Data processing agreement

1. Introduction

This Data Processing Agreement ("DPA") is entered into between Quickfix AI ("Processor," "we," or "us") and you ("Controller" or "Customer") and forms part of the Terms of Service governing the use of our Service.

This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA").

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Quickfix AI on behalf of the Customer.
• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of the Controller.
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data.
• "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.

3. Scope and roles

3.1 Processor Role

Quickfix AI acts as a Processor with respect to Personal Data submitted to the Service. You, as the Customer, act as the Controller and are responsible for ensuring that you have a lawful basis for processing Personal Data.

3.2 Processing Activities

We process Personal Data only as necessary to provide the Service, which includes:

• Processing text inputs to generate AI-powered replies
• Maintaining account information and authentication
• Tracking usage statistics for billing and service provision
• Providing customer support
• Detecting and preventing fraud or abuse

4. Data processing principles

We process Personal Data in accordance with the following principles:

• Lawfulness, fairness, and transparency: We process data lawfully, fairly, and in a transparent manner.
• Purpose limitation: We process data only for the specified, explicit, and legitimate purposes outlined in this DPA and our Privacy Policy.
• Data minimization: We collect and process only the data necessary to provide the Service.
• Accuracy: We take reasonable steps to ensure Personal Data is accurate and kept up to date.
• Storage limitation: We retain Personal Data only as long as necessary for the purposes outlined in our Privacy Policy.
• Integrity and confidentiality: We implement appropriate security measures to protect Personal Data.

5. Customer responsibilities

As the Controller, you are responsible for:

• Ensuring you have a lawful basis to process and share Personal Data with us
• Complying with all applicable data protection laws
• Providing any required notices to Data Subjects
• Obtaining any necessary consents from Data Subjects
• Ensuring the accuracy of Personal Data submitted to the Service
• Not submitting sensitive personal data (e.g., health data, financial data) unless explicitly permitted

6. Processor obligations

As the Processor, we commit to:

• Process Personal Data only on your documented instructions
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Only engage Sub-processors with your prior written authorization
• Assist you in responding to Data Subject requests
• Assist you in ensuring compliance with data protection obligations
• Delete or return Personal Data upon termination of services, as requested
• Make available information necessary to demonstrate compliance

7. Security measures

7.1 Technical Measures

We implement industry-standard technical security measures, including:

• End-to-end encryption for all data in transit using TLS 1.3
• Encryption of sensitive data at rest using AES-256
• Secure authentication mechanisms with JWT tokens
• Regular security audits and penetration testing
• Automated vulnerability scanning
• Secure backup and disaster recovery procedures

7.2 Organizational Measures

We implement organizational security measures, including:

• Access controls limiting access to Personal Data to authorized personnel only
• Employee confidentiality agreements
• Regular security awareness training for employees
• Incident response and data breach notification procedures
• Vendor security assessments for Sub-processors

8. Sub-processors

8.1 Authorization

You authorize us to engage the following categories of Sub-processors:

• Cloud infrastructure providers: For hosting and storing data
• AI service providers: For processing text inputs and generating responses
• Payment processors: For processing subscription payments (Stripe)
• Analytics providers: For anonymized usage analytics

8.2 Sub-processor Requirements

We ensure that all Sub-processors:

• Are bound by written agreements imposing data protection obligations equivalent to those in this DPA
• Implement appropriate technical and organizational security measures
• Comply with applicable data protection laws
• Process Personal Data only for the purposes specified by us

8.3 Changes to Sub-processors

We will notify you of any intended changes concerning the addition or replacement of Sub-processors. You may object to such changes on reasonable grounds relating to data protection. If we cannot accommodate your objection, you may terminate the relevant Service.

9. Data subject rights

We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under data protection laws, including:

• Right of access: Providing Data Subjects with copies of their Personal Data
• Right to rectification: Correcting inaccurate Personal Data
• Right to erasure: Deleting Personal Data ("right to be forgotten")
• Right to restriction: Restricting processing of Personal Data
• Right to data portability: Providing Personal Data in a structured, machine-readable format
• Right to object: Objecting to certain types of processing

You are responsible for responding to Data Subject requests. We will provide reasonable assistance upon your written request.

10. Data breach notification

In the event of a Personal Data breach, we will:

• Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the breach
• Provide the following information: nature of the breach, categories and approximate number of affected Data Subjects and records, contact point for more information, likely consequences, and measures taken or proposed to address the breach
• Cooperate with you and take reasonable commercial steps to remediate the breach

11. Data transfers

11.1 International Transfers

Personal Data may be transferred to and processed in countries outside of the European Economic Area (EEA) or your country of residence. We ensure that such transfers comply with applicable data protection laws.

11.2 Transfer Mechanisms

For transfers of Personal Data from the EEA or UK to countries without an adequacy decision, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) or Addendum to SCCs
• Other legally approved mechanisms

12. Audit rights

We will make available to you information necessary to demonstrate compliance with this DPA. Upon your written request and subject to reasonable notice and confidentiality obligations, we will allow for and contribute to audits or inspections conducted by you or an independent auditor.

Audit requests should be made no more than once per year unless required by a supervisory authority. You will be responsible for all costs associated with such audits.

13. Data retention and deletion

13.1 Retention Periods

We retain Personal Data as outlined in our Privacy Policy:

• Account data: Retained until account deletion
• Usage statistics: Retained for 12 months
• Payment records: Retained for 7 years (legal requirement)
• Conversation content: Not stored (processed in real-time and immediately deleted)

13.2 Deletion Upon Termination

Upon termination of the Service or upon your request, we will delete or return all Personal Data within 30 days, except where we are required by law to retain certain information. You may request deletion by contacting us at help.quickfix.ai.

14. Limitation of liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall exclude or limit either party's liability for matters that cannot be excluded or limited under applicable law.

15. Term and termination

This DPA will remain in effect for as long as we process Personal Data on your behalf. Upon termination of the Service, the terms of this DPA will continue to apply until all Personal Data has been deleted or returned.

Either party may terminate this DPA if the other party materially breaches any provision and fails to remedy the breach within 30 days of written notice.

16. Contact information

For questions about this Data Processing Agreement or to exercise your rights, please visit our help center.