Data Processing Agreement
Last updated: April 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between EZQR ("Processor") and the customer ("Controller") for the provision of QR code generation, analytics, and related services.
2. Data Processing Details
- Subject matter: QR code generation, scan tracking, and analytics
- Duration: For the term of the service agreement
- Nature and purpose: Providing QR code services, including scan analytics
- Types of personal data: Device information, browser type, OS, geographic location (country/city level), IP-derived anonymized identifiers
- Categories of data subjects: End users who scan QR codes created by the Controller
3. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage sub-processors without prior authorization
- Assist the Controller in responding to data subject requests
- Delete or return all personal data upon termination
- Make available information necessary to demonstrate compliance
4. Sub-Processors
EZQR uses the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Hosting & CDN | US (Global edge) |
| Polar | Payment processing | EU |
| Upstash | Redis cache & message queue | US |
| Neon / Supabase | PostgreSQL database | US |
5. Security Measures
- TLS 1.3 encryption for all data in transit
- Encrypted database storage at rest
- Access controls and authentication for all systems
- Regular security reviews and dependency updates
- Rate limiting and abuse prevention
6. Contact
For DPA-related inquiries or to request a signed copy, contact [email protected].