between
The customer of Qdrant, as identified in the applicable agreement governing the use of Qdrant’s services (the “Customer”), acting as data controller (the “Controller”),
and
Qdrant Solutions GmbH, Chausseestraße 86, 10115 Berlin, Germany as Data Processor (hereinafter “Data Processor”),
Controller and Data Processor jointly the “Parties”
This Data Processing Agreement applies to the processing of personal data carried out by Qdrant Solutions GmbH in connection with the provision of Qdrant Cloud — a managed vector-database and embedding-storage platform that processes and stores data uploaded by the Controller for indexing, similarity search, and related support services.
The Controller has commissioned the Data Processor in a contract already concluded (hereinafter referred to as the "Agreement") for the services specified therein. Part of the execution of the contract is the processing of personal data. To comply with these requirements, the Parties enter into the following Data Processing Agreement (hereinafter referred to as the “DPA”), the performance of which shall not be remunerated separately unless expressly agreed.
(1) Data Protection Laws: Refers to all applicable data protection and privacy legislation in force from time to time in Switzerland, the United Kingdom, and the European Union, including but not limited to the Swiss Federal Act on Data Protection ("FADP"), the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("EU GDPR"), and any other applicable data protection or privacy legislation.
(2) The Controller is the entity that alone or jointly with other Controllers determines the purposes and means of the processing of personal data.
(3) The Data Processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the Controller.
(4) Personal data means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(5) Personal data requiring special protection are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of Data Subjects, personal data on criminal convictions and criminal offenses or related security measures, as well as genetic data, biometric data, health data, and data on the sex life or sexual orientation of a natural person.
(6) Processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(7) A supervisory authority is an independent state body established by applicable Data Protection Laws.
(8) The Standard Contractual Clauses (SCCs) refer to the contractual clauses adopted by the European Commission and/or the relevant data protection authorities in Switzerland and the UK for the transfer of personal data to processors established in third countries.
(9) Third country transfer refers to the transfer of personal data from one country to another country outside the jurisdiction or regional area where the data was originally collected, which does not necessarily provide the same level of data protection in accordance with applicable data protection laws.
(1) The Data Processor provides the services specified in the Agreement for the Controller. In doing so, the Data Processor obtains access to personal data, which the Data Processor processes for the Controller exclusively on behalf of and in accordance with the Controller's instructions. The scope and purpose of the data processing by the Data Processor are set out in the Agreement and any associated service descriptions. The Controller shall be responsible for assessing the admissibility of the data processing.
(2) The Parties conclude the present DPA to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this DPA shall take precedence over the provisions of the Agreement.
(3) The provisions of this contract shall apply to all activities related to the Agreement in which the Data Processor and its employees or persons authorized by the Data Processor come into contact with personal data originating from the Controller or collected for the Controller.
(4) The term of this DPA shall be governed by the term of the Agreement unless the following provisions give rise to further obligations or termination rights.
(1) The Data Processor may only collect, process or use data within the scope of the Agreement and in accordance with the instructions of the Controller. If the Data Processor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the Controller of these legal requirements prior to the processing.
(2) The instructions of the Controller shall initially be determined by this DPA. Thereafter, they may be amended, supplemented, or replaced by the Controller in writing or text form by individual instructions (Individual Instructions). The Controller shall be entitled to issue such instructions at any time. This includes instructions with regard to the correction, deletion, and blocking of data.
(3) All instructions issued shall be documented by the Controller. Instructions that go beyond the service agreed in the Agreement shall be treated as a request for a change in service.
(4) If the Data Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Data Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Data Processor may refuse to carry out an obviously unlawful instruction.
(1) Within the scope of the implementation of the Agreement, the Data Processor shall have access to the personal data specified in more detail in Annex 1.
(2) The group of Data Subjects affected by the data processing is listed in Annex 1.
(3) A transfer of personal data to a third country may take place under the conditions of applicable Data Protection Laws.
(1) The Data Processor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Controller's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Data Processor shall structure its internal organization within its field of responsibility in such a way that it meets the special requirements of data protection. It shall have taken the technical and organizational measures specified in Annex 3 to adequately protect the Controller's data, which the Controller acknowledges as adequate. The Data Processor may adapt its technical and organizational measures to reflect technical progress, provided that the overall level of protection is not reduced.
(3) The persons employed in the data processing by the Data Processor are prohibited from collecting, processing or using personal data without authorization. The Data Processor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter "Employees") accordingly and shall ensure compliance with this obligation with due care.
(4) The Data Processor has appointed a data protection officer. The Data Processor’s data protection officer is heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu, www.heydata.eu.
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Data Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Data Processor, by persons employed by it within the scope of the contract or by third parties, the Data Processor shall inform the Controller without undue delay and, in any case, no later than forty-eight (48) hours after becoming aware of a personal-data breach. The same shall apply to audits of the Data Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and the number of Data Subjects affected and the categories and the number of personal data records affected;
(b) a description of the measures taken or proposed by the Data Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
(c) a description of the likely consequences of the personal data breach.
(2) The Data Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, inform the Controller thereof and request further instructions.
(3) In addition, the Data Processor shall be obliged to provide the Controller with information at any time insofar as the Controller's data are affected by a breach pursuant to paragraph 1.
(4) The Data Processor shall inform the Controller of any significant changes to the security measures pursuant to Section 5 (2).
(1) The Controller may satisfy itself of the technical and organizational measures of the Data Processor prior to the commencement of data processing and thereafter regularly on a yearly basis. For this purpose, the Controller may, for example, obtain information from the Data Processor, obtain existing certificates from experts, certifications or internal audits or, after timely coordination, personally inspect the technical and organizational measures of the Data Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Data Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of the Data Processor in the process. The Data Processor may demonstrate compliance through current SOC 2 Type II reports or equivalent independent audit documentation.
(2) The Data Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the technical and organizational measures of the Data Processor.
(3) The Controller shall document the results of the inspection and notify the Data Processor thereof. If the Controller discovers errors or irregularities, in particular when reviewing the inspection results, it shall inform the Data Processor without undue delay. If facts are found during the inspection whose future avoidance requires changes to the commissioned procedure, the Controller shall notify the Data Processor of the necessary procedural changes without delay.
(1) The contractually agreed services shall be performed with the involvement of the service providers named in Annex 2 (hereinafter “Sub-processors”). The Controller grants the Data Processor its general authorization to engage additional Sub-processors within the scope of its contractual obligations or to replace Sub-processors already engaged.
(2) The Data Processor shall inform the Controller before any intended change in relation to the involvement or replacement of a Sub-processor. The Controller can object to the intended involvement or replacement of a Sub-processor for an important reason under data protection law.
(3) The objection to the intended involvement or replacement of a Sub-processor must be raised within 2 weeks of receiving the information about the change. If no objection is raised, the involvement or replacement shall be deemed approved. If there is an important reason under data protection law and an amicable solution is not possible between the Controller and the Data Processor, the Controller has a special right of termination at the end of the month following the objection.
(4) When engaging Sub-processors, the Data Processor shall oblige them in accordance with the provisions of this DPA.
(5) A Sub-processor relationship within the meaning of these provisions does not exist if the Data Processor commissions third parties with services that are regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Data Processor to the Controller and guarding services. Maintenance and testing services constitute Sub-processor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Controller.
(1) The Data Processor shall support the Controller with suitable technical and organizational measures in fulfilling the Controller's obligations pursuant to applicable Data Protection Laws, for example regarding Data Subject requests, technical and organizational measures, data protection impact assessments and prior consultation with supervisory authorities.
(2) If a Data Subject asserts rights, such as the right of access, correction or deletion with regard to his or her data, directly against the Data Processor, the latter shall not react independently but shall refer the Data Subject to the Controller and await the Controller's instructions.
(1) In the internal relationship with the Data Processor, the Controller alone shall be liable to the Data Subject for compensation for damage suffered by a Data Subject due to inadmissible or incorrect data processing under Data Protection Laws or use within the scope of the commissioned processing.
(2) The Data Processor shall have unlimited liability for damage insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Data Processor, its legal representative or vicarious agent.
(3) The Data Processor shall only be liable for negligent conduct in the event of a breach of an obligation, the fulfillment of which is a prerequisite for the proper performance of the contract and the observance of which the Controller regularly relies on and may rely on, but limited to the average damage typical for the contract. In all other respects, the liability of the Data Processor, including for its vicarious agents, shall be excluded.
(4) The limitation of liability pursuant to § 10.3 shall not apply to claims for damages arising from injury to life, body, health or from the assumption of a guarantee.
(1) The Parties agree that the EU Standard Contractual Clauses ("EU SCCs") as set forth in the European Commission Implementing Decision 2021/914 of 4 June 2021, are hereby incorporated by reference and form an integral part of this DPA insofar as this is necessary according to the applicable Data Protection Laws and a third country transfer takes place.
The applicable module(s) of the EU SCCs are as follows: Module 2 may apply insofar as the Controller is acting as a Controller and Data Exporter, and Module 3 may apply insofar as the Controller is acting as a Data Processor and Data Exporter.
For each Module, where applicable:
(a) In Clause 7, the optional docking clause does not apply.
(b) In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in § 8 of this DPA.
(c) In Clause 11, the optional wording does not apply.
(d) In Clause 17, Option 1 applies, and the EU SCCs are governed by German law.
(e) In Clause 18(b), disputes will be resolved before the courts of Germany.
(f) The Appendix of EU SCCs is populated as follows:
(2) The Parties agree that the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") is hereby incorporated by reference and forms an integral part of this DPA insofar as this is necessary according to the applicable Data Protection Laws. The EU SCCs apply as set forth in the foregoing with the following modifications:
(a) Each party shall be deemed to have signed the UK Addendum.
(b) For Table 1 of the UK Addendum, the parties' key contact information is located in this DPA, the Agreement and/or relevant Orders.
(c) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in § 11 (2) of this DPA.
(d) For Table 3 of the UK Addendum:
(e) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.
(3) The Parties agree that the EU SCCs, as modified to reflect Swiss law requirements, are hereby incorporated by reference and form an integral part of this DPA for transfers of personal data from Switzerland insofar as this is necessary according to the applicable Data Protection Laws.
The following modifications apply to the EU SCCs for Swiss transfers:
(a) The term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of exercising their rights.
(b) References to the "GDPR" shall be understood as references to the FADP.
(c) The competent supervisory authority for Switzerland shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).
(1) After termination of the Agreement, the Data Processor shall return to the Controller all documents, data and data carriers provided to it or, at the request of the Controller, delete them, unless there is an obligation to store the personal data under applicable legislation. This shall also apply to any data backups at the Data Processor. The Data Processor shall on request provide documented proof of the proper deletion of any data. Upon request, the Data Processor shall confirm deletion in writing after completion.
(2) The Controller shall have the right to control the complete and contractual return or deletion of the data at the Data Processor in an appropriate manner.
(3) The Data Processor shall be obligated to keep confidential the data of which it has become aware in connection with the Agreement even beyond the end of the Agreement. The DPA shall remain valid beyond the end of the Agreement as long as the Data Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.
(1) To the extent that the Data Processor does not expressly perform support actions under this DPA free of charge, it may charge the Controller a reasonable fee therefor, unless the Data Processor's own actions or omissions have made such support directly necessary.
(2) Amendments and supplements to this DPA must be made in writing. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.
(3) If individual provisions of this DPA are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
| Description | Details |
|---|---|
| Nature of Processing | Storage, indexing, vector similarity search and retrieval of data uploaded by the Controller; limited analytics, logging and support. |
| Purpose of Processing | Provision, maintenance and monitoring of Qdrant Cloud managed vector-database services. |
| Categories of Data Subjects | Employees, contractors, end-users and customers of the Controller. |
| Categories of Personal Data | Identifiers (user ID, e-mail), metadata, embeddings, logs, account and billing data. |
| Special Categories | None intentionally processed; responsibility remains with the Controller. |
| Processing Locations | EEA (primarily Germany and Ireland); limited transfers to the U.S. under the EU–US Data Privacy Framework or SCCs. |
| Duration | For the term of the Cloud Service Agreement and statutory retention periods. |
| Security Reference | Technical and Organizational Measures per Annex 3, aligned with SOC 2 Type II or comparable standards. |
The current list of approved Sub-processors is published at https://qdrant.to/trust-center and forms part of this Agreement.
This document summarizes the technical and organizational measures taken by the data processor within the meaning of Art. 32, para. 1 of the GDPR. These are measures by which the data processor protects personal data. The purpose of the document is to support the data processor in fulfilling its accountability obligation under Art. 5, para. 2 of the GDPR.
Qdrant maintains a documented information-security management system with independently audited controls aligned with SOC 2 Type II or comparable industry standards. The following measures apply to all data processed through Qdrant Cloud.