Data Processing Agreement
Last Updated: December 23, 2025
This DPA has 2 parts: (1) the Key Terms on this page and (2) the Common Paper DPA Standard Terms Version 1.1 posted at commonpaper.com/standards/data-processing-agreement/1.1 ("DPA Standard Terms"), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, this page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on this page. However, if this page omits or does not define a highlighted word, the default meaning will be "none" or "not applicable" and the correlating clause, sentence, or section does not apply to this DPA. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement.
Key Terms
| Term | Details |
|---|---|
| Provider | Quickserve AI Inc DBA Q Concierge |
| Customer | The entity that has entered into the Agreement with Provider |
| Agreement Reference | To sales contract will be set when sending agreement |
| Approved Subprocessors | The current list of Approved Subprocessors is available at the Provider's Trust Portal: https://security.qconcierge.io |
| Provider Security Contact | security@qconcierge.io |
| Security Policy | The Provider's security program is governed by its Information Security Policy and supporting policies (including the Data Protection and Encryption, Access Control, Incident Response, Business Continuity, and Baseline Hardening policies), all of which are available at the Provider's Trust Portal: https://security.qconcierge.io |
| DPA Covered Claim | The Agreement includes an additional Provider Covered Claims for any action, proceeding, or claim arising out of or relating to (1) Provider's breach or alleged breach of the DPA, or (2) Provider's gross negligence or willful misconduct, in each case, that results in a Security Incident. |
| Service Provider Relationship Restricted Transfers | To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq ("CCPA") applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA. |
| Governing Member State | EEA Transfers: Netherlands; UK Transfers: England and Wales |
Annex I(A) List of Parties
Data Exporter
- Name: The Customer
- Activities relevant to transfer: See Annex I(B)
- Role: Controller
Data Importer
- Name: Quickserve AI Inc DBA Q Concierge
- Contact person: Alexander Ackerman, CTO & DPO
- Address: 1140 Harrison St Ste 434, San Francisco, California 94103, USA
- Activities relevant to transfer: See Annex I(B)
- Role: Processor
Annex I(B) Description of Transfer and Processing Activities
| Item | Details |
|---|---|
| Service | The Q Concierge AI Platform, a hosted SaaS solution providing voice first AI-driven guest communication services |
| Categories of Data Subjects | Customer's end users or customers; Customer's employees |
| Categories of Personal Data | Name; Contact information such as email, phone number, or address; User activity and analysis such as device information or IP address; Reservation and Stay Details (including room numbers, stay dates, and confirmation codes); Guest Communications Content (including raw audio recordings and verbatim transcripts of voice or text interactions); Guest Preferences and Profile Data (including dietary restrictions, service requests, and interaction summaries) |
| Special Category Data | Is special category data (as defined in Article 9 of the GDPR) Processed? Yes |
| Special Category Data Restrictions or Safeguards | See Security Policy |
| Frequency of Transfer | Continuous |
| Nature and Purpose of Processing | Receiving data, including collection, accessing, retrieval, recording, and data entry; Holding data, including storage, organization, and structuring; Using data, including analysis, consultation, testing, automated decision making, and profiling; Updating data, including correcting, adaption, alteration, alignment, and combination; Protecting data, including restricting, encrypting, and security testing; Sharing data, including disclosure, dissemination, allowing access, or otherwise making available; Returning data to the data exporter or data subject; Erasing data, including destruction and deletion |
| Duration of Processing | Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws. |
Annex I(C) Competent Supervisory Authority
The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.
Annex II Technical and Organizational Security Measures
See Security Policy available at https://security.qconcierge.io
Other Changes to Standard Terms
Modification to Section 7.2 (Deletion at DPA Expiration)
Notwithstanding anything to the contrary in Section 7.2(a), the parties agree that Provider's obligation to return or delete Customer Personal Data upon expiration or termination of the Agreement shall not apply to:
- "Usage Data" (as defined in the Agreement), or
- Any machine learning models, weights, embeddings, or neural networks trained on Customer Personal Data;
Provided that such assets do not reproduce Customer Personal Data in a non-de-identified form.
Additional Processing Instructions (Section 2.2) and Status of De-identified Data
Pursuant to Section 2.2(d), Customer instructs Provider to redact and transform Customer Personal Data into de-identified vector embeddings for research and development purposes. Customer acknowledges and agrees that once such transformation is complete, the resulting de-identified vector embeddings and derived models do not constitute "Customer Personal Data" or "Personal Data" under this DPA, provided Provider implements technical controls to prevent re-identification.
Additional Security Measure (Data Lifecycle)
As an additional technical and organizational measure, Provider shall maintain a Data Lifecycle Policy that enforces strict separation between "Identity Data" (Hot Store) and "Pattern Data" (Cold Store). Personal Data stored in the Hot Store is subject to automated purging based on the following schedule:
- (i) Raw Audio/Transcripts: Deleted 90 days after guest checkout
- (ii) Dormant Profiles: Deleted after 3 years of inactivity
Provider and Customer have not changed the Standard Terms, except for the details on this page above.