Data Processing Agreement
queri takes data protection seriously. Our DPA governs how we process data on behalf of our customers, in compliance with GDPR, CCPA, and other applicable data protection regulations.
Download our pre-signed DPA
Our DPA is pre-signed by queri as data processor. Countersign and return to execute.
Download DPA (PDF)
To execute, countersign and return to legal@queri.so
Key provisions
queri acts as a data processor; you remain the data controller
Your data is never used to train AI models
All LLM providers operate under zero-retention API terms
Per-organization data isolation via Row-Level Security
Data deletion within 30 days of request or subscription termination
72-hour breach notification
EU Standard Contractual Clauses included for international transfers
How we handle AI and your data
These clauses address the #1 concern organizations have about AI tools. They are included in our DPA and are non-negotiable.
No Model Training
Customer data is never used to train, fine-tune, retrain, or otherwise improve any machine learning model, AI system, or algorithm — whether directly or indirectly. Data is processed solely to provide the service.
LLM Data Handling
When data is transmitted to LLM providers for inference, it is encrypted in transit, processed in real time only, not stored or cached by the provider, and subject to zero-retention API terms.
Embedding Storage
Document content is processed into vector embeddings (numerical representations) for semantic search. Embeddings cannot be reverse-engineered into original text. Original chunks are stored with the same security measures as all other data.
BYOK (Bring Your Own Key)
On eligible plans, customers may provide their own LLM API keys. When BYOK is enabled, data transmitted to LLM providers is governed by the customer's direct agreement with that provider.
Data handling at a glance
| Aspect | Detail |
|---|---|
| Relationship | Customer = controller. queri = processor. |
| Data processed | Documents, meeting transcripts, support tickets, chat messages connected by the customer. |
| Personal data categories | Employee names, emails, job titles, meeting attendee lists, customer contact info in support tickets. |
| Data subjects | Customer's employees, customer's clients (agencies), end-users (SaaS). |
| Retention | Duration of subscription. Deleted within 30 days of termination or request. Backups expire within 30 additional days. |
| Encryption | AES-256 at rest, TLS 1.2+ in transit. |
| Data isolation | Row-Level Security (RLS) per organization. |
| Breach notification | Within 72 hours, consistent with GDPR Article 33. |
| International transfers | Primary processing in US. EU SCCs incorporated by reference. |
| Data export | JSON/CSV export available via API. Full data portability. |