Data Processing Agreement (Summary)

Effective: 29 May 2026

This is a summary. The full Data Processing Agreement (DPA) is available on request to privacy@gardia.cloud and is automatically incorporated into your subscription agreement.

Roles

Customer is the Data Controller for Customer Data uploaded into the Service. QuantumBox Inc. is the Data Processor, processing Customer Data only on documented instructions from the Customer.

Subject matter and duration

Processing covers all Customer Data uploaded into the Service for the purpose of providing document intelligence (OCR, extraction, search, summarisation, Q&A). Processing continues for the duration of the subscription plus a 90-day post-termination window for data export.

Nature and purpose

Storage, retrieval, transformation (OCR, vector embedding, LLM inference), access control, and deletion of Customer Data, performed automatically by the Service and on demand by authorised users.

Categories of data subjects

Anyone whose personal data appears in the Customer's uploaded documents: typically employees, customers, suppliers, tenants, landlords and other commercial counterparties of the Customer.

Categories of personal data

Names, contact details, employment data, financial data, contractual terms, signatures and any other personal data the Customer chooses to include in uploaded documents. The Customer is responsible for ensuring a lawful basis exists for each category.

Subprocessors

Subprocessors are listed on our Subprocessors page. Each subprocessor is bound by data-protection obligations no less restrictive than those in this DPA. We remain liable to the Customer for the acts and omissions of our subprocessors.

Security measures

Encryption in transit (TLS 1.2+) and at rest (AES-256), Microsoft Entra ID single-sign-on, row-level security in PostgreSQL, principle-of-least-privilege database roles, separate dev/staging/production environments, daily encrypted backups with point-in-time recovery, vulnerability scanning of container images, and structured incident response with notification within 72 hours of a confirmed personal-data breach.

International transfers

Customer Data is stored in France Central (Azure). Subprocessor transfers outside the EEA, where they occur, rely on Standard Contractual Clauses approved by the European Commission.

Data subject rights and assistance

We assist the Customer in responding to data subject requests, in notifying personal-data breaches, and in conducting DPIAs where the Customer is required to do so under GDPR.

Audit

We make available all information necessary to demonstrate compliance with this DPA, including a written summary of audit reports where applicable. On-site audits may be arranged with reasonable notice and at the Customer's expense, subject to a confidentiality agreement.

Return or deletion

On termination, the Customer may export Customer Data for 90 days. After 90 days we delete Customer Data within 90 further days, except for backups (purged on rotation) and any data we are legally required to retain.

Gardia is a product, brand and trademark of QuantumBox Inc. Visit quantumbox.ai for company information.