Data Processing Addendum (DPA)

Last Updated: May 29, 2026

1. Scope and Application

This Data Processing Addendum ("DPA") applies to the processing of personal data by QueueDesk on behalf of its customer organizations (each, a "Customer") in connection with the delivery of the QueueDesk service desk SaaS. This DPA is incorporated into and forms part of the Terms of Service.

2. Roles and Instructions

The parties agree that the Customer acts as the Data Controller, and QueueDesk acts as the Data Processor in relation to all employee identity details, ticket comments, activity logs, and attachments processed inside the Customer's tenant database. QueueDesk shall process personal data only in accordance with the Customer's documented instructions.

3. Technical and Organizational Measures

QueueDesk implements and maintains robust administrative, physical, and technical safeguards to protect Customer Data from unauthorized access, disclosure, or loss. These measures include:

  • Multi-tenant logical database isolation via Supabase Row-Level Security (RLS).
  • Encryption of data in transit (using TLS 1.3) and at rest.
  • Access control logging and role-based permissions (RBAC) enforced across all API endpoints.

4. Sub-processors

Customer provides general authorization for QueueDesk to engage sub-processors to perform infrastructure services necessary to deliver the SaaS. A complete list of active sub-processors (including Vercel, Supabase, Cloudflare, and AWS SES) is available upon request. QueueDesk remains liable for the performance of its sub-processors.

5. Data Subject Rights & Breach Notification

QueueDesk will assist Customers in responding to requests from Data Subjects exercising their rights under GDPR or local privacy rules. In the event of a confirmed security incident impacting Customer Data, QueueDesk will notify the affected Customer within 72 hours of verification.