Data Processing Addendum

qlows offers a signed DPA to customers who process personal data using the service. This page summarizes the terms; the actual DPA is a separate countersigned document — request it at legal@qlows.com.

Roles

You are the Controller. qlows is the Processor. We process Personal Data on your documented instructions only.

Subject matter & duration

Subject matter: the qlows app and MCP. Duration: as long as your account is active, plus 30 days of grace before purge on termination.

Categories of data subjects

• Your employees, contractors, and authorized seat holders
• SME team members invited via Q-Routing magic links
• Individuals named in RFP content uploaded to your workspace

Categories of personal data

• Contact details (name, work email, role)
• Workspace activity (which user took which action and when)
• Any personal data incidentally present in uploaded RFPs or answers

Sub-processors

The current sub-processor list is published at /legal/subprocessors and provided as a Schedule on signed DPA execution. Material additions are notified at least 14 days in advance by email to your DPA signatory.

Security measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• SSO/SAML available on Enterprise
• Role-based access control on Pro and Enterprise
• Audit log on Pro and Enterprise
• Penetration testing annually

International transfers

Standard Contractual Clauses (SCCs) where applicable. EU customer data stays in the EU region by default.

Sub-processor & breach notice

We notify you of confirmed personal data breaches without undue delay and in any case within 72 hours of becoming aware.

Audit

You can audit our compliance once per year, with reasonable notice. We accept third-party audits on request from Enterprise customers.

Request the DPA

Email legal@qlows.comwith your company details and we’ll send a countersignable version.