Effective Date: March 17, 2026 | Last Updated: March 17, 2026
Introduction & Scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement between QAIL AI, Inc. (“Processor”, “we”, “us”) and the entity or person accessing or using the QAIL AI services (“Controller”, “Customer”, “you”).
This DPA applies to the extent that QAIL AI processes Personal Data on behalf of the Customer in the course of providing the QAIL AI platform and related services. QAIL AI acts as a data Processor, and the Customer acts as the data Controller, as those terms are defined under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
This DPA is designed to ensure compliance with Article 28 of the GDPR and other applicable data protection legislation.
Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by QAIL AI on behalf of the Customer.
- “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- “Data Subject” means the individual to whom the Personal Data relates.
- “Sub-processor” means any third party engaged by QAIL AI to process Personal Data on behalf of the Customer.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Standard Contractual Clauses (SCCs)” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
Data Processing Details
QAIL AI processes Personal Data solely for the purpose of providing its lead quality assurance and verification services as described in the Terms of Service and as instructed by the Customer.
Categories of Data Subjects
- Leads and prospects who submit information through the Customer’s web forms, landing pages, or other data collection points
- End users who interact with the Customer’s marketing campaigns
Types of Personal Data Processed
- Lead names (first and last)
- Email addresses
- Phone numbers
- IP addresses
- Form submission data (any fields submitted through Customer’s forms)
- Device and browser information
- Behavioral data (page interactions, click patterns)
Nature and Purpose of Processing
Personal Data is processed for the following purposes:
- Lead quality scoring and verification
- Fraud detection and prevention
- Email and phone number validation
- Bot and AI-generated traffic detection
- Reporting and analytics for the Customer
Sub-processors
The Customer authorizes QAIL AI to engage the following sub-processors for the processing of Personal Data. QAIL AI will notify the Customer of any changes to this list at least 30 days in advance, allowing the Customer the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data hosting | United States |
| Stripe | Payment processing | United States |
| OpenAI | AI-powered lead analysis and processing | United States |
| AssemblyAI | Speech-to-text transcription | United States |
| Cartesia | Text-to-speech synthesis | United States |
| LiveKit | Real-time communication infrastructure | United States |
| Cal.com | Scheduling and appointment booking | United States |
| Clearout | Email verification and validation | United States |
| Abstract API | Data enrichment and validation | United States |
Third-Party Integrations
The following third-party services may be connected to QAIL AI by the Customer. These integrations are configured and controlled by the Customer, and the respective providers act as independent data controllers under their own terms and privacy policies. They are not sub-processors of QAIL AI.
- Google Ads: When the Customer connects their Google Ads account, lead and conversion data may be shared with Google for campaign optimization. Google processes this data as an independent controller under its own privacy policy and terms.
- Facebook Ads (Meta): When the Customer connects their Facebook Ads account, lead and conversion data may be shared with Meta for campaign optimization. Meta processes this data as an independent controller under its own privacy policy and terms.
The Customer is responsible for ensuring that their use of these integrations complies with applicable data protection laws, including providing appropriate notices and obtaining necessary consents from Data Subjects.
Customer Obligations
As the data Controller, the Customer is responsible for:
- Ensuring that there is a lawful basis for the processing of Personal Data by QAIL AI, including obtaining any necessary consents from Data Subjects
- Providing appropriate privacy notices to Data Subjects that disclose the use of QAIL AI as a data processor
- Ensuring that the instructions given to QAIL AI regarding the processing of Personal Data comply with all applicable data protection laws
- Promptly notifying QAIL AI of any Data Subject requests or complaints received that relate to QAIL AI’s processing
- Ensuring that any third-party integrations configured by the Customer comply with applicable data protection laws
Security Measures
QAIL AI implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Role-based access controls and principle of least privilege
- Regular security assessments and vulnerability scanning
- Logging and monitoring of access to Personal Data
- Employee training on data protection and security
- Incident response procedures
Data Subject Rights & Assistance
QAIL AI will assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection laws (including rights of access, rectification, erasure, restriction, portability, and objection).
Upon receiving a Data Subject request directly, QAIL AI will promptly notify the Customer and will not respond to the request directly unless authorized by the Customer or required by law. QAIL AI will provide the Customer with reasonable cooperation and assistance to fulfill such requests within the legally required timeframes.
Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Customer, QAIL AI will:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Customer with sufficient information to enable the Customer to meet its obligations under applicable data protection laws, including the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach
- Cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document the breach, including the facts, its effects, and the remedial actions taken
Data Retention & Deletion
QAIL AI will process Personal Data for the duration of the agreement with the Customer. Upon termination or expiration of the agreement, or upon the Customer’s written request, QAIL AI will:
- Delete all Personal Data processed on behalf of the Customer within 30 days, unless retention is required by applicable law
- Provide written confirmation of deletion upon request
- Ensure that all sub-processors also delete the relevant Personal Data within the same timeframe
The Customer may request the return of Personal Data in a structured, commonly used, machine-readable format prior to deletion.
International Data Transfers
QAIL AI is based in the United States. Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, QAIL AI relies on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs): QAIL AI enters into EU-approved Standard Contractual Clauses (Module 2: Controller to Processor) with Customers located in the EEA, UK, or Switzerland. The SCCs are incorporated by reference into this DPA.
- EU-US Data Privacy Framework: Where applicable, QAIL AI relies on sub-processors that participate in the EU-US Data Privacy Framework.
QAIL AI ensures that all sub-processors involved in international data transfers provide appropriate safeguards for the protection of Personal Data.
Audits & Compliance
QAIL AI will make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and applicable data protection laws.
Upon reasonable written request (no more than once per year), QAIL AI will allow the Customer or its appointed third-party auditor to conduct an audit of QAIL AI’s processing activities and security measures, subject to the following conditions:
- The Customer must provide at least 30 days’ written notice
- The audit must be conducted during normal business hours
- The auditor must agree to appropriate confidentiality obligations
- The audit must not unreasonably interfere with QAIL AI’s business operations
- The Customer shall bear the costs of any audit
Term & Termination
This DPA shall remain in effect for the duration of the agreement between QAIL AI and the Customer under which QAIL AI processes Personal Data. Upon termination of the underlying agreement, this DPA will automatically terminate, subject to the data deletion obligations described in the “Data Retention & Deletion” section above.
Provisions of this DPA that by their nature should survive termination (including data deletion, audit rights, and confidentiality obligations) shall survive the termination of this DPA.
Contact Information
For questions or concerns about this Data Processing Agreement, please contact us at:
Email: info@qail.ai
Address: 3400 Cottage Way, Ste G2 #28646, Sacramento, CA 95825
Phone: (510) 592-7712