Data Processing Agreement
The Article 28 processor terms under which we handle customer project data.
Version 1.0 · effective 18 July 2026
01Roles
For personal data inside your QuantifyQS workspace, you are the controller and Obedience is your processor. This DPA forms part of the QuantifyQS Terms of Service and reflects Article 28(3) UK GDPR.
02Our processor commitments
- Process your data only on your documented instructions (using the product is the instruction)
- Ensure everyone with access is bound by confidentiality
- Apply the technical and organisational measures in our Security Overview: encryption in transit and at rest, tenant isolation enforced at the database (row-level security), least-privilege access, daily encrypted off-site backups
- Use subprocessors only from the published Subprocessor List, flow these obligations down to them, and notify you of changes with an objection window
- Help you respond to data-subject rights requests and, where you cannot resolve them alone, regulatory enquiries
- Tell you without undue delay about any personal data breach affecting your data
- Delete or return your data at contract end (deletion within 30 days, export available first)
- Make available the information needed to demonstrate compliance, and permit audits within reasonable bounds
03International transfers
Project data is stored in the UK. Where a subprocessor processes data outside the UK, transfers rely on UK adequacy, the UK Extension to the EU-US Data Privacy Framework, or the UK Addendum to the EU Standard Contractual Clauses, as listed per vendor in the Subprocessor List.
04Signed copies
A countersignable copy of this DPA for your procurement records is available on request: hello@obedience.global.