Data Processing Agreement
Last updated: 3 June 2026
1. When this matters
SimQuota is primarily a consumer iPhone app — most users have an individual contractual relationship with us under the Terms and Privacy Policy. A separate Data Processing Agreement (DPA) is only required in cases where you act as a controller of personal data that you cause us to process — for example:
- You buy Pro Family and invite people whose data ends up in our systems through you.
- You are a business or organisation considering deploying SimQuota for staff or members.
- Your DPA, vendor-risk, or procurement process requires a signed processor agreement under GDPR Article 28.
If any of the above applies, the standard terms below form our DPA with you. Email [email protected] with subject "DPA Request" and we will counter-sign a copy on company letterhead.
2. Roles & subject-matter
- You are the controller of personal data of any data subjects you onboard (e.g. members of your Pro Family group).
- SimQuota is the processor of that data on your behalf, except where we act as an independent controller (e.g. for billing, anti-abuse, and product analytics covered in the Privacy Policy).
- Duration: for as long as you maintain an active SimQuota account, plus the retention windows documented in §6 of the Privacy Policy.
- Nature & purpose: provision of the SimQuota service as described in the Terms.
- Categories of data: email addresses, display names, subscription tier, cellular usage snapshots (aggregate GB only), session metadata.
- Categories of data subjects: end-users you invite (family members), yourself.
3. Subprocessors
We use the following subprocessors. By signing this DPA you provide general authorisation to engage them. We will notify you of any addition or change at least 30 days in advance; you may object in writing within that period.
| Subprocessor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Workers (API), D1 (database), KV (cache), Pages (web hosting), R2 (backups) | USA + EU/UK edge | EU-U.S. DPF + SCCs |
| Resend Technology, Inc. | Transactional and digest email delivery | USA | EU-U.S. DPF + SCCs |
| Apple Inc. | App Store distribution, In-App Purchase, Sign in with Apple, push notifications | USA + EU | EU-U.S. DPF + Apple's standard terms |
Previously included: Google Fonts (Geist via fonts.googleapis.com). The Geist font is now self-hosted on our own domain, so Google is no longer a subprocessor.
4. Our obligations as processor
- We process personal data only on your documented instructions, including for transfers, unless required to do otherwise by law.
- We ensure persons authorised to process the data are bound by confidentiality.
- We implement appropriate technical and organisational measures (TLS in transit, at-rest encryption, password hashing per OWASP, rate limiting, defence-in-depth security headers, audit logging on administrative actions).
- We assist you, taking into account the nature of the processing, with your obligations to respond to data subject rights requests.
- We notify you without undue delay (within 72 hours) of any personal data breach affecting your data.
- At your choice on termination, we delete or return all personal data we hold on your behalf.
- We make available to you all information necessary to demonstrate compliance with Art. 28 and submit to audits on reasonable notice.
5. International transfers
Where we transfer personal data outside the UK or EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) and, for U.S. transfers, the EU-U.S. Data Privacy Framework where the recipient is a certified participant. See our Privacy Policy §9 for the full transfer impact statement.
6. Liability
Each party's liability arising out of or in connection with this DPA is limited as set out in the Terms of Service. Nothing in this DPA limits a data subject's rights against either party under applicable data-protection law.
7. Requesting a signed copy
Email [email protected] with subject "DPA Request" and include:
- Your legal entity name and registered address.
- The email address(es) on your SimQuota account(s).
- Any specific clauses you need varied (we can usually accommodate vendor-specific language for procurement reviews).
We typically respond within 5 business days with a counter-signed PDF.