Supplier Data Processing Terms

1. Background and Intention

The company, individual or organisation agreeing to these terms (the “Supplier”), and Quartix Technologies plc, Quartix Limited, Quartix SAS, Quartix Inc or any other entity that is directly or indirectly controlled by Quartix Technologies plc (as applicable, “Quartix”), have entered into an agreement whereby the Supplier will supply certain Services to Quartix (the “Agreement”).

As part of this Agreement, Quartix may from time to time share Data with the Supplier and may be acting as a Data Controller or Processor. In such cases, the Supplier is a Processor or Sub-Processor, respectively.

These data processing and security terms, including their appendices (the “Terms”) will be effective from 8 August 2025 (the “Effective Date”) and replace all data processing and security terms which were previously applicable.

The purpose of these Terms is to set out appropriate arrangements for any Data passing from Quartix to the Supplier. Any transfer of Data from the Supplier to Quartix is governed by Quartix’s Data Processing Terms, available on the Quartix website or on request.

2. Definitions and Interpretation

Within these Terms:

‘Data Protection Legislation’ means (a) the EU General Data Protection Regulation 2016/679 (“EU GDPR”), (b) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”), and (c) all other applicable privacy and data protection laws and regulations in force in the UK, European Union or relevant jurisdiction, including statutory instruments and guidance issued by Supervisory Authorities.

‘Data’ means information subject to Data Protection Legislation, including but not limited to personal data and special categories of personal data as defined in the GDPR and UK GDPR.

‘GDPR’ means, as applicable, the EU GDPR and/or the UK GDPR.

‘Services’ means the services provided by the Supplier as part of the Agreement.

The terms ‘Controller’, ‘Processor’, ‘Sub-Processor’, ‘Data Subject’, ‘Personal Data’, and ‘Supervisory Authority’ have the meanings given in Data Protection Legislation.

3. Data Processing

Quartix retains control of the Data in all cases. The Supplier shall:

1. Treat all Data as confidential, processing it only in accordance with Quartix’s documented instructions and strictly as necessary to perform the Services;
2. Not process Data outside the UK and/or European Economic Area (EEA) without prior written authorisation from Quartix, except in jurisdictions subject to an adequacy decision by (for the EU Data: the European Commission; for UK Data: the UK Secretary of State or relevant UK authority) or using appropriate safeguards under Data Protection Legislation (including the most recent Standard Contractual Clauses (“SCCs”) as adopted by the European Commission and/or the UK International Data Transfer Agreement (“IDTA”) as applicable);
3. Implement and maintain technical and organisational security measures appropriate under Data Protection Legislation and as described in Appendix A, including (where relevant) pseudonymisation, encryption, and regular testing/assessment;
4. Ensure all employees, agents, or subcontractors who process Data are bound by confidentiality and have received adequate data protection training;
5. Obtain Quartix’s written consent before appointing any sub-Processor, and maintain adequate data processing agreements with any approved sub-Processors;
6. Assist Quartix, taking into account the nature of processing, in responding to Data Subjects’ requests and in complying with Articles 32–36 of the applicable GDPR (including breach notifications, impact assessments, and consultation with Supervisory Authorities);
7. Maintain appropriate records of processing and make them available to Quartix or relevant Supervisory Authorities on request;
8. Delete or return all Data (including all copies) to Quartix at the end of the provision of Services unless storage is required by law; provide certification of destruction if requested;
9. Promptly comply with all reasonable instructions from Quartix relating to Data, including transfer, rectification, restriction, erasure, or portability;
10. Adhere to any code of conduct or certification mechanism approved under GDPR/UK GDPR if required by Quartix.

4. Notice Obligations etc

The Supplier shall immediately notify Quartix:

• Of any requests received from a Data Subject exercising his or her rights under Data Protection Legislation and (if required) assist with responses;
• Of any actual or suspected Personal Data Breach, loss, destruction, corruption, or unauthorised disclosure or processing of Data, and follow Quartix’s directions in all remedial actions (meaning the Supplier agrees not to act in any way upon such disclosure without the prior written consent of Quartix);
• Upon receipt of any correspondence, notice, or enquiry from a Supervisory Authority concerning Data processed under these Terms;
• Of any event resulting in loss or unavailability of Data and promptly restore such Data at no cost to Quartix.

5. Termination

On the expiry of these Terms or the termination of this Agreement (whichever is the earlier), the Supplier and its agents or sub-processors shall immediately cease to use the Data and shall arrange for its safe return or destruction (at Quartix’s option) at the relevant time (unless applicable legislation requires stipulated retention for a defined period of time).

6. Rights in Personal Data

Neither the Supplier nor its agents or sub-contractors shall acquire rights in or to the Data and the Supplier shall make no use of the Data other than as permitted by these Terms.

7. Liability

The Supplier agrees to indemnify, defend, and hold harmless Quartix, its affiliates, subsidiaries, and group companies against all losses, damages, fines, costs, claims, and expenses incurred as a result of any breach of these Terms or Data Protection Legislation by the Supplier or its agents/subcontractors.

8. General

1. These Terms shall remain in force even after the Supplier has finished providing the Services as part of the Agreement and may only be amended in writing signed by both parties.
2. The Supplier consents to their business name (whether in the form of a Limited Company, Sole Trader, Limited Liability Partnership, Public Limited Company or any other form of organization) being referenced on the Quartix website as a Processor or Sub-Processor of Data.
3. These Terms represent the entire understanding of the parties relating to necessary legal protections arising out of their relationship under Data Protection Legislation.
4. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms or its subject matter or formation.
5. If any provision within the Terms is held to be unenforceable or unreasonable it shall, to the extent of such illegality, invalidity, voidness, voidability, unenforceability or unreasonableness, be deemed severable. The remaining provisions of the Terms and the remainder of such provision shall therefore continue in full force and effect.

APPENDIX A: TECHNICAL AND ORGANISATIONAL MEASURES

The Supplier shall implement, as a minimum (in line with Article 32 UK/EU GDPR):

1. Where appropriate, adherence to a recognised code of conduct or approved certification (Articles 40/42 of GDPR).
2. Measures such as pseudonymisation and encryption of Data where appropriate;
3. The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
4. The ability to restore availability and access to Data in a timely manner in the event of a physical or technical incident;
5. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures to ensure processing security;
6. Assessment of risks presented by processing, including risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data;
7. Clear processes ensuring no person acts on the Data except on instructions from Quartix or as required by applicable law;
8. Where appropriate, adherence to a recognised code of conduct or approved certification (Articles 40/42 of GDPR).