Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the QuoteVolution End User License Agreement or other written agreement (the “Agreement”) between QuoteVolution Inc. (“QuoteVolution”) and the Customer. It governs QuoteVolution’s processing of Customer Data, including nonpublic personal information, on Customer’s behalf. In case of conflict regarding data processing, this DPA controls over the Agreement.
1. Definitions
- “Customer Data” means data Customer or its users submit to the Platform.
- “NPI” means “nonpublic personal information” under the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and its implementing regulations.
- “Personal Information” has the meaning given under applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended (“CCPA”).
- “Process” means any operation performed on data (collection, storage, use, disclosure, deletion).
- “Sub-processor” means a third party engaged by QuoteVolution to Process Customer Data.
- “Safeguards Rule” means the GLBA Safeguards Rule, 16 C.F.R. Part 314.
- “State Insurance Data Security Laws” means state laws based on the NAIC Insurance Data Security Model Law.
2. Roles of the Parties
Customer is the entity that determines the purposes and means of Processing Customer Data and, for GLBA purposes, is the “financial institution.” QuoteVolution acts solely as Customer’s service provider (and, under the CCPA, a “service provider”), Processing Customer Data only on Customer’s documented instructions to provide and support the Platform. Customer is responsible for delivering privacy notices to, and obtaining any required authorizations from, its clients and insureds.
3. Scope and Purpose of Processing
QuoteVolution will Process Customer Data only: (a) to provide, maintain, secure, and support the Platform; (b) as further instructed by Customer in writing; or (c) as required by law (with notice to Customer where permitted). QuoteVolution will not Process Customer Data for any other purpose.
Customer will promptly notify QuoteVolution of any material change in the categories of Customer Data it submits, including any introduction of protected health information (PHI) or health/medical insurance lines, so the parties can put appropriate terms in place (including a Business Associate Addendum) before such data is Processed.
4. CCPA Service-Provider Commitments
QuoteVolution will not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the Platform, or outside the direct business relationship with Customer; (c) combine Personal Information received from Customer with personal information from other sources except as permitted by the CCPA to perform a business purpose; or (d) use Personal Information to build or improve any separate product or service. QuoteVolution certifies that it understands and will comply with these restrictions.
5. GLBA and State Insurance Data Security Commitments
With respect to NPI, QuoteVolution will: Process NPI only to provide the Platform; maintain a written information security program with administrative, technical, and physical safeguards consistent with the Safeguards Rule and State Insurance Data Security Laws; and not use, disclose, sell, or retain NPI for any purpose other than performing the Platform services, except as required by law.
6. Security Measures
QuoteVolution maintains and follows its Written Information Security Program (“WISP”), which includes at least: encryption of data in transit (TLS 1.2 or higher) and at rest; role-based access controls and least-privilege access; multi-factor authentication; audit logging of significant events; vulnerability management and periodic testing; and oversight of Sub-processors. A summary of the WISP is available to Customer on request.
7. Sub-processors
Customer authorizes QuoteVolution to engage the Sub-processors listed below, each under a written contract imposing data-protection obligations no less protective than this DPA. QuoteVolution will give Customer notice of any new Sub-processor of Customer Data and a reasonable opportunity to object on reasonable data-protection grounds.
| Category | Sub-processor / Purpose |
|---|---|
| Cloud infrastructure & AI | Microsoft Azure — hosting, storage, compute, AI processing via Azure AI Foundry and the Azure OpenAI Service, and application performance monitoring via Azure Application Insights. Customer Data and NPI are not transmitted to OpenAI or used to train foundation models. The specific model is selected from models offered through Azure and may change, including at the request of the Customer/tenant. |
| Payment processing | Stripe, Inc. (PCI-DSS Level 1 Service Provider) — billing and payment processing. Card data is tokenized and never stored on QuoteVolution systems. |
| Transactional email | Microsoft Azure Communication Services — invitations, MFA codes, notifications. |
8. Artificial-Intelligence Processing
AI features are powered by models hosted within QuoteVolution’s Azure environment for security and privacy reasons. Customer Data and NPI Processed for AI features are not used to train or fine-tune any foundation model and are not shared with model providers for their own purposes. QuoteVolution may use only aggregated, de-identified data that cannot reasonably be re-associated with Customer or any individual to operate and improve the Platform. Customer may request a specific available model or model configuration for its tenant.
9. Incident Notification
QuoteVolution will notify Customer without undue delay and no later than seventy-two (72) hours after confirming any unauthorized acquisition of or access to NPI or Personal Information Processed under this DPA, with information reasonably available to help Customer meet its breach-notification obligations (including under the Florida Information Protection Act and other applicable laws).
10. Assistance with Requests
QuoteVolution will provide reasonable assistance to enable Customer to respond to consumer or data-subject requests and to regulatory inquiries relating to Customer Data, and will direct any such request it receives directly to Customer.
11. Return and Deletion
On expiration or termination of the Agreement, QuoteVolution will, at Customer’s election, return or permanently delete Customer Data within thirty (30) days, except one archival copy retained only as required by law, and will certify deletion on written request.
12. Audits
On reasonable prior written notice and no more than once per year (unless required by a regulator or following an incident), QuoteVolution will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.
13. Data Location
Customer Data is stored and Processed on infrastructure located in the United States. The Platform is intended for U.S.-based insurance agencies.
14. Term; Liability
This DPA remains in effect for as long as QuoteVolution Processes Customer Data. Each party’s liability under this DPA is subject to the limitations of liability in the Agreement.
Signatures
Execution of the End User License Agreement by click-through or written signature constitutes acceptance of this DPA. Customers requiring a countersigned copy may request one at legal@quotevolution.com.