This Data Processing Agreement (“Agreement”) forms part of the service relationship between the Customer (“Data Controller”) and Quality Work (“Data Processor”). It governs the processing of personal data submitted, stored, or generated through the Quality Work App (“the Service”).

1. Definitions

For the purposes of this Agreement:

• “Personal Data” means any information relating to an identified or identifiable individual.
• “Processing” means any operation performed on Personal Data, including storage, access, transmission, or deletion.
• “Data Controller” means the organization that determines the purposes and means of processing Personal Data.
• “Data Processor” means Quality Work, which processes Personal Data on behalf of the Controller.
• “Sub‑processor” means any third party engaged by the Processor to assist in providing the Service.

2. Subject Matter and Duration

This Agreement applies to all processing of Personal Data performed by the Processor on behalf of the Controller for the duration of the Controller’s use of the Service.

3. Nature and Purpose of Processing

The Processor processes Personal Data solely to provide the Service, including:

• Task assignment and workflow management
• Photo‑based work documentation
• Data storage, syncing, and retrieval
• Security, performance, and reliability improvements
• Customer support and troubleshooting

The Processor will not process Personal Data for any purpose other than those documented by the Controller.

4. Obligations of the Data Processor

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure confidentiality of personnel authorized to process Personal Data
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Notify the Controller of any Personal Data breach without undue delay
• Maintain records of processing activities as required by law

5. Sub‑processors

The Processor may engage Sub‑processors to support the delivery of the Service. Sub‑processors may include providers of hosting, storage, analytics, and security infrastructure.

The Processor will ensure that Sub‑processors are bound by data protection obligations no less protective than those in this Agreement.

6. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller’s jurisdiction. The Processor will implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure lawful international transfers.

7. Data Subject Rights

The Processor will assist the Controller in fulfilling requests from data subjects, including:

• Access to Personal Data
• Correction or deletion
• Restriction or objection to processing
• Data portability

8. Security Measures

The Processor will maintain industry‑standard security controls, including:

• Encryption of data in transit
• Secure cloud infrastructure
• Access controls and authentication
• Audit logging and monitoring
• Regular security reviews and updates

9. Data Retention and Deletion

Upon termination of the Service or upon request by the Controller, the Processor will delete or return all Personal Data unless retention is required by law. Backup data may persist for up to thirty (30) days before being fully purged.

10. Audit Rights

The Controller may request documentation demonstrating the Processor’s compliance with this Agreement. The Processor will provide reasonable cooperation and access to relevant information.

11. Liability

Each party’s liability under this Agreement is subject to the limitations set forth in the primary service agreement between the parties.