Data Processing Addendum

Last updated: January 23, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between QuoteOS and its customers for the provision of services. This DPA is designed to meet the requirements of GDPR, UK GDPR, and other applicable data protection laws.

1. Definitions

In this DPA:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means the entity that processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Data Protection Laws" means GDPR, UK GDPR, and other applicable data protection legislation

2. Roles and Responsibilities

Customer as Controller: For the purposes of this DPA, the Customer is the Controller of Personal Data processed through the QuoteOS platform. The Customer determines what Personal Data is uploaded and how it is used within the Service.

QuoteOS as Processor: QuoteOS acts as a Processor of Personal Data on behalf of the Customer. QuoteOS processes Personal Data only in accordance with the Customer's documented instructions and this DPA.

Scope of Processing: QuoteOS processes Personal Data solely to provide the Service, including:

  • Storing and managing pricing library data
  • Generating quotes based on Customer input
  • Storing customer contact information entered by the Customer
  • Generating and storing PDF documents
  • Providing analytics and reporting features

3. Processing Instructions

QuoteOS shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by law
  • Inform the Customer if, in QuoteOS's opinion, an instruction infringes Data Protection Laws
  • Ensure that persons authorised to process Personal Data have committed to confidentiality
  • Not process Personal Data for any purpose other than providing the Service

4. Security Measures

QuoteOS implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Row-level security ensuring complete data isolation between organisations
  • Regular security testing and vulnerability assessments
  • Automated backup and disaster recovery procedures
  • Secure authentication with multi-factor authentication support
  • Network security controls and firewalls

Organisational Measures:

  • Access controls limiting employee access to Personal Data on a need-to-know basis
  • Security awareness training for personnel
  • Incident response procedures
  • Regular review and update of security measures

5. Sub-processors

The Customer provides general authorisation for QuoteOS to engage Sub-processors to assist in providing the Service. QuoteOS uses industry-leading, SOC 2 Type II certified sub-processors for the following purposes:

  • Database hosting and storage (Australia / USA)
  • Authentication and identity management (USA)
  • Payment processing - PCI DSS Level 1 compliant (USA)
  • AI processing for quote generation (USA)
  • Email delivery services (USA)
  • Hosting infrastructure with global CDN distribution

For a detailed list of current sub-processors, please contact support@getquoteos.com.

QuoteOS shall:

  • Maintain an up-to-date list of Sub-processors
  • Notify the Customer of any intended changes to Sub-processors with reasonable notice
  • Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
  • Remain liable for the acts and omissions of its Sub-processors

6. Data Subject Rights

QuoteOS shall assist the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

If QuoteOS receives a request directly from a Data Subject, QuoteOS shall promptly notify the Customer unless prohibited by law.

7. Data Breach Notification

In the event of a Personal Data breach, QuoteOS shall:

  • Notify the Customer without undue delay, and in any event within 48 hours of becoming aware of the breach
  • Provide the Customer with sufficient information to enable the Customer to meet any obligations to report the breach to supervisory authorities or Data Subjects
  • Cooperate with the Customer in investigating and mitigating the breach
  • Take reasonable steps to mitigate the effects of the breach

Notification shall include, to the extent known:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Transfers

Where Personal Data is transferred outside the EEA or UK, QuoteOS ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement or Addendum where applicable
  • Adequacy decisions where the destination country has been deemed adequate
  • Other lawful transfer mechanisms as permitted under Data Protection Laws

9. Audit Rights

QuoteOS shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

Audits shall be:

  • Conducted with reasonable prior notice (at least 30 days)
  • Performed during normal business hours
  • Subject to confidentiality obligations
  • At the Customer's expense unless the audit reveals material non-compliance

QuoteOS may provide third-party audit reports, certifications, or other documentation as an alternative to on-site audits where appropriate.

10. Data Deletion and Return

Upon termination of the Service agreement or upon the Customer's request:

  • QuoteOS shall return or delete all Personal Data within 30 days, at the Customer's choice
  • The Customer may export their data through the Service's export functionality
  • QuoteOS shall provide certification of deletion upon request
  • QuoteOS may retain Personal Data to the extent required by applicable law, subject to confidentiality obligations

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main Service agreement. Nothing in this DPA limits either party's liability for:

  • Fraud or fraudulent misrepresentation
  • Death or personal injury caused by negligence
  • Any liability that cannot be limited by applicable law

12. Term and Termination

This DPA shall remain in effect for the duration of the Service agreement between QuoteOS and the Customer. The obligations under this DPA shall survive termination to the extent necessary to complete the return or deletion of Personal Data.

13. Contact

For questions about this DPA or to exercise rights under this DPA:

Email: support@getquoteos.com
Address: NHP Equities Pty Ltd, Melbourne, Victoria, Australia

For enterprise customers requiring a signed DPA or custom terms, please contact us at support@getquoteos.com.