Data Processing Agreement

Last Updated: June 9, 2026

Effective Date: June 9, 2026

Table of Contents

1. Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between QFlow Inc. ("Processor") and the subscribing organization ("Controller"). This DPA governs the processing of Personal Data in connection with the Services.

The following terms have the meanings set forth below:

  • "Personal Data" means any information relating to an identified or identifiable natural person submitted to the Services by or on behalf of Controller
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure
  • "Data Subject" means the individual to whom Personal Data relates (e.g., customers using Controller's queue management system)
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data
  • "Processor" means QFlow, the entity that Processes Personal Data on behalf of Controller
  • "Sub-Processor" means any third party engaged by Processor to Process Personal Data
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, HIPAA (where applicable), and similar laws
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses for the transfer of personal data to third countries approved by the European Commission

2. Scope of Processing & Roles

2.1 Roles

Under this DPA, Controller acts as the data controller and Processor acts as the data processor. Controller is solely responsible for determining the purposes and means of Processing Personal Data. Processor will Process Personal Data only on behalf of and in accordance with Controller's documented instructions.

2.2 Subject Matter & Duration

The subject matter of Processing is the provision of queue management services as described in the Terms of Service. Processing will continue for the duration of the subscription term and the post-termination data retention period.

2.3 Nature and Purpose of Processing

Processor will Process Personal Data to:

  • Provide queue management and customer flow services
  • Generate tickets and manage appointments
  • Send notifications (SMS, email, push) to Data Subjects
  • Generate analytics and reports for Controller
  • Provide technical support and troubleshooting
2.4 Categories of Data Subjects
  • Customers of Controller using queue management services
  • Employees or staff of Controller managing queues
  • Visitors to Controller's physical locations
2.5 Types of Personal Data

The Services may Process the following categories of Personal Data:

Category Examples
Identification Data Name, email address, phone number, customer ID
Service Data Service type, appointment time, queue position, wait time
Technical Data IP address, device ID, browser type, mobile app usage
Communication Data SMS/email notification preferences and history
Special Categories (if applicable) Health data (HIPAA-covered entities only), as authorized by Controller

3. Processing Instructions

3.1 Documented Instructions

Processor shall Process Personal Data only on documented instructions from Controller, including:

  • Instructions set forth in the Terms of Service and this DPA
  • Instructions provided through the Services' user interface, API, or configuration settings
  • Additional written instructions agreed upon by both parties
3.2 Limitations

Processor shall immediately inform Controller if, in its opinion, an instruction infringes Data Protection Laws or if Processor is unable to comply with the instruction.

3.3 Changes to Instructions

Controller may modify Processing instructions at any time through the Services or by written notice to Processor, provided such changes are technically feasible and do not require material changes to the Services.

4. Processor Obligations

4.1 Confidentiality

Processor shall ensure that persons authorized to Process Personal Data:

  • Are subject to confidentiality obligations (contractual or statutory)
  • Receive appropriate data protection training
  • Access Personal Data only on a need-to-know basis
4.2 Compliance with Data Protection Laws

Processor shall comply with all applicable Data Protection Laws in its Processing of Personal Data, including implementing appropriate technical and organizational measures.

4.3 Assistance to Controller

Processor shall provide reasonable assistance to Controller to:

  • Respond to Data Subject rights requests (see Section 7)
  • Comply with Controller's obligations under Data Protection Laws
  • Conduct Data Protection Impact Assessments (DPIAs) where required
  • Consult with supervisory authorities when required

Controller shall reimburse Processor for reasonable costs incurred in providing such assistance, except for assistance related to Data Subject access requests which is included in the Services.

5. Security Measures

5.1 Technical and Organizational Measures

Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

5.2 Security Measures Include
Access Controls
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for all users
  • Unique user credentials (no shared accounts)
  • Regular access reviews and revocation upon termination
  • Principle of least privilege enforcement
Encryption
  • AES-256 encryption at rest for all Personal Data
  • TLS 1.3 encryption in transit
  • Encrypted database backups
  • End-to-end encryption for sensitive communications
  • Regular encryption key rotation
Network Security
  • Firewalls and intrusion detection systems
  • DDoS protection and rate limiting
  • Network segmentation and isolation
  • Vulnerability scanning and penetration testing
  • Security patch management
Monitoring & Logging
  • 24/7 security monitoring (SOC)
  • Comprehensive audit logs (1-year retention)
  • Automated threat detection and response
  • Real-time security alerts
  • Log integrity protection (immutability)
Data Protection
  • Daily automated backups (30-day retention)
  • Disaster recovery plan (RTO: 4 hours, RPO: 1 hour)
  • Data pseudonymization where feasible
  • Secure data disposal procedures
  • Geographic data residency controls
Personnel Security
  • Background checks for employees with data access
  • Regular security awareness training
  • Confidentiality agreements for all personnel
  • Incident response training and drills
  • Segregation of duties for sensitive operations
5.3 Security Certifications

Processor maintains the following security certifications:

  • Security controls: Regular review of technical and organizational security measures
  • Information security: Documented information-security management practices
  • HIPAA Compliance: For healthcare customers (BAA required)
  • PCI DSS Level 1: For payment processing (via certified Sub-Processors)
5.4 Security Updates

Processor may update its security measures from time to time, provided such updates do not result in degradation of the overall security of the Services.

6. Sub-Processors

6.1 Authorization

Controller provides general authorization for Processor to engage Sub-Processors to assist in providing the Services, subject to the conditions in this section.

6.2 Current Sub-Processors

Processor maintains a list of current Sub-Processors at qflow.io/subprocessors, including:

Sub-Processor Service Location
Amazon Web Services (AWS) Cloud hosting infrastructure United States (or as selected by Controller)
Twilio Inc. SMS and voice notification services United States
SendGrid (Twilio) Email delivery services United States
Stripe, Inc. Payment processing (PCI DSS certified) United States
LogRocket, Inc. Application monitoring and support United States
6.3 Sub-Processor Obligations

Processor shall ensure that each Sub-Processor:

  • Is bound by written agreement imposing data protection obligations equivalent to those in this DPA
  • Implements appropriate technical and organizational security measures
  • Complies with applicable Data Protection Laws
  • Processes Personal Data only for the purposes authorized by Controller
6.4 New Sub-Processors

Processor will notify Controller of any intended changes concerning the addition or replacement of Sub-Processors via:

  • Email notification to Controller's account administrator
  • Update to the Sub-Processor list 30 days before engagement
  • In-app notification for active users
6.5 Objection Rights

Controller may object to a new Sub-Processor on reasonable data protection grounds by notifying Processor within 30 days of notification. If Controller objects, the parties shall work together in good faith to find a resolution. If no resolution is found, Controller may terminate the affected Services with 30 days' notice and receive a pro-rata refund.

6.6 Processor Liability

Processor remains liable to Controller for the performance of Sub-Processor obligations under this DPA.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Taking into account the nature of the Processing, Processor shall assist Controller in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under Data Protection Laws, including:

  • Access: Provide copies of Personal Data
  • Rectification: Correct inaccurate or incomplete Personal Data
  • Erasure: Delete Personal Data ("right to be forgotten")
  • Restriction: Restrict Processing in certain circumstances
  • Portability: Export Personal Data in structured, machine-readable format
  • Objection: Object to Processing for certain purposes
7.2 Request Handling Process

If Processor receives a Data Subject request directly, it shall:

  • Promptly notify Controller within 2 business days
  • Not respond to the Data Subject without Controller's prior written authorization
  • Redirect the Data Subject to Controller where appropriate
7.3 Tools and Assistance

The Services provide self-service tools for Controller to respond to Data Subject requests, including:

  • Data export functionality (CSV, JSON formats)
  • Personal Data search and retrieval
  • Data modification and deletion capabilities
  • Processing restriction controls

For requests requiring additional assistance beyond self-service tools, Controller may contact privacy@qflow.io. Processor will respond within 10 business days.

8. International Data Transfers

8.1 Data Residency

Personal Data is primarily hosted in the United States (AWS US-East-1 region) unless Controller selects a different region during account setup. Available regions include:

  • United States (US-East-1, US-West-2)
  • European Union (EU-Central-1 - Frankfurt)
  • United Kingdom (EU-West-2 - London)
  • Canada (CA-Central-1 - Montreal)
  • Australia (AP-Southeast-2 - Sydney)
8.2 Transfers from the EEA

For transfers of Personal Data from the European Economic Area (EEA), UK, or Switzerland to countries without an adequacy decision, Processor implements the following safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission-approved Module 2 (Controller to Processor) SCCs are incorporated into this DPA
  • Supplementary Measures: Additional technical and organizational measures as required by the Schrems II decision
  • Transfer Impact Assessment: Regular assessments of data transfer risks and mitigation measures
8.3 SCC Terms

The Standard Contractual Clauses are deemed executed as follows:

  • Module: Module 2 (Controller to Processor)
  • Clause 7 (Docking Clause): Optional clause applies
  • Clause 9(a) (Use of Sub-Processors): General authorization with objection rights (Option 2)
  • Clause 11(a) (Redress): Optional language applies
  • Clause 17 (Governing Law): Laws of Ireland
  • Clause 18 (Choice of Forum): Courts of Ireland
8.4 UK Addendum

For UK data transfers, the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum) applies.

9. Audits & Compliance

9.1 Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Controller or an independent auditor mandated by Controller.

9.2 Audit Process

Controller may exercise audit rights by:

  • Reviewing Certifications: Access to available security documentation describing our security practices (no additional cost)
  • Questionnaires: Complete standardized security questionnaires (no additional cost, annually)
  • On-Site Audits: Physical or virtual audits with 30 days' advance notice (Controller bears reasonable costs; maximum once per year unless breach suspected)
9.3 Audit Limitations

Audits must:

  • Be conducted during normal business hours
  • Not disrupt Processor's business operations
  • Respect confidentiality of other customers' data and Processor's confidential information
  • Be subject to execution of Processor's standard NDA
9.4 Remediation

If an audit reveals non-compliance, Processor shall implement corrective measures within a timeframe agreed by both parties (no longer than 90 days for critical issues).

10. Data Breach Notification

10.1 Notification Obligations

Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller's data. Notification shall be provided within:

  • 24 hours: Initial notification for confirmed breaches
  • 72 hours: Full incident report with details below
10.2 Notification Contents

Breach notifications shall include:

  • Nature of the breach (categories and approximate number of affected Data Subjects and records)
  • Name and contact details of Processor's data protection officer or security contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate potential adverse effects
  • Timeline of the incident and investigation status
10.3 Cooperation

Processor shall cooperate with Controller and provide reasonable assistance in investigating the breach, notifying affected Data Subjects and supervisory authorities, and mitigating harm.

10.4 Incident Response

Processor maintains a documented incident response plan including:

  • Breach detection and classification procedures
  • Incident response team roles and responsibilities
  • Containment and remediation protocols
  • Communication and escalation procedures
  • Post-incident review and lessons learned process

11. Deletion and Return of Personal Data

11.1 Post-Termination Obligations

Upon termination of the Services or upon Controller's written request, Processor shall, at Controller's choice:

  • Return: Export and provide all Personal Data to Controller in a structured, commonly used, machine-readable format (CSV or JSON), or
  • Delete: Securely delete all Personal Data and provide written certification of deletion
11.2 Timeline
  • Export Window: Controller has 30 days from termination to export data via self-service tools
  • Deletion: Processor will delete all Personal Data within 90 days of termination or export completion, whichever is earlier
  • Backup Retention: Data in backups will be deleted within 30 days of backup rotation (maximum 60 days total)
11.3 Exceptions

Processor may retain Personal Data to the extent required by applicable law, provided such data:

  • Is isolated and protected from further Processing
  • Is retained only for the duration required by law
  • Is subject to appropriate security safeguards
11.4 Anonymized Data

Processor may retain anonymized data (data that can no longer identify Data Subjects) for analytical and product improvement purposes without obligation to delete.

12. Liability and Indemnification

12.1 Liability Cap

Each party's liability under this DPA shall be subject to the limitation of liability provisions in the Terms of Service, except where prohibited by Data Protection Laws.

12.2 GDPR Liability

For Processing subject to GDPR, each party's liability shall be determined in accordance with GDPR Article 82:

  • Each party is liable for damages caused by Processing that infringes the GDPR
  • Processor is exempt from liability if it proves it is not in any way responsible for the damage
  • Where multiple parties are responsible, each party is liable for the entire damage to ensure effective compensation
12.3 Indemnification

Subject to the Terms of Service:

  • Processor Indemnity: Processor shall indemnify Controller for claims arising from Processor's breach of this DPA or Data Protection Laws
  • Controller Indemnity: Controller shall indemnify Processor for claims arising from Controller's Processing instructions that violate Data Protection Laws
12.4 Regulatory Fines

In the event of a supervisory authority fine:

  • Each party bears responsibility for fines attributable to its own violations
  • Processor bears fines for violations of its obligations as a processor under Data Protection Laws
  • Controller bears fines for violations of its obligations as a controller
Questions or Concerns?

For questions regarding this Data Processing Agreement or to report a data protection concern, please contact:

Data Protection Officer

Email: dpo@qflow.io

Phone: available on request

Mail: QFlow Inc., Attn: Data Protection Officer — registered address available on request