Quorum

Data Processing Agreement

Last updated: 19 April 2026

This Data Processing Agreement ("DPA") governs the processing of personal data by Quorum on behalf of a syndicat des copropriétaires using the Quorum platform. It is entered into under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). This DPA is incorporated into, and forms part of, the Terms of Use. By creating or joining a building on Quorum, the syndicat (acting through the syndic) accepts the terms of this DPA.

1. Parties and roles

The controller is the syndicat des copropriétaires of the building, acting through the syndic or another duly mandated representative (the "Controller"). The processor is Quorum SARL, established in Luxembourg (the "Processor"). For a narrow set of platform-wide activities (aggregate product analytics, security monitoring, SaaS billing), the Processor acts as an independent controller. For all personal data entered, uploaded, or generated within the context of managing the building, the Processor acts strictly as a data processor on the Controller’s behalf.

2. Subject matter, nature, and purpose

The Processor hosts and operates the Quorum software-as-a-service platform to support the management of the Controller’s building under the Luxembourg loi du 16 mai 1975 and its règlement grand-ducal. The nature of processing includes hosting, storing, displaying, transmitting, and performing computations on personal data entered by the Controller’s members. The purpose is limited to enabling building management activities: communication, issue tracking, assembly preparation and record-keeping, financial attribution and reporting, document management, and related operational tasks. The Processor will not process personal data for any other purpose without the Controller’s documented instructions.

3. Duration

This DPA applies from the moment a building is created on Quorum by or on behalf of the Controller, and continues for as long as the Controller holds an active subscription. Termination of the subscription triggers the return or deletion obligations in Section 13, subject to statutory retention periods.

4. Categories of data subjects and personal data

Data subjects: members of the building (owners, tenants, conseil syndical, syndic, and any other persons whose data the Controller enters into the platform). Categories of personal data: identification data (name, email, avatar, preferred language), membership data (relationship type, unit reference, voting rights, approval status), building content (announcements, issues, comments, agenda items, votes, documents, phonebook entries), financial records (charges, invoices, payments, splits, SEPA mandate metadata), and usage data (sign-in timestamps, feature interactions, error traces).

5. Obligations of the Processor

The Processor shall: (a) process personal data only on documented instructions from the Controller, including the configured roles and permissions within the platform; (b) ensure that persons authorized to process personal data are bound by confidentiality; (c) implement appropriate technical and organizational measures under Article 32 GDPR (see Section 6); (d) respect the conditions for engaging sub-processors (Section 7); (e) assist the Controller in responding to requests from data subjects (Section 8); (f) notify the Controller without undue delay of any personal data breach (Section 9); (g) at the Controller’s choice, return or delete personal data at the end of the service (Section 13); (h) make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (Section 10).

6. Security measures

The Processor implements, at minimum, the following technical and organizational measures: encryption in transit (TLS 1.2+) and at rest (provider-managed); Supabase Row Level Security policies isolating building data; role-based access control with least-privilege defaults; audit logging of privileged actions; single sign-on and strong password requirements for internal staff; regular dependency and vulnerability scanning; a documented incident-response procedure. The measures evolve with the state of the art; the Processor will not weaken them during the term of this DPA.

7. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors, all bound by GDPR-compliant agreements and hosted in the EU or equivalent jurisdiction: Supabase Inc. (PostgreSQL database and authentication, EU region — Frankfurt); Vercel Inc. (application hosting and CDN, EU region — Frankfurt); Resend (transactional email); Mistral AI (language-model inference, Paris). The Processor will give the Controller at least 30 days’ prior notice of any intended addition or replacement of a sub-processor. The Controller may object on reasonable data-protection grounds; in that case, the parties will seek a mutually acceptable solution, failing which the Controller may terminate the affected service.

8. Assistance with data subject requests

The Processor provides self-service tools enabling data subjects to exercise GDPR rights directly: Profile → Download your data (Articles 15 and 20) and Profile → Close my account (Article 17). Where a data subject contacts the Processor directly with a request that requires Controller input or authorization, the Processor will inform the Controller without undue delay and, on the Controller’s instruction, assist in responding within the statutory timeframe. The Processor does not itself respond to data-subject requests on behalf of the Controller.

9. Personal data breach notification

In the event of a personal data breach affecting the Controller’s data, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of it. The notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address it. The Processor will cooperate with the Controller in any notification to the CNPD or to data subjects where required.

10. Audits

The Processor will make available to the Controller, on reasonable request and not more than once per calendar year (unless a supervisory authority requires otherwise), information necessary to demonstrate compliance with this DPA, including a current list of sub-processors, summaries of security measures, and, where applicable, independent audit reports. Physical audits of the Processor’s premises are generally not required; where the Controller demonstrates a specific and justified need, the parties will agree in advance on scope, timing, and cost allocation.

11. International transfers

The Processor processes personal data within the European Economic Area. If the Processor or a sub-processor transfers personal data outside the EEA, the Processor will ensure that an appropriate transfer mechanism under Chapter V GDPR is in place (typically the European Commission’s Standard Contractual Clauses with any additional safeguards as required).

12. Retention during the engagement

During the engagement, the Processor retains personal data as long as necessary for the purposes in Section 2. Financial records are retained for 10 years from the end of the relevant financial year as required by Article 16 of the Luxembourg Code de commerce, which overrides data-subject erasure requests for that specific data. Other personal identifiers are anonymized within 30 days of a valid erasure request.

13. Return and deletion at end of service

Upon termination of the subscription, and subject to the statutory retention in Section 12, the Controller may, within 30 days, request: (a) an export of all personal data in a commonly used machine-readable format, or (b) deletion of the data. Absent a request, the Processor will delete the data 30 days after termination. Backups containing the data are overwritten within 30 days of that deletion.

14. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Use, to the extent permitted by applicable law. Neither party limits its liability for damages to data subjects resulting from its own breach of GDPR obligations.

15. Governing law and jurisdiction

This DPA is governed by the laws of the Grand Duchy of Luxembourg. Any dispute arising out of or in connection with this DPA falls within the exclusive jurisdiction of the courts of Luxembourg City, without prejudice to mandatory rules of jurisdiction under GDPR.

16. Contact

For any question relating to this DPA, including exercising audit rights or reporting a breach, contact privacy@quorum.lu.
