Global DPA - Quadient Processor to Subprocessor
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Agreement between Quadient (acting as a Processor) and the Supplier (acting as a Subprocessor) for the provision of services described below (the "Agreement").
WHEREAS
I. Quadient acts as a Processor on behalf of its Customer, who is the Controller;
II. Quadient wishes to appoint the Supplier as its Subprocessor to support the Service as defined in the Agreement;
III. The parties desire to set forth their respective obligations for compliance with applicable Data Protection Laws in connection with such Processing.
1. Definitions.
1.1. "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party. "Control" means direct or indirect ownership or control of 50% or more of the voting interests of the subject entity or the ability to direct or control the management decisions of such entity.
1.2 "Agreement" means the master agreement, order form, statement of work or other written instrument between Quadient and the Supplier governing the Service.
1.3 "AI-enabled Processing" (when applicable) means Processing activities performed by Supplier in connection with the Services that involve an Artificial Intelligence System, including machine learning, automated decision-making, or generative AI.
1.4 "Artificial Intelligence System" (when applicable), means a machine-based system designed to operate with varying levels of autonomy that may generate outputs such as predictions, recommendations, classifications, or content that can influence physical or virtual environments, as defined under applicable artificial intelligence laws and regulations, including the EU Artificial Intelligence Act where relevant.
1.5 "Controller" means the person or entity which determines the purposes and means of the Processing of Personal Data.
1.6 "Customer" means Quadient’s customer who is the Controller of the Personal Data that Quadient processes under the Agreement with such customer.
1.7. "Data Incident" means the actual or reasonably suspected theft, destruction, alteration, damage, loss, use, disclosure, Processing, or access to Personal Data that is unlawful, unauthorized, made by a person not authorized to do so, that contravenes policies or procedures, or that violates this DPA or gives rise to a reporting obligation under Data Protection Laws.
1.8. “Data Protection Laws” means the GDPR, UK GDPR, the Swiss Data Protection Act (nFADP) of Sept 1st 2023, and the United States’ state and federal laws regarding data privacy, including the California Consumer Privacy Act and its implementing regulations (the “CCPA”), in each case, as amended from time to time and only to the extent applicable to Supplier’s Processing of Customer Personal Data under the Agreement.
1.9. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.10. "Data Subject Request" means a request, notice, or complaint from, or on behalf of, a Data Subject under Data Protection Laws.
1.11. "EEA" means the European Economic Area.
1.12. "Effective Date" means the date of last signature as indicated on this Agreement.
1.13. "EU" means the European Union.
1.14. "Personal Data" means any information relating to an identified or identifiable natural person that the Supplier processes on behalf of Quadient (for the Customer) in providing the Services.
1.15. "Processor" means the person or entity that Processes Personal Data on behalf of the Controller.
1.16. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, retention, organization, structuring, storage, adaptation, alteration, retrieval, consultation, transfer, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure or destruction.
1.17. "SCCs" means the Standard Contractual Clauses adopted by the European Commission for the transfer of personal data to third countries, including Module Three (Processor to Subprocessor), as may be amended or replaced from time to time.
1.18. "Subprocessor" means any person or entity engaged by Quadient (Processor) to Process Personal Data on its behalf.
1.19. “Subsequent Subprocessor” means any Subprocessor engaged by Service Provider as listed in Annex I.B 9.
1.20. "Supervisory Authority" means an independent public authority established pursuant to the GDPR or other Data Protection Laws.
1.21. "UK GDPR" means the UK Data Protection Act 2018 and the UK General Data Protection Regulation.
1.22. "UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner under s119A(1) of the Data Protection Act 2018, as amended from time to time.
2. Relationship of the Parties.
The parties acknowledge and agree that the Customer is the Controller, Quadient is the Processor acting on behalf of the Customer, and the Supplier is engaged by Quadient as a Subprocessor with respect to Personal Data. As between the parties, Quadient has the sole right to issue instructions to the Supplier with regard to the Processing of Personal Data, which reflect the documented instructions of the Customer. Quadient enters into this DPA on its own behalf and on behalf of its relevant Affiliates acting as Processor for the Customer.
3. Obligations of the Parties.
3.1 Compliance with Laws. Each party shall comply with applicable Data Protection Laws. Quadient discloses Personal Data to the Supplier solely for a valid business purpose and to perform the Services.
3.2 Processing Activities. Quadient determines and instructs the Supplier as to the scope, purposes, and manner by which Personal Data is to be Processed. The Supplier shall promptly notify Quadient if, in its opinion, an instruction infringes Data Protection Laws. The Supplier shall Process Personal Data only as set forth in this DPA and any specific, written instructions provided by an authorized representative of Quadient and shall not Process Personal Data in a manner that would cause Quadient to breach its obligations under Data Protection Laws. The Supplier is prohibited from: (i) selling or sharing Personal Data; (ii) retaining, using, Processing, or disclosing Personal Data for any purpose other than performing the Services or as authorized by Quadient; (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between Quadient and the Supplier; and (iv) combining Personal Data with other data except as expressly permitted by Quadient in writing.
3.3. Before using any AI System in the Services, and before any material modification to such use, Supplier should assess whether the relevant AI functionality may fall within a prohibited use, a high-risk category, or another regulated category under applicable AI law, and should notify Quadient where such classification could reasonably affect Quadient's legal obligations, procurement decision, or risk assessment. Where AI outputs are used in decision-support within the Services, Supplier should design the workflow so that appropriately trained personnel can review, question, suspend, or override AI supported outputs where necessary.
3.4. Restrictions on model training. Unless expressly authorised in writing by Quadient and permitted under applicable law, Supplier should not use Personal Data processed under this DPA to train, fine-tune, test, benchmark or otherwise improve any Artificial Intelligence System including for the benefit of other customers or for general model improvement.
3.5. Non-Compliance Notice. The Supplier shall, without undue delay and in any event within 24 hours of discovery, notify Quadient: (a) upon becoming aware of any violation of Data Protection Laws with respect to Personal Data; (b) if Personal Data has been Processed in a manner inconsistent with this DPA, Quadient’s instructions, or Data Protection Laws; or (c) if it cannot comply, or has not complied, with any portion of this DPA or Data Protection Laws. In such cases, the Supplier will take all steps required by Quadient to remedy any noncompliance or cease further Processing, and Quadient may restrict access to Personal Data or terminate this DPA and the Agreement without penalty.
3.6 Data Subjects’ Rights. If the Supplier receives any Data Subject Request, it shall notify Quadient within 48 hours and promptly redirect the request to Quadient (unless responding is part of the Services). The Supplier will not respond to such requests without Quadient’s prior authorization, unless legally required to do so. The Supplier shall cooperate with Quadient in responding to Data Subject Requests, including deletion and access requests and shall cause its Subprocessors to do the same.
3.7 AI Disclosure (where applicable). Supplier shall disclose to Quadient prior to deployment and upon material change, whether the Services involve AI-enabled Processing, including automated decision-making, profiling, or generative AI, or other AI relevant functionality relevant to Quadient's compliance obligations and shall provide a general description of such use.
3.8 Subsequent Subprocessing. The Supplier shall not further subcontract any Processing of Personal Data to any third party without Quadient’s prior written authorization, and where required, the Customer’s authorization. The Supplier shall provide at least 30 days’ prior written notice of any proposed changes to its Subsequent Subprocessor. Quadient (and, where applicable, the Customer) may object to any appointment or replacement of a Subsequent Subprocessor. In such event, the parties shall in good faith discuss commercially reasonable alternatives; if none is agreed, Quadient may terminate the affected Services without penalty. The Supplier shall impose on each authorized Subsequent Subprocessor data protection obligations no less onerous than those set forth in this DPA and applicable Data Protection Laws, and shall remain fully liable for the acts and omissions of such Subsequent Subprocessor.
3.9. Assistance. At no additional cost, the Supplier shall provide reasonable assistance to Quadient in relation to Processing in order to allow Quadient to comply with its obligations under Data Protection Laws, including Articles 32 to 36 of the GDPR, and to respond to Supervisory Authority inquiries. If the Supplier receives any correspondence or request from a Supervisory Authority relating to the Personal Data, it shall promptly notify Quadient unless legally prohibited.
3.10 AI regulatory support (where applicable). Where relevant to the Services, Supplier should maintain and provide upon reasonable request, documentation reasonably necessary to support Quadient's compliance with applicable AI regulations including descriptions of AI functionality, intended purpose, known limitations, governance controls, logging and monitoring practices, human oversight measures, material subcontracting, and AI-related incident reporting processes.
3.11 Personnel. The Supplier shall ensure that personnel engaged in Processing are informed of the confidential nature of Personal Data, have received appropriate training, are subject to written confidentiality obligations, and access Personal Data only as necessary to perform the Services.
3.12 Government and Legal Requests. The Supplier has implemented measures to regulate disclosure of Personal Data to government entities. Unless prohibited by law, the Supplier shall notify Quadient within 48 hours of any legal request for disclosure of Personal Data, cooperate at no cost if Quadient elects to contest such disclosure, and limit disclosure to the minimum amount necessary to comply with the request.
4. Data Security
The Supplier shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, no less than those set out in Annex II, and shall enhance such measures during the term to align with then-current industry standards.
5. Data Incidents.
The Supplier shall notify Quadient of a Data Incident without undue delay and in any event within 24 hours of discovery. Such notice shall include the cause, affected data and Data Subject categories, remedial steps taken, and information required for Quadient to meet its legal obligations. The Supplier shall promptly contain, investigate, and remediate the Data Incident and cooperate with Quadient in notifications to Supervisory Authorities and Data Subjects. The Supplier shall not make any statement or notification regarding a Data Incident without Quadient’s prior written approval. The occurrence of a Data Incident constitutes a material breach of this DPA.
6. Data Transfer.
To the extent Personal Data originating from the EEA, Switzerland, or the UK is accessed, processed, transferred to or by the Supplier or any other country that does not ensure an adequate level of protection, the parties agree to implement a valid transfer mechanism as required by Data Protection Laws, including the SCCs (Module Three: Processor to Subprocessor) and, where applicable, the UK Addendum. If alternative transfer mechanisms become available and legally sufficient, the parties may agree to rely on them. Where more than one transfer mechanism applies, the SCCs shall take precedence to the extent required by law. The applicable Standard Contractual Clauses and the UK Addendum are available at the following link: Standard Contractual Clauses | Quadient.
7. Term and Termination.
This DPA becomes effective on the Effective Date and continues until the earlier of (i) termination or expiry of the Agreement; or (ii) termination pursuant to this section. Quadient may terminate this DPA and the Agreement immediately if the Supplier materially breaches this DPA.
8. Data Return and Destruction.
Upon termination of the Services or upon Quadient’s written instruction at any time, the Supplier shall promptly return to Quadient all Personal Data and permanently delete all copies in its possession or control and cause its Subprocessors to do the same, unless retention is required by applicable law. Upon request, the Supplier shall provide written certification of such return and deletion. If returning data, the Supplier shall deliver a copy of all Personal Data in a commonly used, machine-readable, structured format at no additional charge.
9. Audit.
The Supplier shall make available to Quadient all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws and shall allow for and contribute to audits, including inspections, by Quadient, the Customer, or an independent auditor mandated by Quadient, at no additional charge, no more than annually unless required by law or following a Data Incident. The Supplier shall cooperate with any audit by a Supervisory Authority and bear its own costs associated with such audit.
10. Indemnification.
The Supplier shall indemnify, defend, and hold harmless Quadient, its Affiliates, and their respective directors, officers, employees, and agents from and against all claims, damages, penalties, fines, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to: (i) the Supplier’s breach of this DPA; (ii) any Data Incident; or (iii) acts or omissions of its Subprocessors. No limitation of liability in the Agreement shall apply to the Supplier’s obligations under this section to the extent prohibited by applicable law.
11. General Terms
11.1 Interpretation. In the event of a conflict between the Agreement and this DPA, this DPA shall prevail with respect to the Processing of Personal Data. If and to the extent the SCCs conflict with any provision of this DPA, the SCCs shall control to the extent of the conflict.
11.2 Affiliates. By executing this DPA, Quadient enters into it on behalf of itself and, as applicable, on behalf of its Affiliate(s) acting as Processor for the Customer. Quadient may exercise any rights or remedies under this DPA on behalf of such Affiliates.
11.3 Choice of Law / Venue. This DPA shall be construed and enforced in accordance with the laws of the Main Agreement, without regard to conflicts of laws principles, and the parties submit to the exclusive jurisdiction of the tribunal as set in the Agreement.
11.4 Amendments. This DPA may be modified only by a written instrument signed by authorized representatives of both parties; provided that this DPA shall automatically be amended to the extent necessary to comply with mandatory requirements of Data Protection Laws as they become effective.
11.5 Waiver. No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right. A waiver with respect to one event shall not be construed as a waiver of any subsequent event.
11.6 Third-Party Beneficiaries. Except as required by applicable Data Protection Laws or the SCCs (under which the Customer may have third-party beneficiary rights), this DPA does not confer any third-party beneficiary rights.
11.7 Notices. All notices under this DPA shall be provided in accordance with the notice provisions of the Agreement.
11.8 Entire Agreement. This DPA is the final, complete, and exclusive statement of the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous communications relating thereto.
11.9 Severability. If any provision of this DPA is held invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.
11.10 Counterparts. This DPA may be executed in counterparts, including by electronic signature and delivery, each of which shall be deemed an original and together constitute one and the same instrument.
IN WITNESS WHEREOF
The parties have caused this DPA to be executed by their duly authorized representatives as of the Effective Date.
ANNEX I
A. LIST OF PARTIES
Data Exporter:
Service Provider: as defined in the Services Agreement
Service Provider’s address and contact information as designated in the Agreement
Privacy officer email contact: as defined in the Services Agreement
Activities: Service Provider, provider of the Services
Data Importer:
Quadient and address: as defined in the Services Agreement
Privacy Officer: Privacyteam@quadient.com
Activities: Quadient, recipient of the Services
B. DESCRIPTION OF TRANSFER
CATEGORIES OF DATA SUBJECTS. The personal data transferred concern the following categories of data subjects unless otherwise modified in the Agreement:
a) leads, prospects, suppliers, and customers and their respective employees, agents, and end users;
b) Quadient employees, agents, and end users as well as Quadient’s contractors.
CATEGORIES OF PERSONAL DATA PROCESSED. The personal data transferred concern the following categories of data unless otherwise modified in the Agreement:
First and last name, contact information (email, phone, physical address), and financial data (bank account numbers).
SENSITIVE DATA (if appropriate). The personal data transferred concern the following categories of sensitive data:
None.
FREQUENCY. The transfer of personal data will occur with the following frequency:
Periodically during the term of the Agreement until Supplier completes the Services for Quadient.
NATURE. The nature of the personal data transfer is as follows:
Supplier will process Quadient Personal Data for the purposes of providing the Services and as set forth in the Agreement or DPA.
PURPOSES OF THE TRANSFER(S). The transfer is made for the following purposes: The transfer is intended to enable the relationship and performance of the Agreement between the parties.
ADDITIONAL USEFUL INFORMATION (storage limits and other relevant information). Any personal data transferred between the parties may only be retained for the period of time permitted under the Agreement between the parties.
FOR TRANSFERS TO (SUB) PROCESSORS. Any personal data transferred between the parties may only be retained for the period of time permitted under the Agreement between the parties.
Please check Agreement.
LIST OF SUBSEQUENT SUBPROCESSORS.
Please check Agreement.
C. COMPETENT SUPERVISORY AUTHORITY.
France’s Commission Nationale de l’Informatique et des Libertés.
ANNEX II:
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk. As used below, "Data" will have the same meaning as "Personal Data" in the DPA.
Organization of Information Security
- Security Responsibility. Each Party shall appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.
- Security Roles and Responsibilities. Each Party’s personnel with access to Data shall be subject to confidentiality obligations.
- Risk Management Program. Each Party shall perform a risk assessment before processing the Data or launching the corresponding service. Each Party shall retain its security documents pursuant to its retention requirements after they are no longer in effect.

Asset Management
- Asset Inventory. Each Party shall maintain an inventory of all assets on which Data is stored. Access to the inventories of such assets shall be restricted to personnel authorized in writing to have such access.
- Asset Handling.
  - Each Party shall classify Data to help identify it and to allow for access to it to be appropriately restricted.
  - Each Party shall impose restrictions on printing Data and shall have procedures for disposing of printed materials that contain Data.
  - Each Party’s personnel shall obtain internal authorization prior to storing Data on portable devices, remotely accessing Data, or processing Data outside its facilities.

Human Resources Security
- Security Training. Each Party shall inform its personnel about relevant security procedures and their respective roles. Each Party shall also inform its personnel of possible consequences of breaching the security rules and procedures.

Physical and Environmental Security
- Physical Access to Facilities. Each Party shall limit access to facilities where information systems that process Data are located to identified authorized individuals.
- Protection from Disruptions. Each Party shall use a variety of industry standard systems to protect against loss of Data due to power supply failure or line interference.
- Component Disposal. Data Processor shall use industry standard processes to delete Data when it is no longer needed.

Communications and Operations Management
- Operational Policy. Each Party shall maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Data.
- Data Recovery Procedures.
  - On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), each Party shall maintain multiple backups of Data from which such data can be recovered.
  - Each Party shall store backups of Data and data recovery procedures in a different place from where the primary computer equipment processing the Data is located.
  - Each Party shall have specific procedures in place governing access to backups of Data.
  - Each Party shall log data restoration efforts, including the person responsible, the description of the restored Data and, where applicable, which Data (if any) had to be input manually in the data recovery process.
- Malicious Software. Each Party shall have anti-malware controls to help avoid malicious software gaining unauthorized access to Data, including malicious software originating from public networks.
- Data Beyond the Limits of the Information System.
  - Each Party shall encrypt Data that is transmitted over public networks.
  - Each Party shall restrict access to Data stored on media leaving its facilities.
- Event Logging. Each Party shall log access to and use of information systems containing Data, registering the access ID, time, authorization granted or denied, and relevant activity.
- AI Security Measures (where applicable). Where AI-enabled Processing is used, Supplier should implement measures to reduce AI-specific risks (e.g., access controls for model endpoints, protection against prompt injection and data leakage, monitoring for abnormal usage patterns, and procedures to suspend or isolate AI functionality when a security incident is suspected).

Access Control
- Access Policy. Each Party shall maintain a record of security privileges of individuals having access to Data.
- Access Authorization.
  - Each Party shall maintain and update a record of personnel authorized to access its systems that contain Data.
  - Each Party shall deactivate authentication credentials that have not been used for a period of time not to exceed six months.
  - Each Party shall identify those personnel who may grant, alter or cancel authorized access to Data and resources.
  - Each Party shall ensure that individuals have separate identifiers/log-ins.
- Need to Know.
  - Technical support personnel are only permitted to have access to Data when needed.
  - Each Party shall restrict access to Data to only those individuals who require such access to perform their job function.
- Integrity and Confidentiality.
  - Each Party shall instruct its personnel to disable administrative sessions when leaving premises under its control or when computers are otherwise left unattended.
  - Each Party shall store passwords in a way that makes them unintelligible while they are in force.
- Authentication.
  - Each Party shall use industry standard practices to identify and authenticate users who attempt to access information systems.
  - Where authentication mechanisms are based on passwords, each Party shall require that the passwords are renewed regularly.
  - Where authentication mechanisms are based on passwords, each Party shall require the password to be at least eight characters long.
  - Each Party shall ensure that de-activated or expired identifiers are not granted to other individuals.
  - Each Party shall monitor repeated attempts to gain access to the information system using an invalid password.
  - Each Party shall maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
  - Each Party shall use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
- Network Security. Each Party shall have controls to avoid individuals assuming access rights they have not been assigned to gain access to Data they are not authorized to access.

Information Security Incident Management
- Incident Response Process.
  - Each Party shall maintain a record of security breaches with a description of the breach, the time period, the consequences of the breach, the source of the reporting, and the main mitigation and recovery actions.
  - For each breach that is a Security Incident, notification by Data Processor to Data Controller shall be made without undue delay.
- Service Monitoring. Each Party’s operations personnel shall verify logs on a regular basis to propose remediation efforts if necessary.

Business Continuity Management
- Data Processor shall maintain emergency and contingency plans for the facilities in which its information systems that process Data are located.
- Data Processor’s redundant storage and its procedures for recovering data shall be designed to attempt to reconstruct Data in its original or last-replicated state from before the time it was lost or destroyed.