Data Processing Agreement

This Data Processing Agreement ("DPA") supplements OSQR's Terms of Service and governs the processing of personal data that OSQR performs on behalf of its customers. It applies wherever OSQR acts as a data processor under applicable data protection law.

• →This DPA applies when OSQR processes personal data on behalf of a customer (the "Controller")
• →OSQR acts as a "Processor" under GDPR and other applicable data protection laws
• →For enterprise customers, this DPA is automatically incorporated into the service agreement
• →Where OSQR processes personal data for its own purposes (e.g., account management), OSQR acts as a Controller and its Privacy Policy applies

The following terms have the meanings set out below when used in this DPA:

• →Controller — the entity that determines the purposes and means of processing personal data (typically the OSQR customer)
• →Processor — the entity that processes personal data on behalf of the Controller (OSQR)
• →Data Subject — an identified or identifiable natural person whose personal data is processed
• →Personal Data — any information relating to an identified or identifiable natural person
• →Processing — any operation performed on personal data, including collection, storage, use, transfer, or deletion
• →Sub-processor — any third-party processor engaged by OSQR to process personal data on the Controller's behalf
• →Applicable Data Protection Law — GDPR (EU 2016/679), UK GDPR, CCPA, PIPEDA, and other applicable privacy legislation
• →Standard Contractual Clauses (SCCs) — the European Commission's approved mechanism for lawful international data transfers
• →Technical and Organizational Measures (TOMs) — the security and privacy safeguards OSQR implements to protect personal data

As a data processor, OSQR commits to the following obligations with respect to personal data processed under this DPA:

• →Process personal data only on documented instructions from the Controller, including as set out in this DPA and the Terms of Service
• →Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations
• →Implement appropriate technical and organizational security measures as described in Section 05
• →Not engage sub-processors without the Controller's authorization — general written authorization is granted by acceptance of this DPA, with the right to object as described in Section 06
• →Assist the Controller in responding to data subject requests for access, deletion, portability, and rectification
• →Delete or return all personal data upon termination of the service agreement, at the Controller's choice
• →Make available all information reasonably necessary to demonstrate compliance with this DPA
• →Immediately inform the Controller if any instruction would, in OSQR's opinion, violate applicable data protection law
• →Notify the Controller of personal data breaches within 72 hours of becoming aware, as described in Section 09

OSQR implements the following technical and organizational measures to protect personal data:

• →Encryption at rest: End-to-end AES-256-GCM encryption for all vault data
• →Encryption in transit: TLS 1.3 for all data transmitted between clients and OSQR servers
• →User-controlled keys: Encryption keys are derived from user passwords — OSQR staff cannot decrypt vault content
• →Encrypted embeddings: Vector embeddings used for semantic search are encrypted and cannot be reversed to source text
• →Access controls: Role-based access, multi-factor authentication available for all accounts
• →Staff access limitations: No OSQR staff have access to user vault content
• →Infrastructure security: Hosted on Vercel and AWS infrastructure with enterprise-grade physical and network security
• →Incident response: Documented incident response procedures with defined escalation paths and notification timelines
• →Security assessments: Regular security reviews and vulnerability assessments

OSQR engages the following categories of sub-processors to deliver its services:

• →AI Providers: Anthropic, OpenAI, Google, xAI — for AI model inference
• →Infrastructure: Vercel (hosting, edge functions), Neon (serverless PostgreSQL)
• →Payments: Stripe — for payment processing and subscription management
• →Communications: Twilio — for SMS and voice features
• →File Processing: Third-party services for document parsing and format conversion

The current sub-processor list is maintained at osqr.ai/subprocessors.

OSQR assists the Controller in fulfilling data subject rights requests. The following mechanisms are available:

• →Right to access: Controllers can export all workspace data via OSQR's interface at any time
• →Right to erasure: The "Burn It" button in account settings provides complete, irreversible deletion of all user data
• →Right to portability: Data export is available in standard machine-readable formats
• →Right to rectification: Users can directly update their personal data within the OSQR interface
• →Right to restriction: Account suspension is available to pause all processing
• →Right to object: Processing can be stopped at any time by account termination

OSQR will respond to Controller requests regarding data subject rights within 10 business days. For complex requests, OSQR will acknowledge receipt within 3 business days and provide a timeline for completion.

OSQR is based in the United States (Maricopa County, Arizona). Personal data processed through OSQR may be transferred to and stored in the United States.

• →For transfers from the EEA, UK, or Switzerland to the US, OSQR relies on Standard Contractual Clauses (SCCs) as the legal transfer mechanism
• →OSQR will execute SCCs upon written request — contact legal@osqr.app
• →Supplementary measures applied to all international transfers include encryption, strict access controls, and regular transparency reviews

In the event of a personal data breach, OSQR commits to the following:

• →Notify the Controller without undue delay, and within 72 hours of becoming aware of a breach involving personal data
• →Provide notification that includes: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
• →Cooperate fully with the Controller and relevant supervisory authorities throughout the investigation
• →Take all reasonable steps to mitigate the effects of the breach and prevent recurrence

OSQR maintains a documented incident response plan that is reviewed and tested regularly. The Controller is responsible for notifying supervisory authorities and affected data subjects as required by applicable law.

• →OSQR retains personal data for the duration of the active service agreement
• →Upon termination, the Controller's data is deleted within 30 days unless OSQR is legally required to retain it for a longer period
• →The "Burn It" button in account settings triggers immediate and complete deletion of all personal data at any time, without waiting for account termination
• →Encrypted database backups are purged within 90 days of the deletion event
• →Aggregated, anonymized, and de-identified data (containing no personal data) may be retained for service improvement purposes

OSQR supports the Controller's right to audit compliance with this DPA:

• →OSQR will make available all information reasonably necessary to demonstrate compliance with this DPA
• →The Controller may conduct audits, or engage a qualified third-party auditor, with at least 30 days' prior written notice
• →Audits are limited to once per calendar year, unless a personal data breach has occurred
• →OSQR will cooperate in good faith with all reasonable audit requests and will not unreasonably restrict access to relevant records
• →Each party bears its own costs for audits unless a material breach is discovered
• →Where available, OSQR may provide SOC 2 Type II reports or equivalent independent certifications in lieu of on-site audits

Each party's liability under this DPA is subject to the exclusions and limitations set forth in the main Terms of Service, except that:

• !Neither party limits its liability for willful or intentional breach of its data protection obligations under this DPA
• !Neither party limits its liability for claims by data subjects arising directly from either party's non-compliance with applicable data protection law

In cases where both parties are responsible for a data protection breach, liability is apportioned according to each party's degree of responsibility.

• →This DPA is effective for the duration of the main service agreement between the parties
• →Obligations regarding data deletion, security, and confidentiality survive the termination of this DPA
• →Either party may terminate this DPA if the other materially breaches its obligations and fails to cure that breach within 30 days of written notice
• →Termination of this DPA automatically terminates the main service agreement where data processing is a fundamental component of the service

The governing law applicable to this DPA depends on the jurisdiction of the data subjects involved:

• →EEA data subjects: Governed by the laws of the Republic of Ireland, with jurisdiction in the Irish courts
• →UK data subjects: Governed by the laws of England and Wales, with jurisdiction in the courts of England and Wales
• →All other data subjects: Governed by the laws of the State of Arizona, United States

All disputes arising under this DPA are subject to the arbitration provisions set out in the main Terms of Service, except where applicable data protection law requires otherwise.

For all data protection and DPA-related inquiries, please contact us at:

• Data protection inquiries: privacy@osqr.app
• DPA requests and SCC execution: legal@osqr.app
• Data controller address: OSQR, Maricopa County, Arizona, United States

Enterprise customers requiring a signed DPA or executed SCCs should contact legal@osqr.app. We aim to respond to all legal and data protection requests within 5 business days.