Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between:

  • You ("Customer", "Data Controller")
  • Quickest Leads ("Processor", "we", "us")

By using Quickest Leads, you agree to this DPA, which complies with GDPR Article 28.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person collected through Customer's forms (e.g., name, email, phone).

"Data Subject" means the individual whose Personal Data is being processed (e.g., person filling out Customer's contact form).

"Processing" means any operation performed on Personal Data, such as collection, storage, transmission, or deletion.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Services" means the Quickest Leads platform for real-time lead notifications.

2. Roles and Responsibilities

2.1 Customer (Data Controller)

Customer is the Data Controller responsible for:

  • Determining purposes and means of processing Personal Data
  • Ensuring lawful basis for data collection (GDPR Article 6)
  • Providing privacy notices to Data Subjects
  • Obtaining necessary consents
  • Handling Data Subject requests (access, deletion, etc.)
  • Complying with all applicable data protection laws

2.2 Quickest Leads (Data Processor)

We process Personal Data only on Customer's behalf and in accordance with Customer's documented instructions:

  • Receive form submissions via API/webhook
  • Store Personal Data in our database
  • Deliver notifications to Customer via Telegram
  • Provide Customer with dashboard access to leads
  • Delete data upon Customer's request or account termination

3. Processing Instructions

3.1 Scope of Processing

  • Subject Matter: Lead notification services
  • Duration: For the term of the subscription + 30 days
  • Nature and Purpose: Collecting, storing, and transmitting lead data to Customer
  • Type of Personal Data: Name, email, phone, form messages, IP address, timestamp
  • Categories of Data Subjects: Individuals submitting forms on Customer's websites

3.2 Documented Instructions

We process Personal Data only based on Customer's documented instructions, which include:

  • Customer's integration of our JavaScript widget or API
  • Customer's configuration in the dashboard (projects, Telegram settings)
  • This DPA and Terms of Service
  • Email requests from Customer to delete or export data

3.3 Unlawful Instructions

If we believe an instruction violates GDPR or applicable law, we will inform Customer immediately and may refuse to comply.

4. Sub-Processors

4.1 Authorized Sub-Processors

Customer authorizes use of the following sub-processors:

| Sub-Processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database hosting | USA (AWS) | DPA, SCCs, ISO 27001 |
| Stripe, Inc. | Payment processing | USA | DPA, SCCs, PCI-DSS |
| Telegram Messenger LLP | Notification delivery | UAE/Germany | Encryption in transit |
| Netlify, Inc. | Web hosting | USA | DPA, SCCs, SOC 2 |
| Meta Platforms (optional) | Facebook Lead Ads | USA | DPA, SCCs |

4.2 Changes to Sub-Processors

We will inform Customer at least 30 days before adding or replacing a sub-processor. Customer may object on reasonable data protection grounds within 15 days.

4.3 Sub-Processor Obligations

We ensure all sub-processors are bound by data protection obligations equivalent to this DPA, including appropriate security measures and confidentiality.

5. Security Measures (Article 32 GDPR)

We implement appropriate technical and organizational measures to protect Personal Data:

5.1 Technical Measures

  • Encryption in transit (HTTPS/TLS 1.3)
  • Encryption at rest (AES-256)
  • Password hashing (bcrypt)
  • Database-level access controls (Row-Level Security)
  • Regular security updates and patches
  • Automated backups with encryption
  • Network firewalls and DDoS protection

5.2 Organizational Measures

  • Limited employee access to Personal Data (need-to-know basis)
  • Confidentiality agreements with staff
  • Security awareness training
  • Incident response procedures
  • Regular security audits
  • Data minimization practices

5.3 Testing and Evaluation

We regularly test and evaluate the effectiveness of our security measures through vulnerability scans, dependency audits, and monitoring.

6. Data Subject Rights

We will assist Customer in fulfilling Data Subject requests:

6.1 Access Requests

Upon Customer's request, we will provide data about a specific Data Subject in JSON format.

6.2 Deletion Requests ("Right to be Forgotten")

We will delete Data Subject's Personal Data within 7 days of Customer's request.

6.3 Other Rights

We will reasonably assist with:

  • Rectification (correcting inaccurate data)
  • Restriction of processing
  • Data portability (export in machine-readable format)
  • Objection to processing

6.4 Timeline and Fees

We will respond to Customer's assistance requests within 7 business days. No fees for reasonable requests (excessive requests may incur charges).

7. Personal Data Breach

7.1 Notification to Customer

We will notify Customer within 48 hours of becoming aware of a Personal Data breach affecting Customer's data.

7.2 Breach Information

The notification will include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

7.3 Customer's Obligations

Customer is responsible for:

  • Notifying Data Subjects if required by GDPR (within 72 hours)
  • Reporting to supervisory authority (UODO) if required
  • Documenting the breach

8. Data Protection Impact Assessment (DPIA)

If Customer is required to conduct a Data Protection Impact Assessment (GDPR Article 35), we will provide reasonable assistance, including:

  • Information about our processing activities
  • Description of security measures
  • List of sub-processors
  • Data flow diagrams

9. Deletion or Return of Personal Data

9.1 Upon Termination

When Customer's subscription ends or account is deleted:

  • We will delete all Personal Data within 30 days
  • Customer may request data export before deletion
  • Backups will be deleted within 30 days

9.2 Exceptions

We may retain data if required by law (e.g., 10-year retention for billing records under tax law). Such data will be isolated and only used for compliance purposes.

10. Audit Rights

Customer may audit our compliance with this DPA by:

  • Requesting information about our security practices
  • Reviewing third-party audit reports (e.g., SOC 2, ISO 27001 from sub-processors)
  • Conducting on-site audits with 30 days' notice (once per year, at Customer's expense)

We will provide audit cooperation within reasonable business hours and subject to confidentiality obligations.

11. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States.

11.1 Transfer Mechanism

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the USA (Supabase, Stripe, Netlify).

11.2 Additional Safeguards

  • Encryption in transit and at rest
  • Access controls and authentication
  • Sub-processors' GDPR compliance commitments
  • Regular security assessments

12. Confidentiality

All persons authorized to process Personal Data:

  • Are bound by confidentiality obligations (contractual or statutory)
  • Receive appropriate training on data protection
  • Have signed confidentiality agreements
  • Are granted access only on a need-to-know basis

13. Liability and Indemnification

13.1 Processor Liability (GDPR Article 82)

We are liable for damages caused by processing only if we:

  • Failed to comply with GDPR obligations specifically directed at processors, OR
  • Acted outside or contrary to Customer's lawful instructions

13.2 Limitation

Our total liability under this DPA is limited to the amount paid by Customer in the last 12 months, except for damages caused by willful misconduct or gross negligence.

13.3 Customer Indemnity

Customer indemnifies us against claims arising from Customer's failure to:

  • Obtain necessary consents from Data Subjects
  • Provide adequate privacy notices
  • Comply with data protection laws as Data Controller

14. Term and Termination

14.1 Duration

This DPA remains in effect for the duration of our Terms of Service and Customer's use of our Services.

14.2 Survival

Sections 5 (Security), 7 (Data Breach), 9 (Deletion), 12 (Confidentiality), and 13 (Liability) survive termination.

15. Order of Precedence

In case of conflict:

  1. This DPA
  2. Terms of Service
  3. Privacy Policy

16. Governing Law

This DPA is governed by the laws of Poland. Disputes will be resolved in the courts of Poznań, Poland.

17. Contact Information

Data Processor:

Quickest Leads
Poland
Email: quickestleads@gmail.com

Acceptance: By using Quickest Leads, Customer accepts this Data Processing Agreement. This DPA supplements and is incorporated into the Terms of Service.

Last updated: January 2026