Data Processing Addendum

This template describes the terms under which QDES processes personal data contained in Customer Data when providing a QDES product or service to a customer, in support of the customer's obligations under the GDPR and other applicable data protection law.

For the purposes of this DPA, the customer acts as the data controller for any personal data it submits to a QDES product, and QDES acts as the data processor, processing that data only on the customer's documented instructions, except where required otherwise by law.

QDES processes Customer Data solely to provide, maintain, and support the contracted product or service, and not for any other purpose, including not for training models for other customers, unless separately agreed in writing.

QDES ensures that personnel authorised to process Customer Data are bound by appropriate confidentiality obligations.

QDES applies appropriate technical and organisational measures designed to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, taking into account the nature and risk of the processing involved.

QDES may engage sub-processors — including hosting providers and, where a customer opts in, third-party AI providers such as OpenAI, Anthropic, or Google — to support service delivery. QDES remains responsible for sub-processors' compliance with data protection obligations equivalent to those in this DPA. A current list of sub-processors is available on request.

[Placeholder — to be completed per engagement.] Where personal data is transferred outside the European Economic Area, QDES will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses, or another lawful basis recognised under the GDPR.

QDES will provide reasonable assistance to the customer in responding to requests from data subjects seeking to exercise their rights under the GDPR, to the extent the customer cannot reasonably fulfil such requests independently.

On termination of the underlying service agreement, or upon the customer's written request, QDES will delete or return Customer Data within a reasonable period, except where retention is required by law.

[Placeholder — notification window to be agreed per engagement.] QDES will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide reasonably requested information to assist the customer in meeting its own breach-notification obligations.

QDES (CVR 42351830), Denmark. To request a completed, signable version of this DPA, contact info@qdes.org.