Data Processing Agreement (DPA)

Effective Date: November 23, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and Qrius.io ("Processor," "we," "us") and governs the processing of personal data under the EU General Data Protection Regulation (GDPR).

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).

Processing: Any operation performed on Personal Data as defined in GDPR Article 4(2).

Data Subject: An identified or identifiable natural person whose Personal Data is processed.

Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Customer.

2. Scope and Roles

2.1 Relationship

  • Customer is the Data Controller
  • Qrius.io is the Data Processor
  • This DPA applies to all Personal Data processed through our Service

2.2 Nature and Purpose of Processing

  • Purpose: To provide QR code management and analytics services
  • Duration: For the term of the Customer's account
  • Nature: Hosting, storage, analytics, and management of QR code data

2.3 Types of Personal Data

  • Email addresses
  • Names (optional)
  • IP addresses (hashed)
  • Device and browser information
  • QR scan timestamps and locations

2.4 Categories of Data Subjects

  • Customer's account users
  • End users who scan Customer's QR codes

3. Processor Obligations

3.1 Processing Instructions

We process Personal Data only on documented instructions from the Customer, unless required by EU or Member State law.

3.2 Confidentiality

We ensure that personnel authorized to process Personal Data:

  • Are bound by confidentiality obligations
  • Receive appropriate training on data protection

3.3 Security Measures

We implement appropriate technical and organizational measures including:

Technical Measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (database encryption)
  • Hashed IP addresses for privacy
  • Encrypted password storage (bcrypt)
  • Regular security patches and updates

Organizational Measures:

  • Access control and authentication
  • Security incident response procedures
  • Regular security audits
  • Employee data protection training
  • Secure development practices

3.4 Sub-processors

Current Sub-processors:

  • Stripe Inc. - Payment processing (EU data center)
  • Hosting Provider - EU-based infrastructure (Stockholm, Sweden)

We will:

  • Notify Customer of any changes to Sub-processors (30 days' notice via email)
  • Ensure Sub-processors meet GDPR requirements
  • Remain liable for Sub-processor performance

3.5 Data Subject Rights

We will assist the Customer in responding to Data Subject requests:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Assistance provided within: 10 business days of Customer request

3.6 Data Breach Notification

We will notify the Customer within 24 hours of becoming aware of a Personal Data breach affecting the Customer's data.

Notification will include:

  • Nature of the breach
  • Categories and approximate number of affected Data Subjects
  • Likely consequences
  • Measures taken or proposed to address the breach

3.7 Data Protection Impact Assessment

We will provide reasonable assistance with Data Protection Impact Assessments (DPIA) and prior consultations with supervisory authorities when required.

3.8 Deletion and Return of Data

Upon account termination, we will:

  • Delete all Personal Data within 30 days
  • Provide data export option before deletion
  • Certify deletion upon Customer request

Exception: Data retained for legal compliance (e.g., billing records for 7 years).

3.9 Audits and Inspections

We will:

  • Make available all information necessary to demonstrate GDPR compliance
  • Allow for and contribute to audits (with reasonable notice)
  • Permit audits to be conducted by the Customer or an authorized third party

Audit frequency: Once per year (unless a breach has occurred)

4. Customer Obligations

The Customer warrants that:

  • They have a legal basis for processing Personal Data
  • They have obtained necessary consents from Data Subjects
  • They comply with GDPR in their capacity as Data Controller
  • They provide clear instructions for data processing

5. Data Transfers

5.1 Data Location

All Personal Data is stored and processed in the European Union (Stockholm, Sweden).

5.2 International Transfers

We do not transfer Personal Data outside the EU/EEA.

If future transfers are necessary:

  • We will implement Standard Contractual Clauses (SCCs)
  • We will notify the Customer in advance
  • Transfers will comply with GDPR Chapter V

6. Liability and Indemnification

6.1 Processor Liability

We are liable for damages caused by processing that violates GDPR obligations specific to Processors.

6.2 Indemnification

Each party indemnifies the other for damages arising from the indemnifying party's violation of GDPR.

7. Term and Termination

7.1 Term

This DPA is effective from the date of account creation and continues for the duration of the Service.

7.2 Termination

This DPA terminates automatically upon termination of the Terms of Service.

7.3 Survival

Provisions regarding data deletion, confidentiality, and liability survive termination.

8. Governing Law and Jurisdiction

This DPA is governed by Swedish law. Disputes will be resolved in Stockholm courts.

9. Amendments

We may update this DPA to reflect changes in:

  • GDPR guidance or interpretation
  • Supervisory authority requirements
  • Security best practices

Material changes will be notified via email at least 30 days in advance.

10. Contact for Data Protection Matters

Data Protection Officer: [email protected]

Legal Department: [email protected]

Mailing Address:
Qrius.io
Stockholm, Sweden

11. Supervisory Authority

Swedish Data Protection Authority (Datainspektionen)

Website: datainspektionen.se

Email: [email protected]

Phone: +46 8 657 61 00

Appendix A: Technical and Organizational Measures

A.1 Access Control

  • Multi-factor authentication for admin access
  • Role-based access control (RBAC)
  • Regular access reviews

A.2 Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption for data at rest
  • Hashed passwords (bcrypt)
  • Hashed IP addresses

A.3 Backup and Recovery

  • Daily automated backups
  • Encrypted backup storage
  • Disaster recovery plan
  • Regular recovery testing

A.4 Security Monitoring

  • Real-time security monitoring
  • Intrusion detection systems
  • Regular vulnerability scans
  • Penetration testing (annual)

A.5 Incident Response

  • 24/7 security incident monitoring
  • Incident response plan
  • Security incident logs
  • Regular incident response drills

A.6 Data Minimization

  • Collection of only necessary data
  • IP address hashing
  • Automatic data retention limits
  • Regular data cleanup

Appendix B: Sub-processors

Sub-processor      Service              Data Processed                 Location
Stripe Inc.        Payment processing   Name, email, billing details   EU data center
Hosting Provider   Infrastructure       All customer data              Stockholm, Sweden

Last Updated: November 23, 2025

Acceptance

By using Qrius.io, Customer acknowledges and agrees to this Data Processing Agreement.