Data Processing Agreement

⚠️ PENDING LEGAL REVIEW — This is a starter template. Must be reviewed by qualified legal counsel, particularly for GDPR Article 28 compliance, before publication.

Effective date: April 20, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between Qontiv, Inc. (“Processor”) and the customer (“Controller”).

This DPA applies where Qontiv processes personal data on behalf of the Controller in connection with the Services.

1. Definitions

  • GDPR: Regulation (EU) 2016/679 and any implementing legislation.
  • Personal Data: as defined in the GDPR.
  • Processing: as defined in the GDPR.
  • Sub-processor: a third-party engaged by Qontiv to process Personal Data.

2. Processing Instructions

Qontiv shall process Personal Data only on documented instructions from the Controller, unless required by applicable law.

3. Confidentiality

Qontiv shall ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.

4. Security

Qontiv shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Procedures for testing and evaluating the effectiveness of security measures

5. Sub-processors

The Controller provides general written authorization for Qontiv to engage sub-processors. Current sub-processors are listed at www.qontiv.com/trust/subprocessors.

Qontiv will provide 30 days’ advance notice of any new sub-processor or material changes to existing sub-processors. The Controller may object to new sub-processors within this notice period.

6. Data Subject Rights

Qontiv shall promptly notify the Controller of any requests from data subjects exercising their rights under the GDPR, and shall provide reasonable assistance to the Controller in fulfilling such requests.

7. Security Incidents

Qontiv shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller data.

8. Data Protection Impact Assessments

Qontiv shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities.

9. Deletion and Return of Data

Upon termination of the Services, Qontiv shall, at the Controller’s choice, return or delete all Personal Data within 90 days.

10. Audits

Qontiv shall make available to the Controller all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits conducted by the Controller or its appointed auditor.

11. International Transfers

Where Personal Data is transferred outside the European Economic Area, Qontiv shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

12. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.

To request a signed DPA, contact legal@qontiv.com or use the “Request DPA” button on the Trust Center.