Data Processing Agreement


  • Version: 1.0
  • Document Issued: 16/12/25
  • Document Reference: PUBLIC IMS-DPA v1.0

This DPA is incorporated into the Service Agreement between Quake ("Processor") and the Client ("Controller").

1. DEFINITIONS


1.1 "Data Protection Laws" means the UK Data Protection Act 2018, UK GDPR, and (where applicable) the EU GDPR.


1.2 "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in Data Protection Laws.

2. SCOPE AND RESPONSIBILITIES


2.1 Roles: The Client is the Controller and Quake is the Processor.


2.2 Processing Instructions: Quake shall process Personal Data only on the documented instructions of the Client (which include the Service Agreement) or as required by Applicable Law.


2.3 Confidentiality: Quake ensures that all personnel authorised to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.


2.4 AI Processing: The Client acknowledges that Quake utilizes Artificial Intelligence (LLM) sub-processors. Quake warrants that such processing is configured to "Zero Data Retention" or Enterprise standards where the sub-processor is contractually prohibited from using Client Personal Data to train public models.

3. SECURITY & AUDIT


3.1 Security Measures: Quake shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256), encryption in transit (TLS 1.2+), and access controls as outlined in the Quake Security & Compliance Overview.


3.2 Audit Rights:

(a) Quake shall make available all information necessary to demonstrate compliance with this DPA.

(b) In lieu of an onsite audit, the Client agrees to accept Quake’s latest ISO 27001 certification or independent third-party security reports.

(c) If Applicable Law strictly requires a physical audit, it shall be conducted at the Client's expense, with 30 days' notice, and subject to Quake’s security policies to protect other clients' data.

4. SUB-PROCESSORS


4.1 General Authorisation: The Client grants Quake a general authorisation to engage sub-processors (listed in Appendix B) to provide the Services.


4.2 Changes: Quake shall inform the Client of any intended changes to sub-processors via email or the platform status page. The Client may object within 10 days on reasonable data protection grounds.


4.3 Obligations: Quake shall enter into a written agreement with each sub-processor imposing data protection obligations no less onerous than those in this DPA.

5. DATA SUBJECT RIGHTS & ASSISTANCE


5.1 User Rights: Quake shall, taking into account the nature of the processing, assist the Client (at the Client’s cost) by appropriate technical and organisational measures to fulfill the Client’s obligation to respond to Data Subject requests (e.g., access, deletion).


5.2 Breach Notification: Quake shall notify the Client without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach affecting Client Data. Quake shall provide reasonable assistance to the Client in documenting and reporting the breach.

6. INTERNATIONAL TRANSFERS


6.1 Location: Quake primarily hosts data within the United Kingdom (UK), EU, or US (depending on the Client's designated region).


6.2 Transfers: If Quake transfers data outside the UK/EEA to a country not deemed "adequate" by the UK Government or European Commission, Quake shall ensure appropriate safeguards are in place (e.g., the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs)).


6.3 Remote Access: The Client acknowledges that Quake support staff located in Malaysia and Kenya may access data remotely. This access is covered by internal SCCs/IDTAs and strict security controls (VDI/VPN).

7. DELETION & RETURN


7.1 End of Term: Upon termination of the Service Agreement, Quake shall (at the Client’s choice) delete or return all Personal Data to the Client, unless Applicable Law requires storage of the Personal Data.

APPENDIX A: DETAILS OF PROCESSING

  • Subject Matter: Provision of the Quake SaaS Platform.
  • Duration: For the duration of the Subscription Term.
  • Nature & Purpose: Hosting, storage, AI processing, and computing to enable the Client to use the Services.
  • Data Categories: Names, emails, IP addresses, log-in credentials, Candidate CVs, Job Descriptions.
  • Data Subjects: Client employees (Authorised Users) and Candidates.

APPENDIX B: APPROVED SUB-PROCESSORS (As of Effective Date)

| Name | Service Provided | Location |
|---|---|---|
| Supabase | Core Database & Auth | UK / EU / US |
| Amazon Web Services (AWS) | Underlying Infrastructure | UK / EU / US |
| Vultr | Compute & Hosting | UK / EU / US |
| OpenAI / Anthropic | LLM Processing (Stateless - No Training) | US |
| Mailgun | Email Delivery | US / EU |
| PostHog | Product Analytics | US / EU |
| Google Workspace | Internal Identity & Email | Global |


2026 Quake. All rights reserved.