Data Processing Addendum
Last updated: February 2026
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or Terms of Service (the "Agreement") between Questt Technologies Private Limited ("Questt AI", "Processor") and the Customer ("Customer", "Controller") for the provision of AI-powered enterprise decision intelligence services.
This DPA sets out the terms that apply when Personal Data is processed by Questt AI on behalf of the Customer in connection with the Services. The purpose of this DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data is processed.
1. Definitions
In this DPA, unless the context requires otherwise:
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the Information Technology Act, 2000 and its rules, the Digital Personal Data Protection Act, 2023 (DPDPA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and any other applicable privacy or data protection legislation.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data, which for the purposes of this DPA is the Customer.
- "Customer Data" means all data, including Personal Data, that is provided by or on behalf of the Customer to Questt AI in connection with the Services.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Data Fiduciary" has the meaning given under the DPDPA and, where applicable, shall be treated as equivalent to "Controller".
- "Data Principal" has the meaning given under the DPDPA and, where applicable, shall be treated as equivalent to "Data Subject".
- "Data Processor" has the meaning given under the DPDPA and, where applicable, shall be treated as equivalent to "Processor".
- "EEA" means the European Economic Area.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Questt AI on behalf of the Customer in connection with the Services.
- "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Processor" means the entity that processes Personal Data on behalf of the Controller, which for the purposes of this DPA is Questt AI.
- "Services" means the AI-powered enterprise decision intelligence services provided by Questt AI to the Customer under the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.
- "Subprocessor" means any third party appointed by Questt AI to process Personal Data on behalf of the Customer in connection with the Services.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws, including the Data Protection Board of India, EU/EEA supervisory authorities, and the UK Information Commissioner's Office, as applicable.
2. Scope and Application
- This DPA applies to the processing of Personal Data by Questt AI on behalf of the Customer in connection with the provision of the Services.
- The details of the data processing, including the categories of Personal Data, types of Data Subjects, and the nature and purpose of processing, are described in Annex 1 to this DPA.
- This DPA shall apply to all Personal Data processing activities performed by Questt AI on behalf of the Customer, regardless of whether the processing takes place within or outside India.
- In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to data protection and privacy.
3. Roles and Responsibilities
- The Customer acts as the Controller (or Data Fiduciary under the DPDPA) and determines the purposes and means of processing Personal Data.
- Questt AI acts as the Processor (or Data Processor under the DPDPA) and processes Personal Data only on behalf of and under the instructions of the Customer.
- Each party shall comply with its respective obligations under Applicable Data Protection Laws.
- Nothing in this DPA relieves either party of its own direct obligations under Applicable Data Protection Laws.
4. Data Processing Requirements
4.1 Lawfulness of Processing
The Customer warrants that:
- It has a lawful basis for the processing of Personal Data as required under Applicable Data Protection Laws;
- It has provided all necessary notices and obtained all necessary consents from Data Subjects for the processing of their Personal Data by Questt AI;
- All instructions given to Questt AI regarding the processing of Personal Data comply with Applicable Data Protection Laws; and
- It shall not provide to Questt AI any Personal Data that Questt AI is not authorised to process under this DPA or the Agreement.
4.2 Processing Instructions
- Questt AI shall process Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law.
- The Customer's instructions for processing are set out in this DPA and the Agreement. Additional instructions may be agreed upon in writing between the parties.
- If Questt AI believes that any instruction from the Customer infringes Applicable Data Protection Laws, Questt AI shall promptly notify the Customer and may suspend the relevant processing until the Customer modifies or confirms the instruction.
4.3 Purpose Limitation
Questt AI shall process Personal Data only for the specific purposes set out in Annex 1, and shall not process Personal Data for any other purpose unless:
- The Customer provides prior written instructions to do so;
- Processing is required by applicable law, in which case Questt AI shall inform the Customer of that legal requirement before processing (unless prohibited by law); or
- Processing is necessary to protect the vital interests of the Data Subject or another natural person.
5. Questt AI's Obligations
5.1 General Obligations
Questt AI shall:
- Process Personal Data in accordance with this DPA, the Agreement, and Applicable Data Protection Laws;
- Maintain the confidentiality of all Personal Data and not disclose it to any third party except as permitted under this DPA;
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing;
- Assist the Customer in fulfilling its obligations under Applicable Data Protection Laws, including obligations relating to Data Subject rights, data protection impact assessments, and consultation with supervisory authorities;
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws;
- Promptly inform the Customer if, in Questt AI's opinion, an instruction from the Customer infringes Applicable Data Protection Laws.
5.2 Specific Obligations
5.2.1 Confidentiality
- Questt AI shall ensure that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Questt AI shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.
5.2.2 Security Measures
Questt AI shall implement and maintain the technical and organisational security measures described in Annex 1, Section 4. These measures shall include, as appropriate:
- Encryption of Personal Data in transit and at rest;
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
- Measures for user identification and authorisation;
- Protection of data during transmission and during storage;
- Measures for ensuring physical security of locations at which Personal Data is processed;
- Measures for ensuring event logging;
- Measures for ensuring system configuration, including default configuration;
- Measures for internal IT and IT security governance and management.
5.2.3 Data Breach Notification
- Questt AI shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Customer Personal Data.
- The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- The name and contact details of Questt AI's contact point for further information;
- A description of the likely consequences of the Data Breach; and
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
- Questt AI shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach.
- Questt AI shall maintain a record of all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
5.2.4 Subprocessors
- The Customer provides general authorisation for Questt AI to engage Subprocessors for the processing of Personal Data, subject to the conditions set out in this section.
- Questt AI shall maintain a current list of Subprocessors, as set out in Annex 2, and shall make this list available to the Customer upon request.
- Questt AI shall notify the Customer of any intended changes concerning the addition or replacement of Subprocessors at least 30 days before such changes, giving the Customer the opportunity to object to such changes.
- If the Customer objects to a new Subprocessor on reasonable grounds related to data protection, the parties shall discuss the Customer's concerns in good faith. If the parties cannot reach a mutually agreeable resolution, the Customer may terminate the affected Services without penalty.
- Questt AI shall:
- Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set out in this DPA;
- Remain fully liable to the Customer for the performance of each Subprocessor's obligations; and
- Conduct appropriate due diligence on each Subprocessor to ensure they can provide the level of protection required by this DPA.
5.2.5 Data Subject Rights
- Questt AI shall assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
- If Questt AI receives a request directly from a Data Subject, Questt AI shall promptly redirect the request to the Customer, unless otherwise instructed.
- Questt AI shall implement appropriate technical and organisational measures to assist the Customer in fulfilling its obligations to respond to Data Subject requests.
5.2.6 Data Protection Impact Assessments
Questt AI shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Laws, taking into account the nature of the processing and the information available to Questt AI.
5.2.7 International Data Transfers
- Questt AI shall not transfer Personal Data to a country outside India, the EEA, or the UK unless:
- The transfer is to a country that has been deemed to provide an adequate level of data protection;
- Appropriate safeguards have been implemented, such as Standard Contractual Clauses, Binding Corporate Rules, or other approved mechanisms; or
- The transfer is otherwise permitted under Applicable Data Protection Laws.
- Where Standard Contractual Clauses are relied upon, the parties agree to incorporate the applicable SCCs by reference into this DPA.
- For transfers subject to the DPDPA, Questt AI shall comply with any conditions or restrictions imposed by the Central Government of India regarding cross-border transfers of personal data.
5.2.8 Records of Processing
Questt AI shall maintain records of all processing activities carried out on behalf of the Customer, including:
- The name and contact details of the Processor and the Controller;
- The categories of processing carried out on behalf of the Customer;
- Where applicable, transfers of Personal Data to a third country, including documentation of suitable safeguards;
- A general description of the technical and organisational security measures.
5.2.9 Audit Rights
- Questt AI shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
- The Customer shall give Questt AI reasonable notice of any audit (at least 30 days, except in the case of an audit required by a supervisory authority or following a Data Breach).
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Questt AI's business operations.
- The Customer shall bear its own costs for any audit, unless the audit reveals material non-compliance by Questt AI, in which case Questt AI shall bear the reasonable costs of the audit.
- Questt AI may satisfy audit requests by providing:
- Relevant certifications (e.g., ISO 27001, SOC 2);
- Results of recent third-party audits or assessments; or
- Other documentation demonstrating compliance with this DPA.
5.2.10 Return and Deletion of Data
- Upon termination or expiry of the Agreement, Questt AI shall, at the Customer's choice:
- Return all Customer Personal Data to the Customer in a commonly used, machine-readable format; or
- Securely delete all Customer Personal Data, including all existing copies, unless applicable law requires continued storage.
- Questt AI shall complete the return or deletion within 90 days of termination or expiry, unless otherwise agreed in writing.
- Questt AI shall certify in writing that it has complied with this section upon the Customer's request.
5.2.11 AI-Specific Provisions
- Questt AI shall not use Customer Personal Data to train, improve, or develop general-purpose AI models or algorithms without the Customer's prior written consent.
- Any AI processing of Personal Data shall be limited to providing the specific Services agreed upon in the Agreement.
- Questt AI shall maintain transparency about AI processing methods and shall provide information about the logic involved in automated decision-making, where applicable.
- The Customer retains full ownership of all Customer Data, including any insights or outputs generated from processing Customer Data through Questt AI's platform.
- Questt AI shall implement appropriate safeguards to prevent bias, discrimination, or unfair outcomes in AI-driven processing of Personal Data.
6. Customer's Obligations
The Customer shall:
- Ensure that it has a lawful basis for providing Personal Data to Questt AI and for instructing Questt AI to process such data;
- Provide all necessary notices and obtain all necessary consents from Data Subjects;
- Ensure that its instructions to Questt AI comply with Applicable Data Protection Laws;
- Maintain its own records of processing activities as required under Applicable Data Protection Laws;
- Implement appropriate security measures for any Personal Data within its control;
- Promptly notify Questt AI of any changes that may affect Questt AI's ability to comply with this DPA;
- Cooperate with Questt AI in the event of any regulatory investigation or inquiry relating to the processing of Personal Data under this DPA; and
- Not provide any special categories of Personal Data (e.g., health data, biometric data, data concerning racial or ethnic origin) unless expressly agreed upon in writing.
7. Government Access Requests
- If Questt AI receives a request from any government authority for access to Customer Personal Data, Questt AI shall:
- Promptly notify the Customer of such request (unless prohibited by applicable law);
- Not disclose more data than is necessary to comply with the request;
- Challenge the request if there are reasonable grounds to believe it is unlawful; and
- Provide the Customer with reasonable assistance in challenging the request, if applicable.
- Questt AI shall maintain a record of government access requests received and actions taken in response.
8. Precedence
In the event of any inconsistency or conflict between this DPA and the Agreement:
- This DPA shall prevail with respect to matters relating to data protection and privacy;
- The Agreement shall prevail with respect to all other matters; and
- Nothing in this DPA shall be construed to limit or restrict any rights or obligations of the parties under Applicable Data Protection Laws.
9. Liability and Indemnity
- Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except to the extent that Applicable Data Protection Laws require otherwise.
- Nothing in this DPA shall limit either party's liability for:
- Breaches of its obligations under Applicable Data Protection Laws;
- Wilful misconduct or gross negligence;
- Fraud or fraudulent misrepresentation; or
- Any liability that cannot be limited by applicable law.
- Each party shall indemnify the other against any losses, claims, damages, or expenses arising from the indemnifying party's breach of this DPA or Applicable Data Protection Laws.
10. Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
11. Term and Termination
- This DPA shall come into effect on the date the Agreement is executed and shall remain in effect for the duration of the Agreement.
- This DPA shall automatically terminate upon termination or expiry of the Agreement.
- Sections 5.2.3 (Data Breach Notification), 5.2.9 (Audit Rights), 5.2.10 (Return and Deletion of Data), 9 (Liability and Indemnity), and 13 (Governing Law and Jurisdiction) shall survive termination of this DPA.
- Questt AI's obligations regarding the return or deletion of Personal Data shall continue after termination as set out in Section 5.2.10.
12. Miscellaneous
12.1 Amendments
This DPA may only be amended by written agreement signed by both parties. Questt AI may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, provided that such updates do not materially reduce the level of protection afforded to Personal Data.
12.2 Notices
All notices under this DPA shall be in writing and sent to the addresses specified in the Agreement or as otherwise notified in writing by the parties.
12.3 Entire Agreement
This DPA, together with the Agreement and its Annexes, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and representations.
12.4 Waiver
No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right.
12.5 Assignment
Neither party may assign its rights or obligations under this DPA without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of all or substantially all of its assets.
12.6 Third-Party Rights
This DPA does not create any third-party beneficiary rights, except to the extent that Data Subjects have rights under Applicable Data Protection Laws that relate to the processing of their Personal Data under this DPA.
12.7 Counterparts
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
12.8 Force Majeure
Neither party shall be liable for any delay or failure to perform its obligations under this DPA (other than payment obligations) due to circumstances beyond its reasonable control, provided that the affected party promptly notifies the other party and takes reasonable steps to mitigate the impact.
12.9 Relationship of the Parties
Nothing in this DPA shall be construed to create a partnership, joint venture, or agency relationship between the parties.
12.10 Construction
Headings in this DPA are for convenience only and shall not affect the interpretation of this DPA.
12.11 Language
This DPA is executed in the English language. In the event of any conflict between the English version and any translation, the English version shall prevail.
12.12 Updates to Applicable Laws
If changes to Applicable Data Protection Laws require modifications to this DPA, the parties shall negotiate in good faith to agree on the necessary amendments within a reasonable timeframe.
12.13 Cooperation
The parties shall cooperate in good faith to resolve any issues arising under this DPA and to ensure compliance with Applicable Data Protection Laws.
13. Governing Law and Jurisdiction
- This DPA shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law principles.
- Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.
- For EU/EEA Data Subjects, the provisions of the GDPR shall apply, and any disputes relating to the processing of their Personal Data may be brought before the competent courts of the EU Member State in which the Data Subject resides.
- For matters subject to the DPDPA, the parties acknowledge the jurisdiction of the Data Protection Board of India.
Annex 1: Description of Processing Activities
1. List of Parties
Data Exporter (Customer/Controller)
| Field | Details |
|---|---|
| Name | As specified in the Agreement |
| Address | As specified in the Agreement |
| Contact Person | As specified in the Agreement |
| Role | Controller / Data Fiduciary |
Data Importer (Questt AI/Processor)
| Field | Details |
|---|---|
| Name | Questt Technologies Private Limited |
| Address | As specified in the Agreement |
| Contact Person | Akhil Gupta, akhil@questt.com |
| Role | Processor / Data Processor |
2. Competent Supervisory Authority
| Jurisdiction | Supervisory Authority |
|---|---|
| India | Data Protection Board of India (under DPDPA) |
| EU/EEA | Supervisory Authority of the EU Member State where the Customer is established |
| UK | Information Commissioner's Office (ICO) |
| California | California Privacy Protection Agency (CPPA) |
3. Description of Processing
3.1 Categories of Data Subjects
- Customer's employees and contractors
- Customer's end users
- Customer's business contacts (suppliers, vendors, partners)
- Customer's customers and prospective customers
- Other individuals whose Personal Data is included in Customer Data
3.2 Categories of Personal Data
- Contact information (name, email address, phone number, address)
- Professional information (job title, company name, department)
- Account credentials (usernames, hashed passwords)
- Usage data (log data, IP addresses, device information)
- Business data (transaction records, order details, supply chain data)
- Communication data (emails, messages, notes)
- Any other Personal Data included in Customer Data as determined by the Customer
3.3 Sensitive Data
No sensitive or special categories of data are intended to be processed under this DPA. If the Customer needs to process such data, a separate written agreement must be executed.
3.4 Frequency of Processing
Continuous, for the duration of the Agreement.
3.5 Nature of Processing
- Collection and storage of Customer Data
- AI-powered analysis and processing for enterprise decision intelligence
- Generation of insights, predictions, and recommendations
- Data visualisation and reporting
- Integration with Customer's existing systems and data sources
- Technical support and maintenance
3.6 Purpose of Processing
- Provision of the Services as described in the Agreement
- Delivery of AI-powered enterprise decision intelligence
- Supply chain optimisation and management
- Sales intelligence and forecasting
- Enterprise planning and analytics
- Customer support and service improvement
3.7 Retention Period
Personal Data will be retained for the duration of the Agreement plus 90 days, unless otherwise agreed in writing or required by applicable law. Upon expiry of the retention period, data will be securely deleted or anonymised in accordance with Section 5.2.10.
3.8 Transfers to Subprocessors
Personal Data may be transferred to the Subprocessors listed in Annex 2, subject to the conditions set out in Section 5.2.4 of this DPA.
4. Technical and Organisational Security Measures
4.1 Encryption
- All data encrypted in transit using TLS 1.2 or higher
- All data encrypted at rest using AES-256 encryption
- Encryption key management following industry best practices
4.2 Access Controls
- Role-based access control (RBAC) for all systems
- Multi-factor authentication (MFA) required for all personnel
- Principle of least privilege applied to all access grants
- Regular access reviews and revocation of unnecessary privileges
4.3 Network Security
- Firewalls and intrusion detection/prevention systems
- Network segmentation to isolate sensitive data
- Regular vulnerability scanning and penetration testing
- DDoS protection mechanisms
4.4 Data Backup and Recovery
- Regular automated backups
- Geographically distributed backup storage
- Regular testing of recovery procedures
- Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
4.5 Physical Security
- Cloud infrastructure hosted in certified data centres (SOC 2, ISO 27001)
- Physical access controls at all facilities
- Environmental controls (fire suppression, climate control)
4.6 Employee Security
- Background checks for all personnel with access to Personal Data
- Mandatory security awareness training
- Confidentiality agreements for all personnel
- Regular security training updates
4.7 Incident Management
- Documented incident response plan
- 24/7 security monitoring
- Defined escalation procedures
- Regular incident response drills
4.8 Logging and Monitoring
- Comprehensive audit logging of all system access and data processing activities
- Centralised log management
- Automated alerting for suspicious activities
- Log retention for a minimum of 12 months
4.9 Software Development
- Secure software development lifecycle (SDLC)
- Regular code reviews and security testing
- Automated vulnerability scanning in CI/CD pipeline
- Separation of development, testing, and production environments
4.10 Vendor Management
- Security assessment of all third-party vendors
- Contractual security requirements for all vendors
- Regular review of vendor security practices
- Vendor access limited to minimum necessary
Annex 2: Subprocessors
1. Current Subprocessors
Questt AI uses the following categories of Subprocessors:
| Category | Purpose | Location |
|---|---|---|
| Cloud Infrastructure | Hosting and data storage | As specified in the Agreement |
| Analytics | Service performance monitoring | As specified in the Agreement |
| Communication | Email delivery and notifications | As specified in the Agreement |
| Payment Processing | Subscription and billing management | As specified in the Agreement |
| Customer Support | Help desk and ticketing | As specified in the Agreement |
2. List of Subprocessors
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | India / US / EU (as configured) | All Customer Data as required for service delivery |
| Google Cloud Platform | AI/ML processing and analytics | India / US / EU (as configured) | Customer Data for AI processing |
| MongoDB Atlas | Database management | As configured by Customer | Customer Data requiring database storage |
| SendGrid / AWS SES | Email delivery | US | Email addresses and communication content |
| Stripe | Payment processing | US | Payment and billing information |
| Freshdesk / Zendesk | Customer support | US / EU | Support ticket data and contact information |
| Mixpanel / Amplitude | Product analytics | US | Usage data and anonymised interaction data |
3. Customer Objection Rights
- Questt AI shall notify the Customer at least 30 days before engaging any new Subprocessor or making changes to existing Subprocessors.
- The Customer may object to such changes by providing written notice within 15 days of receiving Questt AI's notification.
- If the Customer objects, the parties shall work together in good faith to find a mutually acceptable solution.
- If no resolution is reached within 30 days of the Customer's objection, the Customer may terminate the affected Services without penalty by providing written notice.
Document Information and Contact
| Field | Details |
|---|---|
| Document Title | Data Processing Addendum (DPA) |
| Version | 1.0 |
| Company | Questt Technologies Private Limited |
| Contact | Akhil Gupta, akhil@questt.com |
| Website | questt.com |
For questions about this DPA or to request a signed copy, please contact us at akhil@questt.com.