Data Processing Agreement

Last Updated: May 2026 | Effective Date: May 2026
Service Provider: QBRI OÜ (trading as QBRI Digital) · Registration Number: 16230937 | Address: Tornimäe 5, 10145 Tallinn, Estonia
For complete technical and legal details, see our Full DPA (PDF)

Quick Overview

This Data Processing Agreement (“DPA”) outlines how QBRI processes personal data on behalf of clients. As your data processor, QBRI acts under your instructions and maintains strict security, confidentiality, and compliance standards aligned with GDPR, CCPA, LGPD, and other applicable data protection laws.

Acceptance: By signing a Statement of Work, Proposal, Service Order, or other agreement with QBRI, you acknowledge and accept the terms of this DPA.

Key Definitions

  • Client: You — the organization that engages QBRI to provide services and process personal data on your behalf.
  • QBRI: The data processor (us) — responsible for processing personal data only according to your documented instructions.
  • Personal Data: Any information that identifies or could identify a person (name, email, IP address, device ID, location, etc.).
  • Processing: Any action we take with personal data — collection, storage, access, analysis, transmission, or deletion.
  • Data Subject: Any individual whose personal data we process (your customers, employees, end users, etc.).
  • Sub-Processor: Third-party vendors we use to help deliver services (cloud providers, analytics tools, payment processors, etc.).

What Data We Process

The specific data we process depends on your service agreement. QBRI provides services including:

  • IT Consulting & Digital Strategy
  • Web & Mobile Development
  • Digital Marketing & Analytics
  • Technical Support & Infrastructure
  • Cloud Hosting & Management

Personal data categories may include contact information, identification numbers, IP addresses, device information, location data, employment records, financial data, or other categories you specify in your service agreement.

Our Commitments as Your Data Processor

Follow Your Instructions

QBRI processes personal data only as you instruct. We will not use, sell, or disclose your data for any purpose outside our service agreement without your written permission.

Protect Your Data with Advanced Security

We implement industry-leading security measures:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Multi-factor authentication (MFA) and role-based access for all staff
  • Network Security: Firewalls, intrusion detection, and network segmentation
  • Monitoring: 24/7 logging and monitoring for suspicious activities
  • Patching: Critical security updates applied within 30 days
  • Backups: Regular encrypted backups with secure recovery procedures
  • Staff Training: All personnel receive data protection training and sign confidentiality agreements
  • Audits: Regular internal and external security assessments

Maintain Confidentiality

Only authorized QBRI personnel with a documented need-to-know have access to your data. All staff sign confidentiality agreements that survive their employment.

Assist with Data Subject Rights

When your customers or employees request access to their data, ask for corrections, or request deletion, we’ll assist you within 15 business days. We support all GDPR rights including:

  • Right of Access — provide copies of personal data
  • Right to Correction — update or fix inaccurate data
  • Right to Erasure — delete data (where legally permitted)
  • Right to Restrict Processing — limit how we use data
  • Right to Data Portability — export data in standard formats (CSV, JSON)
  • Right to Object — stop processing under certain conditions

Third-Party Vendors (Sub-Processors)

To deliver our services, we use trusted third-party vendors such as:

Service | Examples | Location
Cloud Infrastructure | AWS, Google Cloud Platform | EU, US
Email & Marketing | Mailchimp, ConvertKit | US, EU
CRM & Sales | HubSpot, Pipedrive | US, EU
Analytics | Google Analytics, Hotjar | Worldwide
Payments | Stripe, PayPal | US, EU
Project Management | Asana, Monday.com | US, EU

View our complete, current list of sub-processors at: qbri.digital/subprocessors

We require all sub-processors to maintain the same data protection standards we do. You have the right to object to new sub-processors within 30 days of notification.

Data Breach Response

If a data breach occurs, we will:

  • Notify you within 24 hours of discovery or reasonable suspicion
  • Provide details about what happened, who was affected, and what data was involved
  • Immediately contain and investigate the breach
  • Deliver a full incident report within 30 days including root cause analysis
  • Cooperate with you, law enforcement, and regulators as needed
  • Assist you in notifying affected individuals and authorities (where required)

International Data Transfers

We process data across the EU/EEA and internationally (including the US). For transfers outside the EU/EEA, we implement:

  • Standard Contractual Clauses (SCCs) — EU-approved legal safeguards for international transfers
  • Adequacy Assessments — evaluation of legal protections in destination countries
  • Appropriate Safeguards — additional protections where needed due to surveillance or legal risks

Your service agreement specifies which processing locations are authorized. New locations require your explicit written consent.

Your Audit & Compliance Rights

You have the right to audit our compliance with this DPA:

  • One audit per year during business hours at no additional cost (other than your audit team’s expenses)
  • Additional audits with 30 days’ notice and QBRI approval
  • Unannounced audits if we suspect a data breach or non-compliance
  • Request certifications — we provide copies of ISO 27001, SOC 2, or equivalent security certifications
  • Review findings — we develop corrective action plans within 30 days of audit findings

What Happens When Our Agreement Ends

When you terminate our service, QBRI will:

  • Return or securely delete all your personal data within 30 days
  • Delete from all systems including backups, archives, and off-site storage
  • Provide written certification of deletion within 15 days
  • Retain only if required by law (tax records, legal holds, etc.) — same security applies

Related Policies

This DPA works alongside our other policies:

In case of conflict: This DPA takes priority over other policies regarding data processing. Where this DPA conflicts with mandatory data protection laws, the law prevails.

Our Compliance Commitment

QBRI complies with all applicable data protection laws including:

  • GDPR (EU General Data Protection Regulation)
  • CCPA/CPRA (California data protection)
  • LGPD (Brazilian data protection)
  • PDPA (Estonian Personal Data Protection Act)
  • Other jurisdictional laws applicable to your data processing

We continuously monitor data protection developments and update this DPA and our practices as regulations evolve. Material updates will be published here with notice to existing clients.

Liability

QBRI is liable for damages caused by processing that violates applicable data protection laws, except where liability results from your unlawful instructions. Liability is capped as specified in your Principal Agreement.

Questions or Concerns?