Data Protection Addendum
How Quantisage processes personal data on your behalf as part of the Quantisage AI platform.
Last updated: June 5, 2026
This Data Protection Addendum (“DPA”) forms part of the agreement between the customer (“Customer”, “you”) and Quantisage LLC (“Quantisage”, “we”, “us”) for use of the Quantisage AI platform (the “Agreement”). It applies where Quantisage processes personal data on Customer’s behalf in providing the Platform. In the event of a conflict on data protection matters, this DPA prevails over the rest of the Agreement; on cross-border transfer conflicts, the applicable Standard Contractual Clauses prevail over this DPA.
1. Definitions and roles
Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach”, and “supervisory authority” have the meanings given in applicable data protection law, including the EU GDPR, the UK GDPR, the Swiss FADP, and the California Consumer Privacy Act as amended (the “CCPA”).
For personal data within Customer Data, Customer acts as the controller (or as a processor acting for its own customers, in which case Quantisage is a sub-processor), and Quantisage acts as the processor. For CCPA purposes, Quantisage acts as a service provider.
2. Processing instructions
Quantisage processes personal data only on Customer’s documented instructions, including those set out in the Agreement, this DPA, and Customer’s configuration of the Platform, except where required otherwise by law (in which case Quantisage will, unless legally prohibited, inform Customer first). Quantisage will inform Customer if, in its opinion, an instruction infringes applicable data protection law. The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex 1.
3. CCPA service-provider commitments
Quantisage will not: sell or share personal data; retain, use, or disclose personal data for any purpose other than performing the services or as permitted by the CCPA; retain, use, or disclose personal data outside the direct business relationship; or combine personal data with data from other sources except as permitted by the CCPA. Quantisage certifies that it understands and will comply with these restrictions.
4. Confidentiality
Quantisage ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and are trained on their data protection responsibilities, and limits access to those who need it to provide the Platform.
5. Security
Quantisage maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
6. Sub-processors
Customer provides general authorisation for Quantisage to engage sub-processors (including cloud and hosting providers, infrastructure and support providers, and Quantisage’s authorised subcontractors) to process personal data in connection with the Platform. Quantisage will:
- impose data protection obligations on each sub-processor that are no less protective than this DPA;
- remain responsible for each sub-processor’s performance; and
- maintain a current list of sub-processors and provide it on request , give Customer reasonable prior notice of any new sub-processor, and allow Customer to object on reasonable, data-protection-related grounds.
Validators, auditors, or assurance providers that Customer engages or directs are Customer’s chosen recipients rather than Quantisage’s sub-processors.
7. Data subject requests
Taking into account the nature of the processing, Quantisage will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights. If a data subject contacts Quantisage directly about Customer Data, Quantisage will refer the request to Customer and will not respond except on Customer’s instructions or as required by law.
8. Assistance to Customer
Taking into account the nature of processing and the information available to Quantisage, Quantisage will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, the security of processing, and personal data breach obligations.
9. Personal data breach
Quantisage will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer’s personal data, and will provide information reasonably available to it to help Customer meet its own notification and communication obligations. Quantisage will take reasonable steps to investigate, contain, and mitigate the breach.
10. International transfers
Where Quantisage processes personal data originating from the EEA, the UK, or Switzerland in a country not recognised as providing an adequate level of protection, the parties agree to the EU Standard Contractual Clauses (Commission Decision 2021/914), which are incorporated by reference, with the applicable module (Module Two: controller-to-processor, or Module Three: processor-to-processor) and with this DPA and the Annexes completing the required information. For UK transfers, the UK International Data Transfer Addendum to the EU SCCs applies; for Swiss transfers, the SCCs apply as adapted under the FADP. Where a transfer mechanism is invalidated, the parties will work in good faith to implement an alternative.
11. Audit
Quantisage will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not unreasonably disrupt operations. Quantisage may satisfy audit requests by providing relevant third-party reports or certifications where available.
12. Deletion and return
On termination or expiry of the Agreement, Quantisage will, at Customer’s choice, delete or return personal data, and delete existing copies, within the period stated in the Agreement (or, if none, within ninety (90) days), unless retention is required by law, in which case Quantisage will protect the data and limit further processing.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Annex 1 — Details of processing
- Subject matter: provision of the Quantisage AI platform for carbon measurement, validation, and reporting.
- Duration: for the term of the Agreement and any deletion/return period.
- Nature and purpose: hosting, processing, analysis, and reporting of Customer Data to generate Output, plus support.
- Types of personal data: business contact details, names, and job titles of Customer’s personnel and of Customer’s suppliers’ and value-chain contacts, and any other personal data Customer chooses to submit.
- Categories of data subjects: Customer’s personnel and authorised users; contacts at Customer’s suppliers and value-chain partners.
- SCC docking information: to be completed at contract execution.
Annex 2 — Technical and organisational measures
Subject to ongoing improvement, Quantisage’s measures include: encryption of personal data in transit and at rest; role-based access controls and least-privilege access; multi-factor authentication for administrative access; network security and segregation; logging and monitoring; vulnerability and patch management; secure development practices; regular backups and tested recovery; personnel security screening (where lawful) and training; vendor risk management; and a documented incident-response process.
Annex 3 — Sub-processors
A current list of sub-processors is available on request at privacy@quantisage.ai .
Contact
Questions about this Data Protection Addendum? Contact Quantisage LLC, Hanover, New Hampshire, USA — privacy@quantisage.ai or info@quantisage.ai.