Data Processing Agreement

Last updated: 1 April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Keith Burke trading as QualiHQ ("Processor") and the customer ("Controller") and applies where QualiHQ processes personal data on behalf of the Controller in the course of providing the service.

This DPA is incorporated into and subject to the Terms of Service and Privacy Policy.

1. Definitions

"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in the GDPR (Regulation (EU) 2016/679) as applicable in Ireland.

"Services" means the QualiHQ platform provided under the Terms of Service.

2. Subject matter and nature of processing

The Processor processes personal data on behalf of the Controller solely to provide the Services as described in the Terms of Service. Processing includes storing, organising, and making available within the platform any personal data included in the content the Controller uploads or creates.

The categories of personal data processed may include names, email addresses, and any personal data included in QMS documentation, requirements, verifications, audit records, or other content submitted by the Controller.

The data subjects may include the Controller's employees, contractors, and any individuals referenced in the Controller's compliance documentation.

3. Controller obligations

The Controller warrants that it has a lawful basis for processing the personal data it submits to the Services and that it has provided all necessary notices to data subjects. The Controller is responsible for the accuracy and legality of personal data it provides to the Processor.

4. Processor obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, which are set out in these Terms and this DPA
  • Ensure that persons authorised to process the personal data are bound by appropriate confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Not engage sub-processors without prior authorisation, and ensure sub-processors are bound by equivalent obligations
  • Assist the Controller in meeting its obligations regarding data subject rights, security, breach notification, and impact assessments, to the extent reasonably practicable
  • Delete or return all personal data to the Controller at the end of the service relationship, as described in the Privacy Policy
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA

5. Authorised sub-processors

The Controller authorises the Processor to engage the following sub-processors:

  • Stripe, Inc. -- payment processing
  • Resend -- transactional email delivery
  • Groq, Inc. -- AI inference (content submitted to bootstrap features)
  • Amazon Web Services (AWS) -- application and database hosting

The Processor will notify the Controller of any intended changes to sub-processors with reasonable advance notice, giving the Controller the opportunity to object.

6. Security measures

The Processor maintains the following technical and organisational security measures:

  • Encrypted data transmission using HTTPS/TLS
  • Passwords stored as secure cryptographic hashes
  • Access controls limiting data access to authorised personnel
  • Regular software updates and security patching
  • Logical separation of customer data

7. Personal data breaches

The Processor will notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. Notification will include, to the extent available, the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

8. Data subject rights

The Processor will, to the extent reasonably practicable, assist the Controller in responding to requests from data subjects exercising their rights under GDPR. Where a data subject contacts the Processor directly, the Processor will refer them to the Controller.

9. International transfers

Where personal data is transferred to sub-processors outside the European Economic Area, the Processor ensures that appropriate safeguards are in place, including Standard Contractual Clauses where required.

10. Audit rights

The Controller may request, no more than once per year and with reasonable written notice, information necessary to demonstrate the Processor's compliance with this DPA. The Processor will respond to such requests within a reasonable timeframe.

11. Term and termination

This DPA remains in force for the duration of the service relationship. Upon termination, the Processor will delete the Controller's personal data in accordance with the retention terms in the Privacy Policy unless legal obligations require longer retention.

12. Governing law

This DPA is governed by the laws of Ireland and subject to the jurisdiction of the Irish courts.

13. Contact

Questions regarding this DPA should be directed to [email protected].