Data Processing Agreement
Terms governing how QRZone processes data on behalf of our customers.
Last updated: February 2026
Scope
This Data Processing Agreement (DPA) applies to all personal data processed by QRZone on behalf of customers using our QR code infrastructure, analytics, and link management services.
Roles and Responsibilities
The customer acts as the Data Controller. QRZone acts as the Data Processor, processing personal data only as necessary to provide the contracted services and in accordance with documented customer instructions.
Data Security Measures
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Regular security audits and penetration testing
- Access controls with role-based permissions and MFA
- Incident response procedures with 72-hour breach notification
Sub-Processors
QRZone maintains a list of authorized sub-processors. Customers are notified 30 days before any new sub-processor is engaged, with the right to object.
Data Retention and Deletion
Upon contract termination, QRZone will delete or return all customer personal data within 30 days, unless retention is required by applicable law.
International Transfers
Where data is transferred outside the EEA, QRZone relies on Standard Contractual Clauses (SCCs) and supplementary measures to ensure adequate protection.