Data Processing Agreement
SQRD² O&M Builder — Between SQRD² (Processor) and Subscriber (Controller)
Last updated: May 2026 · Effective date: 1 June 2026
This Data Processing Agreement (DPA) forms part of the Terms and Conditions between SQRD² and the Subscriber. It applies where the Subscriber, in their use of the Platform, causes SQRD² to process personal data on their behalf. By accepting the Terms and Conditions the Subscriber agrees to this DPA.
01 Definitions
In this DPA the following definitions apply in addition to those in the Terms and Conditions:
- "Controller" means the Subscriber who determines the purposes and means of processing personal data.
- "Processor" means SQRD² which processes personal data on behalf of the Controller.
- "Data Subject" means the individual to whom personal data relates.
- "Personal Data" has the meaning given in the GDPR.
- "Processing" has the meaning given in the GDPR.
- "Sub-processor" means any third party engaged by SQRD² to process personal data in connection with the Platform.
- "GDPR" means Regulation (EU) 2016/679 as retained in Irish law.
02 Scope and Nature of Processing
SQRD² processes personal data on behalf of the Subscriber in connection with the provision of the Platform services. The nature and purpose of processing is as follows:
| Category | Data Types | Purpose |
|---|---|---|
| Project contacts | Names, addresses, phone numbers, email addresses of clients, consultants, contractors and sub-contractors | Population of manual templates and contact database |
| Uploaded documents | Content of uploaded PDF, Word and other files | File storage and AI processing |
| Sub-contractor data | Email addresses, uploaded documents, IP addresses | Document request processing and portal upload |
| Hosted manual visitors | IP addresses, access timestamps, browser data | Manual delivery and access logging |
03 Obligations of the Processor
SQRD² as Processor agrees to:
- Process personal data only on documented instructions from the Controller — being the use of the Platform features as described in the Terms and Conditions
- Ensure that persons authorised to process the personal data are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures as described in our Privacy Policy
- Not engage sub-processors without prior general authorisation from the Controller — by accepting these Terms the Controller provides general authorisation for the sub-processors listed herein
- Assist the Controller in responding to Data Subject rights requests where technically feasible
- Assist the Controller in ensuring compliance with security, breach notification and data protection impact assessment obligations
- Delete or return all personal data on termination of the Agreement as set out in our data retention policy
- Provide all information necessary to demonstrate compliance with GDPR Article 28 obligations
- Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data
04 Obligations of the Controller
The Subscriber as Controller agrees to:
- Ensure there is a lawful basis for all personal data uploaded to or processed through the Platform
- Ensure Data Subjects have been informed about the processing of their data in accordance with GDPR transparency requirements
- Not instruct SQRD² to process personal data in a manner that would breach applicable data protection law
- Ensure that personal data of sub-contractors collected through the document request feature has been collected fairly and lawfully
- Be responsible for the content of Hosted Manuals and ensuring they do not contain personal data that should not be publicly accessible
05 Sub-processors
The Controller provides general authorisation for SQRD² to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Ireland) |
| Stripe Inc. | Payment processing | EU/US |
| Anthropic PBC | AI content generation | US |
| Resend Inc. | Transactional email delivery | US |
| Vercel Inc. | Platform hosting | EU |
SQRD² will notify the Controller of any intended changes to sub-processors by updating this DPA with at least 30 days' notice. If the Controller objects to a new sub-processor they may terminate their Subscription within the notice period.
06 International Transfers
Where personal data is transferred to sub-processors located outside the EEA, SQRD² ensures appropriate safeguards are in place including Standard Contractual Clauses under EU Commission Decision 2021/914.
Copies of applicable Standard Contractual Clauses are available on request.
07 Security Measures
SQRD² implements the following technical and organisational security measures:
- TLS encryption for all data in transit
- Encryption at rest for all stored data
- Row-level security on the database ensuring strict data segregation between Subscribers
- Access controls and principle of least privilege for staff access
- Regular security testing and review
- Secure password hashing using industry-standard algorithms
- Incident response procedures
08 Data Subject Rights
Where SQRD² receives a Data Subject rights request relating to personal data for which the Subscriber is the Controller, SQRD² will forward the request to the Subscriber without undue delay.
SQRD² will assist the Subscriber in responding to Data Subject rights requests to the extent technically feasible within the Platform. Where assistance requires work beyond normal Platform functionality this will be discussed and agreed separately.
09 Breach Notification
In the event of a personal data breach affecting the Subscriber's data, SQRD² will notify the Subscriber without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Where full information is not available within 72 hours, initial notification will be provided with further information to follow.
10 Term and Termination
This DPA applies for the duration of the Subscription and continues to apply in respect of any personal data retained following cancellation in accordance with the data retention policy set out in the Privacy Policy.
On termination of the Subscription SQRD² will retain and delete personal data in accordance with the retention schedules set out in the Privacy Policy and Terms and Conditions.