**Version: 1.0**  
**Effective Date: November 17, 2025**

This Data Processing Agreement ("DPA") forms an integral part of the Terms and Conditions ("Agreement") between:

**Data Processor:**  
QuantixAI s.r.o.  
IČO 57306290  
Svatoplukova 15, 903 01  
Senec, Slovak Republic  
("Processor", "we", "us", "our")

**Data Controller:**  
The Customer as identified in the Agreement  
("Controller", "you", "your")

(each a "Party" and collectively the "Parties")

This DPA is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR") and governs the Processing of Personal Data by the Processor on behalf of the Controller.

---

## 1. Definitions

Terms not defined herein shall have the meaning set forth in the GDPR. Additionally:

- **"Authorized Persons"**: Processor's employees, contractors, or agents authorized to Process Personal Data
- **"Data Protection Laws"**: GDPR and any applicable national data protection laws
- **"Personal Data"**: Any personal data Processed by the Processor on behalf of the Controller pursuant to the Agreement
- **"Personal Data Breach"**: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
- **"Processing"**: Any operation performed on Personal Data as defined in GDPR Article 4(2)
- **"Security Incident"**: Any actual or suspected unauthorized access to or acquisition of Personal Data
- **"Services"**: The services provided by Processor as described in the Agreement
- **"Standard Contractual Clauses (SCCs)"**: The standard contractual clauses approved by the European Commission for data transfers
- **"Sub-processor"**: Any third party engaged by Processor to Process Personal Data
- **"Technical and Organizational Measures (TOMs)"**: Security measures implemented to protect Personal Data

---

## 2. Relationship of the Parties

### 2.1 Independent Controller Determination
The Controller has independently determined the purposes and means of Processing Personal Data.

### 2.2 Processor Obligations
The Processor shall Process Personal Data only as a Processor on behalf of and for the benefit of the Controller.

### 2.3 Individual Instructions
The Parties acknowledge that this DPA along with the Agreement constitute the Controller's complete and final documented instructions to the Processor regarding the Processing of Personal Data. Any additional or alternate instructions must be agreed in writing.

---

## 3. Duration and Termination

### 3.1 Duration
This DPA shall remain in effect for the duration of the Agreement and as long as the Processor Processes Personal Data on behalf of the Controller.

### 3.2 Termination
This DPA shall automatically terminate upon termination of the Agreement, subject to survival provisions in Section 14.

### 3.3 Post-Termination Processing
Upon termination, the Processor shall, at the Controller's written instruction:
- Return all Personal Data to the Controller in a commonly used, machine-readable format
- Securely delete all Personal Data and existing copies within 90 days
- Provide written certification of deletion
- Retain Personal Data only if required by applicable law, in which case the Processor shall inform the Controller and maintain confidentiality

---

## 4. Nature, Purpose, and Scope of Processing

### 4.1 Nature of Processing
The Processor shall perform the following Processing activities:
- Collection and storage of data uploaded by Controller
- Computational processing for time-series analysis
- Machine learning model training (on aggregated data only)
- Statistical analysis and forecasting
- Data visualization and report generation
- Backup and disaster recovery operations
- Technical support and troubleshooting

### 4.2 Purpose of Processing
Personal Data shall be Processed solely for:
- Providing the Services as described in the Agreement
- Maintaining and improving Service performance
- Ensuring Service security and integrity
- Complying with legal obligations
- Providing customer support

### 4.3 Duration of Processing
Personal Data shall be Processed for the duration specified in Section 3.

### 4.4 Types of Personal Data
The following categories of Personal Data may be Processed:
- **Identity Data**: Names, usernames, employee IDs
- **Contact Data**: Email addresses, phone numbers
- **Account Data**: Account credentials, preferences, settings
- **Technical Data**: IP addresses, browser types, device identifiers
- **Usage Data**: Service interaction logs, feature usage patterns
- **Business Data**: Company information, job titles, departments
- **Content Data**: Any Personal Data contained within uploaded datasets

### 4.5 Categories of Data Subjects
- Controller's employees and staff
- Controller's customers and end-users
- Controller's business partners
- Other individuals whose data is included in Controller's datasets

---

## 5. Processor Obligations

### 5.1 Compliance with Instructions
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Immediately inform the Controller if instructions infringe Data Protection Laws
- Not Process Personal Data for any purpose other than providing the Services

### 5.2 Confidentiality
The Processor shall:
- Ensure all Authorized Persons are subject to enforceable confidentiality obligations
- Limit access to Personal Data to Authorized Persons who need to know
- Provide regular training on data protection to Authorized Persons

The Processor remains liable for actions and omissions of its Authorized Persons as if they were its own.

### 5.3 Security of Processing
The Processor shall implement and maintain the Technical and Organizational Measures specified in Annex 1.

### 5.4 Data Subject Rights
The Processor shall:
- Promptly notify the Controller of any data subject request received
- Not respond directly to data subjects without Controller's written authorization
- Assist the Controller in fulfilling data subject rights requests within 10 business days
- Implement technical measures to support data portability, rectification, and erasure

### 5.5 Data Protection Impact Assessment
The Processor shall provide reasonable assistance for the Controller's:
- Data Protection Impact Assessments (DPIAs)
- Prior consultations with supervisory authorities

### 5.6 Personal Data Breach Notification
The Processor shall:
- Notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data Breach
- Provide the following information:
  - Nature of the breach and categories of data affected
  - Estimated number of data subjects concerned
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
  - Contact details for further information
- Maintain a record of all Personal Data Breaches
- Cooperate with the Controller in investigating and remediating breaches

### 5.7 Data Protection Officer
The Processor shall designate a data protection contact point:
- Email: privacy@quantix-ai.eu
- Response time: Within 48 business hours

### 5.8 Records of Processing Activities
The Processor shall maintain complete and accurate records of all Processing activities as required by GDPR Article 30.

---

## 6. Sub-processors

### 6.1 General Authorization
The Controller provides general authorization for the Processor to engage Sub-processors, subject to the requirements in this Section.

### 6.2 Current Sub-processors
The Controller acknowledges and approves the use of the following Sub-processors:

| Sub-processor | Purpose | Location | Data Transferred |
|--------------|---------|-----------|------------------|
| Auth0 Inc. (Okta) | Authentication & Identity Management | USA | User credentials, email, IP addresses |
| Paddle.com Market Ltd. | Payment Processing | UK | Billing information, email |
| Hetzner Online GmbH | Cloud Infrastructure | Germany | All Service data |
| Scaleway | Cloud Infrastructure | Poland | Service data |
| SmartSelling a.s. | Email Notifications & Email Marketing | Czech Republic | Email addresses, notification content, marketing preferences |
| Google LLC (Google Analytics) | Website Analytics | USA | Website usage data, IP addresses (anonymized) |

### 6.3 Sub-processor Requirements
The Processor shall:
- Enter into written agreements with Sub-processors imposing equivalent data protection obligations
- Remain fully liable for Sub-processor performance
- Conduct annual assessments of Sub-processor compliance

### 6.4 Notification of Changes
The Processor shall:
- Maintain a current list of Sub-processors at www.quantix-ai.eu/sub-processors
- Notify the Controller via email 30 days before adding or replacing Sub-processors
- Provide the following information:
  - Sub-processor name and location
  - Processing activities to be performed
  - Safeguards for international transfers

### 6.5 Objection Rights
The Controller may object to new Sub-processors within 14 days by providing reasonable grounds related to data protection. If objection cannot be resolved within 30 days, the Controller may terminate the affected Services.

---

## 7. International Data Transfers

### 7.1 Transfer Mechanisms
For transfers outside the EEA, the Processor shall ensure:
- Adequacy decision coverage, or
- Standard Contractual Clauses (Module 2: Controller to Processor), or
- Other valid transfer mechanism under Chapter V of GDPR

### 7.2 Transfer Impact Assessment
The Processor has conducted and maintains a Transfer Impact Assessment (TIA) confirming adequate protection levels.

### 7.3 Supplementary Measures
Where necessary, the Processor implements supplementary measures including:
- Encryption in transit and at rest
- Pseudonymization where possible
- Strict access controls
- Contractual commitments from Sub-processors regarding government access requests

### 7.4 Transparency
The Processor shall:
- Notify the Controller of any legally binding request for disclosure by authorities
- Challenge such requests if legally permissible
- Provide information about government access laws in relevant jurisdictions

---

## 8. Security Measures

### 8.1 Technical and Organizational Measures
The Processor implements the measures detailed in Annex 1, including but not limited to:
- Industry-standard encryption (AES-256 at rest, TLS 1.2+ in transit)
- Multi-factor authentication
- Role-based access controls
- Network segmentation
- Intrusion detection systems
- Regular security updates and patches

The Processor may update the TOMs as necessary, provided such changes do not materially diminish the protection of Personal Data. Controller shall be notified of material changes in advance.

### 8.2 Security Assessments
The Processor shall:
- Conduct annual security assessments
- Perform penetration testing bi-annually
- Promptly remediate identified vulnerabilities

### 8.3 Business Continuity
The Processor maintains:
- Business continuity and disaster recovery plans
- Regular backups with geographic redundancy
- Recovery Time Objective (RTO): 24 hours
- Recovery Point Objective (RPO): 4 hours

---

## 9. Audit Rights

### 9.1 Information and Audit
The Controller may exercise audit rights through:
- Annual questionnaires
- Review of certifications and audit reports
- On-site audits (once per year with 30 days notice)

### 9.2 Audit Procedures
- Audits shall be conducted during business hours
- Controller shall minimize disruption to Processor's operations
- Costs borne by Controller unless material non-compliance is found
- All auditors must sign confidentiality agreements

### 9.3 Third-Party Audits
The Controller may accept third-party certifications (ISO 27001, SOC 2) in lieu of audits.

---

## 10. Liability and Indemnification

### 10.1 Liability Allocation
Each Party's liability shall be determined in accordance with Article 82 GDPR and the limitation of liability provisions in the Agreement.

### 10.2 Indemnification
The Processor shall indemnify the Controller against damages resulting from:
- Processing beyond or contrary to Controller's instructions
- Breach of direct GDPR obligations applicable to Processors
- Failure to implement appropriate security measures

### 10.3 Insurance
The Processor maintains cyber liability insurance with minimum coverage of €2,000,000 per incident.

---

## 11. Controller Obligations

The Controller warrants and represents that:
- It has lawful basis for Processing Personal Data
- It has provided necessary notices to Data Subjects
- Its instructions comply with Data Protection Laws
- It will maintain records of processing activities
- It will cooperate with the Processor in compliance efforts

---

## 12. Specific Jurisdictional Provisions

### 12.1 California Privacy Rights (CCPA/CPRA)
For Controllers subject to California privacy laws:
- The Processor acts as a "Service Provider"
- Personal Information will not be "sold" or "shared" as defined by CCPA/CPRA
- Processing is limited to the specific business purposes in the Agreement
- The Processor will assist with consumer rights requests
- Deletion rights will be honored within 30 days

### 12.2 UK Data Protection
For UK Controllers:
- This DPA complies with UK GDPR
- References to GDPR include UK GDPR where applicable
- The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, applies to restricted transfers from the UK

### 12.3 Swiss Data Protection
For Swiss Controllers:
- This DPA complies with the Swiss Federal Act on Data Protection
- The EU SCCs, with the adaptations required by the Swiss Federal Data Protection and Information Commissioner (FDPIC), apply to transfers from Switzerland

---

## 13. Miscellaneous

### 13.1 Order of Precedence
In case of conflict:
1. Mandatory Data Protection Laws
2. This DPA
3. The Agreement
4. Other contractual documents

### 13.2 Amendments
Modifications to this DPA must be in writing and signed by both Parties.

### 13.3 Severability
If any provision is invalid, the remaining provisions continue in full force.

### 13.4 Entire Agreement
This DPA constitutes the complete agreement regarding Personal Data Processing.

---

## 14. Survival

The following provisions survive termination:
- Post-termination data handling (Section 3.3)
- Confidentiality obligations
- Liability and indemnification provisions
- Any provisions necessary for exercise of surviving rights

---

## 15. Governing Law and Jurisdiction

### 15.1 Governing Law
This DPA is governed by the laws of the Slovak Republic.

### 15.2 Jurisdiction
Disputes shall be submitted to the exclusive jurisdiction of the courts of Bratislava, Slovak Republic.

---

## Signatures

By accepting the Agreement incorporating this DPA, the Parties agree to comply with all terms herein.

**Data Controller:**  
_[Automatically accepted upon Agreement acceptance]_

**Data Processor:**  
QuantixAI s.r.o.  
_[Pre-signed on behalf of Processor]_

---

## ANNEX 1: Technical and Organizational Measures (TOMs)

### A. Technical Measures

#### 1. Data in Transit Protection
- **TLS Encryption**: All data transmissions protected using TLS 1.2 or TLS 1.3; older protocol versions are not offered
- **TLS Certificates**: Valid X.509 certificates issued by Let's Encrypt with automatic renewal
- **Cipher Suites**: Strong encryption ciphers
- **HTTPS Enforcement**: The HTTP Strict Transport Security (HSTS) header instructs browsers to connect only over HTTPS for the policy lifetime
- **Protocol**: All API endpoints accessible only via HTTPS

#### 2. Data at Rest Protection
- **File Storage Encryption**: Server-side encryption (AES-256) for all stored data and machine learning models stored in S3-compatible object storage
- **Database Security**: PostgreSQL database isolated on private network with firewall restrictions, accessible only from authorized application servers

#### 3. Access Control
- **Authentication**: Redis queue system protected with password authentication
- **Network Isolation**: Database port restricted to specific internal IP addresses via firewall (UFW)
- **Domain Restriction**: API accessible only via authorized domain name; direct IP access blocked
- **Credential Management**: All credentials stored in environment variables, not in source code

#### 4. Network Security
- **Reverse Proxy**: Nginx reverse proxy deployed to protect backend application servers
- **Rate Limiting**:
  - **Training endpoints**: 1 request per minute (burst: 2)
  - **Forecast endpoints**: 10 requests per second (burst: 20)
  - **General endpoints**: 10 requests per second (burst: 20)
- **Firewall**: UFW (Uncomplicated Firewall) configured to allow only necessary ports (80 for HTTP, 443 for HTTPS; 5432 restricted to the internal network)

#### 5. Application Security Headers
- **X-Frame-Options**: SAMEORIGIN (prevents clickjacking)
- **X-Content-Type-Options**: nosniff (prevents MIME type sniffing)
- **X-XSS-Protection**: `1; mode=block` (legacy header; enabled with blocking mode)
- **Strict-Transport-Security**: max-age=31536000 with includeSubDomains
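The transport, domain-restriction, rate-limiting and header controls listed in sections A.1, A.3, A.4 and A.5 above map directly onto an Nginx reverse-proxy configuration. The following is an added example of such a configuration and is not QuantixAI's own configuration; the hostname `api.example.com`, the path prefixes `/api/train` and `/api/forecast`, the zone names, the backend address `127.0.0.1:8000` and the certificate paths are assumptions made for illustration.

```nginx
# Added example, not the Processor's own configuration. Hostname, paths, zone
# names, backend address and certificate paths are assumptions.

# Section A.4: rate-limit zones keyed on the client IP, using the rates from
# Annex 1. Zone names and the 10 MB shared-memory size are assumed.
limit_req_zone $binary_remote_addr zone=training:10m rate=1r/m;
limit_req_zone $binary_remote_addr zone=forecast:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=general:10m  rate=10r/s;
limit_req_status 429;

# Section A.3: requests that do not carry the authorized hostname (for example
# direct access by IP address) hit this default server and get no response.
# ssl_reject_handshake (nginx >= 1.19.4) drops the TLS handshake so no
# placeholder certificate is needed on port 443.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Port 80 (open in UFW) only redirects to HTTPS; no content is served in clear.
server {
    listen 80;
    server_name api.example.com;                  # assumption: authorized API hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.example.com;

    # Section A.1: TLS 1.2/1.3 only; Let's Encrypt certificate paths assumed.
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Section A.5: response headers. "always" also emits them on 4xx/5xx.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Forward the client address to the backend (the backend must not trust
    # these headers from any source other than this proxy).
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Section A.4: per-route limits. "nodelay" rejects requests over the burst
    # immediately with 429 instead of queueing them.
    location /api/train {
        limit_req zone=training burst=2 nodelay;
        proxy_pass http://127.0.0.1:8000;         # assumption: backend app server
    }
    location /api/forecast {
        limit_req zone=forecast burst=20 nodelay;
        proxy_pass http://127.0.0.1:8000;
    }
    location / {
        limit_req zone=general burst=20 nodelay;
        proxy_pass http://127.0.0.1:8000;
    }
}
```

Two points a reviewer of such a configuration would check. First, `add_header` directives are inherited by a `location` only when that location declares no `add_header` of its own, so adding a single header inside `/api/train` would silently drop all four listed here for that route; keep the headers at server level or repeat the full set. Second, `$binary_remote_addr` is the address of the TCP peer: if another proxy or load balancer sits in front of Nginx, every request shares one address and the whole service is rate-limited as a single client, so the real client address must be restored (for example with the `ngx_http_realip_module`) before these zones mean anything. Note also that `X-XSS-Protection` is a legacy header that current Chromium and Firefox releases ignore; `Content-Security-Policy` is the mechanism that actually constrains script execution today.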

#### 6. Monitoring and Maintenance
- **TLS Certificate Renewal**: Automated certificate renewal configured (Let's Encrypt certificates are valid for 90 days and are auto-renewed before expiration)
- **Security Updates**: Regular system and container image updates
- **Logging**: Nginx access and error logs maintained for security monitoring

#### 7. Data Processing Locations
- **API Server**: Located at secure data center
- **Database Server**: Private network infrastructure
- **Object Storage**: S3-compatible storage with encryption at rest

### B. Organizational Measures

#### 1. Incident Management
- **Detection**: Log monitoring, anomaly detection
- **Breach Notification**: Defined process for notifying Controller within 48 hours
- **Lessons Learned**: Post-incident reviews and improvement implementation

---

## ANNEX 2: Data Processing Details

### Processing Activities

| Activity | Purpose | Legal Basis | Retention Period |
|----------|---------|-------------|------------------|
| User Authentication | Service access | Contract performance | Duration of account + 30 days |
| Usage Analytics | Service improvement | Legitimate interest | 24 months |
| Support Tickets | Customer assistance | Contract performance | Resolution + 12 months |
| Billing Records | Payment processing | Legal obligation | 7 years |
| Security Logs | Security monitoring | Legitimate interest | 12 months |
| Backup Data | Business continuity | Legitimate interest | 30 days rolling |

### Data Categories and Subjects

| Data Category | Data Subjects | Purpose |
|---------------|---------------|---------|
| Identity Data | Controller employees | Account management |
| Contact Data | Controller staff | Communications |
| Authentication Data | System users | Access control |
| Usage Data | Service users | Performance monitoring |
| Business Data | Controller customers | Service delivery |
| Technical Data | All users | Security and troubleshooting |

---

## ANNEX 3: Standard Contractual Clauses

[Incorporated by reference: Commission Implementing Decision (EU) 2021/914 of 4 June 2021]

The Standard Contractual Clauses for transfers of personal data to third countries pursuant to Regulation (EU) 2016/679 are hereby incorporated where applicable, with the following parameters:

- **Module Applied**: Module Two (Controller to Processor)
- **Clause 7**: Optional docking clause is included
- **Clause 9**: Option 2 (General written authorization)
- **Clause 11**: Optional redress clause is not included
- **Clause 17**: Option 1 (Slovak Republic)
- **Clause 18**: Courts of Slovak Republic

---

**Version History:**

| Version | Date | Changes |
|---------|------|---------|
| 1.0 | November 17, 2025 | Initial release |

---

*This DPA is executed as part of and incorporated into the Agreement between the Parties.*