Data Processing Agreement (DPA) - Quantum Neuron

Effective Date: 13.05.2026 | Version: 2.0

This Data Processing Agreement (the “DPA”) forms part of, and is incorporated by reference into, the Master SaaS Agreement (the “Master Agreement”) entered into between:

Quantum Neuron Inc., a corporation incorporated and registered in the State of Delaware, United States of America, with its registered office at 169 Madison Ave STE 15768, New York, NY 10016, United States (“Quantum Neuron”, “we”, “us”);

and

the entity identified as “Client” in the Master Agreement (“Client”, “you”);

each a “Party” and together the “Parties”.

This DPA governs the processing of Personal Data by Quantum Neuron on behalf of the Client in connection with the provision of the Services under the Master Agreement. It is intended to comply with Regulation (EU) 2016/679 (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and the Data Protection Act 2018 (collectively, “Data Protection Laws”).

1. Definitions

Capitalized terms used in this DPA have the meanings set out below. Terms not defined herein have the meanings given to them in the Master Agreement or, if not defined therein, in the applicable Data Protection Laws.

“Anonymization” means the documented process applied by Quantum Neuron to Client Personal Data that is intended to be irreversible and to prevent, with reasonable certainty, the singling out of, linkability to, or inference about, any individual Data Subject, in line with the criteria set out by the European Data Protection Board (including, in particular, Opinion 05/2014 on Anonymisation Techniques), and which is subject to a documented manual verification step (“human check”) prior to any downstream use.

“Client Personal Data” means Personal Data processed by Quantum Neuron on behalf of the Client under the Master Agreement, excluding data processed by Quantum Neuron as an independent controller under Section 16 (Scope Exclusions).

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Special Categories of Personal Data” have the meanings given in the applicable Data Protection Laws.

“End-User” means a natural person interacting with the AI Persona deployed by the Client through any communication channel enabled by the Services.

“EU SCC” means the Standard Contractual Clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021, including any successor or replacement decision.

“Functional Scope Annex” has the meaning given to it in the Master Agreement.

“High-Risk AI Use Case” has the meaning given to it in the Master Agreement.

“Instructions” means the documented written instructions given by the Client to Quantum Neuron concerning the Processing of Client Personal Data, including the Master Agreement, this DPA, and any subsequent written instructions reasonably issued by the Client within the scope of the Services.

“Lead Data” means Personal Data relating to leads, prospects, recipients, customers or potential customers imported, uploaded, submitted, synchronized or otherwise made available by or on behalf of the Client for use in connection with the Services, including for inbound or outbound communications.

“Order Form” has the meaning given to it in the Master Agreement.

“Outbound Communications” means any marketing, sales, commercial, telemarketing, email, SMS, WhatsApp, Messenger, Instagram, voice, social media, messaging or other outbound communication initiated, automated, assisted or supported through the Services.

“Security Annex” means the Quantum Neuron Security Annex, an internal document describing in detail the technical and organizational measures implemented by Quantum Neuron, made available to the Client on request under appropriate confidentiality obligations.

“Services” means the services provided by Quantum Neuron to the Client pursuant to the Master Agreement.

“Sub-Processor” means any third party engaged by Quantum Neuron to Process Client Personal Data on behalf of the Client.

“Sub-Processor List” means the list of authorized Sub-Processors published and maintained by Quantum Neuron at https://quantumneuron.ai/legal/m26/subprocessors.

“Suppression Data” means opt-out records, unsubscribe records, objection records, suppression lists, communication preferences, do-not-contact indicators and similar data used to prevent or limit communications to Data Subjects.

“UK Addendum” means the International Data Transfer Addendum to the EU SCC issued by the United Kingdom Information Commissioner’s Office (Version B1.0) under Section 119A of the Data Protection Act 2018.

2. Roles and Scope

2.1 Roles of the Parties

The Parties acknowledge and agree that, in respect of the Processing of Client Personal Data under this DPA, the Client acts as the Controller and Quantum Neuron acts as the Processor. Where the Client itself acts as a processor on behalf of a third-party controller, Quantum Neuron shall be considered a sub-processor and the obligations in this DPA shall apply accordingly.

2.2 Scope of this DPA

This DPA applies exclusively to Processing of Client Personal Data carried out by Quantum Neuron on behalf of the Client in connection with the Services. It does not apply to the categories of data Processing described in Section 16 (Scope Exclusions), for which Quantum Neuron acts as an independent controller under its own privacy notice.

2.3 Description of Processing

The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data processed under this DPA are set out in Annex I.

2.4 Joint Controllership on Third-Party Platforms

The Client acknowledges that certain integrations with third-party platforms (including, without limitation, Meta’s Messenger, Instagram, WhatsApp Business, and Facebook) may result in joint controllership arrangements between the Client and such third parties under Article 26 EU GDPR, in accordance with the platform terms of the relevant provider. Quantum Neuron is not party to such joint controllership arrangements. The Parties acknowledge that the operational implementation of such joint controllership arrangements is the responsibility of the Client and the relevant third-party platform.

2.5 Client Acting as Processor

Where the Client acts as a processor on behalf of a third-party controller, including where the Client uses the Services to communicate with leads, prospects or customers on behalf of its own client, the Client represents that it is authorized to appoint Quantum Neuron as a sub-processor and to issue the Instructions set out in this DPA. The Client shall ensure that the relevant third-party controller has been informed of, and where required has consented to, the engagement of Quantum Neuron as a sub-processor.

3. Processing Instructions

3.1 Lawfulness and Instructions

Quantum Neuron shall Process Client Personal Data only on the basis of the documented Instructions of the Client, including with regard to any transfer of Client Personal Data to a third country or an international organization, unless required to do otherwise by European Union or Member State law to which Quantum Neuron is subject. In such case, Quantum Neuron shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2 Unlawful Instructions

Quantum Neuron shall immediately inform the Client if, in its opinion, an Instruction infringes applicable Data Protection Laws. In such case, Quantum Neuron is entitled to suspend the execution of the affected Instruction until it is confirmed or amended by the Client. This includes, without limitation, Instructions relating to unlawful Outbound Communications, unlawful use of Lead Data, processing without a required lawful basis, or communications to Data Subjects who have opted out or objected.

3.3 Controller Responsibilities

The Client represents and warrants that: (a) it has a valid lawful basis under Article 6 EU GDPR (and, where applicable, Article 9 EU GDPR) for the Processing of Client Personal Data by Quantum Neuron; (b) it has provided all notices and obtained all consents required under applicable Data Protection Laws, including notices to its own customers, employees, and End-Users concerning the Processing of their Personal Data through the Services; and (c) its Instructions to Quantum Neuron comply with applicable Data Protection Laws.

Where Client Personal Data includes Lead Data, contact lists, recipient data, phone numbers, email addresses, social media identifiers, Suppression Data or other data used for Outbound Communications, the Client represents and warrants that such data has been collected, sourced, imported, uploaded and used lawfully and that the Client has obtained and will maintain all lawful bases, notices, consents, permissions, opt-in records, opt-out records, suppression lists and other records required for the relevant processing activity, communication channel and jurisdiction. The Client remains solely responsible for determining whether its use of the Services for Outbound Communications is lawful under applicable data protection, ePrivacy, electronic communications, telemarketing, anti-spam, consumer protection and platform rules.

4. Special Categories of Personal Data

The Services are not specifically designed for the Processing of Special Categories of Personal Data within the meaning of Article 9 EU GDPR. The Client shall not submit such data to the Platform unless each of the following conditions is satisfied:

(a) the Client has a valid lawful basis under Article 9(2) EU GDPR and, where applicable, equivalent provisions of UK GDPR or national law;

(b) the Client has informed the relevant Data Subjects and obtained any consents required under applicable Data Protection Laws;

(c) the Client has activated the corresponding subscription tier or feature with Quantum Neuron, where offered; and

(d) the Parties have executed any supplementary terms, addenda, or technical and organizational safeguards reasonably required by Quantum Neuron in relation to the processing of such data.

Where the Client’s processing involves Special Categories of Personal Data on a regular or substantial basis, the Parties may execute a supplementary healthcare or sensitive data addendum establishing enhanced technical, organizational, and contractual safeguards. The Client bears full responsibility for ensuring that any Processing of Special Categories of Personal Data through the Services complies with applicable Data Protection Laws.

The Client shall not use the Services to infer, target, segment or conduct Outbound Communications based on Special Categories of Personal Data unless the conditions in this Section 4 are satisfied and the Parties have agreed supplementary terms.

5. Confidentiality and Personnel

Quantum Neuron shall ensure that its personnel and any other persons authorized to Process Client Personal Data:

• have been committed to confidentiality obligations, whether by contract or by an applicable statutory obligation of confidentiality, which shall survive termination of their engagement with Quantum Neuron;

• Process Client Personal Data only on the Instructions of the Client and on a strict need-to-know basis;

• have received appropriate training on their obligations regarding the protection of Personal Data; and

• are subject to user access management practices limiting access to Client Personal Data to what is strictly necessary for the performance of their duties.

6. Security of Processing

6.1 Technical and Organizational Measures

Quantum Neuron shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the Processing, in accordance with Article 32 EU GDPR and equivalent provisions of UK GDPR. A summary description of such measures is set out in Annex II. A more detailed description is set out in the Security Annex, which is made available to the Client on request under appropriate confidentiality obligations.

6.2 Updates to Security Measures

Quantum Neuron may update the technical and organizational measures from time to time, provided that any such updates do not materially diminish the overall level of protection of Client Personal Data.

6.3 Diagnostic and Monitoring Tooling

Where session replay, error monitoring or diagnostic tooling is used in connection with the Services, Quantum Neuron shall configure masking, scrubbing or equivalent controls for sensitive form inputs and user-entered content where technically supported by the relevant tool.

7. Data Protection Officer and Representatives

7.1 Data Protection Officer

Quantum Neuron has appointed a Data Protection Officer pursuant to Article 37 EU GDPR. The Data Protection Officer is Mr. Krzysztof Kochanowski, contactable at ido@quantumneuron.ai. The Data Protection Officer is the primary point of contact for matters relating to the Processing of Personal Data under this DPA, in addition to privacy@quantumneuron.ai for general privacy enquiries.

7.2 EU Representative (Article 27 EU GDPR)

Quantum Neuron has designated, in writing, the following EU Representative pursuant to Article 27 EU GDPR:

Quantum Neuron Sp. z o.o., ul. Żurawia 6/12/745, 00-503 Warsaw, Poland. Contact: ido@quantumneuron.ai.

7.3 UK Representative (Article 27 UK GDPR)

Quantum Neuron has designated, in writing, the following UK Representative pursuant to Article 27 UK GDPR:

Kochanowski Consulting Ltd, 151 Picton Road, Liverpool, Merseyside L15 4LG, United Kingdom. Contact: ido@quantumneuron.ai.

8. Sub-Processors

8.1 General Authorization

The Client grants Quantum Neuron general written authorization to engage Sub-Processors in connection with the performance of the Services. The current list of authorized Sub-Processors is set out in the Sub-Processor List published at https://quantumneuron.ai/legal/m26/subprocessors.

8.2 Obligations Imposed on Sub-Processors

Quantum Neuron shall enter into a written agreement with each Sub-Processor containing data protection obligations materially equivalent to those set out in this DPA. Where a Sub-Processor is located outside the European Economic Area or the United Kingdom, Quantum Neuron shall ensure that an appropriate transfer mechanism under Chapter V EU GDPR or UK GDPR is in place, including, as applicable, the EU SCC, the UK Addendum, or an applicable adequacy decision.

8.3 Notification of Changes

Quantum Neuron shall give the Client at least thirty (30) days’ prior written notice of any intended addition or replacement of a Sub-Processor. Such notice shall be provided by sending an email notification to the Client’s privacy contact and by updating the Sub-Processor List.

8.4 Right to Object

The Client may object to the proposed change within thirty (30) days of receipt of the notice on reasonable grounds related to data protection. The Parties shall in good faith seek a mutually acceptable resolution within thirty (30) days of the Client’s objection. If no resolution is reached, the Client may, as its sole and exclusive remedy: (a) discontinue use of the feature or functionality affected by the proposed Sub-Processor change; or (b) terminate the affected portion of the Master Agreement on written notice, with a pro-rata refund of any prepaid and unused fees attributable to the terminated functionality.

8.5 Liability for Sub-Processors

Quantum Neuron remains liable to the Client for the acts and omissions of its Sub-Processors to the same extent as if such acts or omissions had been carried out by Quantum Neuron itself, subject to the limitations of liability set out in the Master Agreement.

9. International Data Transfers

9.1 Primary Location of Processing

Primary Processing of Client Personal Data takes place within the European Economic Area. Any transfers of Client Personal Data outside the European Economic Area or the United Kingdom are carried out in reliance on a valid transfer mechanism under Chapter V EU GDPR or UK GDPR.

9.2 EU Standard Contractual Clauses

Where Quantum Neuron Processes Client Personal Data subject to the EU GDPR outside the European Economic Area in circumstances requiring a transfer mechanism under Chapter V EU GDPR, the EU SCC (Module Two: Controller-to-Processor, or, where the Client itself is a processor, Module Three: Processor-to-Processor) are hereby incorporated by reference into this DPA and deemed entered into between the Parties. For the purposes of Clause 17 of the EU SCC, the Parties select Option 1 and the governing law of Ireland. For the purposes of Clause 18(b), the Parties select the courts of Ireland. Annex I and Annex II of this DPA shall serve, respectively, as Annex I and Annex II to the EU SCC. Annex III to the EU SCC shall be completed by reference to the Sub-Processor List.

9.3 UK International Data Transfer Addendum

Where Quantum Neuron Processes Client Personal Data subject to the UK GDPR outside the United Kingdom in circumstances requiring a transfer mechanism under Chapter V UK GDPR, the UK Addendum is hereby incorporated by reference into this DPA and shall apply as an addendum to the EU SCC. Tables 1 to 4 of the UK Addendum shall be completed by reference to the corresponding information set out in this DPA and in Annex I and Annex II.

9.4 Transfer Impact Assessment

Where Client Personal Data is transferred to a country not covered by an adequacy decision under Article 45 EU GDPR or the equivalent provision of UK GDPR, Quantum Neuron has conducted, or shall conduct, a Transfer Impact Assessment in accordance with the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools, taking into account the laws and practices of the destination country and identifying appropriate supplementary technical, contractual, and organizational measures where necessary. A summary of such assessment is available to the Client on request under appropriate confidentiality obligations.

9.5 Conflict

In case of any conflict or inconsistency between this DPA and the EU SCC or the UK Addendum in relation to a relevant transfer of Client Personal Data, the terms of the EU SCC or UK Addendum (as applicable) shall prevail.

9.6 Sub-Processor Location and Transfer Mechanism

The Sub-Processor List shall identify, where available, the location and transfer mechanism applicable to each Sub-Processor.

10. Data Subject Rights

10.1 Assistance to the Client

Taking into account the nature of the Processing, Quantum Neuron shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Client’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III EU GDPR or Chapter III UK GDPR.

10.2 Communications from Data Subjects

If Quantum Neuron receives a request from a Data Subject concerning Client Personal Data, it shall not respond to the request directly (other than to acknowledge receipt or to redirect the Data Subject to the Client), and shall forward the request to the Client without undue delay.

10.3 Response Time

Quantum Neuron shall respond to a Client’s request for assistance in connection with a Data Subject request within fourteen (14) days of receipt of the Client’s request. For requests that are complex or involve a substantial volume of Client Personal Data, Quantum Neuron may extend this period by a reasonable additional period, provided it notifies the Client of such extension within the initial fourteen-day period.

10.4 Costs

Assistance with Data Subject requests shall be provided at no additional cost to the Client and is included in the fees payable under the Master Agreement, provided that the volume and frequency of such requests are reasonable. Quantum Neuron reserves the right to charge a reasonable fee for assistance that is manifestly unfounded, excessive, or repetitive, in line with Article 12(5) EU GDPR.

11. Personal Data Breach Notification

11.1 Notification Timing

Quantum Neuron shall notify the Client without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Client Personal Data. For the purposes of this DPA, “becoming aware” means the point in time at which Quantum Neuron has reasonable certainty, based on its internal security detection and investigation capabilities, that a Personal Data Breach has occurred. The 48-hour cap set out in this Section 11.1 applies to Personal Data Breaches under Article 4(12) EU GDPR. Where the Master Agreement (or a supplementary enterprise contract) incorporates the Quantum Neuron Security Annex with shorter incident-priority notification SLAs (e.g., one (1) business hour for Priority 1 incidents), such shorter timelines shall apply in addition to, and shall prevail over, the 48-hour cap for the incidents to which they apply.

11.2 Content of Notification

The notification shall contain, to the extent reasonably available at the time of notification:

(a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;

(b) the contact details of Quantum Neuron’s privacy contact at privacy@quantumneuron.ai, the Data Protection Officer at ido@quantumneuron.ai, or another designated point of contact for further information;

(c) a description of the likely consequences of the Personal Data Breach; and

(d) a description of the measures taken or proposed to be taken by Quantum Neuron to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

11.3 Continued Cooperation

Where and insofar as it is not possible to provide the information referred to above at the same time, it may be provided in phases without further undue delay. Quantum Neuron shall cooperate in good faith with the Client in connection with the Client’s own obligations to notify competent supervisory authorities and, where applicable, Data Subjects, under Articles 33 and 34 EU GDPR or equivalent provisions of UK GDPR.

11.4 No Admission of Liability

Notification of a Personal Data Breach by Quantum Neuron shall not be construed as an acknowledgment by Quantum Neuron of any fault or liability with respect to the Personal Data Breach.

12. Data Protection Impact Assessment and Prior Consultation

Taking into account the nature of the Processing and the information available to it, Quantum Neuron shall provide reasonable assistance to the Client in carrying out data protection impact assessments in accordance with Article 35 EU GDPR and in consulting with supervisory authorities in accordance with Article 36 EU GDPR, where the Client reasonably considers such assessments or consultations to be required.

Where the Client uses the Services for Outbound Communications, large-scale lead activation, voice calls, SMS campaigns, WhatsApp campaigns or similar communications, the Client remains responsible for determining whether a data protection impact assessment, legitimate interest assessment, ePrivacy assessment, telemarketing compliance assessment or equivalent assessment is required for its own use case. Quantum Neuron shall provide reasonable assistance to the Client as set out in this Section, taking into account the nature of the Processing and the information available to Quantum Neuron.

13. Audits and Information Rights

13.1 Information Rights

Quantum Neuron shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and in applicable Data Protection Laws, including:

(a) responses to reasonable written security and data protection questionnaires submitted by the Client;

(b) applicable third-party audit reports, certifications, and attestations (including, where available, ISO/IEC 27001 and SOC 2 reports), subject to appropriate confidentiality obligations; and

(c) upon execution of a non-disclosure agreement, access to the Quantum Neuron Security Annex describing its technical and organizational measures in further detail.

13.2 On-Site Audits

The Client or an auditor mandated by the Client may conduct an on-site audit of Quantum Neuron’s processing activities under this DPA, subject to the following conditions:

(a) no more than once per calendar year, except where a confirmed Personal Data Breach has occurred;

(b) at least thirty (30) days’ prior written notice;

(c) conducted during regular business hours, without unreasonable disruption to Quantum Neuron’s operations;

(d) at the Client’s sole cost and expense, including reasonable fees charged by Quantum Neuron for personnel time and support, except that in the case of a confirmed Personal Data Breach affecting the Client, the audit shall be conducted without charge and without limitation to frequency;

(e) subject to execution of a non-disclosure agreement between Quantum Neuron and any third-party auditor, which auditor shall not be a competitor of Quantum Neuron; and

(f) limited in scope to information and systems reasonably necessary to verify compliance with this DPA.

13.3 Audit Reports

The Client shall promptly provide Quantum Neuron with a copy of the audit report and shall treat the report and all information obtained in the course of the audit as confidential information of Quantum Neuron.

14. AI Model Training and Test Environments

14.1 No Use of Client Personal Data for Training

Quantum Neuron does not use Client Personal Data, in its identifiable form, to train, fine-tune, or otherwise improve the AI models underlying the Services. Quantum Neuron uses, for such purposes, only data that has first been subjected to its documented irreversible Anonymization process. Following successful Anonymization, the resulting data is no longer Personal Data within the meaning of applicable Data Protection Laws and is therefore outside the material scope of the EU GDPR and UK GDPR, and outside the scope of this DPA.

14.2 Default Anonymization Pipeline

By default, Quantum Neuron processes selected Client Personal Data through its documented irreversible Anonymization process for the following purposes:

(a) fine-tuning and improving the AI models underlying the Services; and

(b) use of selected production data, following Anonymization, within non-production test environments operated by Quantum Neuron.

The Anonymization process is designed to be irreversible and is verified through a documented manual verification step prior to any downstream use, in line with the criteria set out by the European Data Protection Board (Opinion 05/2014). The resulting Anonymized data sets do not contain raw conversation logs and are not associated with any Client identifier, tenant identifier, account identifier, or other reference linking the data to a specific Client or to an identifiable natural person.

14.3 Opt-Out

The Client may opt out of the processing described in Section 14.2 at any time by written notice to privacy@quantumneuron.ai with copy to legal@quantumneuron.ai. The Client may also opt out directly in the applicable Order Form, in which case the opt-out applies from the start of the relevant subscription term. Upon receipt of such notice, Quantum Neuron shall cease further processing of newly ingested Client Personal Data through its Anonymization pipeline within a reasonable period not exceeding fifteen (15) days. For the avoidance of doubt, the opt-out shall operate prospectively only and shall not affect data that has already undergone Anonymization prior to the effective date of the opt-out, given that such data is no longer Personal Data.

14.4 Controller Responsibilities

The Client confirms that it has, or will have prior to the relevant Processing taking place, a valid lawful basis for the Processing described in this Section 14 and shall inform its own customers, employees, and End-Users of such Processing where required by applicable Data Protection Laws.

14.5 Underlying Foundation Models

Client Personal Data is not made available to third-party developers of underlying foundation models (including, without limitation, OpenAI, Anthropic, and Google) and is not used to train, fine-tune, or otherwise improve such foundation models outside of Quantum Neuron’s own deployments. Quantum Neuron accesses underlying foundation models through enterprise cloud services (currently Microsoft Azure and, on a limited and optional basis, Google Cloud Vertex AI) under contractual terms that prohibit the use of customer data for the training, fine-tuning, or improvement of such foundation models by the relevant cloud provider.

The specific AI infrastructure providers and model orchestration components used for a Client deployment may vary depending on the features, communication channels, region, configuration and integrations selected under the applicable Order Form and reflected in the Sub-Processor List. Quantum Neuron shall not permit third-party AI model providers to use Client Personal Data to train, fine-tune or improve their general-purpose or foundation models, except where expressly agreed in writing with the Client.

15. Return and Deletion of Client Personal Data

15.1 Retention During the Term

Quantum Neuron shall retain Client Personal Data for the duration of the subscription under the Master Agreement or until earlier deletion instructed by the Client. The Client is responsible for configuring any applicable retention settings available within the Services and for issuing deletion Instructions as required by applicable Data Protection Laws.

15.2 Return or Deletion on Termination

Upon termination or expiration of the Master Agreement, Quantum Neuron shall, at the Client’s choice, return or delete all Client Personal Data in its possession within thirty (30) days of the effective date of termination, and shall purge such data from backup systems within a further ninety (90) days thereafter, unless applicable law requires further storage.

15.3 Anonymization Exception

Prior to deletion pursuant to Section 15.2, and unless the Client has opted out under Section 14.3 or otherwise objected in writing, Quantum Neuron may apply its documented irreversible Anonymization process to selected Client Personal Data. Data that has successfully undergone such Anonymization is no longer Personal Data within the meaning of applicable Data Protection Laws and is not subject to the deletion obligations set out in this Section 15. For the avoidance of doubt, Anonymized data sets retained by Quantum Neuron pursuant to this Section 15.3 are not linked to the Client, to any tenant or account identifier of the Client, or to any other identifier capable of associating the data with a specific Client or with an identifiable natural person, after termination of the Master Agreement. The Client may, at any time, object in writing to such Anonymization, in which case the Client Personal Data concerned shall be deleted in accordance with Section 15.2 without being subjected to the Anonymization process.

Where the Client has opted out in the applicable Order Form, Quantum Neuron shall not apply the Anonymization process described in this Section 15.3 to newly ingested Client Personal Data covered by such opt-out.

15.4 Certification

Upon the Client’s written request, Quantum Neuron shall provide written confirmation that it has complied with its obligations under this Section 15.

16. Scope Exclusions

This DPA does not govern the following Processing activities, for which Quantum Neuron acts as an independent controller in accordance with its privacy notice available at https://quantumneuron.ai/legal/m26/privacy:

(a) Processing of the Client’s billing, payment, and account administration information for the purposes of contract performance, invoicing, and compliance with financial and tax obligations;

(b) Processing of support communications initiated by the Client or its authorized personnel (including support tickets, email correspondence, and attachments submitted in connection with such communications), for the purposes of providing support, resolving issues, and improving service quality;

(c) Processing of security telemetry, access logs, audit logs, and related operational data for the purposes of protecting the security, integrity, and availability of the Services, preventing and investigating fraud and abuse, and complying with Quantum Neuron’s legal and regulatory obligations; and

(d) Processing of aggregate, de-identified, or technical product analytics for the purposes of operating, maintaining, and improving the Services.

To the extent any such Processing involves Personal Data, Quantum Neuron shall Process such data in accordance with applicable Data Protection Laws and on an appropriate lawful basis under Article 6 EU GDPR. To the extent any data Processing under this Section 16 is held by a competent supervisory authority or court to fall outside Quantum Neuron’s controller capacity in respect of a particular Client, the processor obligations of this DPA shall apply to such Processing mutatis mutandis.

17. AI Act Compliance

17.1 Scope of AI Act References

References to Regulation (EU) 2024/1689 (the “AI Act”) in this DPA apply only to the extent the relevant use, deployment, output, market placement or legal obligation falls within the territorial or extraterritorial scope of the AI Act. For Clients established in the United Kingdom or outside the European Union, such references shall not be construed as an admission that the AI Act automatically applies to all uses of the Services. The restrictions on High-Risk AI Use Cases may nevertheless apply as a contractual safety standard under the Master Agreement.

17.2 Provider and Deployer Roles

To the extent the AI Act applies, Quantum Neuron acts as a “provider” of an AI system and the Client acts as a “deployer” of the AI system within the meaning of the AI Act. The Services are classified, in their default configuration, as a limited-risk AI system under the AI Act. The Client is responsible for compliance with any deployer obligations applicable to its use of the Services under the AI Act, where applicable, and under any equivalent AI, data protection, consumer protection, sectoral, safety or platform rules applicable to the Client’s use of the Services.

17.3 Transparency and AI Disclosure

Quantum Neuron provides technical functionality and recommended default settings enabling AI-system disclosure where required. The Client, as the party deploying the AI Persona in its own business context, communication channels and End-User relationship, is responsible for ensuring that End-Users receive all legally required notices, disclosures and transparency information, unless the Parties expressly agree otherwise in the Order Form or an Enterprise AI compliance addendum.

17.4 High-Risk AI Use Cases

The Client shall not use the Services for any High-Risk AI Use Case except in accordance with the Master Agreement and any Enterprise High-Risk AI Addendum executed by the Parties.

18. Liability

18.1 Limitation of Liability

Each Party’s liability under or in connection with this DPA, of any kind, whether in contract, tort (including negligence), or otherwise, is subject to the aggregate limitations of liability set out in the Master Agreement. For the avoidance of doubt, this DPA does not increase or expand such limitations of liability beyond those set out in the Master Agreement.

18.2 Administrative Fines

Administrative fines imposed on a Party by a competent supervisory authority under Data Protection Laws shall be borne by the Party on which they are imposed, except to the extent that the other Party has caused or materially contributed, through breach of this DPA or applicable Data Protection Laws, to the circumstances giving rise to the fine.

19. Term and Termination

This DPA shall take effect on the effective date of the Master Agreement and shall continue for the duration of the Master Agreement and for such further period during which Quantum Neuron Processes Client Personal Data following termination, including the retention periods set out in Section 15.

20. Changes to this DPA

Quantum Neuron may update this DPA from time to time, provided that:

(a) non-material changes (including editorial, clarifying, or technical changes that do not materially diminish the Client’s rights or Quantum Neuron’s obligations under this DPA) may be made by publication of an updated version at https://quantumneuron.ai/legal/m26/dpa and shall take effect on publication;

(b) material changes shall take effect no earlier than thirty (30) days after Quantum Neuron provides notice to the Client, during which period the Client may object to such changes in accordance with the Sub-Processor change procedure set out in Section 8.4, applied mutatis mutandis. Notice of material changes will be sent by email to the Client’s primary administrative contact.

All versions of this DPA are maintained under a version control system, and prior versions shall remain available to the Client upon request.

21. Order of Precedence

In the event of any conflict or inconsistency:

(a) between this DPA and the Master Agreement, this DPA shall prevail in matters relating to privacy, data protection, and the Processing of Personal Data, and the Master Agreement shall prevail in all other matters;

(b) between this DPA and the EU SCC or the UK Addendum in relation to a transfer governed by those instruments, the EU SCC or the UK Addendum (as applicable) shall prevail;

(c) between this DPA and any other document incorporated by reference, this DPA shall prevail, except as otherwise expressly provided.

For the avoidance of doubt, this DPA governs the Processing of Client Personal Data. The Master Agreement and Order Form govern commercial terms, fees, usage limits, product scope, selected channels, functional limitations, service availability and non-data-protection matters.

22. Miscellaneous

22.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, consistent with the governing law of the Master Agreement. Notwithstanding the foregoing, the mandatory provisions of applicable Data Protection Laws of the Client’s jurisdiction shall apply where required, and the governing law and jurisdiction of the EU SCC and the UK Addendum are as set out therein and in Section 9 of this DPA. The Parties may agree in writing in the Order Form or in a supplementary enterprise contract to apply the law of the Client’s jurisdiction (or another mutually agreed jurisdiction) to this DPA.

22.2 Severability

If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The Parties shall, in good faith, negotiate a valid and enforceable substitute provision that most closely reflects the Parties’ original intent.

22.3 Notices

Notices under this DPA shall be given in accordance with the notice provisions of the Master Agreement. For data protection matters, notices to Quantum Neuron shall additionally be sent to privacy@quantumneuron.ai and to the Data Protection Officer at ido@quantumneuron.ai, with copy to legal@quantumneuron.ai.

22.4 Electronic Acceptance

The Client accepts this DPA by entering into the Master Agreement into which this DPA is incorporated by reference. A signed counterpart of this DPA may be executed by the Parties upon request of the Client; however, electronic acceptance through the Master Agreement shall be fully binding and effective in accordance with applicable law.

Annex I - Description of Processing

A. List of Parties

Data Exporter (Controller): The Client, as identified in the Master Agreement.

Data Importer (Processor): Quantum Neuron Inc., a Delaware corporation, with its registered office at 169 Madison Ave STE 15768, New York, NY 10016, United States.

Contact point for data protection matters (Data Importer):

• Privacy contact: privacy@quantumneuron.ai

• Data Protection Officer (Article 37 EU GDPR): Krzysztof Kochanowski, ido@quantumneuron.ai

• EU Representative (Article 27 EU GDPR): Quantum Neuron Sp. z o.o., ul. Żurawia 6/12/745, 00-503 Warsaw, Poland

• UK Representative (Article 27 UK GDPR): Kochanowski Consulting Ltd, 151 Picton Road, Liverpool, Merseyside L15 4LG, United Kingdom

B. Description of Transfer / Processing

Categories of Data Subjects:

• Employees, contractors, and other authorized personnel of the Client who access the Services through a dashboard account.

• Customers, prospects, leads, and other End-Users interacting with the Client’s AI Persona through any text or voice channel enabled by the Services.

• Contacts, correspondents, and other individuals identified in systems integrated with the Services at the Client’s configuration (including, without limitation, email, calendar, and CRM systems).

• Recipients of Outbound Communications, including leads, prospects, customers, potential customers, business contacts and other individuals whose contact details or identifiers are submitted by or on behalf of the Client to the Services.

Categories of Personal Data:

• Identification and contact data, including name, email address, telephone number, and similar identifiers.

• Communication content, including text messages, voice audio streams, voice recordings where recording is enabled and subject to the Client’s lawful basis, notices and applicable consent requirements, conversation transcripts, and conversation history.

• Voice consent metadata, where collected as part of a voice interaction recording consent flow.

• Authentication and account data, including hashed credentials, session identifiers, and account configuration data.

• Technical data, including IP address, user agent, device information, and log data generated by use of the Services.

• Client-provided knowledge base content uploaded by the Client for use within the Services, to the extent such content contains Personal Data.

• Data from systems integrated with the Services (for example, CRM records, email content, calendar events), as configured by the Client, to the extent such data contains Personal Data.

• Lead Data, prospect data, recipient data, contact list data, phone numbers, email addresses, social media identifiers, messaging identifiers, communication preferences, consent metadata, opt-in records, opt-out records, suppression lists, do-not-contact indicators, campaign metadata, delivery-status metadata, response metadata, call metadata, SMS metadata, WhatsApp template metadata and other metadata relating to inbound or outbound communications.

Special Categories of Personal Data: Not ordinarily processed. Where the Client submits Special Categories of Personal Data, the conditions of Section 4 of the DPA apply.

Frequency of Processing: Continuous during the term of the Master Agreement.

Nature and Purpose of Processing:

• Provision of the AI Persona platform for automated communication through text and voice channels.

• Retrieval-augmented processing of Client-provided knowledge base content for the purposes of AI Persona responses.

• Integration with the Client’s communication, productivity, and customer-relationship-management systems in accordance with the Client’s configuration.

• Operational support, service provision, billing, and such other purposes as are reasonably necessary to deliver the Services.

• Processing of Lead Data and recipient data for the purpose of enabling the Client to conduct, manage, automate, monitor and analyze inbound and outbound communications through the Services, subject to the Client’s lawful instructions, selected communication channels, Order Form, Functional Scope Annex and applicable law.

Duration of Processing: For the duration of the Master Agreement, plus post-termination retention and deletion periods set out in Section 15 of the DPA.

C. Competent Supervisory Authority

For the purposes of Clause 13 of the EU SCC, the competent supervisory authority shall be the supervisory authority of the European Economic Area Member State in which the relevant Data Subjects are located, or, where the Client is established in the European Economic Area, the supervisory authority of the Member State of the Client’s main establishment. For Clients subject to the UK GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office.

Annex II - Technical and Organizational Measures

Quantum Neuron has implemented and maintains the following technical and organizational measures designed to ensure an appropriate level of security for Client Personal Data, in accordance with Article 32 EU GDPR and equivalent provisions of UK GDPR. The measures described below are provided at a summary level; a more detailed description is set out in the Quantum Neuron Security Annex, which is made available to the Client on request under appropriate confidentiality obligations.

1. Access Control and Authentication

Access to systems processing Client Personal Data is restricted on a need-to-know basis through role-based access controls, least-privilege access principles, and tenant-level logical separation. Authentication to production environments requires multi-factor authentication. User accounts are provisioned, reviewed, and revoked in accordance with documented procedures. Support and onboarding access to Client environments is subject to dedicated access controls and time-bound permissions where applicable.

2. Encryption

Client Personal Data is encrypted in transit using industry-standard transport-layer encryption (TLS 1.2 or higher), and at rest using industry-standard symmetric encryption (AES-256 or equivalent) on storage volumes, object storage, and backup systems. Cryptographic keys are managed using a centralized key management service with documented rotation policies.

3. Network and Application Security

Production systems are segregated from non-production environments and protected by network-layer security controls, including firewalls, traffic filtering, and monitoring. Applications are subject to secure development practices, dependency management, and vulnerability scanning.

4. Logging, Monitoring and Audit Trails

Security-relevant events, including access to Client Personal Data, authentication events, and administrative actions, are logged and retained in accordance with Quantum Neuron’s internal retention policies. Access logging and audit trails are maintained for actions performed on Client Personal Data. Logs are monitored for anomalies using automated detection capabilities.

5. Backup, Retention and Business Continuity

Client Personal Data is subject to regular, encrypted backups, retained within the European Economic Area. Quantum Neuron maintains business continuity and disaster recovery procedures designed to restore availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident. Retention controls, backup controls and deletion workflows are documented and operated in accordance with this DPA and applicable Data Protection Laws.

6. Incident Management

Quantum Neuron maintains an incident response procedure covering detection, triage, containment, eradication, recovery, and post-incident review. Incident response roles and responsibilities are documented and regularly reviewed.

7. Personnel Security, Confidentiality and Training

Personnel are subject to internal confidentiality obligations that survive termination of their engagement and receive regular training on data protection and information security matters appropriate to their roles.

8. Sub-Processor Management

Sub-Processors are subject to risk-based due diligence prior to engagement, sub-processor access controls, and ongoing monitoring. Each Sub-Processor is bound by data protection obligations materially equivalent to those set out in this DPA.

9. Physical Security

Physical security of data processing facilities is provided by Quantum Neuron’s infrastructure hosting providers, which maintain industry-recognized physical security controls for their data centers (including ISO/IEC 27001, SOC 2, and ISAE 3402 attested controls).

10. Data Minimization, Pseudonymization and Sensitive Field Handling

Quantum Neuron applies principles of data minimization in the design of the Services and, where appropriate, pseudonymization or anonymization techniques to reduce the risk of unauthorized re-identification. Masking or scrubbing of sensitive fields is applied where technically supported by the relevant component.

11. Controls for Communication Content and Outbound Channels

Specific controls are applied to voice recordings, transcripts, SMS content, WhatsApp content, email content, call metadata and communication logs generated through the Services, including access restrictions, retention controls and deletion workflows aligned with this DPA and the Client’s configuration.

12. Diagnostic, Error Monitoring and Session Replay Tooling

Where session replay, error monitoring or diagnostic tooling is used in connection with the Services, Quantum Neuron configures masking, scrubbing or equivalent controls for sensitive form inputs and user-entered content where technically supported by the relevant tool.

Annex III - Authorized Sub-Processors

The list of Sub-Processors authorized under Section 8 of this DPA is maintained and published by Quantum Neuron at:

https://quantumneuron.ai/legal/m26/subprocessors

The Sub-Processor List is deemed, by reference, to constitute Annex III to the EU SCC and the equivalent Sub-Processor list under the UK Addendum.

Welcome to a world where your next best employee is not a human.

contact@quantumneuron.ai

Made with 🖤 for technology

Quantum Neuron Inc. 169 Madison Ave STE 15768 New York, NY 10016