Data Processing Agreement
Template DPA for institutional buyers of IMS. The signed version replaces this template and prevails in case of conflict.
Parties
- Processor — Quintessentia Network Inc., a corporation organised under the Canada Business Corporations Act (CBCA), with registered address in Ontario, Canada.
- Controller — the institutional buyer (the “Customer”) named in the signed Master Services Agreement.
1. Scope & subject matter
This DPA governs the Processing of Personal Data by Quintessentia (Processor) on behalf of the Customer (Controller) in the course of providing the IMS service.
2. Nature & purpose of processing
- Categories of data subjects: Customer's authenticated users (analysts, desk officers, security staff). No data subjects beyond Customer's directly named users.
- Categories of personal data: name, work email, role, organisational affiliation, mission/team metadata, audit trail of console actions.
- Special categories: none processed by IMS.
- Purpose: operating the incident-monitoring console, generating briefing PDFs on Customer's behalf, providing audit trails for forwarded briefs.
3. Duration
For the term of the Master Services Agreement, plus a 30-day deletion window thereafter.
4. Processor obligations
Quintessentia shall:
- Process Personal Data only on documented instructions from the Customer.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement and maintain technical and organisational measures appropriate to the risk (see Annex 1).
- Not engage sub-processors without prior written consent (see Annex 2).
- Assist the Customer in fulfilling Data Subject rights requests within 10 business days.
- Notify the Customer without undue delay (within 72 hours) of any Personal Data breach.
- Make available all information necessary to demonstrate compliance, including audit rights once per calendar year on reasonable notice.
- Delete or return all Personal Data at the end of the contract, at the Customer's choice, within the 30-day deletion window.
5. International transfers
Where Processor's location requires cross-border transfer, the parties agree to incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) by reference.
Current Processor location: EU (Hostinger International Ltd., Lithuania). Customer-dedicated EU residency available on Institutional tier.
6. Sub-processors (Annex 2)
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Hostinger International Ltd. | VPS hosting | Lithuania (EU) | SCCs · data encrypted at rest |
| Let's Encrypt (ISRG) | TLS certificate issuance | USA | No personal data shared (domain only) |
Customer will be notified of any addition or change to this list at least 30 days in advance, with a right to object on reasonable grounds.
7. Security measures (Annex 1)
- TLS 1.3 in transit · AES-256 at rest
- Per-IP rate limits on all public endpoints
- Strict Content-Security-Policy on every page
- SHA-256 chain-of-custody on every generated PDF
- Audit log of every privileged action; tamper-evident
- Backup & restore tested quarterly
- Privacy by design: no facial recognition, no PII scraping, public sources only
8. Liability
As set out in the Master Services Agreement.
9. Governing law
The laws of the Province of Ontario, Canada, except where the Customer is established in the EU/EEA — in which case the SCCs and applicable Member State law govern Processing.
This template is a draft pending review by external counsel. Buyer-specific amendments are negotiable. Contact legal@quintarthai.com to start negotiation.