Data Processing Agreement
Effective Date: 10 March 2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") between:
Data Processor: QIPP Ltd., 7 Heathfield Drive, CR4 3RD, United Kingdom ("Processor", "we", "us")
and
Data Controller: The user of the Qipp service ("Controller", "you")
This DPA sets out the terms on which we process personal data on your behalf when you use the Qipp service ("Service") to send invoices to your clients.
1. Definitions
In this DPA:
- "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, and any other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf.
- "Processing" has the meaning given in the UK GDPR and includes any operation performed on Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Roles
2.1 Controller and Processor Relationship
When you use the Service to process your clients' personal data (such as creating and sending invoices), you are the Data Controller and we are your Data Processor.
You determine the purposes and means of processing. We process Personal Data only in accordance with your documented instructions.
2.2 Categories of Data Subjects
The Personal Data processed may relate to:
- Your clients (invoice recipients)
- Employees of your clients
- Other individuals whose data you include in invoices
2.3 Types of Personal Data
We may process the following categories of Personal Data on your behalf:
- Contact information: names, email addresses, business addresses, phone numbers
- Business information: company names, job titles
- Financial information: invoice amounts, payment status
- Engagement data: invoice view timestamps, click interactions
- Technical data: IP addresses, user agents (for click tracking)
2.4 Processing Activities
We process Personal Data for the following purposes:
- Storing and displaying invoice information
- Sending invoices via email
- Tracking invoice engagement (views, clicks)
- Processing payments via Stripe Connect
- Generating PDF invoices
3. Processor Obligations
3.1 Processing Instructions
We will:
- Process Personal Data only on your documented instructions, unless required by law
- Inform you if we believe an instruction violates Data Protection Laws
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
3.2 Security Measures
We implement appropriate technical and organisational measures to protect Personal Data, including:
- Encryption of data in transit using TLS
- Encryption of data at rest
- Access controls and authentication mechanisms
- Regular security assessments and testing
- Secure development practices
- Incident response procedures
3.3 Sub-processors
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage | US/EU | Standard Contractual Clauses |
| Stripe Inc. | Payment processing | US | Standard Contractual Clauses |
| Resend Inc. | Email delivery | US | Standard Contractual Clauses |
| Vercel Inc. | Hosting | US/EU | Standard Contractual Clauses |
You authorise us to engage these sub-processors. We will notify you of any intended changes to sub-processors, giving you the opportunity to object. If you object on reasonable data protection grounds, and we cannot accommodate your objection, you may terminate the Agreement.
We ensure that sub-processors are bound by contractual obligations that are no less protective than those in this DPA.
3.4 Assistance to Controller
Taking into account the nature of processing, we will assist you by:
- Implementing appropriate technical and organisational measures to fulfil your obligation to respond to Data Subject requests
- Assisting with your obligations regarding security, breach notification, impact assessments, and prior consultation, to the extent required by Data Protection Laws
- Making available information necessary to demonstrate compliance with this DPA
3.5 Data Subject Requests
If we receive a request from a Data Subject regarding their Personal Data, we will:
- Promptly notify you of the request
- Not respond to the request directly unless authorised by you or required by law
- Assist you in responding to the request through appropriate technical and organisational measures
4. Security Incidents
4.1 Notification
We will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident affecting Personal Data processed on your behalf.
4.2 Information Provided
The notification will include:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects affected
- The categories and approximate number of Personal Data records affected
- The name and contact details of our point of contact
- The likely consequences of the Security Incident
- The measures taken or proposed to address the Security Incident
4.3 Cooperation
We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
5. International Transfers
Personal Data may be transferred to and processed in countries outside the UK and European Economic Area, including the United States.
We ensure that any international transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission, supplemented for transfers from the UK by the International Data Transfer Addendum issued by the UK Information Commissioner
- Binding corporate rules of sub-processors
- Adequacy decisions where applicable
Copies of the relevant transfer mechanisms are available on request.
6. Audits
We will make available to you all information necessary to demonstrate compliance with this DPA.
You may conduct audits of our data processing activities, subject to:
- Providing reasonable advance notice (minimum 30 days)
- Conducting audits during normal business hours
- Ensuring auditors are bound by confidentiality obligations
- Bearing your own costs for the audit
Where possible, we will satisfy audit requirements by providing relevant certifications, audit reports, or other documentation.
7. Data Retention and Deletion
7.1 During the Agreement
We retain Personal Data for as long as necessary to provide the Service and in accordance with our retention policies.
7.2 Upon Termination
Upon termination of the Agreement or upon your request, we will:
- Delete or return all Personal Data to you, at your choice
- Delete existing copies, unless retention is required by law
- Provide certification of deletion upon request
Deletion will be completed within 30 days of termination or request, except for data we are required to retain for legal or regulatory purposes.
8. Controller Obligations
You represent and warrant that:
- You have a lawful basis for processing Personal Data and have provided appropriate notices to Data Subjects
- Your instructions to us comply with Data Protection Laws
- You will inform us promptly of any changes affecting your processing activities
- You will cooperate with us in fulfilling our obligations under this DPA
9. Liability
Each party's liability under this DPA is subject to the limitations set out in the Agreement.
We are not liable for any breach of Data Protection Laws caused by your failure to comply with your obligations as Controller.
10. Term and Termination
This DPA commences when you accept the Agreement and continues until the Agreement is terminated.
Provisions of this DPA that by their nature should survive termination (including confidentiality, data deletion, and liability) shall survive.
11. Amendments
We may update this DPA to reflect changes in Data Protection Laws or our processing activities. Material changes will be notified to you with reasonable advance notice.
12. Contact
For questions about this DPA or to exercise your rights, contact us at:
Email: hello@q-ipp.com
Address: QIPP Ltd., 7 Heathfield Drive, CR4 3RD, United Kingdom