Data Processing Agreement

Last updated: 2026-05-11

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Quotably Terms of Service. It applies whenever you, as a Quotably user ("Customer"), enter, store, or process personal data of your own customers, recipients, or contacts ("Customer Personal Data") through the Quotably service. In that activity, the Customer acts as the data controller (or analogous role under applicable law) and Quotably acts as data processor / service provider / contractor.

1. Parties

This DPA is entered into between Ramón Carmenaty (sole trader, NIF Y9958619R, registered/professional address: Pintor López Mezquita, 9 3B, 18002 Granada, Spain), operator of Quotably ("Quotably", "we"), and the Customer who has accepted the Quotably Terms of Service. The DPA takes effect when the Customer accepts the Terms of Service or first enters Customer Personal Data into the service, whichever is earlier.

2. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service or in applicable data-protection law. "GDPR" means Regulation (EU) 2016/679. "EU SCCs" means the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914. "Applicable Law" means EU/UK GDPR, the Spanish LOPDGDD, the CCPA/CPRA, and any other privacy or data-protection law that applies to the processing of Customer Personal Data.

3. Subject matter and duration

Subject matter: Quotably processes Customer Personal Data solely to provide and support the Quotably service (quote generation, public quote links, transactional email delivery, billing, and security). Duration: this DPA applies for as long as Quotably processes Customer Personal Data on behalf of the Customer, and survives termination of the Terms of Service to the extent required to give effect to deletion/return obligations.

4. Nature, purpose, and scope of processing

Nature of processing: collection, storage, organisation, retrieval, transmission, and deletion of Customer Personal Data through the Quotably service.

Purpose: to enable the Customer to create, send, store, and manage quotes for its own end-customers; to deliver transactional emails (e.g. quote delivery); to provide public quote links; to support billing; to maintain service security.

Categories of personal data: end-customer name, email, phone, business name (if any), event details (date, type, location), quote contents, brand assets uploaded by the Customer, and access metadata (IP/user-agent of public-link visitors for abuse prevention).

Categories of data subjects: the Customer's end-customers, recipients of quotes, and visitors of public quote links.

5. Processor acts only on documented instructions

Quotably will process Customer Personal Data only on documented instructions from the Customer, including those set out in the Terms of Service, this DPA, and through the Customer's use of the service. Quotably will inform the Customer if, in its opinion, an instruction infringes Applicable Law. Quotably will not process Customer Personal Data for its own purposes, will not sell or share Customer Personal Data, and will not use Customer Personal Data for cross-context behavioural advertising.

6. Confidentiality

Quotably ensures that any person authorised to process Customer Personal Data is bound by an appropriate obligation of confidentiality (whether by contract or by statutory duty).

7. Security measures (Art. 32 GDPR)

Quotably implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:

  • Encryption in transit (TLS 1.2+) for all customer-facing endpoints and subprocessor communication.
  • Encryption at rest for the application database (Neon) and object storage (Vercel Blob).
  • Role-based access controls and the principle of least privilege for production systems and data stores.
  • Strong authentication for administrators and operators, including unique credentials and session timeouts.
  • Audit logging of administrative actions and security-relevant events; logs reviewed periodically.
  • Centralised secret management; secrets are not embedded in source control.
  • Periodic review of subprocessor security practices and DPAs.
  • Encrypted backups of the production database; backups overwritten on a defined retention schedule.
  • Documented incident-response and breach-notification process.

8. Subprocessors

The Customer authorises Quotably to engage the subprocessors listed in the Privacy Policy (Stripe, Resend, Neon, Vercel) and any future subprocessors required to deliver the service. Each subprocessor is bound by data-protection obligations no less protective than those in this DPA. Quotably will give the Customer reasonable advance notice of any new subprocessor by updating the Privacy Policy and, where material, by email to the registered account email. The Customer may object to a new subprocessor on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected service for convenience.

9. Assistance with data-subject rights

Quotably will assist the Customer, taking into account the nature of processing and the information available to Quotably, in fulfilling the Customer's obligations to respond to requests from data subjects exercising their rights under GDPR Arts. 15–22 (or analogous rights under other Applicable Law). The Customer remains responsible for verifying the identity of requesters and for the lawfulness of any instruction. Where Quotably receives a data-subject request directly relating to Customer Personal Data, it will promptly notify the Customer and not respond directly except to confirm receipt or to redirect the requester.

10. Personal-data breach notification

Quotably will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach affecting Customer Personal Data. The notification will include, to the extent then known, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its effects. Quotably will provide the Customer with reasonable cooperation to enable the Customer to comply with its own breach-notification obligations.

11. International transfers

Customer Personal Data is hosted primarily in the United States (Neon, Vercel) and processed by other subprocessors as described in the Privacy Policy. For transfers from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the EU SCCs (Module 2: controller-to-processor and Module 3: processor-to-processor as applicable), with the UK International Data Transfer Addendum and the Swiss equivalent where required. The EU SCCs are incorporated into this DPA by reference and apply automatically where required by Applicable Law. The Customer may request a copy of the executed transfer safeguards (or a description sufficient to demonstrate compliance) by emailing support@quotably.app.

12. Deletion or return on termination

On termination of the Terms of Service or on the Customer's written request, Quotably will, at the Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless retention is required by Applicable Law or for legitimate business purposes such as tax, accounting, fraud-prevention, security, or legal claims. Backups containing Customer Personal Data are overwritten on the defined retention schedule. Self-serve account deletion may not yet be available; deletion requests are processed manually within a reasonable timeframe.

13. Audits and information

Quotably will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Law, and will allow for and contribute to audits, including inspections, conducted by the Customer or a mutually agreed independent auditor. Audits must be conducted on at least 30 days' written notice, no more than once per 12 months (except where required by a regulator or in connection with a security incident), during regular business hours, in a manner that does not unreasonably disrupt Quotably's operations, and subject to confidentiality obligations. Where appropriate, Quotably may satisfy audit obligations by providing third-party security reports or attestations from its subprocessors.

14. U.S. state privacy terms

For Customer Personal Data subject to U.S. state privacy laws, Quotably acts as a service provider (CCPA/CPRA), processor (Colorado, Connecticut, Virginia, Texas, Utah, and other comparable laws), or contractor as applicable, and:

  • Will not sell or share Customer Personal Data within the meaning of the CCPA/CPRA.
  • Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Quotably and the Customer or for any purpose other than performing the service.
  • Will not combine Customer Personal Data with personal information received from another source, except where permitted by Applicable Law.
  • Will comply with applicable obligations imposed on service providers, processors, or contractors, and will assist the Customer in responding to consumer rights requests received under those laws.
  • Will notify the Customer if it determines it can no longer meet these obligations and will permit the Customer to take reasonable steps to stop and remediate any unauthorised use.

15. Liability

Each party's liability under this DPA is subject to the limitation-of-liability clause of the Terms of Service. Nothing in this DPA limits the liability of either party in a way that is not permitted by Applicable Law, including for fraud, fraudulent misrepresentation, or any liability that cannot be excluded under data-protection law.

16. Governing law

This DPA is governed by the laws of Spain. Disputes are subject to the exclusive jurisdiction of the courts of Spain, without prejudice to mandatory data-protection rules and supervisory-authority jurisdiction in the data subject's country of habitual residence.

17. Acceptance

This DPA is accepted by the Customer when the Customer accepts the Terms of Service or first enters Customer Personal Data into the service. The Customer does not need to sign a separate document. A signed counterpart of this DPA is available on request to support@quotably.app.