Data Processing Agreement (DPA)

Last updated: February 2, 2025

This Data Processing Agreement ("DPA") forms part of the agreement between Epic Test Quest ("Processor", "we", "us") and the customer ("Controller", "you") for the use of Wizzo services.

Epic Test Quest is in the process of formal incorporation.

Table of Contents

  1. Definitions
  2. Scope and Roles
  3. Processor Obligations
  4. Controller Obligations
  5. Data Retention and Deletion
  6. AI-Specific Provisions
  7. Term and Termination
  8. Liability
  9. Governing Law
  10. How to Execute This DPA
  11. Contact
  12. Changelog

1. Definitions

Personal Data — Any information relating to an identified or identifiable natural person.

Processing — Any operation performed on Personal Data (collection, storage, use, disclosure, deletion).

Controller — The entity that determines the purposes and means of Processing.

Processor — The entity that Processes Personal Data on behalf of the Controller.

Sub-processor — A third party engaged by the Processor to Process Personal Data.

Data Subject — The individual whose Personal Data is Processed.

GDPR — General Data Protection Regulation (EU) 2016/679.

2. Scope and Roles

2.1 Relationship

You (Customer) are the Controller of Personal Data processed through Wizzo. We (Epic Test Quest) are the Processor acting on your behalf. This DPA governs our Processing of Personal Data on your behalf.

2.2 Data Processed

Wizzo processes the following categories of Personal Data on your behalf:

Identifiers — Slack user IDs, workspace IDs.

User Content — Messages sent to Wizzo, requirements text, test case content.

Usage Data — Session data, conversation history, feature usage.

Integration Data — Jira/GitHub references (if connected).

2.3 Processing Purposes

We Process Personal Data solely to:

  • Provide the Wizzo service as described in our Terms of Service
  • Generate AI-powered test cases based on your input
  • Store and organize your products, features, personas, and test cases
  • Facilitate Quality Party collaborative sessions
  • Provide customer support

3. Processor Obligations

3.1 Processing Instructions

We will:

  • Process Personal Data only on your documented instructions
  • Inform you if we believe an instruction violates applicable law
  • Not Process Personal Data for any purpose other than providing the Services

3.2 Confidentiality

We will:

  • Ensure all personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to perform their duties

3.3 Security Measures

We implement appropriate technical and organizational measures including:

Encryption at rest — AES-256 for all stored data.

Encryption in transit — TLS 1.2+ for all connections.

Access control — Row Level Security (RLS), role-based access.

Data isolation — Multi-tenant isolation via team_id.

Infrastructure — SOC 2 Type II certified providers.

Monitoring — Security logging and alerting.

3.4 Sub-processors

We use the following Sub-processors:

Google (Gemini API) — AI processing. Located in the United States. Safeguards: SCCs, Enterprise DPA.

Supabase — Database and authentication. Located in the EU (Frankfurt, Germany). Safeguards: SOC 2 Type II.

Slack — Platform integration. Located in the United States. Safeguards: SCCs, Enterprise security.

Atlassian (Jira) — Optional integration. Located in the US or EU. Safeguards: OAuth, user-controlled.

GitHub — Optional integration. Located in the United States. Safeguards: GitHub App, admin-controlled.

Sub-processor changes: We will notify you of any intended changes to Sub-processors, giving you the opportunity to object. You may object within 30 days by contacting us.

3.5 International Transfers

Personal Data may be transferred outside the EU/EEA to our Sub-processors. All such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Enterprise data processing agreements with all providers
  • Compliance certifications (SOC 2, ISO 27001)

3.6 Data Subject Rights

We will assist you in responding to Data Subject requests to exercise their rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Upon receiving a Data Subject request, we will promptly notify you and provide reasonable assistance.

3.7 Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 72 hours of becoming aware)
  • Provide information about the nature of the breach, categories of data affected, and measures taken
  • Assist you in meeting your breach notification obligations

3.8 Audit Rights

You have the right to:

  • Request information demonstrating our compliance with this DPA
  • Conduct audits (or have them conducted by an independent auditor) upon reasonable notice
  • Review our security certifications and compliance documentation

We will make available all information necessary to demonstrate compliance with Article 28 GDPR.

4. Controller Obligations

You warrant that:

  • You have a lawful basis for Processing Personal Data through Wizzo
  • You have provided appropriate notices to Data Subjects
  • You will comply with applicable data protection laws
  • Your instructions to us are lawful

5. Data Retention and Deletion

5.1 Retention Periods

Conversation sessions — Retained for 72 hours. Auto-deleted after inactivity.

Draft test cases — Retained for 24 hours. Auto-deleted.

Quality Party sessions — Retained for 24–96 hours. Configurable, auto-deleted.

Saved data (products, test cases) — Retained until deleted. You control deletion.

5.2 Deletion on Termination

Upon termination of the Services:

  • We will delete all Personal Data within 30 days
  • We will provide certification of deletion upon request
  • Data may be retained where required by law (with notification)

5.3 Your Deletion Rights

You can delete your data at any time:

  • Individual items via Wizzo's Home Tab
  • Integration tokens by disconnecting integrations
  • Complete deletion by contacting us at legal@epictestquest.com

6. AI-Specific Provisions

6.1 AI Processing

When you use Wizzo's AI features:

  • Your input is sent to Google Gemini for processing
  • Data is not retained by Google after processing
  • Data is not used to train AI models
  • Processing occurs in the United States under SCCs

6.2 AI Output

  • AI-generated content (test cases) is stored in your Wizzo workspace
  • You retain ownership of AI-generated outputs
  • AI outputs should be reviewed before use (see Terms of Service)

7. Term and Termination

This DPA is effective when you start using Wizzo and remains in effect while you use the Services. This DPA terminates automatically when your use of the Services ends. Obligations regarding data deletion and confidentiality survive termination.

8. Liability

Liability under this DPA is subject to the limitations set forth in our Terms of Service.

9. Governing Law

This DPA is governed by the laws of Germany. Disputes shall be resolved in the courts of Berlin, Germany.

Alternative Jurisdiction: For Enterprise customers with specific legal requirements, we are open to discussing alternative governing law arrangements (e.g., English Law, laws of other EU member states). Contact legal@epictestquest.com to discuss your requirements.

10. How to Execute This DPA

This DPA is automatically incorporated into your agreement with us when you use Wizzo.

For a countersigned copy

If your organization requires a separately executed DPA:

  1. Email us at legal@epictestquest.com with your company name, contact person and email, and billing address (if applicable).
  2. We will provide a countersigned copy within 5 business days.

11. Contact

For questions about this DPA or to exercise your rights:

Email: legal@epictestquest.com

Epic Test Quest, Strasse 5 Nr 53, Berlin, 13059, Germany

12. Changelog

February 2, 2025 — Added alternative jurisdiction provision for Enterprise customers.

January 21, 2025 — Initial publication.
