QARP AI — Confidentiality & Data Protection Package
🔒 Data Protection Package

Confidentiality & Legal Documents

Three documents that protect every party: auditor, client, and auditee. Use them as-is or adapt to your engagement.

Three documents. Complete protection.

When using QARP AI during an audit, three parties are involved: you (the auditor), your client (who commissioned the audit), and the auditee (whose documents are reviewed). Each document below addresses one relationship.

  • 📋 DPA: You ↔ QARP Academy
  • 📝 Contract Clause: You → Client
  • 📣 Disclosure: You → Auditee

🛡️ How Document Protection Works in Practice

  1. 📂 Document uploaded: by auditor on-site
  2. 🔍 Anonymiser runs: names, IDs, sponsors redacted
  3. 🧠 AI processes: anonymised content only
  4. 🗑️ File deleted: not stored, not trained on

All processing on EU-based restricted server. GDPR compliant. No data shared with third parties.

📋 Document 1 — Data Processing Agreement (DPA)
Between Auditor & QARP
Parties: Auditor (Data Controller) ↔ THE QARP ACADEMY S.L. (Data Processor)
Framework: GDPR Art. 28
Version: 1.0 · April 2026

Preamble

This Data Processing Agreement ("DPA") is entered into between the Auditor (hereinafter "Controller") and THE QARP ACADEMY S.L., a Spanish limited liability company registered under number B19913078, with registered address at Carrer Lluís I Companys, 08860 Castelldefels, Spain, represented by its Director Maxim Bunimovich (hereinafter "Processor"), collectively referred to as the "Parties".

This DPA forms part of and supplements the Founding User Agreement and governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the QARP AI Audit Assistant platform ("Service").

Article 1 — Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure.
  • "Audit Documents" means protocols, SOPs, training records, informed consent forms, TMF documents, interview notes, and any other documents uploaded to the Service.
  • "Anonymiser" means the automated system embedded in the Service that identifies and redacts personal identifiers prior to AI processing.

Article 2 — Subject Matter & Scope

The Processor provides an AI-assisted audit tool that processes Audit Documents uploaded by the Controller. The subject matter of this DPA is the processing of any Personal Data that may be contained in such Audit Documents.

Technical design note: The Service is designed to minimise Personal Data processing. All Audit Documents pass through an automated Anonymiser that redacts names, addresses, subject identifiers, sponsor names, site names, investigator names, and drug/device identifiers before reaching any AI processing layer.

Article 3 — Processor Obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller;
  2. Ensure that persons authorised to process Personal Data have committed to confidentiality;
  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (GDPR Art. 32);
  4. Not engage sub-processors without prior written authorisation from the Controller;
  5. Assist the Controller in ensuring compliance with GDPR obligations (Arts. 32–36);
  6. Delete or return all Personal Data upon termination of the Service;
  7. Make available all information necessary to demonstrate compliance with this DPA.

Article 4 — Technical Security Measures

Measure: Implementation

  • Anonymisation: Automated PII/PHI redaction before AI processing (names, IDs, sponsors, sites)
  • Data Storage: EU-based restricted server (Spain/EEA data residency)
  • Data Retention: Uploaded files deleted immediately after processing session
  • AI Training: No user-uploaded data is used for AI model training
  • Access Control: Role-based access, user-specific encrypted sessions
  • Data Isolation: Each user's data is logically isolated; no cross-user visibility
  • Encryption: TLS 1.3 in transit; AES-256 at rest
  • Audit Trail: System access log maintained for compliance (21 CFR Part 11 aligned)

Article 5 — Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware, providing: (a) description of the breach; (b) categories and approximate number of data subjects; (c) likely consequences; (d) measures taken or proposed.

Article 6 — Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to requests from data subjects exercising their rights under GDPR (Arts. 15–22), including rights of access, rectification, erasure, restriction, portability, and objection.

Article 7 — Liability & Indemnification

Each Party shall be liable to the other for damages caused by processing in breach of GDPR obligations applicable to it. The Controller indemnifies the Processor against claims arising from the Controller's failure to obtain necessary consents or authorisations from clients or auditees prior to uploading Audit Documents to the Service.

Article 8 — Governing Law

This DPA is governed by the laws of Spain. The courts of Barcelona shall have exclusive jurisdiction for any disputes arising from this DPA.

Signatures

Processor: THE QARP ACADEMY S.L.
Maxim Bunimovich, Director
Name & Title: _________________
Date & Signature: _________________

Controller (Auditor — Company/Name): _________________
Name & Title: _________________
Date & Signature: _________________

📝 Document 2 — Contract Clause for Client Agreement
Auditor → Client
Purpose: Insert into your audit services contract with the sponsor/client
Length: ~1 page
Format: Ready-to-insert clause

How to Use This Clause

Insert this clause into your standard Audit Services Agreement with the client (sponsor, CRO, or company that commissioned the audit). It can be added as a new numbered clause or as an appendix titled "Use of AI-Assisted Audit Tools".
⚠️ Review with your legal counsel if required. This clause is provided as a template and may need adaptation based on your specific client relationship and applicable law.

Clause Text — Ready to Insert

Clause [X] — Use of AI-Assisted Audit Tool


[X].1  The Auditor may use the QARP AI Audit Assistant, a validated AI-powered software tool developed and operated by THE QARP ACADEMY S.L. (B19913078, Spain), to support audit preparation, on-site conduct, and audit report generation.


[X].2  The Client acknowledges and agrees to the Auditor's use of such AI-assisted tools, subject to the data protection measures set out in this Clause.


[X].3  Data Protection Measures. Prior to any processing by the AI tool, all documents uploaded to the system are processed through an automated anonymisation module that redacts all personal identifiers, including but not limited to: subject identifiers, investigator names, sponsor names, site identifiers, and proprietary drug or device names. No identifiable confidential information is transmitted to or stored by external AI providers.


[X].4  Data Storage & Retention. All uploaded documents are stored exclusively on EU-based restricted servers (EEA data residency) and are deleted upon completion of the processing session. No Client data is used to train any AI model. Access to data is restricted to the individual Auditor's secure session.


[X].5  Security Standards. The tool operates in accordance with GDPR (Regulation 2016/679), is aligned with 21 CFR Part 11 audit trail requirements where applicable, and employs TLS 1.3 encryption in transit and AES-256 encryption at rest.


[X].6  Auditor Responsibility. The Auditor remains solely responsible for the accuracy and professional quality of audit findings, conclusions, and reports. The AI tool supports but does not replace the Auditor's independent professional judgment. All AI-generated outputs are reviewed and validated by the Auditor prior to inclusion in any deliverable.


[X].7  Further Information. The Client may request a copy of the Data Processing Agreement between the Auditor and THE QARP ACADEMY S.L. by written request to the Auditor.

📣 Document 3 — Disclosure Statement for Auditee
Opening Meeting
Purpose: Read aloud or hand out at opening meeting
Length: 1 page
Format: Standalone disclosure

How to Use This Document

At the opening meeting of the audit, inform the auditee's team that an AI-assisted tool will be used. You can either read this statement aloud (takes ~90 seconds) or hand out a printed copy and ask for acknowledgment. File the signed copy in your audit documentation.

Disclosure Statement — Full Text

DISCLOSURE OF AI-ASSISTED AUDIT TOOL USE

To be presented at the Audit Opening Meeting

Audit Reference: _________________    Date: _________________

Auditor: _________________    Auditee Organisation: _________________


1. Purpose of This Disclosure

In the interest of transparency and in compliance with applicable data protection regulations, I wish to inform you that during the conduct of this audit I may use an AI-assisted software tool: the QARP AI Audit Assistant, developed by THE QARP ACADEMY S.L. (Spain, Registration B19913078).


2. What the Tool Does

The tool supports audit preparation, on-site note-taking and finding classification, and audit report generation. It does not make autonomous audit decisions — all findings, conclusions, and assessments are reviewed and confirmed by the auditor.


3. How Your Documents Are Protected

If any documents from your organisation are uploaded to the tool, the following protections apply:

  • Automatic anonymisation: all personal identifiers (subject IDs, staff names, organisation names, product names) are automatically redacted before reaching any AI processing.
  • No external AI providers receive your raw documents.
  • EU data residency: all data is stored on restricted EU-based servers.
  • Immediate deletion: uploaded files are deleted upon completion of the processing session.
  • No AI training: your documents are never used to train AI models.
  • Access restriction: data is accessible only to the individual auditor's secure session.

4. Your Rights

You have the right to: (a) request a copy of the full Data Processing Agreement; (b) ask any questions about how your organisation's documents are handled; (c) object to the use of this tool — in which case the auditor will conduct the audit using conventional methods only.


5. Contact

For questions regarding data protection: maxim.bunimovich@theqarp.com


Acknowledgment (optional but recommended):

I/We, the undersigned representative(s) of the audited organisation, acknowledge receipt of this disclosure and confirm we have been informed of the use of an AI-assisted audit tool and the data protection measures in place.

Name & Title: _________________
Date & Signature: _________________

THE QARP ACADEMY S.L. · Registration B19913078 · Carrer Lluís I Companys, 08860 Castelldefels, Spain
Director: Maxim Bunimovich · maxim.bunimovich@theqarp.com
Founding User Agreement · © 2026 THE QARP ACADEMY S.L.