Data Processing Addendum
Data Processing Addendum
This Data Processing Addendum ("DPA") applies when a customer uses DuoQR to process personal data on behalf of that customer, including QR campaign data, QR scanner analytics, uploaded content, and related workspace data. This DPA supplements the Terms of Service. DuoQR means DuoQR, LLC, a Delaware limited liability company.
1. Roles
For account administration, billing, security, support, marketing, and service operations, DuoQR generally acts as an independent controller or business.
For Customer Content and QR scan data processed on behalf of a customer, DuoQR generally acts as a processor or service provider, and the customer acts as controller or business.
2. Processing details
| Item | Details |
|---|---|
| Subject matter | Dynamic QR code creation, hosting, redirection, analytics, uploads, and dashboard services |
| Duration | For the term of the customer relationship and as otherwise described in the Terms and Privacy & Cookie Policy |
| Categories of data | QR destinations, uploaded assets, contact details, Wi-Fi details, scanner metadata, account/workspace data, support data |
| Categories of data subjects | Account users, workspace members, QR scanners, customer contacts, and people represented in Customer Content |
| Purpose | Providing, securing, maintaining, supporting, and improving the Service |
3. Customer instructions
DuoQR will process customer personal data only to provide the Service, follow documented customer instructions, comply with law, prevent abuse, protect the Service, and perform obligations under the Terms.
Customers are responsible for determining whether they may use DuoQR for their campaigns, destinations, audiences, files, and analytics, and for providing required notices and obtaining required consents.
4. Security
DuoQR will maintain reasonable technical and organizational measures designed to protect customer personal data against unauthorized access, loss, misuse, and alteration. These measures may include access controls, encryption in transit, provider security controls, logging, monitoring, and incident response procedures.
5. Subprocessors
DuoQR may use subprocessors to provide the Service. Current core subprocessors may include:
| Provider | Purpose | Primary region or note |
|---|---|---|
| Vercel | Application hosting and edge delivery | Global infrastructure |
| Neon | Postgres database hosting | Europe where configured |
| Upstash | Redis cache and temporary draft storage | Europe where configured |
| Cloudflare R2 | Uploaded asset storage and delivery | Europe where configured |
| Resend | Transactional email delivery | Europe where configured |
| Stripe | Payment processing and billing | Region varies by Stripe configuration |
| OAuth authentication | Global provider | |
| PostHog | Product analytics | Europe where configured |
We may update subprocessors as the Service evolves. We will take reasonable steps to use providers with appropriate data protection, security, and transfer commitments.
6. Assistance and deletion
DuoQR will provide reasonable assistance with data subject requests, security requests, and deletion requests where required by applicable data protection law and where the request relates to personal data DuoQR processes on behalf of the customer.
After account termination or deletion, DuoQR will delete or de-identify customer personal data within a reasonable period, unless retention is required or permitted for legal, tax, accounting, security, backup, fraud-prevention, dispute, or service-integrity reasons.
7. International transfers
DuoQR is intended for global use. Where required for international transfers, DuoQR will rely on appropriate transfer mechanisms, such as contractual commitments with providers or other safeguards recognized by applicable law.
8. Contact
Questions about this DPA or subprocessors should be sent to support@duoqr.com.