Exhibit 1: Qt Insight Data Processing Addendum

1. This Data Processing Addendum together with its Schedules (“DPA”) forms part of the Appendix for Qt Insight between the Customer, as defined in the Agreement, and The Qt Company (“Agreement”). This DPA sets out data protection requirements with respect to the processing of Events Personal Data (as defined below) that is collected, stored, or otherwise processed by The Qt Company (including its global affiliates and employees) in providing the Insight Service under the Agreement. This DPA is effective as of the effective date of the Appendix for Qt Insight, unless this DPA is separately executed in which case it is effective as of the last date of signature.  

2. This DPA applies to The Qt Company as a processor of Events Personal Data and to Customer as a Controller or Processor of Events Personal Data, to the extent such data is subject to Data Protection Laws.

3. DEFINITIONS. Capitalized terms not defined in this DPA are as defined in the Agreement or Appendix for Qt Insight. 

3.1. “Events Personal Data” means any Personal Data in Events Data (as defined in the Appendix for Qt Insight); 

3.2. “Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.

3.3. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; 

3.4.  “EEA” means the European Economic Area; 

3.5.  “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; 

3.6.  “GDPR” means EU General Data Protection Regulation 2016/679; 

3.7. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Events Personal Data being processed by The Qt Company.  

3.8. “Subprocessor” means any natural or legal person, which processes Events Personal Data on behalf of The Qt Company in the provision of the Insight Service. 

3.9. “Subprocessor List” means the list of The Qt Company’s Subprocessors for Insight Services, to be updated from time to time.

3.10. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. 

4. PROCESSING OF EVENTS PERSONAL DATA

4.1. Instructions. “Customer Instructions” means: (i) processing to provide the Insight Service and perform The Qt Company’s obligations in the Appendix for Qt Insight (including this DPA) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Appendix for Qt Insight. Schedule 1 (Subject Matter and Details of Processing) sets forth details regarding the processing of Events Personal Data by The Qt Company.

4.2. Notification Regarding Instructions. The Qt Company will notify Customer if it receives an instruction that The Qt Company reasonably believes infringes Data Protection Laws (but The Qt Company has no obligation to actively monitor Customer’s compliance with Data Protection Laws). 

5.  COMPLIANCE WITH LAWS

5.1. The Qt Company and Customer will each comply with Data Protection Laws in their respective processing of Events Personal Data. 

5.2. Customer will comply with Data Protection Laws in its issuing of instructions to The Qt Company. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable The Qt Company to lawfully Process Events Personal Data for the purposes contemplated by the Appendix for Qt Insight (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects. 

5.3. The parties will work together in good faith to negotiate an amendment to this DPA as reasonably necessary to address the requirements of Data Protection Laws from time to time. 

5.4. Customer is responsible for reviewing the information made available by The Qt Company and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. 

5.5. Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents. 

6. SECURITY.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, The Qt Company shall in relation to the Events Personal Data implement appropriate technical and organizational measures. Technical and organizational measures are set forth in Schedule 2 of this DPA.  

7. SUBPROCESSING

7.1. The Qt Company will maintain an up-to-date list of its Insight Service Subprocessors, including their functions and locations, as specified in the Subprocessor List attached to this DPA, and as updated from time to time. 

7.2. Subprocessors as of the date of entry into this DPA: 

  1. Amazon Web Services. Location: Ireland. Purpose: data hosting  
  2. Monad Ltd. Location: Finland. Purpose: maintenance and development in cloud environment 

7.3. Notice of New Subprocessors. The Qt Company may update its Subprocessors from time to time. At least thirty (30) days before any new Subprocessor processes any Events Personal Data, The Qt Company will notify Customer through email or other means and provide an updated Subprocessor list. 

7.4. Objection to New Subprocessors. If, within thirty (30) days after notice of a new Subprocessor, Customer notifies The Qt Company in writing that Customer objects to The Qt Company’s appointment of such new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith. If the parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Insight Service and The Qt Company will refund any prepaid, unused fees for the affected Insight Service. 

8. DATA SUBJECT RIGHTS

8.1. Taking into account the nature of the processing, The Qt Company shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligations to respond to requests to exercise Data Subject rights under Data Protection Laws. 

8.2. The Qt Company shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer’s Events Personal Data; and ensure that it does not respond to that request except on the written instructions of Customer or as required by applicable laws to which The Qt Company is subject, in which case The Qt Company will, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to the request.

9. PERSONAL DATA BREACH

9.1. The Qt Company shall notify Customer without undue delay upon becoming aware of a Security Incident and provide Customer with sufficient information to allow Customer to report or inform Data Subjects of the Security Incident under Data Protection Laws. 

9.2. Upon Customer’s request and taking into account the nature of the applicable processing, The Qt Company will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws. 

9.3. Customer acknowledges that The Qt Company’s notification of a Security Incident is not an acknowledgement by The Qt Company of fault or liability. 

9.4. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Events Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems. 

10. DATA PROTECTION IMPACT ASSESSMENT. Upon Customer’s request and taking into account the nature of the applicable processing and the information available, to the extent such information is available to The Qt Company, The Qt Company will assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Service, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities. 

11. DELETION OR RETURN OF COMPANY PERSONAL DATA

11.1. Following termination or expiration of the Agreement, The Qt Company will, in accordance with its obligations under the Agreement, delete all Events Personal Data from The Qt Company’s systems. 

11.2. Deletion will be in accordance with industry-standard secure deletion practices. The Qt Company will issue a confirmation of deletion upon Customer’s request. 

11.3. Notwithstanding the foregoing, The Qt Company may retain Events Personal Data: (i) as required by applicable law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, The Qt Company will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Events Personal Data and (y) not further process retained Events Personal Data except for such purpose(s) and duration specified in applicable Data Protection Laws. 

12. RECORDS AND AUDIT

12.1. Information and audit rights of Customer arise under this section to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of Data Protection Law. 

12.2. Records. The Qt Company will keep records of its processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer records reasonably necessary to demonstrate compliance with The Qt Company’s obligations under this DPA and Data Protection Laws. 

12.3. Third-Party Compliance Program. The Qt Company will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals (subject to confidentiality obligations). Customer may share a copy of Audit Reports with relevant government authorities as required upon their request. Customer agrees that, to the maximum extent permissible under applicable law, any audit rights granted by Data Protection Laws will be satisfied by Audit Reports and the procedures set forth in this section. 

12.4. Customer Audit. Subject to the terms of this section, Customer has the right, at Customer’s expense, to conduct an audit of reasonable scope and duration pursuant to a mutually agreed-upon audit plan with The Qt Company that is consistent with the audit parameters (an “Audit”). 

12.4.1. Customer may exercise its Audit right: (i) to the extent The Qt Company’s provision of an Audit Report, or responses to Customer security questionnaires, does not provide sufficient information for Customer to verify The Qt Company’s compliance with this DPA or the parties’ compliance with Data Protection Laws, (ii) as necessary for Customer to respond to a government authority audit or (iii) in connection with a Security Incident. 

12.4.2. Each Audit must conform to the following parameters (“Audit Parameters”): (i) be conducted subject to a confidentiality agreement with The Qt Company, (ii) be limited in scope to matters reasonably required for Customer to assess The Qt Company’s compliance with this DPA and the parties’ compliance with Data Protection Laws, (iii) occur at a mutually agreed date and time and only during The Qt Company’s regular business hours, (iv) occur no more than once annually (unless required under Data Protection Laws or in connection with a Security Incident), (v) cover only facilities controlled by The Qt Company, (vi) restrict findings to Customer Events Personal Data only and (vii) treat any results as confidential information to the fullest extent permitted by Data Protection Laws.

13. TRANSFERS OF PERSONAL DATA; STANDARD CONTRACTUAL CLAUSES. A. The Standard Contractual Clauses will only apply to Events Personal Data subject to the GDPR that is transferred, either directly or via onward transfer, to any third country not covered by a suitable framework or other legally adequate transfer mechanism recognized by the European Commission as providing an adequate level of protection for Personal Data, (each a “Transfer”). In such a situation where Customer is acting as a controller, the Controller-to-Processor Clauses will apply to a Transfer. “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en. This DPA incorporates the Standard Contractual Clauses by reference. 

14. GENERAL TERMS

14.1. Confidentiality. The Qt Company will ensure personnel who process Events Personal Data enter into written confidentiality agreements obliging them to maintain confidentiality or are subject to statutory obligations of confidentiality.

14.2. Termination of DPA. This DPA terminates upon expiration or termination of the Appendix (or, if later, the date on which The Qt Company has ceased all processing of Events Personal Data).

14.3. Conflict. Except as amended by this DPA, the Appendix and Agreement will remain in full force and effect.

14.4. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any applicable Standard Contractual Clauses, (2) this DPA and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.

14.5. Governing Law. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

 

SCHEDULE 1: Subject Matter and Details of Processing 

  • Subject matter. The subject matter of the data processing under this DPA is Events Personal Data.  
  • Duration. As between The Qt Company and Customer, the duration of the data processing under this DPA is determined by Customer. 
  • Purpose. The purpose of the data processing under this DPA is the provision of the Insight Services initiated by Customer from time to time.  
  • Nature of the processing. Compute, storage, visualization of Events Data 
  • Type of Personal Data. Personal Data (e.g., IP addresses) captured via interaction with the Insight Service.  
  • Categories of data subjects. Customer’s End Users as defined in the Appendix.

 

SCHEDULE 2: Technical and Organizational Measures 

The Qt Company has implemented and will maintain the following technical and organizational measures: 

Information Security: The Qt Company will maintain an information security program designed to (a) secure personal data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of Qt systems, and (c) minimize physical and logical security risks to Qt systems, including through regular risk assessment and testing. The Qt Company will designate one or more employees to coordinate and be accountable for the information security program. 

Access Controls: 

  • All employees, contractors, and partners will have access to The Qt Company’s systems and data on a need-to-know basis only.
  • Access to confidential information and data will be restricted based on role-based access controls. 
  • All employees, contractors, and partners will be required to use strong passwords. 
  • Processes for revoking access to systems and data when employees, contractors, or partners leave the company or no longer require access. 

Data Protection: 

  • All sensitive data will be encrypted when stored or transmitted. 
  • The Qt Company will implement data loss prevention (DLP) controls to prevent the unauthorized disclosure of confidential data.
  • The Qt Company will maintain backup and recovery procedures to ensure the availability of critical systems and data.

Incident Management:

  • The Qt Company will implement an incident response plan (IRP) to identify, contain, remediate, and report security incidents. 
  • The IRP will be regularly reviewed and tested to ensure its effectiveness. 
  • Procedures will be put into place to correct and prevent any deviations and incidents. 
  • All employees, contractors, and partners will be required to report any suspected security incidents. 
  • The Qt Company will implement and maintain a Business Continuity Policy (BCP) designed to ensure the continuity of essential business functions and minimize the impact of potential disruptions. 

Employees: 

  • The Qt Company will implement and maintain employee security training programs regarding Qt information security requirements. The security awareness training programs will be reviewed and updated at least annually. 

Continuous Improvement:

  • Policies and procedures documents will be reviewed at least yearly and after any internal testing. The Qt Company will update or alter its information security program as necessary to respond to new security risks and to take advantage of new technologies.  
  • The Qt Company will perform regular external vulnerability assessments, and will investigate identified issues and track them to resolution in a timely manner.  
  • Before publicly launching new Services or significant new features of Services, The Qt Company will perform application security reviews designed to identify, mitigate and remediate security risks.