Data Processing Addendum for the QuantCopy/Tactic Platform

This QuantCopy Subscription Data Processing Addendum ("addendum") is entered into by and between QUANTCOPY GROWTH AI LIMITED trading as Tactic incorporated and registered in England and Wales with company number 11808232 whose registered office is at Quantcopy, 2 Underwood Row London N1 7LQ, United Kingdom (hereinafter "Supplier", "QuantCopy" or “we”, “us” and “our”) and the entity or person placing an order for or accessing any Services ("Buyer" or "you") pursuant to the QuantCopy Subscription Terms of Service (the “agreement”). This addendum supplements and forms part of the agreement.

Unless otherwise defined in this addendum, all capitalized terms not defined herein will have the meanings given to them in the Terms of Service. In the event of any conflict or discrepancy between the terms of the agreement and this addendum, the terms of this addendum shall prevail, to the extent of the conflict. In the event of any conflict or discrepancy between this addendum and any applicable Controller to Processor Clauses or Processor to Processor Clauses, the terms of the Controller to Processor Clauses or Processor to Processor Clauses shall prevail to the extent of the conflict.

1. Interpretation

1. The definitions and rules of interpretation in this clause apply in this addendum.

Buyer Data: any data of any type that is submitted, uploaded, imported, or synced to the Platform by or on behalf of the Buyer (including from third party platforms).

Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Controller, processor, data subject, personal data, personal data breach and processing: as defined in the Data Protection Legislation.

Controller to Processor Clauses: (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

Data Protection Legislation: the UK Data Protection Legislation and any European Union legislation relating to personal data, including the General Data Protection Regulation ((EU) 2016/679) (GDPR), the Privacy and Electronic Communications Directive 2002/58/EC, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the binding guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.

Effective Date: the Contract Start Date designated in Customer's first Order Form or, if no start date is so designated, the date on which the Customer first accesses the Platform.

Order Form: Ordering documents, online registration, order descriptions or order confirmations referencing the agreement.

Platform: a technological system solution for the analysis, automation and consequent optimisation of the sales function of the Buyers of the Supplier.

Processor to Processor Clauses: (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 specifically including Module 3 (Processor to Processor); (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as in force and as amended, updated or replaced from time to time.

Third Country: (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK, including the UK Data Protection Act 2018 (DPA), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the DPA, the UK GDPR), and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

2. Clause and paragraph headings shall not affect the interpretation of this addendum.

3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person's legal and personal representatives, successors or permitted assigns.

4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

5. Unless the context otherwise requires, words in the singular shall include the plural and, in the plural shall include the singular.

6. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

7. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this addendum.

8. A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this addendum under that statute or statutory provision.

9. A reference to writing or written includes faxes but not e-mail.

10. References to clauses and schedules are to the clauses and schedules of this addendum; references to paragraphs are to paragraphs of the relevant schedule to this addendum.

2. Processing of Personal Data

1. The parties acknowledge and agree that:

1. if the Supplier processes any personal data on the Buyer's behalf when performing its obligations under the agreement or this addendum (Personal Data), including as may be contained in the Buyer Data, the Buyer is the controller and the Supplier is the processor for the purposes of the Data Protection Legislation;

2. the Personal Data will be subject to the following basic processing activities: collection, communication, and analytics, for the purposes of notifying our users when their requested in-app actions are completed, communicating updates, allowing users to see how their teams usage of the product impacts their organization, as set out in the agreement;

3. the duration of the processing is the length of the commercial relationship with Buyer and the frequency of any international transfers of the Personal Data is daily;

4. the Personal Data consists of the following categories of personal data: email address and name (no sensitive or special category personal data is processed), relating to the following categories of data subjects: Buyer and its customer prospects; and

5. the subject matter, nature and duration of processing carried out by any sub-processors (authorised pursuant to the agreement or this addendum) are as follows:

• Paragon (https://www.useparagon.com/): We use this service to collect our Buyer’s customer prospects’ names for the duration of this addendum and the relevant retention period thereafter.
• AWS (https://aws.amazon.com/): We use this service to store Buyer’s names and email Addresses, and Buyer’s customer prospects’ names for the duration of this addendum and the relevant retention period thereafter.

1. The Buyer will ensure that it has all necessary appropriate consents and notices in place to enable the lawful transfer to and processing of the Personal Data by the Supplier for the purposes of the agreement and this addendum.

2. Supplier shall, in relation to the Personal Data:

1. process such Personal Data only on the instructions of the Buyer unless the Supplier is required by any applicable laws to process Personal Data; in such a case, the Supplier shall inform the Buyer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

2. upon the Buyer’s request, assist the Buyer, at the Buyer's cost, in responding to any request from a data subject and in ensuring compliance with the Buyer’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

3. notify the Buyer without undue delay on becoming aware of a personal data breach;

4. at the written direction of the Buyer, delete or return the Personal Data and copies thereof to the Buyer on termination of this addendum unless required by applicable law to store the Personal Data;

5. immediately inform the Buyer if, in its opinion, an instruction of the Buyer infringes the Data Protection Legislation; and

6. ensure that its personnel authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.

3. Each party shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data. The Supplier has implemented the measures set out in Schedule 1 (as may be amended from time to time).

4. The Buyer hereby grants the Supplier general written authorisation to engage sub-processors, including as those set out in clause 2.1(e), subject to the requirements of clauses 2.6 and 2.7.

5. The Supplier shall ensure that it has a written agreement in place with all sub-processors of the Personal Data which contains obligations on the sub-processor with respect to the Personal Data which are no less onerous than the obligations on the Supplier under this addendum. Where the Supplier’s sub-processor of the Personal Data fails to fulfil its obligations, the Supplier shall remain fully liable under the Data Protection Legislation to the Buyer for the performance of that sub-processor’s obligations.

6. If the Supplier appoints a new sub-processor or intends to make any changes concerning the addition or replacement of any sub-processor, it shall provide the Buyer with five (5) Business Days’ prior written notice, during which the Buyer can object to such appointment or replacement. If the Buyer does not object, the Supplier may proceed with the appointment or replacement

7. To the extent the Supplier processes the Personal Data in a Third Country, and it is acting as data importer, the Supplier shall comply with the data importer’s obligations set out in the Controller to Processor Clauses which are hereby incorporated into and form part of this addendum; the Buyer shall comply with the data exporter’s obligations in such Controller to Processor Clauses, and:

1. for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, the Data Exporter is the Buyer and the Data Importer is the Supplier, and the name, address, contact person’s details and relevant activities for each of them is as set out in the agreement, this addendum or Order Form, and the processing details are as set out in clause 2.1, and the Start Date is the Effective Date;

2. if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the relevant Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2) as incorporated into this addendum by virtue of this clause 2.8;

3. for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organisational measures set out in clause 2.4 and, if applicable, any additional technical and organisational measures adopted by relevant sub-processors, shall apply;

4. if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in clause 2.6 of this addendum shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the Buyer’s lead supervisory authority; (iv) Clause 17, Option 1 is deemed to be selected and the governing law shall be Irish laws; (v) Clause 18, the competent courts shall be the courts of Ireland; (vi) Part 1 of such Controller to Processor Clauses, Supplier as Data Importer may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses; and

5. to the extent the Supplier permits any third party including its sub-processors to process the Personal Data in any Third Country, the Supplier shall execute the Processor to Processor Clauses, if applicable and available, with any relevant sub-processor it appoints on behalf of the Buyer, and/ or the Buyer grants the Supplier a mandate to execute the relevant Controller to Processor Clauses (with the processing details and the security measures set out, or referred to, in this clause 2.8 applying for the purposes of Appendix 1 and Appendix 2 respectively)

3. VARIATION and and termination

We may amend this Addendum from time to time due to changes in Data Protection Legislation or as otherwise determined by us in our commercially reasonable discretion.

The Term and termination of this Addendum shall be governed by the Terms of Service.

4. Governing law

This addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

5. Jurisdiction

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this addendum or its subject matter or formation (including non-contractual disputes or claims).

1. 
   TECHNICAL AND ORGANISATIONAL MEASURES

- Personal data requested from our customers is strictly limited to data required to provide the agreed upon services to our customers.

- All personal data submitted is sent over an encrypted channel to our servers where it is stored in an encrypted database, and is only viewable by authorised users.

- Our services reside within an isolated virtual private cloud network hosted on our cloud provider (AWS).

- The principle of least functionality is incorporated into the configuration of our services.

- Each sub-system within our service is protected by a firewall which is configured to accept traffic from only the necessary and approved channels.

- All communication between subsystems is encrypted.

- Fine-grained identity and access management policies are in place to restrict access to each sub-system in our service according to the concept of least privilege.

- Regular review of the network configuration is performed.

- Tactic's employees require 2FA and a unique password or a secret cryptographic key to access our cloud services.

- Our service endpoints are all secured by HTTPS, require strong authentication, and input validation.

- We use automated vulnerability scanning to prevent the introduction of malware into our services.