Data Processing Addendum

Last updated: May 10, 2026.

Standing offer. This DPA applies between you (the “Customer”) and QuickPly, Inc. (“QuickPly”) when you use our service to process personal data. It supplements our Terms of Service. If your procurement requires a counter-signed copy, email legal@quickply.com with your entity name and we'll send a redlinable PDF.

1. Definitions

Terms used here have the meanings given in EU Regulation 2016/679 (“GDPR”) and, where applicable, the UK Data Protection Act 2018 and California Consumer Privacy Act of 2018 as amended (“CCPA/CPRA”). “Personal Data”, “Processing”, “Controller”, and “Processor” carry their GDPR meanings. “Customer Personal Data” is Personal Data Customer makes available to QuickPly via the service.

2. Roles

Customer is the Controller of Customer Personal Data. QuickPly is the Processor and acts only on Customer's documented instructions — which include this DPA, the Terms, and the configuration choices Customer makes inside the dashboard.

3. Subject matter, duration, nature, purpose

  • Subject matter. Drafting customer-support reply variants from inbound email content.
  • Duration. For the term of the Customer's subscription, plus the export window described in our Terms.
  • Nature & purpose. Storage, retrieval, AI inference, transmission to Customer; no profiling, no automated decisions with legal effect.
  • Categories of data subject. Customer's end-customers (i.e., the people who emailed Customer's support inbox) and Customer's authorized users.
  • Categories of personal data. Names, email addresses, free-text email content, OAuth tokens for Customer's own mailbox, IP addresses, browser metadata.

4. Customer obligations

Customer warrants it has a lawful basis under applicable law to upload Customer Personal Data into the service, has provided appropriate notice to data subjects, and has obtained any consent that the lawful basis requires.

5. QuickPly obligations

QuickPly will:

  • Process Customer Personal Data only on documented instructions.
  • Ensure personnel with access are bound by confidentiality.
  • Implement and maintain the technical & organizational measures listed in Annex II below.
  • Engage sub-processors only under written terms providing materially equivalent protections.
  • Notify Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware.
  • Assist Customer with data-subject requests, security reviews, DPIAs, and supervisory-authority cooperation, on a commercially reasonable basis.

6. Sub-processors

Customer authorizes QuickPly to engage the sub-processors listed in our Privacy Policy Section 4 (Sub-processors). We'll give 30 days' notice before adding a new sub-processor that handles Customer Personal Data. If Customer objects on reasonable data-protection grounds, we will work in good faith to provide an alternative or, failing that, allow Customer to terminate the affected service for refund of unused fees.

7. International transfers

For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module 2: Controller-to-Processor, EU Commission Decision 2021/914), the UK International Data Transfer Addendum, and the Swiss FDPIC addendum. QuickPly is the data importer.

8. CCPA / CPRA

For California-resident Personal Data, QuickPly acts as a "Service Provider" under the CCPA/CPRA. QuickPly does not sell or share Customer Personal Data, does not retain it for any purpose other than performing the service, and combines it with personal data from other sources only as permitted under §7050(b) of the CPRA Regulations.

9. Deletion and return

Within 30 days of contract termination, QuickPly will delete Customer Personal Data from active systems and within 90 days from backups, except where retention is required by law. Customer may export prior to deletion via Settings → Data & privacy.

10. Audits

QuickPly will make available, on Customer's reasonable request and under NDA, the most recent third-party audit reports it holds (if any) and a written response to Customer's security questionnaire. Onsite audits are reserved for material cause and supervisory-authority requirements.

Annex I — Processing details

See Sections 3, 6, and 7 above plus the sub-processor list in our Privacy Policy.

Annex II — Technical & organizational measures

  • Encryption. TLS 1.2+ in transit; pgcrypto AES encryption of OAuth refresh tokens at rest; Supabase-managed AES-256 disk encryption for the rest of the row store.
  • Access control. Postgres row-level security per workspace. Production console access is two-person, MFA-required, audited.
  • Authentication. Bcrypt passwords (Supabase Auth). TOTP MFA available to every user. SSO via OAuth providers.
  • Network. All endpoints HTTPS with HSTS. Sliding-window rate limiting on auth, write, and AI-generation endpoints. Origin/Referer guards on cookie-authed mutations.
  • Logging. Structured server logs with request IDs; security-relevant events recorded in an immutable audit_log table.
  • Backups. Encrypted, 7-day rolling, restored quarterly to a staging environment as part of disaster-recovery testing.
  • Vulnerability management. Dependency scanning on every CI run. Security reports accepted at security@quickply.com.
  • Incident response. 72-hour breach notification commitment. Postmortem published to affected customers within 30 days.
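As an added illustration of the two Annex II measures that a reviewer most often asks to see evidence for (row-level security per workspace, and pgcrypto encryption of OAuth refresh tokens at rest), the following Postgres snippet shows one way such controls are expressed. It is example code written for this page, not QuickPly's own schema; the table and column names, the `app.workspace_id` and `app.token_key` settings, and the sample values are all assumptions.

```sql
-- Added example (not QuickPly's schema): workspace-scoped RLS plus
-- pgcrypto encryption of a refresh-token column. Names are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE mailbox_connections (
  id                uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  workspace_id      uuid NOT NULL,
  email_address     text NOT NULL,
  -- The refresh token is only ever stored as ciphertext (bytea).
  refresh_token_enc bytea NOT NULL,
  created_at        timestamptz NOT NULL DEFAULT now()
);

-- Every statement is scoped to the caller's workspace; rows belonging to
-- other workspaces are invisible even if the application omits a WHERE clause.
-- FORCE applies the policy to the table owner as well.
ALTER TABLE mailbox_connections ENABLE ROW LEVEL SECURITY;
ALTER TABLE mailbox_connections FORCE ROW LEVEL SECURITY;

CREATE POLICY workspace_isolation ON mailbox_connections
  USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
  WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

-- The application sets the workspace per transaction (assumed convention):
-- SET LOCAL app.workspace_id = '<caller workspace uuid>';
-- and supplies the data-encryption key from its secrets store the same way
-- (SET LOCAL app.token_key = '...'), so the key never lives in the database.

-- Encrypt on write (constructed sample values).
INSERT INTO mailbox_connections (workspace_id, email_address, refresh_token_enc)
VALUES (
  current_setting('app.workspace_id')::uuid,
  'support@example.com',
  pgp_sym_encrypt('constructed-sample-refresh-token',
                  current_setting('app.token_key'),
                  'cipher-algo=aes256')
);

-- Decrypt on read; the RLS policy above still filters the rows returned.
SELECT email_address,
       pgp_sym_decrypt(refresh_token_enc, current_setting('app.token_key')) AS refresh_token
FROM mailbox_connections;
```

The important design point is the separation of the two mechanisms: RLS bounds which rows a connection can touch regardless of application bugs, while the symmetric key for `pgp_sym_encrypt` is injected per session from outside the database, so a dump of the row store alone does not yield usable OAuth tokens.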

11. Contact