This DPA is incorporated into the Service Agreement between Quake ("Processor") and the Client ("Controller").
1.1 "Data Protection Laws" means the UK Data Protection Act 2018, UK GDPR, and (where applicable) the EU GDPR.
1.2 "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given in Data Protection Laws.
2.1 Roles: The Client is the Controller and Quake is the Processor.
2.2 Processing Instructions: Quake shall process Personal Data only on the documented instructions of the Client (which include the Service Agreement) or as required by Applicable Law.
2.3 Confidentiality: Quake ensures that all personnel authorised to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.1 Security Measures: Quake shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption, backups, and access controls as outlined in the Quake Security & Compliance Overview.
3.2 Audit Rights:
(a) Quake shall make available all information necessary to demonstrate compliance with this DPA.
(b) In lieu of an onsite audit, the Client agrees to accept Quake’s latest ISO 27001 certification or independent third-party security reports.
(c) If Applicable Law strictly requires a physical audit, it shall be conducted at the Client’s expense, with 30 days’ notice, and subject to Quake’s security policies.
4.1 General Authorisation: The Client grants Quake a general authorisation to engage sub-processors (e.g., AWS, Vultr) to provide the Services.
4.2 Changes: Quake shall inform the Client of any intended changes to sub-processors. The Client may object within 10 days on reasonable data protection grounds.
4.3 Obligations: Quake shall enter into a written agreement with each sub-processor imposing data protection obligations no less onerous than those in this DPA. Quake remains liable for the acts/omissions of its sub-processors.
5.1 User Rights: Quake shall, taking into account the nature of the processing, assist the Client (at the Client’s cost) by appropriate technical and organisational measures to fulfil the Client’s obligation to respond to Data Subject requests (e.g., access, deletion).
5.2 Breach Notification: Quake shall notify the Client without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach affecting Client Data. Quake shall provide reasonable assistance to the Client in documenting and reporting the breach.
6.1 Location: Quake primarily processes data within the United Kingdom (UK) or European Economic Area (EEA).
6.2 Transfers: If Quake transfers data outside the UK/EEA to a country not deemed "adequate" by the UK Government or European Commission, Quake shall ensure appropriate safeguards are in place (e.g., the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs)).
7.1 End of Term: Upon termination of the Service Agreement, Quake shall (at the Client’s choice) delete or return all Personal Data to the Client, unless Applicable Law requires storage of the Personal Data.