Data Processing Addendum

This Data Processing Addendum (the “DPA”) is entered into by and between Quantum PM LLP (“Quantum”) and You, the User as defined in the Agreement (the “User”). This DPA is incorporated by reference into Quantum’s Terms and Conditions (the “Agreement”) available at https://www.qpm.ai/terms which govern the use of the service provided by Quantum.

This DPA consists of Standard Contractual Clauses (the “SCC”) and other provisions, including its applicable Annexes (the “Annex”), and replaces any previously applicable data processing and security terms. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.

Quantum and the User are also referred to individually as a “Party” and collectively as the “Parties”.

    1. Definitions

        Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
        1.1. “Authorised Affiliate” means any of the User’s Team member(s), as defined by the Agreement, who is invited by the User, has accepted the terms and conditions of the Agreement and is entitled to use the services under the Agreement.
        1.2. “Controller” has the meaning given in the GDPR.
        1.3. “Data Protection Laws” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, security, or the Processing of personal data, including without limitation (i) the General Data Protection Regulation, Regulation (EU) 2016/679 (the “GDPR”), (ii) in respect of the United Kingdom, the Data Protection Act 2018 (the “UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”).
        1.4. “Data Subject” has the meaning given in the GDPR.
        1.5. “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
        1.6. “Personal Data” means the personal data as defined in the GDPR and described in ANNEX II, and any other personal data that Quantum Processes on behalf of the User in connection with Quantum’s provision of the services under the Agreement.
        1.7. “Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
        1.8. “Processor” has the meaning given in the GDPR.
        1.9. “Sensitive Data” means Personal Data that is protected under special legislation and requires unique treatment under relevant Data Protection Laws. Sensitive Data may include information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or sex life, or sexual orientation.
        1.10. “Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the commissioner under section 119A(1) of the UK DPA 2018 as revised from time to time (the “UK Addendum”).
        1.11. “Subprocessor” means any third party that carries out specific Processing activities of Personal Data under the instruction of Quantum.
        1.12. “Supervisory Authority” has the meaning given in the Regulation.

    2. Purpose and scope

        The purpose of this DPA is to ensure compliance with Data Protection Laws on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data. This DPA applies to the Processing of Personal Data as specified herein and in the relevant Annexes. All Annexes to this DPA shall form an integral part of it. This DPA is without prejudice to obligations to which the User is subject by virtue of Data Protection Laws.

    3. Roles of the Parties

    The Parties agree that while Processing Personal Data on behalf of the User, Quantum is the Processor of such Personal Data and the User is the Controller of Personal Data. Hereinafter the terms “Processor” and “Controller” refer to Quantum and the User respectively.

    4. User’s obligations and responsibilities

    While using the services and providing instructions to Quantum, the User shall comply with relevant Data Protection Laws, provisions of the Agreement and this DPA. Without prejudice to the generality of the foregoing, the User shall be solely responsible for:
        4.1. the accuracy, quality, and legality of the Personal Data and the means by which Personal Data was obtained by the User;
        4.2. ensuring its compliance with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Data, including obtaining any necessary consents and authorizations;
        4.3. having the right to transfer to Quantum the Personal Data and/or to provide Quantum with access to the Personal Data;
        4.4. instructions provided to Quantum regarding the Processing of Personal Data and their compliance with Data Protection Laws and other applicable legislation;
        4.5. obtaining necessary consents from the relevant Data Subject where Quantum, while Processing Personal Data on behalf of the Controller, is required to send email to that Data Subject.

    5. User’s instructions

    Quantum shall Process Personal Data only on documented instructions from the Controller, unless otherwise required by the relevant legislation to which Quantum is subject. In this case, Quantum shall inform the Controller of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the Processing of Personal Data. These instructions shall always be documented. The Parties agree that this DPA, the Agreement, and the User’s usage of the service in accordance with the Agreement shall constitute complete instructions from the User to Quantum regarding the Processing of Personal Data. Notwithstanding the foregoing, while using the services under the Agreement, the User may provide additional instructions regarding the Processing of Personal Data that shall be consistent with the Agreement, Data Protection Laws, the nature and lawful use of the services.

    Quantum shall immediately inform the Controller if, in Quantum’s opinion, instructions given by the Controller infringe Data Protection Laws or other applicable legislation. It is hereby clarified that Quantum has no obligation to assess whether instructions of the Controller infringe any Data Protection Laws.

    6. Quantum’s obligations
        6.1. Compliance with instructions and conflicts of law. Quantum shall Process Personal Data only for the purposes described in this DPA and User’s instructions as described in section 5 hereof. Quantum shall not be responsible for compliance with any Data Protection Laws applicable to User and/or its industry that are not generally applicable to Quantum. In case Quantum becomes aware of an inability and/or prohibition of Processing Personal Data in accordance with User’s instructions due to a legal requirement under any applicable law, Quantum shall (i) within a reasonable period of time and to the extent permitted by the applicable law, notify the User of that legal requirement; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until the User issues new instructions that comply with applicable law. If Quantum cannot Process Personal Data for the above-mentioned reasons and that causes failure to provide services under the Agreement, Quantum shall not be liable to User under the Agreement and this DPA.
        6.2. Duration of Processing. Quantum shall Process Personal Data only for the duration specified in Annex II.
        6.3. Description of Processing. Quantum Processes Personal Data to provide services to the User pursuant to the Agreement and this DPA. The details of the Processing operations, in particular, the categories of Personal Data and the purposes of Processing are specified in Annex II.
        6.4. Security of Processing. Quantum shall at least implement the technical and organizational measures specified in Annex III to ensure the security of Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (the “Personal Data Breach”). Notwithstanding any provision to the contrary, Quantum shall be entitled to modify or update the security measures at its sole discretion provided that such modification or update does not result in a material degradation in the protection of Personal Data.
        6.5. Confidentiality. Quantum shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    7. Sensitive Data

    The Parties agree that the services provided under the Agreement are not intended for the Processing of Sensitive Data. In case the Controller wants the Processor to Process Sensitive Data on behalf of the Controller, it must first obtain the Processor’s explicit prior written consent and enter into any additional agreements as may be required.

    8. Documentation and compliance

    The Parties shall be able to demonstrate compliance with this DPA. Upon the Controller’s 10 (ten) business days prior written request, which shall be no more than once per 12 (twelve) months (except when there are indications of non-compliance), the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA, and shall also permit and contribute to audits of the Processing activities covered by this DPA. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor. The Controller may conduct the audit by itself or engage an independent auditor which shall be mutually agreed by the Parties. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice. Any information relating to audits, inspections and the results therefrom, including the documents reflecting the outcome thereof, shall only be used by the Controller to assess Processor’s compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Processor’s prior written approval. In connection with any audit or inspection conducted in accordance with this section 8, the Controller and/or relevant independent auditor must be bound by obligations of confidentiality no less protective than those contained in the Agreement. The Controller and/or relevant independent auditor will not be entitled to receive any data or information pertaining to other users of Processor or any other confidential information of the Processor that is not directly related to the authorized purposes of the audit or inspection.

    In the event of an audit or inspections as set forth above, the Controller shall ensure that it and/or relevant independent auditor will not cause (or will minimize, in case it cannot avoid) any damage, injury, or disruption to Processor’s operations, premises, equipment, personnel and business, as applicable, while conducting such audit or inspection.

    If and to the extent that the SCC apply, nothing in this section 8 varies or modifies the SCC nor affects any Supervisory Authority’s or Data Subject’s rights under the SCC.

    The Parties shall make the information referred to in this section, including the results of any audits or inspections, available to the competent Supervisory Authority/ies on request.

    9. Subprocessors
        9.1. General terms. The Processor has the Controller’s general authorization for the engagement of Subprocessors from an agreed list, which is added as Annex IV to this DPA. The Processor shall specifically inform in writing the Controller of any addition or replacement of Subprocessors at least 14 (fourteen) calendar days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Subprocessor(s).
        9.2. Right to object. The Controller may reasonably object to the Processor’s use of a new or replacement Subprocessor. Within 14 (fourteen) calendar days after receipt of the notice regarding addition or replacement of the Subprocessor, the Controller shall submit the objection by notifying the Processor at legal@qpm.ai. In the notification, the Controller shall outline the reasons for its objection. In case the Controller has not objected within the abovementioned period of time and in the described way, the use of the new Subprocessor shall be deemed accepted by the Controller. In the event the Controller notifies the Processor about its objections according to the abovementioned procedure, the Processor shall use reasonable efforts to make available to the Controller a change in the services provided under the Agreement or recommend a commercially reasonable change to the Controller’s configuration or use of the services to avoid Processing of Personal Data by the objected-to new Subprocessor. If the Processor is unable to provide such change within 30 (thirty) calendar days following receipt of the objection, either Party may terminate the Agreement and this DPA without penalty by providing written notice to the other Party. All amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to the Processor. The Processor may temporarily avoid or cease the Processing of the affected Personal Data and/or suspend access to the services under the Agreement, until a decision regarding the Controller’s objections is made. In case of termination of the Agreement and this DPA according to this section, the Controller shall have no further claims against the Processor due to the termination, including, without limitation, requesting refunds.
        9.3. Contractual relations with Subprocessors. Where the Processor engages a Subprocessor for carrying out specific Processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Subprocessor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with this DPA. The Processor shall ensure that the Subprocessor complies with the obligations to which the Processor is subject pursuant to this DPA and Data Protection Regulation. The Processor shall remain responsible to the Controller for the performance by the Subprocessor of its obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Subprocessor to fulfil its contractual obligations.

    10. Authorised Affiliate
        10.1. Relationships between the User and Authorised Affiliate. The Parties acknowledge and agree that, by executing this DPA, the User enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates, in which case each Authorised Affiliate agrees to be bound by the User’s obligations under this DPA, if and to the extent that Processor Processes Personal Data on the behalf of such Authorised Affiliates, thus qualifying them as the “Controller” with respect to the Personal Data Processed on their behalf. All access to and use of the services by Authorised Affiliates must comply with the terms and conditions of the Agreement and this DPA. Any violation of this DPA by the Authorised Affiliate shall be deemed a violation by the User.
        10.2. Communication between the User and Authorised Affiliate. The User shall remain responsible for coordinating all communication with the Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorised Affiliates.

    11. International transfers
        11.1. Transfers from the EEA and the UK to the countries covered by Adequacy Decision. In case the Personal Data is transferred from the EEA, and the United Kingdom (the “UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant authorities of the EEA and/or the UK as relevant (the “Adequacy Decisions”), as applicable, any further safeguard is not necessary.
        11.2. Transfers from the EEA and the UK to other countries.
            11.2.1. For transfers of Personal Data from the EEA to other countries that are not covered by the relevant Adequacy Decisions, where such transfers cannot be performed through an alternative compliance mechanism recognized by Data Protection Laws, EU SCC terms and conditions shall apply.
            11.2.2. For transfers of Personal Data from the UK to other countries that are not covered by the relevant Adequacy Decisions, where such transfers cannot be performed through an alternative compliance mechanism recognized by Data Protection Laws, UK Addendum terms and conditions shall apply.
        11.3. Transfers from other countries. In the event Personal Data is transferred by and/or on behalf of the Controller to the Processor from any other jurisdiction that requires a specific compliance mechanism for the lawful transfer of such data, the Controller shall notify the Processor of such applicable requirements, and the Parties may seek any necessary modifications to this DPA.

    12. Data Subject requests

    Upon receiving any request from a Data Subject, the Processor shall promptly notify the Controller of the request or refer the Data Subject to the Controller. To the extent permitted and required by the Data Protection Laws, the Processor shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing. To the extent legally permitted, the Controller shall be responsible for any costs arising from the Processor’s provision of additional functionality to assist with a Data Subject request.

    13. Notification of Personal Data Breach

    In the event of a Personal Data Breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor has become aware of the breach. Such notification shall contain, at least:
        13.1. a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
        13.2. the details of a contact point where more information concerning the Personal Data Breach can be obtained;
        13.3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

    Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

    14. Deletion or return of Personal Data

    Following termination of the Agreement and cessation of the services, the Processor shall, at the choice of the Controller that shall be communicated to the Processor in writing, delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the Personal Data to the Controller and delete existing copies, unless applicable laws require otherwise. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.

    15. Non-compliance with DPA and termination

    Without prejudice to any provisions of Data Protection Laws, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the Processing of Personal Data until the latter complies with this DPA or the Agreement is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.
        15.1. Termination by the Controller. The Controller shall be entitled to terminate the Agreement and this DPA insofar as it concerns the Processing of Personal Data in accordance with this DPA if:
            15.1.1. the Processing of Personal Data by the Processor has been suspended by the Controller pursuant to the abovementioned reasons and if compliance with this DPA is not restored within a reasonable time and in any event within 1 (one) month following suspension;
            15.1.2. the Processor is in substantial or persistent breach of this DPA or its obligations under Data Protection Laws;
            15.1.3. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or to Data Protection Laws.
        15.2. Termination by the Processor. The Processor shall be entitled to terminate the Agreement and this DPA insofar as it concerns the Processing of Personal Data under this DPA, where after having informed the Controller that its instructions infringe applicable Data Protection Laws, the Controller insists on compliance with the instructions.

    16. Data Protection Impact Assessment and Prior Consultation

    Taking into account the nature of the Processing and the information available to the Processor, the Processor will provide reasonable assistance to and cooperation with the Controller for the Controller’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of Controller Personal Data involving the Processor, and in consultation with Supervisory Authorities or other regulatory authorities as required, by providing the Controller with any publicly available documentation for the service provided under the Agreement or by complying with section 8 hereof. Additional support for data protection impact assessments or relations with Supervisory Authorities may be available and would require mutual agreement on fees, the scope of the Processor’s involvement, and any other terms that the Parties deem appropriate.

    17. Amendments

    Upon at least 30 (thirty) calendar days prior written notice to the other Party, either Party may request in writing any amendments to this DPA if they are required as a result of any change in applicable Data Protection Laws to allow the Processing of Personal Data to be made in compliance with such Data Protection Laws. Pursuant to such notice the Parties shall use commercially reasonable efforts to accommodate such required amendments and negotiate in good faith with a view to agreeing and implementing those or alternative amendments designed to address the requirements under applicable Data Protection Law as outlined in the relevant notice as soon as is reasonably practicable. Additionally, the Processor may amend this DPA from time to time without notice, provided that such amendments are not adverse in any material aspect with respect to the Controller’s rights or the Processor’s obligations. In case the Processor makes any material adverse amendments to the Controller’s rights or the Processor’s obligations, the Processor shall notify the Controller by sending an email.

ANNEX I - DESCRIPTION OF PERSONAL DATA TRANSFER

A. LIST OF PARTIES

__________
Role: Controller
Email: ____
Signature and date: ____

and

QUANTUM PM LLP
Role: Processor
Email: legal@qpm.ai
Signature and date: ____

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred: The categories of Data Subjects whose Personal Data is transferred are determined solely by the Controller. The Processor Processes Personal Data about the following categories of Data Subjects on behalf of the Controller: Controller’s employees, contractors, suppliers, and any other data subjects whose data the Controller extracts, transfers, and loads onto the servers while using services under the Agreement.

Categories of Personal Data transferred: The categories of Personal Data transferred are determined solely by the Controller. Usually, while using services under the Agreement, the Controller may transfer Personal Data which includes, but is not limited to:
- name and surname;
- contact information;
- _______

Sensitive Data: Non-applicable

The frequency of the transfer: Continuous basis

Nature of the Processing: The provision of services according to the Agreement.

Purpose(s) of the data transfer and further Processing: To provide services under the Agreement, to perform obligations under the DPA, to act according to the Controller’s instructions, provided they are consistent with the terms of the Agreement, and to comply with applicable laws.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Duration of the Agreement and as legally required.

For transfers to Subprocessors, also specify the subject matter, nature and duration of the Processing: The same subject matter, nature and duration of the Processing as specified above and in the Agreement and DPA.

Competent Supervisory Authority
The competent Supervisory Authority shall be __________________________.

ANNEX II - DESCRIPTION OF THE PROCESSING

Categories of Data Subjects whose Personal Data is processed:

The categories of Data Subjects whose Personal Data shall be processed are determined solely by the Controller. The Processor Processes Personal Data about the following categories of Data Subjects on behalf of the Controller: Controller’s employees, contractors, suppliers, and any other Data Subjects whose data the Controller extracts, transfers, and loads onto the servers while using services under the Agreement.

Categories of Personal Data processed:

The categories of Personal Data to be processed by the Processor are determined solely by the Controller. It is agreed by the Parties that the Processor shall Process the following categories of Personal Data on behalf of the Controller:

1) name and surname;
2) contact information;
3) _______

Nature of the Processing:

The Processor Processes Personal Data to provide the services under the Agreement and to communicate with the Controller about those services. It may include both automated and manual Processing of data.

Purpose(s) for which the Personal Data is processed on behalf of the Controller:

To provide services under the Agreement, to perform obligations under the DPA, to act according to the Controller’s instructions, provided they are consistent with the terms of the Agreement, and to comply with applicable laws.

Duration of the Processing:

The Processor will Process Personal Data for the duration of the Agreement and as legally required.

ANNEX III - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Processor must implement the following measures:

Measure: Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Description: Company will implement and maintain a documented set of disaster recovery policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a disaster.

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Description: Company performs periodic assessments to monitor its information security program to identify risks and ensure controls are operating effectively by performing internal audits and risk assessments. Company will engage qualified external auditors to perform assessments of its information security program against the ISO 27000 family of standards. Assessments will be conducted annually and evidence will be made available to the Customer pursuant to their respective Agreement.

Measure: Measures for user identification and authorisation
Description: Access to Personal Data is restricted to authorized Company personnel who are required to access Personal Data to perform functions as part of the delivery of services. Access to Personal Data must be through unique usernames and passwords and multi-factor authentication must be enabled. Access is disabled within one business day after an employee’s termination.

Measure: Measures for the protection of data during transmission
Description: Company will encrypt Personal Data in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256).

Measure: Measures for the protection of data during storage
Description: Personal Data is stored with Microsoft Azure. Data backups are encrypted. Personal Data is encrypted in transit and at rest using industry-standard encryption algorithms that are appropriate for the mechanism of transfer (e.g. TLS 1.2, AES-256).

Measure: Measures for ensuring physical security of locations at which personal data are processed
Description: Company will ensure that all physical locations that process, store, or transmit Personal Data are located in a secure physical facility. Company will review third-party security certifications of its third-party cloud hosting providers on at least an annual basis to ensure that appropriate physical security controls are in place.

Measure: Measures for ensuring events logging
Description: All access to information security management systems at Company is restricted, monitored, and logged. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID of the action performed. The level of additional detail to be recorded by each audit log will be proportional to the amount and sensitivity of the information stored and/or processed on that system. All logs are protected from change.

Measure: Measures for ensuring system configuration, including default configuration
Description: To prevent and minimize the potential for threats to Company’s systems, all cloud resource configurations are defined in a human-readable manifest and all changes go through the peer-review process and automated security validation. Special measures are taken to periodically verify that the actual state of resources matches the manifest.

Measure: Measures for internal IT and IT security governance and management
Description: IT Security Governance and Management structures and processes are designed to ensure compliance with data protection principles at their effective implementation. Company ensures that personnel that are authorized to access sensitive data are educated and trained accordingly.

Measure: Measures for certification/assurance of processes and products
Description: Company’s information security framework will be based on the ISO 27001 Information Security Management System and will cover the following areas: security risk management, policies and procedures, security incident management, access controls, vulnerability management, physical security, operational security, corporate security, infrastructure security, product security, business continuity disaster recovery, personnel security, security compliance, and vendor security.

Measure: Measures for ensuring data minimisation
Description: Company only collects information that is necessary in order to provide the services outlined in our Terms of Service and Privacy Policy. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand.

Measure: Measures for ensuring data quality
Description: Users who would like to exercise their rights under applicable law to update information which is out of date or incorrect may do so at any time using the relevant self-service form.

Measure: Measures for ensuring limited data retention
Description: Company will retain information for the period necessary to fulfil the purposes outlined in our Privacy Policy, unless a longer retention period is required or permitted by law, or where the Agreement requires or permits specific retention or deletion periods. Customer may request deletion of data at any time and Personal Data is deleted or anonymized upon termination of the Agreement.

Measure: Measures for ensuring accountability
Description: Company has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. Company has appointed a Data Protection Officer (“DPO”), who can be reached at dpo@qpm.ai.

Measure: Measures for allowing data portability and ensuring erasure
Description: Company provides a mechanism for individuals to exercise their privacy rights in accordance with applicable law. Individuals may contact the Company at any time through the customer’s support.

ANNEX IV – LIST OF SUBPROCESSORS

The Controller has authorized the use of the Subprocessors according to Annex I and IV:

Site usage tracking and analytics

Google Analytics (contact form, US): email, IP address.

Microsoft (contact form, other contact information here; US): email, IP address.

Cloud services provider

Microsoft (contact form, other contact information here; US): email, IP address.

User identity management provider

Microsoft (contact form, other contact information here; US): email, name.

Payment processing

Stripe (contact form, other contact information here; for most cases US, depends on jurisdiction, more information here): payment card information (Card number, Expiration date, CVC, Country).

Transactional and marketing email processing

SendGrid (privacy@twilio.com, other contact information here; depends on jurisdiction, more information here): email, name, IP address.

Service hosting and data backups

Microsoft Azure (contact form, other contact information here; US): storing databases, encrypted archives of backup data, and import files. This data is not readable by Microsoft.