Data Processing Addendum

Last updated: May 20, 2026

1. Scope and roles

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer,” the Data Controller) and Qualitative (the Data Processor) and applies where Qualitative processes personal data on Customer's behalf in connection with the Service.

Qualitative will process personal data only on Customer's documented instructions, which include Customer's configuration of the Service and acceptance of the Terms.

2. Nature and purpose of processing

Qualitative processes personal data contained in meeting transcripts, recordings, and metadata provided by Customer's connected sources, for the purpose of generating structured insights, summaries, and follow-up drafts that are returned to Customer inside the Service.

3. Categories of data subjects

  • Customer's employees and authorized users of the Service
  • Participants in Customer's meetings (including external customers and prospects)

4. Categories of personal data

  • Identification data: name, email address, profile image
  • Professional data: job title, organization, role
  • Meeting content: transcripts, recordings, calendar metadata
  • Communications data: extracts, summaries, drafted emails

5. Sub-processors

Customer authorizes Qualitative to use the following sub-processors. We give 30 days' notice of additions or changes via in-product notification.

Sub-processor      Purpose                                   Location
Vercel, Inc.       Application hosting, analytics            USA
Neon, Inc.         Managed Postgres database                 USA (US-East)
Google LLC         Gemini AI transcription and extraction    USA / global
Stripe, Inc.       Payment processing                        USA / global
Mailjet (Sinch)    Transactional email                       EU

6. International transfers

Where personal data is transferred outside the EEA, UK, or Switzerland, transfers rely on Standard Contractual Clauses (2021/914/EU) with our sub-processors, or on adequacy decisions where available.

7. Security measures

  • Encryption of data in transit (TLS 1.2+) and at rest
  • OAuth access tokens encrypted at rest in the database
  • Role-based access controls and least-privilege internal access
  • Logical tenant isolation: every database query enforces an account-id filter
  • Cloud-provider-level disk encryption and network isolation

8. Data subject requests

Qualitative will assist Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Customers can fulfill most requests directly through the product UI. For deletion of an entire account, email privacy@qualitative.app.

9. Personal data breach

Qualitative will notify Customer without undue delay (and, where feasible, within 72 hours) of becoming aware of a personal data breach affecting Customer data, with information sufficient for Customer to meet its own notification obligations.

10. Audits

Customer may, no more than once per year and on at least 30 days' written notice, request reasonable information about Qualitative's data-protection practices. Where required, we will arrange a confidential audit consistent with industry standards.

11. Deletion at end of service

On termination of the Service, and unless legally required to retain data longer, Qualitative will delete all personal data within 30 days. Customer may request a copy of its data in machine-readable form prior to deletion.

12. AI processing

Customer content sent to AI sub-processors (currently Google Gemini) is processed under those providers' commercial terms, which prohibit training on customer data. We do not use Customer content to train our own models.

13. Liability

Liability under this DPA is subject to the limitation of liability provisions of the underlying Terms of Service.

14. Contact

For DPA inquiries or to sign a counter-signed copy on behalf of your organization, email privacy@qualitative.app.