Data Processing Agreement

Last updated: January 2025

Note: This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and eQuest. It governs how we process personal data on your behalf when you use our Service to collect data from your clients.

1. Definitions

For the purposes of this DPA:

  • "Controller" means you, the customer, who determines the purposes and means of processing personal data collected through the Service
  • "Processor" means eQuest (Kooslab UG), which processes personal data on behalf of the Controller
  • "Data Subject" means the individual whose personal data is processed (e.g., your clients who fill out questionnaires)
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data, including collection, storage, use, and deletion
  • "Sub-processor" means any third party engaged by eQuest to process personal data on behalf of the Controller
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679
  • "Service" means the eQuest questionnaire builder platform

2. Scope and Roles

2.1 Relationship of Parties

When you use the Service to collect data from your clients:

  • You (the Customer) are the Controller of the personal data you collect
  • eQuest is the Processor, processing data on your behalf

2.2 Controller Responsibilities

As Controller, you are responsible for:

  • Determining the lawful basis for processing
  • Providing appropriate privacy notices to Data Subjects
  • Obtaining necessary consents where required
  • Responding to Data Subject rights requests
  • Ensuring the accuracy of personal data
  • Complying with applicable data protection laws

3. Processing Details

3.1 Subject Matter and Duration

This DPA applies to the processing of personal data through the Service for the duration of your use of the Service, plus any retention period required by law or as specified in our Privacy Policy.

3.2 Nature and Purpose of Processing

We process personal data for the following purposes:

  • Storing and displaying questionnaire responses
  • Enabling review and approval workflows
  • Storing and serving uploaded files
  • Facilitating communication between you and your clients
  • Providing analytics and reporting features
  • Maintaining security and preventing fraud

3.3 Types of Personal Data

The following categories of personal data may be processed:

  • Contact information (name, email, phone number)
  • Business information (company name, role, address)
  • Questionnaire responses and answers
  • Uploaded files and documents
  • Communication content (comments, messages)
  • Technical data (IP address, browser information)

3.4 Categories of Data Subjects

  • Your clients who fill out questionnaires
  • Team members you invite to collaborate
  • Any other individuals whose data you collect through the Service

4. Processor Obligations

As Processor, eQuest agrees to:

4.1 Processing Instructions

  • Process personal data only on your documented instructions
  • Inform you if we believe an instruction violates GDPR or other data protection laws
  • Not process personal data for any purpose other than providing the Service

4.2 Confidentiality

  • Ensure all personnel processing personal data are bound by confidentiality obligations
  • Limit access to personal data to personnel who need it to provide the Service

4.3 Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption at rest: AES-256-GCM for sensitive data (PII, credentials)
  • Encryption in transit: TLS 1.2+ for all data transmission
  • Access control: Role-based permissions, secure authentication
  • Password security: Argon2id hashing algorithm
  • Session management: Secure, HttpOnly cookies
  • Infrastructure security: Regular security updates, monitoring
  • Backup and recovery: Regular encrypted backups

4.4 Sub-processing

We use sub-processors to provide parts of the Service. By agreeing to this DPA, you authorize our use of the sub-processors listed in Section 7.

  • We will notify you of any intended changes to sub-processors
  • You may object to new sub-processors within 30 days of notification
  • We ensure sub-processors are bound by equivalent data protection obligations

4.5 Data Subject Rights

We will assist you in responding to Data Subject requests, including:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Data portability requests
  • Restriction requests
  • Objection requests

If we receive a request directly from a Data Subject, we will refer them to you unless legally required to respond directly.

4.6 Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (within 72 hours where feasible)
  • Provide details of the breach, including categories and number of Data Subjects affected
  • Describe the likely consequences of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with your breach investigation and notification obligations

4.7 Deletion and Return of Data

Upon termination of the Service or upon your request, we will delete or return all personal data (at your choice), unless retention is required by applicable law. You can export your data at any time through the Service.

4.8 Audit Rights

Upon reasonable request and subject to confidentiality obligations, we will provide information necessary to demonstrate compliance with this DPA. This may include security certifications, audit reports, or responses to security questionnaires.

5. International Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards are in place:

  • Transfers to countries with an EU adequacy decision
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other legally recognized transfer mechanisms

You may request information about the specific safeguards applied to international transfers by contacting us at privacy@equest.app.

6. Data Protection Impact Assessments

Where required, we will provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities. This assistance may be subject to additional fees for extensive support beyond standard documentation.

7. Sub-processors

We currently use the following sub-processors:

Sub-processor       Purpose                          Location
Neon Inc.           Database hosting (PostgreSQL)    USA (with EU options)
Cloudflare, Inc.    File storage (R2), CDN           Global (EU jurisdiction available)
Resend, Inc.        Transactional email delivery     USA
Vercel Inc.         Application hosting              Global (edge network)

We will notify you of any changes to this list. The current list is always available at equest.app/dpa.

8. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except that:

  • Neither party limits its liability for breaches of its data protection obligations to the extent prohibited by applicable law
  • Each party remains liable for the acts and omissions of its sub-processors

9. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination:

  • You may export your data before account closure
  • We will delete personal data within 30 days of termination, unless retention is required by law
  • Provisions relating to confidentiality and liability survive termination

10. Governing Law

This DPA is governed by the laws of Germany, without regard to conflict of law principles. The courts of Berlin, Germany have exclusive jurisdiction over disputes arising from this DPA, subject to the rights of EU consumers to bring proceedings in their country of residence.

11. Standard Contractual Clauses

For transfers of personal data from the EEA to countries without an adequacy decision, the Standard Contractual Clauses (Module Two: Controller to Processor) approved by the European Commission are incorporated by reference.

The SCCs apply with the following specifications:

  • Module: Module Two (Controller to Processor)
  • Clause 7 (Docking clause): Not applicable
  • Clause 9 (Use of sub-processors): Option 2 (general authorization)
  • Clause 11 (Redress): Optional clause not included
  • Clause 17 (Governing law): Germany
  • Clause 18 (Choice of forum): Courts of Berlin, Germany

12. Contact

For questions about this DPA or to exercise your rights, contact us:

Kooslab UG (in formation)

Data Protection Contact

Berlin, Germany

Email: privacy@equest.app