Data Processing Agreement

This agreement outlines how we process and protect your data.

Version: 1.2.0 - Last updated: January 10, 2026

PREAMBLE

This Data Processing Agreement ("DPA") forms an integral part of and is subject to the written or electronic agreement(s) ("Main Agreement") governing the use of products and services ("Services") provided by QUAFLOW OÜ (registry code: [Registry Code], VAT: [VAT Number]), with its registered office at Harju maakond, Tallinn, Kesklinna linnaosa, Viru väljak 2, 10111, Estonia ("Quaflow" or "Processor"), to the legal entity receiving the Services ("Customer" or "Controller").

By signing the Main Agreement or using the Services, the Customer accepts the terms of this DPA.

1. DEFINITIONS

Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Main Agreement or applicable Data Protection Legislation.

  • "Data Protection Legislation" means all applicable laws and regulations relating to the processing of Personal Information and privacy, including but not limited to: (i) the EU General Data Protection Regulation 2016/679 ("GDPR"); (ii) the UK GDPR and Data Protection Act 2018; (iii) the California Consumer Privacy Act as amended by the CPRA ("CCPA"); and (iv) any other applicable data protection laws in relevant jurisdictions (e.g., LGPD, PIPLDA).
  • "Personal Information" means any information relating to an identified or identifiable natural person ("Data Subject") that Quaflow Processes on behalf of the Customer under the Main Agreement.
  • "Restricted Transfer" means a transfer of Personal Information to a country that has not been deemed to provide an adequate level of data protection by the European Commission or the UK Information Commissioner's Office, as applicable.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Decision 2021/914) or the UK International Data Transfer Addendum, as applicable.

2. ROLES AND RESPONSIBILITIES

2.1 Relationship of the Parties. The Parties acknowledge that for the purposes of the GDPR, the Customer is the Controller and Quaflow is the Processor. For the purposes of the CCPA, the Customer is the Business and Quaflow is the Service Provider.

2.2 Quaflow's Obligations. Quaflow shall:

  1. Instructions: Process Personal Information only for the purposes of providing the Services and in accordance with the Customer's documented lawful instructions, unless required otherwise by applicable law.
  2. Confidentiality: Ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Security: Implement and maintain appropriate technical and organizational measures set out in Appendix 2 to protect Personal Information against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.
  4. No Sale of Data: Not sell, rent, disclose, or share Personal Information for cross-context behavioral advertising, or retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services, except as otherwise permitted by the CCPA.
  5. Data Subject Requests: Taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights.
  6. Assistance: Provide reasonable assistance to the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, DPIAs), taking into account the nature of processing and the information available to Quaflow. Quaflow reserves the right to charge a reasonable fee for assistance that exceeds the standard support services provided under the Main Agreement.
  7. Data Breaches: Notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Data. Quaflow shall provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach.

2.3 Customer's Obligations. The Customer represents and warrants that:

  1. It has a lawful basis for processing the Personal Information and for sharing it with Quaflow.
  2. Its instructions to Quaflow comply with applicable Data Protection Legislation.
  3. It is solely responsible for the accuracy, quality, and legality of the Personal Information and the means by which it acquired the Personal Information.

3. SUBPROCESSING

3.1 Authorized Subprocessors. The Customer grants Quaflow a general authorization to engage the Subprocessors listed in Appendix 3.

3.2 New Subprocessors. Quaflow shall notify the Customer (via email or in-app notification) at least fourteen (14) days prior to engaging any new Subprocessor.

  • Objection: The Customer may object to the appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Quaflow in writing within ten (10) days of receipt of the notice.
  • Resolution: If the Customer objects, the Parties will work together in good faith to find a mutually agreeable resolution. If no resolution is reached, Quaflow generally has the right to either not use the Subprocessor for that Customer's data or, if not feasible, the Customer may terminate the affected Services without penalty.

3.3 Liability. Quaflow shall remain fully liable to the Customer for the performance of the Subprocessor's obligations.

4. INTERNATIONAL TRANSFERS

4.1 Transfer Mechanisms. Where the Processing involves a Restricted Transfer, Quaflow shall comply with the applicable Data Protection Legislation.

4.2 Standard Contractual Clauses. To the extent a Restricted Transfer occurs:

  • The EU SCCs (Module Two: Controller to Processor) shall apply and are incorporated by reference.
  • For transfers subject to the UK GDPR, the UK International Data Transfer Addendum shall apply.
  • The governing law and jurisdiction for the SCCs shall be Ireland (for EU) and England & Wales (for UK).

5. LIABILITY

5.1 Limitation. To the maximum extent permitted by applicable law, Quaflow's total aggregate liability to the Customer arising out of or related to this DPA (whether in contract, tort, or otherwise) shall be subject to the limitations and exclusions of liability set forth in the Main Agreement.

6. TERM AND TERMINATION

6.1 Duration. This DPA shall remain in effect for as long as Quaflow processes Personal Information on behalf of the Customer.

6.2 Deletion/Return. Upon termination of the Services, Quaflow shall, at the choice of the Customer, delete or return all Personal Information to the Customer, unless applicable law requires storage of the Personal Information.

7. MISCELLANEOUS

7.1 Order of Precedence. In the event of any conflict between this DPA and the Main Agreement, the provisions of this DPA shall prevail regarding data protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

7.2 Updates. Quaflow may update this DPA from time to time to reflect changes in law or its practices. Quaflow will notify the Customer of material changes at least thirty (30) days prior to the effective date. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

APPENDIX 1: PROCESSING DETAILS

A. Subject Matter and Nature of Processing

The processing of data is performed to provide the Services (e.g., order processing, file management, automated calculations) as described in the Main Agreement.

B. Duration

For the term of the Main Agreement plus the period required for legal compliance or backup retention.

C. Categories of Data Subjects

  • Store Owners (Customers)
  • End-customers of the Store Owner
  • Employees/Users of the Customer

D. Types of Personal Information

  • Identity Data: Names, usernames.
  • Contact Data: Email addresses, phone numbers, billing/shipping addresses.
  • Transaction Data: Order details, product specifications.
  • Technical Data: Uploaded design files, IP addresses, device identifiers (as strictly necessary for the Service).
  • Sensitive Data: Quaflow does not intentionally process special categories of data (e.g., health, biometrics).

APPENDIX 2: SECURITY MEASURES

Quaflow maintains an information security program designed to protect Customer Data, including:

  1. Encryption: Use of TLS/SSL for data in transit and AES encryption for data at rest.
  2. Access Control: Implementation of least privilege principles, multi-factor authentication (MFA) for administrative access, and regular access reviews.
  3. Network Security: Utilization of firewalls, intrusion detection systems, and network segmentation (Cloudflare/GCP/AWS controls).
  4. Vulnerability Management: Regular security scans and patching of systems.
  5. Personnel: Mandatory security training and confidentiality agreements for all employees.
  6. Resilience: Regular backups and disaster recovery testing.

APPENDIX 3: SUBPROCESSORS

Quaflow uses the following Subprocessors in the provision of the Services:

| Subprocessor | Service Description | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud storage and infrastructure services | United States, Germany |
| Oracle Cloud Infrastructure (OCI) | Infrastructure services and cloud computing | United States, Germany |
| Cloudflare | Network services and Cloud storage | United States |
| Google Analytics | Web analytics and statistics services | United States |
| Shopify | E-commerce platform and solutions | Canada |

Contact Us

For more information about our data processing practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at contact@quaflow.com or by mail using the details provided below:

QUAFLOW OÜ

Harju maakond, Tallinn, Kesklinna linnaosa, Viru väljak 2, 10111, Estonia