qualcode.ai

Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and AI Research & Technology Lab GmbH ("Processor", "qualcode.ai", "we") for the provision of the qualcode.ai service.

This DPA reflects the requirements of Article 28 of the General Data Protection Regulation (GDPR) and applies to the processing of personal data that you, as data controller, entrust to us for processing.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Data Subject" means the individual to whom Personal Data relates (in this context, typically your survey respondents).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Customer Data" means the survey responses, coding guides, and related data you upload to the Service.

2. Scope and Roles

2.1 Controller

You are the Controller for all Customer Data you upload to the Service. You determine the purposes and means of processing survey respondent data.

2.2 Processor

We are the Processor for Customer Data. We process this data solely to provide the Service to you, in accordance with your documented instructions.

2.3 Our Own Processing

For data we collect directly (your account information, usage data), we are the Controller. See our Privacy Policy for details.

3. Details of Processing

Subject matter AI-assisted classification of open-ended survey responses
Duration For the duration of your use of the Service, plus retention periods specified in Section 8
Nature of processing Storage, transmission to AI services for classification, aggregation, export
Purpose To provide qualitative coding services as described in the Terms of Service
Categories of Data Subjects Survey respondents whose responses you upload
Types of Personal Data Free-text survey responses, which may contain any personal data you choose to upload

4. Controller Obligations

As Controller, you are responsible for:

  • Ensuring you have a valid legal basis for processing respondent data (consent, legitimate interest, etc.)
  • Providing appropriate privacy notices to Data Subjects, including disclosure of AI processing
  • Responding to Data Subject requests (we will assist as described in Section 6)
  • Ensuring uploaded data complies with applicable laws
  • Not uploading special category data (Article 9 GDPR) without explicit consent and appropriate safeguards
  • Implementing appropriate anonymization or pseudonymization where feasible

5. Processor Obligations

We commit to:

5.1 Processing Instructions

We will process Customer Data only on your documented instructions, unless required by EU or Austrian law. The Service's standard operation constitutes your instructions. If we believe an instruction violates GDPR, we will inform you.

5.2 Confidentiality

All personnel processing Customer Data are bound by confidentiality obligations.

5.3 Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication requirements
  • Secure development practices
  • Physical security at hosting facilities (AWS Frankfurt data center)

5.4 Sub-processors

We may engage Sub-processors to assist in providing the Service. The current list is in Section 7. We will:

  • Maintain written contracts with Sub-processors imposing equivalent data protection obligations
  • Notify you of any intended changes to Sub-processors with at least 30 days' notice
  • Provide you with the opportunity to object to new Sub-processors
  • Remain liable for Sub-processor compliance

5.5 Data Subject Rights

We will assist you in responding to Data Subject requests (access, rectification, erasure, etc.) by:

  • Providing you with tools to export and delete data
  • Promptly informing you of any requests received directly
  • Providing relevant information upon request

5.6 Data Protection Impact Assessments

We will provide reasonable assistance if you need to conduct a DPIA for your processing activities.

6. Data Subject Requests

If we receive a request from a Data Subject regarding Customer Data, we will:

  1. Notify you without undue delay
  2. Not respond directly unless required by law or with your authorization
  3. Provide you with information needed to respond

You can fulfill most requests directly through the Service interface (export data, delete projects, etc.).

7. Sub-processors

We use the following Sub-processors for Customer Data:

Sub-processor Purpose Location Transfer Mechanism
Amazon Web Services EMEA SARL Infrastructure hosting (servers, storage, databases) Frankfurt, Germany (eu-central-1) EU-based, no transfer
OpenAI, Inc. AI classification (Rater A) USA EU Standard Contractual Clauses
Anthropic, PBC AI classification (Rater B) USA EU Standard Contractual Clauses
Stripe, Inc. Payment processing (does not process Customer survey data) Ireland/USA EU Standard Contractual Clauses
Resend, Inc. Transactional email (does not process Customer survey data) USA EU Standard Contractual Clauses

7.1 AI Sub-processor Details

Survey data sent to OpenAI and Anthropic for classification:

  • Is transmitted via encrypted connections
  • Is processed transiently and not used for model training. OpenAI and Anthropic may retain request logs for abuse detection (up to 30 days) per their API terms.
  • Is not used to train their AI models
  • Is subject to their data processing agreements with us

7.2 Changes to Sub-processors

We will notify you via email of any intended addition or replacement of Sub-processors at least 30 days before the change takes effect. You may object in writing within 14 days. If we cannot reasonably accommodate your objection, either party may terminate the affected services.

8. Data Retention and Deletion

8.1 During Service

Customer Data is retained while your account is active. You can delete individual projects or data files at any time through the Service interface. Deleted data enters a 30-day trash period, then is permanently deleted.

8.2 Upon Termination

When you close your account or we terminate the Service:

  • You have 30 days to export your data
  • After 30 days, we will delete or anonymize all Customer Data
  • We may retain data as required by law (e.g., audit logs for 7 years per Austrian tax law)
  • Accounts with credit transaction history are soft-deleted (deactivated) rather than fully deleted to maintain financial audit integrity; personal identifiable information in such accounts is anonymized

8.3 Deletion Confirmation

Upon request, we will provide written confirmation that Customer Data has been deleted, except for legally required retention.

9. Data Breach Notification

In the event of a Personal Data breach affecting Customer Data, we will:

  1. Notify you without undue delay, and where feasible within 72 hours of becoming aware
  2. Provide details including:
    • Nature of the breach
    • Categories and approximate number of affected Data Subjects
    • Likely consequences
    • Measures taken or proposed to address the breach
  3. Cooperate with your investigation and any regulatory notification
  4. Document the breach and remediation for audit purposes

10. Audit Rights

You have the right to audit our compliance with this DPA. We will:

  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by you or an independent auditor

Audits shall be conducted with reasonable notice (at least 7 business days), during business hours, and in a manner that minimizes disruption. You shall bear your own audit costs.

11. International Transfers

Customer Data is primarily stored in the EU (Frankfurt, Germany). When transferred to the USA (for AI processing), we rely on:

  • Standard Contractual Clauses (SCCs) - EU Commission approved (Commission Implementing Decision 2021/914), Module 2 (Controller to Processor) and Module 3 (Processor to Processor) as applicable
  • Supplementary measures including encryption and contractual commitments from processors

We conduct Transfer Impact Assessments (TIAs) to evaluate and document the risks of international transfers. Our TIA document provides detailed analysis of the legal framework and supplementary measures for each sub-processor.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except that these limitations do not apply to:

  • Breaches of confidentiality obligations
  • Violations of applicable data protection laws
  • Indemnification obligations

13. Term and Termination

This DPA remains in effect for the duration of your use of the Service. Upon termination:

  • Sections 8 (Retention and Deletion), 10 (Audit Rights), and 12 (Liability) survive
  • We will fulfill our deletion obligations as specified in Section 8

14. Governing Law

This DPA is governed by Austrian law. For disputes, the courts of Mödling, Austria shall have exclusive jurisdiction.

15. Contact

For questions or requests regarding this DPA, contact:

AI Research & Technology Lab GmbH
Attn: Data Protection
Enzersdorfer Strasse 25
A-2340 Modling
Austria
Email: legal@qualcode.ai

By using the Service, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.