
Data Processing Agreement

This DPA governs the processing of personal data by Quandry Labs on behalf of our clients, in accordance with applicable data protection legislation including the GDPR.

Effective: April 20, 2026 · Last updated: April 20, 2026

Contents

  • 1. Definitions
  • 2. Scope & Purpose
  • 3. Processor Obligations
  • 4. Sub-Processors
  • 5. Data Subject Rights
  • 6. Security Measures
  • 7. Breach Notification
  • 8. International Transfers
  • 9. Duration & Termination
  • 10. Audit Rights
  • Contact

1. Definitions

For the purposes of this Data Processing Agreement ("DPA"), the following definitions apply:

Controller

The Client entity that determines the purposes and means of the processing of Personal Data and enters into a service agreement with Quandry Labs.

Processor

Quandry Labs LLC, which processes Personal Data on behalf of the Controller pursuant to the service agreement and this DPA.

Data Subject

An identified or identifiable natural person whose Personal Data is processed under this DPA.

Personal Data

Any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the services.

Processing

Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

Sub-Processor

Any third party engaged by Quandry Labs to process Personal Data on behalf of the Controller.

Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

2. Scope & Purpose of Processing

This DPA applies to all processing of Personal Data by Quandry Labs in connection with the consulting, integration, and automation services provided under the applicable service agreement.

Subject matter

The processing of Personal Data necessary for Quandry Labs to deliver the services described in the Statement of Work, which may include access to, analysis of, and integration with client security systems containing Personal Data.

Duration

Processing continues for the duration of the service agreement, plus any retention period required by law or specified herein.

Nature and purpose

  • System integration and automation of security workflows
  • Data pipeline development and testing
  • AI model training and validation on client data (where specified in SOW)
  • Incident response support and investigation
  • Technical support and system maintenance

Categories of Data Subjects

  • Client employees and contractors
  • Client's end users and customers (where applicable)
  • Individuals whose data appears in security logs, alerts, and incident records

Types of Personal Data

  • Identifiers: names, email addresses, usernames, IP addresses, device identifiers
  • Authentication data: access logs, session tokens (not passwords)
  • Activity data: system logs, security alerts, network metadata
  • As further specified in the applicable SOW

3. Obligations of the Processor

Quandry Labs, as Processor, shall:

  1. Process only on documented instructions — process Personal Data only on documented instructions from the Controller, unless required by law (in which case, we will inform the Controller prior to processing unless prohibited by law)
  2. Ensure confidentiality — ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  3. Implement security measures — implement appropriate technical and organizational measures as described in Section 6
  4. Respect sub-processing conditions — engage Sub-Processors only in accordance with Section 4
  5. Assist with Data Subject rights — assist the Controller in responding to Data Subject requests as described in Section 5
  6. Assist with compliance obligations — assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations
  7. Delete or return data — at the choice of the Controller, delete or return all Personal Data upon termination, and certify deletion
  8. Demonstrate compliance — make available all information necessary to demonstrate compliance and support audits as described in Section 10
  9. Inform of conflicting instructions — immediately inform the Controller if, in our opinion, an instruction infringes applicable data protection law

4. Sub-Processors

Prior authorization

The Controller provides general written authorization for Quandry Labs to engage Sub-Processors. Quandry Labs shall:

  • Maintain a current list of Sub-Processors, available upon request
  • Notify the Controller of any intended addition or replacement of Sub-Processors at least 30 days in advance
  • Provide the Controller with the opportunity to object to the engagement of a new Sub-Processor

Objection right

If the Controller objects to a new Sub-Processor on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected services without penalty.

Sub-Processor obligations

Quandry Labs shall impose on each Sub-Processor, by way of contract, data protection obligations no less protective than those set out in this DPA. Quandry Labs remains fully liable for the performance of each Sub-Processor's obligations.

5. Data Subject Rights

Quandry Labs shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including:

  • Access — locating and providing copies of Personal Data
  • Rectification — correcting inaccurate data in our systems
  • Erasure — deleting Personal Data where required
  • Restriction — marking data to restrict future processing
  • Portability — exporting data in a structured, machine-readable format
  • Objection — ceasing specific processing activities

If a Data Subject contacts Quandry Labs directly, we shall promptly redirect the request to the Controller and not respond directly unless authorized.

Quandry Labs shall respond to Controller assistance requests within 10 business days, or sooner where required by applicable law.

6. Security Measures

Quandry Labs implements and maintains technical and organizational security measures appropriate to the risk, including:

  • Encryption — AES-256 at rest, TLS 1.3 in transit
  • Access control — role-based access, least privilege, multi-factor authentication with hardware keys
  • Monitoring — continuous security monitoring, intrusion detection, immutable audit logs
  • Availability — redundant infrastructure, regular backups, tested disaster recovery
  • Testing — regular vulnerability scanning, annual penetration testing, security code review
  • Personnel — background checks, security training, confidentiality agreements

For full details of our security practices, see our Security Practices page.

Quandry Labs shall regularly assess and update these measures to account for evolving risks, technology changes, and regulatory requirements.

7. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA, Quandry Labs shall:

72-hour notification — notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach.

The notification shall include, to the extent available:

  1. A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
  2. The name and contact details of the point of contact for further information
  3. A description of the likely consequences of the breach
  4. A description of the measures taken or proposed to address the breach, including mitigation of adverse effects

Where information is not immediately available, it shall be provided in phases without undue delay. Quandry Labs shall cooperate fully with the Controller's investigation and regulatory notification obligations.

Quandry Labs shall document all Data Breaches, including facts, effects, and remedial actions taken, regardless of whether notification to the Controller is required.

8. International Data Transfers

Quandry Labs is based in the United States. Where Personal Data originating from the EEA, UK, or Switzerland is transferred to the US for processing, the following safeguards apply:

  • Standard Contractual Clauses (SCCs) — the EU Commission's Standard Contractual Clauses for international transfers (Module Two: Controller to Processor) are incorporated by reference into this DPA
  • UK International Data Transfer Addendum — for transfers of UK personal data, the UK Addendum to the EU SCCs issued by the Information Commissioner's Office applies alongside the SCCs
  • Supplementary measures — encryption in transit and at rest, access controls, contractual commitments, and transparency reporting

Quandry Labs shall not transfer Personal Data to any country outside the EEA unless appropriate safeguards are in place and the Controller has been informed of the transfer.

Sub-Processors located outside the EEA are subject to equivalent transfer mechanisms before any Personal Data is shared with them.

9. Duration & Termination

Duration

This DPA is effective from the date of the applicable service agreement and remains in force for as long as Quandry Labs processes Personal Data on behalf of the Controller.

Upon termination

Upon termination or expiration of the service agreement, Quandry Labs shall, at the Controller's election:

  • Return — return all Personal Data to the Controller in a structured, commonly used format; or
  • Delete — securely delete all Personal Data and certify deletion in writing within 30 days

Quandry Labs may retain Personal Data only to the extent required by applicable law, and only for the duration required. Any retained data remains subject to this DPA.

Survival

Confidentiality obligations and data protection commitments survive termination for as long as any Personal Data remains in Quandry Labs' possession.

10. Audit Rights

The Controller has the right to verify Quandry Labs' compliance with this DPA through:

  • Documentation review — Quandry Labs shall make available policies, procedures, and certifications demonstrating compliance
  • Third-party audits — the Controller may review SOC 2 Type 2 reports, ISO 27001 certifications, and penetration test summaries
  • On-site audits — upon 30 days written notice, the Controller (or an independent auditor bound by confidentiality) may conduct an audit of relevant facilities and systems, no more than once per year unless a Data Breach has occurred

Quandry Labs shall cooperate with and provide reasonable assistance for audits. The Controller shall bear the costs of any audit it initiates, except where the audit reveals material non-compliance, in which case Quandry Labs shall bear the costs.

Contact

Quandry Labs LLC — Data Protection
Registered in the State of Delaware
Email: [email protected]
Response time: within 10 business days

Need a signed copy?

We can provide a countersigned DPA for your engagement. Reach out and we'll send an executable version within 48 hours.

© 2026 Quandry Labs · All rights reserved · v1.0