Data Processing Agreement

Last updated: June 2026

Purpose and scope

This page summarizes the Data Processing Agreement (“DPA”) that governs Qanta’s processing of personal data when we provide services to a client. It is intended to give you a clear overview of our commitments. The full, executable DPA is provided on request and is incorporated into our Master Services Agreement (MSA).

Roles of the parties

For personal data processed in connection with our services, the client acts as the controller (or, where the client is itself a processor, as a processor), and Qanta acts as a processor or sub-processor. Qanta processes personal data only on the documented instructions of the client, except where required otherwise by applicable law.

Subject matter and duration

The subject matter of processing is the provision of the cybersecurity and GRC services described in the applicable SOW. Processing continues for the duration of the engagement and any wind-down period agreed in the MSA, after which the obligations regarding return and deletion of data apply.

Nature and purpose of processing

Qanta processes personal data solely to deliver the contracted services—such as security assessments, program implementation, monitoring, and advisory work—and for no other purpose. We do not use client personal data for our own marketing or product development.

Categories of data and data subjects

The categories of personal data and data subjects depend on the engagement and are specified in the DPA and SOW. They typically include:

  • Data subjects: the client’s employees, contractors, and authorized personnel.
  • Categories of data: business contact details, account and access identifiers, and system, log, and configuration data that may contain personal data.

We do not seek special categories of personal data, and engagements are scoped to minimize the personal data involved.

Processor obligations

  • Confidentiality. Personnel with access to personal data are bound by confidentiality obligations.
  • Security measures. We maintain appropriate technical and organizational measures aligned to the NIST Cybersecurity Framework (CSF) 2.0 and the CIS Critical Security Controls, including access management, encryption in transit and at rest, logging and monitoring, and secure development practices.
  • Assistance. We assist the controller in responding to data subject requests and in meeting obligations such as data protection impact assessments and consultations with regulators.
  • Breach notification. We notify the client without undue delay, and in any event within the timeframe specified in the DPA (typically within 72 hours of becoming aware of a personal data breach), and cooperate on remediation.

Sub-processors

We engage sub-processors only under written contracts that impose data protection obligations no less protective than those in our DPA. We maintain a current list of sub-processors and provide a mechanism for the client to be informed of and object to changes, as set out in the DPA.

International transfers

Where personal data is transferred across borders, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and equivalent mechanisms, together with supplementary measures where required.

Audit rights

The client may verify our compliance with the DPA through reasonable audits or by reviewing relevant assessments and reports, subject to the notice, confidentiality, and frequency terms set out in the DPA.

Return and deletion of data

On termination or expiry of the engagement, and at the client’s choice, we return or securely delete all personal data we process on the client’s behalf, except where retention is required by applicable law.

Request the signed DPA

The full executable DPA is provided on request as part of our MSA. To request our signed DPA, please contact us.