Last Updated: September 18, 2024
This Data Processing Addendum, including Attachment 1 (collectively, the “DPA”), forms part of the Terms and Conditions or other written or electronic agreement between DQLabs, Inc. (“DQLabs”) and the entity identified as Customer in the Agreement (“Customer”) governing Customer’s access to and use of the Service (the “Agreement”). This DPA reflects the parties’ obligations under applicable Data Protection Laws and Regulations and U.S. State Privacy Laws (each as defined below) with respect to the Processing of Personal Data.
If there is any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls to the extent of such conflict.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set forth in the Agreement or applicable law.
“Affiliate” means an entity that controls, is controlled by, or is under common control with a party.
“CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100–1798.199), as amended by the CPRA and implementing regulations, as amended or replaced.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data (including “business” under the CCPA where applicable).
“Processor” means the entity that Processes Personal Data on behalf of the Controller (including “service provider” / “contractor” under the CCPA where applicable).
“Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.
“Data Protection Laws and Regulations” means laws applicable to the Processing of Personal Data under the Agreement, including: EU GDPR; UK GDPR and the UK Data Protection Act 2018; and Swiss FADP, in each case as amended.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information Processed via the Service that is defined as “personal data,” “personal information,” or a substantially similar term under applicable law.
“Process” / “Processing” has the meaning given under applicable law.
“Sell” and “Share” have the meanings set forth under applicable U.S. State Privacy Laws.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for international transfers adopted by the European Commission (Decision 2021/914), as updated or replaced.
“Subprocessor” means any third party (including DQLabs Affiliates) engaged by or on behalf of DQLabs to Process Personal Data in connection with the Service.
“U.S. State Privacy Laws” means applicable U.S. state privacy laws governing Personal Data, including CCPA/CPRA and other similar state laws, as amended.
2. Processing of Personal Data
2.1 Roles of the Parties
With respect to Personal Data Processed under the Agreement, Customer is the Controller and DQLabs is the Processor, except to the extent DQLabs processes limited data as an independent Controller for its own purposes (e.g., billing contacts, fraud prevention, security logs), as described in the Agreement and applicable privacy notices.
2.2 Customer Responsibilities
Customer is responsible for: (a) the lawfulness of Processing, including providing required notices and obtaining consents where required; (b) the accuracy, quality, and legality of Personal Data; and (c) ensuring its instructions comply with applicable law.
Customer will promptly notify DQLabs of any restrictions that apply to Processing instructions to the extent such restrictions may affect DQLabs’s ability to perform under the Agreement.
2.3 Customer Instructions
DQLabs will Process Personal Data only:
(a) to provide, maintain, secure, and support the Service under the Agreement;
(b) as initiated by Authorized Users through use of the Service; and
(c) as documented instructions provided by Customer (including via email or support ticket).
DQLabs will notify Customer if DQLabs becomes aware that Customer instructions are unlawful under applicable Data Protection Laws and Regulations, to the extent required by law.
2.4 U.S. State Privacy Laws (Service Provider / Contractor / Processor)
To the extent U.S. State Privacy Laws apply, DQLabs will act as a “service provider,” “contractor,” and/or “processor” (as applicable) and will:
(a) not Sell or Share Personal Data;
(b) not retain, use, or disclose Personal Data outside the direct business relationship with Customer except as necessary to provide the Service and for permitted business purposes under applicable law (including security, fraud prevention, debugging, and service improvement consistent with law); and
(c) not combine Personal Data received from Customer with Personal Data from other sources except as permitted by law and as necessary to provide and secure the Service.
2.5 Aggregated / De-Identified Data
Where permitted by law, DQLabs may aggregate and/or de-identify Personal Data so that it no longer constitutes Personal Data and may use such data for analytics, security, and product improvement. DQLabs will not attempt to re-identify such data and will contractually restrict third parties from attempting re-identification where applicable.
3. Data Subject Rights
3.1 Assistance
To the extent Customer cannot address Data Subject rights requests through the Service, DQLabs will provide reasonable assistance, to the extent legally permitted. Unless otherwise required by law, assistance may be subject to reasonable fees reflecting DQLabs’s costs.
3.2 Data Subject Requests
If DQLabs receives a request from a Data Subject relating to Personal Data Processed on behalf of Customer, DQLabs will (to the extent legally permitted) promptly notify Customer and will not respond except to confirm the request relates to Customer and/or direct the requester to Customer, unless legally required.
4. DQLabs Personnel
4.1 Confidentiality
DQLabs will ensure personnel authorized to Process Personal Data are subject to written confidentiality obligations and receive appropriate privacy/security training.
4.2 Access Controls
DQLabs will restrict access to Personal Data to personnel who require access to perform obligations under the Agreement.
5. Security Measures (TOMs)
DQLabs will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
DQLabs’s current TOMs are described at: https://www.dqlabs.ai/legal/toms.
DQLabs may update TOMs from time to time, provided it does not materially reduce the overall security of the Service.
6. Security Breach Notification
DQLabs will maintain incident response policies and will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Security Breach involving Personal Data Processed under the Agreement. DQLabs will provide information reasonably necessary for Customer to comply with breach notification obligations and will take reasonable steps to mitigate and remediate effects of the Security Breach.
“Security Breach” means a confirmed unauthorized access to, or acquisition, use, disclosure, modification, or destruction of Personal Data Processed by DQLabs or its Subprocessors.
7. Additional Terms
7.1 Cross-Border Transfers
Where required, the parties agree to the transfer mechanisms in Attachment 1.
7.2 Objective and Duration
Processing is for provision of the Service under the Agreement, during the Agreement term and as otherwise described in the Agreement (including post-termination retention/deletion).
7.3 Subprocessors
7.3.1 Authorization
Customer authorizes DQLabs to engage Subprocessors, including DQLabs Affiliates, to provide the Service and support.
7.3.2 Subprocessor Terms
DQLabs will enter into written agreements with Subprocessors imposing obligations not less protective than this DPA, appropriate to services provided.
7.3.3 Liability
DQLabs remains responsible for Subprocessors’ performance to the same extent as if DQLabs performed the services directly.
7.3.4 Subprocessor List and Notice
A current list of Subprocessors is available at: https://www.dqlabs.ai/legal/subprocessors.
DQLabs will provide notice of material changes (addition or replacement) of Subprocessors where required by law and/or in accordance with the Agreement.
7.3.5 Objection
Customer may object to a new Subprocessor on reasonable data protection grounds by notifying DQLabs within fifteen (15) days of notice. The parties will work in good faith to resolve the objection. If resolution is not commercially reasonable, DQLabs may (at its option):
(a) not appoint the Subprocessor; or
(b) permit Customer to terminate the affected portion of the Service, and DQLabs will refund prepaid fees for the terminated portion covering the unused period (if applicable).
7.4 Audits and Certifications
Upon written request and subject to confidentiality obligations, DQLabs will provide reasonable information demonstrating compliance with this DPA, including relevant third-party audit reports or certifications (e.g., SOC 2) if available. If such materials are insufficient and an audit is legally required or reasonably necessary, Customer (or an independent auditor not a competitor) may conduct an audit no more than once per year, upon reasonable notice, during normal business hours, limited to matters relevant to this DPA, and subject to reasonable confidentiality and security controls. Customer bears costs unless material non-compliance is identified, in which case DQLabs bears reasonable costs.
7.5 Return and Deletion
Return/deletion of Personal Data will follow the Agreement, including any export window and deletion timelines. Customer remains responsible for deleting Personal Data within its control.
7.6 DPIAs and Prior Consultation
DQLabs will provide reasonable assistance and information available to DQLabs to support DPIAs and prior consultations as required by law, to the extent Customer cannot access such information through the Service.
7.7 Data Hosting and Regions
7.7.1 Hosting Locations
Unless otherwise specified in the applicable Order Form, DQLabs hosts Customer Data in cloud infrastructure environments located in the United States. Where regional hosting options are made available and selected in the applicable Order Form, DQLabs will host Customer Data in the agreed region (e.g., United States, European Economic Area, or other supported region), subject to backup, redundancy, and disaster recovery processes described below.
7.7.2 Redundancy and Backups
Customer Data may be replicated across availability zones within the selected hosting region for high availability and resilience. Backup copies may be stored in geographically separate locations consistent with DQLabs’s business continuity and disaster recovery practices, provided that such storage complies with applicable Data Protection Laws and Regulations and the transfer mechanisms described in this DPA.
7.7.3 Cross-Border Transfers
Where Customer Data is transferred outside the originating jurisdiction (including for support, maintenance, security operations, or Subprocessor Processing), DQLabs will ensure that appropriate transfer safeguards are in place in accordance with:
(a) the Data Privacy Framework (where applicable), and/or
(b) the Standard Contractual Clauses and applicable UK Addendum, as described in Attachment 1.
7.7.4 Customer-Controlled Environments
If the Service is deployed within infrastructure controlled by Customer (including Customer-managed cloud accounts), Customer is responsible for selecting hosting regions and configuring geographic restrictions. In such deployments, DQLabs’s role is limited to Processing Personal Data within the scope of the Service configuration and Customer’s infrastructure settings.
7.7.5 Region Changes
DQLabs will not materially change the primary hosting region for Customer Data during the Subscription Term without prior notice to Customer, except where required for security, legal compliance, disaster recovery, or service continuity. Any such change will remain subject to the safeguards set forth in this DPA.
8. Other
8.1 Liability
This DPA is subject to the limitations of liability and exclusions of damages in the Agreement.
8.2 Term
This DPA terminates automatically upon termination or expiration of the Agreement.
8.3 Notices
Notices under this DPA will be provided in accordance with the notice provisions in the Agreement.
