Data Processing Agreement
Document reference: QUALIVA-LEGAL-003 · Version 1.0 · Effective May 2026
| Item | Detail |
|---|---|
| Regulatory basis | UK GDPR Art. 28 · EU GDPR Art. 28 · Data Protection Act 2018 |
| Data Processor | Qualiva Ltd, 167–169 Great Portland Street, 5th Floor, London W1W 5PF, UK · ICO Reg: C1940367 |
| Data Controller | The subscribing client organisation (as named in the Order Form or subscription record) |
| Contact | hello@qualiva.ai |
This Data Processing Agreement ("DPA") forms part of the Terms of Service (QUALIVA-LEGAL-001) between Qualiva Ltd ("Processor") and the subscribing client organisation ("Controller"). It governs the processing of personal data by Qualiva Ltd on behalf of the Controller in connection with the Qualiva platform service.
Both parties agree that this DPA satisfies the requirements of Article 28 of the UK GDPR and EU GDPR.
1. Definitions
- "Personal Data", "Processing", "Data Subject", "Data Controller", "Data Processor" have the meanings given in UK GDPR / EU GDPR.
- "Client Data" means all data including personal data submitted to the Service by the Controller or on its behalf.
- "Services" means the Qualiva platform provided under the Terms of Service.
- "Sub-processors" means third parties engaged by the Processor to process personal data.
2. Subject Matter and Nature of Processing
| Item | Detail |
|---|---|
| Subject matter | Processing of personal data in connection with the provision of the Qualiva GMP compliance platform |
| Nature | Storage, retrieval, organisation, display, transmission, and deletion of Client Data |
| Purpose | To provide the Services described in the Terms of Service |
| Duration | For the term of the subscription plus 90 days following termination |
| Types of data | User names, email addresses, job titles, activity logs, audit trails, and any personal data included in GMP records (deviations, SOPs, batch records, training records, etc.) |
| Categories of data subjects | Client's employees, contractors, and authorised users; any individuals referenced in GMP records |
3. Processor Obligations
Qualiva Ltd, as Data Processor, agrees to:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that all personnel authorised to process personal data are subject to confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 6
- Not engage sub-processors without prior written authorisation from the Controller (general authorisation is granted for the sub-processors listed in Section 5)
- Assist the Controller in responding to data subject rights requests, to the extent technically feasible
- Assist the Controller in ensuring compliance with GDPR obligations regarding security, breach notification, data protection impact assessments, and prior consultation
- Delete or return all personal data to the Controller upon termination of services, and delete existing copies unless required by law
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an auditor mandated by the Controller
- Immediately notify the Controller if an instruction infringes applicable data protection law
4. Controller Obligations
The Controller agrees to:
- Ensure it has a lawful basis for processing and has provided appropriate notices to data subjects
- Ensure that personal data provided to Qualiva is accurate and limited to what is necessary
- Manage user access within the platform, ensuring only authorised individuals have accounts
- Notify Qualiva of any changes to data protection requirements that affect the processing
5. Sub-processors
The Controller provides general written authorisation to engage the following sub-processors. Qualiva will notify the Controller of any changes to sub-processors with at least 14 days' notice.
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany (EU) | ISO 27001, DPA, EU jurisdiction |
| Anthropic PBC | AI model API (query context only — no data retention) | USA | Standard Contractual Clauses |
| Cloudflare Inc. | Document storage (R2) | EU nodes | ISO 27001, DPA, Standard Contractual Clauses |
6. Security Measures
Qualiva implements the following technical and organisational measures (full detail in QUALIVA-ISMS-001):
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access control: Role-based access control (RBAC), PIN-based electronic signatures, brute-force protection
- Data isolation: Per-client database schema — no cross-client data access possible
- Audit trail: Immutable, timestamped log of all data access and modifications
- Backup: Daily automated backups retained for 30 days
- Monitoring: Continuous uptime and security monitoring
- Personnel: Confidentiality obligations for all personnel with access to personal data
- Incident response: Documented procedure with 72-hour GDPR breach notification capability
7. Data Breach Notification
Qualiva will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Client Data. The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
The Controller is responsible for notifying the ICO (or relevant supervisory authority) and affected data subjects as required by applicable law.
8. Data Subject Rights
Where data subjects exercise rights directly with Qualiva, Qualiva will forward such requests to the Controller within 5 business days. Qualiva will provide reasonable technical assistance to help the Controller respond to such requests.
9. Data Transfers
Personal data is processed primarily within the European Economic Area (Germany). Where data is transferred outside the EEA (specifically for Anthropic's AI processing), appropriate safeguards including Standard Contractual Clauses are in place.
10. Termination
Upon termination of the Services, Qualiva will, within 30 days of written request, provide the Controller with an export of Client Data in a standard format. All Client Data will be securely deleted within 90 days of termination unless retention is required by law.
11. Governing Law
This DPA is governed by the laws of England and Wales.
12. Execution
This DPA is incorporated into and forms part of the Qualiva Terms of Service. By subscribing to the Qualiva platform, the Controller agrees to be bound by this DPA. A countersigned copy is available on request for enterprise customers who require a separately executed instrument.
To request a countersigned DPA or to raise questions about this agreement, contact: hello@qualiva.ai