Last updated: October 1, 2025

This DPA is incorporated into the QuantKey Terms of Service (the “Agreement”) when QuantKey processes Personal Data on your behalf. If there is a conflict, this DPA controls to the extent of the conflict. Capitalized terms not defined here have the meanings in the Agreement or GDPR.

1) Parties & Roles

Customer acts as Controller (or Processor where Customer processes on behalf of its own clients).

QuantKey Solutions LLC (“QuantKey”) acts as Processor (or Sub‑processor where Customer is a Processor).

2) Scope & Processing Instructions

QuantKey will process Personal Data only on documented instructions from Customer, including with respect to international transfers, and only for the duration, nature, purpose, categories of data, and data subjects described in Annex I. If QuantKey is required by law to process beyond these instructions, QuantKey will notify Customer unless legally prohibited. (GDPR Art. 28(3)).

3) Confidentiality & Personnel

QuantKey ensures persons authorized to process Personal Data are bound by confidentiality and receive appropriate training. (GDPR Art. 28(3)(b)).

4) Security

QuantKey will implement and maintain appropriate technical and organizational measures (“TOMs”) as set forth in Annex II (e.g., encryption in transit/at rest, access controls, logging, tenant isolation, vulnerability management, backups/DR). (GDPR Art. 28(3)(c)).

5) Sub‑processors

Customer authorizes QuantKey to use Sub‑processors listed at /legal/subprocessors (as updated from time to time). QuantKey shall:

(a) impose data‑protection terms no less protective than this DPA;

(b) remain liable for Sub‑processor actions; and

(c) provide advance notice of changes (see the Subprocessors page for change‑notice process and objection mechanism). (GDPR Art. 28(2)–(4)).

6) Assistance to Customer

QuantKey will, taking into account the nature of processing, assist Customer with:

(a) responding to Data Subject Requests;

(b) security of processing;

(c) breach notifications; and

(d) DPIAs and prior consultations with supervisory authorities. (GDPR Art. 28(3)(e)–(f)).

7) Return & Deletion

At termination or upon request, QuantKey will delete or return Personal Data (at Customer’s election) after the applicable retention period in the Agreement, unless law requires storage. (GDPR Art. 28(3)(g)).

8) Audits

QuantKey will make available information necessary to demonstrate compliance with this DPA and will allow for reasonable audits once per 12 months (or after a Security Incident) on 30 days’ notice, during normal business hours, under confidentiality, and without disrupting operations. To reduce burden, QuantKey may satisfy audit requests by providing independent audit reports and security documentation (e.g., penetration test summaries). (GDPR Art. 28(3)(h)).

9) International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the parties adopt the following transfer mechanisms:

EEA transfers: The 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914):

Module 2 (Controller → Processor) and Module 3 (Processor → Processor), as applicable, including the Article 28 terms incorporated into Modules 2/3. The SCCs (and Annexes) are incorporated by reference and deemed executed by the parties upon execution of this DPA.

UK transfers: The UK IDTA or the UK Addendum to the EU SCCs (as published by the UK ICO) applies, as elected by QuantKey, with Part 1 tables referencing this DPA and Annexes.

Swiss transfers: The EU SCCs apply with the Swiss Federal Act on Data Protection adaptations (references to EU law read as Swiss law where required).

If we adopt a successor transfer tool, we will notify Customer and implement it without undue delay.

10) U.S. State Privacy Addendum (Service Provider/Processor)

For Personal Data subject to U.S. state privacy laws (e.g., CA/CO/CT/VA/UT), QuantKey will act as a Service Provider/Processor and shall:

(a) process only for Customer’s purposes;

(b) not sell or share Personal Data;

(c) not combine Personal Data except as permitted to provide the Services;

(d) assist with consumer requests; and

(e) require Sub‑processors to meet equivalent obligations.

11) Security Incidents

QuantKey will notify Customer without undue delay after becoming aware of a Security Incident involving Personal Data and provide information to support Customer’s notification duties.

12) Liability; Order of Precedence

Each party’s liability under this DPA is subject to the limitations in the Agreement. If the SCCs, UK Addendum/IDTA, or this DPA conflict with the Agreement, the transfer tools and this DPA prevail.

13) Contact

Email:

[email protected]

US Mail:

QuantKey Solutions LLC
1930 18th St. NW
Ste B2 #1101
Washington, DC 20009

Annex I — Details of Processing

Subject matter: Provision of QuantKey SaaS platform and related services.

Duration: Subscription term + limited backup retention per Agreement.

Nature & purpose: Hosting, routing communications, analytics, automation, support.

Data subjects: Customer’s users; Customer’s end‑customers/leads/contacts.

Categories of data: Contact data; communications metadata; content uploaded by Customer; usage logs; (optional) call recordings; billing contact data.

Special categories: None expected; Customer will not submit special‑category data unless expressly enabled and subject to additional safeguards.

Cross‑border transfers: As described in Section 9.

Annex II — Technical & Organizational Measures Summary

Governance: Security policy; least‑privilege access; employee background checks; confidentiality agreements.

Encryption: TLS in transit; strong encryption at rest for primary datastores/recordings.

Access Controls: SSO/MFA for administrative access; role‑based permissions; session timeouts; IP allow‑listing (admin).

Isolation: Logical tenant separation; environment segregation (prod/non‑prod).

Monitoring & Logging: Centralized logs; alerting; anomaly detection; time‑synced systems.

Vulnerability Management: Secure SDLC; code review; dependency scanning; regular penetration testing; timely patching.

Backups/DR: Encrypted backups; tested restore; geo‑redundant infrastructure; RTO/RPO targets.

Data Minimization & Retention: Configurable retention; safe deletion/crypto‑erasure.

Third‑Party Risk: Vendor due diligence; SCCs/IDTA where required; least data necessary.

Incident Response: Playbooks; 24×7 escalation; customer notification workflows.

Data Subject Rights: Process to retrieve, correct, delete, and export data.

Annex III — Sub‑processors

See /legal/subprocessors (incorporated by reference, including change‑notice terms).