Data Processing Agreement (DPA)
Last updated:
This Data Processing Agreement ("DPA") is entered into between quantum-investai ("Processor") and you, the user or customer ("Controller"), and is incorporated into and governed by the Terms of Service between Processor and Controller.
This DPA applies where and to the extent that Processor processes Personal Data on behalf of Controller in the course of providing the Services. This DPA sets out the parties' obligations with respect to data protection and privacy when processing Personal Data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, you (the user/customer) are the Controller.
- "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, quantum-investai is the Processor.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the UK GDPR and the Data Protection Act 2018.
2. Processing of Personal Data
Processor shall only process Personal Data on behalf of and in accordance with Controller’s documented instructions, unless required to do so by Union or Member State law to which Processor is subject. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are primarily determined by the Controller's use of the Services (e.g., data submitted via contact forms, course enrollment data). Processor’s Privacy Policy details the types of data collected and its purposes.
Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Controller's Obligations
Controller warrants that it has all necessary rights to provide the Personal Data to Processor for the Processing to be performed in relation to the Services. Controller shall be responsible for ensuring that its instructions to Processor comply with Applicable Data Protection Law.
4. Processor's Obligations
Processor shall:
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Applicable Data Protection Law.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of processing, Notification of a personal data breach to the supervisory authority, Communication of a personal data breach to the data subject, Data protection impact assessment, Prior consultation), taking into account the nature of Processing and the information available to the Processor.
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Sub-processing
Processor shall not subcontract any of its processing operations performed on behalf of the Controller under this DPA to a sub-processor without the prior specific written authorization of the Controller. Where Processor engages a sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract or other legal act under Union or Member State law.
As of the date of this DPA, quantum-investai does not use sub-processors for the core processing of data submitted directly by users for course engagement, other than standard infrastructure providers (e.g., hosting) who are bound by their own security and compliance standards. Any changes to this will be communicated.
6. Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting Personal Data processed on behalf of the Controller. Such notification shall at least describe the nature of the personal data breach, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point; describe the likely consequences of the personal data breach; and describe the measures taken or proposed to be taken by the Processor to address the personal data breach.
7. International Transfers
Any transfer of Personal Data to a third country or an international organization by Processor shall be done only on the basis of documented instructions from Controller or to fulfill a specific requirement under Union or Member State law to which Processor is subject and shall be compliant with Applicable Data Protection Law. Our primary data processing occurs within the United Kingdom. For details, refer to our Privacy Policy.
8. Term and Termination
This DPA shall remain in effect as long as Processor processes Personal Data on behalf of Controller under the Terms of Service. Termination of the Terms of Service shall also terminate this DPA.
9. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the United Kingdom.
Contact Us
If you have any questions about this Data Processing Agreement, please contact us:
- By email: [email protected]
- By phone number: +44 7713 059188
- By mail: 47 Golf Road, Swarland, NE65 5NQ, United Kingdom