This Data Processing Agreement ("DPA") forms part of the Terms of Service between Quivra ("Processor", "we") and the customer ("Controller", "you") and applies wherever we process personal data on your behalf in the course of providing the quivra.io service.
We use the following subprocessors to deliver the service. Each is bound by its own data protection terms.
| Subprocessor | Purpose | Location |
|---|---|---|
| Railway | Application hosting & database | United States |
| Stripe | Payment processing & billing | United States |
| Resend | Transactional email delivery | United States |
| Anthropic | AI fix generation & AI-visibility checks | United States |
| OpenAI | AI-visibility checks | United States |
| Perplexity | AI-visibility checks | United States |
| Google (Gemini, Search Console, PageSpeed) | AI-visibility checks & search data integrations | United States |
| DataForSEO | Keyword & backlink data | United States |
| PostHog | Product analytics | United States |
All data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to authorized personnel. Passwords are stored as salted bcrypt hashes. API keys are stored as SHA-256 hashes.
We assist you in responding to data subject requests (access, correction, deletion, portability). Deleting your account removes your sites, audits, keywords, and tracking data. To exercise any right, contact support@quivra.io.
Customer data is retained for the life of the account. Upon account deletion, associated data is removed from production systems within 30 days, except where retention is required by law (e.g., billing records).
Where personal data originating in the EEA/UK is transferred to the United States, we rely on Standard Contractual Clauses with our subprocessors where applicable.
We will notify affected customers without undue delay after becoming aware of a personal data breach affecting their data.
Questions about this DPA or our data practices: support@quivra.io.