Data Processing Agreement

This Data Processing Agreement (DPA) governs how QRZone processes personal data on behalf of its customers.

Last updated: February 2026

1. Definitions

Controller means the customer who determines the purposes and means of processing personal data. Processor means QRZone, which processes personal data on behalf of the Controller. Personal Data has the meaning given in GDPR Article 4(1).

2. Scope of Processing

QRZone processes personal data solely to provide the services described in the customer agreement. This includes QR code scan data (device type, location, timestamp), account data (name, email, billing), and usage analytics. QRZone does not sell personal data or use it for purposes beyond service delivery.

3. Controller Obligations

  • Ensure a lawful basis exists for processing personal data through QRZone
  • Provide clear privacy notices to data subjects whose data is collected via QR scans
  • Respond to data subject access requests with QRZone support as needed
  • Comply with applicable data protection laws in their jurisdiction

4. Processor Obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel authorized to process data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data upon termination of services

5. Security Measures

QRZone implements the following measures: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, multi-factor authentication, network segmentation, intrusion detection, regular penetration testing, and 24/7 security monitoring.

6. Sub-Processors

QRZone uses a limited number of sub-processors to deliver its services. A current list is available upon request. QRZone will provide 30 days' advance notice before adding new sub-processors, giving the Controller the opportunity to object.

7. Data Breach Notification

QRZone will notify the Controller of any personal data breach without undue delay and within 72 hours of becoming aware. Notification will include the nature of the breach, categories of data affected, approximate number of records, and remediation steps taken.

8. International Transfers

Where personal data is transferred outside the EEA, QRZone relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Copies of executed SCCs are available upon request.

9. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, QRZone will delete all personal data within 90 days unless retention is required by law. The Controller may request earlier deletion at any time.

10. Contact

For DPA requests or questions, contact legal@qrzone.io or visit our contact page.