Data Processing Addendum

Effective: February 25, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer," "Controller") and Carlquist ("Carlquist," "Processor") for the provision of the Carlquist middleware platform ("Service"). This DPA sets out the terms that apply when Personal Data is processed by Carlquist on behalf of the Customer.

1. Definitions

• Controller: The entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller.
• Processor: The entity that processes Personal Data on behalf of the Controller. Under this DPA, Carlquist is the Processor.
• Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR, CCPA, and similar legislation).
• Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• Sub-processor: A third party engaged by Carlquist to process Personal Data on behalf of the Customer.
• Data Subject: An identified or identifiable natural person whose Personal Data is processed.

2. Scope and Roles

Carlquist acts as a Processor when handling Personal Data transmitted through the Service. The Customer acts as the Controller and determines what data is sent through Carlquist adapters, which fields are mapped, and where transformed data is delivered.

Carlquist does not independently determine the purposes or means of processing Customer data. All processing is performed in accordance with the Customer's adapter configuration and the documented instructions of the Customer.

3. Processing Details

• Nature of processing: Middleware transformation and delivery. Carlquist receives data from Customer-configured source adapters, applies schema mappings and field transformations, and delivers the results to Customer-configured destination endpoints.
• Purpose of processing: Connecting legacy systems to modern applications as directed by the Customer's adapter and mapping configuration.
• Categories of data: As determined by the Customer's adapter configuration. Carlquist does not prescribe or require specific data categories. The Customer controls which data sources are connected and which fields are included in mappings.
• Data subjects: As determined by the Customer. Data subjects may include the Customer's employees, clients, patients, users, or other individuals whose data resides in the connected source systems.

4. Carlquist Obligations

Carlquist shall:

• Process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law (in which case Carlquist will inform the Customer before processing, unless prohibited by law).
• Ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational security measures to protect Personal Data, as described on our Security page. These measures include encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, audit logging, and network isolation.
• Assist the Customer in responding to requests from Data Subjects exercising their rights under applicable data protection law (access, rectification, erasure, portability, restriction, or objection).
• Assist the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
• At the Customer's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires retention.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Customer or a qualified auditor.

5. Sub-processors

Carlquist uses a limited number of Sub-processors to provide the Service. The current list of Sub-processors is maintained at /subprocessors.

• Carlquist will provide the Customer with at least 30 days' advance written notice before engaging a new Sub-processor or replacing an existing one.
• The Customer may object to a new Sub-processor by notifying Carlquist in writing within the 30-day notice period. If the Customer objects, Carlquist will make reasonable efforts to provide an alternative or allow the Customer to terminate the affected portion of the Service without penalty.
• Carlquist imposes contractual obligations on all Sub-processors that are no less protective than the terms of this DPA.

6. International Transfers

If Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, Carlquist will ensure appropriate safeguards are in place. These safeguards include the European Commission's Standard Contractual Clauses (SCCs), as supplemented by any additional measures necessary to ensure the transferred data receives an essentially equivalent level of protection.

Upon request, Carlquist will execute the applicable SCCs with the Customer.

7. Breach Notification

In the event of a Personal Data breach, Carlquist shall:

• Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
• Provide the following information (to the extent available):
  • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including measures to mitigate its adverse effects.
• Cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
• Not inform any third party of the breach without the Customer's prior written consent, unless required by applicable law.

8. Data Retention

• Adapter payloads: Processed in memory and not persisted to disk. Data passes through the transformation pipeline and is delivered to the configured endpoint without intermediate storage.
• Dead-letter queue (DLQ) data: Failed deliveries are retained in the DLQ for 7 days to allow for retry and investigation, then automatically purged.
• Configuration data: Adapter configurations, schema mappings, and workspace settings are retained for the duration of the Customer's subscription plus 30 days post-termination to facilitate data export.
• Audit logs: API call logs, configuration change logs, and administrative action logs are retained for 90 days on standard plans. Enterprise plans may extend audit log retention to 1 year.

9. Deletion

Upon termination of the Service agreement:

• All Customer data (configurations, mappings, workspace settings, DLQ contents, and audit logs) will be deleted within 30 days of the termination effective date.
• Written confirmation of deletion is available upon request.
• If the Customer requests data return instead of deletion, Carlquist will provide the data in a standard machine-readable format within the 30-day post-termination period.

10. Term

This DPA is effective for the duration of the Service agreement between the Customer and Carlquist. The obligations of Carlquist with respect to data deletion and confidentiality survive termination of this DPA.

Contact

For questions regarding this DPA or to request execution of Standard Contractual Clauses, contact us at legal@carlquist.app.