Data Processing Agreement
DPA terms for invoice-report services.
These terms set out how DBX ONE, operated by Dillon, processes invoice data for a client organisation when producing an invoice report. A signed version can be provided before processing starts.
1. Roles
The client organisation is the controller for any personal data contained in submitted invoice files. DBX ONE acts as processor when processing that data to provide the requested invoice-report service.
2. Subject matter and duration
The subject matter is the production of supplier invoice reports, including invoice extraction, categorisation, review-point identification, report generation and related communication. Processing lasts for the period needed to produce the report and any agreed retention period.
3. Nature and purpose of processing
DBX ONE may collect, receive, store, review, extract, structure, analyse and report on supplier invoice data. The purpose is to provide the requested invoice report, identify review points and communicate with the client organisation.
4. Types of data
Submitted data may include supplier names, invoice numbers, invoice dates, item descriptions, categories, quantities, unit costs, net/VAT/gross totals, delivery charges, email addresses, contact names and notes supplied by the client organisation.
5. Categories of data subjects
Where personal data appears in invoice files, it may relate to practice or clinic staff, supplier staff, finance contacts or other business contacts. The service is not designed for patient records or clinical documents.
6. Documented instructions
DBX ONE will process invoice data only on the client organisation’s documented instructions, including the instruction to produce the requested report and any agreed follow-up work.
7. Confidentiality
DBX ONE will ensure that people authorised to process invoice data are subject to confidentiality obligations and access invoice data only where necessary for the report.
8. Security measures
DBX ONE will maintain appropriate technical and organisational measures, including HTTPS, controlled storage, encryption controls provided by the storage platform, restricted administrative access, MFA for administrative accounts, least-privilege access, incident response procedures and appropriate deletion processes.
9. Sub-processors
DBX ONE will not appoint a sub-processor to process client invoice data without written authorisation, either specific or general. DBX ONE will ensure that equivalent data protection obligations flow down to approved sub-processors.
10. International transfers
If invoice data is transferred outside the UK or EEA, DBX ONE will use appropriate safeguards required by applicable data protection law, such as relevant contractual safeguards and processor terms.
11. AI processing and model training
DBX ONE may use AI tools to help extract, structure and review invoice data. Submitted invoice data is not used to train shared or general AI models and is not reused for other clients.
12. Assistance to the controller
DBX ONE will provide reasonable assistance with data subject requests, security obligations, DPIAs, prior consultation and audit requests where they relate to the invoice-report processing and are reasonably required by law.
13. Personal data breach
DBX ONE will notify the client organisation without undue delay after becoming aware of a personal-data breach affecting submitted invoice data and will provide information reasonably available to support the client’s assessment and response.
14. Deletion or return
At the end of the service or on written request, DBX ONE will delete or return invoice data unless retention is required by law or agreed for an ongoing service. Free-report invoice files are intended to be deleted within 30 days after report delivery unless otherwise agreed.
15. Audit information
DBX ONE will make available reasonable information needed to demonstrate compliance with these processing terms, subject to confidentiality, security and proportionality.
16. Data minimisation
The client organisation should submit only the invoice information needed for the report. A redacted export may be used where it contains enough information to produce the requested report.