This Data Processing Agreement ("DPA") forms part of the agreement between Qusto ("Processor") and the operator entity that registers for or uses the Qusto platform ("Controller"). It governs the processing of personal data carried out by Qusto on behalf of the Controller in connection with the Qusto analytics service.
By accepting Qusto's Terms of Service, creating an account, or otherwise using the Qusto platform, the Controller agrees to the terms of this DPA.
1. Definitions
Terms used but not defined here have the meaning given in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Qusto under this DPA on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Data Subject" means the individual to whom the Personal Data relates (typically the Controller's end customers).
- "Sub-processor" means any third party engaged by Qusto to process Personal Data on behalf of the Controller.
- "Services" means the Qusto e-commerce analytics platform, including the analytics engine, revenue intelligence, attribution, and funnel analysis features.
2. Subject Matter and Duration
Qusto processes Personal Data on behalf of the Controller solely to provide the Services as described in the Terms of Service and the Privacy Policy. Processing continues for the duration of the Controller's active subscription and ceases upon termination, subject to the deletion obligations in Section 9.
3. Nature and Purpose of Processing
Qusto processes Personal Data for the following purposes, each of which is necessary to deliver the Services:
- Receiving and storing e-commerce analytics events (page views, add-to-cart, order completions, funnel steps) transmitted by the Controller's store integration.
- Attributing revenue events to marketing channels and traffic sources on behalf of the Controller.
- Computing funnel analytics, cart abandonment rates, customer lifetime value, and product performance metrics.
- Generating dashboards, reports, and data exports accessible to the Controller.
- Maintaining the Controller's account, billing, and user authentication.
Qusto does not process Personal Data for its own purposes, for advertising, or for any purpose other than providing the Services to the Controller.
4. Categories of Personal Data Processed
Qusto's architecture is designed to minimise personal data. The following categories may be processed depending on the integration configuration:
| Data Category | Description | PII Status |
|---|---|---|
| Customer token | A pseudonymous identifier derived from the customer's identifier using a keyed one-way cryptographic hash, computed by the Controller using a site-specific secret held exclusively by the Controller. Qusto never receives or stores the underlying email address or identifier. | Pseudonymous — not PII in Qusto's systems |
| Order data | Order ID, SKU list, order value, currency, timestamp. Linked to customer token, not to any individual name, email, or address. | Pseudonymous |
| Analytics events | Page views, funnel steps, session signals. IP addresses are used solely for geolocation and discarded; they are not stored beyond 7 days in server logs. | Anonymised (IP discarded) |
| Operator account data | Business email address, store URL, password hash (bcrypt). Relates to the Controller's authorised users, not to end customers. | Personal data of operator users |
5. Categories of Data Subjects
The Data Subjects whose Personal Data may be processed under this DPA are:
- End customers of the Controller's store — represented exclusively by pseudonymous customer tokens. Qusto cannot identify these individuals and processes no PII relating to them.
- Authorised users of the Controller's Qusto account — employees or contractors of the Controller who access the Qusto dashboard.
6. Obligations of Qusto as Processor
Qusto shall:
- Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data have committed to confidentiality or are under appropriate statutory obligations of confidentiality.
- Implement the technical and organisational measures described in Section 10 of this DPA.
- Not engage a new Sub-processor without prior general or specific written authorisation from the Controller, subject to Section 8.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject rights requests (Articles 15–22 GDPR), including by providing the deletion and export tools described in the Services.
- Assist the Controller in complying with its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation), taking into account the nature of the processing and information available to Qusto.
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with obligations in Article 28 GDPR and allow for and contribute to audits and inspections, subject to reasonable prior notice and confidentiality obligations.
7. Controller's Instructions and Responsibilities
The Controller warrants and undertakes that:
- It has a lawful basis for instructing Qusto to process Personal Data on its behalf and, where applicable, has obtained appropriate consents from Data Subjects.
- The instructions given to Qusto comply with applicable data protection law.
- It will configure the Qusto integration to transmit only pseudonymous customer tokens (and not raw personal data such as email addresses, names, or postal addresses) to Qusto's systems.
- It will promptly notify Qusto of any changes to its instructions or any suspected data breach involving Qusto-processed data.
8. Sub-processors
The Controller grants Qusto general authorisation to engage the Sub-processors listed below. Qusto will notify the Controller of any intended change to this list (addition or replacement) at least 14 days in advance by email to the Controller's registered address. The Controller may object on reasonable data protection grounds within that period.
| Sub-processor | Country | Purpose | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Dedicated server infrastructure hosting all Qusto services, databases, and analytics storage. | All data described in Section 4. Hetzner has no logical access to data; access is limited to physical infrastructure. |
All Sub-processors are bound by data processing agreements that impose obligations equivalent to those in this DPA. All processing takes place within the European Union. No data is transferred to countries outside the EEA.
9. Return and Deletion of Data
Upon termination of the Controller's subscription, Qusto will:
- Make the Controller's analytics data available for export in CSV or JSON format for 30 days following termination.
- Permanently delete all Personal Data from active systems within 30 days of the export window closing.
- Delete backup copies within 90 days of subscription termination, unless a longer period is required by applicable law.
- Provide a written confirmation of deletion upon request.
The Controller may also request deletion at any time during the subscription period via the Data Monitor dashboard (Settings → Privacy & Data) or by contacting compliance@qusto.io.
10. Technical and Organisational Security Measures
Qusto implements the following technical and organisational measures to protect Personal Data, in accordance with Article 32 GDPR. A detailed Technical Security Annex describing specific implementations is available on written request to compliance@qusto.io.
- Encryption in transit: All data transmitted between the Controller's store and Qusto, and between the Controller and the Qusto dashboard, is encrypted using industry-standard transport layer security.
- Encryption at rest: All database volumes are encrypted at rest on Qusto's infrastructure.
- Pseudonymisation: Customer identifiers are pseudonymised using a keyed one-way cryptographic hash before ingestion. The lookup key (site secret) is held exclusively by the Controller and is never transmitted to or stored by Qusto.
- Access control: Access to production systems is restricted to authorised personnel using cryptographic authentication. Role-based access controls limit data access to the minimum necessary for each role.
- Network security: Production servers are protected by a network-level firewall configured to allow only necessary service ports. All other inbound connections are blocked by default.
- Monitoring and alerting: Production systems are monitored continuously with automated alerting. Security events are escalated to the operations team in real time.
- Vulnerability management: System packages are maintained on a regular update schedule. Critical security vulnerabilities are prioritised for immediate remediation using a risk-based approach.
- Backup and recovery: Encrypted backups of all databases are taken regularly, retained according to the applicable schedule, and tested periodically to verify recoverability.
- Data minimisation: Qusto's architecture is designed to process the minimum data necessary. IP addresses are used solely for geolocation and are not retained beyond operational necessity. No direct personal identifiers are required or accepted in the analytics event payload.
- Incident response: Qusto maintains a documented incident response procedure. The Controller will be notified without undue delay, and in any event within 72 hours of Qusto becoming aware, of any Personal Data breach affecting their data.
11. Data Subject Rights Assistance
Qusto provides the following mechanisms to assist the Controller in fulfilling Data Subject rights:
- Erasure (Article 17): The Controller may submit a deletion request for a specific customer token by contacting compliance@qusto.io. Qusto will confirm receipt, process the deletion, and provide written confirmation of deletion upon completion.
- Portability (Article 20): The Controller may request an export of analytics data associated with their account at any time by contacting compliance@qusto.io. Data is provided in CSV or JSON format.
- Access (Article 15): The Controller may request a summary of the data footprint associated with their account and sites by contacting compliance@qusto.io.
Because Qusto stores only pseudonymous customer tokens (not email addresses, names, or any other direct identifier), Qusto cannot independently identify which token corresponds to a given Data Subject. The Controller, who holds the site secret used to derive the token, is responsible for computing the token from the Data Subject's identifier before submitting deletion or access requests to Qusto.
12. Transfers Outside the EEA
Qusto does not transfer Personal Data to any country outside the European Economic Area. All processing, storage, and backup infrastructure is located in Germany (EU). No Standard Contractual Clauses or transfer impact assessments are required under this DPA.
13. Audit Rights
The Controller has the right to audit Qusto's compliance with this DPA, including by:
- Requesting a written summary of Qusto's technical and organisational measures at any time.
- Commissioning an independent third-party auditor, subject to: (i) 30 days' prior written notice; (ii) the auditor being bound by a confidentiality agreement; (iii) the audit being conducted during normal business hours and causing minimal disruption; and (iv) the Controller bearing all costs unless the audit reveals a material breach by Qusto.
- Requesting a copy of Qusto's most recent SOC 2 report or equivalent certification, when available.
14. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where Qusto is responsible for a GDPR infringement, Qusto shall be liable for the portion of any damage or fine attributable to its actions or omissions as Processor, as determined by the competent supervisory authority or court. Where the Controller is responsible, the Controller shall indemnify Qusto for any resulting liability.
15. Term and Termination
This DPA is effective from the date the Controller accepts the Terms of Service and remains in force for the duration of the processing relationship. It terminates automatically upon permanent deletion of all Personal Data under Section 9. Termination of this DPA does not affect the rights or obligations of either party that accrued before termination.
16. Governing Law
This DPA is governed by Spanish law. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Spain, without prejudice to the rights of Data Subjects to bring claims before the competent supervisory authority (AEPD for Spain, or the authority of their EU member state of residence).
17. Contact and Execution
For questions about this DPA, to request a signed copy, or to exercise rights under it:
Qusto — Data Protection
Email: compliance@qusto.io
Subject line: DPA Request — [your company name]
A countersigned PDF copy of this DPA is available on request. Operators requiring a countersigned DPA for their own compliance records should email the address above with their company name and registered address.
Annex I — Processing Activities Summary (Article 30 Record)
| Item | Details |
|---|---|
| Controller | The operator entity registered on the Qusto platform |
| Processor | Qusto — compliance@qusto.io |
| Purpose | E-commerce analytics: revenue intelligence, attribution, funnel analysis, product analytics |
| Legal basis (Controller) | Art. 6(1)(f) legitimate interest (analytics for business optimisation) or Art. 6(1)(b) contract performance, as applicable to Controller's relationship with end customers |
| Data categories | Pseudonymous customer tokens; order data (value, SKU, timestamp); anonymised analytics events; operator account data |
| Data subjects | End customers of the Controller's store (pseudonymous); authorised dashboard users of the Controller |
| Retention | Per subscription tier: Core 12 months; Growth 24 months; Professional 36 months; Enterprise configurable (subject to agreement) |
| Sub-processors | Hetzner Online GmbH (Germany) |
| Third-country transfers | None — all processing within the EU |
| Security measures | Encryption in transit and at rest; keyed one-way pseudonymisation; cryptographic access controls; network-level firewall; continuous monitoring with automated alerting; regular encrypted backups. Full Technical Security Annex available on request. |
This DPA will be reviewed and updated when: (i) a new Sub-processor is engaged; (ii) processing activities materially change; (iii) applicable law requires an update. The version date above reflects the most recent revision. A Technical Security Annex with implementation details is available on written request to compliance@qusto.io. A Spanish-language version (Acuerdo de Tratamiento de Datos) is available on request.