Data Processing Agreement

1. Definitions

• "Controller" means the Qord customer who determines the purposes and means of processing personal data.
• "Processor" means Qord, which processes personal data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Personal Data" means any information relating to a Data Subject.
• "Sub-Processor" means any third party engaged by Qord to process Personal Data.

2. Scope & Purpose

This Data Processing Agreement ("DPA") applies to the processing of Personal Data by Qord on behalf of the Controller in connection with the provision of the Qord property management platform. Qord processes data solely to provide, maintain, and improve the Service as instructed by the Controller.

3. Data Processing Details

• Categories of Data Subjects: Property owners, team members, and guests.
• Types of Personal Data: Names, email addresses, phone numbers, booking details, property information, and usage data.
• Processing Activities: Storage, retrieval, organisation, and transmission of data to deliver the Service.
• Duration: Data is processed for the duration of the service agreement and deleted within 30 days of account termination unless legally required to retain.

4. Processor Obligations

Qord shall:

• Process Personal Data only on documented instructions from the Controller.
• Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including AES-256 encryption at rest and TLS 1.3 in transit.
• Assist the Controller in fulfilling its obligations to respond to Data Subject requests.
• Delete or return all Personal Data to the Controller upon termination of the Service, unless retention is required by law.

5. Sub-Processors

Qord uses the following Sub-Processors to deliver the Service. The Controller consents to the use of these Sub-Processors:

Qord will notify the Controller before engaging any new Sub-Processor, providing the Controller an opportunity to object.

6. Data Subject Rights

Qord shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including access, rectification, erasure, restriction, portability, and objection. Requests should be directed to privacy@qord.in and will be addressed within 30 days.

7. Breach Notification

Qord shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.

8. Data Transfers

Personal Data is primarily stored within AWS ap-south-1 (Mumbai, India). Where data is transferred outside the originating jurisdiction, Qord ensures that appropriate safeguards are in place (e.g., Standard Contractual Clauses) in accordance with applicable data protection laws.

9. Audit Rights

The Controller may, upon reasonable written notice and no more than once per calendar year, audit or appoint a third-party auditor to verify Qord's compliance with this DPA. Qord shall cooperate with such audits and provide reasonable access to relevant information, facilities, and personnel.

10. Term & Termination

This DPA remains in effect for the duration of the Controller's use of the Qord platform. Upon termination, Qord will delete all Personal Data within 30 days unless retention is required by applicable law. The Controller may request a copy of their data in a machine-readable format (JSON) prior to deletion.

11. Contact

For questions or requests related to this DPA, contact us at privacy@qord.in.