Data Processing Agreement
1. Background and Scope
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that QuickQore processes on behalf of Customer in connection with the Services.
“Personal Data Breach” means a confirmed security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
“Sub-processor” means any third party engaged by QuickQore to process Personal Data on Customer’s behalf.
“Third-Party Personal Information” means Personal Data about individuals other than Customer or Customer’s Authorized Users that Customer uploads to, stores in, or processes through the Services, as further described in Section 7.7 of the QuickQore Terms of Service.
3. Roles of the Parties
For Personal Data processed by QuickQore in providing the Services to Customer, Customer acts as the controller (or equivalent role under applicable U.S. state privacy laws, such as “Business” under California law), and QuickQore acts as the processor (or “Service Provider”), processing Personal Data only on Customer’s documented instructions. The Principal Agreement, this DPA, the Documentation, and Customer’s use of the Services constitute Customer’s documented instructions.
For limited account-administration, billing, security telemetry, and aggregated analytics processing, QuickQore acts as an independent controller, governed by the QuickQore Privacy Policy and not by this DPA.
Customer represents and warrants that it has the legal authority and basis under applicable law to disclose Personal Data to QuickQore for processing under this DPA, and has provided all required notices and obtained any required consents from data subjects. This includes, without limitation, the representations and warranties Customer makes with respect to Third-Party Personal Information under Section 7.7 of the QuickQore Terms of Service.
3.1 CCPA and U.S. State Service Provider Provisions
With respect to Personal Information of California residents (as defined under the California Consumer Privacy Act, as amended, “CCPA”) and equivalent categories of Personal Data under other applicable U.S. state privacy laws (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Texas Data Privacy and Security Act), QuickQore acts as a Service Provider, Processor, or Contractor to Customer (as applicable) and agrees that:
- QuickQore will not sell or share Personal Data, as those terms are defined under applicable U.S. state privacy laws, and will not engage in cross-context behavioral advertising using Personal Data;
- QuickQore will not retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Services to Customer under the Principal Agreement and this DPA, or as otherwise permitted by applicable law;
- QuickQore will not retain, use, or disclose Personal Data outside the direct business relationship between QuickQore and Customer, and will not combine Personal Data received from Customer with personal information that QuickQore receives from any other source, except as expressly permitted under applicable U.S. state privacy laws;
- QuickQore certifies that it understands the restrictions in this Section 3.1 and will comply with them; and
- Customer may take reasonable and appropriate steps to remediate QuickQore’s unauthorized use of Personal Data, consistent with applicable U.S. state privacy laws.
Nothing in this Section 3.1 prevents QuickQore from (a) generating aggregated or de-identified information that does not identify any individual; (b) detecting, preventing, or responding to security incidents, fraud, or unlawful activity; (c) preserving the integrity or security of the Services; or (d) complying with applicable law or valid legal process.
4. Security
QuickQore maintains commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Data, including encryption of Personal Data in transit and at rest, access controls and two-factor authentication for user accounts, regular backups of production data, and reasonable security and monitoring practices appropriate for a cloud bookkeeping platform. QuickQore’s specific safeguards may change from time to time.
QuickQore ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
4.1 United States Only Processing
Personal Data processed under this DPA is processed and stored within the United States. The Services are offered only to Customers located in the United States, and this DPA does not contemplate any international transfer of Personal Data. If Customer accesses the Services from outside the United States, Customer does so at its own risk and acknowledges that no cross-border transfer mechanism (such as Standard Contractual Clauses) is required or applies under this DPA.
5. Sub-processors
Customer authorizes QuickQore to use trusted third-party Sub-processors to provide the Services. The current Sub-processor list is set forth in Annex 1 to this DPA. QuickQore may update its Sub-processor list from time to time, and the most current version of Annex 1 represents the authoritative list. QuickQore imposes appropriate contractual obligations on each Sub-processor and remains responsible to Customer for each Sub-processor’s performance under this DPA.
6. Breach Notification
QuickQore will provide notice of confirmed Personal Data Breaches affecting Customer’s Personal Data as required by applicable law. Notice will be sent to the security contact and primary account email on file. Customer is responsible for keeping those contacts current, for assessing whether to notify regulators or affected individuals, and for providing reasonable cooperation with any incident-response investigation.
7. Data Retention and Deletion
QuickQore will use commercially reasonable efforts to make Customer Personal Data available for export through the Services for sixty (60) days following termination of the Principal Agreement. After the export period, QuickQore may delete Personal Data from its active systems in accordance with its standard data-retention practices, subject to any applicable legal retention obligations (such as litigation holds, tax laws, and subpoenas). Backups containing Personal Data are retained according to QuickQore’s standard backup-retention practices and are overwritten or destroyed over time as part of normal operations.
8. No AI Training
QuickQore does not intentionally use Personal Data to train, fine-tune, or improve any public artificial intelligence model or machine learning system, whether operated by QuickQore or any Sub-processor, absent Customer’s express, written, opt-in consent provided through the Services. Where AI features rely on third-party providers, QuickQore selects reputable providers and configures available controls intended to prevent customer data from being used to train their public models.
9. No Protected Health Information
The Services are not intended for, and Customer agrees not to upload, protected health information (“PHI”) governed by HIPAA, and QuickQore is not a HIPAA Business Associate, unless QuickQore has expressly agreed in writing and the parties have executed a HIPAA Business Associate Agreement.
10. General Provisions
Order of Precedence. In the event of conflict between this DPA and the Principal Agreement, this DPA controls with respect to processing of Personal Data, except where the Principal Agreement provides greater protection.
Governing Law. This DPA is governed by the same governing law and dispute-resolution provisions as the Principal Agreement.
Modifications. QuickQore may update this DPA from time to time to reflect changes in applicable law or operational practices. The current version is available at quickqore.com/legal/dpa/.
Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in effect, modified to the minimum extent necessary to make them enforceable.
Annex 1 — Sub-processors List
The following Sub-processors are used by QuickQore as of the Effective Date. This list may be updated from time to time; the most current version of this Annex represents the authoritative list.
- Cloud Infrastructure: Amazon Web Services, Inc. (United States) — hosting, managed databases, and encrypted backup and archival storage.
- Banking-Data Aggregation: Quiltt, Inc. (United States) — read-only banking-data aggregation (no QuickQore handling of bank credentials).
- Payment Processing: Stripe, Inc. (United States) — payment-card and ACH processing.
- Transactional Email: SendGrid, a Twilio company (United States) — transactional and notification email delivery.
- SMS and Voice Communications: Twilio Inc. (United States) — SMS and voice communications, including authentication and notification messages.
Annex 2 — Details of Processing
The following table describes the nature of QuickQore’s processing of Personal Data under this DPA, provided for Customer’s privacy-program records.
| Item | Description |
|---|---|
|
Subject matter of processing |
Provision of the QuickQore cloud bookkeeping software and related services to Customer. |
|
Nature and purpose of processing |
Hosting, storage, retrieval, organization, transmission, security, backup, and presentation of Customer’s bookkeeping records and related Personal Data to enable Customer to operate, maintain, and analyze its own business records. |
|
Duration of processing |
For the term of the Principal Agreement, plus the 60-day export window and any applicable legal retention obligations described in Section 7. |
|
Categories of data subjects |
Customer’s personnel and Authorized Users; Customer’s own customers, clients, members, or end-users; Customer’s vendors, suppliers, contractors, and other business contacts; Customer’s employees (limited to information Customer chooses to enter, such as expense reimbursements or vendor records). |
|
Categories of Personal Data |
Contact information (name, business email, business address, business phone); business and billing information (invoices, expenses, payments, ledger entries); banking identifiers in masked form (typically last four digits, supplied via banking-data aggregator); tax identifiers Customer chooses to enter (such as EIN or SSN for 1099 contractors); authentication metadata (hashed passwords, 2FA enrollment, session and login records); device, browser, and IP information; communications and support records. |
|
Special categories of Personal Data |
The Services are not intended for, and Customer agrees not to upload, special categories of personal information (such as protected health information governed by HIPAA, biometric identifiers, or precise geolocation), except to the limited extent Customer chooses to enter such information into general-purpose fields and at Customer’s sole responsibility. |
|
Frequency of processing |
Continuous, for the duration of the Principal Agreement. |
|
Geographic location of processing
|
United States only. See Section 4.1. |
