GDPR Article 28 compliant

Data Processing Addendum

Effective: May 28, 2026

This Data Processing Addendum ('DPA') supplements your agreement with Queringo, Inc. ('Queringo') and applies whenever Queringo processes personal data on your behalf under the EU General Data Protection Regulation (GDPR), UK GDPR, or equivalent data protection laws. In this DPA, you (the customer) are the data controller and Queringo is the data processor.

Scope and purpose

Queringo processes personal data only to the extent necessary to provide the Queringo service as described in the Terms of Service, and only on your documented instructions. The categories of personal data processed include:

  • End-user account data: name, work email, job title, phone number
  • Query and conversation content submitted to the platform
  • Encrypted result snapshots retained for dashboard refresh
  • Session and access data: IP addresses, device labels, browser identifiers
  • Audit log entries recording sensitive actions within your account

Connected-platform customer data

When you connect a third-party source (for example a commerce platform such as Shopify), Queringo processes the personal data of your customers contained in that source solely to provide analytics to you, as your processor and on your instructions. We apply data minimisation: we read only the fields needed for analysis, such as names, email, and coarse geography (city, region, and country), and we do not read street addresses, postal codes, or phone numbers. Personal-data fields are masked by default (email hashed, names redacted) for users who lack reveal permission.

By default this data is queried live and is not stored. If you opt in to deep analysis for a source, Queringo keeps an encrypted, access-controlled copy to speed up complex questions, and you can turn it off at any time to delete that copy. We honour deletion and redaction signals from the connected platform: when the platform notifies us that a customer or a shop must be erased, we purge the corresponding stored data.

Processor obligations

Queringo will:

  • Process personal data only on your documented instructions, unless required to do so by applicable law
  • Ensure that all personnel authorised to process personal data are bound by confidentiality obligations
  • Implement and maintain the technical and organisational security measures described on our Security page
  • Assist you in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law
  • Assist you in complying with your obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, prior consultation)
  • Delete or return all personal data to you at the end of the service relationship, in accordance with the retention schedule in our Privacy Policy, unless retention is required by law
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits, on reasonable notice and at your cost

Sub-processors

Queringo engages the following sub-processors as of the effective date:

Sub-processorPurposeLocation
Amazon Web ServicesCloud hosting, KMS, S3, SESGlobal (multi-region)
PaddlePayment processing and subscription management (global, Merchant of Record)United States / United Kingdom
RazorpayPayment processing for Indian customers (UPI AutoPay, e-mandate)India
ResendTransactional email deliveryUnited States
TwilioSMS verification and critical alertsUnited States
PostHogProduct analytics (self-hosted on our AWS infrastructure)Our infrastructure

We will notify you at least 30 days before engaging a new sub-processor by posting a notice to the sub-processor list and, where applicable, emailing the account's admin contact. If you object to a new sub-processor, you may notify us in writing within the 30-day window; we will work with you to find a resolution, which may include the right to terminate the affected services without penalty.

International data transfers

Where personal data is transferred from the EU, EEA, or UK to a country not recognised as providing adequate protection, Queringo relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor, Commission Implementing Decision 2021/914) as the applicable transfer mechanism.

Enterprise customers can request specific AWS region constraints for data residency. When such a constraint is in place, personal data is not stored or processed outside the agreed region except as required by law. Contact legal@queringo.com to add a region constraint to your DPA.

Data subject rights

Queringo provides self-service tools for data export and deletion in Settings, under Data and Privacy. These tools are available to all users. For requests that cannot be fulfilled via self-service, Queringo will assist you in responding within the timeframes required by applicable law, typically 30 days with a possible 60-day extension for complex requests.

Security measures

Queringo implements the technical and organisational measures described on our Security page. These include, at minimum:

  • Envelope encryption at rest: per-workspace DEK encrypted with AWS KMS master key, AES-256-GCM via libsodium
  • TLS 1.3 in transit, HSTS enforced
  • Read-only database roles: Queringo cannot write to your source data
  • MFA and role-based access controls for all internal Queringo staff
  • Annual third-party penetration tests
  • SOC 2 Type II audit (Scale and Enterprise plans)

Personal data breach notification

In the event of a personal data breach affecting your data, Queringo will notify you without undue delay, and in any case within 72 hours of becoming aware of the breach, to the extent necessary to allow you to meet your own notification obligations under GDPR Article 33. The notification will include the nature of the breach, the categories and approximate number of data subjects and personal data records affected, the likely consequences, and the measures taken or proposed to address the breach.

Retention and deletion

On termination of the service, Queringo retains your data for the GDPR grace period (default 90 days, jurisdiction-adjusted), after which an automated purge job removes all personal data. You may request earlier deletion by contacting privacy@queringo.com. Queringo will confirm deletion in writing within 30 days.

Executing the DPA

To execute a countersigned DPA, email legal@queringo.com with your company's full legal name, registered address, and the name and email address of your authorised signatory. We will return a countersigned copy within two business days. Scale and Enterprise customers may also request a mutual NDA in the same email.