Data Processing Addendum
Effective Date: July 2, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Quaspar Inc. ("Quaspar," "Processor") and the customer that accepts it ("Customer," "Controller") governing Customer's use of Quaspar's services (the "Agreement"). This DPA applies to Quaspar's processing of Personal Data (defined below) on behalf of Customer, excluding Protected Health Information, which is governed exclusively by the parties' Business Associate Agreement.
1. Definitions
- "Personal Data" means information relating to an identified or identifiable natural person that Quaspar processes on behalf of Customer under the Agreement, excluding PHI governed by the BAA.
- "Data Protection Laws" means all applicable U.S. federal and state privacy and data protection laws, including state consumer privacy acts (e.g., the California Consumer Privacy Act as amended, and comparable laws in other states), each as amended.
- "Process/Processing," "Controller," "Processor," "Service Provider," "Consumer," "Sell," "Share," and similar terms have the meanings given in applicable Data Protection Laws.
- "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope and Roles
2.1 Customer is the Controller (or Business, under the CCPA) and Quaspar is the Processor (or Service Provider) with respect to Personal Data.
2.2 Details of processing. Subject matter: provision of the Services. Duration: the term of the Agreement plus any wind-down period. Nature and purpose: hosting, storage, transmission, analysis, and display of data to provide prior authorization workflow services. Categories of data subjects: Customer's workforce members and authorized users. Categories of Personal Data: names, work contact details, professional identifiers, credentials, usage data.
3. Processing Instructions
3.1 Quaspar will process Personal Data only on documented instructions from Customer, including as set out in the Agreement and this DPA, unless required by law (in which case Quaspar will inform Customer unless prohibited).
3.2 Quaspar will not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services, or outside the direct business relationship with Customer; or (c) combine Personal Data with personal information from other sources except as permitted for Service Providers under Data Protection Laws. Quaspar certifies that it understands and will comply with these restrictions.
4. Confidentiality
Quaspar ensures that persons authorized to process Personal Data are bound by written confidentiality obligations or an appropriate statutory duty of confidentiality.
5. Security
Quaspar will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents, including at minimum: encryption of data in transit (TLS 1.2+) and at rest; role-based access controls and least-privilege access; multi-factor authentication for administrative access; logging and monitoring; secure software development practices; and personnel security training. A summary of current measures is available in Quaspar's Security Overview.
6. Subprocessors
6.1 Customer authorizes Quaspar to engage subprocessors to process Personal Data. Quaspar's current subprocessors include cloud infrastructure, database/authentication, transaction clearinghouse, payment, and analytics providers; a current list is available upon request at support@quaspar.com.
6.2 Quaspar will: (a) impose data protection obligations on subprocessors no less protective than those in this DPA; (b) remain responsible for subprocessors' performance; and (c) provide notice of new subprocessors (via email or posted list). Customer may object on reasonable data-protection grounds within fifteen (15) days of notice; if the parties cannot resolve the objection, Customer may terminate the affected Services with a pro-rata refund of prepaid fees.
7. Data Subject and Consumer Requests
Taking into account the nature of the processing, Quaspar will provide reasonable assistance to Customer to respond to verified requests from individuals exercising rights under Data Protection Laws (access, deletion, correction, portability, opt-out). If Quaspar receives such a request directly, it will direct the individual to Customer and will not respond substantively except as required by law.
8. Security Incidents
Quaspar will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Personal Data. Notice will describe, to the extent known, the nature of the incident, categories and approximate number of affected individuals and records, likely consequences, and measures taken or proposed. Quaspar will take reasonable steps to contain and remediate the incident. Quaspar's notice is not an admission of fault.
9. Audits and Assessments
Upon reasonable written request no more than once per year (or following a Security Incident), Quaspar will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security documentation, summaries of third-party assessments, and completed security questionnaires. If these are insufficient, Customer may conduct (directly or through an independent auditor bound by confidentiality) an audit during business hours, with reasonable notice, without disrupting Quaspar's operations, at Customer's expense. Quaspar will take reasonable and appropriate steps to remediate any unauthorized use of Personal Data identified.
10. Return and Deletion
Upon termination or expiration of the Agreement, Quaspar will, at Customer's election, return or delete Personal Data within sixty (60) days, except where retention is required by law or the data resides in routine backups, in which case Quaspar will continue to protect it under this DPA until deletion.
11. General
11.1 In the event of a conflict between this DPA and the Agreement regarding Personal Data, this DPA controls. The BAA controls with respect to PHI.
11.2 Quaspar's liability under this DPA is subject to the limitations of liability in the Agreement.
11.3 This DPA is governed by the same law and venue as the Agreement.
11.4 If new Data Protection Laws apply to the processing, the parties will negotiate in good faith any amendments reasonably necessary for compliance.