This Data Processing Addendum ("DPA") is entered into between QEngine LLC, dba INZATA ("Inzata," "Processor," or "Service Provider") and the Customer ("Controller," "Business," or "Customer"). This DPA forms part of the applicable Terms of Service and other governing agreements between the parties (the "Agreement").
1. Purpose and Scope
This DPA governs the processing of Personal Data by Inzata on behalf of Customer in connection with the Services provided under the Agreement.
- Customer acts as the Controller or Business with respect to Personal Data.
- Inzata acts as the Processor or Service Provider, processing Personal Data solely on Customer's behalf.
This DPA applies only to Personal Data processed by Inzata in connection with the Services.
2. Definitions
Applicable Data Protection Laws
All laws and regulations applicable to the processing of Personal Data under the Agreement, including where applicable: the EU GDPR, UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and similar applicable privacy laws.
Personal Data
Information relating to an identified or identifiable natural person that is processed by Inzata on behalf of Customer.
Processing
Any operation performed on Personal Data, including collection, storage, use, transmission, disclosure, deletion, analysis, and modification.
Security Incident
Unauthorized access to, acquisition of, disclosure of, alteration of, or destruction of Customer Personal Data.
Subprocessor
A third party engaged by Inzata to process Personal Data in connection with the Services.
3. Processing of Personal Data
Inzata shall process Personal Data only:
- To provide the Services as described in the Agreement.
- Pursuant to Customer's documented instructions.
- As required under the Agreement.
- As required by applicable law.
Inzata shall not:
- Sell Personal Data.
- Share Personal Data for cross-context behavioral advertising.
- Use Customer Personal Data to train generalized public AI models unless expressly authorized by Customer in writing.
4. Customer Obligations
Customer represents and warrants that it has all necessary rights and legal bases to provide Personal Data to Inzata, will comply with Applicable Data Protection Laws, and will provide any required notices and obtain any required consents.
Customer remains solely responsible for:
- The legality of Customer Data uploaded to or processed through the Services.
- The accuracy and quality of Customer Data.
- The means by which Customer acquired Personal Data.
5. Confidentiality
- Are subject to appropriate confidentiality obligations.
- Receive training regarding privacy and security obligations.
- Access Personal Data only where necessary for authorized business purposes.
6. Security Measures
- Encryption of data in transit and at rest.
- Access controls and authentication mechanisms.
- Logging and monitoring of system activity.
- Backup procedures and disaster recovery capabilities.
- Vulnerability management and regular security assessments.
- Documented incident response procedures.
Customer acknowledges that no method of data transmission or storage is completely secure.
7. Subprocessors
Customer provides a general authorization for Inzata to engage Subprocessors to support delivery of the Services. Inzata shall:
- Maintain agreements with Subprocessors that impose materially similar data protection obligations to those in this DPA.
- Remain responsible for Subprocessor compliance to the extent required by applicable law.
A current list of Subprocessors is available upon request at [email protected].
8. International Data Transfers
- The parties incorporate applicable Standard Contractual Clauses ("SCCs") by reference.
- Customer acts as data exporter and Inzata acts as data importer.
The parties agree to cooperate in good faith to implement lawful transfer mechanisms where required.
9. Data Subject Requests
- Access to and portability of Personal Data.
- Correction or rectification of inaccurate data.
- Deletion or erasure of Personal Data.
- Restriction of or objection to processing.
Where Inzata receives a data subject request directly relating to Customer Data, Inzata may redirect the requester to Customer unless prohibited by law.
10. Security Incidents
- The nature of the incident and categories of data affected.
- The approximate number of data subjects and records involved.
- Known impacts and remediation efforts underway.
- Recommended mitigation measures for Customer.
Notification of a Security Incident does not constitute an admission of fault or liability by Inzata.
11. Audits and Information Rights
- Are limited to once annually unless otherwise required by applicable law.
- Must not unreasonably interfere with Inzata's operations.
- May be satisfied by Inzata providing security reports, certifications, or third-party assessments in lieu of on-site audits.
12. Data Retention and Deletion
- Applicable law or regulatory obligation.
- Standard backup retention practices.
- Dispute resolution or legal hold obligations.
- Legitimate operational business needs.
Residual copies stored in backup systems may remain until overwritten in accordance with Inzata's standard retention schedules.
13. AI Processing Provisions
- Customer acknowledges that AI-generated outputs are probabilistic and may contain inaccuracies.
- Customer remains responsible for reviewing AI outputs prior to reliance or operational use.
- Customer Data shall not be used to train generalized public AI models unless expressly authorized by Customer in writing.
Inzata may use aggregated or de-identified operational data for security monitoring, service analytics, and platform optimization, provided such use does not identify Customer or individual data subjects.
14. Compliance Assistance
- Data protection impact assessments (DPIAs).
- Regulatory inquiries or investigations.
- Compliance obligations directly related to the Services.
15. Limitation of Liability
The liability limitations and exclusions contained in the Agreement apply to this DPA unless prohibited by applicable law. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under Applicable Data Protection Laws.
16. Term
This DPA remains effective for as long as Inzata processes Personal Data on behalf of Customer under the Agreement. Obligations that by their nature survive termination - including confidentiality and data deletion - shall survive expiration of this DPA.
17. Order of Precedence
In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall control to the extent of the conflict.
18. Governing Law
This DPA shall be governed by the governing law provisions contained in the Agreement unless otherwise required by Applicable Data Protection Laws.
Annex 1 - Details of Processing
| Subject Matter | Provision of cloud-based analytics, AI, reporting, business intelligence, and related SaaS services. |
| Nature & Purpose | Hosting, storage, analytics, reporting, AI processing, customer support, operational monitoring, and platform administration. |
| Categories of Data | Account information, business contact details, authentication data, usage logs, uploaded datasets, communications, and technical identifiers. |
| Data Subjects | Customer employees, contractors, end users, business contacts, and Customer's own clients or users. |
| Duration | For the duration of the Agreement and any applicable post-termination retention period. |
Contact Information
Company: QEngine LLC, dba INZATA
Address: PO Box 90762, Lakeland, FL 33804-0762
Email: [email protected]