This Data Processing Agreement is incorporated into the qPipe Terms of Service and applies automatically to every customer, to the extent Customer Data includes personal data. It requires no separate signature.
1.Introduction and applicability
This Data Processing Agreement (“DPA”) forms part of the qPipe Terms of Service (the “Agreement”) between Qvalento Solutions AB (“Qvalento”, the “Processor”) and the customer accepting the Agreement (the “Customer”, the “Controller”). It is incorporated into the Agreement by reference and is binding on both parties from the moment the Customer accepts the Terms of Service — no separate signature is required.
This DPA applies to the extent that Customer Data includes personal data whose processing is subject to the EU General Data Protection Regulation (“GDPR”) or applicable Swedish data protection law, and that Qvalento processes on the Customer’s behalf in providing the Service. It implements the requirements of Article 28(3) GDPR.
Customers who require an individually signed or negotiated DPA (for example, Enterprise procurement processes) can request one at consent@qpipe.io. Once executed, a signed DPA prevails over this standard DPA.
2.Definitions
Terms such as “personal data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in the GDPR. In addition:
- “Customer Data” has the meaning given in the Terms of Service: the data extracted from the Source Platforms the Customer connects and loaded into the Destinations the Customer designates.
- “Customer Personal Data” means the personal data contained in Customer Data.
- “Sub-processor” means a third party engaged by Qvalento to process Customer Personal Data on the Customer’s behalf.
- “SCCs” means the Standard Contractual Clauses approved by the European Commission for transfers of personal data to third countries (Commission Implementing Decision (EU) 2021/914), as updated or replaced from time to time.
3.Details of the processing
- Subject matter. The provision of the qPipe Service: automated extraction of Customer Data from third-party platforms connected by the Customer and its transfer into data warehouses, databases, or storage locations designated by the Customer.
- Duration. The term of the Agreement, until deletion of Customer Personal Data in accordance with Section 11.
- Nature and purpose. Retrieval of data from Source Platforms using credentials provided by the Customer; transient transformation (such as flattening and deduplication) as necessary to load the data; loading into the Customer’s Destinations; and displaying transient previews of extracted data in the application at the Customer’s request. Each transfer job runs in an isolated, ephemeral compute instance that is destroyed when the job completes. Customer Personal Data is not stored on Qvalento’s infrastructure: it passes through only for the duration of a job and is not retained beyond operational metadata (job status, timing, row counts, error categories).
- Categories of data subjects. Determined by the Customer through the sources it connects and the reports it configures. Depending on configuration, these may include the Customer’s own customers, prospects, contacts, employees, and end users of the connected platforms.
- Categories of personal data. Determined by the Customer. By way of example: contact details in CRM data (names, email addresses, phone numbers), employee-related records in accounting or payroll data, and pseudonymous online identifiers in analytics and advertising data (such as client IDs and transaction IDs).
- Special categories of data. The Service is not intended for special categories of personal data (Art. 9 GDPR). The Customer shall not configure the Service to process such data unless it has a lawful basis and has agreed appropriate additional safeguards with Qvalento in writing.
Because the Customer selects which sources to connect, which reports to run, and which destinations to load, this description applies equally to all current and future integrations without amendment.
4.Processing on documented instructions
Qvalento shall process Customer Personal Data only on the Customer’s documented instructions, including with regard to transfers to third countries, unless required to do so by EU or Swedish law — in which case Qvalento will inform the Customer of that legal requirement before processing, unless the law prohibits it on important grounds of public interest.
The Agreement, this DPA, and the configurations the Customer makes in the Service (the sources connected, reports selected, schedules set, and destinations designated) constitute the Customer’s complete documented instructions. Additional instructions require written agreement between the parties.
Qvalento shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
5.Confidentiality
Qvalento ensures that all persons authorized to process Customer Personal Data — employees and contractors alike — are bound by contractual or statutory obligations of confidentiality, and process the data only to the extent required to perform their role in delivering the Service.
6.Security of processing (Art. 32)
Qvalento implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:
- encryption of all platform credentials (OAuth tokens, API keys, service account keys, database connection details) at rest with AES-256-GCM, with the encryption key held separately from the database;
- encryption of data in transit using TLS;
- tenant isolation enforced at the database layer through row-level security, with no cross-tenant override;
- role-based access control (owner, editor, viewer) and owner-only access to credential secrets;
- least-privilege, scoped, expirable API tokens stored only as hashes;
- execution of each transfer job in an isolated, ephemeral compute instance that is destroyed on completion, with no storage of Customer Personal Data on Qvalento’s infrastructure (operational metadata only);
- proactive credential-health monitoring and audit logging of credential events.
Qvalento may update these measures from time to time, provided the updates do not materially reduce the overall level of protection.
7.Sub-processors
The Customer grants Qvalento a general authorization to engage Sub-processors for hosting, database, identity, email delivery, and similar infrastructure functions needed to operate the Service.
- The current list of Sub-processors is published at qpipe.io/subprocessors.
- Qvalento will update that page — and notify the Customer through the Service or by email — at least 30 days before adding or replacing a Sub-processor that processes Customer Personal Data.
- The Customer may object to a new Sub-processor on reasonable, documented data protection grounds within that notice period. The parties will then work in good faith to find a solution; if none is found, the Customer may terminate the affected part of the Service and receive a pro-rata refund of prepaid fees for the period after termination.
- Qvalento imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable to the Customer for the performance of its Sub-processors.
For clarity: the Source Platforms the Customer connects and the Destinations the Customer designates are not Sub-processors — they are third-party services chosen and controlled by the Customer under the Customer’s own agreements with those providers.
8.International transfers
Qvalento processes Customer Personal Data in the EU/EEA where feasible. Where a Sub-processor processes Customer Personal Data outside the EU/EEA, Qvalento ensures an appropriate safeguard under GDPR Chapter V — an adequacy decision (including the EU–US Data Privacy Framework where the provider is certified) or the SCCs, which are incorporated into this DPA by reference for such transfers, with Qvalento executing them with the relevant Sub-processor.
Transfers that result from the Customer’s own configuration — for example, designating a Destination located outside the EU/EEA — are made on the Customer’s instruction and are the Customer’s responsibility as controller.
If the Customer is established outside the EU/EEA and the parties’ arrangement involves a transfer of personal data that requires safeguards under Chapter V GDPR — for example, disclosures from Qvalento back to a non-EEA Customer — the parties will, at the Customer’s written request to consent@qpipe.io, execute the appropriate module of the SCCs (such as Module Four, processor-to-controller), which upon execution forms part of this DPA.
9.Assistance to the Customer
Taking into account the nature of the processing, Qvalento shall assist the Customer with appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligations to:
- respond to data subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). If a data subject contacts Qvalento directly about Customer Personal Data, Qvalento will refer the request to the Customer without undue delay;
- ensure security of processing (Art. 32), notify personal data breaches (Arts. 33–34), and carry out data protection impact assessments and prior consultations (Arts. 35–36), taking into account the information available to Qvalento.
Qvalento may charge a reasonable fee for assistance that goes materially beyond what the Service provides by default, where permitted by law.
10.Personal data breach notification
Qvalento shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, so that the Customer can meet its own notification obligations. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Qvalento will cooperate with the Customer and provide reasonable assistance with the Customer’s own notification obligations under Articles 33–34 GDPR.
11.Deletion and return of data
Because Customer Personal Data passes through the Service only for the duration of a transfer job and lands in Destinations the Customer controls, the Customer holds its own complete copy of the data at all times. The parties agree that the continuous delivery of Customer Data to the Destinations designated by the Customer constitutes the return of Customer Personal Data at the Customer’s choice within the meaning of Article 28(3)(g) GDPR; no separate return step is required or possible, since Qvalento holds no copy to return. Accordingly, upon termination of the Agreement:
- stored credentials are deleted, and any Customer Personal Data transiently held in processing infrastructure is deleted in the normal course of job completion;
- configurations and account data are deleted or anonymized within a reasonable period, except where retention is required by EU or Swedish law (for example, bookkeeping obligations);
- data already loaded into the Customer’s Destinations is unaffected and remains under the Customer’s exclusive control.
The Customer can also delete individual credentials and data source configurations at any time during the term of the Agreement. Upon written request, Qvalento will confirm deletion in writing.
12.Audits and information rights
Qvalento shall make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA — including summaries of security measures, Sub-processor agreements (redacted for confidentiality where appropriate), and relevant certifications or audit reports where available.
Where that information is insufficient to demonstrate compliance, Qvalento shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to: reasonable prior written notice (at least 30 days, except following a personal data breach), at most one audit per 12-month period, confidentiality undertakings, conduct during business hours without disrupting the Service, and the Customer bearing its own costs. Requests should be sent to consent@qpipe.io.
13.Liability and order of precedence
The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA prevails. A signed, negotiated DPA between the parties prevails over this standard DPA.
If any provision of this DPA is held invalid, the remainder stays in effect and the provision is enforced to the maximum permitted extent.
14.Term, governing law, and changes
This DPA takes effect when the Customer accepts the Terms of Service and remains in force for as long as Qvalento processes Customer Personal Data on the Customer’s behalf.
This DPA is governed by the laws of Sweden, and disputes are resolved as set out in the Terms of Service, without prejudice to mandatory provisions of the GDPR.
Qvalento may update this DPA from time to time, but only where the update (i) is required to reflect changes in applicable law, regulatory guidance, or the SCCs, or (ii) does not reduce the level of protection for Customer Personal Data. Material changes will be notified at least 30 days in advance in accordance with the Terms of Service; if the Customer reasonably objects on data protection grounds, it may terminate the Agreement before the change takes effect and receive a pro-rata refund of prepaid fees for the period after termination. Updates to this DPA do not constitute new processing instructions under Section 4. The “Last updated” date above reflects the latest version.
15.Contact
Qvalento Solutions AB
Organization number: 559216-3306
VAT: SE559216330601
Andra Långgatan 19
413 28 Gothenburg
Sweden
- Privacy, consent & DPA matters: consent@qpipe.io
- General support: support@qpipe.io
- Website: https://www.qvalento.com