1. Background and roles
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between QuoteChase and the Subscriber. It applies where QuoteChase processes personal data relating to the Subscriber's Customers and contacts (“Customer Personal Data”) on the Subscriber's behalf in providing the Service.
For Customer Personal Data, the Subscriber is the controller and QuoteChase is the processor. Words such as personal data, processing, controller, processor, data subject and personal data breach have the meanings given in UK Data Protection Law (the UK GDPR, the Data Protection Act 2018 and related regulations, as amended).
2. Processing on documented instructions
QuoteChase will process Customer Personal Data only on the Subscriber's documented instructions, including those given through normal use of the Service (such as sending a quote, invoice, reminder or SMS), and as set out in this DPA, unless required to do otherwise by law, in which case QuoteChase will inform the Subscriber unless the law prohibits it. QuoteChase will tell the Subscriber if it considers an instruction infringes UK Data Protection Law.
QuoteChase will not sell Customer Personal Data and will not use it for its own purposes, including not using it to build profiles or for advertising.
3. The Subscriber's responsibilities
The Subscriber warrants that it has a valid lawful basis to collect and process Customer Personal Data, to enter it into the Service, and to instruct QuoteChase to contact Customers by email or SMS. The Subscriber is responsible for the accuracy of the data and for providing any privacy information and honouring data subject rights as controller.
4. Confidentiality
QuoteChase will ensure that people authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality and only access the data as needed to provide the Service.
5. Security (Article 32)
QuoteChase will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art and the nature of the data. A summary of those measures is in Appendix 3.
6. Sub-processors
The Subscriber gives general authorisation for QuoteChase to engage the sub-processors listed in Appendix 2 to process Customer Personal Data. QuoteChase will impose data protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance.
QuoteChase will give the Subscriber reasonable advance notice of any intended addition or replacement of a sub-processor (for example by updating the list and, where the Subscriber has asked, by email). The Subscriber may object on reasonable data protection grounds, and the parties will work in good faith to resolve the concern; if it cannot be resolved, the Subscriber may terminate the affected part of the Service.
7. Assisting the Subscriber
Taking account of the nature of the processing, QuoteChase will assist the Subscriber by appropriate technical and organisational measures, so far as possible, to respond to requests from data subjects exercising their rights, and to meet the Subscriber's obligations on security, breach notification, data protection impact assessments and prior consultation under Articles 32 to 36 of the UK GDPR. Self-service export and deletion tools in the Service are part of this assistance.
8. Personal data breaches
QuoteChase will notify the Subscriber without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide the information reasonably available to help the Subscriber meet its own breach notification duties to the ICO and affected data subjects.
9. Return and deletion
At the end of the Service, and subject to the read-only retention window described in the Terms, QuoteChase will delete Customer Personal Data, unless UK law requires it to be kept. Before deletion the Subscriber can export its data from the Service.
10. Information and audit
QuoteChase will make available information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Subscriber or an auditor it mandates, on reasonable prior notice, no more than once a year unless required by a regulator, and subject to confidentiality and to not compromising other customers' security.
11. International transfers
Where processing Customer Personal Data involves a transfer outside the UK, QuoteChase will ensure an appropriate safeguard under UK Data Protection Law is in place, such as UK adequacy regulations or the UK International Data Transfer Agreement or Addendum.
12. Liability
The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA varies the allocation of risk or limits of liability in the Terms, except where UK Data Protection Law requires otherwise.
Appendix 1: Details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the QuoteChase quoting, invoicing, reminder and messaging service |
| Duration | For the term of the Subscription plus the retention window described in the Terms |
| Nature and purpose | Storing, displaying, generating documents from, and sending by email or SMS the Subscriber's quotes, invoices and reminders to its Customers |
| Types of personal data | Customer names, email addresses, phone numbers, postal addresses, job and quote or invoice details, private notes, and payment status |
| Categories of data subjects | The Subscriber's Customers and their representatives or contacts |
| Special category data | Not required by the Service; the Subscriber should not enter special category data into free-text fields |
Appendix 2: Authorised sub-processors
| Sub-processor | Service provided | Region |
|---|---|---|
| Supabase | Database, authentication and file storage | EU / UK region where available |
| Vercel | Application hosting and cookieless analytics | UK / EU / global edge |
| Stripe | Subscription billing and Connect card payments | EU / UK / US |
| Resend | Email delivery | US / EU |
| The SMS Works | SMS delivery (Pro) | UK |
Appendix 3: Technical and organisational measures
- Encryption of data in transit (TLS) and at rest.
- Row-level security so each account can access only its own data.
- Authentication with hashed credentials and session management handled by a specialist auth provider.
- Unguessable, high-entropy tokens for public quote and invoice links, which are read-only.
- Rate limiting on public endpoints and sensitive actions.
- Least-privilege access to production systems and use of reputable hosting and infrastructure providers.
- Logical separation of subscription billing data from customer invoice payment flows.
- Backups and the ability to restore data, and prompt patching of dependencies.
This document is provided for transparency and does not constitute legal advice. If you need advice on your own circumstances, consult a qualified solicitor.