Data Processing Agreement (DPA)
Last updated: January 2025
GDPR-Compliant Processing
This Data Processing Agreement (DPA) is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) between you (the "Controller") and Rubinshelf MarTech Initiatives SL (the "Processor") operating QolinAI services.
1. Definitions
Terms used in this DPA have the meanings set forth in the GDPR unless otherwise defined herein:
- "Controller" means the Customer who determines the purposes and means of processing Personal Data
- "Processor" means Rubinshelf MarTech Initiatives SL, which processes Personal Data on behalf of the Controller
- "Personal Data" has the meaning set forth in Article 4(1) GDPR
- "Processing" has the meaning set forth in Article 4(2) GDPR
- "Data Subject" has the meaning set forth in Article 4(1) GDPR
- "Sub-processor" means any processor engaged by the Processor
- "Services" means the QolinAI AI Management System and related services
2. Scope and Applicability
2.1 Application
This DPA applies to all processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.
2.2 Hierarchy
This DPA forms an integral part of the Terms of Service. In case of conflict, this DPA takes precedence regarding data protection matters.
2.3 Duration
This DPA remains in effect for the duration of the Services and survives termination with respect to Personal Data retained by the Processor.
3. Details of Processing
3.1 Subject Matter of Processing
Provision of AI management services including AI model hosting, document processing, user management, and related functionalities.
3.2 Nature and Purpose of Processing
The Processor processes Personal Data to:
- Provide and maintain the Services
- Process AI queries and generate responses
- Store and manage documents and content
- Manage user accounts and authentication
- Provide customer support
- Ensure security and prevent fraud
- Comply with legal obligations
3.3 Categories of Data Subjects
- Employees and staff of the Controller
- Contractors and consultants of the Controller
- Customers and clients of the Controller (where applicable)
- Other individuals whose data is processed through the Services
3.4 Categories of Personal Data
| Data Category | Examples |
|---|---|
| Identification Data | Name, email address, username, employee ID |
| Professional Data | Job title, department, company name, work location |
| Contact Data | Email address, phone number, business address |
| Technical Data | IP address, device information, log data |
| Usage Data | System interactions, feature usage, timestamps |
| Content Data | Documents, chat messages, AI queries, uploaded files |
| Special Categories | Health data, biometric data (if uploaded by Controller) |
3.5 Duration of Processing
For the term of the service agreement and as required for retention obligations thereafter.
4. Processor's Obligations
4.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including:
- Instructions provided through the Services interface
- Instructions in the Terms of Service and this DPA
- Additional written instructions provided by the Controller
If the Processor believes an instruction violates GDPR or other data protection laws, it shall immediately inform the Controller.
4.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data:
- Are committed to confidentiality or are under an appropriate statutory obligation of confidentiality
- Have received appropriate training on data protection
- Process Personal Data only as instructed
4.3 Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Pseudonymization: Automatic pseudonymization of sensitive data before AI processing
- Access Control: Multi-factor authentication, role-based access control
- Network Security: Firewalls, intrusion detection/prevention systems
- Backup: Automated daily backups with encryption
- Monitoring: 24/7 security monitoring and logging
Organizational Measures:
- Security Management: Comprehensive information security management system
- Security Policies: Comprehensive security policies and procedures
- Employee Training: Regular data protection and security training
- Access Management: Strict need-to-know access principles
- Incident Response: Documented incident response procedures
- Vendor Management: Due diligence on all sub-processors
4.4 Sub-processing
4.4.1 General Authorization
The Controller provides general authorization for the Processor to engage sub-processors, subject to the conditions in this section.
4.4.2 Current Sub-processors
The Processor currently uses the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| [Cloud Provider Name] | Infrastructure hosting | Germany |
| [Database Provider] | Database services | EU |
| [Email Service] | Email delivery | EU |
4.4.3 Sub-processor Requirements
The Processor shall:
- Impose the same data protection obligations as this DPA on sub-processors
- Conduct due diligence on sub-processors' security and compliance
- Remain fully liable to the Controller for sub-processor performance
- Notify the Controller of intended changes to sub-processors at least 30 days in advance
- Allow the Controller to object to new sub-processors
4.4.4 No Third-Country Transfers
All sub-processors are located within the EU/EEA. No Personal Data is transferred outside the EU/EEA.
4.5 Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
The Processor provides self-service tools in the Services for Controllers to fulfill these requests. Additional assistance is available upon request within 5 business days.
4.6 Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 24 hours after becoming aware
- Provide detailed information about the breach, including:
  - Nature of the breach
  - Categories and approximate number of affected Data Subjects
  - Categories and approximate number of affected Personal Data records
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
- Provide ongoing updates as the investigation progresses
- Cooperate with the Controller in breach notification to authorities and Data Subjects
4.7 Data Protection Impact Assessment (DPIA)
The Processor shall assist the Controller in carrying out DPIAs where required under Article 35 GDPR by:
- Providing information about processing operations
- Providing information about technical and organizational measures
- Providing security documentation and certifications
4.8 Prior Consultation
The Processor shall assist the Controller with prior consultation with supervisory authorities under Article 36 GDPR when required.
4.9 Deletion or Return of Data
Upon termination of Services, the Processor shall, at the Controller's choice:
- Return: Provide all Personal Data in a structured, machine-readable format within 30 days
- Delete: Securely delete all Personal Data and provide written certification of deletion
Exception: The Processor may retain Personal Data to the extent required by EU or Member State law, subject to confidentiality.
4.10 Audit Rights
The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR
- Allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller
- Provide audit reports and certifications upon request
Audit requests must be submitted with reasonable notice (minimum 30 days) and shall not occur more than once per year unless necessitated by a data breach or supervisory authority requirement.
5. Controller's Obligations
The Controller represents and warrants that:
- It has obtained all necessary consents and has a lawful basis for processing Personal Data
- It has provided necessary privacy notices to Data Subjects
- Processing instructions comply with applicable data protection laws
- It will not instruct the Processor to process special categories of Personal Data without explicit agreement
6. International Data Transfers
Not Applicable: All processing occurs within the EU/EEA. No Personal Data is transferred to third countries or international organizations.
Should international transfers become necessary in the future, the parties agree to implement appropriate safeguards pursuant to Chapter V GDPR, such as Standard Contractual Clauses.
7. Liability and Indemnification
7.1 Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.
7.2 Processor Liability
Under Article 82 GDPR, the Processor is liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
8. Duration and Termination
This DPA takes effect when the Controller begins using the Services and continues until the later of:
- Termination of the Terms of Service
- Deletion or return of all Personal Data
9. Changes to This DPA
The Processor may update this DPA to reflect:
- Changes in data protection laws
- Guidance from supervisory authorities
- Changes to processing operations
Material changes will be notified to the Controller at least 30 days in advance via email.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of the Principality of Andorra and applicable EU data protection regulations (GDPR). Any disputes shall be resolved through arbitration or in the courts of Andorra la Vella, Principality of Andorra.
11. Contact Information
For questions about this DPA:
Data Protection Officer
Rubinshelf MarTech Initiatives SL
Av. de Princep Benlloch 26-30
AD500 Andorra la Vella
Principality of Andorra
Email: dpo@qolinai.com
Need a Signed DPA?
Enterprise customers can request a customized, countersigned DPA. Contact us at legal@qolinai.com