Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement (“Agreement”) between Quadrillion and Customer. Capitalized terms used but not defined in this DPA will have the meanings set forth in the Agreement. If there is any inconsistency or conflict between terms of DPA and the other terms of the Agreement, the terms of this DPA will control to the extent of such inconsistency or conflict.
1. Scope
1.1 Roles of Parties. With respect to Customer Personal Data, (a) Customer is the “controller” and “business” (as such terms are defined under applicable Data Protection Law) and Quadrillion is the “processor” and “service provider” (as such terms are defined under applicable Data Protection Law). Each Party will comply with its respective obligations under applicable privacy and data protection law (“Data Protection Law”) in connection with the Services and Customer Personal Data.
1.2 Scope of Processing. The subject matter, nature and purpose of Quadrillion’s Processing of Customer Personal Data, the types of Customer Personal Data Processed by Quadrillion, and categories of applicable data subjects are set out in Schedule I.
2. Customer Personal Data
2.1 Customer Personal Data Processing. Quadrillion will only Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions, which are set forth in this DPA, the Agreement, applicable Order or otherwise provided by Customer to Quadrillion in writing (“Documented Instructions”). Unless prohibited by applicable Law, Quadrillion will inform Customer if Quadrillion is subject to a legal obligation that requires Quadrillion to Process Customer Personal Data in contravention of Customer’s Documented Instructions.
2.2 Quadrillion Responsibilities. Quadrillion will not (a) “sell” or “share” (as such terms are defined in the California Consumer Privacy Act (“CCPA”)) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than in accordance with the Documented Instructions, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Quadrillion, nor (d) except as otherwise permitted under applicable Data Protection Law, combine Customer Personal Data with personal data that Quadrillion receives from or on behalf of any third party.
3. Subprocessors
3.1 Authorization. Customer provides general authorization for Quadrillion to engage the following subprocessors as described at https://trust.quadrillion.io/subprocessors (“Subprocessors”). Quadrillion will (a) enter into a contractual agreement with each Subprocessor that imposes data protection obligations that are substantially as protective as Quadrillion’s obligations under this DPA to the extent applicable to the nature of the services provided by such Subprocessor and (b) remain responsible for the acts and omissions of the Subprocessors’ Processing of Customer Personal Data under this DPA.
3.2 Notice of New Subprocessors. Quadrillion will provide Customer reasonable advance notice prior to appointing any new Subprocessor. Customer may object to the appointment of such new Subprocessor within 15 days of the date of such notice on reasonable privacy or security grounds by providing Quadrillion written notice of its objection. In the event that Customer objects to Quadrillion’s appointment of a new Subprocessor, Customer and Quadrillion will work together in good faith to address any such objection.
4. Assistance
4.1 Data Subject Rights. Quadrillion will (a) promptly forward to Customer any request it receives from “data subjects” or “consumers” (as such terms are defined under applicable Data Protection Law) to exercise their rights under applicable Data Protection Law relating to Customer Personal Data, (b) advise such data subjects and consumers to submit such requests directly to Customer, and (c) provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws to respond to such requests.
4.2 Cooperation. Taking into account the nature of the Processing, Quadrillion will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws, including to conduct data protection impact assessments and consultations with regulatory authorities. Quadrillion may charge Customer a reasonable fee for such assistance under this Section 4.2.
5. Security
5.1 Security Measures. Quadrillion has implemented and will maintain reasonable and appropriate security measures designed to protect Customer Data as described on Quadrillion’s Trust Center available at https://trust.quadrillion.io/. The Parties acknowledge that the Security Measures provide an appropriate level of security for the risks of the Processing of Customer Personal Data under the Agreement. Quadrillion may update or modify the Security Measures provided that such updates and modifications do not materially decrease the overall security of the Services.
5.2 Security Incident. Quadrillion will notify Customer of any Security Incident in accordance with Section 6.2 of the Agreement.
5.3 Audits. Upon Customer’s written request, no more than once every 12 months, Quadrillion will permit Customer to audit Quadrillion’s controls applicable to its Processing of Customer Personal Data and compliance with this DPA (“Audit”), provided that such Audit is conducted at Customer’s sole cost, during normal business hours, in a manner that causes minimal disruption, and in accordance with mutually agreed upon scope and terms.
6. International Data Transfers
6.1 Data Transfers. Customer authorizes Quadrillion to conduct transfers of Customer Personal Data to countries deemed to have an adequate level of data protection by the European Commission or the applicable competent regulatory authority on the basis of adequate safeguards in accordance with Data Protection Law or pursuant to (a) the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time (“EU SCCs”) or (b) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time (“UK Addendum”).
6.2 EU Data Transfers. For transfers of Customer Personal Data from the European Union, Quadrillion and Customer conclude Module 2 (controller-to-processor) of the EU SCCs and, if Customer is a processor on behalf of a third-party controller, Module 3 (Processor-to-Subprocessor) of the EU SCCs, which are incorporated herein and completed as follows: (a) the “data exporter” is Customer; (b) the “data importer” is Quadrillion; (c) the optional docking clause in Clause 7 is implemented; (d) option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 3.2; (e) the optional redress clause in Clause 11(a) is struck; (f) option 1 in Clause 17 is implemented; (g) the governing law is the law of Ireland and the courts in Clause 18(b) are the Courts of Dublin, Ireland; and (h) Annex I and Annex II to Module 2 and 3 of the EU SCCs are Schedule I and the Security Measures respectively. For transfers of Customer Personal Data from Switzerland, any dispute arising from these EU SCCs relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland and data subjects who have their habitual residence in Switzerland may bring claims under the EU SCCs before the courts of Switzerland.
6.3 UK Data Transfers. For transfers of Customer Personal Data from the United Kingdom, Quadrillion and Customer conclude the UK Addendum, which is incorporated herein and completed as follows: (a) in Table 1, the “Exporter” is Customer and the “Importer” is Quadrillion, their details are set forth in this DPA and the Agreement; (b) in Table 2, the first option is selected and the “Approved EU SCCs” are the EU SCCs referred to in Section 6.2; (c) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Schedule I and the Security Measures respectively; and (d) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
Schedule I — Description of Processing
List of Parties
Data exporter. Name: Customer. Activities relevant to the data transferred under these Clauses: Customer receives the Services as described in the Agreement and Quadrillion provides Customer Personal Data to Quadrillion in that context. Role (controller/processor): Controller.
Data importer. Name: Quadrillion. Activities relevant to the data transferred under these Clauses: Quadrillion provides the Services to Customer as described in the Agreement and Processes Customer Personal Data on behalf of Customer in that context. Role (controller/processor): Processor on behalf of Customer.
Categories of Data Subjects
Customer and Customer’s users.
Categories of Personal Data Transferred
Customer Personal Data, the content of which is determined and controlled by Customer.
Sensitive Data Transferred (If Applicable)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A.
Frequency of the Transfer
The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the Processing
The Customer Personal Data will be processed and transferred as described in the Agreement and DPA.
Purpose(s) of the International Data Transfer and Further Processing
The Customer Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement and DPA.
Duration of Processing
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
Sub-Processor Transfers
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and DPA. The Processing will take place for the duration of the Agreement.
Competent Supervisory Authority
The competent authority for the Processing of Customer Personal Data relating to data subjects located in the EEA is the Supervisory Authority of Ireland.
The competent authority for the Processing of Customer Personal Data relating to data subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Customer Personal Data relating to data subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Technical and Organizational Measures
Quadrillion will implement security safeguards designed to protect the security, confidentiality and integrity of Personal Data as described on Quadrillion’s Trust Center available at https://trust.quadrillion.io/.
