Data Processing Addendum
Effective Date: May 2, 2026
Last Updated: May 2, 2026
This Data Processing Addendum ("DPA") is incorporated by reference into the FasterQuotes Terms of Service for any Customer that processes Personal Data subject to the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, or other applicable data-protection law. A counter-signed copy is available on request to privacy@fasterquotes.io.
1. Definitions
- Customer (Controller) means the entity that determines the purposes and means of processing.
- FasterQuotes (Processor) means FasterQuotes acting on Customer's instructions.
- Personal Data has the meaning given in the GDPR.
- Data Subject means an identified or identifiable natural person to whom Personal Data relates.
- Sub-Processor means a third party engaged by FasterQuotes to process Customer Personal Data.
- Personal Data Breach has the meaning given in the GDPR.
- Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, approved by European Commission Implementing Decision (EU) 2021/914.
- UK Addendum means the International Data Transfer Addendum to the EU SCCs (version B1.0) issued by the UK Information Commissioner.
2. Subject Matter, Duration, Nature, Purpose
- Subject matter. Processing of Personal Data by FasterQuotes on behalf of Customer to provide the Service.
- Duration. The term of the Agreement plus the post-termination retention period stated in the Terms.
- Nature of processing. Collection, storage, structuring, retrieval, use, disclosure to Sub-Processors, and deletion.
- Purpose. Provision of the AI-powered RFQ extraction Service.
- Categories of Personal Data. Business contact information (names, business email addresses, phone numbers); shipment and freight details (origin, destination, equipment, weight); AI-extracted structured data; account credentials.
- Categories of Data Subjects. Customer's employees and authorized End Users; Customer's customers and their employees; third-party senders of RFQ emails to Customer.
3. Customer Instructions
FasterQuotes processes Personal Data only on Customer's documented instructions, including the Agreement, the Service configuration, and any subsequent written instructions, except where applicable law requires otherwise (in which case FasterQuotes will inform Customer of that legal requirement before processing, unless the law prohibits such notification).
4. Confidentiality of Personnel
FasterQuotes ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and have received privacy and security training.
5. Security (GDPR Article 32)
FasterQuotes maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described at /security and summarized in Annex A below.
6. Sub-Processors
Customer provides general written authorization for FasterQuotes to engage the Sub-Processors listed at /sub-processors. FasterQuotes will provide at least 30 days' prior notice of any addition or replacement of a Sub-Processor.
Customer may object to a proposed Sub-Processor on legitimate, documented data-protection grounds within 30 days of notice. FasterQuotes will use reasonable efforts to address the objection. If FasterQuotes cannot do so within a reasonable period, Customer may, as its sole and exclusive remedy, terminate the affected Service for cause.
FasterQuotes flows down materially equivalent data-protection obligations to each Sub-Processor in writing.
7. Data Subject Requests
FasterQuotes assists Customer with reasonable technical and organizational measures, including in-product self-service tools, to enable Customer to fulfill its obligations to respond to Data Subject requests.
8. Personal Data Breach Notification
FasterQuotes will notify Customer without undue delay and in any event within seventy-two (72) hours after FasterQuotes becomes aware of a Personal Data Breach affecting Customer Personal Data. Such notification will include, to the extent then known: a description of the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to be taken to address the breach.
9. DPIA Assistance
FasterQuotes will provide reasonable assistance to Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to FasterQuotes.
10. Audit Rights
Customer may, on at least 30 days' prior written notice and not more than once per year, audit FasterQuotes' compliance with this DPA. In lieu of an on-site audit, Customer may rely on third-party audit reports (such as a SOC 2 Type II report when available) as evidence of compliance. Audit results are Confidential Information of FasterQuotes. Customer bears the cost of the audit unless the audit reveals material non-compliance, in which case FasterQuotes will bear reasonable costs.
11. International Data Transfers
Where FasterQuotes processes Personal Data subject to the GDPR outside the EEA, the SCCs (Module 2: Controller-to-Processor) are incorporated by reference and apply as set out in Annex C. For UK Personal Data, the UK Addendum is incorporated by reference and applies as set out in Annex D. For Swiss Personal Data, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner.
12. Return or Deletion
On termination, FasterQuotes deletes Customer Personal Data within the periods stated in the Terms. Customer may export Customer Data via the in-product export within 30 days of termination.
13. Liability
Each party's liability under this DPA is subject to the Limitation of Liability in the Terms.
14. Order of Precedence
In the event of a conflict between this DPA and the Terms with respect to data-protection matters, this DPA prevails.
Annex A — Technical and Organizational Measures
FasterQuotes maintains technical and organizational measures including AES-256-GCM encryption at rest, TLS 1.2+ in transit, Postgres Row-Level Security for tenant isolation, encrypted OAuth refresh tokens, two-factor authentication on all administrative consoles, structured logging with 24/7 alerting, vulnerability monitoring against the npm and pip dependency graphs, daily backups with 30-day retention, and a documented incident-response plan with a 72-hour Customer notification commitment for confirmed Personal Data Breaches. Full and current details are at /security.
Annex B — Sub-Processors
The current list of Sub-Processors, including service, data category, and operating location, is published at /sub-processors and is incorporated into this Annex B by reference. FasterQuotes provides 30 days' prior notice of changes.
Annex C — Standard Contractual Clauses (EU 2021/914 Module 2)
Where this DPA applies to a transfer of Personal Data subject to the GDPR outside the EEA, the parties incorporate by reference the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, with the following selections:
- Clause 7 (docking clause). Not selected.
- Clause 9(a) (sub-processors). Option 2 (general written authorization). The time period for prior notice of sub-processor changes is 30 days.
- Clause 11(a) (independent dispute resolution). The optional independent dispute-resolution body is not selected.
- Clause 17 (governing law). Option 1; the Clauses are governed by the law of Ireland.
- Clause 18(b) (choice of forum and jurisdiction). The courts of Ireland.
- Annex I.A (parties). The Customer is the data exporter; FasterQuotes is the data importer. Contact details are those on file under the Agreement.
- Annex I.B (description of transfer). Categories of Data Subjects, categories of Personal Data, and purpose of transfer are as set out in Section 2 of this DPA.
- Annex I.C (competent supervisory authority). The supervisory authority of the EEA Member State in which the data exporter is established, or, if the exporter is not established in the EEA, the supervisory authority designated under Clause 13.
- Annex II (technical and organizational measures). The measures described at /security and summarized in Annex A above.
- Annex III (sub-processors). The Sub-Processors listed at /sub-processors.
Annex D — UK International Data Transfer Addendum
Where this DPA applies to a transfer of UK Personal Data, the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0) issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/. Table 1 (parties), Table 2 (selected SCCs, modules, and selected clauses), Table 3 (appendix information), and Table 4 (which party may end the Addendum) align with the corresponding entries in Annex C above. Neither party may end the Addendum under Section 19 of the Mandatory Clauses.
Contact
Email privacy@fasterquotes.io for a counter-signed copy of this DPA or any data-protection question.