1. Definitions
For the purposes of this Data Processing Addendum ("DPA"), the terms "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the UK Data Protection Act 2018 ("UK GDPR"), as applicable.
"Customer" means the Qualiflow AI subscriber that has accepted the Qualiflow AI Terms of Service. "Qualiflow" or "we" means Qualiflow AI and any of its affiliates that process Personal Data on behalf of the Customer. "Standard Contractual Clauses" or "SCCs" means the European Commission decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, Module 3 (Processor-to-Processor).
2. Subject matter and duration of processing
Qualiflow shall process Personal Data on behalf of the Customer for the purpose of providing the Qualiflow AI services as described in the Terms of Service, including AI-assisted lead qualification, conversation orchestration across messaging and voice channels, calendar booking, and reporting.
Processing shall continue for the duration of the Customer's subscription to the Qualiflow AI services and shall terminate in accordance with Section 11 (Term and termination) of this DPA. [SCC Module 3 standard language — Annex I.B].
3. Nature and purpose of processing
The nature of the processing covers the collection, storage, retrieval, analysis (including AI-driven qualification and intent detection), enrichment, transmission, and deletion of Personal Data submitted to the Qualiflow AI services by the Customer or by Data Subjects interacting with the Customer through Qualiflow-managed channels.
The purpose of the processing is strictly to enable Qualiflow to deliver the contracted services to the Customer and to comply with Qualiflow's legal obligations. Qualiflow shall not process Personal Data for any other purpose, including its own marketing or model-training purposes, without the Customer's prior written consent. [SCC Module 3 standard language — Annex I.B].
4. Types of personal data and categories of data subjects
Types of Personal Data processed include, without limitation: identifiers (name, email, phone number), professional information (job title, company name), conversation content (SMS, WhatsApp, email, voice transcripts, web chat), behavioural data (page views, response timing), and qualification metadata (BANT signals, lead score, lifecycle stage).
Categories of Data Subjects include: the Customer's prospective customers and leads, the Customer's existing customers, and the Customer's employees and authorised users of the Qualiflow AI services. [SCC Module 3 standard language — Annex I.B].
5. Sub-processor list
A current list of Qualiflow's authorised sub-processors, together with the country of processing and the nature of the service each sub-processor provides, is maintained at the following URL and updated as sub-processors are added or replaced.
View the current list of sub-processors at /sub-processors. Customers may subscribe to sub-processor change notifications at the same URL. [SCC Module 3 standard language — Annex III].
6. Technical and organisational measures
Qualiflow shall implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. TOMs include, without limitation: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), role-based access control with least-privilege defaults, multi-factor authentication for administrative access, network segmentation, regular vulnerability scanning, annual penetration testing, structured logging with tenant-scoped query filters, and a documented incident-response runbook.
A detailed description of Qualiflow's TOMs is available on request. [SCC Module 3 standard language — Annex II].
7. Sub-processor authorisations
The Customer hereby grants Qualiflow general written authorisation to engage sub-processors for the purposes described in this DPA, provided that Qualiflow (a) imposes data-protection obligations on each sub-processor that are substantially the same as those contained in this DPA, (b) remains liable for each sub-processor's acts and omissions to the same extent as if performed by Qualiflow, and (c) gives the Customer at least thirty (30) days' prior notice of any intended addition or replacement of a sub-processor.
The Customer may object to a proposed sub-processor change on reasonable data-protection grounds within fifteen (15) days of notice, in which case the parties shall work in good faith to resolve the objection. [SCC Module 3 standard language — Clause 9].
8. Data subject rights
Qualiflow shall, to the extent legally permitted, promptly notify the Customer of any request received directly from a Data Subject seeking to exercise their rights under the GDPR or UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
Qualiflow shall not respond to any such Data Subject request without the Customer's prior authorisation, except to confirm receipt and to direct the Data Subject to the Customer. Qualiflow shall provide the Customer with reasonable assistance, by appropriate technical and organisational measures, to enable the Customer to respond to Data Subject requests within applicable statutory deadlines. [SCC Module 3 standard language — Clause 10].
9. Personal data breach notification
Qualiflow shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data.
The notification shall include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records affected, the likely consequences of the breach, the measures taken or proposed to address the breach, and the contact details of the Qualiflow Data Protection Officer for follow-up. Qualiflow shall provide the Customer with all reasonable assistance to enable the Customer to comply with its own breach-notification obligations under applicable law. [SCC Module 3 standard language — Clause 8.6].
10. International data transfers (SCC reference)
Where Qualiflow or any of its sub-processors processes Personal Data outside the European Economic Area, the United Kingdom, or another jurisdiction recognised as providing an adequate level of data protection, the parties shall rely on Module 3 of the Standard Contractual Clauses (Processor-to-Processor) as the lawful transfer mechanism. The SCCs are hereby incorporated into this DPA by reference and shall prevail in the event of any conflict with this DPA.
For transfers from the United Kingdom, the parties shall additionally rely on the UK International Data Transfer Addendum to the EU SCCs ("UK Addendum"), as published by the UK Information Commissioner's Office. [SCC Module 3 standard language — Clauses 8.7 and 14].
11. Term and termination
This DPA shall take effect on the date the Customer accepts the Qualiflow AI Terms of Service and shall remain in effect for the duration of the Customer's subscription to the Qualiflow AI services.
On termination or expiry of the Customer's subscription, Qualiflow shall, at the Customer's choice, return all Personal Data processed on the Customer's behalf, or delete such Personal Data, within thirty (30) days of termination, except to the extent that applicable law requires Qualiflow to retain a copy. Qualiflow shall certify to the Customer in writing that the Personal Data has been returned or deleted in accordance with this clause. [SCC Module 3 standard language — Clause 8.5].
12. Audit rights
Qualiflow shall make available to the Customer all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
In recognition of the disruption an on-site audit may cause, the parties agree that Qualiflow may discharge its audit obligations by providing the Customer with an up-to-date independent third-party audit report (such as SOC 2 Type II or ISO 27001 certification). Where an on-site audit is nonetheless required, the parties shall agree the scope, timing, and conditions of the audit in advance and the Customer shall bear the reasonable costs of the audit unless the audit reveals a material breach of this DPA. [SCC Module 3 standard language — Clause 8.9].
For DPA-related questions, please contact our Data Protection Officer at privacy@qualiflow.ai.