Data Processing & GDPR Information

1. Roles under GDPR

In most cases, our clients are the primary data controllers for any personal data contained in their systems and applications. Dream Driven Digital typically acts as a data processor when we access client environments to perform QA activities.

For data we collect directly through our own website and business operations (for example, contact details of potential clients), we act as a data controller.

2. Nature of processing in QA engagements

When providing QA services, we may access client systems that contain personal data, such as:

• User accounts and profiles in staging or test environments.
• Application logs that may include identifiers or other data.
• API responses used for testing various scenarios.

Wherever possible, we recommend using anonymised or pseudonymised test data, especially in non-production environments, to minimise exposure of real personal data.

3. Data Processing Agreement (DPA)

For clients based in the EU/EEA, or where GDPR applies, we can enter into a Data Processing Agreement (DPA) that sets out:

• The subject matter and duration of the processing.
• The nature and purpose of the processing.
• The types of personal data and categories of data subjects.
• The obligations and rights of the client (controller).
• The obligations of Dream Driven Digital as processor, including confidentiality, security measures, assistance with data subject rights and, where needed, support with DPIAs.

Details are usually defined in the service agreement and/or a separate DPA signed with the client.

4. Technical and organisational measures

We implement reasonable technical and organisational measures to protect personal data processed as part of QA work, including:

• Restricted access to client environments and data.
• Use of secure communication channels for credentials and test data.
• Limiting test data downloads or exports, unless explicitly required.
• Secure storage of project-related information, for example in version control, ticketing and documentation systems.

Specific measures may vary depending on the client's technology stack, infrastructure and security requirements, and can be described in more detail in the service agreement or DPA.

5. Sub-processors and third-party tools

In addition to tools used directly in client projects (for example, issue trackers, documentation, communication tools), we also rely on third-party services to host and operate this website.

• Vercel (hosting & analytics) – provides hosting infrastructure and privacy-friendly analytics without tracking cookies. Analytics data is aggregated and used to understand overall traffic and performance.
• Other tools may be used for collaboration, project management or communication, depending on the engagement. Where these process client-related personal data, they are treated as sub-processors and covered by appropriate contracts.

6. Data subject rights in the context of QA

For data processed on behalf of a client as part of QA work, requests from data subjects (for example, access, rectification, deletion) should primarily be addressed to the client as data controller. We will support the client, where necessary, in responding to such requests in accordance with the service agreement and applicable law.

For data where Dream Driven Digital acts as controller (for example, contact details of clients or prospects), you can exercise your rights by contacting us at contact@dreamdrivendigital.com.