
Data Processing Agreement (DPA)



1. Introduction / Scope

This Data Processing Agreement forms part of the contract between the parties for use of the Q-Hub Service and is subject to the Q-Hub Terms & Conditions (the "Terms"). In the event of any conflict between this DPA and the Terms, this DPA shall prevail solely in relation to the parties' data protection obligations under applicable data protection law.

In this DPA, references to "Data Protection Law" mean the UK General Data Protection Regulation (UK GDPR) as defined in section 3(10) of the Data Protection Act 2018, the Data Protection Act 2018, and any subordinate legislation made under that Act, in each case as amended or replaced from time to time.


2. Formation, Duration, and Termination

This DPA enters into force on the Effective Date of the underlying service agreement between the Controller and the Processor.

The DPA remains in effect for the duration of the service agreement.

Upon termination of the service agreement, this DPA automatically terminates, subject to Section 7 (Data Retention and Return) and any obligations that by their nature survive termination.


3. Subject Matter and Purpose

Processor will process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by law. The purpose of processing includes providing services via the Q-Hub platform, maintaining application functionality, and performing analytics as described in the service agreement.

The Processor shall have no control over the purposes of processing and the means used, except as directed by the Controller in documented instructions.

For clarity, this DPA applies only to Q-Hub's processing of Personal Data as a processor on the Customer's behalf. Q-Hub may also process certain Personal Data as an independent controller, for example as described in the Privacy Policy and Section 7.4 of the Terms, in which case this DPA does not apply to that processing.


4. Data Processing Details

Categories of Data Subjects: Employees, clients, and users of the Q-Hub platform.

Categories of Data: Personal data processed under this DPA may include basic identification and contact data (such as names, email addresses, and job titles), employment-related data, IP addresses, and other information uploaded by the Customer in connection with its use of the Q-Hub platform.

In some cases, and only where this is necessary for the intended use of the platform as a compliance system and permitted under the Terms, the Customer may upload limited special categories of personal data (as defined in Article 9 UK GDPR). The Customer remains solely responsible for deciding whether such special category data should be stored in the Service and for ensuring it has a lawful basis and all necessary notices and consents.

Processing Activities: Data storage, retrieval, transmission, and deletion as per the Controller's instructions.


5. Obligations of the Processor

Compliance: The Processor shall comply with Data Protection Law and ensure the confidentiality, integrity, and availability of Personal Data.

Security Measures: Implement technical and organisational measures in line with ISO 27001, NCSC, and/or NIST standards, including encryption, access control, and monitoring as further described in Section 11.

Sub-Processors: The Processor shall engage sub-processors only in accordance with Section 13 of this DPA.

Data Subject Requests: The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

Data Breaches: The Processor shall notify the Controller of any confirmed Personal Data breach in accordance with Section 12.


6. Obligations of the Controller

The Controller shall:

(a) ensure that all processing of Personal Data shared with the Processor is lawful and in compliance with Data Protection Law;

(b) provide clear documented instructions for processing activities; and

(c) audit Processor compliance periodically in accordance with Section 9.


7. Data Retention and Return

Upon termination or expiry of the service agreement, the Processor shall:

(a) make available to the Controller the standard export tools within the Q-Hub Service so that the Controller can retrieve its Personal Data;

(b) maintain Customer Data within the Service in a form accessible to the Controller for a minimum of 90 days following the effective date of termination or expiry, unless otherwise agreed in writing between the parties; and

(c) following the expiry of the period in paragraph (b), delete Personal Data from active systems once it is no longer reasonably required for the provision of the services, compliance with law, or the establishment, exercise, or defence of legal claims.

Personal Data may be retained in backup systems for a limited period in line with documented backup retention schedules, after which it will be overwritten or deleted in the ordinary course of business.

Upon request by the Controller following the deletion of Customer Personal Data, the Processor shall provide a written certificate of deletion confirming that Personal Data has been removed from the Processor's active systems and, once applicable backup retention cycles have completed, from backup systems.


8. International Transfers

Customer Data is stored within the United Kingdom. The Processor's primary hosting infrastructure (AWS EC2) and primary database (MongoDB Atlas) are both located in the London region.

Some limited operational data — including application logs, company identifiers, and user identifiers — may be processed within the European Economic Area by sub-processors providing system monitoring and operational support services, as identified in the Processor's sub-processor list. No customer-uploaded content is shared with such sub-processors.

Where any Personal Data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with Data Protection Law, which may include:

(a) the UK International Data Transfer Agreement (IDTA); or

(b) the UK Addendum to the EU Standard Contractual Clauses,

as applicable.

The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without first ensuring that one of the above safeguards, or another lawful transfer mechanism recognised under Data Protection Law, is in place.


9. Audit Rights

The Controller may audit the Processor's processing operations annually or as reasonably needed, to ensure compliance with this DPA and Data Protection Law.

The Processor will cooperate fully with such audits and ensure that sub-processors provide similar access for audits where reasonably required.

The cost of audits shall be borne by the Controller, unless non-compliance is identified, in which case the Processor shall bear the costs.

Intelligent Quality shall review any recommendations resulting from an audit and will implement those which it considers, acting reasonably, to be appropriate and proportionate in light of the costs, the nature, scope, context and purposes of processing, and the risks to data subjects.


10. Confidentiality

The Processor shall maintain strict confidentiality of all Personal Data.

Confidentiality obligations extend to all personnel and sub-processors engaged by the Processor, enforced through binding agreements.

These obligations shall remain in effect after the termination of this DPA.


11. Security Measures

The Processor implements technical and organisational measures designed to protect the confidentiality, integrity, and availability of Personal Data, including:

  • Encryption: Data is encrypted at rest and in transit using industry-standard methods.

  • Access Control: Multi-factor authentication (MFA) is available for user accounts. Database access is restricted by IP address, and encryption keys are rotated on a regular schedule.

  • Monitoring: Real-time monitoring and alerting is in place for threat detection and response.

  • Incident Management: Incident response procedures are maintained in line with NCSC guidance.

  • Regular Testing: Periodic penetration testing and vulnerability assessments are carried out.

Security measures will be reviewed annually to ensure their adequacy against evolving risks. Further details of the Processor's security controls and certifications are available on request.


12. Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a confirmed Personal Data breach.

Notifications will include, to the extent known at the time of notification:

(a) the nature and scope of the breach;

(b) the categories and approximate number of data subjects and Personal Data records affected;

(c) the likely consequences of the breach; and

(d) the measures taken or proposed to mitigate the effects of the breach.

The Processor will provide further updates as additional information becomes available throughout the resolution process.

Costs incurred by the Controller for breach management or remediation shall be reimbursed by the Processor if the breach results from the Processor's failure to meet its obligations under this DPA.


13. Sub-Processors

The Customer gives Intelligent Quality a general authorisation to engage third-party sub-processors to support the provision of the Service. Intelligent Quality shall:

(a) maintain a current list of sub-processors, which will be made available to the Customer on request or published via the Q-Hub website;

(b) ensure that any sub-processor is bound by written data processing terms providing at least the same level of protection for Personal Data as this DPA and requiring processing in accordance with Data Protection Law; and

(c) remain responsible to the Customer for the performance of each sub-processor's data protection obligations.

Intelligent Quality will notify the Customer (for example, via the Q-Hub website or by email) of any intended changes to the sub-processor list. The Customer may object to a new sub-processor on reasonable data protection grounds by notifying Intelligent Quality in writing within 30 days of receiving the notice.

If the parties cannot agree a solution within a reasonable period, the Customer may terminate the affected Service in accordance with the Terms as its sole and exclusive remedy.


14. Liability and Indemnification

The Processor is liable for breaches caused by non-compliance with this DPA or Data Protection Law.

To the extent permitted by applicable law, Intelligent Quality shall indemnify the Customer for direct losses, damages, fines, or penalties finally awarded or agreed in settlement arising directly from Intelligent Quality's breach of this DPA or Data Protection Law, subject always to the limitations and exclusions of liability in the Terms.

The parties agree that any liability arising under or in connection with this DPA (including any indemnity) shall be subject to, and not exceed, the limitations and exclusions of liability set out in Section 14 (Limitation of Liability) of the Terms, except to the extent such limitation is expressly prohibited by Data Protection Law.

Intelligent Quality's indemnity under this Clause does not extend to any fine, penalty, or sanction to the extent that payment or reimbursement of such fine, penalty, or sanction is prohibited by applicable law or is uninsurable in the relevant jurisdiction.


15. Final Provisions

Amendments to this DPA must be in writing and signed by both parties.

This DPA is governed by the laws of England and Wales.

In the event of any conflict between this DPA and any other agreement between the parties (other than the Terms), this DPA shall prevail in relation to data protection matters.


If you would like a signed copy of this agreement, please contact your account manager or email support@q-hub.co.uk to request a DPA.

