CMS-connected SEO/GEO content operations system. One workspace for creation, refresh, review, CMS delivery, analytics, and audit.


Data Processing Agreement

Version 1.0 — Last updated: April 2026

Template notice. This DPA is a good-faith template modelled on the EU Standard Contractual Clauses (SCCs) and GDPR Art. 28. It should be reviewed and, where required, countersigned by qualified legal counsel before being relied upon in any regulated context. If you need a signed counterparty copy, email legal@qace.app.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Customer — the entity that has contracted with QACE for the Services (the controller).
  • QACE — the entity operating the platform (the processor).

This DPA is incorporated by reference into the Terms of Service and forms an integral part of the commercial relationship between the parties. In the event of conflict between the Terms of Service and this DPA with respect to the processing of personal data, this DPA prevails.

2. Subject matter and duration

QACE processes personal data on behalf of Customer solely for the purpose of providing the Services described in the Terms of Service (content generation, publishing, analytics, support). Processing begins when Customer’s client workspace is activated and ends when the workspace is deleted or the agreement is terminated, with a wind-down period of 30 days for data export.

3. Nature and purpose of processing

Nature of processing: Storage, transmission, transformation and deletion of personal data inside the platform; invocation of AI providers with Customer-supplied API keys; delivery of generated content to Customer-connected CMS.
Purpose of processing: Performance of the Services as defined in the Terms, including article generation, team collaboration, analytics and reporting.
Types of data: Account data (emails, display names, role, 2FA secrets), usage telemetry, content (articles, prompts, personas, templates), encrypted third-party API keys, connected CMS access tokens.
Categories of data subjects: Customer’s employees, freelancers and contractors with access to the client workspace; end-user data that Customer chooses to import (if any).
Duration: For the term of the Services plus a 30-day wind-down period.

4. Obligations of the processor

  • Process personal data only on documented instructions from Customer, including the instructions embedded in the Terms of Service and the platform UI.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see Annex II) to ensure a level of security appropriate to the risk.
  • Respect the conditions in Art. 28(2) and (4) GDPR for engaging sub-processors (see section 6).
  • Assist Customer in responding to data subject rights requests (Chap. III GDPR) by providing export, deletion and audit-log tooling inside the platform.
  • Assist Customer in ensuring compliance with Art. 32 to 36 GDPR taking into account the nature of processing and the information available to the processor.
  • At Customer’s choice, delete or return all personal data after the end of the provision of services.
  • Make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits.

5. Data breach notification

QACE will notify Customer without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer’s data. The notification will include, to the extent known at the time, a description of the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects.

6. Sub-processors

Customer provides general authorisation for QACE to engage the sub-processors listed in Annex I. QACE will inform Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. Customer may object to such changes within 15 days of notification; if the objection cannot be resolved, Customer may terminate the affected part of the Services without penalty.

7. International transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom to a country that is not the subject of an adequacy decision, such transfer is performed under the EU Standard Contractual Clauses (Module 2 or 3, as applicable), which are hereby incorporated by reference. Customer appoints QACE to execute the SCCs on its behalf with any affected sub-processor.

8. Audits

Customer may audit QACE’s compliance with this DPA once per calendar year, on at least 30 days’ prior notice, at Customer’s expense, during regular business hours, in a manner that does not disrupt the Services, and subject to confidentiality. QACE may satisfy audit obligations by providing third-party reports, certifications, or security questionnaires where available.

9. Liability

Each party’s liability under this DPA is governed by and subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits or excludes either party’s liability where such limitation would be unlawful.

Annex I — List of sub-processors

The current sub-processors are listed below. The list is maintained in-product under Admin → Legal → Sub-processors and Customer is notified of any change by email at least 30 days in advance.

Sub-processor | Purpose | Region
Supabase | Managed Postgres database, authentication, storage | EU or US (client choice)
Vercel | Application hosting and edge network | Global (EU primary)
Trigger.dev | Background jobs (article generation pipeline) | EU / US
Upstash | Rate limiting cache (Redis) | EU or US (client choice)
Resend | Transactional email delivery | EU / US
Sentry | Error reporting with secrets pre-scrubbed | EU / US (configurable)

Third-party AI providers invoked with Customer-supplied API keys (Anthropic, OpenAI, Gemini, Pinecone, DataForSEO, Placid, etc.) are not sub-processors of QACE; they are independent controllers with which Customer has its own contractual relationship.

Annex II — Technical and organisational measures

  • Transport encryption (TLS 1.2+) on all connections to and from the platform.
  • At-rest encryption of sensitive credentials (AES-256-GCM with scrypt key derivation), distinct from the database-level disk encryption.
  • Row-level security (RLS) policies on every multi-tenant table, enforcing that a given user can only access data belonging to clients they are members of.
  • Service-role database access restricted to backend processes; no direct service-role exposure to end users.
  • Optional two-factor authentication (TOTP) for administrator accounts, password strength policy, and rate limiting on authentication endpoints.
  • Secret rotation procedure documented in docs/secret-rotation.md and executable via scripts/reencrypt-secrets.ts.
  • Point-in-Time Recovery backups at the database layer with documented restore procedure.
  • Error reporting via Sentry with automatic scrubbing of API keys, tokens, passwords and encrypted fields before transmission.
  • Audit log of sensitive events (invites, role changes, API key operations, impersonation, data export, data deletion), with an immutable trigger at the database layer.
  • Documented incident response runbook (docs/runbook.md).
  • Principle of least privilege applied to all staff access. Production access is logged.