DATA PROCESSING ADDENDUM (DPA)

Effective Date: [Date]

This Data Processing Addendum (“Addendum”) forms part of the Terms of Service between qr8.tech (“Processor”) and the entity or individual identified as the customer in the Terms of Service (“Controller”).

1. DEFINITIONS

  • “Data Protection Laws” means all applicable privacy and data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller.
  • “Sub-processor” means any third party appointed by Processor to process Personal Data.

2. SCOPE AND ROLE

2.1 Roles: The parties acknowledge that for the purposes of the GDPR, the Customer is the Data Controller and qr8.tech is the Data Processor.

2.2 Scope: This DPA applies when qr8.tech processes Personal Data on behalf of the Controller (e.g., when the Controller uses qr8.tech features to collect email addresses or track visitor analytics).

3. PROCESSOR OBLIGATIONS

The Processor agrees to:

  • 3.1 Instructions: Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country.
  • 3.2 Confidentiality: Ensure that persons authorized to process the personal data have committed themselves to confidentiality.
  • 3.3 Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption and access controls.
  • 3.4 Data Subject Rights: Assist the Controller, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights (access, erasure, etc.).
  • 3.5 Deletion/Return: At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services.

4. SUB-PROCESSORS

  • 4.1 Appointment: Controller grants a general authorization to Processor to engage Sub-processors (e.g., hosting providers like AWS or Google Cloud).
  • 4.2 Liability: Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

5. DATA BREACH NOTIFICATION

Processor shall notify Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. Processor will provide sufficient information to allow the Controller to meet any obligations to report the breach to authorities or data subjects.

6. INTERNATIONAL TRANSFERS

To the extent that the processing of Personal Data involves a transfer of data from the EEA or UK to a country not recognized as providing an adequate level of protection, the parties agree to abide by the Standard Contractual Clauses (SCCs) approved by the European Commission.

7. AUDIT RIGHTS

Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.


ANNEX I: DETAILS OF PROCESSING

1. Subject Matter: The provision of link aggregation and digital identity services.

2. Duration of Processing: The term of the Agreement plus the period until all data is deleted in accordance with the Agreement.

3. Nature and Purpose: To enable the Controller to share links, collect lead information (if applicable), and analyze traffic on their qr8.tech profile.

4. Categories of Data Subjects: Visitors to the Controller’s qr8.tech profile; the Controller themselves.

5. Types of Personal Data: IP addresses, device IDs, browser types, click data, and any information submitted via forms (e.g., name, email).


ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES

  • Encryption: All data in transit is encrypted via TLS/SSL.
  • Access Control: Access to database systems is restricted to authorized personnel only via Multi-Factor Authentication (MFA).
  • Backups: Regular automated backups are performed and stored in secure, redundant locations.
  • Vulnerability Management: Regular scanning for security vulnerabilities in the application stack.

How to use this DPA:

  1. “Click-Wrap” Agreement: Most SaaS companies do not sign individual DPAs. Instead, you add a clause to your Terms of Service that says: “If you are a business user, our Data Processing Addendum (available at qr8.tech/dpa) is hereby incorporated by reference.”
  2. Sub-processor List: You should maintain a public list (or a link in the DPA) of your Sub-processors (e.g., Stripe, AWS, Google Analytics). This builds trust with enterprise users.
  3. Lead Generation: If you ever add a “Subscribe to my Newsletter” block to your profiles, this DPA becomes legally mandatory for your EU business users.