Data Processing Addendum
Effective Date: 20 November 2025
Introduction
This Data Processing Addendum (“Addendum”) forms part of the Terms of Service and Privacy Policy between Qualithm Ltd. (“Qualithm”, “we”, “us”, “our”) and you (“Client”, “you”, “your”). It governs how we process Personal Data on your behalf when you use our Services.
If there is any conflict between this Addendum and the Terms of Service, this Addendum controls for matters relating to Personal Data processing.
Scope
This Addendum applies when and to the extent that Qualithm processes Personal Data as a Processor on behalf of the Client acting as Controller through the Services.
It does not apply to processing where Qualithm acts as Controller, such as account administration and billing, product analytics and improvement, and security or abuse prevention. Those activities are covered by the Privacy Policy.
Definitions
Unless defined here, capitalised terms have the meanings given in the Terms of Service, Privacy Policy, or applicable Data Protection Laws.
- Controller — The entity that determines the purposes and means of processing Personal Data.
- Processor — The entity that processes Personal Data on behalf of a Controller.
- Personal Data — Any information relating to an identified or identifiable natural person.
- Processing — Any operation performed on Personal Data (such as collection, storage, use, disclosure, deletion).
- Data Subject — The individual to whom Personal Data relates.
- Sub-Processor — A third party engaged by Qualithm to process Personal Data on behalf of the Client.
- Personal Data Breach — A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- Supervisory Authority — A regulatory authority responsible for overseeing compliance with Data Protection Laws.
- Standard Contractual Clauses (SCCs) — The European Commission’s standard contractual clauses for safeguarding transfers of Personal Data.
- Data Protection Laws — All applicable data-protection and privacy laws, including the EU / UK GDPR and the New Zealand Privacy Act 2020.
Roles and Responsibilities
Qualithm as Processor
When processing Personal Data on your behalf, we will:
- process Personal Data only on your documented instructions, except where required by law;
- ensure personnel with access to Personal Data are bound by appropriate confidentiality obligations;
- implement and maintain appropriate technical and organizational measures to protect Personal Data; and
- provide reasonable assistance to help you comply with your obligations under Data Protection Laws (for example, data-subject rights and security).
We act as Controller where we process Personal Data for our own purposes, as described in the Privacy Policy.
Client as Controller
You are responsible for:
- ensuring you have a lawful basis for all Personal Data processed via the Services;
- providing clear and compliant privacy notices to Data Subjects;
- ensuring Personal Data submitted to the Services has been collected and is used lawfully;
- not instructing us to process Personal Data in a way that breaches Data Protection Laws; and
- securing your Accounts, Users, Devices, and systems that connect to the Services.
Processing Details
The parties acknowledge the following details of the Processing:
- Subject Matter: Processing of Personal Data submitted to, stored on, or transmitted through the Services on your behalf.
- Duration: For the duration of your agreement with Qualithm and any additional retention required by law.
- Nature and Purpose: Provision, operation, support, optimization, and protection of the Services, as well as troubleshooting and analytics relating to your use of the Services.
- Types of Personal Data: May include names, email addresses, identifiers, device and telemetry data, IP addresses, usage logs, and other data you choose to submit.
- Categories of Data Subjects: May include your customers, end users, employees, contractors, and other individuals whose Personal Data you process via the Services.
Sub-Processors
Use of Sub-Processors
You authorize Qualithm to engage Sub-Processors to support delivery of the Services (for example, infrastructure, email delivery, monitoring, and payment processing).
We will:
- ensure Sub-Processors are bound by written contracts imposing obligations equivalent to those in this Addendum; and
- remain responsible for the acts and omissions of Sub-Processors to the same extent we would be responsible for our own.
Sub-Processor List and Notification
Our current Sub-Processors and their roles are published at Sub-Processors and form part of this Addendum.
We will provide reasonable advance notice (usually at least 30 days) of changes to the Sub-Processor list, except where a shorter notice is required for security, continuity, or legal reasons.
If you reasonably object to a new Sub-Processor on data-protection grounds and we cannot provide an alternative within a reasonable time, you may terminate the affected Services in accordance with the Terms of Service and this Addendum.
International Data Transfers
Personal Data may be processed in countries where we or our Sub-Processors operate, including New Zealand, the European Economic Area (EEA), the United States, and other regions.
Where required by Data Protection Laws, we will ensure appropriate safeguards for international transfers, which may include:
- Standard Contractual Clauses (SCCs);
- the UK International Data Transfer Agreement (IDTA) or appropriate addendum;
- adequacy decisions; or
- other lawful transfer mechanisms.
Security Measures
We maintain technical and organizational measures appropriate to the risks of the Processing, which may include:
- access controls and least-privilege permissions;
- encryption in transit and at rest where appropriate;
- network and infrastructure security controls;
- logging, monitoring, and vulnerability management;
- secure development and change-management practices; and
- business continuity and disaster-recovery planning.
Additional information may be provided in our documentation or security overviews.
Personal Data Breaches
In the event of a Personal Data Breach affecting Personal Data we process on your behalf, we will:
- notify you without undue delay after becoming aware of the breach;
- provide information reasonably available to help you meet any notification obligations to authorities or Data Subjects; and
- take appropriate steps to mitigate, remediate, and prevent recurrence.
You are responsible for assessing whether a breach must be notified to authorities or individuals under applicable laws and for making such notifications, unless otherwise required by law or agreed between the parties.
Data Subject Requests
If we receive a request from a Data Subject relating to Personal Data we process on your behalf (for example, access, correction, deletion, or portability), we will:
- promptly notify you, unless legally prohibited from doing so; and
- where reasonable, assist you in fulfilling the request by providing relevant information or tools.
You are responsible for responding to Data Subject requests as Controller.
Assistance, Impact Assessments, and Audits
Taking into account the nature of the Processing and the information available to us, we will provide reasonable assistance to help you:
- comply with your obligations relating to security, breach notifications, and data-protection impact assessments; and
- respond to regulatory or supervisory authority inquiries relating to Processing we perform on your behalf.
Where you are required by law to conduct an audit of our Processing activities, you agree to first rely on data-protection documentation, security reports, or third-party certifications we make available.
If a further audit is necessary, any on-site audit must be limited to information relating to the Services we provide to you, conducted during normal business hours with reasonable prior notice, and subject to appropriate confidentiality obligations and reimbursement of our reasonable costs.
Return and Deletion of Data
Upon termination or expiry of the Services, or on your written request, we will delete or return Personal Data processed on your behalf within a reasonable period (typically within 30 days), unless retention is required by law or permitted under Data Protection Laws.
Backup copies are deleted on a rolling basis in line with our retention practices (typically within 30–90 days), as described in the Privacy Policy.
If you require export of Personal Data prior to deletion, you should request it before the end of the applicable retention period.
Liability
Each party’s liability arising from or in connection with this Addendum is subject to the limitations and exclusions of liability set out in the Terms of Service.
Nothing in this Addendum limits liability where such limitation is not permitted under applicable law, including liability for unlawful Processing resulting from wilful misconduct or fraud.
Changes to This Addendum
We may update this Addendum to reflect changes in our Services, Sub-Processors, or legal requirements. Material changes will be communicated with reasonable advance notice, typically at least 30 days, unless a shorter period is required by law or for security or operational reasons.
Continued use of the Services after the effective date of an updated Addendum constitutes acceptance.
Contact
Privacy & Data Protection: privacy@qualithm.com
Legal: legal@qualithm.com
Security: security@qualithm.com