Parties & scope
This Data Processing Agreement ("DPA") is entered into between misquoted, inc., a Delaware corporation ("Processor"), and the customer organization ("Controller"). It governs the processing of personal data by Processor on behalf of Controller in connection with the misquoted.ai service.
This DPA forms part of, and is subject to, the Terms of Service. In the event of conflict, this DPA controls with respect to data processing matters.
Definitions
Capitalized terms used but not defined herein have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK Data Protection Act 2018, or the California Consumer Privacy Act (as amended), as applicable. "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the service.
Nature of processing
Processor processes Personal Data on behalf of Controller solely for the purpose of providing the misquoted service. This includes account administration, scan execution, report delivery, support, billing, and security operations. Categories of data subjects include Controller's employees and authorized users. Categories of Personal Data include name, email, authentication credentials, and product-usage telemetry.
Customer instructions
Processor will process Personal Data only on documented instructions from Controller, including with regard to international transfers. Acceptance of the Terms of Service and configuration of the service constitute Controller's documented instructions. Additional instructions outside the scope of the service may be subject to additional fees.
Sub-processors
Controller authorizes Processor to engage the sub-processors listed at misquoted.ai/sub-processors. Processor will notify Controller of any intended addition or replacement of sub-processors at least 30 days in advance, providing Controller a reasonable opportunity to object. Processor remains liable for the acts and omissions of its sub-processors.
Security measures
Processor implements appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, passkey- and TOTP-based authentication, least-privilege access controls, audit logging, vulnerability management, and a documented incident response plan. Full controls are described at misquoted.ai/security.
Breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach. Notification will include the nature of the breach, affected categories of data subjects and records, likely consequences, and measures taken or proposed to address the breach.
Audits
Once per twelve-month period, Controller (or an independent auditor on its behalf) may audit Processor's compliance with this DPA upon 30 days' written notice. Processor will make available copies of its SOC 2 report and recent penetration test summaries under NDA in lieu of an on-site audit where practical.
International transfers
Where Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country outside those regions, the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) are incorporated by reference into this DPA. The UK Addendum applies to UK transfers. Processor will assist Controller in completing transfer impact assessments upon request.
Deletion & return
Upon termination of the service or upon Controller's written request, Processor will, at Controller's choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law. Backups will be purged on the next scheduled rotation cycle, not to exceed 90 days.
Liability
Each party's liability under this DPA is subject to, and counts toward, the limitations of liability set out in the Terms of Service. Nothing in this DPA limits liability for fines or penalties imposed by a supervisory authority directly on a party for that party's own breach of applicable data protection law.
Execute the DPA
This DPA is pre-signed by misquoted, inc. To execute, download the PDF, sign as Controller, and email the executed copy to legal@misquoted.ai. We'll countersign and return within two business days, attaching the file to your account.
Need a redline or custom terms?
For redlined DPAs, enterprise contracts, or custom Annex II language, write to our legal team directly. We're a small company — turnaround is faster than you expect.
legal@misquoted.ai