Last updated: 29.5.2026.
At Incisive QA (“Incisive QA,” “we,” “us,” or “our”), protecting the data entrusted to us by our clients is central to how we operate. This page explains how we handle personal data when delivering QA and testing services. It complements our Privacy Policy, which covers data we collect through our website.
1. Our Role: Data Processor
When we deliver QA services, our clients decide what data is processed and why. In data protection terms, the client is the data controller and Incisive QA acts as a data processor, handling data only on the client’s documented instructions. The specific terms of each engagement are set out in a separate Data Processing Agreement (DPA) and service contract.
2. Data Minimization in Testing
We work to limit our exposure to personal data during testing. Wherever practical, we use synthetic, anonymized, or pseudonymized test data rather than real production data, and we encourage clients to provide masked datasets. We process only the data necessary to deliver the agreed testing services.
3. Access Controls
Access to client data and systems is restricted to the engineers assigned to that client’s project, on a need-to-know basis. We apply role-based access, individual accounts, and least-privilege principles, and we remove access promptly when an engagement ends or a team member changes role.
4. Confidentiality
All Incisive QA engineers and personnel are bound by confidentiality obligations. We treat client systems, data, and business information as confidential and use them only for the purpose of delivering the agreed services.
5. Security Measures
We apply appropriate technical and organizational measures to protect client data against unauthorized access, loss, or misuse. These include access controls, encrypted connections where applicable, secured devices, and internal security practices. Further detail is available on our Security & Compliance page.
6. Subprocessors
Where we use third-party tools or providers that may process client data on our behalf (for example, cloud or collaboration tools), we treat them as subprocessors. We select them with care, put appropriate data protection terms in place with them, and remain responsible for their handling of client data. A list of relevant subprocessors can be provided to clients on request.
7. International Data Transfers
Our teams may work from more than one country. Where delivering services involves transferring personal data across borders, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and, for UK data, the UK International Data Transfer Addendum, as set out in the applicable DPA.
8. Data Retention and Return
We retain client data only for as long as needed to deliver the agreed services or as required by the engagement. On completion or termination, we return or securely delete client data in line with the client’s instructions and the DPA.
9. Incident Response
We maintain procedures to identify and respond to data security incidents. If we become aware of a personal data breach affecting client data, we notify the affected client without undue delay and support them in meeting their own notification obligations.
10. Audit and Cooperation
We support our clients’ compliance obligations by cooperating with reasonable audit and information requests relating to our processing of their data, on the terms agreed in the applicable DPA.
11. Our Compliance Commitment
We are committed to aligning our data protection practices with the EU GDPR, UK GDPR, and applicable US privacy laws.
12. Contact Us
For any questions about how we handle data, or to request a Data Processing Agreement, contact us via our contact form.