GDPR Data Protection Addendum

Effective Date: 30th December, 2025

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement between:

1. the individual or entity accepting this DPA by registering for or using the QRMetric SaaS platform (the “Controller”); and
2. QRMetric, operating at qrmetric.com, as the service provider (the “Processor”).

BACKGROUND

A. The Controller and the Processor have entered into, or will enter into, an agreement governing the Controller’s use of the QRMetric SaaS platform and related services (the “Main Agreement”).
B. This Data Processing Addendum (“DPA”) forms part of and supplements the Main Agreement and sets out the parties’ respective responsibilities and obligations with respect to the processing of Personal Data under the Main Agreement in order to ensure compliance with Regulation (EU) 2016/679 (GDPR), in particular Article 28.

1. DEFINITIONS

Terms used in this DPA have the meanings set out in the GDPR. In addition:

  • “Applicable Data Protection Law” means the GDPR and any national implementing laws.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed under the Main Agreement.
  • “Processing”, “Data Controller”, “Data Processor”, “data subject”, and similar terms have the meanings given in the GDPR.

2. ROLE OF THE PARTIES

  • 2.1 The Controller is the Data Controller in respect of Personal Data submitted to the Processor under the Main Agreement.
  • 2.2 The Processor acts as Data Processor and shall process Personal Data only on documented instructions from the Controller, as required by Article 28 GDPR.

3. DURATION, SUBJECT-MATTER, NATURE AND PURPOSE, TYPES OF DATA, CATEGORIES OF DATA SUBJECTS

The details of processing are set out in Annex A (Processing Details) to this DPA (subject-matter, duration, nature and purpose, types of personal data and categories of data subjects). These details form an integral part of this DPA.

4. PROCESSOR OBLIGATIONS

  • 4.1 Processor shall only process Personal Data on the Controller’s documented instructions unless required by Union or Member State law to act without such instructions; in that case Processor shall inform Controller of that legal requirement unless legally prohibited.
  • 4.2 Processor shall ensure that persons authorized to process Personal Data have committed to confidentiality.
  • 4.3 Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Annex C). Processor shall maintain and test those measures.
  • 4.4 Processor shall not engage any sub-processor except as set out in Annex B or with Controller’s prior written authorization; where prior general authorization is provided, Processor shall inform Controller of additions and provide opportunity to object as required by Applicable Data Protection Law. Processor shall flow down equivalent obligations to any sub-processor.
  • 4.5 Processor shall assist Controller in responding to requests from data subjects and shall promptly notify Controller of any such requests received directly by Processor.
  • 4.6 Processor shall assist Controller with data protection impact assessments and prior consultations with supervisory authorities where needed, taking into account the nature of processing and the information available to Processor.

5. SECURITY BREACH NOTIFICATION

Processor shall notify Controller without undue delay and, where feasible, within 72 hours of becoming aware of a Personal Data breach affecting Controller’s Personal Data, providing sufficient details to enable Controller to meet any obligations to supervisory authorities and data subjects. Processor shall cooperate with Controller’s investigation and mitigation.

6. AUDIT, INSPECTION AND RECORDS

  • 6.1 Processor shall make available to Controller all information necessary to demonstrate compliance with obligations of a Processor under the GDPR and allow for and contribute to audits by Controller or an auditor mandated by Controller, subject to reasonable confidentiality protections and advance notice.
  • 6.2 Processor shall maintain records of processing activities carried out on behalf of Controller as required by Article 30 GDPR.

7. SUB-PROCESSING

Controller hereby authorizes the Processor to engage sub-processors listed in Annex B. Processor shall ensure sub-processors comply with equivalent obligations. Processor remains fully liable to Controller for the performance of sub-processor obligations.

8. INTERNATIONAL TRANSFERS

Any transfer of Personal Data outside the EEA/UK shall occur only on the basis of an adequacy decision of the Commission (or UK Secretary of State), appropriate safeguards (including the EU Commission’s standard contractual clauses, or other lawful transfer mechanisms), or other lawful basis. Processor and Controller shall cooperate to implement appropriate safeguards (for example, execution of the Commission’s SCCs or other safeguards).

9. RETURN OR DELETION

Within 30 days after termination or expiry of the Main Agreement, Processor shall, at Controller’s option, return all Personal Data to Controller in a readable format or irreversibly delete all Personal Data and certify deletion. Processor shall ensure deletion from active systems and reasonable efforts to delete from backups within 90 days, except to the extent storage is required by law. Processor shall provide a signed certificate of deletion on request.

10. LIABILITY

Each party’s liability for losses arising from breach of Applicable Data Protection Law shall be determined in accordance with the Main Agreement and applicable law. Nothing in this DPA shall limit or exclude liability for breaches of law or willful misconduct to the extent not permitted by applicable law.

11. INDEMNITY

Processor shall defend, indemnify and hold harmless Controller against losses resulting from Processor’s breach of this DPA or Processor's failure to comply with Applicable Data Protection Law to the extent caused by Processor.

12. COOPERATION WITH SUPERVISORY AUTHORITIES

Each party shall cooperate with supervisory authorities and provide reasonable assistance to the other party to enable compliance with instructions from supervisory authorities.

13. MISCELLANEOUS

  • 13.1 If any provision of this DPA is found invalid under Applicable Data Protection Law, it will be replaced with a valid provision that best achieves the original purpose.
  • 13.2 This DPA is governed by the law set out in the Main Agreement.
  • 13.3 In the event of any inconsistency between the Main Agreement and this DPA with respect to data protection, this DPA shall prevail.

ANNEX A — DETAILS OF PROCESSING

  • Subject matter of the processing: creation, hosting and analytics of dynamic QR codes for Controller's customers.
  • Duration of processing: duration of the Main Agreement and thereafter as required by law or Controller’s instruction.
  • Nature and purposes of processing: generation, storage, delivery, tracking and analytics of QR-code scans; customer support; fraud prevention; service improvement.
  • Types of Personal Data: device identifiers, IP addresses, location data derived from IP, scan timestamps, user-supplied personal data.
  • Categories of data subjects: Controller’s customers, end users who scan QR codes, Controller’s staff.

ANNEX B — SUB-PROCESSORS

The Processor uses the following approved sub-processors for the services listed below. Processor shall ensure each sub-processor is contractually bound to comply with obligations no less protective than those set out in this DPA.

Sub-Processor        Activity
Cloudflare           DNS hosting
Hetzner              Server hosting
Lemon Squeezy        Payment processor
Olvy                 Feedback widget

ANNEX C — TECHNICAL AND ORGANISATIONAL MEASURES

Processor shall implement and maintain at least the following measures, and any additional measures required by Applicable Data Protection Law:

  • 1) Access controls and role-based access to Personal Data; principle of least privilege.
  • 2) Encryption of Personal Data in transit; encryption of Personal Data at rest where feasible.
  • 3) Data in transit must be protected using TLS version 1.2 or later.
  • 4) Logging and monitoring of access to systems processing Personal Data.
  • 5) Regular vulnerability management, patching and secure development practices.
  • 6) Network and application firewalls and intrusion detection.
  • 7) Data backup and restore procedures; business continuity and disaster recovery plans.
  • 8) Incident response plan and testing.
  • 9) Personnel security: background checks as permitted by law; confidentiality agreements.
  • 10) Procedures for secure deletion and disposal of Personal Data.

Appointed Data Protection Officer

Harry Kirkman <[email protected]>