1. Subject matter and duration
The subject matter of processing is the provision of the productized AI services described in the Agreement. Duration is the term of the Agreement plus any retention period required by law.
2. Nature, purpose, and types of data
| Item | Description |
|---|---|
| Nature of processing | Hosting, parsing, classification, extraction, drafting, retrieval-augmented generation, logging, deletion |
| Purpose | Delivering the Services, support, auditability |
| Categories of data subjects | Customer employees, Customer's end customers and suppliers, taxpayers (for RO compliance products), call participants (for voice products) |
| Categories of personal data | Contact details, business identifiers, correspondence content, fiscal identifiers (VAT, CUI, CNP when present in B2C invoices), voice recordings (if the customer activates voice), any personal data incidentally contained in uploaded documents |
| Special category data | None by default. If Customer uploads Art. 9 data (e.g. health data in documents), additional safeguards are agreed in writing before processing. |
3. Processor obligations
Matchquote will:
- Process personal data only on Controller's documented instructions, including for transfers outside the EEA;
- Ensure persons authorized to process are bound by confidentiality;
- Implement appropriate technical and organizational measures (Annex I below);
- Assist Controller with data subject requests, DPIAs, prior consultations, and breach notifications;
- Delete or return personal data at the end of the services as Controller chooses, except where law requires retention;
- Make available information necessary to demonstrate compliance and allow audits as set out below.
4. Subprocessors
Controller grants general authorization for Matchquote to engage the subprocessors listed below. Matchquote will notify Controller of intended additions or replacements at least 30 days in advance, with the opportunity to object on reasonable data-protection grounds.
| Subprocessor | Service | Location / transfer basis |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, storage, Bedrock AI inference | eu-central-1 Frankfurt · EU entity |
| Anthropic PBC (via AWS Bedrock) | Foundation model (Claude) | Processed inside AWS eu-central-1 under the AWS EU entity; Anthropic does not receive the data in the US in this configuration |
| Vercel Inc. | Static hosting, edge runtime for the marketing site | EU edge preferred · SCCs for US-origin |
| Cloudflare Inc. | CDN, WAF, DDoS | Global edge · SCCs |
| Google LLC (Workspace) | Business email, meeting records | EU with SCCs |
| Calendly LLC | Scheduling (marketing only) | US · SCCs + EU-US DPF |
| Stripe Payments Europe Ltd. | Billing | Ireland |
5. International transfers
Customer Data processed through the Services stays within the EEA (primarily AWS eu-central-1). Where a subprocessor is outside the EEA, transfers rely on the EU Commission Standard Contractual Clauses (2021/914) and, where available, the EU-US Data Privacy Framework. Matchquote performs a transfer impact assessment before engaging any non-EEA subprocessor with access to customer content.
6. Security (Annex I)
Measures are described in the Security Overview. Key items:
- Encryption at rest: AES-256 (AWS KMS-managed keys);
- Encryption in transit: TLS 1.2+ for all endpoints;
- Access control: least-privilege IAM, MFA, per-CUI OAuth2 for ANAF integrations, no master tokens;
- Separation of environments (dev, staging, production);
- Audit logging of privileged actions;
- Backup + point-in-time recovery for durable stores;
- Vendor security reviews for subprocessors;
- Secure software development lifecycle with code review.
7. Data subject requests
Matchquote will notify Controller without undue delay of any request received directly from a data subject, and assist with responses via appropriate technical and organizational measures.
8. Personal data breach
Matchquote will notify Controller of any confirmed personal data breach affecting Customer Data without undue delay and in any case within 72 hours of becoming aware, providing the information required under Art. 33(3) GDPR.
9. Audit rights
Controller may audit compliance with this DPA up to once per 12-month period, on reasonable notice and during business hours, provided audits do not compromise the security of other customers. Third-party assurance reports (where available) satisfy audit requests unless a supervisory authority requires a specific on-site audit.
10. Return or deletion
On termination of the services, at Controller's choice, Matchquote will return or delete Customer Data within 30 days, except where Union or Member State law requires retention (e.g. fiscal records under Romanian accounting law).
11. No training on customer data
Matchquote does not use Customer Data to train, fine-tune, or otherwise improve models that are shared with other customers. Inference with foundation models happens through AWS Bedrock under configurations where the model provider does not retain prompt or output content for training.
12. Liability
Each party's liability under this DPA is subject to the limitations agreed in the Agreement, except where such limitations are prohibited by applicable data-protection law.
13. Precedence
In case of conflict between this DPA and the Agreement on data-protection matters, this DPA prevails.
14. Governing law
This DPA is governed by the laws of Romania. For transfers outside the EEA, the EU Standard Contractual Clauses have the governing law specified in those clauses.
This DPA template reflects our standard processor terms. A counter-signable version with Customer identity and jurisdiction specifics is provided on request before onboarding. Material customer-specific changes may be negotiated for enterprise customers.