
Data Processing Agreement

Effective April 20, 2026 · Last updated April 20, 2026

This Data Processing Agreement ("DPA") forms part of your engagement agreement with Quandry Labs, Inc. ("Processor") and governs the processing of personal data on behalf of you ("Controller"). Terms not defined here have the meanings given in the GDPR.

1. Scope and Roles

This DPA applies to the processing of personal data by Processor in the course of delivering consulting services under the engagement agreement. Controller determines the purposes and means of processing; Processor processes data on Controller's instructions only.

2. Data Details

| Element | Description |
| --- | --- |
| Categories of data subjects | Controller's employees, contractors, customers, and end users whose data is present in the systems Processor accesses during engagement |
| Categories of personal data | Names, email addresses, job titles, IP addresses, security event data, log entries, and other personal data present in Controller's security tooling |
| Sensitive data | None anticipated. If encountered, Processor will notify Controller immediately and handle per Controller's instructions |
| Purposes of processing | Delivering consulting services as defined in the engagement agreement: system integration, automation design, AI workflow build, gap analysis |

3. Processor Obligations

Processor shall:

  • Process personal data only on documented instructions from Controller, including transfers to third countries, unless required by EU or member state law
  • Ensure persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation
  • Implement appropriate technical and organizational measures as described in Section 5
  • Not engage another processor without Controller's prior written authorization
  • Assist Controller in responding to data subject requests, taking into account the nature of the processing
  • Assist Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation)
  • Delete or return all personal data at the end of the engagement, at Controller's choice, and certify deletion
  • Make available to Controller all information necessary to demonstrate compliance and allow audits

4. Sub-processors

Controller provides prior written authorization for Processor to engage the following sub-processors:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Cloudflare, Inc. | Website hosting, DNS, security, CDN | United States |
| Google LLC | Cloud infrastructure, email | United States |
| Infisical, Inc. | Secrets management | United States |

Processor shall notify Controller of any changes to sub-processors, giving Controller the opportunity to object. An updated list is available on request.

5. Technical and Organizational Measures

Processor implements the following measures to protect personal data:

| Measure | Implementation |
| --- | --- |
| Encryption in transit | TLS 1.3 for all data in transit |
| Encryption at rest | AES-256 via infrastructure providers |
| Access control | SSO with MFA, role-based access, least privilege |
| Network security | Zero Trust architecture, Cloudflare Tunnels, no open inbound ports |
| Data minimization | We work in Controller's environment; we do not copy personal data to our infrastructure |
| Audit logging | All access to Controller's systems is logged and available for review |
| Vulnerability management | Continuous monitoring, dependency scanning, periodic penetration testing |
| Incident response | 24-hour notification, 5-business-day written report |
| Employee training | Annual security awareness training for all team members |

6. International Transfers

Where personal data is transferred outside the EEA, Processor ensures adequate safeguards through:

  • EU-US Data Privacy Framework adequacy decisions (where applicable)
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Supplementary measures including encryption, access controls, and Zero Trust architecture

Processor will sign the EU Commission's Standard Contractual Clauses (Module 2: Controller to Processor) upon request as part of the engagement agreement.

7. Data Breach Notification

In case of a personal data breach:

  • Processor notifies Controller without undue delay and no later than 24 hours after becoming aware
  • Notification includes: nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed
  • Processor cooperates with Controller in investigating and remedying the breach

8. Data Retention and Deletion

Upon termination of the engagement:

  • Processor returns all personal data to Controller in a commonly used, machine-readable format — or deletes it at Controller's choice
  • Deletion is completed within 30 days of engagement termination
  • Processor provides written certification of deletion upon request
  • Existing copies required by law may be retained, but are no longer actively processed

9. Audits

Controller may audit Processor's compliance with this DPA, subject to:

  • Reasonable notice of at least 10 business days
  • Conduct during normal business hours
  • Non-disruption of Processor's operations
  • Confidentiality obligations on audit findings

Processor will provide reasonable assistance and access to relevant systems and records.

10. Governing Law

This DPA is governed by the laws of Delaware. For GDPR-specific matters, the competent supervisory authority is determined by Controller's establishment. The European Commission and relevant supervisory authorities have jurisdiction over GDPR compliance matters.

11. Contact

For DPA inquiries or to request signed SCCs:

Quandry Labs, Inc.
Email: privacy@quandrylabs.com
Attn: Privacy / DPA
United States
