📋 How to execute this DPA
Email dpa@quantaseal.io with your organisation name, registered address, and contact details. We will send a countersigned copy within one business day. Enterprise customers on annual plans receive a pre-signed DPA in their onboarding pack.
1. Definitions
In this Data Processing Agreement ("DPA"):
- Controller: the entity that determines the purposes and means of processing Personal Data (you, the Customer).
- Processor: QuantaSeal Pty Ltd ABN 82 697 509 872, providing the QuantaSeal platform.
- Data Subject: the identified or identifiable natural person to whom Personal Data relates.
- Personal Data: any information relating to an identified or identifiable natural person processed under the Main Agreement.
- Processing: any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Sub-Processor: any third party engaged by the Processor to process Personal Data on the Controller's behalf.
- Services: the QuantaSeal post-quantum cryptography middleware platform as described in the Main Agreement.
- Main Agreement: the Terms of Service at quantaseal.io/terms or any executed Master Services Agreement.
- Applicable Data Protection Law: GDPR (EU 2016/679), UK GDPR, Australian Privacy Act 1988, and any other applicable data protection legislation.
- SCCs: Standard Contractual Clauses adopted by the European Commission Decision 2021/914.
2. Scope & Nature of Processing
This DPA applies to the processing of Personal Data by QuantaSeal (as Processor) on behalf of the Customer (as Controller) in connection with the Services.
- Subject matter: Encryption, key management, credential vaulting, and proxy operations on customer data.
- Duration: For the term of the Main Agreement.
- Nature of processing: Encryption, storage, transmission, and cryptographic operations.
- Purpose: Providing quantum-safe security services to the Controller.
- Types of Personal Data: As determined by the Controller; may include identifiers, credentials, health data, and financial data.
- Categories of Data Subjects: Employees, customers, and other individuals whose data the Controller chooses to encrypt.
QuantaSeal processes Personal Data only as necessary to provide the Services and only on documented instructions from the Controller. QuantaSeal does not sell, share, or use Personal Data for its own purposes.
3. Processor Obligations
QuantaSeal shall, in its capacity as Processor:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organisational security measures described in Section 5 of this DPA.
- Assist the Controller in fulfilling obligations to respond to Data Subject requests as described in Section 6.
- Notify the Controller of any Personal Data breach in accordance with Section 7.
- Delete or return all Personal Data upon termination of the Services in accordance with Section 8.
- Make available all information necessary to demonstrate compliance with the obligations in Article 28 GDPR, and allow for and contribute to audits as described in Section 10.
- Immediately inform the Controller if, in QuantaSeal's opinion, an instruction infringes Applicable Data Protection Law.
4. Sub-Processors
The Controller provides general written authorisation for QuantaSeal to engage Sub-Processors as listed at quantaseal.io/legal/sub-processors. QuantaSeal will:
- Give the Controller at least 30 days' prior written notice before adding or replacing a Sub-Processor.
- Impose data protection obligations on each Sub-Processor equivalent to those in this DPA.
- Remain fully liable to the Controller for Sub-Processor performance.
If the Controller objects to a new Sub-Processor, it may terminate the affected Service on written notice within 30 days. Current Sub-Processors are listed and maintained at quantaseal.io/legal/sub-processors.
5. Security Measures
QuantaSeal has implemented and maintains the following technical and organisational measures (Article 32 GDPR):
- Encryption at Rest: ML-KEM-768 + AES-256-GCM (NIST FIPS 203). All data encrypted before storage.
- Encryption in Transit: TLS 1.3 minimum. ML-DSA-65 payload signing (NIST FIPS 204).
- Key Management: Per-tenant AWS KMS CMKs. HSM-backed. Keys never leave the HSM boundary.
- Access Control: RBAC with principle of least privilege. MFA enforced for all staff.
- Audit Logging: Immutable SHA3-256 hash chain. Every data access event recorded.
- Vulnerability Management: Continuous SAST/DAST scanning. Annual third-party penetration test.
- Incident Response: 24/7 monitoring. Documented IRP. PagerDuty alerting.
- Business Continuity: RTO 4h / RPO 1h. Multi-AZ AWS deployment. Daily backups.
6. Data Subject Rights
QuantaSeal will assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
- Right of access, rectification, erasure, and restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
Requests from Data Subjects received directly by QuantaSeal will be forwarded to the Controller within 5 business days. QuantaSeal will provide reasonable assistance with technical measures necessary to comply with requests, at the Controller's expense.
7. Personal Data Breach
QuantaSeal will notify the Controller without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data breach. Notification will include:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected
- Name and contact details of the data protection officer or other contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach, including mitigation steps
Where not all information is available at the time of initial notification, QuantaSeal will provide it in phases as soon as reasonably practicable. The Controller remains responsible for all notifications to supervisory authorities and Data Subjects.
8. Deletion & Return
Upon termination or expiry of the Main Agreement, QuantaSeal will, at the Controller's election:
- Return all Personal Data to the Controller in a machine-readable format (JSON or CSV) within 30 days; or
- Securely delete all Personal Data using cryptographic erasure (key destruction) within 30 days and provide written certification.
Audit logs may be retained for up to 7 years as required by applicable law. Backup copies will be deleted within 90 days. QuantaSeal will provide a deletion certificate upon request.
9. International Transfers
Personal Data of EU/UK Data Subjects may be transferred outside the EEA/UK only under the following safeguards:
- Standard Contractual Clauses (SCCs): EC Decision 2021/914 Module 2 (Controller → Processor) are incorporated by reference and deemed executed as Annex III to this DPA.
- UK IDTA: The UK International Data Transfer Agreement (IDTA) is incorporated for transfers from the UK.
- Adequacy decisions: Transfers to countries with a European Commission adequacy decision.
QuantaSeal's primary data residency is ap-southeast-2 (Sydney, Australia). Enterprise customers may request data-residency-locked deployments in EU (eu-west-1) or US (us-east-1) regions. Contact dpa@quantaseal.io for region-specific DPA addenda.
10. Audits & Inspections
QuantaSeal will make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated independent auditor.
- Audit requests must be submitted in writing with at least 30 days' notice.
- Audits may not occur more than once per calendar year unless required by a supervisory authority.
- Costs of audits are borne by the Controller unless the audit reveals a material breach by QuantaSeal.
- As an alternative to on-site audits, QuantaSeal will provide its most recent SOC 2 Type II report, ISO 27001 certificate, and penetration test summary under NDA.
11. Duration & Termination
This DPA enters into force on the effective date of the Main Agreement and remains in effect for the duration of the Main Agreement. Termination of the Main Agreement automatically terminates this DPA, subject to survival clauses in this DPA.
Sections 7 (Breach Notification), 8 (Deletion), 10 (Audits), and any obligations arising under Applicable Data Protection Law survive termination.
12. Execution
This DPA is incorporated into and forms part of the Main Agreement. By accepting the Main Agreement (including via click-through acceptance), the Customer agrees to this DPA on behalf of the entity they represent.
For customers requiring a wet or DocuSign-executed copy with their specific company details, please contact:
QuantaSeal Pty Ltd
Adelaide, South Australia 5000, Australia
dpa@quantaseal.io
Standard turnaround: 1 business day. Enterprise SLA: same business day.