Data Processing Addendum (DPA)

1. Definitions

“Personal Data” means any information relating to an identified or identifiable individual processed by QuizFlow Labs on behalf of Customer.
“Processing” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure).
“Sub-processor” means a third party engaged by QuizFlow Labs to process Personal Data on behalf of Customer.
“Customer Data” means quiz content and respondent data submitted to or collected through the Service.

2. Roles of the Parties

Customer is the Controller of Personal Data collected through quizzes/flows and determines the purposes and means of processing. QuizFlow Labs is the Processor and processes Personal Data only on Customer’s documented instructions as described in this DPA and the Terms.

3. Scope of Processing

Subject matter: Providing the Service (creating, hosting, embedding, delivering quizzes/flows; collecting submissions; analytics; notifications; account management).
Duration: For the term Customer uses the Service, plus any retention period described in the Privacy Policy or required by law.
Nature and purpose: To operate and improve the Service, and to deliver quiz experiences and results as configured by Customer.
Categories of data subjects: Quiz respondents, Customer’s users, Customer’s staff, and other individuals whose data is submitted to the Service.
Types of Personal Data: May include names, email addresses, phone numbers, quiz responses, and any additional fields configured by Customer (which may vary by quiz).

4. Customer Responsibilities

Customer agrees to:

• Provide required notices and obtain any necessary consents from respondents
• Ensure it has a lawful basis to collect and use Personal Data
• Not collect sensitive data unless it has appropriate permissions and compliance measures in place
• Configure quizzes and lead capture gates responsibly and in accordance with applicable laws

5. Processor Obligations

QuizFlow Labs will:

• Process Personal Data only to provide and maintain the Service and as described in Customer’s configuration
• Not sell Customer Data or use it for advertising targeting based on respondent identity
• Ensure personnel with access to Personal Data are bound by confidentiality obligations

6. Security Measures

QuizFlow Labs will maintain reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Security measures may include access controls, encryption in transit where supported, and least-privilege practices.

7. Sub-processors

Customer authorizes QuizFlow Labs to engage Sub-processors to support Service delivery (e.g., hosting, email delivery, analytics, billing). QuizFlow Labs will require Sub-processors to protect Personal Data through contractual obligations consistent with this DPA.

Sub-processor list: QuizFlow Labs maintains a list of core Sub-processors in the Privacy Policy and/or product documentation. At minimum, this may include:

• Payment processing provider (e.g., Stripe)
• Email delivery provider
• Cloud hosting/infrastructure provider
• Monitoring/analytics provider

8. International Transfers

Customer acknowledges that Personal Data may be processed or stored in jurisdictions other than Customer’s, depending on hosting and Sub-processor locations. QuizFlow Labs will take reasonable steps to ensure appropriate protections for such transfers consistent with applicable law.

9. Data Subject Requests

If QuizFlow Labs receives a request from an individual to exercise data rights (e.g., access, deletion), QuizFlow Labs will, where legally permitted, direct the requester to Customer. Upon Customer’s request and where feasible, QuizFlow Labs will provide reasonable assistance to help Customer respond.

10. Data Breach Notification

QuizFlow Labs will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Data Breach”), and will provide information reasonably necessary for Customer to meet its obligations.

11. Return or Deletion of Data

Upon termination of Customer’s account or written request, QuizFlow Labs will delete or return Customer Data within a reasonable period, unless retention is required by law or necessary for legitimate purposes such as fraud prevention, dispute resolution, or billing records.

12. Audits

Upon reasonable written request, QuizFlow Labs will provide information reasonably necessary to demonstrate compliance with this DPA, which may include summaries of security practices. On-site audits are not required; any audit must be mutually agreed, limited in scope, and subject to confidentiality.

13. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service, unless prohibited by law.

14. Order of Precedence

If there is a conflict between this DPA and the Terms of Service with respect to Personal Data processing, this DPA controls for those processing obligations only.

15. Contact

For questions about this DPA:

QuizFlow Labs (a product of Innovative Edge Consulting)