Data Processing Agreement

Last updated: February 17, 2026 · Effective: February 17, 2026

1. Scope

This Data Processing Agreement ("DPA") applies when Quizimoto ("Processor") processes personal data on behalf of a customer ("Controller") through the Service. This DPA supplements and forms part of the Terms of Service.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
  • Sub-processor: A third party engaged by the Processor to process personal data.

3. Controller and Processor Roles

The Controller (quiz creator) determines the purposes and means of processing quiz submission data. Quizimoto acts as a Processor, processing data solely in accordance with the Controller's instructions as implemented through the Service configuration (quiz settings, webhook destinations, retention periods).

For dashboard account data (registration, authentication), Quizimoto acts as an independent Controller as described in the Privacy Policy.

4. Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller. The Controller's instructions are implemented through:

  • Quiz configuration (which fields to collect, consent settings)
  • Webhook configuration (where to deliver submission data)
  • Data retention settings (how long to retain submissions)
  • Email notification settings (when and where to send alerts)

5. Categories of Data

Category | Data Types | Data Subjects
Quiz responses | Answers, scores, completion status | Quiz respondents
Lead capture data | Email, name, custom fields (as configured) | Quiz respondents
Technical data | IP address, user agent, timestamps | Quiz respondents

6. Sub-processors

The Controller authorizes the following sub-processors:

Sub-processor | Purpose | Location
Cloudflare, Inc. | Infrastructure: compute, storage, CDN, security | Global (with SCCs)
Amazon Web Services (SES only) | Email delivery | United States

The Processor will notify the Controller at least 30 days before adding a new sub-processor, providing the Controller an opportunity to object.

7. Security Measures

The Processor implements appropriate technical and organizational measures including:

  • Encryption in transit: TLS for all connections
  • Encryption at rest: AES-GCM for sensitive fields (AI API keys); D1 database encryption provided by Cloudflare
  • Access control: Multi-tenant isolation, role-based access, session-based authentication
  • Password security: PBKDF2 with 600,000 iterations
  • Webhook integrity: HMAC-SHA256 signing with timestamp replay protection
  • Bot protection: Cloudflare Turnstile for embed submissions
  • Data minimization: IP addresses hashed after 90 days; webhook payloads cleaned after 90 days

8. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) through:

  • Dashboard tools for searching and exporting submission data
  • API endpoints for programmatic data retrieval and deletion
  • Processing data subject requests received directly, forwarding to the Controller where appropriate

9. Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

10. International Transfers

Where personal data is transferred outside the European Economic Area, the Processor ensures adequate safeguards through Standard Contractual Clauses (SCCs) with sub-processors. Cloudflare maintains its own DPA and SCCs for EU data transfers.

11. Audit Rights

The Controller may request evidence of compliance with this DPA. The Processor will provide relevant security documentation, certifications, and audit reports. On-site audits may be conducted with reasonable notice and at the Controller's expense, subject to confidentiality obligations.

12. Data Return and Deletion

Upon termination of the Service:

  • The Controller may export their data through the dashboard or API for 30 days following termination.
  • After the 30-day period, the Processor will delete all personal data unless retention is required by law.
  • The Processor will provide written confirmation of deletion upon request.

13. Term

This DPA remains in effect for the duration of the Controller's use of the Service and until all personal data has been deleted or returned.

14. Enterprise DPA

Enterprise customers may request a custom DPA with additional terms. Contact [email protected] for details.