Boring Digital Limited · Last updated: March 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of our Terms of Service and describes how Recibo Simples processes personal data on behalf of users.
Roles
For the purposes of this DPA: Recibo Simples acts as the data processor. You, the user, act as the data controller with respect to the personal data you input (income records, client information, invoices).
Processor Obligations
- Process data only on your documented instructions and for the purpose of providing the service
- Ensure that personnel who process data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure data security (encryption at rest and in transit, access controls, regular backups)
- Not engage sub-processors without prior notice — current sub-processors are listed in our Privacy Policy
- Assist you in responding to data subject requests (access, rectification, erasure, portability)
- Delete or return all personal data upon termination of your account, unless retention is legally required
Breach Notification
In the event of a personal data breach, Recibo Simples will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories of data affected, and the measures taken to address it.
Security Measures
We implement industry-standard security measures including encryption (TLS 1.2+), secure authentication, access logging, and regular security reviews.