
Terms of Service – Kontorion Billing Automation

Effective Date: 2 May 2026

Provider: Frontier Algorithmics UG (haftungsbeschränkt)
Koppoldstr. 1, 86551 Aichach, Germany ("Provider", "we", "us")
Registered: Amtsgericht Regensburg, HRB 20570
VAT-ID: DE367287424
Managing Directors: Zaid Marzguioui
Contact: legal@kontorion.eu

Scope of this document. These Terms apply to business customers only (Unternehmer in the meaning of § 14 BGB, juristische Personen des öffentlichen Rechts, and öffentlich-rechtliche Sondervermögen). The Service is not offered to consumers (Verbraucher in the meaning of § 13 BGB). Customer warrants that it enters into this contract in the exercise of its commercial or independent professional activity.

1. Scope and Application (Geltungsbereich)

1.1 These Terms of Service ("Terms") govern the use of the Kontorion Billing Automation platform and related services (the "Service") provided by the Provider to its business customers ("Customer").

1.2 These Terms apply exclusively. Conflicting, deviating, or supplementary terms of the Customer shall not become part of the contract, even if the Provider performs without express objection. Reference by the Customer to its own terms (for example, in a purchase order) is hereby rejected.

1.3 Individual agreements concluded with the Customer in writing (including order forms, statements of work, side letters) take precedence over these Terms (§ 305b BGB).

1.4 Annexes incorporated by reference form an integral part of the contract and appear at the end of these Terms (see Annexes):

In case of conflict, the order of precedence is: (i) the Order Form, (ii) the Data Processing Agreement, (iii) these Terms, (iv) other Annexes.

2. Subject Matter and Service Description (Vertragsgegenstand)

2.1 The Provider grants the Customer access to the Service via the internet for the duration of the contract. The Service supports the creation, management, and electronic transmission of invoices, credit notes, and related billing documents, including formats compliant with German and European e-invoicing standards (in particular XRechnung and EN 16931 / Peppol BIS where applicable).

2.2 The legal nature of the Service is access to standardised software in exchange for a fee. The parties agree that, to the extent permitted by law, the legal regime of the Mietvertrag (§§ 535 ff. BGB) is to be applied analogously, subject to the modifications in these Terms.

2.3 The agreed scope of functions follows from the Order Form and the Service Description (Annex 1). Marketing material, demos, and product roadmaps are non-binding.

2.4 The Provider is entitled to develop the Service further, in particular to release updates, upgrades, and new features. The Provider shall not materially reduce the agreed core functionality during a paid contract term unless required by law, security, or by the discontinuation of an underlying third-party service. Material adverse changes shall be announced with reasonable advance notice and grant the Customer an extraordinary right of termination as set out in Section 9.

2.5 The Service is provided as a multi-tenant SaaS offering. The Provider does not owe a specific implementation, integration, customisation, or on-premises deployment unless expressly agreed in writing.

3. Conclusion of Contract (Vertragsschluss)

3.1 The presentation of the Service on the Provider's website does not constitute a binding offer.

3.2 The contract is concluded by (i) Customer's electronic acceptance of an Order Form, (ii) signature of an Order Form, or (iii) Customer's first paid use of the Service after registration, whichever occurs first.

3.3 The Customer must provide accurate registration data and update it without undue delay if it changes. The Provider may verify identity and creditworthiness using lawful means.

3.4 The Provider may refuse contract conclusion at its discretion, in particular where there are reasonable grounds for concern as to identity, solvency, or compliance (including sanctions and export control screening).

4. Customer Account and Access Credentials

4.1 The Customer receives access via individual user accounts. The Customer is responsible for the secure storage and confidential handling of access credentials and shall enable available security features (in particular multi-factor authentication) where supported.

4.2 The Customer shall notify the Provider without undue delay of any actual or suspected unauthorised use of an account.

4.3 The Customer is liable for activities carried out via its accounts unless it proves that the activity is not attributable to it.

5. Customer Obligations and Acceptable Use (Mitwirkungspflichten)

5.1 The Customer's cooperation is a contractual duty (echte Mitwirkungspflicht), not a mere Obliegenheit, where these Terms, the Order Form, or the Service Description so provide.

5.2 The Customer is solely responsible for:

  • (a) the accuracy, completeness, and legal compliance of all data it inputs into the Service, in particular the content of invoices and credit notes (correct VAT treatment, mandatory invoice content under §§ 14, 14a UStG, accurate counterparty data, accurate amounts and tax rates);
  • (b) compliance with retention and archival obligations under the Abgabenordnung (in particular §§ 146, 147 AO) and the GoBD, including independent retention of invoice records as required by tax law (the Service may support archival but does not replace the Customer's primary obligation);
  • (c) obtaining and maintaining all consents, lawful bases, and notices required for the lawful processing of personal data and counterparty data through the Service;
  • (d) configuring the Service in line with its own legal, sectoral, and accounting requirements;
  • (e) maintaining adequate internet connectivity, end-user equipment, and a supported browser;
  • (f) backing up its own data outside the Service to the extent reasonable.

5.3 The Customer shall not, and shall not permit any user to:

  • (a) use the Service in violation of applicable law (including export control and sanctions);
  • (b) infringe third-party rights, in particular intellectual property, personality, or data protection rights;
  • (c) issue invoices via the Service which the Customer knows or should know to be incorrect, fictitious, or misleading;
  • (d) probe, scan, penetrate, overload, or bypass security or rate limits without prior written authorisation;
  • (e) reverse-engineer, decompile, or disassemble the Service except to the extent permitted by mandatory law (in particular § 69e UrhG);
  • (f) use the Service to develop or train a competing product;
  • (g) circumvent metering, pricing, or seat limits.

5.4 The Provider may suspend access (in whole or in part) without prior notice where required to avert imminent significant risk to security, integrity, or lawful operation of the Service or third parties. Where reasonably possible, the Provider shall give prior notice and an opportunity to cure. Suspension does not affect the Customer's payment obligations except where the cause is attributable to the Provider.

6. Pricing, Invoicing, and Payment (Preise, Rechnungsstellung, Zahlung)

6.1 The fees follow from the Order Form. All prices are net prices in Euro (EUR), exclusive of statutory value added tax (Umsatzsteuer) where applicable.

6.2 Unless otherwise agreed, fees are invoiced in advance for the agreed billing period (monthly or annually). Usage-based fees are invoiced in arrears.

6.3 Invoices are payable within fourteen (14) days from the invoice date without deduction. § 286 Abs. 3 BGB applies; the Customer is in default no later than thirty (30) days after receipt of the invoice without further reminder. The Provider may charge default interest in the statutory amount (§ 288 Abs. 2 BGB) and the lump sum under § 288 Abs. 5 BGB.

6.4 The Customer may set off only with claims that are undisputed or have been finally adjudicated (rechtskräftig festgestellt). The Customer may exercise a right of retention only to the extent that its counterclaim arises from the same contractual relationship.

6.5 The Provider may adjust list prices for renewal periods. A planned price increase shall be communicated at least sixty (60) days before the start of the renewal period and grants the Customer an extraordinary right of termination effective at the end of the then-current contract period. Price adjustments within a running fixed term require the Customer's consent unless otherwise expressly agreed in the Order Form.

6.6 Where electronic invoicing is required by law (in particular under the Wachstumschancengesetz transition for B2B e-invoicing in Germany), invoices to the Customer may be issued in a structured electronic format (e.g. ZUGFeRD/XRechnung) and the Customer accepts receipt in such format.

6.7 Late or missing payments after the second written reminder entitle the Provider to suspend the Service until full payment, without prejudice to other rights. Suspension does not relieve the Customer of payment obligations.

7. Term, Renewal and Termination (Laufzeit und Kündigung)

7.1 The contract starts on the date stated in the Order Form. The initial term and renewal periods follow from the Order Form. Where no term is specified, the contract runs for an initial term of twelve (12) months and renews automatically for successive periods of twelve (12) months, unless terminated by either party with three (3) months' notice to the end of the then-current term.

7.2 Each party may terminate the contract for cause without notice (außerordentliche Kündigung) where there is good cause within the meaning of § 314 BGB. Good cause for the Provider exists in particular where the Customer:

  • (a) is in default with non-trivial fees for more than thirty (30) days after a payment reminder;
  • (b) materially breaches Section 5.3 and fails to cure (where capable of cure) within fifteen (15) business days of written notice;
  • (c) becomes insolvent, files for insolvency, or has insolvency proceedings opened over its assets, to the extent permitted by §§ 119, 103 InsO.

7.3 Termination shall be in text form (Textform, § 126b BGB). E-mail to the addresses designated for notices is sufficient.

7.4 Upon termination, the Customer's right to use the Service ends. The Customer may export its data via the export functions of the Service for a period of thirty (30) days after the effective date of termination ("Export Period"). After the Export Period, the Provider is entitled and, under the Data Processing Agreement, obliged to delete Customer Data, subject to retention obligations under mandatory law.

8. Service Levels, Availability, Maintenance

8.1 The Provider targets the availability and support levels set out in Annex 1 (Service Levels). Unless expressly agreed otherwise, the Service is provided with a target availability of 99.5% per calendar month, measured at the Provider's perimeter, excluding the events listed below.

8.2 The following events do not count against availability:

  • (a) scheduled maintenance announced at least forty-eight (48) hours in advance;
  • (b) emergency maintenance required to maintain security or integrity;
  • (c) Force Majeure (Section 17);
  • (d) outages caused by the Customer, its users, or third-party services chosen by the Customer (in particular government systems for e-invoice transmission or upstream tax authorities);
  • (e) outages of public telecommunications networks beyond the Provider's reasonable control.

8.3 Where a service credit regime is agreed in Annex 1, service credits are the Customer's exclusive remedy for missed availability targets, without prejudice to the limitation of liability in Section 10 and the right to extraordinary termination for repeated material breach.

9. Defects, Warranty, and Updates

9.1 The Provider warrants that during the contract term the Service will materially conform to the Service Description. The Customer shall report defects without undue delay in text form, providing sufficient information to reproduce the issue.

9.2 The Customer's primary remedy is rectification (Mangelbeseitigung) within a reasonable period. If rectification fails after two reasonable cure attempts (or if cure is impossible, refused, or unreasonable), the Customer may reduce the fee (§ 536 BGB analog) or, for material defects, terminate for cause (§ 543 BGB analog), in each case in accordance with statutory law.

9.3 Strict no-fault liability under § 536a Abs. 1 Alt. 1 BGB for initial defects (anfängliche Mängel) is excluded to the extent permitted by law. This exclusion does not apply to liability for damage to life, body, or health, to claims under the Produkthaftungsgesetz, to fraudulently concealed defects, to the breach of guarantees, or to claims based on intent or gross negligence; for the breach of cardinal duties (Kardinalpflichten), Section 10 applies.

9.4 The Provider may release Updates that are reasonably necessary to maintain functionality, security, and legal conformity. The Customer shall accept Updates that do not materially impair the agreed functionality. Material adverse changes are announced with at least sixty (60) days' advance notice and grant an extraordinary right of termination effective on the change date.

9.5 The Customer's warranty rights expire after twelve (12) months from the occurrence of the defect, except for claims based on intent or gross negligence, claims for damage to life, body, or health, claims under the Produkthaftungsgesetz, and claims for fraudulently concealed defects.

10. Limitation of Liability (Haftungsbeschränkung)

10.1 The Provider is liable without limitation for:

  • (a) damage caused intentionally or by gross negligence;
  • (b) damage to life, body, or health;
  • (c) liability under the Produkthaftungsgesetz (Product Liability Act);
  • (d) fraudulently concealed defects;
  • (e) breach of an express guarantee (Garantie) to the extent of the guarantee;
  • (f) liability under mandatory provisions of the GDPR (Art. 82 GDPR) and applicable data protection law.

10.2 In the case of slight negligence (leichte Fahrlässigkeit), the Provider is liable only for the breach of a Kardinalpflicht (a duty whose fulfilment is essential to the proper performance of the contract and on whose observance the Customer regularly relies). Liability for breach of a Kardinalpflicht caused by slight negligence is limited to the typical foreseeable damage.

10.3 Subject to Section 10.1, the Provider's aggregate liability for damages and reimbursement of futile expenses arising under or in connection with the contract is, in any twelve (12) month period, limited to the fees paid by the Customer for the Service in the twelve (12) months preceding the event giving rise to the claim, but in any event no less than EUR 50,000 per contract year.

10.4 The Provider is not liable for the loss of data to the extent that the loss could have been avoided by the Customer's compliance with reasonable backup duties (Section 5.2(f)) or where data could be reconstructed from data stored outside the Service. In any event, the Provider's liability for loss of data is limited to the typical reconstruction cost of properly backed-up data.

10.5 The above limitations apply correspondingly to the Provider's bodies, employees, agents, and Subcontractors.

10.6 The Customer's claims for damages or reimbursement of futile expenses become time-barred after twelve (12) months from statutory commencement of the limitation period, except in the cases of Section 10.1.

11. Indemnification (Freistellung)

11.1 The Customer shall defend, indemnify, and hold harmless the Provider against third-party claims arising from:

  • (a) the content of invoices, credit notes, and other documents the Customer issues via the Service;
  • (b) the Customer's breach of Section 5.3 (Acceptable Use);
  • (c) the Customer's lack of necessary rights, consents, or lawful bases for the data processed via the Service;

except to the extent the claim is caused by the Provider.

11.2 The Provider shall defend the Customer against third-party claims that the use of the Service in conformity with the contract infringes intellectual property rights enforceable in the European Union, and shall reimburse damages and reasonable legal costs finally awarded against the Customer, provided the Customer (i) notifies the Provider in writing without undue delay, (ii) gives the Provider sole control of the defence and settlement, and (iii) reasonably cooperates. The Provider may, at its option, modify the Service to be non-infringing, obtain a license, or terminate the affected part of the Service against pro-rata refund of pre-paid unused fees. The remedy in this Section 11.2 is exclusive for IP infringement claims, subject only to Section 10.1.

12. Customer Data, Data Protection (Datenschutz)

12.1 As between the parties, the Customer is the controller (Verantwortlicher) for personal data processed via the Service. The Provider acts as processor (Auftragsverarbeiter) within the meaning of Art. 28 GDPR.

12.2 The Data Processing Agreement (Annex 2) governs the processing of personal data on behalf of the Customer. By accepting these Terms, the Customer enters into the Data Processing Agreement.

12.3 The Provider implements and maintains technical and organisational measures (Annex 5 – TOM) to ensure a level of security appropriate to the risk under Art. 32 GDPR.

12.4 The Provider may engage Sub-processors as listed in Annex 3. Changes to the Sub-processor list are governed by the Data Processing Agreement.

12.5 To the extent personal data is transferred outside the EU/EEA, the Provider relies on appropriate safeguards under Chapter V GDPR, in particular the EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

12.6 The Customer is the controller responsible for the lawfulness of processing under Art. 6 GDPR for invoice and counterparty data and for compliance with information duties towards data subjects (Arts. 13, 14 GDPR).

13. Confidentiality (Vertraulichkeit)

13.1 Each party shall treat as confidential any information of the other party that is marked as confidential or that should reasonably be understood as confidential, including business plans, pricing, and the non-public components of the Service. Confidential Information shall be used only for the performance of the contract and protected with the same care as the receiving party uses for its own confidential information, but in no event with less than reasonable care.

13.2 The duty of confidentiality does not apply to information that (a) is or becomes publicly available without breach, (b) was lawfully known prior to receipt without obligation of confidence, (c) is independently developed without use of the other party's Confidential Information, or (d) must be disclosed by law or binding order, in which case the receiving party shall, where lawful, give the other party reasonable advance notice.

13.3 Confidentiality obligations survive termination for five (5) years; trade secrets within the meaning of the GeschGehG are protected as long as they qualify as such.

14. Intellectual Property and License (Nutzungsrechte)

14.1 The Provider and its licensors retain all rights, title, and interest in and to the Service, including all software, documentation, templates, data models, and aggregated, anonymised analytics derived from operation of the Service.

14.2 The Provider grants the Customer, for the duration of the contract, a non-exclusive, non-transferable, non-sublicensable right to use the Service in accordance with these Terms and the Order Form, limited to the agreed scope of users, entities, volumes, and territory.

14.3 Feedback voluntarily provided by the Customer may be used by the Provider without restriction or compensation, provided no Customer Confidential Information is disclosed to third parties.

14.4 The Customer retains all rights in Customer Data. The Customer grants the Provider a non-exclusive, worldwide, royalty-free right to host, copy, transmit, display, and process Customer Data solely as necessary to provide and improve the Service in accordance with these Terms and the Data Processing Agreement.

15. Beta and Free Services

Beta features, free trials, and previews are provided "as is" and "as available" to the maximum extent permitted by law. Sections 9 and 10.2–10.6 do not apply to Beta and Free Services; the Provider remains liable in accordance with Section 10.1. The Provider may modify or discontinue Beta and Free Services at any time.

16. Third-Party Services and Integrations

16.1 The Service may interoperate with third-party services chosen by the Customer (e.g. accounting systems, e-invoice transmission networks, payment service providers, government portals). The Provider is not responsible for the performance, availability, or content of such third-party services and the contractual relationship for those services exists between the Customer and the relevant third-party provider.

16.2 The Customer authorises the Provider to exchange data with the configured third-party services to the extent necessary for the integration.

17. Force Majeure (Höhere Gewalt)

17.1 Neither party is liable for delay or failure in performance to the extent caused by Force Majeure, meaning unforeseeable, exceptional events outside the reasonable control of the affected party, including natural disasters, war, terrorism, civil unrest, official measures, pandemics, large-scale internet, energy, or telecommunications outages, and large-scale strikes not involving the affected party's own workforce.

17.2 The affected party shall notify the other party without undue delay and use reasonable efforts to mitigate effects. If a Force Majeure event continues for more than sixty (60) consecutive days, either party may terminate the affected part of the contract for cause.

18. Changes to the Terms (Änderungen der AGB)

18.1 The Provider may amend these Terms with effect for the future. Amendments are notified in text form at least sixty (60) days before they take effect.

18.2 Amendments are deemed accepted if the Customer does not object in text form before the date on which the amendments take effect, provided that the notification expressly informs the Customer of this consequence and of the right to terminate. If the Customer objects in time, the contract continues on the previous terms; in this case, the Provider may terminate for cause at the end of the then-current term.

18.3 Material adverse changes (in particular: increases of fees beyond what is permitted under Section 6.5, reduction of agreed core functionality, material expansion of Customer obligations) require the Customer's express consent (unless covered by Section 6.5 or Section 9.4).

19. Subcontractors (Unterauftragnehmer)

19.1 The Provider may engage subcontractors for the provision of the Service. The Provider remains responsible for the performance of the Service.

19.2 The engagement of Sub-processors processing personal data on behalf of the Customer is governed by Section 12 and the Data Processing Agreement.

20. Compliance, Sanctions, and Anti-Bribery

20.1 Each party shall comply with applicable laws, including export control, sanctions (in particular EU and UN sanctions), anti-bribery, and anti-money-laundering laws.

20.2 The Customer represents and warrants that it, its affiliates, and its directly involved beneficial owners are not subject to relevant sanctions and that it does not use the Service to engage in transactions that would violate sanctions law.

20.3 The Provider may suspend or terminate the contract for cause if continued performance would violate applicable sanctions or export control law.

21. Notices and Communication

21.1 Notices under the contract are effective in text form (Textform, § 126b BGB) sent to the addresses designated by the parties; e-mail to the addresses on file is sufficient unless these Terms or mandatory law require a higher form.

21.2 The Provider may communicate operational notices via the Service interface or admin e-mail addresses on file.

22. Final Provisions (Schlussbestimmungen)

22.1 Assignment. The Customer may assign rights and obligations under the contract only with the Provider's prior written consent, which shall not be unreasonably withheld. The Provider may assign rights and obligations to an affiliate or to a successor in connection with a corporate transaction, with prior written notice.

22.2 Independent contractors. The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, or agency relationship.

22.3 No third-party rights. These Terms do not confer rights on third parties (no Vertrag zugunsten Dritter, § 328 BGB), except where expressly stated.

22.4 Severability. Should any provision of these Terms be or become invalid or unenforceable, the validity of the remaining provisions remains unaffected. The invalid provision shall be replaced by a valid provision that comes closest to the economic purpose of the invalid provision. § 306 BGB applies; the parties expressly exclude the application of § 139 BGB.

22.5 Form. Modifications and supplements to the contract require text form. This also applies to changes of this form clause.

22.6 Choice of law. The contract is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods (CISG) and excluding conflict-of-law rules.

22.7 Jurisdiction. Exclusive place of jurisdiction for all disputes arising under or in connection with the contract is Regensburg, Germany, where the Customer is a merchant (Kaufmann), a legal person under public law, or a public-law special asset, or where the Customer has no general place of jurisdiction in Germany. The Provider may also sue at the Customer's general place of jurisdiction.

22.8 Language. These Terms are concluded in English. Where a German translation is provided for convenience, the English version prevails in case of conflict, except where mandatory German law requires otherwise. For German-resident business customers, the parties may agree on the German version (AGB) as binding by separate agreement.

Annexes

The following annexes form an integral part of this contract.

Annex 1 – Service Description and Service Levels

1.1 Functional Scope

The Service is a multi-tenant SaaS platform for billing automation, designed for businesses established in the EU. The functional scope includes in particular:

  • Creation and management of outgoing invoices, credit notes, cancellation invoices, and corrective invoices, including the mandatory invoice content under §§ 14, 14a UStG;
  • Native generation of structured electronic invoices in the XRechnung format (per CIUS XRechnung) and support for further EN 16931 formats (ZUGFeRD, Peppol BIS) according to the product roadmap;
  • EU VAT logic (UStG, VAT Directive), including B2B reverse charge handling, OSS / IOSS turnover marking, and § 14 UStG-compliant invoice generation;
  • SEPA direct debit with pre-notification per the SEPA Rulebook (14-day rule);
  • Customer, contract, and subscription management with terms, renewals, list and discounted pricing, and usage-based fees;
  • Payment processing through Stripe Payments (cards and wallets);
  • Export of accounting data (CSV, DATEV-compatible, GoBD export);
  • Audit trail of all invoice-relevant changes, including timestamp and user ID, to meet the GoBD requirements for immutability and traceability;
  • Web-based user interface and REST API.

A specific performance, throughput, or API response time is owed only to the extent expressly agreed in the Order Form.

1.2 Availability

The target availability of the Service is 99.5% per calendar month, measured at the Provider's perimeter. The events listed in Section 8.2 of the Terms do not count against availability.

1.3 Maintenance Windows

Scheduled maintenance is preferably performed in the maintenance window Sunday 02:00–06:00 (CET / CEST) and is announced at least forty-eight (48) hours in advance by e-mail to the registered administrator addresses or via the user interface. Emergency maintenance to preserve security or integrity may take place at short notice.

1.4 Calculation of Availability

Availability (%) = (total minutes in the month − downtime minutes) / total minutes in the month × 100. Downtime minutes are those during which the core functions of the Service are not reachable over the public internet. Latency, errors of individual endpoints, or degraded performance do not count as downtime as long as the core functionality remains generally available.

1.5 Service Credits

For the Starter and Scale plans, no service credits are granted. For Enterprise customers, the following service credits apply, if and to the extent expressly agreed in the Order Form:

  • Availability below 99.5% but ≥ 99.0%: 5% of the monthly fee as a credit;
  • Availability below 99.0% but ≥ 95.0%: 10% of the monthly fee as a credit;
  • Availability below 95.0%: 25% of the monthly fee as a credit.

Without prejudice to Section 8.3 of the Terms, service credits are the Customer's sole and exclusive remedy for missed availability targets and are applied to the next monthly invoice.

1.6 Support

Support is provided by e-mail at support@kontorion.eu. Response times apply during business hours (Monday to Friday, 09:00–18:00 CET / CEST, excluding German public holidays):

  • S1 – Critical: The Service as a whole is unusable or a core function is down. Response time: four (4) hours.
  • S2 – High: A material function is degraded; no reasonable workaround is available. Response time: one (1) business day.
  • S3 – Medium: Functional impairment without material impact on business operations. Response time: two (2) business days.
  • S4 – Low: General questions, cosmetic defects, configuration assistance. Response time: five (5) business days.

Response time means the time to first qualified reply, not the time to resolution. Severity classification is at the Provider's reasonable discretion.

Annex 2 – Data Processing Agreement (DPA)

This Annex specifies the obligations of the Provider as processor within the meaning of Art. 28 GDPR and forms an integral part of the Terms. By accepting the Terms, the parties enter into this Data Processing Agreement ("DPA").

2.1 Subject Matter and Duration

The subject matter of the processing is the provision of the Service in accordance with the Terms and the Order Form. The duration of the processing corresponds to the term of the contract plus the Export Period under Section 7.4 of the Terms and any applicable statutory retention obligations.

2.2 Nature and Purpose of the Processing

Forms of processing include collecting, recording, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, aligning, combining, restricting, erasing, and destroying personal data. The purpose of the processing is the provision of the Service's functions (invoice generation, e-invoicing, subscription management, payment processing, audit trail, support).

2.3 Types of Personal Data

  • Identification and contact data (name, address, phone, e-mail);
  • Contract and order data;
  • Tax and business data (VAT-ID, Leitweg-ID, bank details for SEPA, billing data);
  • Communication data (e-mail, support tickets, audit log entries);
  • Usage data (login, IP address, user agent, activity history within the application).

2.4 Categories of Data Subjects

  • End customers and business partners of the Customer (invoice recipients);
  • Suppliers and service providers of the Customer;
  • Employees and authorized representatives of the foregoing;
  • Users of the Service on the Customer's side (employees, contractors).

2.5 Obligations of the Provider (Processor)

The Provider shall:

  • (a) process personal data only on documented instructions from the Customer, including the instructions documented in the Terms and the Order Form; instructions outside the agreed scope of services are subject to reasonable additional remuneration;
  • (b) ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) take all measures required pursuant to Art. 32 GDPR, as described in Annex 5 (TOM), and adapt them to the state of the art;
  • (d) engage Sub-processors only in accordance with Section 2.7;
  • (e) assist the Customer with appropriate technical and organizational measures in fulfilling data subject rights (Arts. 12–23 GDPR);
  • (f) assist the Customer in complying with its obligations under Arts. 32–36 GDPR, taking into account the nature of processing and the information available to the Provider;
  • (g) at the Customer's choice, return or delete all personal data after the end of the provision of services and destroy existing copies, unless storage of the personal data is required by law;
  • (h) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, in accordance with Section 2.11.

2.6 Obligations of the Customer (Controller)

The Customer is in particular obliged:

  • (a) to ensure the lawfulness of processing under Art. 6 GDPR;
  • (b) to fulfil the information obligations under Arts. 13 and 14 GDPR towards data subjects;
  • (c) to inform the Provider without undue delay and completely if any errors or irregularities are detected in the review of the processing results;
  • (d) to grant and maintain user permissions in the Service with due care;
  • (e) to itself respond to data subject requests forwarded by the Provider.

2.7 Sub-processing

The Customer grants the Provider a general written authorisation to engage the Sub-processors listed in Annex 3. The Provider notifies the Customer of any intended changes at least thirty (30) days in advance in text form; the Customer may object to the change within this period on legitimate data protection grounds. If the parties cannot agree, the Provider may terminate the affected service for cause; Section 11.2 of the Terms remains unaffected.

The Provider imposes on each Sub-processor the same data protection obligations as set out in this DPA, in particular sufficient guarantees to implement appropriate technical and organizational measures.

2.8 International Transfers

Personal data is transferred to third countries outside the EEA only to the extent necessary for performance of the Service and where appropriate safeguards under Chapter V GDPR are in place. With respect to Sub-processors located in the United States, the Provider primarily relies on the EU-U.S. Data Privacy Framework (adequacy decision) and, in the alternative, on the EU Standard Contractual Clauses (SCC, Module 3) and additional safeguards (encryption in transit and at rest, pseudonymisation, data minimisation).

2.9 Data Subject Rights

The Provider assists the Customer in fulfilling data subject rights (access, rectification, erasure, restriction of processing, data portability, objection). Data subject requests received directly by the Provider are forwarded to the Customer without substantive processing.

2.10 Notification Obligations

The Provider notifies the Customer without undue delay, and in any case no later than twenty-four (24) hours after becoming aware, of any personal data breach within the meaning of Art. 4(12) GDPR. The notification contains the information required under Art. 33(3) GDPR to the extent known to the Provider.

2.11 Audit

The Customer is entitled to verify compliance with the obligations under this DPA. Verification is normally conducted by submission of suitable evidence (certifications, reports of independent auditors, responses to a written audit questionnaire). On-site audits are limited to once per calendar year and require at least thirty (30) days' prior notice; they take place during normal business hours, without disrupting operations, and against signature of an appropriate non-disclosure agreement. The Customer bears the costs of the audit unless the audit reveals a material breach.

2.12 Termination and Deletion

Upon termination of the contract, the Provider returns or securely deletes the Customer Data at the Customer's choice; Section 7.4 of the Terms (Export Period) applies accordingly. Backups are overwritten in the course of the agreed backup cycles; an explicit early destruction of backups can be agreed against reimbursement of expenses.

2.13 Liability

Liability of the Provider under this DPA is governed by Section 10 of the Terms, without prejudice to mandatory liability under Art. 82 GDPR.

Annex 3 – List of Sub-processors

The Provider engages the following Sub-processors for the provision of the Service. The list is updated regularly; changes are notified pursuant to Section 2.7 of this DPA.

3.1 Active Sub-processors

  • Stripe Payments Europe, Limited – The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland.
    Purpose: Payment processing (cards, SEPA, wallets), subscription management backend, tax and invoicing data for Stripe Tax features.
    Data types: Identification, contact, contract, payment, and transaction data.
    Safeguards: Processing within the EEA; for onward transfer to Stripe Inc. group entities in the United States, EU Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework.
  • Hosting / Infrastructure: Self-operated within the European Union. [Specific data centre / IaaS partner will be named in the Order Form or with the next update of this list.]
  • Transactional e-mail / notifications: [Provider will be named when deployed; current implementation sends outbound mail through the Provider-operated mail server within the EU.]
  • Error and performance monitoring: [Provider will be named when deployed.]

3.2 Intra-Group Processing

Processing by affiliates of the Provider does not currently take place. Future intra-group processing will be notified in accordance with Section 2.7 of this DPA.

Annex 4 – Pricing Schedule / Order Form

4.1 Plans

The currently applicable plans are published at kontorion.eu/en/pricing. As of the effective date of this Annex:

  • Starter: EUR 79 / month (net, plus VAT).
  • Scale: EUR 299 / month (net, plus VAT).
  • Enterprise: EUR 899 / month (net, plus VAT).
  • On-Premise: custom, as set out in the Order Form.

The plan applicable to the Customer, included volumes, any discounts, and usage-based fees follow from the Order Form or from the Customer's Stripe checkout confirmation.

4.2 Free Trial

New customers receive a fourteen (14) day free trial without credit card requirement. After expiry, the contract converts to the chosen subscription unless the Customer terminates before the end of the trial.

4.3 Order Form and Conclusion of Contract

For purposes of the Terms, "Order Form" means any express confirmation by the Customer ordering a plan, in particular the successful completion of the Stripe checkout for a paid plan, a signed individual quote, or the electronic acceptance of an order via the Service's user interface.

4.4 Payment Processing

Payment processing is performed via Stripe. The Customer manages payment methods, invoices, and the subscription via the Stripe Customer Portal provided by the Provider.

Annex 5 – Technical and Organizational Measures (TOM)

The Provider maintains the following technical and organizational measures pursuant to Art. 32 GDPR. Measures are reviewed regularly and adjusted to the state of the art.

5.1 Confidentiality (Art. 32(1)(b) GDPR)

  • Physical access control: Processing facilities are operated in ISO-27001-certified data centres within the European Union; physical access control is performed by the respective hosting partner.
  • Logical access control: Access to systems exclusively via individual accounts with enforced multi-factor authentication (MFA); password policies aligned with current NIST recommendations; automatic lockout on inactivity.
  • Authorization control: Role-based access control (RBAC) on a need-to-know basis; separation of development, staging, and production environments; production databases are reachable only from the private network.
  • Tenant separation: Application-level multi-tenancy (tenant IDs on every record, filters on every database access); separate encryption contexts per tenant where appropriate.
  • Pseudonymisation: Identifiers are pseudonymised where appropriate; logs do not contain direct personal identifiers.
  • Encryption: All data in transit is transmitted with TLS 1.2+; data at rest is encrypted with AES-256.

5.2 Integrity (Art. 32(1)(b) GDPR)

  • Input control: Audit trail of all invoice-relevant changes with timestamp and user ID; tamper protection through immutable invoice numbering.
  • Transmission control: Remote connections exclusively via TLS; authentication of API clients via API keys or OAuth; signed webhooks.
  • Validation: Server-side input validation for all API inputs; server-side authorisation checks independent of frontend logic.

5.3 Availability and Resilience (Art. 32(1)(b) GDPR)

  • Backups: Daily encrypted database backups with at least thirty (30) days' retention; point-in-time recovery for the last seven (7) days.
  • Restore tests: Periodic restore tests at least every six (6) months.
  • Redundancy: High-availability application configuration; database redundancy with synchronous replication.
  • Protection from malicious code: Container-based deployment with isolated workloads; dependency scanning in CI; signed build artefacts.
  • Monitoring: Continuous performance and availability monitoring; on-call alerting on outages or anomalies.

5.4 Procedures for Regular Review (Art. 32(1)(d) GDPR)

  • Data Protection Impact Assessments for high-risk processing activities pursuant to Art. 35 GDPR.
  • Annual TOM review with update of this Annex.
  • Penetration testing: at least annually, by independent third parties.

5.5 Order Control

Processing is performed exclusively on documented instructions of the Customer. Configuration and administration access of Provider personnel to Customer Data only takes place for support, security, or essential maintenance purposes; access is logged.

5.6 Privacy by Design (Art. 25 GDPR)

Data minimisation in default configurations; storage limitation through retention policies; defaults are privacy-friendly (Art. 25(2) GDPR).

5.7 Personnel

  • Commitment to data secrecy and confidentiality under Art. 28(3)(b) GDPR upon taking up duties;
  • Information security and data protection training at least annually;
  • Background checks for persons with access to production systems within the legally permissible scope.

As of: 2 May 2026
