Data Processing Agreement

Effective date: February 19, 2026 | Last updated: February 19, 2026

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the Qwick Cert Terms of Service (the “Agreement”) between Qwick Cert, Inc. (“Processor” or “Qwick Cert”) and the customer entity that has accepted the Agreement (“Controller” or “Customer”).

This DPA applies where Qwick Cert processes Personal Data on behalf of the Customer in the course of providing the Service, as required by Applicable Data Protection Law, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act (“CCPA”/“CPRA”).


1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in Applicable Data Protection Law.

  • “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including but not limited to the GDPR, UK GDPR, and CCPA/CPRA.
  • “Personal Data” means any information relating to an identified or identifiable natural person that Qwick Cert processes on behalf of Customer under the Agreement.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • “Sub-processor” means any third party that Qwick Cert engages to process Personal Data on behalf of Customer.
  • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Roles and Responsibilities

As between the parties, Customer is the data controller and Qwick Cert is the data processor for Personal Data processed under this DPA. Qwick Cert will process Personal Data only as necessary to perform its obligations under the Agreement and only in accordance with Customer's documented instructions, unless required to do otherwise by Applicable Data Protection Law.

3. Subject Matter, Nature, and Purpose of Processing

  • Subject matter: The provision of the Qwick Cert code-signing platform and associated digest proxy services.
  • Duration: For the term of the Agreement, plus any legally required retention periods.
  • Nature and purpose: Issuing and revoking short-lived Azure signing credentials; storing signing operation logs; managing team members and API keys; providing billing and account management.

4. Categories of Personal Data

Qwick Cert processes the following categories of Personal Data on behalf of Customer:

  • Identification data: name, email address
  • Authentication data: hashed passwords, OAuth provider tokens, session tokens
  • Professional data: organization name, role, team membership
  • Technical data: IP addresses, device fingerprints (if enabled), user-agent strings, signing operation metadata (file names, SHA-256 hashes, timestamps)
  • Financial data (via Stripe): billing email, Stripe customer ID (no raw payment card data is transmitted to or stored by Qwick Cert)

5. Categories of Data Subjects

  • Customer's employees, contractors, and authorized users of the Service
  • Individuals invited to join Customer's organization via the Service (prospective team members)

6. Customer Instructions

Customer's use of the Service (including configuration settings in the dashboard and API calls) constitutes Customer's instructions to Qwick Cert for the processing of Personal Data. If Qwick Cert believes an instruction violates Applicable Data Protection Law, it will inform Customer without undue delay.

7. Qwick Cert Obligations

Qwick Cert will:

  • Process Personal Data only on Customer's documented instructions, including as set out in this DPA.
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Section 10.
  • Assist Customer in complying with data subject rights requests to the extent technically feasible (e.g., deletion, export, rectification).
  • Notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident affecting Customer's Personal Data.
  • Delete or return Personal Data upon termination of the Agreement, as elected by Customer, except where retention is required by law.
  • Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.

8. Sub-processors

Customer provides general authorization to Qwick Cert to engage sub-processors. Qwick Cert maintains an up-to-date list of sub-processors at qwickcert.com/legal/sub-processors. Qwick Cert will notify Customer at least 14 days before engaging a new sub-processor or materially changing an existing sub-processor's role (by emailing the organization billing email or posting to the status page). If Customer has a legitimate objection to a new sub-processor, it must notify Qwick Cert in writing within 14 days of notification; failure to object constitutes acceptance.

Qwick Cert imposes data protection obligations on sub-processors that are no less protective than those in this DPA.

9. International Transfers

Where Customer's Personal Data is transferred from the EEA or UK to countries not recognized as providing an adequate level of data protection, Qwick Cert will ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission (for EEA transfers) or the UK ICO (for UK transfers). Copies of applicable SCCs are available on request at privacy@qwickcert.com.

10. Technical and Organizational Security Measures

Qwick Cert implements and maintains the following security measures:

  • Encryption in transit: All API and dashboard traffic is encrypted via TLS 1.2 or higher.
  • Encryption at rest: Sensitive credentials (Azure service principal secrets) are encrypted using AES-256 via Supabase Vault.
  • Credential minimization: Azure credentials issued to developer machines are short-lived (minutes to hours) and are revoked server-side after each signing session.
  • Access control: Row-level security (RLS) is enforced on all database tables. Multi-tenant isolation ensures organizations cannot access each other's data.
  • Authentication: The dashboard uses Supabase Auth with optional 2FA (TOTP). API access requires scoped API keys or short-lived bearer tokens.
  • Audit logging: All signing operations, credential issuances, and revocations are logged with actor identity, timestamp, and IP address.
  • Vulnerability management: Qwick Cert conducts periodic security reviews and maintains a responsible disclosure program at security@qwickcert.com.
  • Business continuity: Data is replicated across availability zones. Backups are performed daily with point-in-time recovery.

11. Data Subject Rights

Qwick Cert will assist Customer in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible within the Service. Customer is responsible for receiving, verifying, and responding to such requests; Qwick Cert will provide reasonable technical assistance when requested.

The Service provides a data export endpoint (GET /api/v1/me/export) that users can access to obtain their signing history in machine-readable format.

12. Security Incident Notification

In the event of a Security Incident, Qwick Cert will notify Customer without undue delay and in any event within 72 hours of becoming aware of the incident. The notification will include (to the extent known at the time): (a) a description of the nature of the incident; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) likely consequences; and (e) measures taken or proposed to mitigate the incident.

13. Audit Rights

Upon Customer's written request (no more than once per year), Qwick Cert will provide Customer with a summary of its security audit reports, certifications, or other documentation reasonably sufficient to verify compliance with this DPA. Customer may conduct an audit of Qwick Cert's processing activities with reasonable notice (at least 30 days) and at Customer's expense, subject to Qwick Cert's reasonable security and confidentiality requirements.

14. Term and Termination

This DPA is effective for the term of the Agreement. Upon termination of the Agreement, Qwick Cert will, at Customer's election, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage. Qwick Cert will confirm completion of deletion in writing within 30 days of Customer's request.

15. CCPA / CPRA Addendum

To the extent Qwick Cert processes Personal Information (as defined by the CCPA) on behalf of Customer, Qwick Cert acts as a “Service Provider” under the CCPA. Qwick Cert will not: (a) sell or share (as defined by the CCPA) Customer's Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement; or (c) combine Personal Information received from Customer with Personal Information received from or collected in connection with other sources, except as permitted by the CCPA.

16. Order of Precedence

In the event of a conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA shall prevail.

17. Contact

Data protection inquiries and DPA execution requests:
Email: dpo@qwickcert.com
For EU/UK data protection authority inquiries, Customer may also contact the supervisory authority in their jurisdiction.


To execute a signed copy of this DPA, contact legal@qwickcert.com. Enterprise customers on a custom agreement may receive a countersigned DPA upon request.