pursuant to Art. 28 GDPR · QuickQuote - quickquote.tech · Version: March 2026
English courtesy translation of the German legal text. In case of discrepancies, the German version shall prevail.
This Data Processing Agreement (the "DPA") is concluded between the provider of the QuickQuote software as processor and the customer as controller and supplements the General Terms and Conditions (T&Cs) of QuickQuote.
This DPA applies to all processing activities in which the processor processes personal data on behalf of the controller arising in connection with the use of the QuickQuote software.
Processor:
Lukas Kessler / QuickQuote
Buergermeister-Fuchs-Str. 70, 68169 Mannheim
Email: info@quickquote.tech
Controller:
The customer as stored in the T&Cs and in the customer account (hereinafter the "Controller" or "Customer").
(1) The subject matter of the commissioned processing is the provision of the cloud-based QuickQuote software for the digital capture of inspection data, project management and quotation preparation in the skilled trades sector.
(2) The duration of commissioned processing corresponds to the term of the subscription agreement concluded between the parties. After termination of the contract, the rules on data deletion pursuant to Section 9 of this DPA apply.
(1) The processor processes personal data exclusively on behalf of and in accordance with documented instructions of the controller, unless a legal obligation requires different processing.
(2) Processing includes the following activities: storage, structuring, transmission and deletion of data in the course of using the software.
Within the scope of commissioned processing, the following categories of data may be processed:
| Categories of data subjects | Type of data |
|---|---|
| Employees and users of the customer | Name, email address, login credentials, usage behavior |
| End customers of the customer (for example commissioning parties of skilled-trade services) | Name, address, contact details where recorded in projects |
| Persons depicted in photos | Image data from construction sites and inspections |
| Other persons whose data the customer records in the software | Other personal data entered by the customer |
Special categories of personal data within the meaning of Art. 9 GDPR are not processed as planned when using QuickQuote. The controller shall ensure that no such data is entered into the software.
(1) The processor processes personal data exclusively in accordance with the controller's documented instructions and the provisions of this DPA.
(2) The processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
(3) The processor shall take all necessary technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk.
(4) The processor shall assist the controller in complying with obligations pursuant to Arts. 32 to 36 GDPR insofar as this lies within the processor's sphere of influence.
(5) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(1) The controller is solely responsible for the lawfulness of the collection and processing of personal data when using QuickQuote.
(2) The controller shall ensure that an appropriate legal basis pursuant to Art. 6 GDPR exists for all personal data entered into QuickQuote.
(3) The controller shall inform the processor without undue delay if errors or irregularities in the processing of personal data are identified.
(4) The controller shall issue instructions relating to data processing exclusively in written or electronic form.
(1) The controller hereby grants the processor general authorization to engage the following sub-processors:
| Sub-processor | Service | Location / third-country transfer |
|---|---|---|
| Google LLC (Firebase, Cloud) | Hosting, database, authentication | USA - EU-U.S. DPF + standard contractual clauses |
| OpenAI, L.L.C. (or comparable AI service) | AI-supported functions | USA - standard contractual clauses under Art. 46 GDPR |
| Stripe, Inc. | Payment processing | USA - EU-U.S. DPF + standard contractual clauses |
| Resend, Inc. | Transactional email delivery | USA - standard contractual clauses under Art. 46 GDPR |
(2) The processor shall inform the controller of intended changes regarding the addition or replacement of sub-processors. The controller has the right to object to such changes within four weeks after notification.
(3) The processor shall ensure that sub-processors are subject to the same data protection obligations as the processor itself.
(4) The processor aims to process personal data primarily within the European Union or the European Economic Area. Where processing takes place in third countries, this is done exclusively on the basis of appropriate safeguards pursuant to Art. 46 GDPR or an adequacy decision of the European Commission.
(1) The processor shall assist the controller, within technical possibilities, in handling requests from data subjects (access, rectification, erasure, restriction, portability, objection).
(2) Incoming requests from data subjects addressed directly to the processor shall be forwarded to the controller without undue delay.
(1) After termination of the subscription, all data stored in QuickQuote by the controller will be kept available for collection for a period of 90 days. During this period, the controller can download its data using the software's export function. The export can be triggered at most once per calendar month; media files are not part of the export package, but can be downloaded via the retrieval links contained in the export.
(2) After the 90-day period has expired, all personal data of the controller will be irreversibly deleted unless statutory retention obligations prevent deletion.
(3) At the controller's request, the processor shall confirm complete deletion of the data in writing.
(1) The processor shall inform the controller without undue delay, but no later than within 72 hours after becoming aware, of personal data breaches pursuant to Art. 33 GDPR.
(2) To the extent possible, the notification shall contain: a description of the nature of the breach, the categories and approximate number of data subjects and data records concerned, the likely consequences and the measures taken or proposed.
(3) The duty to notify the competent supervisory authority of a personal data breach lies with the controller.
The processor has implemented the following technical and organizational measures to protect personal data:
| Measure | Implementation |
|---|---|
| Encryption | Data transmission via TLS/HTTPS, encrypted data storage in Google Firebase |
| Access control | Authentication via Google Firebase Auth, role-based access rights (admin/user) |
| Availability control | Redundant cloud infrastructure at Google Firebase, automatic backups |
| Separation control | Tenant separation through workspace structure, data isolation per customer |
| Pseudonymization | Internal user IDs instead of plain names in system logs |
| Order control | DPAs with all sub-processors (Google, OpenAI, Stripe, Resend) |
| Disclosure control | No disclosure of data to third parties outside the named sub-processors |
| Input control | Logging of data changes, role-based access rights |
(1) The controller may issue instructions to the processor regarding the processing of personal data at any time. Instructions must be transmitted in writing or by email to info@quickquote.tech.
(2) If the processor considers an instruction to be impermissible under data protection law, the processor shall inform the controller without undue delay. The processor is entitled to suspend execution of the instruction until the matter has been clarified.
(1) The controller has the right to verify the processor's compliance with data protection provisions and the terms of this DPA.
(2) Audits shall be conducted with reasonable prior notice (at least 5 business days) and at the controller's expense. The processor shall provide the necessary information and evidence.
(3) Instead of an on-site audit, the processor may offer submission of a current audit report by an independent third party.
(1) This DPA forms part of the contractual agreement between the parties and supplements QuickQuote's T&Cs.
(2) In the event of contradictions between this DPA and the T&Cs, the provisions of this DPA shall prevail with regard to data protection matters.
(3) This DPA is governed by the law of the Federal Republic of Germany. Place of jurisdiction is Mannheim.
(4) Amendments and additions to this DPA must be made in writing. This also applies to any waiver of this written form requirement.
(5) Should individual provisions of this DPA be invalid, the validity of the remaining provisions shall remain unaffected.
This DPA enters into force upon conclusion of the subscription agreement. By accepting QuickQuote's T&Cs, the customer simultaneously agrees to the terms of this DPA.
Lukas Kessler · Buergermeister-Fuchs-Str. 70 · 68169 Mannheim · quickquote.tech
Quick