Data Processing Agreement

QAWave processes customer data solely for the purpose of delivering the contracted QA agent services. Processing activities include: reading source code to generate tests, analyzing CI/CD logs for triage, and accessing test environments to validate agent outputs.

QAWave uses a limited set of sub-processors, listed at qawave.ai/legal/subprocessors. Customers will be notified 30 days before any new sub-processor is added.

All data is encrypted in transit and at rest. Access is restricted on a need-to-know basis. QAWave maintains security incident response procedures and will notify the customer within 72 hours of any confirmed data breach.

All processing occurs within the EU (Frankfurt, Germany). If any processing requires transfer outside the EU, QAWave will ensure appropriate safeguards (Standard Contractual Clauses) are in place.

Customers may audit QAWave's compliance with this DPA upon reasonable notice. QAWave will provide all necessary documentation and access to demonstrate compliance.

Upon termination of the service agreement, QAWave will delete all customer data within 90 days unless retention is required by law. Customers may request earlier deletion at any time.