Data Processing Agreement – EasyQ
Last updated: May 2025
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between EasyQ ("Data Processor") and the Business User ("Data Controller"). It is accepted by the Business User at the time of account creation and the acceptance timestamp is recorded.
1. Roles
- Business User → Data Controller
- EasyQ → Data Processor
2. Subject Matter and Duration
Processing of personal data for queue management and customer notifications, for the duration of the service agreement. Upon termination, EasyQ will delete or return all personal data within 30 days, as directed by the Controller.
3. Nature and Purpose of Processing
- Queue management (creating, updating, and deleting queue entries)
- Customer communication via WhatsApp Business Platform
- Service analytics for operational purposes
4. Types of Personal Data and Categories of Data Subjects
Data: Phone numbers, WhatsApp display names, queue-related behavior (party size, wait times, exit reasons).
Data subjects: End customers of the Business User (queue participants).
5. Obligations of EasyQ (Processor)
EasyQ shall:
- Process personal data only on documented instructions from the Business User, unless required to do so by EU or Member State law (in which case EasyQ shall inform the Controller beforehand, unless prohibited).
- Ensure that persons authorized to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures in accordance with Art. 32 GDPR.
- Not engage additional sub-processors without prior written authorization from the Controller (see Section 6).
- Assist the Controller in fulfilling obligations regarding data subject rights (access, deletion, portability, etc.) within the timelines required by GDPR.
- Assist the Controller in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIA).
- Delete or return all personal data upon termination of the agreement, and delete existing copies unless required by law.
- Make available to the Controller all information necessary to demonstrate compliance, and allow for and contribute to audits and inspectionsconducted by the Controller or a mandated third-party auditor, with reasonable notice (minimum 30 days) and at the Controller's cost.
6. Sub-Processors
EasyQ currently uses the following sub-processors. By accepting this DPA, the Controller grants general authorization to use these sub-processors:
| Sub-Processor | Service | Location |
|---|---|---|
| Vercel Inc. | Hosting and infrastructure | USA |
| Supabase Inc. | Database | USA |
| Resend Inc. | Transactional email | USA |
| Meta Platforms (WhatsApp Business Platform) | Customer notifications | USA / Global |
| Stripe Inc. | Payment processing | USA |
EasyQ shall notify the Controller of any intended addition or replacement of sub-processors with at least 30 days' advance notice. The Controller may object within that period. If no objection is raised, the change is deemed accepted. All sub-processors are bound by data protection obligations equivalent to those in this DPA.
7. Security Measures
EasyQ implements the following measures in accordance with Art. 32 GDPR:
- HTTPS encryption in transit
- Encryption at rest for database storage
- Access controls and authentication
- Regular security assessments
8. Data Subject Requests
EasyQ will notify the Controller within 5 business daysof any data subject request received directly. EasyQ will assist the Controller in responding but will not respond to data subjects on the Controller's behalf unless explicitly instructed.
9. Personal Data Breach Notification
In the event of a personal data breach, EasyQ will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- Categories and approximate number of data subjects and records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
This timeline is designed to allow the Controller to meet its own notification obligations to the relevant supervisory authority under Art. 33 GDPR.
10. Acceptance
This DPA is accepted by the Business User upon creation of an EasyQ account by checking the consent box on the registration page. The acceptance is recorded with a timestamp in EasyQ's systems.
Questions? Contact us at info@easyq-app.com