Data Processing Agreement

Effective date: 1 June 2026

This Data Processing Agreement (“DPA”) is entered into between QualIntel OS Limited (New Zealand — “Processor”) and the institution, organisation, or individual accepting these terms (“Controller”).

This DPA forms part of the QualIntel OS Terms of Service and supplements the Privacy Policy. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to personal data processing.

By using QualIntel OS on behalf of an institution or organisation, or by signing an order form that references this DPA, the Controller agrees to these terms.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller via the QualIntel OS platform.
  • Research Data — documents, transcripts, field notes, codebooks, and other qualitative data uploaded to the platform by the Controller or its Authorised Users.
  • Authorised Users — individuals granted access to a Controller's QualIntel OS account (researchers, students, supervisors).
  • Sub-processor — a third party engaged by the Processor to process Personal Data (see Schedule A).
  • Applicable Law — the privacy and data protection laws applicable to the Controller's jurisdiction, including without limitation: NZ Privacy Act 2020, Australian Privacy Act 1988, Singapore PDPA, GDPR (where applicable), and US state privacy laws.

2. Subject matter and nature of processing

The Processor processes Personal Data solely to provide the QualIntel OS platform services as described in the Terms of Service, including:

  • Storing and managing research projects, documents, and codebooks.
  • Generating AI-assisted qualitative coding suggestions using the Controller's uploaded Research Data.
  • Maintaining a researcher audit trail for methodological transparency.
  • Providing document export and submission package generation.

Processing occurs for the duration of the Controller's active subscription or until earlier termination.

3. Categories of data subjects and personal data

| Data subjects | Categories of personal data |
|---|---|
| Authorised Users (researchers, students) | Name, email address, platform activity logs |
| Research participants (as contained in uploaded data) | Names, demographic data, interview transcripts, or other personal data as uploaded by the Controller. The Processor does not control the categories of participant data included by the Controller. |

Special categories: The Controller is responsible for ensuring that any sensitive or special-category data (health, ethnicity, political opinions, etc.) uploaded to the platform is appropriately anonymised or that a lawful basis for processing exists under Applicable Law.

4. Processor obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (as set out in these terms and the platform's configuration), unless required to do so by law.
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures (see Section 6).
  • Not engage new Sub-processors without notifying the Controller (see Section 8).
  • Assist the Controller in responding to data subject rights requests (access, correction, deletion, portability) within a reasonable timeframe.
  • Notify the Controller of a confirmed personal data breach without undue delay and in any event within 72 hours of becoming aware of it, to the extent permitted by law.
  • At the Controller's election, delete or return all Personal Data on termination of services.
  • Make available information necessary to demonstrate compliance with this DPA and support audits, subject to reasonable notice and confidentiality protections.

5. Controller obligations

The Controller shall:

  • Ensure it has a lawful basis under Applicable Law for uploading any Personal Data (including participant data) to the platform.
  • Obtain appropriate research ethics approval and participant consent before uploading interview or personal data to the platform.
  • Manage Authorised User access and ensure users comply with the Terms of Service.
  • Notify the Processor promptly of any changes that affect the Processor's ability to comply with this DPA.

6. Security measures

The Processor maintains the following technical and organisational measures, reviewed periodically:

  • All data in transit encrypted via TLS 1.2 or higher.
  • Authentication via industry-standard RS256 JWT tokens (Clerk).
  • Role-based access control at project and organisation level.
  • Rate limiting on all API endpoints, including AI-processing endpoints.
  • Structured security audit logging on all API requests with request ID tracing.
  • OWASP security response headers on all API responses.
  • API documentation and schema endpoints disabled in production.
  • 50 MB request size cap to prevent payload-flood attacks.
  • Immediate Personal Data anonymisation on account deletion.

7. International data transfers

Personal Data is processed in the United States. The Processor relies on the following transfer mechanisms:

  • New Zealand: NZ holds an EU adequacy decision. Transfers from NZ are lawful.
  • Australia: Transfers rely on Controller consent and contractual protections under this DPA.
  • Singapore: Transfers rely on Controller consent and contractual protections consistent with PDPA transfer obligations.
  • EU/UK: Transfers rely on Controller consent as the lawful basis (Art. 49(1)(a) GDPR). Controllers requiring standard contractual clauses should contact us.

8. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. Current Sub-processors are listed in Schedule A below. The Processor will notify the Controller of any intended changes to Sub-processors by updating Schedule A and providing at least 30 days' notice by email. The Controller may object to a new Sub-processor within that period; if the objection cannot be resolved, the Controller may terminate the agreement without penalty.

9. Data subject rights assistance

Where a data subject exercises rights directly against the Processor (e.g., deletion request via the platform), the Processor will action these technically. Where requests require the Controller's involvement (e.g., access requests to participant data), the Processor will forward the request to the Controller within 5 business days.

The Controller is the primary point of contact for research participants exercising their rights, as the Controller determines the lawful basis and purpose of processing participant data.

10. Breach notification

In the event of a confirmed personal data breach, the Processor will:

  • Notify the Controller at the email address on their account within 72 hours of becoming aware of the breach.
  • Provide: nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.
  • Cooperate with the Controller in meeting its own notification obligations to supervisory authorities and affected individuals under Applicable Law.

11. Deletion and return of data

On termination of the Controller's account or this DPA, the Processor will:

  • Anonymise or delete all Personal Data (excluding billing records retained under law) within 30 days of termination.
  • Provide the Controller with a data export of their projects, codebook, and audit trail on request before termination.

12. Liability and indemnification

Each party is responsible for its own compliance with Applicable Law. The Processor's liability under this DPA is limited to the extent set out in the Terms of Service. The Controller indemnifies the Processor against claims arising from the Controller's failure to obtain lawful basis for processing participant data.

13. Governing law

This DPA is governed by the laws of New Zealand. Disputes will be resolved in the courts of New Zealand, except where Applicable Law requires otherwise.

14. Contact

DPA queries, data breach notifications, and deletion requests: hello@qualintel.io

Schedule A — Sub-processors

Last updated: 1 June 2026

| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | User authentication and identity management | United States |
| Stripe | Payment processing (PCI DSS Level 1) | United States |
| Railway | API server and PostgreSQL database hosting | United States |
| Qdrant Cloud | Vector search database (semantic search) | United States |
| Voyage AI | Text embedding for semantic search | United States |
| Anthropic | AI language model — coding suggestions (API only; no training on inputs) | United States |
| Vercel | Web application hosting and CDN | United States / Global CDN |