
Data Processing Agreement

QuerySafe Intelligence VERSION 1.0 · APRIL 2026
Standard template. This Data Processing Agreement is offered as the standard form QuerySafe will sign with customers. For deals requiring custom terms or your enterprise paper, contact inquiry@metricvibes.com.

1. Parties and scope

This Data Processing Agreement (the "DPA") is entered into between:

  1. QuerySafe Intelligence, a product of Metric Vibes ("Processor" or "QuerySafe"), and
  2. the customer entity identified in the relevant order form or service agreement ("Controller" or "Customer").

This DPA forms part of, and is subject to, the QuerySafe Master Services Agreement or order form between the parties (the "Agreement"). It governs the processing of personal data by QuerySafe on behalf of the Customer in connection with the QuerySafe Intelligence service (the "Service").

2. Definitions

Capitalized terms have the meanings given in the Agreement. In addition:

3. Scope and nature of processing

3.1 Subject matter and purpose

QuerySafe processes Personal Data on behalf of the Customer solely to provide the Service, which enables Customer users to ask natural language questions about Customer Data and receive answers grounded in that data.

3.2 Categories of data and data subjects

Categories of Personal Data processed are determined by the Customer, who controls what data resides in the connected BigQuery datasets. Typical data subjects include the Customer's end users, employees, customers, and prospects, as represented in the Customer's data warehouse.

3.3 Duration of processing

QuerySafe will process Personal Data for the duration of the Agreement and as required to provide the Service. Upon termination, processing ceases as set out in Section 12.

4. No data movement: the core architectural commitment

QuerySafe does not extract, copy, or replicate Customer Data from the Customer's BigQuery warehouse to QuerySafe-controlled storage.

Queries generated by the Service are executed inside the Customer's Google Cloud project using a service account granted by the Customer. Query results are returned to the QuerySafe application, processed in volatile memory to format the response for the user's interface, and are not persisted to long-term storage on QuerySafe infrastructure.

The information QuerySafe retains in association with each query is limited to: the question text submitted by the user, the SQL query QuerySafe generated, the tables and columns referenced, execution metadata (timestamps, duration), and the identity of the user who submitted the question. This information forms the audit trail described in Section 7.

5. Roles of the parties

The Customer is the Controller of Personal Data processed by the Service. QuerySafe is a Processor acting on the documented instructions of the Customer. The Agreement and this DPA together constitute the Customer's complete and final documented instructions for processing.

6. Obligations of QuerySafe (Processor)

QuerySafe will:

  1. process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data outside the Customer's region, unless required to do so by law;
  2. ensure that personnel authorized to process Personal Data are bound by confidentiality obligations;
  3. implement appropriate technical and organizational measures (described in Section 8) to ensure a level of security appropriate to the risk;
  4. respect the conditions for engaging Sub-processors set out in Section 9;
  5. assist the Customer in responding to requests from data subjects exercising their rights under Applicable Data Protection Law;
  6. assist the Customer with security incident notification, data protection impact assessments, and consultation with supervisory authorities where required;
  7. at the choice of the Customer, delete or return all Personal Data after the end of the provision of services, in accordance with Section 12; and
  8. make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 10.

7. Audit trail and transparency

QuerySafe maintains a tamper-evident audit log of every query processed by the Service. The log records the user, the question text, the generated SQL, the tables referenced, and the timestamp. The Customer may export the audit log at any time through the QuerySafe console or by request to security@metricvibes.com.

8. Security measures

QuerySafe implements and maintains the following technical and organizational measures:

  1. Encryption in transit: all connections use TLS 1.2 or higher. Connections to BigQuery use Google's documented secure transport.
  2. Encryption at rest: application metadata is stored with AES-256 encryption at rest in Google Cloud SQL.
  3. Access controls: production systems require multi-factor authentication. Access to Customer environments is logged and reviewed.
  4. Least privilege: the service account granted by the Customer is read-only by default and scoped to specific BigQuery datasets.
  5. Personally identifiable information (PII) masking: the Service masks PII fields in query results before presenting them to users by default, subject to Customer configuration.
  6. Network isolation: production workloads run inside dedicated Google Cloud Run services with VPC connectors and outbound NAT controls.
  7. Vulnerability management: dependencies are scanned for known vulnerabilities on every build. Critical issues are patched within 30 days.
  8. Personnel security: all QuerySafe personnel with access to production sign confidentiality agreements and complete annual security training.
  9. Business continuity: the Service is hosted on Google Cloud Platform infrastructure with redundancy across availability zones.

9. Sub-processors

The Customer authorizes QuerySafe to engage Sub-processors to process Personal Data. The current Sub-processors are listed on the QuerySafe Security page at /security.html and reproduced below:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Google Cloud Platform | Application hosting, BigQuery connectivity | asia-south1 by default |
| Google Gemini API | Natural language to SQL translation | Zero-training mode, no data retention |
| Google Cloud SQL | Application metadata storage | asia-south1 |
| Stripe | Payment processing (billing data only) | PCI DSS Level 1 |

QuerySafe will provide the Customer with at least 30 days' notice before engaging any new Sub-processor that processes Personal Data. The Customer may object to the appointment of a new Sub-processor on reasonable grounds related to the protection of Personal Data; if the parties cannot resolve the objection in good faith, the Customer may terminate the affected Service component without penalty.

10. Audit rights

The Customer may, on reasonable advance written notice and no more than once per year, audit QuerySafe's compliance with this DPA. Audits will be conducted during normal business hours and will not unreasonably interfere with QuerySafe's operations. As an alternative to a Customer-led audit, QuerySafe may provide the Customer with its most recent third-party audit report (e.g., SOC 2 Type II once issued).

11. International data transfers

By default, Customer Data remains in the Customer's chosen Google Cloud region and is not transferred outside that region by QuerySafe. Where Personal Data is transferred internationally as part of operating the Service, QuerySafe relies on the European Commission's Standard Contractual Clauses (where applicable) and equivalent safeguards in other jurisdictions. The parties agree to execute the Standard Contractual Clauses on request.

12. Termination and data deletion

Upon termination of the Agreement, or upon the Customer's earlier written request, QuerySafe will:

  1. cease all processing of Customer Data;
  2. at the Customer's choice, return or securely delete all Personal Data and audit logs within 30 days of termination; and
  3. certify in writing the completion of such deletion or return.

QuerySafe may retain Personal Data only to the extent required by Applicable Data Protection Law, and only for the period required.

13. Personal data breach notification

QuerySafe will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a confirmed Personal Data breach affecting Customer Data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

15. Order of precedence

If there is any conflict between this DPA and the Agreement, the DPA prevails to the extent of the conflict in relation to the processing of Personal Data.

16. Governing law

This DPA is governed by the law specified in the Agreement. If no law is specified, this DPA is governed by the laws of India, without regard to conflict-of-laws principles.

For QuerySafe (Processor)

Authorized signatory
Name and title
Date

For Customer (Controller)

Authorized signatory
Name and title
Date

QuerySafe Intelligence is operated by Metric Vibes. For DPA execution or questions, contact inquiry@metricvibes.com.