Effective Date: October 10, 2025
Part of: the Terms of Service, Master Service Agreement, and any Order/SOW between Quontumm, Inc. ("Quontumm") and the entity or person that purchases, signs up for, or uses Quontumm's Services ("Customer").
Contact: legal@quontumm.com | 1323 South 9th Street, #205, Omaha, NE 68108
By creating an account, purchasing, or otherwise using the Services, you agree to this DPA on behalf of your organization. If you do not have authority, do not proceed.
1) When this DPA applies
This DPA governs Quontumm's processing of Customer Personal Data on Customer's behalf while providing consulting, software development, automation, hosting, and related support (the "Services"). Quontumm's own website analytics, marketing, and billing activities are performed as an independent controller and are covered by the Privacy Policy.
2) Roles; Instructions
Roles. Customer is the Controller; Quontumm is the Processor (or Sub-Processor if Customer acts as a processor to its client).
Instructions. Quontumm processes Customer Personal Data only on documented instructions from Customer: this DPA, the Agreement, and Customer's in-product/configuration choices.
3) Security
Quontumm implements technical and organizational measures designed to protect Customer Personal Data (see "Security Overview" in Section 11). Quontumm may update measures without materially reducing protections.
4) Sub-Processors
Authorized. Customer authorizes Quontumm to use Sub-Processors reasonably needed to deliver the Services. Current list: /legal/subprocessors (see initial list in Section 12 below).
Flow-down. Quontumm imposes data-protection terms no less protective than this DPA.
Changes. Quontumm will give notice of new Sub-Processors (email or posting). Customer may object on reasonable, data-protection grounds; if unresolved, Customer may suspend the affected Service with a pro-rata refund of prepaid unused fees (sole remedy).
5) Assistance
Taking into account the nature of processing, Quontumm will assist Customer with: (a) data subject requests; (b) security; (c) breach notifications; (d) DPIAs/consultations required by law. Quontumm may charge reasonable fees for non-baseline or excessive requests.
6) Breach Notice
Quontumm will notify Customer without undue delay (no later than 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data, sharing available details to support Customer's regulatory notices.
7) International Transfers
Where GDPR/UK GDPR/Swiss FADP applies and Customer Personal Data is transferred to a country without adequacy, the parties incorporate by reference: EU SCCs (2021/914) Module 2 (C2P) and/or Module 3 (P2P); UK IDTA Addendum; and Swiss-FADP-adapted SCCs. The parties will complete annexes as reasonably required and cooperate on any replacement transfer mechanism.
8) Return/Deletion
At termination or on request, Quontumm will delete or return Customer Personal Data and delete remaining copies within 30 days, unless retention is legally required (in which case data is isolated and protected).
9) Audits
Once per 12 months (or after a material security incident), with reasonable notice, Customer may: (a) review Quontumm's available audit summaries/certifications; and (b) conduct a focused audit (remote or on-site) limited to this DPA. Audits must minimize disruption and protect confidentiality. Reasonable costs may apply.
10) Customer Responsibilities
Customer is responsible for the lawfulness of Customer Personal Data, providing required notices/consents, and configuring/using the Services in a compliant manner.
11) Security Overview (summary TOMs)
Access control & least privilege; MFA for admin access; encryption in transit and at rest (where platform-supported); network segmentation/CDN/WAF; secure SDLC and dependency scanning; secret management; logging/monitoring; vulnerability management and incident response; backups and tested restores; vendor due diligence; staff confidentiality and training; business continuity/DR planning.
12) Sub-Processors (initial list for /legal/subprocessors)
Quontumm may use some or all of: Stripe (payments); Cloudflare (CDN/WAF/DNS/edge); AWS, Google Cloud Platform, Microsoft Azure (hosting/compute/storage); SendGrid/Mailgun (email, if used); analytics/ads tech implemented only at Customer's direction for Customer projects: Microsoft Clarity, Google Analytics, Meta Pixel, TikTok. Quontumm will update /legal/subprocessors as changes occur.
13) Order; Liability; Law
Order of precedence. If this DPA conflicts with the Agreement, this DPA controls only for processing of Customer Personal Data. Where SCCs/UK/Swiss terms apply, they control to the extent of conflict.
Liability. The Agreement's liability caps and exclusions apply to this DPA.
Governing law; venue. Nebraska law (excluding conflicts rules). Disputes resolved by binding AAA arbitration in Lancaster County, Nebraska. Either party may seek injunctive relief in Nebraska courts. These terms are intended to be enforceable throughout the United States.