Data Processing Addendum

Quanted Technologies Ltd., a limited company formed under the laws of England and Wales, with company number 15760069 (“Quanted”), and the customer (the “Customer”) (each a “Party” and together the “Parties”), hereby agree as follows:

1 Scope

1.1

This data processing addendum (the “Addendum”) applies exclusively to the processing of personal data (the “Customer Personal Data”) by Quanted on behalf of the Customer where such processing is subject to United Kingdom (UK) data privacy law. This Addendum, including its annexes, forms part of, and is subject to, the provisions of the agreement between the parties (the “Services Agreement”) in respect of the performance of services (the “Services”) by Quanted to the Customer that include the processing of such Customer Personal Data.

1.2

The term “UK Data Privacy Law” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the GDPR to the extent that it forms part of the United Kingdom’s local law as a result of Section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.

1.3

Terms such as “processing”, “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Sub-Processors” and “Data Breach” shall have the meaning ascribed to them in Data Privacy Law, as applicable to the processing.

2 Binding Character of this Addendum

The Parties hereby agree to be bound by the provisions and obligations set forth in this Addendum in respect of all their data protection obligations and agree that any data protection and data processing obligations as agreed to previously amongst the Parties shall be deleted and repealed in its entirety and be replaced with this Addendum.

Any changes to this Addendum shall be made in accordance with the provisions of the applicable Services Agreement.

3 Details of Processing

The processing carried out by Quanted will be as follows:

3.1 Subject matter of processing

Data management services by means of a software application (the “Application”) and the fulfilment of contractual obligations under the Services Agreement and this Addendum.

3.2 Duration of processing

For the duration of the Services Agreement until terminated or once processing by Quanted of any Customer Personal Data is no longer required for the performance of its relevant obligations under the Services Agreement or Addendum.

3.3 Purpose of processing

The provision of the Services.

3.4 Categories of Personal Data

General Personal Data: data about an identified or identifiable Data Subject, including, but not limited to name, surname, title, date of birth, country of origin, telephone number, email, postal address.

Any other personal data requested by the Customer through its use of the Services and Application, provided always that the Customer should not use the Services or Application to process special category data.

3.5 Categories of Data Subjects

Any natural persons who access and use your account (e.g., quantitative analysts).

4 Roles of the Parties

The Customer and Quanted hereby agree that for the purposes of this Addendum, the Customer shall be the Controller and Quanted shall be the Processor.

5 Quanted’s obligations

Quanted, acting as Processor, shall:

5.1

only process Customer Personal Data on documented instructions from the Customer, unless required to do so by applicable laws to Quanted (provided that Quanted first informs the Customer of that legal requirement before processing, unless that law prohibits this on important grounds of public interest). The Services Agreement, this Addendum along with the Customer's use of the Services constitute the Customer's documented instructions to Quanted for the purpose of providing the Services. Quanted shall immediately inform the Customer if instructions given by the Customer, in the opinion of Quanted, contravene Data Privacy Law.

5.2

ensure that all personnel who have access to Customer Personal Data have committed themselves to appropriate obligations of confidentiality;

5.3

maintain appropriate technical and organisational measures to protect the Customer Personal Data. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Quanted will, therefore, evaluate the measures on an on-going basis and will tighten, supplement and improve these measures as it deems necessary or appropriate in its sole discretion. An overview of the current technical and organisational measures can be found in Annex 1 of this Addendum;

5.4

assist the Customer, to the extent possible, to fulfil the Customer’s obligations in responding to requests for exercising of Data Subject rights set out in the applicable Data Privacy Law;

5.5

assist the Customer in complying with Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the UK GDPR in respect of any new type of processing proposed, in accordance with Data Privacy Law.

6 The Customer’s obligations

The Customer, acting as the Controller, hereby warrants and represents:

6.1

that all processing of Customer Personal Data will be in compliance with all Data Privacy Law, and that the processing of the Customer Personal Data by Quanted in accordance with this Addendum will not breach Data Privacy Law;

6.2

that Customer Personal Data provided to Quanted are accurate and will be updated to ensure continued accuracy as and when required;

6.3

that it has notified Data Subjects of any applicable period for which Customer Personal Data or any element of Customer Personal Data will be stored by Quanted;

6.4

that the Customer has the right to provide Customer Personal Data to Quanted and has provided Data Subjects with all necessary information and data protection notices on or in connection with the collection of such Customer Personal Data from data subjects including, but not limited to, the supply of Customer Personal Data to Quanted and details of the purposes for which such Customer Personal Data will be processed by Quanted including, if applicable, as set out in Quanted’s retention policy;

6.5

Customer warrants and represents:

6.5.1

that the Customer will not provide Quanted with nor request Quanted to process the types and categories of Personal Data listed, defined, or referenced to in Articles 8–10 of the UK GDPR, and

6.5.2

that the Customer will not provide Quanted with nor pass to Quanted personal data for which Quanted has no knowledge of, is unaware of, or which is not explicitly provided for under this Addendum, and that where applicable, the Customer will not enter any personal data into free text fields embedded in relevant Quanted products and/or Services and will not incorporate any personal data outside of the scope of Personal Data as contemplated in the Services Agreement and this Addendum into any attachments that are to be uploaded into Quanted’s Application;

6.6

that the Customer shall, and shall procure its employees, contractors, and/or agents to, keep the login credentials used to access the Services secure and shall be liable for the access to the Services through such login credentials. The Customer further shall promptly notify Quanted of any unauthorised use of any login credentials, or other breaches of security, including loss, theft or unauthorised disclosure of login credentials.

7 Sub-processors

7.1

The Customer hereby provides its prior, general authorisation for Quanted to appoint Sub-Processors to process the Customer Personal Data in connection with the provision of the Services.

7.2

Quanted shall:

7.2.1

enter into an agreement with each Sub-Processor containing obligations which are materially similar to those set out in this Addendum to the extent applicable to the nature of the services provided by such Sub-Processor;

7.2.2

remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of Quanted.

7.3

A list of Quanted’s current Sub-Processors is set out at Annex 2. The Customer may request an up-to-date list of Sub-Processors at any time.

7.4

Quanted will notify the Customer prior to transferring any Customer Personal Data to a new Sub-Processor. The Customer will notify Quanted in writing within 30 days after being notified of such new Sub-Processor if it objects to the processing of its Customer Personal Data by the new Sub-Processor. In such event the parties will, acting reasonably, try to come to an agreement over the transfer of the Customer Personal Data to the applicable Sub-Processor. Where agreement is not possible the Customer shall be entitled to terminate the Services Agreement.

8 Audit Rights

8.1

Quanted shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer.

8.2

Such records shall include all information necessary to demonstrate Quanted’s compliance with this Addendum. Quanted shall make copies of such records referred to at clause 8.1 available to the Customer promptly on request.

8.3

Quanted shall promptly make available to the Customer such information as is required to demonstrate Quanted’s compliance with its obligations under the Data Privacy Law. If the Customer can reasonably show that the documentation made available to it does not provide sufficient information for the Customer to confirm Quanted’s compliance with the terms of this Addendum, Quanted shall permit the Customer or an accredited third-party auditor to conduct an audit to confirm such compliance. Such audit shall take place during Quanted’s regular hours of business, not more than once in any 12 month period, and on not less than 4 weeks prior written notice. The Customer and its auditors (if any) shall enter into confidentiality agreements with Quanted and shall comply with all Quanted’s reasonable requirements to minimise disruption to Quanted’s business.

9 Personal Data Breach

Quanted shall, without undue delay:

(a) notify the Customer after it (or any of the Sub-Processors’ or Quanted’s personnel) becomes aware of a Personal Data Breach in respect of any Customer Personal Data;

(b) provide all information as the Customer requires (to the extent that it is available to Quanted) to report the circumstances to a supervisory authority and to notify affected data subjects under Data Privacy Law;

and

(c) provide the Customer with reasonable assistance in responding to and mitigating the Personal Data Breach.

10 Overseas Transfers

Quanted may transfer Customer Personal Data outside of the United Kingdom as required to process the Customer Personal Data for the purpose under this Addendum, provided that Quanted shall ensure that all such transfers are made in accordance with applicable Data Privacy Law, including by way of entering into standard data protection clauses adopted by the UK, as applicable.

11 Liability

The Customer acknowledges that Quanted is reliant on the Customer for instructions as to the extent to which Quanted is entitled to use and process the Customer Personal Data. Consequently, Quanted will not be liable for losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature incurred by Quanted or for which Quanted may become liable due to any claim brought by a Data Subject or Supervisory Authority arising from the Customer’s instructions or use of the Services or Application in breach of the Data Privacy Law.

12 Order of Precedence

To the extent of any conflict between this Addendum and any parts of the Services Agreement, this Addendum shall prevail, govern, and supersede.

13 Survival

This Addendum and the obligations hereunder shall survive the termination or expiry of the Services Agreement however effected or arising, and shall continue until Quanted no longer processes any Customer Personal Data. The Customer Personal Data will be returned to the Customer and deleted by Quanted in accordance with the Services Agreement.

Annex 1 - Technical and Organisational Measures

This annex to the Data Processing Addendum outlines the technical and organisational measures implemented by Quanted Technologies Ltd. (“Quanted”, "Processor" or the “data processor”) in compliance with its data protection obligations as a data processor.

These measures aim to ensure the security and protection of personal data processed on behalf of ‘Customer’ ("Controller") in accordance with applicable data protection laws, including the Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR).

Organisational Security Measures

Security Management

  • Security Governance: Quanted has a dedicated individual in senior leadership to oversee information security. Responsibilities include defining policies, enforcing security practices, and monitoring overall security.

  • Risk Management: Ongoing management of IT-related risks is in place and overseen by relevant personnel and senior leadership.

  • Roles and Responsibilities: Responsibilities for processing personal data are clearly defined in line with security policies.

  • Resource/Asset Management: Quanted registers IT resources used for personal data processing, including hardware, software, and network. Designated personnel are responsible for maintaining and updating the registers.

Incident Response and Business Continuity

Incidents Handling / Personal Data Breaches:

  • Incident procedures are in place to ensure effective responses to security incidents, including those involving personal data.

  • Quanted promptly reports any security incident leading to the loss, misuse, or unauthorised access to personal data to affected data controller(s).

Business Continuity: Quanted has established procedures and controls to ensure the required level of IT system continuity and availability in case of an incident or data breach.

  • Multiple Fallback Servers to provide improved redundancy and fault tolerance.

  • Periodic Disaster Recovery and/or Business Continuity exercises are conducted.

Human Resource Security

  • Verification: Quanted verifies and validates all candidates prior to hiring, including background checks, to assess their suitability and manage risk.

  • Policy Compliance: Quanted ensures that all employees understand their responsibilities and obligations regarding personal data processing and compliance with security policies.

  • Onboarding and Offboarding: Quanted maintains clear procedures for management of access rights for new joiners and during termination. Processes are also defined for transferring rights and responsibilities during internal reorganisations or other changes in employment.

  • Training: Quanted trains employees about security controls and requirements relevant to their work. Employees are regularly educated on data protection requirements and legal obligations through awareness campaigns and training on general security topics.

Technical Security Measures

Access Control and Authentication

  • Least Privilege: Access control rights are specifically assigned to roles involved in personal data processing, following the principle of least privilege. Access is granted following the "need-to-know" principle to limit access to personal data to those who require it. Periodic reviews of all access levels are conducted.

  • Authentication: An access control system applicable to all IT system users is implemented, allowing for user account creation, approval, review, and deletion. Multi-factor authentication (MFA) is enforced where possible.

  • Unique Accounts: The use of common user accounts is prohibited, and if necessary, users with common accounts have the same roles and responsibilities.

  • Passwords: Where passwords are used, they are required to meet strong password control parameters (length, complexity, non-repeatability), and are never transmitted over the network unprotected.

Logging and Monitoring

  • Log Creation: Log files are enabled for systems and applications used in personal data processing, tracking data access (view, modification, deletion) and other security and system events.

  • Log Monitoring: Quanted has implemented comprehensive logging and monitoring mechanisms to track data access and system activities.

Data Protection and Security

  • Data Protection: Database(s) servers and application run in separate environments and separate systems to ensure data protection. Personal data is only processed as required to fulfil the service’s intended purpose.

  • Data Access Controls: Database access is highly restricted to database administrators and only granted on a need-to-know basis.

  • Data Disposal: Stored personal data is only stored in cloud storage where secure deletion assurance is provided by the cloud hosting provider. Policies are in place prohibiting the storage of personal data on paper or local drives to prevent data loss through these methods.

  • Data Encryption: Stored data is encrypted at rest using AES-256. When accessed through the Internet, communication is encrypted using TLS 1.2 or better.

  • Backup Security: Quanted manages a backup/snapshot service daily, which is tested periodically. Backup and data restore procedures are defined, documented, and linked to specific roles and responsibilities.

Secure System Architecture

  • Perimeter Controls: Network traffic to and from the IT system is monitored and controlled using firewalls and/or security groups and other network security technologies. A Web-Application Firewall (WAF) is used to monitor web traffic and help prevent abuses.

Application and System Lifecycle

  • Secure SDLC: Quanted adheres to a structured Software Development Lifecycle (SDLC) throughout its software and system development practices. Security is integrated throughout the phases of the development lifecycle.

  • Change Management: Quanted ensures that IT system changes are recorded and monitored by designated personnel, subjected to appropriate testing, and approved prior to release.

  • Vulnerability Management: Software, system components, and 3rd party dependencies are subjected to regular reviews to proactively identify and track potential security vulnerabilities, which are then tracked until addressed.

  • Security Testing: System components are subjected to periodic and ongoing security testing, including penetration tests, security scans, and code analysis. Findings are tracked until addressed.

Physical and Environmental Security

Data Centres: Quanted hosts all Customer Data in Amazon Web Services (AWS). Quanted regularly reviews AWS physical and environmental controls for relevant data centres, as audited by Google’s third-party auditors. Such controls include, but are not limited to:

  • Physical access to the facilities is controlled at the building ingress points;

  • Visitors are required to present ID and sign in;

  • Physical access to servers is managed by access control devices;

  • Physical access privileges are reviewed regularly;

  • Facilities utilise monitor and alarm procedures;

  • Fire detection and protection systems;

  • Power back-up and redundancy systems; and

  • Climate control systems.

Last updated: December 13, 2024.

Address

71-75 Shelton Street
Covent Garden, London
United Kingdom, WC2H 9JQ

Contact

UK: +44 735 607 5745

US: +1 (332) 334-9840

Legal

Quanted Technologies Ltd.
