
QNOMI Data Processing Agreement (DPA)

Last updated: 28 October 2025

This Data Processing Agreement (“DPA”) forms part of the QNOMI Terms of Service or other written or electronic agreement (the “Agreement”) between Savvy.codes B.V. (“Processor,” “we,” “us,” or “QNOMI”) and the customer identified in the Agreement (“Controller,” “you”).
It governs the processing of personal data on your behalf when using the QNOMI platform.

1. Subject matter and duration

1.1 This DPA applies to all processing of personal data performed by QNOMI on behalf of Controller in connection with the Agreement.
1.2 Processing shall continue for the term of the Agreement and any retention period required by law or by the Controller’s instructions.

2. Roles of the parties

2.1 Controller determines the purposes and means of processing personal data.
2.2 Processor processes personal data solely on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by EU or Member State law.
2.3 If such a legal requirement exists, Processor shall inform Controller prior to processing, unless prohibited by that law.

3. Nature and purpose of processing

The Processor provides a hosted platform for psychometric assessments, user management, reporting, and analytics.
Processing involves the storage, organisation, scoring, and presentation of assessment results and user data necessary to deliver these services.

4. Categories of data subjects

  • Organisation users (administrators, HR professionals, consultants)

  • Assessment participants (employees, candidates, clients)

5. Types of personal data

  • Identification data: name, email address, organisation, role

  • Account data: login credentials (hashed), activity logs, permissions

  • Assessment data: answers to test items, results, reports, and derived scores

  • Contact and billing data (for organisation representatives)

No processing of special categories of personal data is intended, except where an assessment instrument inherently involves personality or behavioural indicators, in which case the Controller remains responsible for establishing a lawful basis (e.g. explicit consent).

6. Obligations of the Processor

QNOMI shall:

  1. Process personal data only on documented instructions from the Controller;

  2. Ensure persons authorised to process personal data have committed to confidentiality;

  3. Implement appropriate technical and organisational measures to protect personal data (see §9);

  4. Assist the Controller in responding to data-subject requests under Chapter III of the GDPR;

  5. Assist the Controller with security, data-breach notifications, data protection impact assessments and prior consultations;

  6. Delete or return all personal data to the Controller after termination of the Agreement, unless retention is required by law;

  7. Make available all information necessary to demonstrate compliance and allow audits as described in §10.

7. Obligations of the Controller

The Controller shall:

  1. Ensure it has a valid legal basis for all personal data shared with QNOMI;

  2. Provide clear instructions that comply with applicable data-protection law;

  3. Ensure that data subjects are informed about processing by QNOMI via appropriate privacy notices;

  4. Manage user access and authentication for its organisation;

  5. Refrain from transmitting any personal data unrelated to the agreed purpose.

8. Sub-processors

8.1 QNOMI may engage third parties (“Sub-processors”) for hosting, storage, email delivery, analytics, or support.
8.2 QNOMI shall maintain a current list of Sub-processors available upon request or via the QNOMI website.
8.3 QNOMI will ensure each Sub-processor is bound by a written agreement imposing data-protection obligations equivalent to those in this DPA.
8.4 QNOMI will notify the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object on reasonable grounds.

9. Security measures

QNOMI maintains industry-standard technical and organisational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)

  • Access control and authentication for all personnel

  • Role-based authorisation within customer environments

  • Regular backups and disaster-recovery procedures

  • Logging and monitoring for unauthorised access

  • Security policies aligned with ISO 27001 principles

Details of security practices are available upon request.

10. Audit and inspection

10.1 Controller may audit QNOMI’s compliance with this DPA once per year (or more frequently if required by law or following a confirmed breach) by providing at least 30 days’ written notice.
10.2 Audits shall be conducted during normal business hours, without disrupting operations, and limited to information reasonably necessary to verify compliance.
10.3 Each party bears its own costs, unless a material breach is found, in which case QNOMI will reimburse reasonable audit costs.

11. Personal data breach

In the event of a personal data breach, QNOMI shall:

  • Notify the Controller without undue delay after becoming aware of the breach;

  • Provide sufficient information to enable the Controller to meet its obligations under Articles 33–34 GDPR;

  • Cooperate in investigation, mitigation and remedial actions.

12. International data transfers

Data are stored within the European Economic Area (EEA).
If data are transferred outside the EEA, QNOMI shall ensure an adequate level of protection through:

  • EU Standard Contractual Clauses (Module 2: Controller → Processor); or

  • Any successor mechanism recognised by the European Commission.

13. Liability

Liability of each party under this DPA is governed by the limitation-of-liability clause in the main Agreement.
Nothing in this DPA relieves either party from its own direct responsibilities under the GDPR.

14. Termination and data return

Upon termination of the Agreement or upon written request, QNOMI will delete or return all personal data within a reasonable period, unless retention is required by law.
Where deletion is not feasible, data will be securely anonymised.

15. Miscellaneous

  • In case of conflict between this DPA and the Agreement, this DPA shall prevail regarding data protection.

  • This DPA is governed by the laws of the Netherlands.

  • Any disputes shall be resolved by the competent courts of Amsterdam, unless mandatory law provides otherwise.