Data Processing Agreement
Version 1.0 · Effective 14 May 2026 · Incorporated into the QENEX Terms of Service by reference
This Data Processing Agreement (“DPA”) supplements the QENEX Terms of Service. It applies whenever QENEX LTD (“Processor”) processes personal data on behalf of a Customer (“Controller”) in the course of providing the services. Where the Customer is itself acting as a Processor for an onward Controller (a common case for QENEX Pulse evidence ingestion), this DPA applies as a Sub-Processor agreement.
Article 1
Definitions and Roles
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-Processor” and “Special Categories of Personal Data” have the meanings given to them in Article 4 of the UK GDPR and Regulation (EU) 2016/679 (“EU GDPR”, together “GDPR”). In this DPA, Customer is the Controller and QENEX the Processor unless the order form states otherwise.
Article 2
Subject Matter, Duration, Nature and Purpose
Subject matter: Processing of personal data necessary to deliver the QENEX Pulse vendor-monitoring services, the QENEX storefront services (domain, hosting, professional email, AI design) and any optional regulator-evidence bundle the Customer instructs QENEX to produce.
Duration: for the duration of the Customer’s subscription plus any retention period required by law or by the Customer’s regulator.
Nature and purpose: hosting, monitoring, scanning, indexing, signing, anchoring and producing evidence bundles; sending operational and security notifications.
Type of personal data: business contact details (name, work email, work phone), authentication identifiers, IP addresses, audit-log entries, and scope-artifact contents, which may at the Customer’s discretion include named personnel (e.g., the approver of an impact tolerance) or sub-processor contact data.
Categories of data subject: Customer personnel, the Customer’s suppliers (vendor domains), and end-recipients of email traffic the Customer configures.
Article 3
Processor Obligations (Art. 28(3) GDPR)
QENEX shall:
- (a) process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law to which the Processor is subject (in which case QENEX shall inform the Controller of that legal requirement before processing unless the law prohibits such notice on important grounds of public interest);
- (b) ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) take all measures required pursuant to Article 32 GDPR (security of processing) — described in Article 5 of this DPA;
- (d) respect the conditions for engaging Sub-Processors in Article 4 of this DPA;
- (e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR;
- (f) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR;
- (g) at the choice of the Controller, delete or return all personal data to the Controller after the end of provision of services and delete existing copies, unless Union or Member State law requires storage of the personal data;
- (h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, on reasonable written notice and at the Controller’s expense.
Article 4
Sub-Processors
The Controller authorises QENEX to engage Sub-Processors. The current list of QENEX Sub-Processors is published at qenex.ai/subprocessors/ and forms part of this DPA. QENEX shall notify the Controller of any intended changes concerning the addition or replacement of Sub-Processors with at least thirty (30) days’ notice by updating the published list and sending an operational notification to the Controller’s registered contact. The Controller may object to a change for reasonable data-protection grounds; if the parties cannot agree on a remedy within thirty (30) days of objection the Controller may terminate the affected service for convenience.
QENEX shall impose on each Sub-Processor data-protection obligations substantially equivalent to those in this DPA. QENEX remains fully liable to the Controller for the Sub-Processor’s performance.
Article 5
Security of Processing (Art. 32 GDPR)
QENEX implements appropriate technical and organisational measures including:
- TLS 1.3 only on all public surfaces, weak protocols disabled;
- HSTS with preload and a 2-year max-age; strict CSP (no 'unsafe-inline');
- Ed25519 signing of all audit-relevant artifacts;
- Daily SHA-256 hash chain anchored into IPFS and the public Bitcoin timechain via OpenTimestamps;
- Encryption at rest (LUKS) and in transit (TLS) for personal data;
- Principle of least privilege on production systems; access logged;
- Continuous monitoring via QENEX Pulse against QENEX’s own surface (“dog-fooding”); evidence published at qenex.ai/trust/;
- Documented incident response procedure (Article 6 below).
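Illustrative note on the daily hash-chain measure listed above. The code below is an added example written for this page; it is not QENEX’s implementation and does not form part of the contractual terms. It assumes one chain entry per day whose hash covers the previous entry’s hash, the date and the SHA-256 digests of that day’s artifacts (the entry layout, the all-zero genesis value and the sample artifact names are assumptions), and shows why a single anchored head hash lets a Controller detect tampering anywhere in the chain.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# Assumed convention: the first entry links to an all-zero previous hash.
GENESIS = "0" * 64


def digest(data: bytes) -> str:
    """SHA-256 of an artifact, hex-encoded (what a daily entry lists)."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(prev_hash: str, day: str, artifact_digests: List[str]) -> str:
    """Hash of one day's entry: SHA-256 over a canonical JSON encoding.

    Sorted keys, sorted artifact list and no whitespace make the hash
    reproducible by a third party who only holds the published entries.
    """
    payload = json.dumps(
        {"prev": prev_hash, "day": day, "artifacts": sorted(artifact_digests)},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(days: List[Tuple[str, List[str]]]) -> List[dict]:
    """Link one entry per day; each entry commits to the previous entry's hash."""
    chain, prev = [], GENESIS
    for day, digests in days:
        h = entry_hash(prev, day, digests)
        chain.append({"day": day, "prev": prev, "artifacts": sorted(digests), "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad entry).

    Checks that every entry's hash recomputes from its fields and that every
    entry's "prev" equals the hash of the entry before it.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or entry_hash(e["prev"], e["day"], e["artifacts"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def anchor_value(chain: List[dict]) -> str:
    """The chain head: the one value that would be timestamped externally."""
    return chain[-1]["hash"]


def sample_chain() -> List[dict]:
    # Constructed sample data, not real artifacts.
    days = [
        ("2026-05-14", [digest(b"scope-artifact-A v1")]),
        ("2026-05-15", [digest(b"scope-artifact-A v1"), digest(b"impact-tolerance-approval")]),
        ("2026-05-16", [digest(b"audit-log-2026-05-16")]),
    ]
    return build_chain(days)


def tamper_demo() -> Tuple[bool, Optional[int], Optional[int]]:
    """Show where verification fails before and after an attacker covers tracks."""
    chain = sample_chain()
    ok, _ = verify_chain(chain)

    tampered = copy.deepcopy(chain)
    # Swap day 2's artifact list (e.g. a forged approval record).
    tampered[1]["artifacts"] = [digest(b"impact-tolerance-approval FORGED")]
    _, first_fail = verify_chain(tampered)  # entry 1 no longer hashes correctly

    # Attacker recomputes entry 1's hash; day 3 still links to the OLD hash.
    tampered[1]["hash"] = entry_hash(tampered[1]["prev"], tampered[1]["day"], tampered[1]["artifacts"])
    _, second_fail = verify_chain(tampered)

    return ok, first_fail, second_fail


if __name__ == "__main__":
    print("intact, first failure, failure after re-hash:", tamper_demo())
    print("value to anchor:", anchor_value(sample_chain()))
```

Only the head hash needs to be anchored (for example via OpenTimestamps) because every earlier entry is committed to by it; a forger must rewrite every later entry and would then fail to match the anchored head. Note the limit of the measure: anchoring proves that a given chain existed at a given time, not that the artifacts it lists were correct when they were hashed.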
Article 6
Personal Data Breach Notification (Art. 33 GDPR)
QENEX shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal-data breach affecting the Controller’s data. The notification shall include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records concerned, contact point, likely consequences and the measures taken or proposed to address the breach.
Article 7
International Transfers
Personal data is hosted in the European Union and the United Kingdom by default. Where QENEX transfers personal data to a third country lacking an adequacy decision (currently including the United States where the specific recipient does not hold a valid certification under the EU-U.S. Data Privacy Framework or its UK Extension), the transfer is governed by the European Commission’s 2021 Standard Contractual Clauses (Module Two: controller-to-processor or Module Three: processor-to-processor, as applicable) and, for transfers from the United Kingdom, by the International Data Transfer Addendum issued by the Information Commissioner’s Office. By executing the Terms of Service the parties are deemed to have executed those clauses; QENEX completes the schedules from the information set out in this DPA and the published Sub-Processor list.
Article 8
Audits and Documentation
QENEX maintains a public evidence chain at qenex.ai/legal/evidence/ and at qenex.ai/trust/. The Controller may request a copy of QENEX’s most recent third-party audit reports (where available) under NDA, and may conduct its own audit on thirty (30) days’ notice at its own cost, limited to one audit per calendar year except where following a confirmed personal-data breach.
Article 9
Liability
Liability under this DPA is subject to the limitations and exclusions set out in Sections 9 and 10 of the Terms of Service, save to the extent that such limitations are prohibited by mandatory data-protection law.
Contact
Data Protection Contact
QENEX LTD · Companies House 16523814
20 Wenlock Road, London N1 7GU, United Kingdom
dpo@qenex.ai (Data Protection)
legal@qenex.ai (Legal notices)
This DPA is a template prepared for QENEX’s self-service customers. Enterprise customers may negotiate bespoke terms by contacting legal@qenex.ai. This document is not legal advice; obtain independent advice if you are unsure whether the standard terms suit your circumstances.