Compliance & Data Processing
Last updated: 1 May 2025
Qala is a data observability and GDPR compliance platform. We recognize that privacy officers and compliance leads evaluating Qala need assurance about our own data processing practices before making a procurement decision. This page documents Qala's compliance posture, sub-processor list, DPA availability, and supervisory authority registration.
1. Qala as a Data Processor
When organizations use the Qala platform to classify and monitor their own data estate, Qala acts as a data processor under GDPR Article 4(8). The customer organization is the data controller. Qala processes personal data only as instructed by the controller and in accordance with the agreed Data Processing Agreement (DPA).
Qala's platform operates on a read-only credential model for data source connections: the platform reads schema metadata and statistical samples of column values for classification purposes. It does not write to, modify, or export customer data beyond the compliance outputs explicitly requested by the controller.
2. Data Processing Agreement
Qala provides a standard DPA incorporating Standard Contractual Clauses (Module 2: Controller to Processor) for all early access customers. The DPA is available for review upon request by emailing [email protected]. Customers may propose reasonable modifications to the DPA during onboarding; all modifications require written agreement before platform access is provisioned.
3. Swiss nDSG Registration
Qala AG is registered with the Federal Data Protection and Information Commissioner (FDPIC) as required under Swiss nDSG for companies offering data processing services as a core business activity. Registration details are available on the FDPIC public register.
4. Sub-processors
Qala uses a limited number of sub-processors to provide infrastructure and operational services. All sub-processors are subject to data processing agreements and are required to implement appropriate technical and organizational security measures.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (EU region) | Frankfurt, Germany (eu-central-1) | EU region — no transfer outside EEA |
| Postmark (Wildbit) | Transactional email delivery | United States | Standard Contractual Clauses (Module 2) |
| Plausible Analytics | Privacy-preserving website analytics | European Union | EU infrastructure — no transfer outside EEA |
Customers will be notified of new sub-processor additions with a minimum 30-day notice period before the new sub-processor begins processing customer data. Customers have the right to object to new sub-processor additions.
5. Security Measures
Qala implements the following technical and organizational security measures:
- All data in transit encrypted via TLS 1.2 or higher
- All data at rest encrypted using AES-256
- Access to customer data restricted to authorized Qala personnel on a need-to-know basis
- Multi-factor authentication required for all internal system access
- Audit logging of all access to customer data systems
- Annual penetration testing by an independent third-party security firm
- Incident response procedures documented and tested quarterly
6. Data Breach Notification
In the event of a personal data breach affecting customer data, Qala will notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach, as required under GDPR Article 33. Notification will include the information required under Article 33(3) to support the customer's own supervisory authority notification obligations.
7. Customer Data Deletion
Upon termination of the platform relationship, Qala will delete all customer data from live systems within 30 days and from backup systems within 90 days, unless retention is required by applicable law. Confirmation of deletion is provided in writing upon request.
8. Audit Rights
Customers have the right to request evidence of compliance with Qala's data processing commitments, including the results of third-party security audits. Where a customer requests a direct audit, Qala will accommodate reasonable audit requests subject to reasonable notice and cost arrangements.
9. Contact
Compliance inquiries, DPA requests, and data subject rights requests: [email protected] | Technoparkstrasse 1, 8005 Zurich, Switzerland.