Data Processing Agreement (DPA)

Effective date: 1 April 2026 | Version: 1.0

This Data Processing Agreement (DPA) governs the processing of personal data by RAZION SHOP S.R.L as a Processor on behalf of Users (Data Controllers) using SimpluFisc.ro services, in compliance with GDPR (Regulation (EU) 2016/679).

1. Scope and Applicability

This DPA applies to all processing of personal data by RAZION SHOP S.R.L when acting as a Data Processor under GDPR Article 28, including:

  • User information: Email, name, tax ID, business data
  • Fiscal data: Income, expenses, tax calculations, declarations
  • Communication data: Chat logs, support messages, audit trails
  • Banking integration data: Account transactions (when enabled)
  • Technical data: IP addresses, cookies, usage analytics

2. Controller and Processor Roles

Data Controller: You (the User) — you own your personal data and fiscal information.
Data Processor: RAZION SHOP S.R.L — we process your data only as instructed and according to this DPA.

SimpluFisc may also act as a Controller for certain anonymous analytics, marketing, and service improvement purposes. See our Privacy Policy for details.

3. Data Processing Instructions

We process personal data only for the following purposes, as instructed by you:

  • Service delivery: Tax calculation, declaration generation, fiscal advice
  • Compliance: Storing records for audit and legal retention requirements
  • Fraud prevention: Detecting and preventing unauthorized account access
  • Support: Responding to user queries and providing customer assistance
  • Legal obligations: Complying with ANAF, tax, and regulatory reporting

Any processing outside these purposes requires your explicit written consent.

4. Data Security Measures

We implement technical and organizational safeguards including:

  • Encryption: TLS 1.3+ for data in transit; AES-256 for sensitive data at rest
  • Access control: Role-based permissions; password policies; MFA on admin accounts
  • Data minimization: Collecting only data necessary for tax calculation and legal compliance
  • Audit logging: All data access logged and monitored for suspicious activity
  • Regular testing: Penetration testing and security audits at least annually
  • Incident response: Documented procedures to detect and respond to data breaches within 72 hours

5. Sub-Processors and Third Parties

We may use the following sub-processors to assist in data processing:

  • Cloud hosting: Amazon AWS (EU regions only)
  • Database: PostgreSQL (self-managed on AWS VPS)
  • Email delivery: SendGrid (transactional emails only)
  • Analytics: Plausible Analytics (privacy-first, no cookies)
  • LLM services: Anthropic Claude, Google Gemini (for AI chat, data not stored)
  • Payment processing: Stripe (PCI-DSS compliant)

All sub-processors comply with GDPR and process data only as instructed. You have the right to object to any sub-processor. Contact contact@simplufisc.ro to review or request changes.

6. International Data Transfers

Data may be processed and stored in AWS EU regions (Frankfurt, Ireland, Paris). For any processing outside the EEA, we ensure adequacy decisions or Standard Contractual Clauses are in place. No data is transferred to countries without GDPR-equivalent protections.

7. Your Rights Under GDPR

You have the right to:

  • Access (Art. 15): Request a copy of your personal data we hold
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Delete your account and all associated data
  • Restrict processing (Art. 18): Limit how we use your data temporarily
  • Portability (Art. 20): Export your data in machine-readable format (JSON/CSV)
  • Object (Art. 21): Opt out of marketing and non-essential processing

To exercise any right, email contact@simplufisc.ro with proof of identity. We will respond within 30 days.

8. Data Retention

  • Active user data: Retained while account is active
  • After account deletion: Deleted within 30 days (except legally required records)
  • Fiscal records: Retained for 10 years per Romanian tax law
  • Log files: Deleted after 90 days unless required for security or legal purposes
  • Backups: Retained for 30 days; not separately searchable

9. Data Breach Notification

In the event of a confirmed data breach affecting your personal data, we will:

  1. Notify you within 72 hours (or as required by law)
  2. Describe the nature of the breach and the data involved
  3. Provide contact details for further information
  4. Recommend steps to protect yourself

10. Changes to This DPA

We may update this DPA to reflect changes in law, technology, or our services. Material changes will be notified at least 30 days in advance via email. Continued use of SimpluFisc constitutes acceptance of updated terms.

Last updated: April 1, 2026

11. Data Protection Contact

Data Protection Officer / Responsible Contact:

  • Organization: RAZION SHOP S.R.L
  • Email: contact@simplufisc.ro
  • For GDPR requests: dpa@simplufisc.ro

For questions about how we process your data or to submit a GDPR request, contact us at contact@simplufisc.ro or use the account deletion / data export features in your account settings.

This DPA is part of the Terms & Conditions. In case of conflict between this DPA and other agreements, this DPA prevails for matters relating to data processing under GDPR.

© 2026 RAZION SHOP S.R.L. All rights reserved. Processed according to GDPR requirements.