Data Processing Agreement (DPA) — TEMPLATE

⚠️ LEGAL REVIEW REQUIRED. This is an engineering placeholder template, not legal advice and

not a finalized contract. The text below must be reviewed and approved by qualified legal counsel

before it is offered to or relied upon by any customer. Bracketed […] fields are placeholders.

• DPA version: 2026-06-01 (must match dpa.version in subprocessors.json)
• Effective date: 2026-06-01
• Status: legal-review-required

1. Definitions

"Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Supervisory Authority"

have the meanings given in applicable Data Protection Law (including the EU GDPR and UK GDPR).

• Customer — the entity that has entered into the [Master Subscription Agreement] with [OMGQA legal entity] ("Provider").
• Provider — [OMGQA legal entity, registered address], acting as Processor on behalf of the Customer.

2. Roles and scope of processing

The Customer is the Controller and the Provider is the Processor of Personal Data contained in

Customer content submitted to the OMGQA platform (findings, evidence, comments, account and audit

records). The Provider processes Personal Data only on documented instructions from the Customer,

including with regard to international transfers, except where required by law.

• Subject matter: provision of the OMGQA quality-findings platform.
• Duration: the term of the subscription plus the retention/offboarding window (see § 7).
• Nature and purpose: hosting, storing and processing Customer content to deliver the service.
• Categories of data subjects: Customer's authorized users and any individuals referenced in

Customer content.

3. Confidentiality

The Provider ensures that persons authorized to process Personal Data are bound by confidentiality.

4. Security measures

The Provider implements appropriate technical and organizational measures, including:

• per-organization database isolation (database-per-tenant, ADR-0008);
• encryption of connector secrets at rest and TLS in transit;
• an append-only, tamper-evident audit log (hash-chained);
• scoped API keys and one-time-passcode (OTP) authentication;
• least-privilege access controls.

See the Trust Center for the current security posture.

5. Subprocessors

The Customer authorizes the Provider to engage the subprocessors listed in the machine-readable

subprocessor register (rendered on the Trust Center). The Provider

imposes data-protection obligations on each subprocessor no less protective than those in this DPA and

remains liable for their performance. The Provider will give notice of intended changes (additions or

replacements) of subprocessors via the Trust Center and the subprocessor register's lastUpdated field.

6. International transfers

Where processing involves a transfer of Personal Data outside the EEA/UK, the parties rely on the

Standard Contractual Clauses (SCCs) incorporated by reference in scc.md. Customers may

select a data-residency region (us or eu) for their organization; see the Trust Center.

7. Data subject rights, retention and deletion

The Provider assists the Customer in responding to data-subject requests. On termination, Customer

content is exported and/or deleted in accordance with the offboarding + retention window and tenant

data-eraser implemented in the platform (E32). [Confirm retention period and DSR SLAs.]

8. Audits and assistance

The Provider makes available information necessary to demonstrate compliance and assists the Customer

with data-protection impact assessments and consultations with Supervisory Authorities, as required.

9. Liability and governing law

[Liability caps, indemnities and governing law to be completed by legal counsel.]

---

*Generated as an engineering artifact for the Trust Center (E22 S06). Do not execute without legal review.*