Data Processing and Security Framework
This page summarizes the main privacy role allocation and the technical-organizational safeguards generally associated with QHSE. Where UESE processes personal data on documented instructions from the customer, this section operates as a public summary and shall be supplemented, where necessary, by a separate Data Processing Agreement under Article 28 GDPR.
1. Role allocation
- UESE acts as independent controller for website management, lead handling, onboarding, billing, legal compliance, fraud prevention, platform security, and its own business administration.
- UESE may act as processor when hosting, storing, organizing, or making available customer data within the SaaS workspace on documented instructions of the customer.
- The customer remains controller for the personal data it decides to upload or process through the platform in relation to its own employees, suppliers, clients, leads, or other data subjects.
2. Subject matter, duration, and nature of processing
Processing may include collection, recording, consultation, structuring, storage, adaptation, extraction, alignment, transmission, restriction, deletion, and destruction of data, exclusively within the limits necessary to provide the subscribed service, technical support, security controls, backup, and related administrative activities. The duration ordinarily coincides with the term of the contract plus the retention periods required by law, security needs, or documented post-termination obligations.
3. Categories of data and data subjects
Depending on the customer use case, processed data may concern corporate users, employees, collaborators, consultants, suppliers, clients, prospects, visitors, and other subjects included in records, tickets, evidence repositories, or generated documents. Categories may include common personal data, business contact information, identifiers, usage metadata, compliance-related data, and, only where intentionally uploaded by the customer and lawfully supported, special or judicial categories subject to stricter safeguards.
4. Security measures
Measures are calibrated according to the state of the art, implementation costs, nature, scope, context, and purposes of processing, as well as the risk for the rights and freedoms of data subjects, in line with Articles 24, 25, 28 and 32 GDPR. No internet-connected service can be declared absolutely immune from risk; therefore, both parties shall cooperate in adopting proportionate controls and prompt incident escalation.
5. Sub-processors and third parties
UESE may engage technical sub-processors for hosting, mail, infrastructure, support, security, payment, and maintenance services, ensuring the adoption of contractual obligations substantially aligned with data protection law. Updated information may be made available through contractual documentation, service communications, or support channels.
6. Assistance, incidents, and data subject requests
Where UESE acts as processor, it shall provide reasonable cooperation to support the customer in handling data subject requests, security incidents, breach assessment, and supervisory authority interactions, taking into account the nature of processing and the information available to UESE. Any legally reportable personal data breach will be managed according to internal escalation procedures and applicable law.
7. End-of-service handling
At the end of the contractual relationship, customer data may be returned, made available for export, deleted, anonymized, or retained for the strictly necessary period where required by law, security, accounting obligations, or dispute protection. Specific export, migration, or extended retention services may require separate agreement.