Data Processing Addendum
Version 2026-05-10
Effective date: May 10, 2026
This Data Processing Addendum ("DPA") supplements the QuillAI Terms of Service (the "Agreement") between you, the customer ("Customer", "Controller"), and Axevia Labs LLC (d/b/a QuillAI) ("QuillAI", "Processor"). It applies when QuillAI processes Personal Data on Customer's behalf in connection with the Service.
If you require an executed (signed) DPA — for example, as a condition of B2B procurement — contact [email protected]. We sign DPAs with B2B customers on request, typically the same business day.
1. Definitions
- "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act of 2018 as amended ("CCPA/CPRA").
- "Personal Data" has the meaning given in Applicable Data Protection Law and refers to personal data Customer (or its end users) provides to QuillAI in connection with the Service.
- "Subprocessor" means a third party engaged by QuillAI to process Personal Data on its behalf.
- Other capitalized terms have the meanings given in the Agreement or in Applicable Data Protection Law.
2. Roles and scope
Customer is the Controller, and QuillAI is the Processor, of Personal Data processed under the Agreement. QuillAI processes Personal Data only on documented instructions from Customer, which are set out in (a) the Agreement, (b) this DPA, and (c) Customer's use of the Service in accordance with its documentation.
| Item | Description |
|---|---|
| Subject matter | Provision of the Service as described in the Agreement |
| Duration | The duration of the Agreement plus the retention periods set out in §6 |
| Nature and purpose | Hosting, transmission, transcription, summarization, structuring, and storage of Customer-supplied audio, video, and text content |
| Categories of data subjects | Customer's authorized end users; participants in meetings, calls, or recordings Customer chooses to process; other individuals whose Personal Data Customer chooses to submit |
| Categories of Personal Data | Account identifiers, names, email addresses, profile pictures; voice recordings; transcripts and derived AI outputs; usage logs and metadata; payment metadata (excluding full card numbers, which Stripe handles directly); IP addresses |
| Special-category data | Audio recordings may incidentally contain special-category data within Article 9 GDPR (health, religion, political opinion, etc.) depending on what is said. Customer is responsible for an Article 9 lawful basis for any such processing. |
3. Customer's obligations
Customer represents and warrants that:
(a) it has all rights, consents, and authority necessary to provide the Personal Data to QuillAI for processing as contemplated by the Agreement;
(b) it has provided all required notices and obtained all required consents from data subjects, including from participants in any meeting, call, or recording Customer chooses to process (see Section 5 of the Terms of Service);
(c) it will not provide QuillAI with special-category data unless it has an explicit Article 9 lawful basis;
(d) its instructions to QuillAI comply with Applicable Data Protection Law.
4. Processor obligations
QuillAI will:
(a) process Personal Data only on Customer's documented instructions, except as required by applicable law;
(b) ensure that personnel authorized to process Personal Data are bound by confidentiality;
(c) implement and maintain appropriate technical and organizational measures (TOMs) as set out in Annex A;
(d) assist Customer, taking into account the nature of processing, in fulfilling Customer's obligations to respond to data-subject requests, by providing information, tools, and configuration necessary;
(e) assist Customer in complying with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), to the extent applicable to the Service;
(f) make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in §8;
(g) at the choice of Customer, delete or return all Personal Data after the end of provision of the Service relating to processing, and delete existing copies unless Union or Member State law requires storage.
5. Subprocessors
5.1 General authorization
Customer grants QuillAI a general authorization to engage Subprocessors to process Personal Data on Customer's behalf. The current list of Subprocessors is published at /en/legal/subprocessors.
5.2 Notice of changes
QuillAI will provide at least thirty (30) days' advance notice of the addition or replacement of Subprocessors by updating the public Subprocessors page. Customer may object to a new Subprocessor on reasonable data-protection grounds by emailing [email protected] within the notice period. If the parties cannot agree on a resolution within thirty (30) days, Customer may terminate the affected portion of the Agreement and receive a pro-rata refund of any prepaid fees attributable to the unused period.
5.3 Subprocessor obligations
QuillAI requires each Subprocessor by written contract to comply with substantially similar data-protection obligations to those set out in this DPA. QuillAI remains responsible for Subprocessors' performance.
6. Retention and deletion
Personal Data is retained as set out in the Privacy Policy §6. On termination of the Agreement (or on Customer's earlier written instruction), QuillAI will delete Personal Data within thirty (30) days, with backup copies purged within an additional thirty (30) days, except for records required to be retained by law (notably payment records).
On request, QuillAI will provide written confirmation of deletion.
7. International transfers
To the extent processing involves transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing adequate protection, the parties agree that:
(a) Module 2 of the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), as amended from time to time, is incorporated by reference into this DPA. The Customer is the data exporter, and QuillAI is the data importer. The optional clauses are not selected unless agreed in writing. Annex I.A and I.B are populated by reference to §2 of this DPA. Annex I.C is the supervisory authority of the Customer's country of establishment. Annex II is Annex A to this DPA. Annex III is the public Subprocessors page.
(b) For UK transfers, the UK International Data Transfer Addendum to the Standard Contractual Clauses (issued by the Information Commissioner's Office) is incorporated by reference, with the optional Mandatory Clauses applying.
(c) For Swiss transfers, references to the GDPR are interpreted as references to the FADP, and the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.
(d) Where the data importer is certified under the EU-US Data Privacy Framework (or the UK Extension or Swiss-US framework) and the transfer falls within the certification, the parties may rely on the framework instead of the SCCs.
8. Audits
QuillAI will, on Customer's written request and not more than once per twelve (12) months (except after a documented data-protection incident or when required by Applicable Data Protection Law), make available to Customer information necessary to demonstrate compliance with Article 28 GDPR, including independent third-party audit reports (e.g., SOC 2, ISO 27001) when available.
If a third-party audit report is not sufficient, Customer may request an audit on at least sixty (60) days' written notice, conducted by Customer or a qualified independent auditor (mutually agreed) under reasonable confidentiality terms, at Customer's expense, during business hours, and in a manner that does not unreasonably interfere with QuillAI's operations.
9. Security incidents
QuillAI will notify Customer without undue delay, and within seventy-two (72) hours where the incident triggers a notification obligation under Article 33 GDPR, of any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data ("Security Incident"). The notice will include, to the extent then known, the nature of the incident, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.
10. Liability
The liability provisions of the Agreement (Section 10 of the Terms of Service) apply to this DPA. To the extent Applicable Data Protection Law sets a higher minimum standard of liability that cannot be limited contractually (notably Article 82 GDPR), that standard prevails.
11. Annex A — Technical and Organizational Measures
QuillAI maintains the following technical and organizational measures, reviewed at least annually and updated as needed:
- Encryption. TLS 1.2+ for all data in transit; AES-256 encryption at rest for stored audio, video, and database records.
- Access control. Role-based access; least-privilege principles; multi-factor authentication for engineering access; audit logs of administrative actions.
- Network security. Edge filtering at Vercel and Cloudflare level; rate limiting; bot protection.
- Application security. Input validation; CSRF protection; secret management via environment variables; dependency-vulnerability monitoring.
- Data segregation. Logical separation of customer data through unique identifiers and per-row authorization (Supabase Row-Level Security).
- Backup and recovery. Database point-in-time recovery; storage versioning; tested restore procedures.
- Personnel. Confidentiality obligations; security training.
- Vendor management. Written contracts with all subprocessors requiring substantially equivalent measures; periodic review.
- Incident response. Defined response procedure; 72-hour notification commitment; post-incident review.
- Logging and monitoring. Centralized error and access logs; retention as per Privacy Policy §6.
12. Order of precedence
In case of conflict between this DPA and the Agreement, this DPA prevails with respect to data-protection matters. In case of conflict between this DPA and an executed (signed) custom DPA between the parties, the executed DPA prevails.
13. Contact
DPA-related correspondence: [email protected].