Data Processing Agreement
How QllmSoft processes personal data on behalf of customers, in line with GDPR Article 28.
Data Processing Agreement
1 Parties and Definitions
This Data Processing Agreement ("DPA") forms part of the agreement between QllmSoft ("Processor", "we") and the customer organization using QllmDocs ("Controller", "you") whenever you process personal data of your own end users, employees, or clients through the Service. Terms such as "personal data," "processing," "controller," "processor," and "data subject" have the meanings given under the EU General Data Protection Regulation (GDPR).
2 Scope and Duration
This DPA applies for as long as QllmSoft processes personal data on your behalf under your subscription to QllmDocs, and survives termination of the underlying agreement to the extent personal data is retained during permitted post-termination periods described in Section 11.
3 Details of Processing
- Nature and purpose: Storage, organization, retrieval, and AI-assisted search of documents you upload, and related account and access-management functions.
- Duration: For the length of your active subscription plus applicable retention periods.
- Categories of data subjects: Your team members (Admins, Members) and any individuals identifiable within the documents you upload.
- Categories of personal data: Account data (name, email, role), and any personal data contained within documents, metadata, or files you choose to upload.
4 Processor Obligations
QllmSoft will:
- Process personal data only on your documented instructions, unless required otherwise by law.
- Ensure personnel authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (Section 6).
- Assist you in responding to data subject rights requests and meeting your own regulatory obligations.
- Notify you without undue delay upon becoming aware of a personal data breach affecting your data (Section 8).
5 Sub-Processors
You grant general authorization for QllmSoft to engage the following sub-processors, each bound by data protection terms consistent with this DPA:
| Sub-processor | Purpose |
|---|---|
| Microsoft Azure (Blob Storage) | Cloud storage of uploaded documents and files |
| PayPal | Payment processing for paid subscriptions |
We will provide reasonable advance notice of any intended addition or replacement of sub-processors.
6 Security Measures
- AES-256 encryption of data at rest.
- TLS/HTTPS encryption of data in transit.
- Role-based access control (Admin / Member) and per-document access permissions.
- Optional two-factor authentication (2FA) available per user.
- Rate limiting and security-header protections.
- Activity logging and audit trails for account and document actions.
7 Data Subject Rights
Where a data subject contacts QllmSoft directly regarding their rights under GDPR or similar law, we will promptly redirect the request to you as Controller, unless legally required to respond ourselves. We will provide reasonable technical assistance to help you fulfill access, rectification, erasure, restriction, and portability requests.
8 Personal Data Breach Notification
In the event of a personal data breach affecting your data, QllmSoft will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach, in accordance with our Breach Notification Policy.
9 International Data Transfers
Personal data is primarily stored on Microsoft Azure infrastructure. Where personal data is transferred outside the country of origin, QllmSoft will ensure such transfers are subject to appropriate safeguards as required by applicable data protection law.
10 Audit Rights
You may request reasonable information demonstrating QllmSoft's compliance with this DPA. On-site audits, if required by law, will be scheduled with reasonable advance notice, during business hours, and at your expense unless material non-compliance is identified.
11 Return and Deletion of Data
Upon termination of your subscription, QllmSoft will, at your choice, delete or return all personal data processed on your behalf within the retention period described in our Privacy Policy, unless further storage is required by law.
12 Liability
Liability under this DPA is subject to the limitation of liability provisions set out in our Terms of Service.
13 Governing Law
This DPA is governed by the laws of Pakistan, without prejudice to any mandatory data protection law applicable to your processing activities (such as GDPR where you process data of EU data subjects).