Data Processing Agreement

This Data Processing Agreement (the DPA) is entered into between the Client as controller and Qualiar as processor, within the meaning of article 28 of the GDPR.

It defines the conditions under which Qualiar processes personal data on behalf of the Client in providing the service.

Qualiar processes personal data only on the Client's documented instructions. This agreement, the main contract and the settings configured by the Client in their Agent constitute those instructions.

Any additional instruction may be notified by email to privacy@qualiar.xyz.

• Nature: hosting, storage, retrieval, indexing, search, language-model-assisted generation.
• Data subjects: the Client's authorised users, the Client's contacts and customers (depending on imported content).
• Data categories: identification data, professional data, business content imported by the Client.
• Duration: the term of the main contract, extended by ninety (90) days for the final export.
• Purpose: performance of the main contract.

Qualiar ensures that persons authorised to process the data are bound by a confidentiality undertaking.

Qualiar implements appropriate technical and organisational measures:

• Encryption in transit and at rest.
• Isolation of data between clients.
• Least-privilege internal access policy with strong authentication for administrators.
• Logging of administrator access.
• Regular encrypted backups.
• Business continuity and disaster recovery planning.

The Client authorises Qualiar to use subprocessors, by category: hosting and infrastructure (EU by default), database and authentication, network routing and protection, transactional email, and language-model inference providers.

The named, up-to-date list is provided on request. Any change is notified to the Client at least thirty (30) days before it takes effect, granting a right of termination without penalty in case of a reasoned objection.

Qualiar assists the Client, through appropriate measures, in responding to data-subject rights requests (access, rectification, erasure, objection, portability, restriction).

The export function built into the Agent lets the Client retrieve all of their data at any time in a structured format.

Qualiar notifies the Client within seventy-two (72) hours of becoming aware of a personal-data breach affecting them.

The notification specifies: the nature of the breach, the categories and approximate number of data subjects, the likely consequences, and the measures taken or proposed.

Qualiar makes available to the Client the information necessary to demonstrate compliance with article 28 GDPR.

The Client may, at its own expense and with reasonable notice, have an annual audit carried out by an independent third party bound by confidentiality, subject to the Provider's operational constraints.

On termination, the Client has ninety (90) days to retrieve all of their data via the export function.

After that period, and unless otherwise requested in writing, all data and backups are permanently deleted within a further thirty (30) days. A deletion certificate can be provided on request.

By default, no transfer outside the EEA takes place.

Where a subprocessor operates outside the EEA, the transfer is governed by the European Commission's Standard Contractual Clauses or an equivalent mechanism ensuring an adequate level of protection.