Data Processing Agreement

Version 1.0 — Effective July 7, 2026

This Data Processing Agreement ("DPA") is incorporated into the Quissly Terms of Service (or other agreement between the parties referencing it) (the "Agreement") between Quissly LLC (შპს „ქვისლი"), identification code 405723962 ("Quissly", the "Processor"), and the customer accepting the Agreement (the "Customer", the "Controller"). It applies to the extent Quissly processes Personal Data on Customer's behalf in providing the Services.

1. Definitions

Terms used but not defined here have the meaning given in the Agreement. "Personal Data", "processing", "data subject", "controller", "processor", and "personal data breach" have the meanings given in applicable Data Protection Law. "Data Protection Law" means the Law of Georgia on Personal Data Protection and, where applicable to the processing, the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Roles and Scope

2.1. Customer is the controller and Quissly is the processor of Personal Data processed through the Services on Customer's behalf, as described in Annex A.

2.2. Each party will comply with Data Protection Law applicable to it in its respective role. Customer is responsible for the lawfulness of the Personal Data and instructions it provides, including providing required notices to and obtaining required consents from data subjects.

3. Processing on Instructions

3.1. Quissly will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law to which Quissly is subject (in which case Quissly will inform Customer of that legal requirement before processing, unless the law prohibits doing so). The Agreement, this DPA, the applicable Order Form, and Customer's use and configuration of the Services constitute Customer's documented instructions; additional instructions may be given in writing, including by email.

3.2. Quissly will inform Customer without undue delay if, in its opinion, an instruction infringes Data Protection Law.

3.3. Quissly will not process Personal Data for its own purposes or for purposes other than those set out in Annex A. Aggregated, de-identified data that no longer constitutes Personal Data falls outside this DPA.

3.4. No model training. Quissly will not use Personal Data processed under this DPA to train or fine-tune machine learning models.

4. Confidentiality of Processing

Quissly will ensure that persons authorized to process Personal Data are bound by confidentiality obligations (contractual or statutory) that survive the end of their engagement, and will limit access to Personal Data to authorized personnel on a need-to-know basis as necessary to perform under the Agreement.

5. Security

Quissly will implement and maintain technical and organizational measures appropriate to the risk, taking into account the nature of the Personal Data and the risks to data subjects, including at minimum the measures set out in Annex B. Quissly may update those measures from time to time, provided the updates do not materially reduce the overall level of protection.

6. Sub-processors

6.1. Customer grants Quissly general authorization to engage sub-processors for the processing of Personal Data. The sub-processors engaged as of the effective date of this DPA are listed in Annex C, and the current list is maintained at https://www.quissly.com/legal/dpa.

6.2. Quissly will give Customer at least fifteen (15) calendar days' prior notice (by email or via the Admin Panel) before adding or replacing a sub-processor. Customer may object within that period on reasonable, documented data-protection grounds. The parties will then cooperate in good faith to resolve the objection (including by Quissly proposing an alternative). If no resolution is reached, Customer may, as its sole remedy, terminate the affected Service by written notice, in which case Quissly will refund the pro-rata portion of prepaid fees for the unused remainder of the Subscription Term for that Service. Fees for Services rendered remain payable.

6.3. Quissly will impose on each sub-processor data protection obligations substantially equivalent to those in this DPA, and remains fully liable to Customer for the sub-processor's performance of those obligations.

7. Assistance; Data Subject Requests

7.1. Taking into account the nature of the processing, Quissly will assist Customer with appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling Customer's obligations to respond to data subject requests under Data Protection Law.

7.2. If a data subject, supervisory authority, or other third party contacts Quissly directly regarding Personal Data processed under this DPA, Quissly will promptly notify Customer and will not respond substantively except as instructed by Customer or required by law.

7.3. Upon Customer's documented instruction, Quissly will delete or rectify the Personal Data associated with an identified end user (including associated vector embeddings and logs) within ten (10) business days.

7.4. Quissly will, taking into account the information available to it, reasonably assist Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer's own security and breach-notification obligations under Data Protection Law.

8. Personal Data Breach

8.1. Quissly will notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA, at the contact email designated by Customer (or, if none, the account owner's email).

8.2. The notification will describe, to the extent then known: the nature and circumstances of the breach; the categories and approximate numbers of data subjects and records affected; the likely consequences; the measures taken or proposed to address the breach and mitigate its effects; and a contact point. Where full information is not available, Quissly may provide it in phases without undue further delay.

8.3. Quissly will take prompt measures to contain and remediate the breach and its causes, will keep records of the breach and of any disclosures of Personal Data, and will reasonably cooperate with Customer's response, including Customer's notification obligations. Quissly will keep breach information confidential except as required by law; nothing in this Section prevents either party from making notifications required by Data Protection Law.

9. Audits

9.1. Quissly will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summaries of relevant policies, security documentation, and responses to reasonable written security questionnaires.

9.2. Where such information is insufficient under Data Protection Law, Customer (or an independent auditor mandated by Customer and bound by confidentiality, not a competitor of Quissly) may conduct an audit, including an on-site inspection, subject to: at least thirty (30) calendar days' prior written notice; at most once in any twelve (12) month period, unless a personal data breach affecting Customer has occurred or an audit is required by a supervisory authority; during business hours, without unreasonable disruption to Quissly's operations; and at Customer's cost. Audit results are Confidential Information of both parties.

10. Return and Deletion

10.1. Upon termination or expiry of the Agreement, Quissly will cease processing Personal Data and, at Customer's choice communicated within the export window in the Agreement, return and/or delete the Personal Data processed under this DPA.

10.2. Quissly will delete Personal Data from active systems within thirty (30) calendar days of the end of the export window. Personal Data in routine backups will be deleted or rendered inaccessible in accordance with Quissly's backup rotation cycle, not exceeding ninety (90) calendar days, and remains protected under this DPA until deleted.

10.3. These obligations do not apply to the extent retention is required by applicable law, in which case Quissly will retain only what the law requires, for only as long as required, and will continue to protect it under this DPA. Upon request, Quissly will confirm deletion in writing.

11. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, which apply in aggregate across the Agreement and this DPA. Nothing in this Section limits liability that cannot be limited under applicable law.

12. Precedence; Term

12.1. In case of conflict between this DPA and the Agreement, this DPA prevails solely with respect to the processing of Personal Data; the Agreement (including its limitation of liability) otherwise prevails. An Order Form may modify this DPA only expressly.

12.2. This DPA takes effect on acceptance of the Agreement and remains in force for as long as Quissly processes Personal Data on Customer's behalf. It confers no right on Quissly to retain access to Personal Data after the retention periods in Section 10.


Annex A - Details of Processing

Subject matter and duration: processing of Personal Data as necessary to provide the Services (QSearch and QChat) under the Agreement, for the duration of the Agreement plus the return/deletion periods in Section 10.

Nature and purpose: hosting, storage, transmission, indexing, retrieval, analysis, and AI-assisted generation of responses, to deliver product search and conversational assistant functionality on Customer's Properties; related support, security, and troubleshooting.

Categories of data subjects: end users of Customer's Properties; Customer's personnel using the Admin Panel.

Categories of Personal Data: free-text inputs voluntarily entered by end users in search fields or chat (which may include names, contact details, or other personal data the end user chooses to include); technical and usage data (identifiers, timestamps, session data, device/browser data); Admin Panel user account data. Customer instructs its end users' inputs to be processed as configured in the Services and is responsible for not soliciting special-category data unless it has a lawful basis; where end users spontaneously include health-related or other sensitive queries (e.g. in a pharmacy context), Quissly processes them solely to deliver the requested functionality.

Instructed processing operations: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission to sub-processors listed in Annex C, restriction, erasure, and destruction.

Annex B - Technical and Organizational Measures

Quissly will maintain at minimum:

  1. Encryption: TLS 1.2+ for data in transit; AES-256 encryption at rest (cloud-provider managed keys).
  2. Access control: least-privilege access management (cloud IAM); mandatory multi-factor authentication on all critical systems (cloud console, code repositories, communications tooling); sensitive dashboards protected by identity-aware proxy; server-to-server authentication via private-key mechanisms.
  3. Personnel: access to Personal Data restricted to authorized personnel on a need-to-know basis, each bound by confidentiality undertakings surviving termination of engagement.
  4. Monitoring and logging: cloud audit logs enabled recording who performed what action and when; automated alerting on anomalous access; incident logging.
  5. Incident response: documented incident-response procedure supporting the notification timeline in Section 8.
  6. Backup and deletion: managed backups with defined rotation; deletion capabilities supporting Sections 7.3 and 10.

Annex C - Sub-processors

Sub-processor Purpose Location of processing
Google Cloud Platform (Google LLC) Cloud hosting, storage, and infrastructure EU / US (per service configuration)
Google (Gemini API) AI model processing of queries and content EU / US
Anthropic (Claude API) AI model processing of queries and content US
Qdrant Cloud Vector database hosting and similarity search EU / US

The current list is maintained at https://www.quissly.com/legal/dpa. Changes are notified in accordance with Section 6.2.