Data Processing Agreement
pursuant to Art. 28 GDPR
Last updated: January 2026
Contracting Parties
This Data Processing Agreement (DPA) is entered into between:
Controller (Customer): The customer using the QUALLEE platform and thereby accepting this DPA.
Processor: QUALLEE UG (haftungsbeschränkt), Kollwitzstr. 76, 10435 Berlin, Germany. Email: info@quallee.de
§ 1 Subject Matter and Duration of Processing
1.1 Subject Matter
This agreement covers the processing of personal data by QUALLEE in connection with providing the QUALLEE platform, including:
- Conducting AI-powered qualitative interviews
- Transcription of audio and video recordings
- Analysis and evaluation of interview data using AI
- Storage and management of research data
- Provision of export and reporting functions
1.2 Duration
Processing begins upon acceptance of the Terms of Service and ends upon termination of the user relationship. Data deletion occurs in accordance with § 10 of this agreement.
§ 2 Nature and Purpose of Processing
2.1 Nature of Processing
Processing includes: collection (through interview participation), storage (on servers in Germany), transmission (to AI sub-processors for analysis), evaluation and analysis (using AI technology), deletion (upon expiration of retention periods).
2.2 Purpose
Processing serves exclusively to provide the contractually agreed services in the field of AI-powered qualitative research.
§ 3 Types of Personal Data
The following categories of personal data are processed:
Platform user data (Controller):
- Contact data (name, email address, phone number)
- Access data (encrypted passwords)
- Usage data (activity logs, project data)
Interview participant data:
- Interview content (transcripts, audio/video recordings)
- Technical data (IP address, browser information)
- Consent data (timestamps, consent versions)
Note: Processing of special categories of personal data (Art. 9 GDPR) is not intended. Should such data be mentioned in interviews, the Controller is responsible for the lawfulness of processing.
§ 4 Categories of Data Subjects
- Employees and agents of the Controller
- Interview participants (respondents, study participants)
- Other persons mentioned in research data
§ 5 Obligations of the Processor
5.1 Instructions
Processing occurs exclusively based on documented instructions from the Controller. Use of platform functions constitutes an instruction. QUALLEE will inform the Controller immediately if an instruction violates data protection law.
5.2 Confidentiality
All persons involved in processing are bound by confidentiality obligations. This applies even after termination of their activities.
5.3 Technical and Organizational Measures
QUALLEE implements and maintains appropriate technical and organizational measures pursuant to Art. 32 GDPR (see Annex 1).
5.4 Assistance Obligations
QUALLEE assists the Controller in fulfilling their obligations, particularly regarding: responding to data subject requests, reporting data breaches, conducting data protection impact assessments.
§ 6 Sub-processors
6.1 Authorization
The Controller hereby grants general authorization for engaging sub-processors. QUALLEE will inform the Controller of changes at least 14 days before they take effect via email. The Controller may object within 14 days.
6.2 Current Sub-processors
| Provider | Function | Location | Legal Basis |
|---|---|---|---|
| Anthropic, PBC | AI Interviews (Claude API) | USA | DPF, SCCs, DPA |
| OpenAI, Inc. | Transcription, Analysis | USA / Ireland | DPF, SCCs, DPA |
| Hetzner Online GmbH | Hosting, Storage | Germany | DPA |
| Stripe, Inc. | Payment Processing | USA / Ireland | DPF, SCCs, DPA |
6.3 No Use for AI Training
Important: All AI sub-processors have contractually committed to not using API data for training their models. This is explicitly excluded in the respective DPAs.
§ 7 Transfers to Third Countries
Where personal data is transferred to the USA, this occurs based on:
- EU-US Data Privacy Framework (DPF) pursuant to the EU Commission's adequacy decision of July 10, 2023
- Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914
- Data Processing Agreements with the respective providers
Raw data (transcripts, audio) is stored exclusively on servers in Germany. Only the text content necessary for the respective processing is transmitted to AI APIs.
§ 8 Data Subject Rights
QUALLEE assists the Controller in fulfilling data subject rights (Art. 12-22 GDPR). The platform provides self-service functions for this purpose:
- Access: Data export in machine-readable format (JSON)
- Rectification: Via account settings
- Erasure: Account deletion with anonymization
- Withdrawal: Consent management in privacy settings
§ 9 Reporting Data Breaches
QUALLEE will report data breaches to the Controller without undue delay, at the latest within 24 hours of becoming aware. The report will include: nature of the breach and affected data categories, approximate number of affected persons/records, likely consequences, measures taken and proposed remedial measures.
§ 10 Deletion and Return
10.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Project data (active) | During contract term |
| Archived sessions | 12 months after archiving |
| Support tickets | 24 months |
| Consent records | 36 months after withdrawal/deletion |
10.2 After Contract Termination
Upon termination of the user relationship:
- 30-day transition period for data export
- Subsequent deletion of all personal data
- Exception: statutory retention obligations
§ 11 Audit Rights
QUALLEE enables the Controller to verify compliance with this agreement through:
- Provision of documentation (TOMs, certificates)
- Responding to written inquiries
- Upon agreement: on-site audits (at the Controller's expense)
§ 12 Final Provisions
12.1 Order of Precedence
In case of conflicts between this agreement and the Terms of Service, this agreement shall prevail.
12.2 Amendments
Amendments to this agreement will be communicated with 30 days' notice via email. Continued use of the platform after expiration of this period constitutes acceptance.
12.3 Governing Law
The laws of the Federal Republic of Germany shall apply. Place of jurisdiction is Berlin.
12.4 Contract Formation
This DPA becomes effective upon acceptance of QUALLEE's Terms of Service. No separate signature is required.
Annex 1: Technical and Organizational Measures
1. Confidentiality (Art. 32(1)(b) GDPR)
Physical Access Control
- Hosting in ISO 27001 certified data centers (Hetzner, Germany)
- Physical security measures by the hosting provider
System Access Control
- Password policies (minimum length, complexity)
- Encrypted password storage (bcrypt)
- Session management with automatic timeout
Data Access Control
- Role-based authorization concept
- Project-based data isolation
- Access logging
Separation Control
- Logical tenant separation at database level
- Separate storage of production and test data
2. Integrity (Art. 32(1)(b) GDPR)
Transfer Control
- TLS 1.3 encryption for all data transmissions
- Encryption of data at rest (AES-256)
Input Control
- Complete audit logs for data changes
- Tamper-proof consent documentation
3. Availability and Resilience (Art. 32(1)(b), (c) GDPR)
- Daily automated backups
- Redundant storage (RAID)
- Monitoring and alerting
- Target availability: 99.5% annually
4. Procedures for Regular Review (Art. 32(1)(d) GDPR)
- Regular review of security measures
- Automated deletion routines according to retention periods
- Documented incident response procedure
For questions about this DPA, please contact: info@quallee.de