Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated by reference into and forms an integral part of the Terms of Use ("Terms") of Quotalogic.io. By accepting the Terms of Use at https://app.quotalogic.io/legal/terms, you enter into this DPA with:
Quotalogic Oy (Y-tunnus 3385013-2, VAT-ID/ALV: FI33850132), having its registered address at Ranta-Tampellan katu 11 A 29, 33180, TAMPERE, Finland (the “Processor”, “we”, “us”, “our”).
and
The natural or legal person, public authority, agency or other body accepting the Terms of Service (the “Controller”, “you”, “your”).
whereas:
(A) The Controller has determined the purposes and means of the processing of Personal Data as described in this DPA;
(B) The Controller wishes to engage the Processor to process Personal Data on its behalf;
(C) The parties seek to implement a data processing agreement that complies with the requirements of Article 28(3) of the General Data Protection Regulation (EU) 2016/679.
Now therefore, the parties have agreed as follows:
1. Definitions
1.1. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.2. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) as defined in Article 4(1) GDPR that is processed by the Processor on behalf of the Controller under this DPA.
1.3. “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.
1.4. “Supervisory Authority” means an independent public authority established pursuant to Article 51 GDPR.
1.5. “Technical and Organizational Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of Processing.
2. Term and Duration
2.1. This DPA sets out the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller.
2.2. This DPA shall commence on the date the Controller accepts the Terms of Service and shall continue in force until the termination or expiry of the principal service agreement between the parties.
3. Processing Operations
3.1. The Processor shall carry out Processing operations including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, use, disclosure by transmission, dissemination, alignment, combination, restriction, and erasure or destruction.
3.2. The purpose of Processing is to provide the Controller with Quotalogic’s services (including all functionality made available on https://quotalogic.io and its subdomains (including app.quotalogic.io)), which may include managing performance data, generating reports, and providing system access and support.
4. Personal Data Categories
4.1. Personal identification data such as name, email address, business phone number, department, and job title.
4.2. Professional data including performance metrics, targets and quotas, roles and assignments.
4.3. Financial/transactional data as necessary for the services (e.g., subscription/billing metadata—no card data is stored by the Processor).
4.4. Technical data including login identifiers, system access logs, IP addresses, and usage data.
4.5. Data Subjects may include the Controller’s employees, contractors, administrators, and end users.
5. Controller Obligations
5.1. The Controller shall ensure that the Processing of Personal Data meets the requirements of GDPR and ensures the protection of Data Subject rights.
5.2. The Controller shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. The Controller shall implement appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk.
6. Processor Obligations
6.1. The Processor shall process Personal Data solely on documented instructions from the Controller, including with regard to transfers to third countries or international organizations, unless required by EU or Member State law.
6.2. The Processor shall ensure that authorized persons processing Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. The Processor shall implement measures required by Article 32 GDPR, including implementing technical and organizational measures, ensuring system confidentiality and integrity, regular security testing, data encryption, and maintaining backup procedures.
6.4. The Processor shall assist the Controller in responding to Data Subject requests and ensuring compliance with GDPR Articles 32–36.
6.5. The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours (target response time) of becoming aware of a Personal Data breach and provide relevant breach information and investigation support.
6.6. The Processor shall assist in preparing breach notifications, implementing communication channels, and documenting communications regarding Data Subject matters.
6.7. Upon termination of services, the Processor shall delete or return all Personal Data and destroy existing copies, unless otherwise required by law.
7. Technical and Security Measures
7.1. The Processor shall conduct regular security assessments and system updates.
7.2. The Processor shall implement and maintain access control and authentication systems.
7.3. The Processor shall ensure encryption of data both at rest and in transit.
7.4. The Processor shall implement network security measures and maintain physical security controls.
7.5. The Processor shall develop and maintain business continuity and disaster recovery plans.
7.6. The Processor shall conduct regular staff training and implement security awareness programs.
8. Sub-processor Management
8.1. The Controller provides general authorization for the Processor to engage sub-processors, subject to maintaining an up-to-date list and providing at least 30 days’ advance notification of changes.
8.2. All sub-processors must process data only on documented instructions, implement appropriate security measures, assist in fulfilling GDPR obligations, and allow for audits and inspections.
8.3. The Processor’s current sub-processors engaged in the Processing of Personal Data are:
- Scaleway SAS
Role: Cloud hosting and storage provider
Address: BP 438, 75366 – Paris CEDEX 08, France
VAT: FR 35 433 115 904
Data Processed: Application hosting; storage of account data, authentication identifiers, service usage data.
Data Location: EU (France).
- Cloudflare, Inc. (with EU entity: Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München, Germany; VAT: DE319501868)
Role: CDN, reverse proxy, DDoS protection, DNS
Data Processed: IP addresses and HTTP request metadata; encrypted traffic in transit for security/performance.
Data Location: Primarily EU PoPs; limited transient processing outside the EEA subject to SCCs/Data Privacy Framework.
- Paddle.com Market Limited
Role: Merchant of Record & payment processing (billing and payout support)
Address: Judd House, 18–29 Mora Street, London, EC1V 8BT, United Kingdom
Company No: 08172165; VAT: GB150848114
Data Processed: Customer contact and transaction data necessary for billing (no payment card data stored by the Processor).
Data Location: UK & EEA; international transfers under SCCs.
8.4. The Controller may object on reasonable grounds to a new sub-processor within 30 days of notice. If no reasonable objection is raised, the sub-processor shall be deemed approved.
8.5. Certain services available on our public marketing website (e.g., YouTube video embeds) may be provided by independent third-party controllers. These services are not engaged as sub-processors, and any data collected through them is processed under the third party’s own privacy policies.
9. International Data Transfers
9.1. Transfers of Personal Data to third countries shall occur only where permitted under GDPR Chapter V, including based on an adequacy decision by the European Commission or appropriate safeguards such as the EU Standard Contractual Clauses (SCCs), binding corporate rules, approved codes of conduct, certification mechanisms, and, where applicable, participation in the EU–U.S. Data Privacy Framework.
9.2. Before any such transfer, the Processor shall conduct a documented risk assessment, analyze the recipient country’s laws, implement supplementary measures where necessary, and conduct regular reviews.
10. Data Subject Rights
10.1. The Processor shall implement systems to enable Data Subjects to exercise their rights of access, rectification, erasure, restriction of Processing, data portability, and objection.
10.2. The Processor shall provide multiple channels for request submission including web forms, email, API endpoints, and account interfaces.
10.3. The Processor will acknowledge requests without undue delay (target initial acknowledgement within 24 hours) and support their resolution within one month, unless an extension is required under GDPR.
10.4. The Processor shall maintain documentation of all requests, actions taken, and communications.
11. Security Incident Management
11.1. The Processor shall maintain detection and classification procedures, containment and recovery measures, investigation protocols, and documentation requirements for security incidents.
11.2. The Processor shall notify the Controller without undue delay and, where feasible, within 24 hours (target) of any breach, provide detailed incident reports, and support notifications to authorities and Data Subjects as required.
12. Audit and Compliance
12.1. The Controller may conduct regular audits with 30 days’ notice or special audits in case of incidents, subject to reasonable scheduling and confidentiality obligations.
12.2. The Processor shall maintain records of security measures, Processing activities, training, incidents, and sub-processor agreements.
13. Liability
13.1. The Processor shall be liable for failures to comply with GDPR obligations applicable to processors, for acting outside the Controller’s documented instructions, for sub-processor breaches where the Processor has failed to meet its obligations under Article 28, and for security incidents caused by its negligence or willful misconduct.
14. Termination
14.1. Upon termination, the Processor shall, at the Controller’s choice, return or delete all Personal Data, obtain certification of actions, ensure sub-processor compliance, and provide reasonable transition support.
14.2. Post-termination obligations include continuing confidentiality, record retention as required by law, compliance documentation, and final security measures.
Technical Appendix 1: Security Measures
A.1. Access control: multi-factor authentication, role-based access control, regular access reviews, strong password policies.
A.2. Encryption: AES-256 for data at rest; TLS 1.3 for data in transit; documented key management procedures.
A.3. Network security: firewalls, IDS/IPS, vulnerability scanning, penetration testing, DDoS protection.
A.4. Physical security (at hosting providers): access control systems, CCTV, environmental controls, asset management.
Technical Appendix 2: Incident Response
B.1. Incident severity classes and target response times (working hours, Monday—Friday, 09:00 — 17:00):
- Critical — 8 hours (target)
- High — 16 hours (target)
- Medium — 48 hours (target)
- Low — 40 hours (target)
B.2. Procedures include initial assessment, containment measures, investigation, remediation, and post-incident review.
15. Contact Information
Quotalogic Oy (Y-tunnus 3385013-2, VAT-ID/ALV: FI33850132),
registered address: Ranta-Tampellan katu 11 A 29, 33180, TAMPERE, Finland.
Email: [email protected]