This Data Processing Agreement ("DPA") forms part of the agreement between Quantum Automations Group Ltd ("Processor", "we", "us") and the Client ("Controller", "you") for the provision of Services as described in the applicable service agreement or Terms of Service.
This DPA sets out the terms on which we process personal data on your behalf, in compliance with UK GDPR (the retained EU law version of the General Data Protection Regulation) and the Data Protection Act 2018.
01 Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR.
"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means the individual to whom the Personal Data relates.
"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
02 Scope and roles
You are the Controller of the Personal Data. We are the Processor, processing Personal Data solely on your behalf and in accordance with your documented instructions.
This DPA applies to all Personal Data processed by us in connection with the Services we provide to you, including data stored in our SaaS platforms, data transmitted through our APIs, and data shared with us during consulting engagements.
03 Processing instructions
We shall process Personal Data only in accordance with your documented written instructions, unless required to do so by applicable law. If we are required by law to process Personal Data outside of your instructions, we will notify you before doing so, unless the law prohibits such notification.
We shall not process Personal Data for any purpose other than providing the Services to you.
04 Categories of data and data subjects
The categories of Personal Data and Data Subjects processed under this DPA will depend on the specific Services provided, but may include:
- Data subjects: your employees, customers, end-users, contacts, and prospects.
- Categories of data: names, email addresses, phone numbers, job titles, company names, IP addresses, usage data, and any other Personal Data you submit to or process through our Services.
- Sensitive data: we do not intentionally collect or process special categories of Personal Data (e.g., health data, biometric data, religious beliefs) unless explicitly agreed in writing.
05 Our obligations
We shall:
- Process Personal Data only on your documented instructions
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see our Security Policy)
- Not engage another processor (sub-processor) without your prior general or specific written authorisation
- Assist you, taking into account the nature of processing, in fulfilling your obligation to respond to Data Subject requests
- Assist you in ensuring compliance with your obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At your choice, delete or return all Personal Data to you after the end of the provision of Services, and delete existing copies unless applicable law requires storage
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by you or an auditor mandated by you
06 Sub-processors
We maintain a list of sub-processors used in connection with the Services. We will notify you before adding or replacing any sub-processor, giving you the opportunity to object.
Current sub-processors include (but are not limited to):
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | EU / US |
| Wise | Payment processing | UK / EU |
| Stripe | Payment processing | US / EU |
| Google Analytics / Plausible | Website analytics | US / EU |
| Supabase | Database and backend services | US / EU |
| Anthropic (Claude) | Large language model API for AI agents and automations | US |
| OpenAI | Large language model API for AI agents and automations | US |
| OpenRouter | LLM routing and gateway services | US |
| n8n | Workflow automation and orchestration | EU |
| Make.com | Workflow automation and orchestration | EU |
If you object to a new sub-processor, we will work with you to find a reasonable alternative. If no alternative is available, either party may terminate the affected Services.
All sub-processors are bound by contractual obligations that provide the same level of data protection as this DPA.
07 International transfers
Where Personal Data is transferred outside the United Kingdom, we shall ensure that appropriate safeguards are in place in accordance with UK GDPR, including:
- Transfers to countries with an adequacy decision by the UK Secretary of State
- Standard Contractual Clauses (UK International Data Transfer Agreement or UK Addendum to the EU SCCs)
- Other appropriate safeguards as permitted by UK GDPR
08 Data breach notification
In the event of a Data Breach affecting Personal Data processed on your behalf, we shall:
- Notify you without undue delay and in any case within 72 hours of becoming aware of the breach
- Provide you with sufficient information to allow you to meet your obligations to report the breach to the ICO and to notify affected Data Subjects, if required
- Cooperate with you and take reasonable steps to investigate, remediate, and mitigate the effects of the breach
09 Data subject rights
We shall assist you in responding to requests from Data Subjects exercising their rights under UK GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
If we receive a request directly from a Data Subject, we shall promptly notify you and shall not respond to the request without your instructions, unless legally required to do so.
10 Data protection impact assessments
We shall provide reasonable assistance to you in conducting data protection impact assessments and prior consultations with supervisory authorities, where required, taking into account the nature of the processing and the information available to us.
11 Audit rights
You may audit our compliance with this DPA, subject to reasonable notice (at least 30 days), during business hours, and no more than once per year unless required by a supervisory authority or following a Data Breach.
We may satisfy audit requests by providing certifications, audit reports, or other evidence of compliance with industry-recognised standards.
12 Duration and termination
This DPA shall remain in effect for the duration of our processing of Personal Data on your behalf. Upon termination or expiry of the Services:
- We shall, at your election, return or delete all Personal Data within 30 days
- We may retain copies of Personal Data only to the extent required by applicable law, in which case we shall continue to protect such data in accordance with this DPA
13 Liability
The liability of each party under this DPA is subject to the limitations set out in the applicable service agreement or Terms of Service.
14 Governing law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
15 Contact
For questions or requests related to this DPA, contact us at: