
Data Processing Agreement

This agreement outlines how we process and protect your data.

QUAFLOW OÜ

Version: 1.1.4 - Last updated: June 10, 2025

This Quaflow Data Processing Agreement ("Agreement") forms part of and amends the written or electronic agreement(s) ("Main Agreement") governing the use of products and services ("Services") provided by quaflow.com ("QUAFLOW OÜ"), with registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138, Estonia, to the legal entity subject to the Main Agreement ("Customer").

Capitalized terms not otherwise defined in this Agreement shall have the meanings given to them in the Main Agreement or the meaning ascribed to the corresponding terms in the applicable Data Protection Legislation.

1. DEFINITIONS

"Business", "Controller", "Processor", "Processing/Process/Processed" and "Service Provider" shall be given the meanings given to them by the applicable Data Protection Legislation.

"Data Subject" means the identified or identifiable natural person to whom Personal Information relates.

"Data Subject Request" means the exercise by Data Subjects of their rights in accordance with applicable Data Protection Legislation in respect of Personal Information.

"Data Protection Legislation" means, collectively: (i) the GDPR, (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §§ 1798.100 – 1798.199.100, and the California Consumer Privacy Act Regulations issued thereto, Cal. Code Regs. tit. 11, div. 6, ch. 1, as amended (together, the "CCPA"), (iii) the Brazilian General Data Protection Law (LGPD), (iv) the Australian Privacy Principles (APP), (v) Japan's Act on the Protection of Personal Information (APPI), (vi) India's Digital Personal Data Protection Act (DPDP), (vii) China's Personal Information Protection Law (PIPL), (viii) Quebec's Law 25, (ix) any other data protection laws, including regulations implementing or made pursuant to those laws, including those which amend, replace, re-enact, or consolidate any data protection laws, (x) applicable data breach notification statutes, and (xi) all other applicable laws relating to Processing of Personal Information and privacy that may exist in any relevant jurisdiction, to the extent applicable to the relevant Personal Information or Processing thereof under the Main Agreement.

"EEA" means the European Economic Area.

"GDPR" stands for "General Data Protection Regulation" and means: (i) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("EU GDPR"); (ii) the EU GDPR as it forms part of United Kingdom ("UK") law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

"Personal Information" means information that constitutes "Personal Data," "Personal Information," "Personally Identifiable Information," or similar information as defined by applicable Data Protection Legislation that Quaflow Processes pursuant to the Main Agreement.

"Personal Data Breach" means a breach of Quaflow's security that has resulted in the accidental or unlawful destruction, acquisition, loss, alteration, unauthorized disclosure of, or access to, Personal Information in Quaflow's possession, custody, or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

"Relevant Body" (i) in the context of the UK and the UK GDPR, means the UK Information Commissioner's Office and/or UK Government (as and where applicable); and/or (ii) in the context of the EEA and EU GDPR, means the European Commission.

"Restricted Country" (i) in the context of the UK, means a country or territory outside the UK; and (ii) in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), that the Relevant Body has not deemed to provide an "adequate" level of protection for Personal Information pursuant to a decision made in accordance with Article 45(1) of the GDPR.

"Restricted Data Transfer" means the disclosure, grant of access, or other transfer of Personal Information to: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision by the European Commission pursuant to Article 45 of the GDPR; and (ii) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision by the UK Information Commissioner's Office pursuant to Article 45 of the GDPR.

"Security Measures" means the technical and organizational security measures to be applied by Processor in respect of Personal Information, as set out in Appendix 2.

"Standard Contractual Clauses" or "SCCs" means (i) where the GDPR applies, the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN ("EU SCCs"); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) Data Protection Act 2018 ("UK IDTA") (in each case, as updated, amended or superseded from time to time).

"Subprocessors" means the relevant subprocessors listed in Appendix 3.

"Supervisory Authority" means: (i) in the context of the EU GDPR, any authority within the meaning of Article 4(21) of the EU GDPR; and (ii) in the context of the UK GDPR, the UK Information Commissioner's Office.

"UK" means the United Kingdom of Great Britain and Northern Ireland.

2. DATA PROTECTION

2.1 In the course of Quaflow providing the Services under the Main Agreement, Customer may from time to time provide or make available Personal Information to Quaflow for the limited and specific purposes of providing the Services under the Main Agreement. The Parties acknowledge and agree that, in relation to any such Personal Information provided or made available to Quaflow for Processing by Quaflow under the Main Agreement, the Customer will be the Controller and Quaflow will be the Processor for the purposes of the GDPR, and the Customer will be the Business and Quaflow will be the Service Provider for purposes of the CCPA.

2.2 When Quaflow Processes Personal Information in the course of providing the Services, Quaflow will:

2.2.1 Process the Personal Information as a Data Processor, for the purpose of providing the Services in accordance with documented instructions from the Customer (provided that such instructions are commensurate with the functionalities of the Services), to perform Quaflow's obligations and exercise Quaflow's rights under the Main Agreement, including to maintain records relating to the Services and comply with any legal or self-regulatory obligations relating to the Services, and as may subsequently be agreed to by the Customer. Quaflow is prohibited from retaining, using, or disclosing Personal Information provided by the Customer ("Customer Data") for any purpose other than for the specific purpose of performing the Services specified in the Main Agreement, unless otherwise expressly permitted by applicable Data Protection Legislation. If Quaflow is required by applicable laws to Process the Personal Information for any other purpose, Quaflow will provide the Customer with prior notice of this requirement, unless Quaflow is prohibited by such laws from providing such notice;

2.2.2 Not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Customer Data to any third party for monetary or other valuable consideration. Quaflow shall not share any Customer Data for purposes of cross-context behavioral advertising;

2.2.3 Not combine any Personal Information that Quaflow receives from, or on behalf of, Customer with information that it receives from, or on behalf of, another source provided that Quaflow may combine Personal Information as authorized by Data Protection Legislation;

2.2.4 To the extent that Customer discloses or otherwise makes available deidentified data to Quaflow, Quaflow agrees to take reasonable measures to ensure that the deidentified data cannot be associated with an individual or household;

2.2.5 Notify the Customer if it cannot follow the Customer's instruction for the Processing of Personal Information because, in Quaflow's opinion, the instruction infringes applicable Data Protection Legislation;

2.2.6 Notify the Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Quaflow's Processing of the Personal Information;

2.2.7 Upon Customer's written request, provide Customer with such assistance as may be reasonably necessary and technically feasible in fulfilling its legal obligations under Data Protection Legislation, including data protection impact assessments and prior consultations with Supervisory Authorities which Quaflow reasonably considers to be required of it by Data Protection Legislation, in each case solely in relation to Processing of Personal Information by, and taking into account the nature of the Processing by, and information available to, Quaflow;

2.2.8 Upon the Customer's written request, provide the Customer with such reasonable assistance as may be necessary and technically possible, taking into account the nature and circumstances of the processing and Quaflow's role as a processor, to allow the Customer to fulfill its obligation to respond to Data Subject Requests;

2.2.9 Upon receipt of any Data Subject Request that relates to Personal Information that Quaflow Processes for the Customer, Quaflow may advise the Data Subject to submit the request to Customer and Customer is solely responsible for responding to any such requests. Quaflow's notification of or response to a Data Subject Request under this Section is not an acknowledgment by Quaflow of any fault or liability with respect to the Data Subject Requests;

2.2.10 Implement and maintain appropriate technical and organizational measures designed to protect Personal Information and ensure a level of security appropriate to the risk. Quaflow's measures comprise those documented in the Security Measures listed in Appendix 2;

2.2.11 Comply with applicable obligations under Data Protection Legislation and reasonably ensure its employees, agents, and service providers, comply with the obligations and restrictions applicable to Quaflow under applicable Data Protection Legislation. Quaflow shall reasonably notify Customer if it decides it can no longer meet its obligations. Upon such notification, Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Data;

2.2.12 Notify the Customer promptly upon becoming aware of any confirmed Personal Data Breach impacting Customer Data. The Customer is solely responsible for complying with Data Breach notification laws applicable to the Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Quaflow's notification of, or response to, a Personal Data Breach under this Section is not an acknowledgment by Quaflow of any fault or liability with respect to the Personal Data Breach;

2.2.13 Ensure that its personnel who access the Personal Information have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; and

2.2.14 Upon termination of the Main Agreement or expiry of Services involving the Processing of Personal Information, Quaflow shall cease all Processing of Personal Information related to such Services.

2.3 The Customer shall ensure that it is entitled to give access to the relevant Personal Information to Quaflow so that Quaflow may lawfully Process Personal Information in accordance with the Main Agreement on the Customer's behalf. The Customer shall:

2.3.1 Comply with its obligations under the Data Protection Legislation which arise in relation to this Agreement, the Main Agreement, and the receipt of the Services;

2.3.2 Not do or omit to do anything which causes Quaflow (or any Subprocessor) to breach any of its obligations under the Data Protection Legislation; and

2.3.3 Reasonably inform Quaflow of any inquiry or request and any necessary information regarding Quaflow's compliance with Data Protection Legislation, should the Customer receive an inquiry or request.

2.4 In the course of providing the Services, the Customer acknowledges and agrees that Quaflow may use Subprocessors to Process Personal Information. Quaflow's use of any specific Subprocessor to Process Personal Information must be in compliance with Data Protection Legislation and must be governed by a contract between Quaflow and the Subprocessor.

2.5 As part of providing the Services, Data Subjects' Personal Information will be Processed in the United States. Such Processing will be completed in compliance with relevant Data Protection Legislation.

2.6 Customer acknowledges and hereby agrees that Quaflow may transfer to, access and Process Personal Information in a Restricted Country, as necessary to provide the Services in accordance with the Main Agreement. Quaflow will make any such Restricted Data Transfers in compliance with the applicable Data Protection Legislation. If Quaflow's compliance with Data Protection Legislation applicable to Restricted Data Transfers is affected by circumstances outside of Quaflow's control, including if a legal instrument for Restricted Data Transfers is invalidated, amended, or replaced, then Customer and Quaflow will work together in good faith to reasonably resolve such non-compliance.

2.7 Solely to the extent required to ensure the legality of Restricted Transfers, in the event that the transfer of Personal Information from Controller to Quaflow involves a transfer of Personal Information, that is subject to GDPR or UK GDPR, to a Restricted Country, the SCCs shall be incorporated by reference and form an integral part of this Agreement with Controller as "data exporter" and Quaflow as "data importer." For the purposes of the EU SCCs: (i) Module Two (controller to processor) terms shall apply and the module one, three and four terms shall be deleted; (ii) Clause 7 (Docking Clause) shall not apply; (iii) in Clause 9, Option 2 shall apply and the "time period" shall be 14 days; (iv) in Clause 11, the optional language shall not apply; (v) in Clause 17 (Option 1) the EU SCCs shall be governed by Irish law; (vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vii) Annex 1 and 3 of the EU SCCs shall be populated with the information set out in Appendix 1; and (viii) Annex 2 of the EU SCCs shall be deemed populated with the information set out in Appendix 2. For the purposes of the UK IDTA: (i) the Appendices or Annexes of the UK IDTA shall be populated with the relevant information set out in this DPA; and (ii) the UK IDTA shall be governed by the laws of, and disputes shall be resolved before the courts of, England and Wales. If and to the extent the applicable SCCs conflict with any provision of this Agreement regarding the transfer of Personal Information from Customer to Quaflow, the SCCs shall prevail to the extent of such conflict.

3. MISCELLANEOUS

3.1 In the event of any conflict or inconsistency between the provisions of the Main Agreement and this Agreement, the provisions of this Agreement shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Agreement, including limitations thereof, will be governed by the relevant provisions of the Main Agreement.

3.2 The Customer acknowledges and agrees that Quaflow may amend this Agreement from time to time by posting the relevant amended and restated Agreement on Quaflow's website and such amendments to the Agreement are effective as of the date of posting. The Customer's continued use of the Services after the amended Agreement is posted to Quaflow's website constitutes the Customer's acceptance of the amended Agreement.

APPENDIX 1: PROCESSING DETAILS

A. LIST AND PURPOSE OF PROCESSING

Quaflow will process the Customer's Personal Information for the following purposes:

  1. To provide the core functionality of Quaflow's products and services
  2. To facilitate the processing of customer orders
  3. To enable the storage and management of customer files and data
  4. To provide automated calculation services based on order specifications
  5. To provide customer support and service improvement

B. DURATION OF PROCESSING

Quaflow will process Personal Information for the duration of the Main Agreement and for such period after the termination of the Main Agreement as is necessary for Quaflow to comply with its legal obligations. Customer files will be automatically and permanently deleted after the retention period specified in the relevant service documentation or as otherwise agreed with the Customer.

C. CATEGORIES OF DATA SUBJECTS

Quaflow will process Personal Information relating to the following categories of Data Subjects:

  1. Store owners (e.g., Shopify store owners)
  2. Store customers (e.g., customers of online stores)
  3. End users of Quaflow's products and services
  4. Customer's employees and authorized representatives

D. TYPES OF PERSONAL INFORMATION

Quaflow will process the following types of Personal Information:

  1. Store Owner Data:
    • Email address
    • Name and surname

  2. Customer Data:
    • Customer identification numbers
    • Contact information

  3. Order Data:
    • Store owner's order data
    • Transaction information

  4. Uploaded Files:
    • Files uploaded by customers to orders or services
    • Design files and other content

E. SENSITIVE DATA

Quaflow will not process sensitive data.

APPENDIX 2: SECURITY MEASURES

Quaflow will implement the following technical and organizational security measures to protect Personal Information:

A. TECHNICAL SECURITY MEASURES

  1. Data Encryption
    • TLS encryption for data in transit
    • Encryption of data at rest
    • Strong encryption algorithms and protocols

  2. Access Control
    • Multi-factor authentication
    • Access rights based on the principle of least privilege
    • Automatic session timeout
    • Strong password policies
    • Regular access rights reviews

  3. Network Security
    • Firewalls
    • Intrusion detection and prevention systems
    • Network segmentation
    • Regular security scans and vulnerability assessments

  4. Backup and Recovery
    • Regular data backups
    • Encryption of backups
    • Disaster recovery plans and procedures

  5. System Security
    • Regular security updates and patches
    • Malware protection
    • System hardening
    • Secure development practices

B. ORGANIZATIONAL SECURITY MEASURES

  1. Personnel Security
    • Confidentiality agreements
    • Regular security awareness training
    • Security policies and procedures
    • Segregation of duties

  2. Data Breach Management
    • Data breach detection and response procedures
    • Data breach notification processes
    • Data breach drills

  3. Vendor Management
    • Vendor security assessments
    • Vendor privacy and security agreements
    • Regular vendor audits

  4. Security Assessments
    • Regular internal security audits
    • Periodic external security assessments
    • Vulnerability management program

  5. Policy Management
    • Documented security policies and procedures
    • Regular policy reviews and updates
    • Policy compliance monitoring

C. FILE SECURITY

  1. Customer files are stored in secure cloud storage platforms.
  2. Files are automatically and permanently deleted after the retention period specified in the relevant service documentation.
  3. Access to files is limited to authorized personnel and relevant store owners.
  4. All file transfers are encrypted and conducted over secure connections.

APPENDIX 3: SUBPROCESSORS

Quaflow uses the following Subprocessors in the provision of the Services:

Subprocessor | Service Description | Location
Google Cloud Platform (GCP) | Cloud storage and infrastructure services | United States, Germany
Oracle Cloud Infrastructure (OCI) | Infrastructure services and cloud computing | United States, Germany
Cloudflare | Network services and cloud storage | United States
Google Analytics | Web analytics and statistics services | United States
Shopify | E-commerce platform and solutions | Canada

Contact Us

For more information about our data processing practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at [email protected] or by mail using the details provided below:

QUAFLOW OÜ

Harju maakond, Tallinn, Kesklinna linnaosa, Veskiposti tn 2-1002, 10138, Estonia