Data Processing Agreement

Version: 1.0.0

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller") and Quorate ("Data Processor") for the provision of governance and meeting management services.

1. Definitions

Terms used in this DPA have the meanings given in the UK GDPR and Data Protection Act 2018.

2. Scope

This DPA applies to all personal data processed by Quorate on behalf of your organisation through the Platform.

3. Processor Obligations

Quorate shall:

Process personal data only on documented instructions from the Controller

Ensure persons authorised to process data are under confidentiality obligations

Implement appropriate technical and organisational security measures

Not engage sub-processors without prior written consent

Assist the Controller with data subject rights requests

Delete or return all personal data at the end of the service

Make available all information necessary to demonstrate compliance

4. Security Measures

Encryption at rest (AES-256) and in transit (TLS 1.3)

Row-level security isolating each organisation's data

Regular security testing and vulnerability scanning

Access controls and audit logging

Data centre security (AWS eu-west-2, London)

5. Sub-processors

See the Sub-processor List at quorate.app/sub-processors.

6. Data Transfers

All data is processed within the UK/EEA. No international transfers occur.

7. Data Breach Notification

We will notify you without undue delay (and within 72 hours) of becoming aware of a personal data breach.

8. Term

This DPA remains in effect for the duration of the service agreement.

---

*This document requires legal review before publication. Download as PDF for signing.*