Data Processing Agreement
Version 1.0.0—Last updated: 2026-02-16
Published
1. Scope and Purpose
This Data Processing Agreement ("DPA") supplements the Qpher Terms of Service and governs the processing of personal data by Qpher, Inc. ("Processor") on behalf of the Customer ("Controller") when the Customer uses the Qpher PQC Security Cloud platform. This DPA is entered into pursuant to GDPR Article 28 and applies to all personal data processed by Qpher in its capacity as a data processor. The purpose of processing is to provide post-quantum cryptographic services as described in the Terms of Service, including key encapsulation, digital signatures, and key management.
2. Roles and Responsibilities
**Controller (Customer)**: Determines the purposes and means of processing personal data submitted to the Qpher platform. The Controller is responsible for ensuring a lawful basis for processing and for responding to data subject requests related to their own end users.
**Processor (Qpher)**: Processes personal data only on documented instructions from the Controller (i.e., API calls made by the Controller). Qpher processes the following categories of data as Processor: (a) customer-encrypted data (ciphertext), (b) PQC cryptographic key pairs managed by the KMS, and (c) customer plaintext submitted for encryption (transient, never stored). Qpher processes the following data as Controller: account data, billing data, and usage logs. The Controller acknowledges that Qpher does not store or have ongoing access to plaintext submitted for encryption.
3. Sub-Processors
The Controller authorizes Qpher to engage the following sub-processors:
- **Stripe, Inc.** (USA, EU-US DPF certified): Payment processing. Data: customer name, email, billing address, tokenized payment card.
- **Resend, Inc.** (USA): Transactional email delivery. Data: recipient email address, email content.
- **Upstash, Inc.** (regional, configurable): Rate limiting. Data: hashed IP address, tenant ID.
- **Cloud Provider (AWS/GCP)** (configurable region): Infrastructure hosting. Data: all platform data, encrypted at rest and in transit.
- **Plausible Analytics** (EU, Germany): Website analytics. Data: page views, referrer, country (no PII, no cookies).
- **BetterStack** (EU): Uptime monitoring. Data: endpoint URLs, response times (no customer data).
Qpher will provide 30 days' advance written notice before engaging a new sub-processor. Enterprise customers may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Customer may terminate the affected services without penalty. All sub-processors are bound by data processing agreements with obligations no less protective than this DPA.
4. Security Measures (GDPR Art. 32)
Qpher implements the following technical and organizational measures to ensure a level of security appropriate to the risk:
**Technical Measures**: (a) Encryption in transit via TLS 1.2+ (TLS 1.3 preferred) for all external and internal communications, (b) encryption at rest using AES-256-GCM for PQC private keys with a Key Encryption Key (KEK) managed through a multi-provider strategy, (c) HMAC-SHA256 hashing of API keys with timing-safe comparison, (d) bcrypt password hashing with cost factor >= 12, (e) application-level tenant isolation with four-layer enforcement (repository, database constraints, context propagation, gateway injection), (f) non-exportable private keys confined to the KMS secure enclave.
**Organizational Measures**: (a) Zero trust policy engine with fail-closed default evaluating every API request, (b) 180-day audit log retention with tamper-evident logging, (c) annual penetration testing by an independent third-party firm, (d) documented incident response process with severity-based response times, (e) quarterly disaster recovery rehearsals, (f) code review requirements for all changes to security-critical components.
5. Data Breach Notification (GDPR Art. 33)
Qpher will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA. The notification will include: (a) the nature of the breach, including the categories and approximate number of data subjects and records affected, (b) the name and contact details of Qpher's point of contact, (c) a description of the likely consequences of the breach, and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate potential adverse effects. Qpher will cooperate with the Controller's investigation and will provide additional information as it becomes available. Qpher will document the breach including its effects and remedial actions taken.
6. Data Subject Rights
Qpher will assist the Controller in fulfilling data subject requests under GDPR Articles 15-22, taking into account the nature of the processing. Specifically: (a) for access requests (Art. 15), Qpher provides data export functionality in the portal, (b) for rectification requests (Art. 16), Qpher provides profile editing in the portal, (c) for erasure requests (Art. 17), Qpher processes account deletion within 30 days including secure deletion of private key material, (d) for restriction requests (Art. 18), Qpher supports account suspension, (e) for portability requests (Art. 20), Qpher provides public key and encrypted data export. Qpher will respond to Controller instructions regarding data subject requests within 10 business days. Where a data subject contacts Qpher directly, Qpher will promptly redirect the request to the Controller.
7. Data Retention and Deletion
Upon termination of the Service or upon the Controller's written request, Qpher will delete all personal data processed under this DPA within 30 days, except where retention is required by applicable law (e.g., 7-year invoice retention for tax compliance). Deletion includes: (a) permanent removal of tenant metadata, API key hashes, user personal data, and PQC public keys from the database, (b) secure deletion of PQC private key files (overwriting encrypted key files with random data before filesystem deletion), and (c) anonymization of Prometheus metrics by removing tenant_id labels. Audit logs containing tenant data are deleted after their 180-day retention period expires. Qpher will certify deletion in writing upon the Controller's request.
8. International Data Transfers
Qpher is based in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the United States or other third countries, Qpher ensures adequate safeguards through: (a) the EU-US Data Privacy Framework (DPF) for sub-processors with DPF certification (currently Stripe, Inc.), (b) Standard Contractual Clauses (SCCs) as approved by the European Commission Decision 2021/914 for all other transfers, and (c) supplementary technical measures including encryption in transit (TLS 1.2+), encryption at rest (AES-256-GCM), and application-level tenant isolation. Enterprise customers may request additional transfer safeguards, including data residency in specific regions, as part of their custom agreement. Qpher will conduct Transfer Impact Assessments (TIAs) upon Controller request.
9. Audits and Inspections (GDPR Art. 28(3)(h))
Qpher shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR. Qpher shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
For Pro and Enterprise plan customers, Qpher will participate in up to one (1) audit per calendar year, with at least 30 days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Qpher's operations. The Controller shall bear the costs of any audit.
Where Qpher has obtained SOC 2 Type II certification, provision of the SOC 2 report (under NDA) shall be deemed to satisfy the audit requirement unless the Controller has specific, documented concerns not addressed by the SOC 2 report.
Qpher will also provide a summary of penetration test results upon written request under NDA.
10. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service between the Controller and Qpher. Upon termination of the Terms of Service, Qpher shall, at the Controller's election, delete or return all personal data processed under this DPA within 30 days, except where retention is required by applicable law. Qpher shall certify deletion in writing upon the Controller's request.
Sections relating to data deletion, breach notification, and audit rights shall survive termination of this DPA.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to conflict of law principles. For Controllers established in the EEA, this DPA incorporates the Standard Contractual Clauses (SCCs) as approved by European Commission Implementing Decision (EU) 2021/914. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail with respect to the transfer of personal data from the EEA.
Qpher, Inc.
Registered in the State of Delaware, United States.
Effective Date: February 16, 2026