DPA /
DATA PROCESSING AGREEMENT

(ART. 28 GDPR)

Insofar as QuanteliX processes personal data on behalf of a customer, we conclude a data processing agreement (DPA) with our customers in accordance with Art. 28 GDPR.
Request via e-mail to legal@quantelix.io. On request, we will also send the current sub-processor list.

WHEN IS A DPA REQUIRED?

A DPA is required if QuanteliX processes personal data on behalf of and according to the instructions of the customer as part of the provision of services – e.g. for support, operation, customizing or development services within the customer systems.

KEY FACTS

ROLE

QuanteliX typically acts as a data processor.

HOSTING

Processing takes place exclusively in the customer’s tenant/environment (e.g. Microsoft Azure, Dynamics 365, M365). QuanteliX does not provide its own hosting systems for customer data.

ACCESS

Depending on the project, access to production data is required (role-based, according to need-to-know).

SUB-PROCESSORS

QuanteliX uses selected sub-processors. We provide a current sub-processor list on request and contractually regulate the involvement within the framework of the DPA.

DATA RESIDENCY

EU/Germany requirements are implemented project-specifically in the customer tenant.

TYPICAL PROCESSING SCENARIOS

SERVICES

  • Microsoft D365 (Customizing/Development)
  • ERP/BI
  • Data Foundation for AI
  • Managed Services / Support

DATA SUBJECTS

  • Customers and prospects
  • Customer employees
  • Supplier/partner contacts

DATA CATEGORIES

  • Employee, customer and supplier master data
  • Transaction data
  • Support tickets and communication content (if provided by the customer)

HIGH LEVEL SECURITY MEASURES

QuanteliX implements technical and organizational measures that are appropriate to the risk. Examples:
  • Mandatory MFA and Conditional Access Policies
  • Role and authorization concept (Least Privilege)
  • Logging and security monitoring (within the scope of customer systems, as far as applicable)
  • Secure Remote Access
  • Encryption according to platform standard (customer-side/Cloud)
  • Secure SDLC as well as Change/Release processes
  • Patch and device management (if within our sphere of influence)

SUB-PROCESSORS

Insofar as QuanteliX uses sub-processors, this is done in a controlled and contractually secured manner. Sub-processors are only integrated if they are required for defined purposes and meet appropriate security standards.
  • Current list on request: Provision of the sub-processor list via legal@quantelix.io
  • Contractual security: Flow-down obligations according to Art. 28 GDPR (e.g. confidentiality, TOMs, support obligations)
  • Access restriction: Access only as far as necessary (need-to-know), role-based; logging where applicable
  • Change management: Changes/additions according to DPA with appropriate advance notice and contractual procedure
  • Third country transfers: If applicable, use of suitable guarantees (e.g. EU standard contractual clauses), regulated in the DPA

OPERATIONAL PROCESSES

  • Security Incident / Breach Notification: Information of the customer within 24–72 hours after awareness (according to DPA/project standard; immediately/"without undue delay").
  • Return & Deletion: Return of all project artifacts; deletion of existing copies, if any, provided there are no statutory retention obligations.
  • Audit & Assistance: Remote audits on request with appropriate advance notice; support for data subject rights and authority inquiries according to DPA.

REQUEST DPA

Send your request to legal@quantelix.io. We will provide you with our standard DPA and support you in coordinating with compliance and procurement. On request, you will also receive the current sub-processor list as well as a brief description of the respective processing activities.

FAQ

1. Does QuanteliX host customer data on its own systems?

No. Processing takes place exclusively in the customer’s systems/tenants (e.g. Microsoft Azure/D365/M365). QuanteliX does not provide its own hosting systems for customer data.

2. Does QuanteliX access production data?

Depending on the project and mandate, access to production data may be necessary, e.g. for support, troubleshooting, operation, or error analysis. Access is role-based and follows the need-to-know principle.

3. Does QuanteliX use sub-processors?

Yes, QuanteliX uses selected sub-processors. We provide a current list of sub-processors upon request and contractually integrate sub-processors in accordance with Art. 28 GDPR.

4. How quickly does QuanteliX inform about security incidents?

We inform the customer within 24–72 hours after becoming aware, in accordance with the DPA/project standard and without undue delay.

5. How do I obtain the DPA and the sub-processor list?

Upon request to legal@quantelix.io. We provide the standard DPA and send the current sub-processor list on request.