Data Processing Agreement
Effective: May 13, 2026 · For B2B customers processing personal data through QRCodeStack
This Data Processing Agreement (the "DPA") supplements the QRCodeStack Terms of Service between Superstore Seven Technology Solutions LLP ("Processor", "we") and the customer accepting these terms ("Controller", "you"). It applies when you use QRCodeStack to process personal data subject to the GDPR, UK GDPR, or comparable data protection laws.
To countersign: Email support@qrcodestack.com with subject "DPA Request" and we will send you a signature-ready PDF. Self-serve electronic acceptance is in development.
1. Definitions
Capitalized terms not defined here have the meaning given in GDPR Article 4. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" carry their GDPR meanings.
2. Scope & Roles
You act as Controller of the Personal Data submitted to QRCodeStack ("Customer Data"). We act as Processor, processing Customer Data only on your documented instructions, as set out in this DPA and our Terms of Service.
3. Subject Matter, Duration, Nature & Purpose
- Subject matter: Provision of dynamic QR code generation, redirect, analytics, and storage services.
- Duration: For the term of your QRCodeStack subscription, plus retention periods set in the Privacy Policy.
- Nature & purpose: Hosting, redirecting, and analyzing QR code traffic on your behalf.
- Categories of Data Subjects: Your end-users / customers / employees whose data is in your QR codes; visitors who scan your QR codes.
- Types of Personal Data: Identifiers (email, IP), QR code content you submit (which may include contact details, URLs, vCard fields, WiFi credentials), and scan metadata.
4. Processor Obligations
We will:
- Process Customer Data only on your documented instructions, unless required by law (in which case we'll notify you, unless prohibited).
- Ensure persons authorized to process Customer Data are under confidentiality obligations.
- Implement appropriate technical and organizational measures (see Security & Compliance and Annex II).
- Assist you, where reasonably possible, in responding to Data Subject requests (access, rectification, erasure, portability, objection).
- Assist you with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities.
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Data.
- At your choice, delete or return Customer Data after the end of services, subject to legal retention requirements.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 8).
5. Sub-processors
You authorize us to engage sub-processors to provide the service. Our current sub-processor list is published in the Privacy Policy, Section 4 and updated as it changes. We will provide at least 30 days' notice before adding a new sub-processor. You may object on reasonable data-protection grounds; if we cannot accommodate, you may terminate the affected service.
Where we use a sub-processor, we impose data protection obligations no less stringent than those in this DPA via written contract.
6. International Transfers
For transfers of Customer Data outside the EEA, UK, or Switzerland, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) by reference, and where applicable the UK International Data Transfer Addendum. Customer is the "data exporter" and Processor is the "data importer". Optional clauses 7 (Docking), 9(a) Option 2 (General authorisation of sub-processors with 30 days' notice), and 11(a) Option (no independent dispute body) apply. Governing law: Republic of Ireland (Clause 17), supervisory authority: Irish DPC (Clause 13). Annex I.A through I.C, and Annex II, are set out in Sections 3, 5, and 9 of this DPA respectively.
7. Data Subject Rights
QRCodeStack provides self-service tools to support Data Subject rights: data export at GET /api/qr-user/export-data (machine-readable JSON), account deletion via the dashboard, and a privacy request form at /privacy-request. For requests that cannot be handled through these self-service tools, we will assist within 10 business days of your written request.
8. Audits
On reasonable prior written notice (and not more than once per year, unless required by a supervisory authority), Controller may audit Processor's compliance with this DPA. Audits will be conducted during normal business hours, will not unreasonably interfere with operations, and Controller bears its own costs. Processor may satisfy its audit obligations by providing third-party audit reports (e.g. SOC 2, ISO 27001) when available.
9. Technical & Organisational Measures (Annex II)
Processor maintains the security measures described at qrcodestack.com/security, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 for sensitive fields).
- Role-based access control following the least-privilege principle.
- Multi-factor authentication for administrative access.
- Continuous monitoring, intrusion detection, and incident response.
- Regular vulnerability scans and dependency updates.
- Encrypted backups with point-in-time recovery.
- Staff confidentiality agreements and security training.
10. Liability & Indemnity
Each party's liability under this DPA is governed by, and subject to the limitations in, the Terms of Service. Nothing in this DPA excludes liability that cannot be excluded by law (including liability under GDPR Article 82).
11. Term & Termination
This DPA applies from the date of acceptance and continues for as long as you use the QRCodeStack services. Upon termination, Processor will delete or return Customer Data within 30 days, subject to legal retention obligations described in the Privacy Policy.
12. Governing Law & Order of Precedence
This DPA is governed by the law specified in the Terms of Service. If there is a conflict between this DPA and the Terms, this DPA prevails for matters relating to the processing of Personal Data.
13. Contact
DPA-related queries: support@qrcodestack.com (subject: "DPA").