Data Processing Agreement
Preparation summary for B2B clients that need a DPA before sharing personal data or sensitive projects.
Last updated: 2026-05-11
1. DPA status
This page is not yet a signed DPA and does not replace legal advice. QLAC must prepare a legally reviewed data processing agreement before closing B2B contracts that require it.
2. When it applies
Where QLAC processes personal data on behalf of a business client, especially data included in projects, repositories, reports, evidence, end users, or support, QLAC may act as processor and the client as controller.
3. Expected content
- Subject matter, duration, nature, and purpose of processing.
- Types of personal data and categories of data subjects.
- Documented client instructions.
- Confidentiality, security measures, access control, and client segregation.
- Sub-processors, international transfers, and applicable safeguards.
- Assistance with rights, breaches, audits, deletion, and return of data.
4. Technical measures
QLAC is designed with private storage, access policies, Backoffice/Client Portal separation, audit trail, no execution of uploaded code, encrypted secrets, and configurable retention. These measures should be formally documented in the final DPA.
5. Commercial process
Clients requiring a DPA should request it before uploading sensitive data or connecting repositories. QLAC should provide a legally reviewed version, sub-processor list, and security annexes before signature.