Legal & Compliance

Data Processing Agreement

PUBLIC IMS-DPA v1.2 · Version 1.2 · Issued 10 Feb 2026

This DPA is incorporated into the Service Agreement between Quake ("Processor") and the Client ("Controller").

1. DEFINITIONS

1.1 "Data Protection Laws" means the UK Data Protection Act 2018, UK GDPR, and (where applicable) the EU GDPR.

1.2 "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in Data Protection Laws.

2. SCOPE AND RESPONSIBILITIES

2.1 Roles: The Client is the Controller and Quake is the Processor.

2.2 Processing Instructions: Quake shall process Personal Data only on the documented instructions of the Client (which include the Service Agreement) or as required by Applicable Law. Quake shall immediately inform the Client if, in its opinion, any instruction infringes applicable Data Protection Laws.

2.3 Confidentiality: Quake ensures that all personnel authorised to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.4 AI Processing: The Client acknowledges that Quake utilizes Artificial Intelligence (LLM) sub-processors. Quake warrants that such processing is stateless and configured to "Zero Data Retention" standards. Sub-processors are contractually prohibited from using Client Personal Data to train their public models.

3. SECURITY & AUDIT

3.1 Security Measures: Quake shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256), encryption in transit (TLS 1.2+), and mandatory MFA.

3.2 Audit Rights:
(a) Quake shall make available all information necessary to demonstrate compliance with this DPA.
(b) In lieu of an onsite audit, the Client agrees to accept Quake’s latest ISO 27001 audit summary or independent third-party security reports.
(c) If Applicable Law strictly requires a physical audit, it shall be conducted at the Client's expense, with 30 days' notice, and subject to Quake’s security policies.

4. SUB-PROCESSORS

4.1 General Authorisation: The Client grants Quake a general authorisation to engage sub-processors (listed in Appendix B) to provide the Services.

4.2 Changes: Quake shall inform the Client of any intended changes to sub-processors via email or the platform status page. The Client may object within 10 days on reasonable data protection grounds.

4.3 Obligations: Quake shall enter into a written agreement with each sub-processor imposing data protection obligations no less onerous than those in this DPA.

5. DATA SUBJECT RIGHTS & ASSISTANCE

5.1 User Rights: Quake shall, taking into account the nature of the processing, assist the Client (at the Client’s cost) by appropriate technical and organisational measures to fulfill the Client’s obligation to respond to Data Subject requests (e.g., access, deletion).

5.2 Breach Notification: Quake shall notify the Client without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach affecting Client Data.

5.3 Compliance Assistance: Quake shall also assist the Client, taking into account the nature of the processing, with compliance with its obligations under Articles 32–36 UK GDPR, including security, breach notification, data protection impact assessments, and prior consultation with the ICO.

6. INTERNATIONAL TRANSFERS

6.1 Location: Quake hosts data primarily within the United Kingdom (UK) and EU/US (depending on Client region). Production PII is stored in the London region by default.

6.2 Transfers: If Quake transfers data outside the UK/EEA to a country not deemed "adequate", Quake ensures appropriate safeguards are in place (e.g., UK IDTA or EU SCCs).

6.3 Remote Access: The Client acknowledges that Quake support staff located in Malaysia and Kenya may access data remotely. This access is covered by internal SCCs/IDTAs and strict security controls (Zero Local Retention).

7. DELETION & RETURN

7.1 End of Term: Upon termination of the Service Agreement, Quake shall (at the Client’s choice) delete or return all Personal Data to the Client in a standard machine-readable format (e.g., CSV/JSON), unless Applicable Law requires storage of the Personal Data.

APPENDIX A: DETAILS OF PROCESSING

Subject Matter: Provision of the Quake SaaS Platform.
Duration: For the duration of the Subscription Term.
Nature & Purpose: Hosting, storage, AI processing, and computing.
Data Categories: Names, emails, credentials, Candidate CVs, Job Descriptions, Vector Embeddings.
Data Subjects: Client employees (Authorised Users) and Candidates.

APPENDIX B: APPROVED SUB-PROCESSORS (As of Feb 2026)

Name | Service Provided | Location
Supabase | Core Database & Auth (SOC 2) | UK / EU / US
Amazon Web Services | Cloud Infrastructure (SOC 2) | UK / EU / US
Upstash | Vector Database & Caching | US / EU
OpenAI / Anthropic / xAI | LLM Processing (Stateless) | US
Mailgun / Resend | Transactional Email | US / EU
PostHog | Product Analytics | US / EU
Google Workspace | Internal Identity & Email | Global
Vultr | Web Hosting & DNS | US / UK