Data Processing Agreement

Last updated: May 10, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer" or "Controller") and Inquiru ("Processor") for the use of the Inquiru service (the "Agreement"). It applies to the processing of Personal Data carried out by Inquiru on the Customer's behalf and is intended to satisfy the requirements of:

  • Articles 28 and 32 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), and equivalent provisions of the UK GDPR;
  • Section 21 of the Protection of Personal Information Act 4 of 2013 ("POPIA") of the Republic of South Africa;
  • The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA") where Inquiru acts as a "service provider".

By accepting the Agreement and using the Service to process Personal Data, the Customer accepts this DPA. A signed counterpart is available on request to [email protected].

1. Definitions

Capitalised terms used in this DPA have the meanings given to them in the GDPR, POPIA, and CCPA respectively. In particular:

  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in Article 4 GDPR.
  • "Responsible Party", "Operator", and "Personal Information" have the meanings given in Section 1 POPIA.
  • "Service Provider", "Personal Information", "Sale", and "Share" have the meanings given in §1798.140 CCPA.
  • "Customer Personal Data" means any Personal Data that Inquiru processes on the Customer's behalf in connection with the Service.

2. Roles and Scope of Processing

The Customer is the Controller (and Responsible Party under POPIA) of Customer Personal Data. Inquiru is the Processor (and Operator under POPIA, and Service Provider under CCPA) and processes Customer Personal Data only on the Customer's documented instructions, including with regard to transfers of Customer Personal Data to a third country.

The subject matter, duration, nature, and purpose of the processing, and the types of Personal Data and categories of Data Subjects, are set out in Annex 1.

Inquiru shall inform the Customer if, in its opinion, an instruction infringes the GDPR, POPIA, CCPA, or other applicable data protection law.

3. Processor Obligations

Inquiru shall:

  • process Customer Personal Data only on the Customer's documented instructions, including those set out in this DPA and the Agreement;
  • ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement and maintain the technical and organisational security measures set out in Annex 2, having regard to the state of the art, the costs of implementation, and the risks presented by the processing;
  • not sell, share (as defined under CCPA), or otherwise disclose Customer Personal Data outside the direct business relationship between the parties, except as permitted by this DPA or required by law;
  • not retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Service, including not combining Customer Personal Data with personal information received from another source except as permitted under §1798.140(ag)(1)(D)–(E) CCPA.

4. Subprocessors

The Customer authorises Inquiru to engage Subprocessors to process Customer Personal Data, subject to the conditions in this section. A current list of Subprocessors is available at inquiru.com/subprocessors.

Inquiru shall: (i) impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA; (ii) remain liable to the Customer for the performance of each Subprocessor; and (iii) provide the Customer with at least 30 days' advance notice of any new Subprocessor or replacement Subprocessor before authorising it to process Customer Personal Data.

The Customer may object in writing to a new Subprocessor on reasonable data-protection grounds. If the parties cannot agree on a resolution within 30 days, the Customer may, as its sole remedy, terminate the affected portion of the Service for convenience.

5. Data Subject Rights

Taking into account the nature of the processing, Inquiru shall assist the Customer by appropriate technical and organisational measures, insofar as is possible, in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR, Sections 23–25 POPIA, or §1798.100–130 CCPA — including the rights of access, rectification, erasure, restriction, portability, and the right to opt out of sale or sharing.

Inquiru provides self-service tooling within the Service to enable the Customer to fulfil these obligations directly. Where a Data Subject contacts Inquiru directly, Inquiru shall promptly forward the request to the Customer and shall not respond to the Data Subject without the Customer's instruction, except to acknowledge receipt or to identify the relevant Customer.

6. Personal Data Breach Notification

Inquiru shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include the information required under Article 33(3) GDPR and Section 22 POPIA, to the extent then known.

Inquiru shall reasonably assist the Customer in fulfilling its own breach-notification obligations to supervisory authorities and to affected Data Subjects.

7. Audit and Information Rights

Inquiru shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to reasonable confidentiality and security restrictions.

The Customer shall give at least 30 days' written notice of any audit, may not conduct more than one audit in any 12-month period (except where required by a supervisory authority or following a Personal Data Breach), and shall bear its own costs unless the audit identifies a material breach by Inquiru of this DPA.

8. International Transfers

Inquiru and its Subprocessors may process Customer Personal Data in jurisdictions outside the European Economic Area, the United Kingdom, and the Republic of South Africa. Where such transfers occur, Inquiru relies on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and (for transfers from South Africa) on the conditions set out in Section 72 POPIA — including binding corporate rules, adequacy decisions, or the Data Subject's consent, as applicable.

By entering into this DPA, the parties are deemed to have signed Module Two (Controller to Processor) of the Standard Contractual Clauses, with the Customer as data exporter and Inquiru as data importer. The optional clauses are excluded unless expressly agreed in writing. The supervisory authority is the supervisory authority of the Customer's establishment in the EEA. Governing law and dispute-resolution forum follow Clause 17 and Clause 18 of the SCCs.

9. Return and Deletion of Customer Personal Data

Upon termination or expiry of the Agreement, Inquiru shall, at the Customer's choice, delete or return all Customer Personal Data to the Customer, and delete existing copies, unless retention is required by applicable law. Inquiru shall complete deletion within 90 days of termination, save for back-up copies that are securely overwritten on a rolling cycle.

10. Liability and Term

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA takes effect on the Customer's acceptance of the Agreement and continues for as long as Inquiru processes Customer Personal Data on the Customer's behalf.

Annex 1 — Subject Matter and Details of Processing

  • Subject matter: the provision of the Inquiru AI customer-support platform to the Customer.
  • Duration: for the term of the Agreement and for any wind-down period under Section 9.
  • Nature and purpose: ingesting, storing, indexing, retrieving, and generating responses to support enquiries; routing messages to the Customer's integrated systems (CRM, ticketing, Slack); aggregate analytics for the Customer's internal use.
  • Categories of Data Subjects: the Customer's end-users and prospective customers; the Customer's employees and authorised users.
  • Types of Personal Data: identifiers (name, email, customer ID), contact data, conversation content, account metadata, usage telemetry, and any additional fields the Customer chooses to send through custom data fields, CRM enrichments, or warehouse connections.
  • Special-category data: Inquiru is not designed to receive special categories of Personal Data within the meaning of Article 9 GDPR or Section 26 POPIA, or sensitive Personal Information within the meaning of §1798.140(ae) CCPA. The Customer agrees not to submit such data without Inquiru's prior written agreement and additional safeguards.

Annex 2 — Technical and Organisational Measures

Inquiru implements measures appropriate to the risk, including:

  • encryption of OAuth tokens, third-party API keys, BYOK credentials, and other secrets at rest using AES-256-GCM with a key derived from a workspace-scoped master key;
  • TLS 1.2 or higher with HSTS for all data in transit between user agents and Inquiru endpoints;
  • password hashing with bcrypt (cost factor 12) and rotation of refresh tokens on every use;
  • role-based access control with least-privilege defaults; tenant-scoped data isolation enforced at the application and database layers;
  • application-layer rate limiting and abuse detection on authentication and ingest endpoints;
  • regular dependency and vulnerability scanning, with security patches applied on a risk-based schedule;
  • separation of production and non-production environments; production access is restricted to a small group of authorised personnel and is logged;
  • daily encrypted backups with restoration testing; documented incident-response procedures aligned to the 72-hour breach-notification window.

Annex 3 — Subprocessors

The current list of Subprocessors is published at inquiru.com/subprocessors and is updated whenever a Subprocessor is added or replaced. Customers may subscribe to email notifications of changes by contacting [email protected].

Contact

Privacy and DPA enquiries: [email protected].