Data Processing Agreement (DPA)
This is an English translation provided for convenience. The Slovak version is the legally binding one.
pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR) · an integral part of the VORU terms of service
1. Parties
Controller: the client — the user of the VORU service (a company
or sole trader who has connected their mailboxes).
Processor: SORB XT s.r.o., contact obchod@sorbxt.sk
(the "provider").
2. Subject Matter and Nature of the Processing
The provider processes, on the client's behalf and in an automated manner, email messages in the connected mailboxes, including attachments, for the purpose of recognising invoices, payments, deadlines and tasks and of sending reminders and summaries. The processing lasts for the duration of the client's account.
3. Categories of Data and Data Subjects
Data contained in received mail: identification and contact details of senders, billing and payment data (amounts, IBANs, payment references), and the content of messages and attachments. Data subjects: the client's business partners, suppliers and correspondents.
4. Instructions and Confidentiality
The provider processes the data solely for the purpose of providing the service under this agreement and the client's documented instructions (account settings). Persons with access to the data are bound by confidentiality. The content of mail is not used for advertising or for profiling outside the service, nor is it sold.
5. Sub-processors
The client grants general authorisation for the engagement of the following sub-processors: Anthropic (content-recognition API — the text is not used for training and is not retained beyond the processing of the request), Hetzner (server infrastructure in the EU), and Stripe (subscription payments). The provider will give advance notice of any change to this list by email; the client may object by ceasing to use the service.
6. Security Measures
Encrypted transmission (HTTPS/TLS, IMAPS), encrypted storage of mailbox access credentials, account passwords stored as PBKDF2 hashes, server access via SSH keys only, daily backups, and optional two-factor account authentication.
7. Assistance to the Controller and Erasure
The provider will assist the client in fulfilling data subjects' rights and in notifying incidents (without undue delay after becoming aware of them). Data export and full account erasure are available to the client as self-service options in Settings; upon account cancellation the data is deleted immediately and backups expire within 14 days.
8. Audit
Upon request, the provider will make available the information necessary to demonstrate compliance with the obligations under Art. 28 GDPR and will allow for a reasonable audit conducted in a manner agreed by the parties.
This DPA is concluded by accepting the terms of service upon registration. A signed written copy is available on request at obchod@sorbxt.sk.