Data Processing Agreement (DPA)
Version 1.0 — April 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between:
- Apptesterhub LLC, a Wyoming limited liability company with its principal office at 75 E 3rd St Ste 7, Sheridan, WY 82801, United States, operating the Qply service ("Processor"); and
- The entity or individual identified as the account holder in the Qply dashboard ("Controller").
Together, the "Parties." This DPA applies where Processor processes Personal Data on behalf of Controller in the course of providing the Qply service. Capitalised terms not defined here have the meanings given in the Agreement.
1. Definitions
- "Data Protection Laws" means the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation as retained by the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and any implementing or successor legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that Processor processes on behalf of Controller in connection with the Qply service.
- "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Data Subject" means the individual to whom Personal Data relates.
- "Standard Contractual Clauses" (SCCs) means the clauses adopted by the European Commission Decision 2021/914 and, for UK transfers, the UK International Data Transfer Addendum ("IDTA").
2. Scope and Roles
Controller determines the purposes and means of processing visitor chat data collected through the Qply widget embedded on Controller's website(s). Processor processes that data solely to deliver the Qply service as instructed by Controller.
2.1 Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of the Qply AI-powered live chat and helpdesk service. |
| Duration | For the term of the Agreement plus any retention period described in Section 8. |
| Nature and purpose | Receiving, routing, storing, and responding to visitor chat messages; providing analytics and reporting; delivering AI-generated responses based on Controller's knowledge base. |
| Categories of Data Subjects | Website visitors, end-users, and customer support contacts who interact with the Qply widget. |
| Types of Personal Data | Name (if provided), email address (if provided), IP address, browser/device metadata, chat messages, pages visited, and any other data voluntarily submitted through the chat widget. |
3. Processor Obligations
Processor shall:
- Process Personal Data only on documented instructions from Controller, unless required to do so by applicable law (in which case Processor will inform Controller before processing, unless prohibited by law).
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures as described in Annex II to ensure a level of security appropriate to the risk.
- Not engage another processor (Sub-processor) without prior specific or general written authorisation of Controller, subject to Section 5.
- Assist Controller, taking into account the nature of processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligations to respond to Data Subject requests.
- Assist Controller in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Processor.
- At Controller's choice, delete or return all Personal Data to Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable notice and confidentiality obligations.
4. Controller Obligations
Controller shall:
- Ensure there is a lawful basis for processing Personal Data through the Qply service (e.g., legitimate interest, consent from website visitors).
- Provide clear and transparent privacy notices to Data Subjects informing them about the use of Qply on Controller's website.
- Not instruct Processor to process special categories of data (Article 9 GDPR) or criminal offence data (Article 10 GDPR) through the Qply service.
- Promptly notify Processor of any Data Subject request that Processor must assist with.
5. Sub-processors
Controller grants Processor general written authorisation to engage the Sub-processors listed below. Processor shall inform Controller of any intended changes to Sub-processors by email at least 30 days in advance, giving Controller the opportunity to object.
If Controller objects to a new Sub-processor on reasonable data protection grounds, the Parties shall discuss the concern in good faith. If the Parties cannot reach resolution within 30 days, Controller may terminate the affected service component without penalty.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, real-time infrastructure | United States (AWS us-east-1) |
| Stripe Inc. | Payment processing and billing | United States |
| Google LLC (Cloud / Firebase) | Hosting, serverless functions, push notifications | United States |
| Google LLC (Analytics / GA4) | Usage analytics (aggregated / anonymised where consent is denied) | United States |
| Anthropic PBC | AI language model inference for chat responses | United States |
| Google LLC (Gemini API) | AI language model inference for chat responses | United States |
6. International Data Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not benefit from an adequacy decision, such transfers shall be governed by:
- The EU Standard Contractual Clauses (Module Two: Controller to Processor) adopted by Commission Decision 2021/914, which are hereby incorporated by reference.
- For UK transfers, the UK International Data Transfer Addendum (IDTA) to the EU SCCs, as issued by the UK Information Commissioner.
- For Swiss transfers, the EU SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner, with the modifications required under Swiss law.
Where a Sub-processor is certified under the EU-US Data Privacy Framework, Controller acknowledges that this constitutes a valid transfer mechanism for transfers to such Sub-processor.
7. Security Measures (Annex II Summary)
Processor maintains the following technical and organisational measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption at rest for databases and backups.
- Access control: Role-based access; multi-factor authentication for infrastructure access; principle of least privilege.
- Network security: Firewalls, intrusion detection, DDoS mitigation via cloud provider infrastructure.
- Logging and monitoring: Centralised audit logs for access to Personal Data; anomaly alerting.
- Incident response: Documented incident response plan with escalation procedures.
- Business continuity: Regular automated backups with tested restoration procedures.
- Personnel: Confidentiality agreements for all staff; security awareness training.
- Vendor management: Due diligence on Sub-processors' security posture prior to engagement.
8. Data Retention and Deletion
Processor retains Personal Data only for the duration necessary to provide the service:
- Chat messages and visitor data: Retained for the term of Controller's subscription. Upon account deletion or termination, data is purged within 30 days.
- Backups: Retained for up to 90 days after deletion, then permanently destroyed.
- Billing records: Retained as required by applicable tax and financial regulations (typically 7 years), stored by Stripe.
Controller may request data export in machine-readable format (JSON) at any time during the subscription term via the Qply dashboard or by emailing privacy@qply.io.
9. Personal Data Breach Notification
Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of the Processor's data protection point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
10. Data Subject Rights
Processor shall assist Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:
- Providing self-service data export and deletion tools in the Qply dashboard.
- Responding to requests forwarded by Controller within 10 business days.
- Redirecting any Data Subject who contacts Processor directly to Controller, unless legally required to respond.
11. Audits
Controller may audit Processor's compliance with this DPA once per calendar year, upon at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations. Processor may satisfy audit requests by providing:
- A summary of the most recent independent security assessment or SOC 2 report (when available).
- Written responses to Controller's reasonable audit questionnaire.
- On-site or remote audit access where the above are insufficient to verify compliance.
12. Liability
Each Party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either Party's liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.
13. Term and Termination
This DPA takes effect when Controller first uses the Qply service and remains in force for as long as Processor processes Personal Data on behalf of Controller. Upon termination of the Agreement, Processor shall delete or return Personal Data in accordance with Section 8.
14. Governing Law
This DPA is governed by the laws of the State of Wyoming, United States, except where Data Protection Laws mandate the application of another jurisdiction's law (e.g., GDPR disputes shall be governed by the law of the EU Member State in which the Controller is established).
15. Contact
For questions about this DPA or to exercise rights under it, contact:
Apptesterhub LLC (trading as Qply)
75 E 3rd St Ste 7, Sheridan, WY 82801, United States
Email: privacy@qply.io
Signature
By using the Qply service, Controller agrees to this DPA. If your organisation requires a countersigned copy, complete the fields below and email this page (or a PDF) to privacy@qply.io. We will return a countersigned copy within 5 business days.
Controller
Company name:
Authorised signatory (name & title):
Signature:
Date:
Processor — Apptesterhub LLC
Authorised signatory:
Title:
Signature:
Date: