Data Processing Agreement

1. Definitions

2. Roles and Responsibilities

3. Nature, Purpose, and Duration of Processing

4. Sub-processors

The Customer authorises Qonera to engage sub-processors to assist in providing the Services. Qonera will ensure that sub-processors are bound by data protection obligations at least as stringent as those in this DPA.

Current categories of sub-processors include:

• —AI model providers (for inference and document analysis)
• —Cloud infrastructure providers (for hosting and storage)
• —Authentication service providers
• —Analytics service providers (for aggregate, anonymised usage data)

Qonera will notify the Customer of any new sub-processor appointments or changes with at least 14 days' notice, providing the Customer with the opportunity to object. The full sub-processor list is available on request at security@qonera.ai.

5. International Data Transfers

Qonera is based in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to countries not recognised as providing an adequate level of protection, Qonera will implement appropriate safeguards, including:

• —Standard Contractual Clauses (SCCs) as adopted by the European Commission
• —UK International Data Transfer Agreements (IDTAs) where applicable
• —Supplementary technical and organisational measures as appropriate

Enterprise customers may request the executed SCCs as an addendum to this DPA.

6. Security Measures

Qonera will implement and maintain appropriate technical and organisational security measures to protect personal data, including:

• —Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256)
• —Access controls and least-privilege principles for Qonera personnel
• —Regular security assessments and penetration testing
• —Incident response procedures and breach notification protocols
• —Employee security training

In the event of a personal data breach affecting Customer data, Qonera will notify the Customer without undue delay and no later than 72 hours after becoming aware, providing sufficient information for the Customer to fulfil its own notification obligations.

7. Customer Obligations

The Customer agrees to:

• —Ensure it has a lawful basis to submit personal data to the Services
• —Provide any required notices to data subjects about processing through the Services
• —Ensure that personal data submitted is accurate and up to date
• —Comply with applicable data protection laws in connection with its use of the Services
• —Not submit special categories of personal data (sensitive data) unless expressly agreed in writing with Qonera

8. Data Subject Rights

Qonera will assist the Customer in responding to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection), to the extent that such requests relate to personal data processed by Qonera as Processor. Qonera will notify the Customer promptly upon receiving a data subject request that relates to Customer data.

9. Data Deletion and Return

Upon termination of the Customer's subscription or upon written request, Qonera will, at the Customer's election, delete or return all personal data processed on the Customer's behalf within 30 days, and delete existing copies unless retention is required by applicable law. Qonera will provide a written confirmation of deletion upon request.

10. Audits and Inspections

Qonera will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by the Customer or a mandated auditor, subject to reasonable advance notice and confidentiality obligations. Qonera may satisfy audit requests by providing relevant third-party certifications (such as SOC 2 reports) where available.