Data Processing Addendum
Last updated: June 5, 2026
Scope
This DPA forms part of the agreement between you ("Controller") and Quillon ("Processor") under which Quillon processes Personal Data on your behalf. It applies when Personal Data of EU/UK/Swiss data subjects is processed.
Definitions
"GDPR" means EU Regulation 2016/679. "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Sub-processor" have the meanings in Article 4 of the GDPR. "SCCs" means the Standard Contractual Clauses adopted by the European Commission Decision 2021/914.
Roles
You are the Controller. Quillon is the Processor. Quillon processes Personal Data only on your documented instructions, which include operating the service as described in the Privacy Policy.
Categories of Personal Data processed
- Identifiers of your customers (IDs, names, emails) pulled from your connected Postgres and Stripe accounts.
- Commercial information (plan, payment status, billing amounts).
- Usage activity counts.
- Optional CRM enrichment data (contact frequency, opportunity stage).
Categories of Data Subjects
Your customers and end-users.
Duration
For the term of the agreement plus the 30-day deletion grace window.
Sub-processors
Quillon engages the sub-processors listed at quillon.co/sub-processors. By accepting this DPA you authorize these sub-processors. Quillon will notify you of changes with at least 30 days' notice; you may object, in which case the parties will work in good faith to resolve the objection.
Security
- Integration credentials (database connection strings, API keys) encrypted at rest with libsodium secretbox.
- Transport encryption (TLS 1.2+) for all data in transit.
- Role-based access controls; admin actions logged.
- Backup encryption and access logging on the database layer.
Data subject requests
Quillon will assist you in responding to data subject rights requests (access, rectification, erasure, portability) within 5 business days of your written request.
Breach notification
Quillon will notify you in writing without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting your data.
International transfers
Where Quillon processes Personal Data outside the EEA / UK / Switzerland, the transfer is governed by the SCCs (Module 2: Controller-to-Processor), incorporated by reference, with the Controller as data exporter and Quillon as data importer.
Audit
You may request, no more than once per 12-month period, a summary of Quillon's then-current security practices. On-site audits are not supported in v1.
Deletion / return
On termination, Quillon deletes Personal Data per the 30-day grace + hard purge flow described in the Privacy Policy. Anonymized billing records may be retained ~7 years for legal/tax compliance.
Liability
Liability under this DPA is subject to the limitations in the main Terms of Service.
Contact
Data protection inquiries: [email protected].