Data Processing Agreement

Last updated: January 2026

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Quickfix AI ("Processor," "we," or "us") and you ("Controller" or "Customer") and forms part of the Terms of Service governing the use of our Service.

This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA").

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Quickfix AI on behalf of the Customer.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.

3. Scope and Roles

3.1 Processor Role

Quickfix AI acts as a Processor with respect to Personal Data submitted to the Service. You, as the Customer, act as the Controller and are responsible for ensuring that you have a lawful basis for processing Personal Data.

3.2 Processing Activities

We process Personal Data only as necessary to provide the Service, which includes:

  • Processing system diagnostic data to generate reports
  • Providing AI-powered analysis and recommendations
  • Storing diagnostic reports temporarily (24 hours)
  • Detecting and preventing fraud or abuse

4. Data Processing Principles

We process Personal Data in accordance with the following principles:

  • Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner.
  • Purpose limitation: We process data only for the specified, explicit, and legitimate purposes outlined in this DPA and our Privacy Policy.
  • Data minimization: We collect and process only the data necessary to provide the Service.
  • Accuracy: We take reasonable steps to ensure Personal Data is accurate and kept up to date.
  • Storage limitation: We retain Personal Data only as long as necessary (24 hours for diagnostic reports).
  • Integrity and confidentiality: We implement appropriate security measures to protect Personal Data.

5. Customer Responsibilities

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis to process and share Personal Data with us
  • Complying with all applicable data protection laws
  • Providing any required notices to Data Subjects
  • Ensuring the accuracy of Personal Data submitted to the Service
  • Not submitting sensitive personal data unless explicitly permitted

6. Processor Obligations

As the Processor, we commit to:

  • Process Personal Data only on your documented instructions
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Only engage Sub-processors with appropriate safeguards
  • Assist you in responding to Data Subject requests
  • Delete Personal Data upon termination of services (automatic after 24 hours)
  • Make available information necessary to demonstrate compliance

7. Security Measures

7.1 Technical Measures

We implement industry-standard technical security measures, including:

  • Encryption for all data in transit using TLS
  • Encryption of data at rest
  • Secure backup and disaster recovery procedures
  • Access controls limiting access to Personal Data to authorized personnel only

7.2 Organizational Measures

We implement organizational security measures, including:

  • Employee confidentiality agreements
  • Incident response and data breach notification procedures
  • Vendor security assessments for Sub-processors

8. Sub-processors

You authorize us to engage the following categories of Sub-processors:

  • Cloud infrastructure providers: For hosting and storing data
  • AI service providers: For processing diagnostic data and generating recommendations
  • Analytics providers: For anonymized usage analytics

We ensure that all Sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA.

9. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Right of access: Providing Data Subjects with copies of their Personal Data
  • Right to rectification: Correcting inaccurate Personal Data
  • Right to erasure: Deleting Personal Data ("right to be forgotten")
  • Right to restriction: Restricting processing of Personal Data
  • Right to data portability: Providing Personal Data in a structured, machine-readable format
  • Right to object: Objecting to certain types of processing

10. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide you with sufficient information to allow you to meet any obligations to report the breach
  • Cooperate with you and take reasonable steps to remediate the breach

11. Data Transfers

Personal Data may be transferred to and processed in countries outside of the European Economic Area (EEA) or your country of residence. We ensure that such transfers comply with applicable data protection laws.

For transfers of Personal Data from the EEA or UK to countries without an adequacy decision, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other legally approved mechanisms

12. Data Retention and Deletion

We retain Personal Data as outlined in our Privacy Policy:

  • Diagnostic reports: Automatically deleted after 24 hours
  • Anonymized benchmark data: May be retained indefinitely (cannot identify individuals)

Upon your request, we will delete Personal Data immediately. You may request deletion by contacting us.

13. Term and Termination

This DPA will remain in effect for as long as we process Personal Data on your behalf. Upon termination of the Service, the terms of this DPA will continue to apply until all Personal Data has been deleted (automatic after 24 hours).

14. Contact Information

For questions about this Data Processing Agreement or to exercise your rights, please contact us.

This Data Processing Agreement is incorporated into and forms part of the Terms of Service between you and Quickfix AI. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict.
