Data Processing Addendum (DPA) — Template
Provider: Valiquest AB · Org.nr 559577-0347 · Stockholm, Sweden Service: Virtual Customer Version: v1 — 2026-04-22 (DRAFT — pre-counsel review) Forms part of: the Terms of Service at /legal/terms-of-service.html (the Agreement).
This DPA is a template. We sign it on request from any Customer that needs a written controller–processor contract under GDPR Art. 28(3). For Customers on Team / Business / Enterprise Plans, we will sign the standard form below. Material changes (e.g. data-residency carve-outs) require sign-off from
info@valiquest.com.
1. Background
1.1 The Customer (the Controller) and Valiquest AB (the Processor) have entered into the Agreement under which the Processor provides the Service to the Controller.
1.2 In providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the terms on which the Processor does so, and forms part of the Agreement.
1.3 In the event of any conflict between the Agreement and this DPA on the subject of personal data processing, this DPA controls.
2. Definitions
For this DPA:
- Applicable Data Protection Law means the GDPR (Regulation (EU) 2016/679), the Swedish Data Protection Act (Lag (2018:218)), the UK GDPR and Data Protection Act 2018, and any other privacy or data protection laws applicable to the Processor's processing of Personal Data on behalf of the Controller.
- Customer Personal Data means Personal Data that the Processor processes on behalf of the Controller in the course of providing the Service.
- Personal Data, Controller, Processor, Sub-processor, Data Subject, Processing, Personal Data Breach, and Special Categories of Personal Data have the meanings given in the GDPR.
- Standard Contractual Clauses (SCCs) means the EU Commission's standard contractual clauses for the transfer of personal data to third countries, as adopted by Decision 2021/914.
Other capitalised terms have the meanings given in the Agreement.
3. Roles and scope
3.1 Roles. For Customer Personal Data processed under the Agreement:
- The Controller is the controller of Customer Personal Data.
- The Processor is the processor of Customer Personal Data, processing it solely on behalf of the Controller and in accordance with the Controller's documented instructions.
3.2 Documented instructions. The Controller's documented instructions for processing Customer Personal Data consist of: (a) the Agreement; (b) this DPA; (c) the Controller's use of the Service in accordance with the Documentation; and (d) any further instructions the Controller may give in writing. If the Processor believes an instruction infringes Applicable Data Protection Law, it will inform the Controller and may suspend the affected processing until clarification.
3.3 Lawful basis. The Controller is responsible for ensuring it has a valid lawful basis for the processing, and for providing privacy notices and obtaining consents required from Data Subjects.
3.4 No use for our purposes. The Processor will not use Customer Personal Data for its own purposes. In particular, Customer Personal Data will not be used to train general-purpose foundation models.
4. Subject matter, duration, nature and purpose
| Topic | Detail |
|---|---|
| Subject matter | Provision of the Virtual Customer service to the Controller as set out in the Agreement. |
| Duration | The term of the Agreement plus the post-termination retention period in section 11. |
| Nature and purpose | Hosting, storing, transmitting, displaying, and routing Customer Personal Data through the Service so the Controller can run AI-powered customer-discovery sessions, store transcripts, share with team members, and export results. |
| Categories of Data Subjects | (a) The Controller's authorised Users; (b) individuals whose personal data the Controller chooses to upload to the Service or include in prompts (for example, customer interviewees, research participants). |
| Categories of Personal Data | (a) User account data: name, email, role, language, time zone, sign-in events. (b) Customer-uploaded content: any personal data the Controller chooses to upload, including transcripts, recordings, names, contact details, employer, role, and free-text content describing individuals. |
| Special categories | The Controller may upload special categories of personal data (e.g. health, religion, political opinions) if its lawful basis allows. The Processor does not require special-category data and does not deliberately process it for the Controller. |
5. Processor obligations (GDPR Art. 28(3))
The Processor will:
5.1 (a) Documented instructions. Process Customer Personal Data only on the documented instructions of the Controller (section 3.2), including with regard to international transfers (section 8), unless required to process otherwise by Union or Member State law to which the Processor is subject. In that case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
5.2 (b) Confidentiality. Ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. [REVIEW] Counsel to confirm whether informal NDA + employment confidentiality clauses are sufficient at our scale, or whether a separate written DP-confidentiality undertaking is recommended.
5.3 (c) Security. Take all measures required pursuant to GDPR Art. 32 — namely, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our current technical and organisational measures (TOMs) are listed in Annex 2.
5.4 (d) Sub-processors. Engage Sub-processors only in compliance with section 7.
5.5 (e) Data subject rights. Insofar as possible, assist the Controller — by appropriate technical and organisational measures — to fulfil its obligation to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). Detail in section 9.
5.6 (f) GDPR Art. 32 / 33 / 34 / 35 / 36 assistance. Assist the Controller in ensuring compliance with the obligations under GDPR Art. 32 – 36 (security, breach notification, data protection impact assessment, and prior consultation), taking into account the nature of the processing and information available to the Processor.
5.7 (g) Return or deletion. At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies, unless Union or Member State law requires storage. Detail in section 11.
5.8 (h) Audits and inspections. Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Detail in section 10.
6. Controller obligations
6.1 The Controller represents and warrants that: (a) it has a valid lawful basis for the processing; (b) it has provided all required notices to Data Subjects; (c) it has obtained any consents required; (d) its instructions to the Processor comply with Applicable Data Protection Law; and (e) it will not upload special categories of personal data unless its lawful basis allows.
6.2 The Controller is solely responsible for the accuracy, quality, and legality of the Customer Personal Data it submits to the Service.
7. Sub-processors
7.1 General authorisation. The Controller authorises the Processor to engage Sub-processors, on the condition that the Processor:
- (a) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA;
- (b) maintains a current list of Sub-processors at
/legal/subprocessors.html; - (c) gives the Controller at least thirty (30) days' prior notice of any addition or replacement of a Sub-processor (via email and the RSS feed at
/legal/subprocessors.rss); - (d) gives the Controller a reasonable opportunity to object on legitimate data protection grounds, in which case the parties will work in good faith to find a workable solution; and
- (e) remains fully liable to the Controller for the acts and omissions of its Sub-processors.
7.2 Current Sub-processors. The current list, including each Sub-processor's purpose and processing region, is at /legal/subprocessors.html. Annex 3 reproduces this list as at the date of this DPA.
8. International transfers
8.1 EEA, UK, Switzerland. Where the Processor transfers Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as ensuring an adequate level of protection, the transfer will be governed by the EU Standard Contractual Clauses (Decision 2021/914) — Module Two (controller-to-processor) for transfers from the Controller to the Processor, and Module Three (processor-to-processor) where the Processor onward-transfers to a Sub-processor.
8.2 UK transfers. For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum (issued by the UK ICO, version 1.0 dated 21 March 2022) by reference, with the Standard Contractual Clauses as the approved EU SCCs.
8.3 Swiss transfers. For transfers from Switzerland, references in the SCCs to "GDPR" include the Swiss Federal Act on Data Protection (FADP), and references to the EDPB's competent supervisory authority include the Swiss Federal Data Protection and Information Commissioner.
8.4 Annexes to the SCCs. Annex 1 (description of transfer) and Annex 2 (technical and organisational measures) of this DPA satisfy the corresponding annex requirements of the SCCs.
8.5 Supplementary measures. The Processor confirms that it will, in light of the Schrems II decision, perform reasonable transfer impact assessments and implement supplementary measures where required.
9. Assistance with data-subject rights
9.1 The Service includes self-service controls that allow the Controller to access, correct, export, and delete Customer Personal Data within its Account. In most cases the Controller can use these controls to respond to Data Subject requests without further assistance from the Processor.
9.2 Where the Service controls are insufficient, the Processor will, on reasonable notice and to the extent legally permitted, assist the Controller in responding to Data Subject requests received under GDPR Chapter III. Where assistance requires substantial work beyond the scope of the Service (for example, custom data extraction), the parties will agree reasonable additional fees.
9.3 If the Processor receives a Data Subject request directly relating to Customer Personal Data, the Processor will, without undue delay, refer the Data Subject to the Controller, and notify the Controller of the request.
10. Audit rights
10.1 Information. On request, the Processor will make available all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. The Processor will respond to reasonable written enquiries from the Controller within thirty (30) days.
10.2 Audit reports. Where the Processor obtains independent third-party audit reports (for example, SOC 2, ISO 27001), it will make them available to the Controller under appropriate confidentiality. As at the date of this DPA, the Processor does not hold third-party audit certifications; the Processor's compliance is evidenced by the information made available under section 10.1 and Annex 2.
10.3 On-site audits. Where audit reports under section 10.2 are not available or do not address the Controller's reasonable concerns, the Controller may conduct an on-site audit of the Processor's facilities and procedures relevant to the processing of Customer Personal Data, on the following terms:
- (a) audits may be conducted no more than once in any twelve-month period, except where required to investigate a confirmed Personal Data Breach affecting the Controller's data or where mandated by a supervisory authority;
- (b) the Controller will give at least sixty (60) days' written notice;
- (c) audits will be conducted during normal business hours and will not unreasonably interfere with the Processor's operations;
- (d) the Controller will bear its own costs and the Processor's reasonable additional costs (where the audit reveals material non-compliance, the Processor will bear its own costs);
- (e) the Controller and any third-party auditor will be bound by confidentiality obligations no less protective than those in the Agreement; and
- (f) the parties will agree audit scope in advance to limit access to information that does not concern Customer Personal Data.
11. Personal data breach
11.1 The Processor will notify the Controller of any Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within seventy-two (72) hours of becoming aware.
11.2 The notification will include, to the extent then known: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences; (d) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (e) the contact point for further information.
11.3 The Processor will reasonably cooperate with the Controller's response to the breach, including providing further information as it becomes available.
11.4 Notification of a Personal Data Breach is not, in itself, an admission of fault or liability.
12. Return or deletion of Customer Personal Data
12.1 At termination. Upon termination of the Agreement, the Controller may export Customer Personal Data using the Service's export tools for thirty (30) days. After this export window:
- (a) the Processor will delete Customer Personal Data from active production systems within thirty (30) days; and
- (b) backup copies will be overwritten on a rolling cycle of up to ninety (90) days from the deletion in (a).
12.2 Earlier deletion. The Controller may at any time during the term request earlier deletion of specific Customer Personal Data through the Service's controls or by emailing info@valiquest.com.
12.3 Legal retention exception. The Processor may retain Customer Personal Data to the extent and for the duration required by Union or Member State law (for example, accounting records under Bokföringslagen). Such retention will be limited to what is necessary for that legal obligation, and the data will continue to be protected as required by this DPA.
13. Liability
13.1 The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement.
13.2 Nothing in this DPA limits a party's liability where such limitation is prohibited by Applicable Data Protection Law.
14. General
14.1 Term and termination. This DPA enters into force on the same date as the Agreement, continues for the term of the Agreement, and survives termination to the extent necessary to enable the parties to comply with their obligations following termination.
14.2 Governing law and venue. This DPA is governed by Swedish law and subject to the exclusive jurisdiction of the Stockholm District Court (Stockholms tingsrätt), as set out in the Agreement.
14.3 Conflict. In the event of any conflict between this DPA and the Agreement on the subject of personal data processing, this DPA controls.
14.4 Modifications. No modification or amendment of this DPA is effective unless in writing and signed (or accepted by click-wrap acceptance) by both parties.
14.5 Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force.
14.6 Counterparts. This DPA may be signed in counterparts and by electronic means.
Annex 1 — Description of the processing
| Topic | Detail |
|---|---|
| Categories of Data Subjects | (a) Controller's authorised Users; (b) individuals described in or whose data is included in Customer Content uploaded by Controller (e.g. interviewees, research participants). |
| Categories of Personal Data | (a) Account data: name, email, role, language, sign-in metadata; (b) Customer Content: any personal data the Controller chooses to submit, including transcripts, recordings, free-text descriptions, contact details. |
| Special Categories | The Controller may upload special-category data subject to its lawful basis. The Processor does not require it. |
| Frequency of transfer | Continuous, for the duration of the Agreement. |
| Nature of processing | Hosting, storage, transmission, AI-assisted analysis, retrieval, and deletion of Customer Personal Data via the Service. |
| Purpose of processing | Provision of the Virtual Customer service to the Controller in accordance with the Agreement. |
| Duration | For the term of the Agreement plus the post-termination retention period in section 12. |
| Recipients | The Sub-processors listed in Annex 3 (and updated at /legal/subprocessors.html). |
| Controller (transfer source) | The Controller. |
| Processor (transfer recipient) | Valiquest AB, Stockholm, Sweden. |
| Onward transfers (third countries) | As listed in Annex 3 (Sub-processors). |
| Competent supervisory authority | Integritetsskyddsmyndigheten (IMY), Sweden. |
Annex 2 — Technical and organisational measures (TOMs)
The Processor implements the following TOMs in accordance with GDPR Art. 32. The list reflects the Processor's posture as at the date of this DPA. The Processor may update individual measures over time provided that the overall level of protection is maintained or improved.
A. Pseudonymisation and encryption
- Encryption in transit: TLS 1.2+ for all browser and API traffic.
- Encryption at rest: platform-managed encryption (Firebase, Railway managed disks).
- Customer-managed keys: not currently offered.
B. Confidentiality, integrity, availability, resilience
- Per-organisation isolation enforced by Firestore Security Rules.
- Authentication: Firebase Auth with provider-managed password hashing; OAuth via Google.
- HMAC signature verification on inbound provider webhooks (Paddle) where Paddle is configured.
- Per-IP API rate limiting and Helmet-based security headers are implemented and active in staging; production activation is part of the cutover checklist.
- Application log secret masking is implemented and active in staging; production activation is part of the cutover checklist.
- Firebase / Google Cloud backup and export procedures are documented; first recorded restore test is a pre-cutover requirement.
C. Restoration
- Backups overwritten on a rolling cycle of up to 90 days.
- Restore procedure documented; not currently rehearsed on a fixed cadence.
D. Regular testing and review
- Internal security reviews after material changes.
- Internal dependency checks through
npm audit/ review, plus AI-assisted security reviews where used. - Periodic Firestore rules audit (most recent: G7.x audit, 2026-Q1).
- No formal external penetration testing programme as at the date of this DPA.
E. User access controls
- Access to production data is limited to a small number of personnel under written confidentiality obligations.
- No formal role-based access control across all internal tools as at the date of this DPA; access is controlled by individual platform-level permissions (Firebase Console, Railway, etc.).
F. Data segregation
- Customer Personal Data is segregated by
orgIdin all collections; cross-organisation access is structurally prevented at the Security Rules layer.
G. Sub-processor management
- Written or click-wrap data-protection agreements with each Sub-processor.
- 30-day prior notice of new or replaced Sub-processors via
/legal/subprocessors.htmland the RSS feed.
H. Incident response
- Designated security contact:
info@valiquest.com. - Internal incident-response playbook covering identification, containment, notification, and post-incident review.
- Supervisory-authority notification within 72 hours of becoming aware of a notifiable Personal Data Breach.
I. What we do NOT currently have
For transparency, the Processor explicitly does not (as at the date of this DPA) hold or operate:
- SOC 2 Type I / II certification.
- ISO 27001 certification.
- A formal external penetration testing programme.
- A 24/7 security operations centre.
- A formal bug bounty programme (responsible disclosure invited at
info@valiquest.com). - Customer-managed encryption keys.
- Region-pinned data residency outside Firebase / Railway defaults.
Annex 3 — Sub-processors as at 2026-04-22
| Sub-processor | Purpose | Processing region |
|---|---|---|
| Google Cloud / Firebase | Authentication, Firestore, Storage, Functions, hosting | EU (Belgium / Netherlands) where available; US fallback for some services |
| Railway | Application runtime / container hosting | Region per environment (verify) |
| Paddle.com Market Limited | Merchant of record, billing | UK + Ireland |
| Flowise | Conversational engine container | Co-located with Railway runtime |
| OpenAI, OpenAI Ireland Ltd | LLM inference | US (with EU contracting entity) |
| Anthropic, PBC | LLM inference | US |
| Google AI / Gemini (Google LLC) | LLM inference | Google Cloud regions |
| Resend, Inc. / Twilio SendGrid | Transactional email | US |
The current list, with updates and notification subscription, is at /legal/subprocessors.html.
Reviewer flags
For the external Swedish data protection / IT lawyer (G4.6.13):
- [REVIEW] §5.2 Confidentiality undertaking — confirm informal employment-NDA approach is sufficient under Art. 28(3)(b).
- [REVIEW] §7.1(c) 30-day prior notice — confirm this is consistent with current IMY guidance (some authorities prefer 60 days for enterprise customers).
- [REVIEW] §8 SCCs — confirm we have executed Module Two and Module Three SCCs on file with each onward Sub-processor where transfers occur.
- [REVIEW] §10.3 On-site audit clause — confirm 60-day notice + once-per-12-months is defensible vs typical enterprise procurement requirements.
- [REVIEW] §11.1 72-hour breach notification — confirm wording aligns with Art. 33 verbatim (some Customers expect "without undue delay" only).
- [REVIEW] §12 Backup retention — confirm 90-day rolling overwrite is defensible under storage-limitation principle.
- [REVIEW] Annex 2 TOMs list — confirm the explicit "what we do NOT have" section is acceptable to procurement-heavy buyers (it is honest but might be flagged in some RFPs).
- [REVIEW] Annex 3 Sub-processor regions — verify each entry against actual contracts before any external customer signs this DPA.
End of draft v1 — 2026-04-22