Skip to main content

DATA PROCESSING AGREEMENT (DPA)

Effective date: September 30, 2025

This Data Processing Agreement (“DPA”) forms part of the terms governing the use of the PDQE application and related services (the “Services”). It is entered into by and between the customer entity that uses the Services (“Customer”) and the developer/publisher of PDQE, Teunis Matthijs Kralt (“Processor”, “PDQE”, “we”, “us”), to the extent PDQE processes Customer Personal Data on behalf of Customer. By using the Services in a manner that involves Customer Personal Data, Customer agrees to this DPA.

1. Definitions

“Applicable Data Protection Laws” means laws and regulations relating to data protection, privacy, and security, including (as applicable) the GDPR/UK GDPR, the Singapore PDPA, and the California CPRA/CPRA regulations, in each case as amended. “Customer Personal Data” means Personal Data (as defined by Applicable Data Protection Laws) processed by PDQE on behalf of Customer through the Services. “Sub-processor” means a third party engaged by PDQE to process Customer Personal Data in connection with the Services.

2. Roles & Scope

Customer is the Controller and PDQE is the Processor of Customer Personal Data. This DPA governs PDQE’s processing of Customer Personal Data to provide the Services, including storing records, generating quotations and PDFs, indexing limited fields for search, sending transactional emails containing quotations to recipients designated by Customer, support/maintenance, security, and compliance with law.

3. Customer Instructions

PDQE will process Customer Personal Data only on documented instructions from Customer, including as set out in this DPA, the Privacy Policy, and the features Customer uses within the Services. Customer is responsible for the accuracy, quality, and lawfulness of Customer Personal Data and the means by which it is obtained.

4. Processor Obligations

PDQE will (a) ensure persons authorized to process Customer Personal Data are bound by confidentiality; (b) implement the technical and organizational measures in Annex C; (c) notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data; (d) assist Customer, to the extent reasonably necessary, with data subject requests, DPIAs, and consultations with regulators; and (e) upon termination, delete or return Customer Personal Data as described in Section 10.

5. Security; Access; Search Index

Encryption & Controls. PDQE uses encryption in transit (TLS) and at rest for Customer data and applies field-level encryption to personally identifiable fields where appropriate, with access controls based on least privilege.

Support Access. PDQE personnel do not access Customer content unless Customer explicitly requests support that requires it; any such access is time-bound, least-privilege, logged, and revocable by Customer.

Search Index. For in-app search performance, only item name and SKU are indexed in PDQE’s managed search service and stored without direct personal identifiers, used solely for search functionality.

6. Sub-processors

Customer authorizes PDQE to engage Sub-processors reasonably necessary to provide the Services. PDQE will enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this DPA and remains responsible for their performance. PDQE maintains a list of current Sub-processors in Annex B and will provide notice of material changes; Customer may object on reasonable data protection grounds, and the parties will work in good faith to resolve the objection.

7. Data Residency & International Transfers

Primary Residency. PDQE stores and processes Customer data in Asia (Singapore).

Narrow Exceptions. Certain limited processing occurs in the United States by named Sub-processors for (i) error monitoring and diagnostics (minimized/anonymized) and (ii) email delivery and related metadata/content necessary for sending transactional emails. See Annex B for details.

Transfer Safeguards. Where Applicable Data Protection Laws require, PDQE will execute appropriate transfer mechanisms (e.g., EU Standard Contractual Clauses and UK Addendum) and perform transfer risk assessments. For Singapore PDPA, PDQE ensures comparable protection via contractual measures with Sub-processors.

8. No Sale; No Targeted Advertising

PDQE does not sell Customer Personal Data and does not “share” it for cross-context behavioral or targeted advertising. PDQE processes Customer Personal Data solely to provide the Services and as instructed by Customer.

9. Audits & Information

Upon reasonable request, PDQE will make available information necessary to demonstrate compliance with this DPA and, where required by law, allow for audits conducted by Customer or an independent auditor mandated by Customer, subject to confidentiality, safety, and frequency limitations. PDQE may satisfy audit obligations by providing recent third-party security attestations or reports where applicable.

10. Return & Deletion

Upon termination or upon Customer request, PDQE will delete or return Customer Personal Data, and will delete existing copies within its systems and Sub-processors’ systems within commercially reasonable timelines, subject to legal obligations. Search index entries (item name/SKU) will be refreshed or removed following deletion of the underlying records.

11. Liability & Precedence

Each party’s liability under this DPA is subject to the exclusions and limitations set forth in the governing agreement for the Services, except to the extent prohibited by law. In the event of conflict between this DPA and other terms, this DPA controls with respect to processing of Customer Personal Data.

12. Changes

PDQE may update this DPA as necessary to reflect changes in legal requirements or the Services. Material changes will be communicated via the Services or other reasonable means. Continued use of the Services after the effective date of an updated DPA constitutes acceptance.

13. Contact

For questions about this DPA, contact: [email protected].

Annex A — Details of Processing

Subject Matter: Provision of the PDQE Services (quote generation, PDF creation, search, transactional email delivery, support, and security).

Duration: For the term of the Customer’s use of the Services and until deletion/return under Section 10.

Nature & Purpose: Storing, organizing, transmitting, generating, and delivering quotations and related PDFs; sending transactional emails on Customer’s behalf; diagnostics, security, and support.

Categories of Data Subjects: Customer’s personnel and end recipients designated by Customer (e.g., Customer’s clients, prospects, or suppliers).

Categories of Personal Data: Names, business contact details (e.g., email, phone, address), company information, quote information and metadata, communication metadata, and any other personal data Customer submits. PDQE’s search index stores only item name and SKU (no direct identifiers).

Special Categories: Not intended to be processed. Customer will not submit special category or highly sensitive data (e.g., health, biometric, payment card numbers) to the Services.

Customer Responsibilities: Provide notices to and obtain any necessary consents from data subjects; determine the lawful basis; refrain from uploading prohibited/sensitive data; configure the Services appropriately.

Annex B — Sub-processors

Primary Hosting & Search (Asia/Singapore): Cloud infrastructure (including managed databases) and managed ElasticSearch service in Singapore for storage, compute, and search. Stores Customer data and the search index (item name/SKU only).

Email Delivery (United States): Postmark — sends transactional emails (e.g., quotations/PDFs) to recipients designated by Customer; processes recipient addresses, sender details, timestamps, delivery metadata, and message content necessary for delivery.

Error Monitoring (United States): Sentry — processes minimized/anonymized diagnostics and error data for stability and troubleshooting; configured to exclude Customer content fields.

PDQE may engage additional or replacement Sub-processors consistent with Section 6 and will provide notice of material changes prior to replacement where required by law or agreement.

Annex C — Technical & Organizational Measures (TOMs)

  • Encryption: TLS for data in transit; encryption at rest for databases/storage; field-level encryption for PII where appropriate; managed key services with role separation.
  • Access Controls: Role-based access; least privilege; MFA for administrative access; logging and monitoring of access/events.
  • Data Minimization: Search index limited to item name & SKU; no direct personal identifiers stored in the index.
  • Secure Development & Testing: Code review; dependency management; environment separation; secrets management.
  • Vulnerability & Patch Management: Regular patching; vulnerability scanning; remediation processes.
  • Incident Response: Documented procedures; breach detection and notification to Customer without undue delay.
  • Resilience & Backups: Backups and recovery testing; availability/redundancy appropriate to the Services; controlled retention and disposal.
  • Support Access on Request: Customer-authorized, time-bound, least-privilege, and auditable support access; revocable by Customer.
  • Supplier Management: Written contracts with Sub-processors imposing data protection obligations; regional configuration to Asia (Singapore) where supported; transfer safeguards for US subprocessors.

Last updated: September 30, 2025

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.