FASTQUOTE
Data Processing Agreement
Version 2026-06-29
Why this exists
When you upload your end clients' personal data (their names, site addresses, photos of their property) to FastQuote, you are the data controller and FastQuote is your processor. UK GDPR Article 28 requires a written agreement between us. This page IS that agreement. Accepting the Terms at signup also accepts this DPA.
1. Definitions
- You / "Controller": the tradesperson with a FastQuote account.
- FastQuote / "Processor": Harry Doyle, sole trader t/a FastQuote.
- End Client Data: personal data about your end clients (homeowners, businesses) that you upload to FastQuote.
- UK GDPR: the United Kingdom General Data Protection Regulation.
2. Subject matter and duration
FastQuote processes End Client Data solely to provide the quoting service to you: to analyse photos, generate quotes, store quotes for retrieval, and deliver quotes via the client portal. Processing continues for as long as you have an account or as required to provide the service.
3. Nature and purpose of processing
- Storage of End Client Data in our database.
- Transmission of photos and transcripts to Anthropic for AI analysis.
- Transmission of audio to OpenAI Whisper for transcription.
- Generation and delivery of quote documents (PDF, DOCX, client portal URL).
- Encrypted backups via Cloudflare R2.
4. Categories of data and data subjects
- Categories of personal data: name, address, telephone, email, photographs of property, video walkthroughs, quote-specific notes.
- Data subjects: your end clients (homeowners, business owners commissioning trade work).
5. Your obligations as controller
- You confirm you have a lawful basis to collect and upload End Client Data (typically your contract with the client).
- You will inform your end clients that a digital tool is used to prepare their quote (a short verbal mention is sufficient).
- You will respond to their data-subject requests directly; FastQuote will assist where technically necessary.
6. FastQuote's obligations as processor
- Process End Client Data only on your documented instructions (the act of using the service constitutes instruction).
- Ensure persons authorised to process the data are bound by confidentiality (currently only Harry has access).
- Apply appropriate technical and organisational security measures (HTTPS, encrypted backups, environment-variable secrets, no third-party tracking, see Privacy Policy for detail).
- Assist you in responding to data-subject requests (access, correction, deletion) within a reasonable time.
- Notify you without undue delay (within 72 hours) on becoming aware of a personal data breach.
- Return or delete all End Client Data after the end of services, subject to backup retention windows (~5 weeks).
7. Sub-processors
FastQuote uses the following sub-processors. By accepting this DPA you provide general authorisation; we will notify you of new sub-processors with a chance to object.
- Anthropic, PBC — AI analysis (US, SCCs + UK Addendum).
- OpenAI, LLC — voice-to-text (US, SCCs + UK Addendum).
- Railway Corp. — hosting + managed Postgres (currently US, migrating to EU).
- Cloudflare, Inc. — encrypted backup storage (R2, multi-region with EU option).
- Auth0 by Okta (Okta, Inc.) — authentication and identity management (UK & EU data residency available). Hosts Universal Login for both Google social sign-in and the email magic link option.
- Google LLC — sign-in only, via Auth0's Google social connection.
- Stripe, Inc. — payment processing (controller for payment data, not a sub-processor of yours).
8. International transfers
Transfers to US-based sub-processors (Anthropic, OpenAI, Stripe) are covered by the UK Addendum to the EU Standard Contractual Clauses. Railway production data is in transit to the EU region.
9. Liability
Each party is liable for damages caused by its own breach of UK GDPR or this agreement. FastQuote's overall liability is limited as set out in the Terms of Service.
10. Governing law
This agreement is governed by the laws of England and Wales.
Accepted on signup. Version recorded against your user record with a timestamp.