Data processing agreement
Last updated: 2026-05-19
Effective date: 2026-05-19
Customer-facing URL: https://qortara.com/legal/dpa
Form: standing template — published openly and incorporated by reference into the Terms of service for any customer who is a controller of personal data processed by Qortara.
This Data processing agreement ("DPA") forms part of the Terms of service at https://qortara.com/legal/terms between MythologIQ Labs LLC ("Qortara", "Processor") and the customer entity identified in the account record ("Customer", "Controller"). It governs Qortara's processing of personal data on Customer's behalf in connection with the Qortara service ("Service") and reflects the parties' obligations under Article 28 of the UK GDPR and EU GDPR and, where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
Where Customer is a controller of personal data processed by Qortara, this DPA applies automatically on Customer's acceptance of the Terms of service. No countersignature is required for the standing version published here; an executed copy is available on request to privacy@qortara.com.
1. Definitions
Terms used but not defined in this DPA have the meanings given in the UK GDPR, the EU GDPR, or the CCPA/CPRA, as applicable. "Personal data", "controller", "processor", "data subject", "processing", and "subprocessor" have their respective meanings under the applicable data-protection law.
"Personal data" for purposes of this DPA means personal data within the meaning of applicable data-protection law that is contained in Customer Content or otherwise processed by Qortara on Customer's behalf in connection with the Service.
"Sub-processor" means any third party engaged by Qortara to process personal data on Customer's behalf.
"Standard Contractual Clauses" means (a) the European Commission's standard contractual clauses set out in Decision (EU) 2021/914 of 4 June 2021 and (b) the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner (Version B1.0, in force 21 March 2022), in each case as updated from time to time.
2. Subject matter, nature, and purpose of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Qortara hosted governance service for AI agents |
| Duration | The term of the Service subscription, plus the retention periods set out in §10 |
| Nature of processing | Hosting, storage, transmission, evaluation, logging, attestation, audit-evidence generation, billing, fraud and abuse detection, and incident response |
| Purpose of processing | Performance of the Service and compliance with the Terms of service |
| Categories of data subjects | Customer's authorized users, end users of Customer's AI agents, Customer's billing contacts, and any natural persons referenced in Customer Content |
| Categories of personal data | Identifiers (name, email, account ID), authentication identifiers (SSO subject claims), professional and employment information (organization, role), business activity records (policy decisions, tool calls, audit events), technical identifiers (IP address, user-agent), billing contact information |
| Special-category data | None expected. Customer agrees not to submit special-category personal data (Art. 9 GDPR) or criminal-conviction data (Art. 10 GDPR) to the Service without prior written agreement with Qortara |
Customer warrants that it has all necessary legal bases and consents to provide personal data to Qortara for processing under this DPA.
3. Controller and processor obligations
3.1 Controller obligations
Customer is the controller and:
(a) determines the purposes and means of processing personal data through the Service;
(b) is responsible for the accuracy, quality, and legality of personal data submitted to the Service;
(c) ensures it has obtained any necessary consents and provided any required notices to data subjects;
(d) is responsible for complying with applicable data-protection laws in relation to its use of the Service.
3.2 Processor obligations
Qortara is the processor and will:
(a) process personal data only on documented instructions from Customer (the Terms of service, this DPA, the configurations Customer makes in the Service, and any subsequent written instructions Customer provides);
(b) inform Customer if Qortara believes a Customer instruction infringes applicable data-protection law, in which case Qortara may decline to act until the conflict is resolved;
(c) ensure that personnel authorized to process personal data are subject to a duty of confidentiality;
(d) implement and maintain the technical and organizational measures described in §4;
(e) assist Customer, to the extent reasonably possible, in fulfilling Customer's obligations to respond to data-subject requests (§7) and to comply with Articles 32-36 of the GDPR (§8 and §9);
(f) at Customer's choice, delete or return personal data at the end of the Service term, as described in §10.
3.3 Service-provider role under CCPA/CPRA
For Customer's California personal information, Qortara acts as a "service provider" (and not a "third party") within the meaning of CCPA/CPRA. Qortara:
(a) will not sell or share personal information;
(b) will not retain, use, or disclose personal information for any purpose other than the business purpose described in this DPA or the Terms of service;
(c) will not retain, use, or disclose personal information outside the direct business relationship with Customer; and
(d) will not combine personal information received from Customer with personal information from any other source, except as permitted by 11 CCR §7050.
4. Security measures
Qortara implements administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Current measures are summarized at https://qortara.com/legal/security and include:
- access controls and policy decisions enforced through Cedar policies that fail closed (default deny);
- secrets stored in Azure Key Vault;
- audit events canonicalized per RFC 8785 (JCS) and then signed with Ed25519 keys;
- encryption in transit (TLS 1.2 or higher) and at rest (Azure-managed encryption);
- subprocessor due diligence and contractual flow-down of GDPR Article 28 obligations;
- a vulnerability-disclosure program reachable at security@qortara.com;
- incident-response procedures, including controller notification without undue delay (target 72 hours, as set out in §8).
Qortara may update these measures over time provided that they continue to meet the standard of Article 32 of the GDPR. Material reductions in protection are not permitted without Customer's prior agreement.
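The audit-evidence measure listed above (canonicalize the event per RFC 8785, then sign the canonical bytes with Ed25519) can be checked by a controller without trusting the exact bytes the Service emitted, because any re-serialization of the same JSON value canonicalizes to the same input for the signature. The following is an added example in Go, not Qortara's code or part of this DPA: a minimal JCS canonicalizer plus a sign/verify pair. The event shape, field names and sample values are constructed assumptions; how the verifying public key is distributed is outside what this page describes. The canonicalizer is general over nested objects and arrays but, as an assumed simplification, accepts only integer numbers and keys within the Unicode BMP.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// Constructed sample audit event; the field names are assumptions, not Qortara's schema.
const SampleEvent = `{"tool": "search", "decision": "Allow", "ts": 1716000000, "actor": {"id": "u-42", "tags": ["b", "a"]}}`
// CanonicalJSON parses raw JSON and emits its RFC 8785 (JCS) form: members sorted by
// key, no whitespace, minimal escaping. Assumed simplifications: numbers are integers
// and keys lie in the Unicode BMP (so byte order equals JCS's UTF-16 order); other
// input is rejected rather than mis-serialized.
func CanonicalJSON(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numbers as text, not lossy float64
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	return canon(v)
}

func canon(v interface{}) ([]byte, error) {
	switch x := v.(type) {
	case nil, bool:
		return json.Marshal(x) // "null", "true", "false"
	case json.Number:
		_, err := strconv.ParseInt(string(x), 10, 64) // integer-only, see above
		return []byte(x), err
	case string:
		return jcsString(x), nil
	case []interface{}:
		parts := make([][]byte, 0, len(x)) // arrays keep their order
		for _, e := range x {
			p, err := canon(e)
			if err != nil {
				return nil, err
			}
			parts = append(parts, p)
		}
		return append(append([]byte{'['}, bytes.Join(parts, []byte{','})...), ']'), nil
	case map[string]interface{}:
		keys := make([]string, 0, len(x))
		for k := range x {
			keys = append(keys, k)
		}
		sort.Strings(keys) // byte order == UTF-16 order under the BMP assumption
		parts := make([][]byte, 0, len(x))
		for _, k := range keys {
			p, err := canon(x[k])
			if err != nil {
				return nil, err
			}
			parts = append(parts, append(append(jcsString(k), ':'), p...))
		}
		return append(append([]byte{'{'}, bytes.Join(parts, []byte{','})...), '}'), nil
	}
	return nil, fmt.Errorf("unsupported JSON type %T", v)
}

func jcsString(s string) []byte {
	// JCS escapes only '"', '\' and controls: these short forms, else lowercase \u00xx.
	short := map[rune]string{'"': `\"`, '\\': `\\`, '\b': `\b`, '\f': `\f`, '\n': `\n`, '\r': `\r`, '\t': `\t`}
	var b bytes.Buffer
	b.WriteByte('"')
	for _, r := range s {
		if esc, ok := short[r]; ok {
			b.WriteString(esc)
		} else if r < 0x20 {
			fmt.Fprintf(&b, `\u%04x`, r)
		} else {
			b.WriteRune(r) // non-ASCII is emitted as-is, per JCS
		}
	}
	b.WriteByte('"')
	return b.Bytes()
}

// SignEvent signs the canonical bytes, so the signature survives re-serialization.
func SignEvent(priv ed25519.PrivateKey, raw []byte) ([]byte, error) {
	c, err := CanonicalJSON(raw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, c), nil
}

// VerifyEvent re-canonicalizes the event as received; a parse error fails closed.
func VerifyEvent(pub ed25519.PublicKey, raw, sig []byte) bool {
	c, err := CanonicalJSON(raw)
	return err == nil && ed25519.Verify(pub, c, sig)
}

func main() {
	c, err := CanonicalJSON([]byte(SampleEvent))
	fmt.Printf("%s %v\n", c, err)
}
```

A controller checking exported audit evidence should re-canonicalize the record it actually received rather than compare serialized bytes, and treat any parse or canonicalization failure as a failed signature; accepting a record that could not be canonicalized would defeat the deny-closed posture the measures above describe.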
5. Subprocessors
5.1 General written authorization
Customer grants Qortara general written authorization to engage subprocessors to process personal data on Customer's behalf, subject to the conditions in this §5. The current list of subprocessors is published at https://qortara.com/legal/subprocessors.
5.2 New subprocessors
Qortara will give Customer at least 30 days' advance notice before adding a new subprocessor by updating the subprocessor list and, on request, by email to the controller contact on file. Customer may object on reasonable grounds related to data protection within that notice period by writing to privacy@qortara.com. If Customer objects, the parties will negotiate in good faith for 30 days; if no resolution is reached, Customer may terminate the affected Service subscription on written notice and receive a pro-rata refund of prepaid unused fees.
5.3 Subprocessor obligations
Qortara will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA. Qortara remains liable to Customer for the acts and omissions of its subprocessors to the same extent as if performed by Qortara.
6. International transfers
Where personal data is transferred from the United Kingdom or European Economic Area to a third country, the parties will implement an appropriate transfer mechanism under Chapter V of the GDPR. The parties agree that:
(a) where the European Commission Standard Contractual Clauses (Module 2, controller-to-processor, or Module 3, processor-to-processor, as applicable) apply to the transfer, those clauses are incorporated by reference into this DPA, with Customer as the data exporter and Qortara as the data importer, and with the Annexes populated by the corresponding sections of this DPA (Annex I.A and I.B by the account record, Annex I.C by the supervisory authority of Customer's lead establishment, Annex II by §4, and Annex III by https://qortara.com/legal/subprocessors);
(b) where the UK International Data Transfer Addendum applies, that Addendum is likewise incorporated, with Table 1 populated by the account record, Table 2 by the Module corresponding to the transfer, Table 3 by the Annexes of the Standard Contractual Clauses as set out above, and Table 4 set so that neither party may end the Addendum on the bases set out in Section 19 of the Addendum;
(c) Qortara will provide reasonable assistance to Customer in assessing the adequacy of protection in the destination country (transfer-impact assessment).
If a competent authority finds that the chosen transfer mechanism does not provide adequate protection, the parties will negotiate in good faith to put in place an alternative mechanism. If no mechanism is available, Qortara may suspend the affected transfer and the parties may terminate the affected Service on written notice.
7. Data subject requests
Qortara will, to the extent reasonably possible, assist Customer in responding to requests from data subjects exercising rights under applicable law (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts Qortara directly with a request relating to Customer Content, Qortara will direct the data subject to Customer and, where possible, notify Customer.
Qortara may charge a reasonable fee for assistance that is disproportionate or repetitive, on prior notice to, and with the consent of, Customer.
8. Personal data breach notification
Qortara will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach affecting Customer's personal data. The notification will, to the extent known, include:
- the nature of the breach, including the categories and approximate number of data subjects and records affected;
- the likely consequences of the breach;
- the measures Qortara has taken or proposes to take to address the breach and mitigate its possible adverse effects;
- a point of contact for further information (typically security@qortara.com).
Where information is not available within 72 hours, Qortara will provide it in phases without undue delay. Customer remains responsible for any onward notification to supervisory authorities or data subjects.
9. Data protection impact assessments and prior consultation
Qortara will, taking into account the nature of processing and the information available to it, provide reasonable assistance to Customer in carrying out data protection impact assessments under Article 35 of the GDPR and in any prior consultation with a supervisory authority under Article 36.
10. Return or deletion of personal data
On termination or expiry of the Service subscription, at Customer's choice Qortara will, within 30 days, either:
(a) return personal data to Customer in a structured, commonly used, machine-readable format (typically JSON export via the dashboard or API); or
(b) delete personal data from Qortara's systems.
Backups containing personal data are deleted on Qortara's standard backup rotation (up to 35 days after the deletion in the live systems) and are not restored except for disaster-recovery purposes. Qortara may retain personal data to the extent required by applicable law (notably tax records and statutory minimum log-retention periods) and only for as long as so required.
For Marketplace-fulfilled subscriptions, the 30-day retention period required by the Microsoft AI Cloud Partner Program applies. Tenant CA private keys deleted as part of this process cannot be regenerated.
11. Audit rights
Qortara will make available to Customer information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. This will ordinarily take the form of:
(a) the Service's published security overview at https://qortara.com/legal/security;
(b) the subprocessor list at https://qortara.com/legal/subprocessors;
(c) third-party attestations, audit reports, or certifications when available;
(d) written responses to reasonable due-diligence questionnaires (one per Customer per year, except where the law or a security incident requires more).
Where Customer reasonably believes that the above information is insufficient to demonstrate compliance, Customer may, on at least 30 days' written notice and not more than once per year (except where required by a supervisory authority or following a personal data breach), conduct an audit through a mutually agreed third-party auditor under non-disclosure obligations. Audits will be conducted at Customer's expense, during business hours, in a manner that minimizes disruption to Qortara's operations, and on the basis of an agreed scope and methodology.
12. Liability and indemnification
Liability under this DPA is governed by the limitation-of-liability and indemnification provisions of the Terms of service at https://qortara.com/legal/terms, including the liability cap in §10 of the Terms of service. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law (including liability for fraud, willful misconduct, or gross negligence, and liability arising under Articles 82-84 of the GDPR insofar as such liability cannot be limited by contract).
13. Order of precedence
In case of conflict between this DPA and the Terms of service, this DPA controls for issues related to the processing of personal data. In case of conflict between this DPA and the Standard Contractual Clauses (where incorporated), the Standard Contractual Clauses control.
14. Term and termination
This DPA takes effect when Customer first uses the Service as a controller of personal data and remains in force until the Service subscription terminates and all personal data has been returned or deleted in accordance with §10.
15. Governing law and dispute resolution
Governing law and dispute-resolution provisions of the Terms of service apply, except that where the Standard Contractual Clauses are incorporated, the choice-of-law and dispute-resolution clauses of those Clauses apply for matters within their scope.
16. Contact
- Data protection inquiries: privacy@qortara.com
- Personal data breach: security@qortara.com
- Legal notices: legal@qortara.com