Draft — pending legal review
This document is a working draft intended to surface the policy direction. Final wording will be reviewed by legal counsel before commercial launch.
Data processing addendum
Last updated: June 12, 2026
This data processing addendum (“DPA”) supplements the terms of service and governs the relationship between you (controller) and Quote Bench Pro s. r. o. (processor) under Article 28 GDPR.
1. Subject matter
The processor processes personal data to the extent necessary to deliver the Quote Bench Pro service — building, calculating, and preparing priced quotes from inputs provided by the controller.
2. Duration
Processing lasts for the duration of the service contract plus 30 days after termination (data export window). After this period, data is deleted.
3. Nature and purpose
The purpose is service delivery. The nature of processing includes extracting data from job requests (text or voice), storing it in the database, deterministic price calculation, generating PDF quotes, and — when Gmail is connected — sending messages from the user’s account.
4. Categories of data and data subjects
Categories of data: identification and contact data (name, email, phone, address), the content of communication and job requests, attachments (photos, documents).
Categories of data subjects: employees and contractors of the controller, the controller’s end customers.
5. Security measures
The processor ensures:
- Encryption at rest (Postgres + Cloudflare R2 in EU).
- Encryption in transit (TLS 1.2+).
- Multi-tenant isolation in the database via Row-Level Security and a per-controller data encryption key (DEK).
- Audit log of every operation on data.
- Role-based access control (OWNER / FOREMAN / VIEWER).
- Regular database backups and restore testing.
6. Subprocessors
The processor may engage subprocessors listed in the privacy policy. The processor will notify the controller of subprocessor changes at least 30 days in advance; the controller may object within that period.
7. Breach notification
In the event of a personal data breach, the processor notifies the controller without undue delay, no later than 72 hours after detection, via email to the registered address. The notification includes the nature of the breach, categories and number of affected subjects, and proposed mitigations.
8. Assistance with data subject requests
The processor reasonably assists the controller in responding to data subject requests (access, rectification, erasure, portability). The OWNER role can also run self-service export and deletion in the service UI.
9. Audit
The processor provides the controller, upon request, information demonstrating compliance with this DPA and allows an audit (no more than once annually, with 30 days’ notice) or an audit performed by an independent auditor.
10. After processing ends
After processing ends, the processor exports data in a machine-readable format and then completes full deletion within 30 days, unless retention is legally required.