
Data Processing Agreement

Last Updated: June 24, 2026
Operated By: MaxIT LLC

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the QuickFeedback.ai Terms of Service ("Terms") between you ("Customer", "you") and MaxIT LLC ("QuickFeedback", "we", "us"). It applies whenever, in your use of the Service, we process personal data relating to your own customers, clients, or contacts ("Customer Personal Data") on your behalf.

Capitalized terms not defined here have the meaning given to them in the Terms. Where this DPA and the Terms conflict on a matter of data protection, this DPA controls.

1. Definitions

  • "Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), Brazil's Lei Geral de Proteção de Dados ("LGPD"), Canada's PIPEDA and Quebec Law 25, and other comparable laws as applicable.

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the EU GDPR. Where another law applies, the equivalent terms in that law apply (for example, "Business" and "Service Provider" under the CCPA/CPRA).

  • "Customer Personal Data" means personal data that we process on your behalf in providing the Service, as described in Annex 1.

  • "Sub-processor" means any third party engaged by us to process Customer Personal Data on our behalf.

  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914, and, for UK transfers, the UK International Data Transfer Addendum issued by the Information Commissioner's Office.

2. Roles of the Parties

For Customer Personal Data, you are the Controller and we are the Processor. You determine the purposes and means of the processing. We process Customer Personal Data only to provide the Service on your behalf and on your instructions.

You are responsible for the lawfulness of the Customer Personal Data you bring into the Service, including having any consent or other legal basis required to provide that data to us and to send feedback request messages to your customers.

For personal data relating to your account and billing (for example, the account holder's name, email, and payment details), we act as the Controller, and our handling of that data is described in our Privacy Policy rather than this DPA.

3. Processing Instructions

We process Customer Personal Data only on your documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by applicable law. In that case, we will inform you of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

Your instructions are made up of the Terms, this DPA, the configuration choices you make within the Service (for example, which appointments trigger Automated Feedback emails and the content of your messages), and any further written instructions you give us. We will inform you if, in our opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

We ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality, whether a contractual obligation or a statutory one, and that access is limited to personnel who need it to provide the Service.

5. Security

We implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. A summary of these measures is set out in Annex 2. We may update our security measures over time, provided the level of protection is not reduced.

6. Sub-processors

You give us general authorization to engage Sub-processors to process Customer Personal Data, subject to this section. Our current Sub-processors are listed in Annex 3.

When we add or replace a Sub-processor, we will update Annex 3 and provide a way for you to be notified of the change. You may object to a new Sub-processor on reasonable data protection grounds within thirty (30) days of notice. If we cannot reasonably address your objection, you may terminate the affected part of the Service.

We enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA. We remain responsible to you for the performance of each Sub-processor's obligations.

7. Assistance with Data Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as reasonably possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws (such as access, correction, deletion, and objection). If we receive such a request directly from one of your Data Subjects, we will, where permitted, direct that person to you.

8. Personal Data Breaches

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide you with the information reasonably available to us to help you meet your own breach notification obligations under Data Protection Laws.

9. Data Protection Impact Assessments

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance to help you carry out data protection impact assessments and any required prior consultation with a supervisory authority.

10. International Transfers

We are located in the United States, and we and our Sub-processors may process Customer Personal Data in the United States and other countries. Where we transfer Customer Personal Data originating from the European Economic Area, the United Kingdom, Switzerland, or other regions with data transfer restrictions to a country that has not been recognized as providing an adequate level of protection, that transfer is governed by the Standard Contractual Clauses (Module Two: Controller to Processor) or, for UK transfers, the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed by the information in the Annexes.

11. Deletion or Return of Data

On termination of the Service, or at your request, we will delete or return Customer Personal Data and delete existing copies, unless retention is required by applicable law.

In addition, certain data is deleted automatically during normal use of the Service. Appointment data used to trigger Automated Feedback is deleted on the schedule you select (immediately, after fifteen days, or after thirty days) and this automatic deletion cannot be disabled. The unsubscribe and suppression list stores only an email address, with no reference to any appointment, and is retained so that we can honor opt-out requests.

12. Audits

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. Audits must be reasonable in scope and frequency, conducted on reasonable prior notice, and carried out in a manner that does not disrupt our operations or compromise the confidentiality of other customers' data. We may satisfy audit requests by providing relevant third-party certifications or reports where available.

13. Prohibited Data

The Service is not designed for, and you must not submit, collect, store, or process through it, any special category data revealing health, as defined under the EU and UK GDPR, any Protected Health Information as defined under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), or any equivalent category of sensitive health-related personal data under other applicable laws. We do not act as a HIPAA Business Associate and do not enter into Business Associate Agreements. You are responsible for ensuring that the Customer Personal Data you bring into the Service does not include such data.

14. Other Privacy Laws

To the extent the CCPA/CPRA applies, we act as a Service Provider. We will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than providing the Service or as otherwise permitted by the CCPA/CPRA, and will not combine it with personal data from other sources except as permitted by that law.

To the extent the LGPD, PIPEDA, Quebec Law 25, or other Data Protection Laws apply, the parties will comply with their respective obligations under those laws, and the equivalent protections set out in this DPA will apply to that processing.

15. Relationship to the Terms

This DPA supplements the Terms. Except as expressly modified here, the Terms remain in full force, including the provisions on limitation of liability, which apply to this DPA and to the SCCs to the maximum extent permitted by law.

16. Term

This DPA takes effect when you accept the Terms and continues for as long as we process Customer Personal Data on your behalf.

17. Contact

For questions about this DPA or to make a data protection request, contact: Email: [email protected]

Annex 1: Description of the Processing

Subject matter: Provision of the QuickFeedback Service, which enables you to collect customer feedback and direct customers to public review platforms, through QR Feedback and through Automated Feedback emails sent after appointments via a connected scheduling tool.

Duration: For the term of your subscription, plus the limited periods described in Section 11.

Nature and purpose of processing: Collecting, storing, organizing, displaying, and analyzing customer feedback; sending feedback request emails on your behalf; generating AI-assisted replies and summaries; and managing unsubscribe and suppression preferences.

Categories of Data Subjects: Your customers, clients, or contacts who provide feedback or who are sent a feedback request.

Categories of Personal Data: Contact details (such as email address and, where you provide it, name); the fact that an appointment was completed, used only to trigger a feedback request; feedback content submitted by your customers, which may include free text; and unsubscribe and suppression status (email address only).

Special categories of data: None. Special category and health-related data must not be submitted to the Service, as set out in Section 13.

Annex 2: Technical and Organizational Security Measures

We maintain measures appropriate to the risk, including:

  • Encryption of Customer Personal Data in transit and at rest.

  • Access controls that limit access to authorized personnel on a need-to-know basis, with unique credentials.

  • Logical separation of customer data within our systems.

  • Use of reputable infrastructure and Sub-processors that maintain recognized security standards.

  • Automatic deletion of appointment trigger data on the schedule selected by the Customer.

  • Logging and monitoring designed to detect and respond to unauthorized access or misuse.

  • Internal policies and procedures for incident response and for the secure handling of personal data.

Annex 3: Sub-processors

The following Sub-processors are engaged to process Customer Personal Data. This list is current as of the Last Updated date above and is maintained as Sub-processors change.

Sub-processor | Purpose | Location

Vercel Inc. | Application hosting and infrastructure for the QuickFeedback web application | United States

Resend (Plus Five Five, Inc.) | Sending transactional and feedback request emails, and maintaining the unsubscribe and suppression list | United States

Anthropic, PBC | AI generation of feedback replies, summaries, and review drafts | United States

Stripe, Inc. | Payment processing for account billing | United States

Where a connected scheduling tool such as Calendly is used, it is connected by you and acts under your control as the source of appointment data, governed by that provider's own terms, rather than as our Sub-processor.
