Data Processing Agreement
Last updated: 2026-04-22
This Data Processing Agreement ("DPA") applies when QRQC SAS processes personal data on behalf of a customer as a processor under GDPR Article 28. This page summarises the key terms; the signed DPA governs the commercial relationship.
Roles
The customer is the controller of the personal data it submits to the platform. QRQC is the processor and processes personal data only on the documented instructions of the customer.
Scope of processing
Subject matter: provision of the QRQC quality management platform. Nature: hosting, storage, transmission, and access. Categories of data subjects: customer's employees, suppliers' employees, and other operational contacts. Categories of data: contact information, role, authored content (incidents, claims, comments, attachments).
Sub-processors
QRQC relies on a limited set of vetted infrastructure sub-processors (cloud hosting, email delivery, error monitoring). The current list is available on request. We provide prior notice of any change and give the customer the right to object.
Security measures
We implement appropriate technical and organisational measures, including TLS 1.3 in transit, AES-256 at rest, role-based access control, MFA for administrators, audit logging, vulnerability management, and incident response procedures.
International transfers
Data stays in the customer's chosen region. Where a transfer outside the EEA is unavoidable, we rely on the European Commission's Standard Contractual Clauses and additional safeguards as required.
Breach notification and assistance
We notify the customer without undue delay after becoming aware of a personal data breach affecting its data, and we assist with data-subject requests and supervisory-authority engagements.
Termination
At the end of the service, we return or delete the customer's personal data within a reasonable period, unless law requires further retention.
Contact
To sign the DPA or request the sub-processor list: contact@qrqc.app.