Data Processing Agreement (DPA)
Effective date: January 1, 2026
between
Customer, in accordance with the applicable general terms and conditions as data Controller (hereinafter the “Controller”),
and
QCarder (owned by ASTROSIST Inc.), as data Processor (hereinafter the “Processor”; Controller and Processor together the “Parties”).
Preamble
The Controller has engaged the Processor under a separate agreement (such as QCarder’s General Terms, Subscription Agreement, or similar – hereinafter the “Main Agreement”) to provide certain services described therein. As part of performing these services, the Processor will process personal data on behalf of the Controller.
Article 28 of the GDPR and other applicable data protection laws require that such processing by a processor on behalf of a controller be governed by a written agreement. To comply with these requirements, the Parties enter into this Data Processing Agreement (the “Agreement”).
This Agreement sets out the data protection obligations of the Parties in relation to the processing of personal data by the Processor on behalf of the Controller. Unless expressly agreed otherwise, the performance of this Agreement is not subject to separate remuneration.
In the event of any conflict between this Agreement and the Main Agreement with respect to data protection and processing of personal data, the provisions of this Agreement shall prevail to the extent of that conflict.
1. Definitions
For the purposes of this Agreement, the following terms shall have the meanings set out below. Where terms are not defined here, they shall have the meaning given to them in the Main Agreement or in the GDPR.
1.1 Controller
“Controller” has the meaning given in Article 4(7) GDPR and refers to the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.2 Processor
“Processor” has the meaning given in Article 4(8) GDPR and refers to a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller. Under this Agreement, QCarder (owned by ASTROSIST Inc.) acts as the Processor.
1.3 Personal Data
“Personal Data” has the meaning given in Article 4(1) GDPR and means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.4 Special Categories of Personal Data
“Special Categories of Personal Data” refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation, as described in Articles 9 and 10 GDPR and related provisions.
1.5 Processing
“Processing” has the meaning given in Article 4(2) GDPR and means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.6 Supervisory Authority
“Supervisory Authority” has the meaning given in Article 4(21) GDPR and refers to an independent public authority established by a Member State pursuant to Article 51 GDPR that is responsible for monitoring the application of data protection law.
1.7 European Data Protection Laws
“European Data Protection Laws” means all laws and regulations applicable to the protection of personal data in the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”), including, without limitation:
- Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”);
- Directive 2002/58/EC (ePrivacy Directive) and its national implementations;
- the GDPR as it forms part of UK law under the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (“UK Data Protection Laws”); and
- the Swiss Federal Data Protection Act and its implementing ordinances (“Swiss DPA”).
2. Subject Matter and Scope of the Agreement
2.1 Services and Processing on Behalf of the Controller
The Processor provides the services described in the Main Agreement (for example, hosting and managing digital profiles, digital business cards, team dashboards, analytics, and related features) to the Controller. In providing these services, the Processor may have access to and process Personal Data on behalf of the Controller exclusively for the purposes of performing the Main Agreement and in accordance with the Controller’s documented instructions.
The scope, nature, and purposes of the Processing carried out by the Processor are further described in the Main Agreement and in Annex 1 of this DPA. The Controller is responsible for ensuring that the Processing of Personal Data, as instructed to the Processor, is lawful under applicable Data Protection Laws.
2.2 Purpose of this Agreement
This Agreement sets out the Parties’ respective rights and obligations under data protection law with respect to the Processing of Personal Data by the Processor on behalf of the Controller. In the event of any conflict between this Agreement and the Main Agreement concerning data protection or the Processing of Personal Data, the provisions of this Agreement shall take precedence to the extent of such conflict.
2.3 Application to All Processing Activities
The provisions of this Agreement apply to all Processing activities related to the Main Agreement in which the Processor, its employees, or any third parties acting on its behalf (including Sub-processors) come into contact with Personal Data originating from the Controller or collected for the Controller.
2.4 Term of the Agreement
This Agreement shall enter into force on the Effective Date stated above and shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller under the Main Agreement. Termination of the Main Agreement shall automatically trigger the relevant provisions on return and deletion of data set out in Section 11 of this Agreement, and this DPA shall continue to apply to the extent necessary to complete those obligations.
3. Right of Instruction
3.1 Processing Only on Documented Instructions
The Processor shall collect, process, and use Personal Data only within the scope of the Main Agreement and this DPA, and strictly in accordance with the Controller’s documented instructions, unless the Processor is required to do otherwise under applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification on important grounds of public interest.
3.2 Form and Scope of Instructions
The Controller’s initial instructions to the Processor are set out in this Agreement, the Main Agreement, and any applicable service descriptions or configurations in the QCarder Platform.
Thereafter, the Controller may issue additional, modified, or replacement instructions (“Individual Instructions”) in written or text form (including email or secure portal communication). The Controller is entitled to issue such instructions at any time, including with respect to the rectification, restriction, deletion, or blocking of Personal Data.
3.3 Documentation of Instructions
The Controller shall document all instructions it issues to the Processor. Instructions that go beyond or materially change the services agreed in the Main Agreement may be treated by the Processor as a request for a change of services and may require a separate agreement or adjustment to fees, timelines, or technical scope.
3.4 Obligation to Review Instructions
If the Processor believes that an instruction from the Controller violates applicable Data Protection Laws, the Processor shall promptly inform the Controller without undue delay. In such cases:
- The Processor may suspend the execution of the relevant instruction until the Controller confirms, amends, or withdraws the instruction; and
- The Processor is entitled to refuse to execute any instruction that is clearly unlawful.
The Controller remains responsible for the lawfulness of its instructions and the overall Processing operations for which it acts as Controller.
4. Types of Data Processed, Categories of Data Subjects and Third-Country Transfers
4.1 Types of Personal Data
Within the scope of performing the Main Agreement, the Processor may have access to and process the categories of Personal Data described in more detail in Annex 1 to this Agreement. These may include, in particular and without limitation:
- Identification and contact data (e.g. name, email address, phone number)
- Professional information (e.g. job title, role, company/organization, department)
- Profile and business card content (e.g. profile photo, logo, links to websites and social media, biography, business information)
- Account data (e.g. login identifiers, user IDs, organization membership)
- Usage and interaction data (e.g. access logs, date/time of access, sharing activity, engagement with digital profiles)
- Technical data (e.g. IP address, browser type, device information, approximate location based on IP)
Processing of Special Categories of Personal Data (as defined in Section 1.4) is not intended under the Main Agreement. If the Controller chooses to include any such data in the content it uploads or configures in QCarder, the Controller remains responsible for ensuring a lawful basis and for notifying the Processor in advance where required.
4.2 Categories of Data Subjects
The Processing activities under this Agreement may concern, in particular, the categories of Data Subjects set out in Annex 1, such as:
- Employees, contractors, or representatives of the Controller who use QCarder
- Business contacts, partners, customers, or leads whose information is stored in QCarder profiles or digital business cards
- Other individuals whose personal data is entered into the QCarder Platform by or on behalf of the Controller
4.3 Third-Country Transfers
Depending on the hosting locations and Sub-processors used by the Processor, Personal Data may be transferred to and processed in countries outside the EEA, Switzerland, or the UK (“third countries”), including in particular the United States.
Any such transfer shall occur only:
- under the conditions set out in Articles 44 et seq. GDPR and other applicable Data Protection Laws; and
- with appropriate safeguards in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission or other legally recognized transfer mechanisms.
Details of the hosting locations and Sub-processors involved in such transfers are set out in Annex 3 and may be updated from time to time in accordance with Section 8 of this Agreement.
5. Protective Measures of the Processor
5.1 Confidentiality and Data Protection Obligations
The Processor shall comply with all applicable data protection laws and shall treat all Personal Data received from the Controller as strictly confidential. The Processor shall not disclose Personal Data to third parties or make it accessible to them, except:
- where this is necessary for the performance of the Main Agreement and this DPA (e.g. Sub-processors in accordance with Section 8); or
- where required by applicable law.
The Processor shall ensure that all documents, systems, and data are protected against unauthorized access, disclosure, alteration, or loss, taking into account the current state of the art, implementation costs, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects.
5.2 Technical and Organisational Measures (TOMs)
The Processor shall implement and maintain appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and other applicable Data Protection Laws. These measures are described in Annex 2 to this Agreement, which forms an integral part of this DPA.
The Processor may update or modify the TOMs from time to time, provided that any such changes do not materially reduce the overall level of protection for Personal Data. The Controller acknowledges the TOMs as appropriate at the time of entering into this Agreement.
5.3 Personnel and Confidentiality
The Processor shall ensure that all persons (including employees, contractors, and other personnel) who are authorized to process Personal Data on its behalf:
- are subject to an appropriate duty of confidentiality (whether contractual or statutory); and
- process Personal Data only in accordance with the Controller’s documented instructions and for the purposes set out in the Main Agreement and this DPA.
The Processor will conduct such onboarding, training, and awareness measures as it deems appropriate to ensure that its personnel understand and comply with applicable data protection and security requirements.
5.4 Data Protection Officer (if applicable)
Where required by applicable Data Protection Laws, the Processor will appoint a data protection officer (DPO) or other contact responsible for data protection matters. The contact details of the Processor’s DPO or privacy contact (if appointed) will be made available to the Controller upon request or in the Processor’s publicly available privacy documentation.
6. Information Obligations and Incident / Breach Notification
6.1 Duty to Inform About Incidents
The Processor shall promptly inform the Controller without undue delay if it becomes aware of:
- any personal data breach (as defined in Article 4(12) GDPR) affecting Personal Data processed on behalf of the Controller;
- any significant security incident that may compromise the confidentiality, integrity, or availability of such Personal Data; or
- any material breach of this DPA or other data protection obligations by the Processor, its personnel, or its Sub-processors.
The same applies if the Processor becomes aware of audits, investigations, or formal inquiries by a Supervisory Authority that specifically relate to the Processing of the Controller’s Personal Data.
6.2 Content of the Breach Notification
Where feasible, the Processor’s notification of a personal data breach shall include at least the following information:
a) a description of the nature of the personal data breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
b) a description of the likely consequences of the personal data breach;
c) a description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible for the Processor to provide all such information at the same time, the information may be provided in phases without undue further delay.
6.3 Mitigation and Cooperation
Upon becoming aware of a personal data breach, the Processor shall:
- take all reasonable steps to contain, mitigate, and remedy the breach as soon as practicable;
- promptly inform the Controller of the actions taken and any further steps it recommends; and
- assist the Controller, upon request and to the extent reasonably possible, in meeting the Controller’s obligations under applicable Data Protection Laws (including Articles 33 and 34 GDPR) relating to notification of Supervisory Authorities and communication to Data Subjects.
6.4 Ongoing Information Duty
The Processor shall keep the Controller informed of significant developments related to any incident or breach that affects the Controller’s Personal Data, including new findings, additional measures taken, or relevant correspondence with Supervisory Authorities (where it directly relates to the Controller’s data).
6.5 Changes to Security Measures
The Processor shall inform the Controller of any significant changes to the technical and organisational measures described in Annex 2 that could materially impact the protection of Personal Data, so that the Controller can assess compliance with applicable Data Protection Laws.
7. Control and Audit Rights of the Controller
7.1 Right to Verify Compliance
The Controller has the right to satisfy itself that the Processor complies with this DPA and applicable Data Protection Laws, in particular with regard to the implementation of appropriate technical and organisational measures (TOMs).
Before the start of Processing and thereafter at reasonable intervals (e.g. once per year), the Controller may:
- request information from the Processor;
- review available documentation, such as security whitepapers, audit reports, or certifications; and/or
- conduct or commission audits or inspections, as described in this Section.
7.2 Audit Methods
To demonstrate compliance, the Processor may make available, as applicable:
- current third-party certifications, audit reports, or attestations (e.g. ISO, SOC reports);
- internal or external security and privacy documentation; and
- responses to reasonable security and privacy questionnaires.
Where this information is not sufficient in the Controller’s reasonable judgment, the Controller may, after giving reasonable prior notice and during normal business hours, conduct an on-site audit or appoint an independent third party (that is not a competitor of the Processor) to do so, subject to appropriate confidentiality obligations.
7.3 Conditions for On-Site Audits
On-site audits or inspections:
- must be coordinated in advance with the Processor;
- must be carried out in a way that does not disproportionately disrupt the Processor’s operations or compromise the security or confidentiality of other customers’ data; and
- may be subject to reasonable logistical, security, and confidentiality requirements imposed by the Processor (including signing an NDA).
The Controller shall be responsible for any costs associated with audits it initiates, unless the audit reveals a material breach of this DPA attributable to the Processor, in which case the Parties will discuss allocation of reasonable costs in good faith.
7.4 Provision of Information and Remediation
The Processor shall provide the Controller, upon verbal or written request and within a reasonable period, with all information and evidence reasonably necessary to demonstrate compliance with this DPA.
If the Controller identifies deficiencies or irregularities during an audit, the Controller shall document these and notify the Processor without undue delay. The Parties will then cooperate in good faith to agree on appropriate remedial measures and timelines, where such measures are necessary for compliance with applicable Data Protection Laws.
8. Use of Sub-Processors
8.1 Engagement of Sub-Processors
The Processor may engage third parties to process Personal Data on its behalf in connection with the performance of the Main Agreement (“Sub-Processors”). The Sub-Processors currently engaged by the Processor, and the nature and location of their services, are listed in Annex 3 to this Agreement.
The Controller hereby grants the Processor a general written authorisation, within the meaning of Article 28(2) GDPR, to engage additional Sub-Processors or replace existing Sub-Processors, provided that the conditions of this Section 8 are met.
8.2 Notification of Changes to Sub-Processors
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors by updating Annex 3 and/or by providing notice through appropriate channels (for example, via email, in-app notification, or a published list on a designated webpage).
The Controller may object to the intended engagement or replacement of a Sub-Processor on reasonable data protection grounds.
8.3 Objection by the Controller
Any objection by the Controller to the engagement or replacement of a Sub-Processor must be raised within 14 days of the Controller receiving the relevant notice. If the Controller does not object within this period, the change shall be deemed approved.
If the Controller raises a justified objection based on data protection concerns, the Parties shall, in good faith, seek a mutually acceptable solution. If no solution can be reached, the Controller shall have the right to terminate the portion of the services affected by the use of the Sub-Processor, or, if that is not reasonably separable, to terminate the Main Agreement with respect to the affected services, subject to any applicable notice period.
8.4 Sub-Processor Obligations
When engaging Sub-Processors, the Processor shall:
- enter into a written contract with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, in particular with respect to implementing appropriate technical and organisational measures and processing Personal Data only on documented instructions; and
- remain fully liable to the Controller for the performance of the Sub-Processor’s obligations, to the same extent the Processor would be liable if it performed the services itself.
8.5 Ancillary Services (Non–Sub-Processor Relationships)
The mere use of third parties for ancillary services (such as postal services, telecommunications services without specific data processing duties, facility security, or standard software support that does not involve access to the Controller’s Personal Data) does not constitute a Sub-Processor relationship within the meaning of this DPA.
However, where third parties perform maintenance, support, or other services on IT systems that process Personal Data on behalf of the Controller, such services will be treated as Sub-Processing and shall require appropriate contractual safeguards in accordance with this Section 8.
9. Requests and Rights of Data Subjects
9.1 Assistance with Data Subject Rights
Taking into account the nature of the Processing and the information available to the Processor, the Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller’s obligations to respond to requests from Data Subjects under applicable Data Protection Laws, including (where applicable) Articles 12–22 and 32–36 GDPR. These rights may include, in particular:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision-making (where applicable)
9.2 Handling of Direct Requests to the Processor
If a Data Subject submits a request relating to their Personal Data directly to the Processor, the Processor shall:
- not respond to the request on its own authority, unless legally required to do so;
- promptly forward the request to the Controller without undue delay; and
- refrain from disclosing or modifying any Personal Data in response to the request, unless instructed by the Controller or required by applicable law.
Where the Processor is required by law to respond directly to a Data Subject, the Processor shall, to the extent legally permitted, inform the Controller of that legal requirement before responding.
9.3 Controller’s Responsibility
The Controller remains solely responsible for handling and responding to Data Subject requests in accordance with applicable Data Protection Laws. The Processor’s responsibility is limited to providing reasonable assistance as described in this Section and in the Main Agreement.
9.4 Cooperation and Documentation
The Processor shall maintain appropriate records, to the extent required by law, of assistance provided in connection with Data Subject requests and shall, upon reasonable request, provide the Controller with information necessary to demonstrate compliance with the Controller’s obligations regarding Data Subject rights.
10. Liability
10.1 Allocation of Responsibility vis-à-vis Data Subjects
As between the Parties, the Controller shall be primarily responsible for responding to claims by Data Subjects arising from unlawful or incorrect Processing of Personal Data carried out under this DPA and the Main Agreement, in accordance with Articles 82(2)–(4) GDPR and other applicable Data Protection Laws.
10.2 Processor’s Liability to the Controller
The Processor shall be liable to the Controller for damages caused by Processing only where the Processor:
- has not complied with obligations of the GDPR specifically directed to processors; or
- has acted outside of, or contrary to, the Controller’s lawful instructions.
In such cases, the Processor shall be liable for damages caused by its own intentional or grossly negligent breach of this DPA or applicable Data Protection Laws, as well as the intentional or grossly negligent acts of its legal representatives or vicarious agents.
10.3 Limitation of Liability Between the Parties
Unless otherwise agreed in the Main Agreement, and to the fullest extent permitted by applicable law:
- For negligent breaches (other than gross negligence or wilful misconduct), the Processor’s liability under this DPA shall be limited to the average damages typical for this type of contract and subject to any overall limitation of liability set out in the Main Agreement.
- In all other respects, any further liability of the Processor – including for slight negligence and indirect or consequential damages – is excluded, except where mandatory law provides otherwise.
10.4 Exceptions to Limitation of Liability
The limitations set out in Section 10.3 shall not apply to:
- liability for damages arising from injury to life, body, or health;
- liability based on the assumption of a guarantee or fraudulent misrepresentation; or
- any other liability that cannot be limited or excluded under applicable law.
10.5 Contribution and Recourse
If a Data Subject brings a claim for damages directly against the Processor, and such damages are attributable, in whole or in part, to the Controller’s breach of its obligations under applicable Data Protection Laws or this DPA, the Controller shall indemnify and hold the Processor harmless to the extent that the Controller is responsible for the damage, in accordance with Article 82 GDPR and applicable law.
11. Termination of the Main Agreement; Return and Deletion of Data
11.1 Return or Deletion of Personal Data upon Termination
Upon termination or expiry of the Main Agreement, or upon the Controller’s written request at any time, the Processor shall, at the Controller’s choice:
- return to the Controller all Personal Data processed on behalf of the Controller (in a commonly used, machine-readable format where technically feasible); or
- delete such Personal Data, unless the Processor is legally required to retain it.
This obligation applies to all Personal Data in the Processor’s possession or control that has been processed on behalf of the Controller, including any backups, to the extent technically feasible.
11.2 Legal Retention Requirements
Where the Processor is required by applicable law to retain certain Personal Data beyond the term of the Main Agreement (for example, for tax, audit, or regulatory purposes), the Processor may retain such data only for as long as necessary to fulfil those legal obligations. During this period, the Personal Data shall be:
- processed only for the purpose of complying with such legal obligations; and
- subject to appropriate technical and organisational measures to protect it.
11.3 Confirmation of Deletion
Upon the Controller’s request, the Processor shall provide written confirmation that Personal Data processed on behalf of the Controller has been deleted in accordance with this Section 11, except where legal retention obligations apply.
11.4 Controller’s Right to Verify Deletion or Return
The Controller shall have the right, in an appropriate manner and subject to reasonable limitations, to verify the complete and compliant return or deletion of Personal Data by the Processor, for example through a deletion certificate, written confirmation, or by including this verification within an audit conducted under Section 7.
11.5 Continuing Confidentiality Obligations
The Processor’s duty to maintain the confidentiality of Personal Data processed on behalf of the Controller shall survive termination or expiry of the Main Agreement and this DPA for as long as the Processor continues to have access to such Personal Data.
This Agreement shall remain in effect, to the extent necessary, for as long as the Processor retains Personal Data of the Controller, whether due to legal retention obligations or in the course of completing return or deletion in accordance with this Section 11.
12. Final Provisions
12.1 Support and Cooperation Fees
Unless expressly agreed otherwise in the Main Agreement, any assistance or support provided by the Processor under this DPA that goes beyond what is reasonably required for standard operation of the Services (for example, extensive audit support, complex data export, or custom assistance with DPIAs) may be subject to a reasonable fee, provided that:
- such fees are consistent with the Processor’s standard rates; and
- the Processor informs the Controller in advance where a charge will apply.
This does not apply where the Processor’s own breach or incident has directly made such support necessary.
12.2 Amendments and Form Requirements
Any amendments or additions to this DPA, including any waiver of this written form requirement, shall be made in writing or text form (e.g. email, electronic acceptance via the QCarder Platform), unless a stricter form is required by law.
In case of conflict between this DPA and any other data protection documentation provided by the Processor, the Parties shall interpret them harmoniously where possible. Where conflicts remain, this DPA shall prevail with respect to Processing of Personal Data on behalf of the Controller.
12.3 Severability
If any provision of this DPA is held to be wholly or partially invalid, illegal, or unenforceable, the validity of the remaining provisions shall not be affected. The Parties shall replace any invalid or unenforceable provision with a valid provision that most closely reflects the Parties’ original intent and the economic purpose of the invalid provision.
12.4 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the same governing law as the Main Agreement between the Parties, excluding its conflict of law rules.
Where and to the extent required, the Parties acknowledge that EU/EEA, UK, and Swiss Data Protection Laws (including the GDPR, UK GDPR, and Swiss DPA) will apply independently and prevail over conflicting national laws with respect to the protection of Personal Data of Data Subjects in those jurisdictions.
Disputes arising out of or in connection with this DPA shall be subject to the same venue and jurisdiction as defined in the Main Agreement, without prejudice to the rights of Data Subjects or Supervisory Authorities under applicable Data Protection Laws.
12.5 Order of Precedence
In case of any conflict or inconsistency between:
1. this Data Processing Agreement;
2. the Main Agreement; and
3. any other applicable terms or policies,
the following order of precedence shall apply with respect to the Processing of Personal Data:
1. this Data Processing Agreement (DPA);
2. the Main Agreement;
3. any other applicable documents.
Annex 1 – Description of the Processing: Data / Data Categories and Data Subjects
1. Customer Types
QCarder is used by organizations and individuals to create and manage digital business profiles and cards. Typical customer types include:
- Company / Organization accounts
- Teams within organizations
- Individual professional users (freelancers, consultants, etc.)
Depending on how the Controller uses QCarder, the Personal Data processed may relate to:
- Employees and Representatives of the Controller: users who have QCarder accounts (e.g. staff, managers, sales reps, executives).
- Contacts who receive or interact with QCarder profiles or digital business cards (e.g. customers, partners, prospects, vendors).
- Individuals who sign up for trials, demos, or marketing communications managed by the Controller through QCarder.
- Any other individuals whose Personal Data is entered into the QCarder Platform by or on behalf of the Controller (e.g. imported contact lists).
The Processor may process, on behalf of the Controller, in particular the following categories of Personal Data (as configured and provided by the Controller):
Account and Identity Data
- First and last name
- Display name
- Username or user ID
- Profile photo or avatar
Contact and Professional Data
- Email address
- Phone number(s)
- Job title / role
- Department / team
- Company / organization name
- Company address or location
- Links to websites, landing pages, or booking pages
Profile / Business Card Content
- Biography or “about” text
- Profile descriptions and taglines
- Social media links (e.g. LinkedIn, Instagram, X/Twitter, Facebook, YouTube, etc.)
- Calendar / meeting links (e.g. Calendly or similar tools)
- Additional custom fields configured by the Controller (e.g. secondary emails, language, region, internal codes)
Usage and Interaction Data
- Login timestamps and session identifiers
- Events related to profile views, card scans, link clicks
- Device and browser information (e.g. user agent, screen size)
- IP address and approximate location derived from IP
- Logs related to feature usage (e.g. what was shared, when, and how)
Billing and Subscription Data (if managed by Controller)
- Subscription or plan details
- Invoice references, transaction IDs (not full payment card details)
Support and Communication Data
- Messages or tickets submitted via support channels
- Feedback, survey responses, or other comments
Note: Processing of Special Categories of Personal Data (e.g. health, religion, political opinions) is not intended in normal use of QCarder. Any such data entered by the Controller or its users is under the Controller’s sole responsibility.
Annex 2 – Technical and Organisational Measures (TOMs) of the Processor
1. Introduction
This Annex describes the technical and organisational measures implemented by the Processor (QCarder, owned by ASTROSIST Inc.) to protect Personal Data processed on behalf of the Controller, in line with Art. 32 GDPR and other applicable data protection laws.
These measures are designed to ensure the confidentiality, integrity, availability and resilience of systems and services used to process Personal Data. The Processor may update these measures over time, provided the overall level of protection is not reduced.
2. Confidentiality (Art. 32(1)(b) GDPR)
2.1 Physical Access Control
Measures to prevent unauthorised physical access to premises and systems where Personal Data is processed or stored, for example:
- Use of secure office or data centre locations managed with restricted access
- Access limited to authorised personnel (e.g. badges, keys, visitor registration)
- Policies for remote work / home office ensuring that third parties cannot view or access work devices
2.2 System Access Control
Measures to prevent unauthorised access to IT systems and applications:
- Individual user accounts (no shared generic accounts for admin access)
- Strong authentication (password policies, optional multi-factor authentication where supported)
- Automatic screen lock after inactivity
- Central management of user accounts and permissions (granting, modification, revocation)
- Use of firewalls and endpoint protection on relevant systems
- Encryption of data at rest on servers and on mobile devices where appropriate
2.3 Data Access Control
Measures to ensure that only authorised users can access Personal Data within systems:
- Role-based access control (RBAC), granting users only the access they need
- Restricting administrative access to a small group of trained personnel
- Logging of access activities to sensitive areas of the platform
- Internal procedures requiring approval before data is deleted or changed in sensitive contexts
2.4 Separation Control
Measures to ensure that data collected for different purposes or customers is processed separately:
- Logical separation of customer data (e.g. tenant separation in databases or application logic)
- Separation of production and test environments
- Use of distinct databases or schema separation, where applicable
- Internal policies requiring anonymisation or pseudonymisation of data used for testing or analytics where feasible
3. Integrity
3.1 Transfer Control
Measures to protect Personal Data during transmission and to ensure secure transfer:
- Use of encrypted communication channels (e.g. HTTPS/TLS) for data in transit
- Restricted use of external storage or transfer tools; company-managed tools preferred
- Prohibition of unauthorised export of Personal Data to external systems or personal devices
- Logging of certain data access and transfer events where appropriate
3.2 Input / Change Control
Measures to ensure that it is possible to verify who has processed Personal Data and when:
- Logging of key operations (e.g. creation, modification, deletion of user profiles or settings)
- Use of individual user IDs to ensure traceability of changes
- Clear responsibilities and authorisation processes for data correction and deletion
- Periodic review of logs where appropriate for security or compliance purposes
Measures to protect Personal Data and systems against accidental loss, destruction, or disruption:
- Use of reputable cloud infrastructure or hosting providers with industry-standard security controls
- Regular data backups for critical systems and customer data
- Replication or redundancy concepts (e.g. storing backups in separate locations or zones)
- Internal procedures for restoring services and data from backups in the event of an incident
- Monitoring and alerting for key systems to detect outages or anomalies
Where necessary, the Processor maintains and tests backup and recovery processes to help ensure the continuity of services.
5. Procedures for Regular Review, Assessment and Evaluation (Art. 32(1)(d) GDPR; Art. 25 GDPR)
5.1 Data Protection Management
Measures to embed data protection into internal processes, for example:
- Appointment of a privacy contact or Data Protection Officer (if legally required)
- Onboarding and periodic training of staff on data protection, confidentiality, and information security
- Maintaining records of processing activities (where required by law)
- Internal policies on data handling, retention, access, and deletion
5.2 Incident and Breach Management
Measures to detect, assess, and respond to security incidents and personal data breaches:
- Defined internal process for reporting and escalating potential security or data protection incidents
- Evaluation of incidents and classification of severity and impact
- Implementation of remedial measures to mitigate risks and prevent recurrence
- Notification procedures to the Controller in line with Section 6 of this DPA and applicable law
5.3 Data Protection by Design and by Default (Art. 25 GDPR)
Measures to embed privacy into the design and default settings of the QCarder Platform:
- Limiting default visibility of user data to what is necessary for intended use
- Use of configuration options that allow Controllers to control which data fields are collected and shown
- Regular review of new features for privacy and security impact
- Avoiding the collection of unnecessary data where possible
5.4 Order Control (Processor Acting Only on Instructions)
Measures to ensure that Personal Data is processed only according to the Controller’s instructions:
- Written data processing terms (this DPA) binding the Processor and its Sub-Processors
- Documented procedures to ensure new features or data uses are evaluated for compliance with instructions
- Contractual requirements for Sub-Processors to follow comparable obligations
- Confirmations or records of data deletion or return after the end of the Main Agreement, upon Controller request
Annex 3 – Current Sub-Processors
The Processor uses certain third-party service providers (“Sub-Processors”) to support the provision of the QCarder Services. These Sub-Processors may process Personal Data on behalf of the Controller as part of the Services.
The list below reflects the current Sub-Processors as of the Effective Date of this DPA and may be updated from time to time in accordance with Section 8 (Use of Sub-Processors).
Note: QCarder may from time to time engage additional Sub-Processors or replace existing ones in accordance with Section 8 of this DPA. The Controller will be informed of such changes and may object on reasonable data protection grounds.
| Name | Function | Location | Privacy Policy |
|---|---|---|---|
| Google LLC | Cloud Services, Analytics, Logging | United States | Visit Here |
| Microsoft | Cloud Services, Productivity Tools | United States | Visit Here |
| Stripe | Payment Processing | United States | Visit Here |
| Twilio SendGrid | Email and SMS Delivery | United States | Visit Here |
| PlanetScale | Managed Database Hosting | United States | Visit Here |
| Vercel | Hosting, Edge Delivery, CDN | United States | Visit Here |
| Intercom | Customer Support & in-app Messaging | United States | Visit Here |
| MaxMind | IP Geolocation & Fraud Signals | United States | Visit Here |
| Shopify | E-commerce Front / Store (if used) | Canada / Global | Visit Here |
| HubSpot | CRM & Marketing Automation | United States | Visit Here |
| PostHog, Inc. | Product Analytics | United States | Visit Here |
INDEMNIFICATION
To the fullest extent permitted by law, you agree to indemnify, defend, and hold harmless QCarder (owned by ASTROSIST Inc.), its affiliates, officers, directors, employees, agents, licensors, and service providers (the “QCarder Parties”) from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or relating to:
- your access to or use of the Website or Services;
- your violation of these Terms or any applicable law or regulation;
- any content, data, or materials you upload, submit, share, or otherwise make available through QCarder;
- your infringement, misappropriation, or violation of any third party’s rights, including intellectual property, privacy, or publicity rights; or
- any other party’s access to or use of the Services via your account or credentials.
QCarder reserves the right, at your expense, to assume the exclusive defense and control of any matter subject to indemnification by you, and you agree to cooperate with QCarder’s defense of such claims. You agree not to settle any claim without QCarder’s prior written consent, unless the settlement fully and unconditionally releases all QCarder Parties and does not require any admission of fault or payment by them.
LANGUAGE
These Terms are written in English, and the English text is the official and controlling version.
If these Terms are translated into another language and there is any discrepancy or inconsistency between the English version and the translated version, the English version shall prevail.
ASSIGNMENT
You may not assign, transfer, or delegate any of your rights or obligations under these Terms, whether by operation of law or otherwise, without the prior written consent of QCarder (owned by ASTROSIST Inc.).
QCarder may freely assign or transfer these Terms, in whole or in part, without restriction, including in connection with a merger, acquisition, corporate reorganization, sale of assets, or by operation of law. Any permitted assignment by QCarder will not affect your rights under these Terms.
SEVERABILITY
If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court or other tribunal of competent jurisdiction, that provision will be enforced to the maximum extent permissible, and the remaining provisions of these Terms will remain in full force and effect.
NO WAIVER
No failure or delay by QCarder in exercising any right, power, or remedy under these Terms shall operate as a waiver of that right, nor shall any single or partial exercise of any right, power, or remedy preclude any other or further exercise of that right or any other right, power, or remedy.
Any waiver of any provision of these Terms will be effective only if it is in writing and signed by an authorized representative of QCarder.
ENTIRE AGREEMENT
These Terms, together with any other terms and policies expressly incorporated by reference (including our Privacy Policy and any service-specific terms that apply to particular features or plans), constitute the entire agreement between you and QCarder regarding your use of the Website and Services, and supersede all prior and contemporaneous agreements, proposals, negotiations, communications, and understandings, whether written or oral, relating to their subject matter.