Caliqa

Data Processing Agreement (DPA)

Last updated: May 21, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Data Controller") and Caliqa ("Processor" or "we") and governs the processing of Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.

By using Caliqa's services, the Customer agrees to the terms of this DPA. This DPA applies to all Personal Data processed by Caliqa on behalf of the Customer in connection with the provision of our instrument calibration management services.

1. Definitions
  • Data Controller: The Customer who determines the purposes and means of processing Personal Data.
  • Data Processor: Caliqa, who processes Personal Data on behalf of the Customer.
  • Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
  • Processing: Any operation performed on Personal Data as defined in GDPR Article 4(2).
  • Data Subject: An identified or identifiable natural person whose Personal Data is processed.
  • Sub-processor: Any third party engaged by Caliqa to process Personal Data on behalf of the Customer.

2. Scope and Purpose of Processing

Caliqa processes Personal Data solely to provide the instrument calibration management services as described in the Terms of Service, including:

  • User account management and authentication
  • Instrument tracking and calibration management
  • Certificate storage and management
  • Email notifications and alerts
  • Customer support and service improvement
  • Billing and payment processing

The duration of processing is for the term of the Customer's subscription and as required by law following termination.

3. Types of Personal Data

Caliqa may process the following categories of Personal Data on behalf of the Customer:

  • User Identity Data: Full name, email address, user ID
  • Contact Data: Email address, organization name
  • Usage Data: Login timestamps, IP addresses, browser information
  • Technical Data: Instrument data, calibration records, certificate metadata
  • Communication Data: Support tickets, email correspondence

4. Data Subjects

The Personal Data processed may relate to the following categories of Data Subjects:

  • Authorized users of the Customer's Caliqa account (employees, contractors)
  • Administrative contacts for the Customer's organization
  • Individuals whose information is included in instrument records or certificates

5. Data Controller and Processor Obligations

5.1 Customer Obligations (Data Controller)

The Customer warrants that:

  • It has all necessary rights and consents to provide Personal Data to Caliqa for processing
  • It complies with all applicable data protection laws in its role as Data Controller
  • Processing instructions are lawful and do not violate GDPR or other applicable laws
  • It will inform Data Subjects about the processing as required by GDPR Article 13/14

5.2 Caliqa Obligations (Data Processor)

Caliqa shall:

  • Process Personal Data only on documented instructions from the Customer (including this DPA and Terms of Service)
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational measures (see Section 6)
  • Only engage Sub-processors in accordance with Section 7
  • Assist the Customer in responding to Data Subject rights requests
  • Assist the Customer in meeting GDPR compliance obligations (Articles 32-36)
  • Delete or return all Personal Data upon termination (see Section 11)
  • Make available all information necessary to demonstrate compliance

6. Security Measures

In accordance with GDPR Article 32, Caliqa implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Control: Role-based access controls, multi-factor authentication, principle of least privilege
  • Infrastructure Security: Hosting on Supabase (ISO 27001 certified), regular security updates
  • Monitoring: Continuous security monitoring, logging of access and changes
  • Backup and Recovery: Regular automated backups, disaster recovery procedures
  • Vulnerability Management: Regular security assessments, penetration testing
  • Personnel Security: Background checks, security training, confidentiality agreements

7. Sub-processors

The Customer provides general authorization for Caliqa to engage Sub-processors. Current Sub-processors include:

All Sub-processors are bound by data protection obligations equivalent to those in this DPA. Caliqa will notify the Customer of any intended changes to Sub-processors (additions or replacements) via email at least 30 days in advance. The Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notification.

8. Data Subject Rights

Caliqa will assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under GDPR:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure ("right to be forgotten") (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

If Caliqa receives a Data Subject request directly, it will forward it to the Customer without undue delay. The Customer remains responsible for responding to such requests. Caliqa will provide commercially reasonable assistance, which may be subject to additional fees for complex requests.

9. Data Breach Notification

In the event of a Personal Data breach, Caliqa will:

  • Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide information about the nature of the breach, categories and number of Data Subjects affected, and likely consequences
  • Describe measures taken or proposed to address the breach and mitigate adverse effects
  • Provide contact information for further inquiries
  • Cooperate with the Customer in investigating and remediating the breach

The Customer remains responsible for determining whether to notify the relevant supervisory authority and Data Subjects as required by GDPR Articles 33 and 34.

10. Audit Rights

Caliqa will make available to the Customer information necessary to demonstrate compliance with this DPA, including:

  • Security certifications and audit reports (SOC 2, ISO 27001 from Sub-processors)
  • Documentation of security measures and policies
  • Responses to security questionnaires (subject to reasonable frequency)

The Customer may conduct audits or inspections, subject to:

  • Providing at least 30 days' written notice
  • Conducting audits no more than once per year (unless required by a supervisory authority)
  • Entering into a separate audit agreement (including confidentiality and liability terms)
  • Reimbursing Caliqa for time and resources required for the audit

11. Data Return and Deletion

Upon termination or expiration of the Customer's subscription, Caliqa will:

  • Provide the Customer with the ability to export all Personal Data in a machine-readable format (CSV/JSON) for 30 days after termination
  • Delete or anonymize all Personal Data within 90 days of termination, unless longer retention is required by law
  • Provide written confirmation of deletion upon request

Caliqa may retain Personal Data to the extent required by applicable law (e.g., accounting, tax, legal obligations). Such retained data will continue to be protected in accordance with this DPA.

12. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our Sub-processors are located.

For transfers to countries without an adequacy decision from the European Commission, Caliqa ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Caliqa and its Sub-processors have entered into the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as approved by Commission Implementing Decision (EU) 2021/914
  • Additional Safeguards: Technical and organizational measures including encryption, access controls, and data minimization
  • Transfer Impact Assessments: Regular assessments of the legal framework in destination countries

Copies of the relevant SCCs are available upon request to privacy@caliqa.com.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

In accordance with GDPR Article 82:

  • Each party is liable for damage caused by processing that violates GDPR
  • Caliqa is liable only for damage caused by processing where it has not complied with GDPR obligations specifically directed at processors or has acted outside or contrary to lawful instructions from the Customer
  • Caliqa is exempt from liability if it proves it is not in any way responsible for the event giving rise to the damage

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Belgium, without regard to conflict of law principles.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Belgium.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

15. Contact Information

For questions, concerns, or requests related to this DPA, please contact:

Caliqa Data Protection Officer
Email: dpo@caliqa.com
Address: [Your Business Address]

This DPA may be updated from time to time. We will notify customers of material changes via email at least 30 days in advance. Continued use of the service after changes take effect constitutes acceptance of the updated DPA.