Data Processing Agreement
Last updated: February 19, 2026 (Version 2026-02-19)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Qodiak ("Processor") and the customer using the Service ("Controller").
1. Definitions
- Controller: The entity determining the purposes and means of processing personal data.
- Processor: Qodiak, processing data on behalf of the Controller.
- Personal Data: Any information relating to an identifiable individual.
- Processing: Any operation performed on Personal Data, including access, storage, modification, deletion, or analysis.
2. Roles & Scope
Qodiak processes Personal Data solely on documented instructions from the Controller, as configured through the Service.
The Controller retains:
- Ownership of all data
- Responsibility for lawful collection
- Responsibility for accuracy and minimization
Qodiak does not determine the purpose of processing.
3. Nature of Processing
Processing may include:
- Data ingestion from external sources
- Storage and transformation
- Automated workflows and scripts
- AI-assisted analysis or transformation
- Data deletion or archival
Processing occurs only as initiated or configured by the Controller.
4. Confidentiality
Qodiak ensures that persons authorized to process Personal Data:
- Are bound by confidentiality obligations
- Access data only as necessary to provide the Service
5. Security Measures
Qodiak implements reasonable technical and organizational safeguards, including:
- Encryption at rest and in transit (where applicable)
- Logical tenant isolation via Row-Level Security
- Access controls and authentication
- Infrastructure monitoring and logging
Security controls are designed to be risk-appropriate for a cloud-based SaaS platform.
6. Subprocessors
The Controller authorizes Qodiak to use the following subprocessors:
- Groq – AI model inference and generation
- OpenAI – Image generation services
- Stripe – Payment processing and billing
- Google – OAuth authentication and Google Sheets API
- Postmark – Transactional email delivery
- Cloudflare – CAPTCHA verification (Turnstile)
- Microsoft Azure – Blob storage for file uploads
Qodiak will notify the Controller of any intended changes to subprocessors with reasonable advance notice. Qodiak remains responsible for subprocessors' compliance with this DPA.
7. Data Subject Rights
Qodiak will reasonably assist the Controller in responding to:
- Access requests
- Deletion requests
- Correction requests
- Data portability requests
Requests must be submitted in writing and may require verification.
8. Data Breach Notification
Qodiak will notify the Controller within 72 hours of becoming aware of a confirmed Personal Data breach, where required by law. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, and the measures taken or proposed to address the breach.
9. Data Retention & Deletion
Upon termination:
- Data is deleted within 30 days, subject to backups
- Backup retention is time-limited and access-restricted
10. International Transfers
Where Personal Data is transferred outside the European Economic Area, Qodiak relies on appropriate safeguards as required by applicable law, including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
11. Audits
Qodiak may provide reasonable compliance information upon written request.
On-site audits are not supported for standard plans.
12. Liability
Liability under this DPA is subject to the limitations set forth in the Terms of Service.
13. Governing Law
This DPA is governed by the same law as the Terms of Service (Province of Ontario and the federal laws of Canada).
14. Contact
For questions about this DPA or data processing requests:
- Email: privacy@qodiak.com
- Legal: legal@qodiak.com