Global Vendor DPA Quadient as Controller

This Data Processing Addendum (“DPA”) forms part of the Agreement.

WHEREAS 

I. Supplier may Process Personal Data in connection with the Agreement; 

II. Quadient and Supplier have determined Quadient to be a Controller and Supplier to be a Processor under Data Protection Laws with respect to Personal Data; and 

III. Quadient and Supplier desire to set forth their respective obligations for compliance under Data Protection Laws;  

NOW, THEREFORE, in consideration of the mutual obligations set out herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows: 

1. Definitions. 

1.1.  “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with Quadient. “Control,” for purposes of this definition, means direct or indirect ownership or control of 50% or more of the voting interests of the subject entity or the ability to direct or control the management decisions of such entity. 

1.2. “Agreement” means either the Quadient (i) Framework Agreement for Supply of Goods and Services, (ii) the Professional Services Consultancy Agreement or (iii) General Terms and Conditions for Purchase of Goods and Services agreed between the Supplier and Quadient. 

1.3. "AI-enabled Processing" means Processing activities performed by Supplier in connection with the Services that involve an Artificial Intelligence System, including machine learning, automated decision-making, or generative AI. 

1.4. "Artificial Intelligence System" means a machine-based system designed to operate with varying levels of autonomy that may generate outputs such as predictions, recommendations, classifications, or content that can influence physical or virtual environments, as defined under applicable artificial intelligence laws and regulations, including the EU Artificial Intelligence Act where relevant. 

1.5. “Controller” means (i) the person or entity which determines the purposes and means of the Processing of Personal Data, and (ii) a person or entity defined as a “Controller”, “Business” or similar terms under Data Protection Laws. 

1.6. “Data Incident” means the actual or reasonably suspected theft, destruction, alteration, damage, loss, use, disclosure, Processing, or access to Personal Data that is unlawful, unauthorized, made by a person not authorized by Supplier to do so, that contravenes Supplier’s policies or procedures, or that violates this DPA or gives rise to a reporting obligation under Data Protection Laws.

1.7. “Data Protection Laws” means the GDPR, UK GDPR, the Swiss Data Protection Act (nFADP) of Sept 1st 2023, and the United States’ state and federal laws regarding data privacy, including the California Consumer Privacy Act and its implementing regulations (the “CCPA”), in each case, as amended from time to time and only to the extent applicable to Supplier’s Processing of Customer Personal Data under the Agreement. 

1.8. “Data Subject” means (i) an identified or identifiable person to whom Personal Data relates, and (ii) any individual defined as “Data Subject”, “Consumer”, or other similar terms under Data Protection Laws. 

1.9. “Data Subject Request” means an actual or purported request, notice, or complaint from, or on behalf of, a Data Subject under Data Protection Laws. 

1.10. “EEA” means the European Economic Area. 

1.11. “Effective Date” means the date of last signature as indicated on the signature page of this DPA or, if earlier, the first date upon which Supplier Processes Personal Data. 

1.12. “EU” means the European Union. 

1.13. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 

1.14. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, as defined by Decision (EU) 2023/1795 of the European Commission, and the Swiss-U.S. Data Privacy Framework as defined by the Federal Act on Data Protection (FADP), SR 235.1 and the Decision of the Swiss Federal Council dated 14 August 2024.

1.15. “Personal Data” means (i) any information relating to an identified or identifiable natural person, and (ii) any information defined as “Personally Identifiable Information,” “Personal information,” “Personal Data”, “Sensitive Personal Information”, or similar terms under Data Protection Laws, in each case that Supplier Processes on behalf of Quadient in providing the Services or otherwise. 

1.16. “Processor” means (i) the person or entity that Processes Personal Data on behalf of the Controller, and (ii) any entity defined as “Processor”, “Supplier”, “Contractor” or similar terms under Data Protection Laws. 

1.17. “Processing” (including its root word and derivatives thereof) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, retention, organization, structuring, storage, adaptation, alteration, retrieval, consultation, transfer, use, disclosure, transmission, dissemination, otherwise making available, alignment, combination, restriction, erasure, disposal, or destruction. 

1.18. “Quadient” means the Customer as defined in the Agreement. 

1.19. “SCCs” means the standard contractual clauses referenced in Section 6 of the DPA. 

1.20. “Subprocessor” means any person or entity Processing Personal Data on behalf of Supplier. 

1.21. “Supervisory Authority” means a regulatory authority or governmental agency, including an independent public authority established pursuant to the GDPR. 

1.22. “UK GDPR” means the Data Protection Act 2018, as amended by regulations under the European Union (Withdrawal) Act 2018, and the UK General Data Protection Regulation. 

1.23. “UK Addendum” means the Standard Data Protection Clauses to be Issued by the Commissioner under S119A(1) Data Protection Act 2018.

Capitalized terms used but not otherwise defined in this DPA shall have the meanings ascribed in Data Protection Laws. 

2. Relationship of the Parties. 

The parties acknowledge and agree that Quadient is a Controller and that Supplier is the Processor with respect to Personal Data. As between the parties, Quadient has the sole right to give Supplier instructions with regard to the Processing of Personal Data. Quadient enters into this DPA on behalf of itself and in the name and on behalf of its Affiliates if and to the extent Supplier Processes Personal Data for which such Affiliates qualify as a “controller.”

3. Obligations of the Parties. 

3.1. Compliance with Laws. Supplier shall comply with Data Protection Laws. Quadient discloses Personal Data to Supplier solely for a valid business purpose and for Supplier to perform the Services. 

3.2. Processing Activities. Quadient shall determine and instruct Supplier as to the scope, purposes, and manner by which Personal Data is to be Processed by Supplier and, from time to time, may reasonably modify those instructions by written notice to Supplier. Supplier shall notify Quadient if, in Supplier’s opinion, an instruction provided by Quadient infringes upon Data Protection Laws. The subject matter, duration, nature, and purposes of the Processing and the types of Personal Data and categories of Data Subjects contemplated by this DPA are accurately described in Annex I to this DPA, and Quadient instructs Supplier to engage in such Processing. Supplier shall only Process Personal Data as set forth herein and in any specific, written instructions provided to Supplier by an authorized representative of Quadient. Supplier shall not Process Personal Data in a manner that will result in Quadient breaching its obligations under Data Protection Laws. Supplier is prohibited from: (i) selling (including exchanging for monetary or other valuable consideration) or sharing (as such terms are defined by the CCPA) Personal Data; (ii) retaining, using, Processing, or disclosing Personal Data for a purpose other than performing the Services or as authorized by Quadient; (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between Quadient and Supplier; and (iv) combining Personal Data with other data (including, but not limited to, personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with an individual). Supplier certifies that it understands the restrictions set forth herein and will comply with them.

3.3. Restrictions on model training. Unless expressly authorised in writing by Quadient and permitted under applicable law, Supplier should not use Personal Data processed under this DPA to train, fine-tune, or improve any Artificial Intelligence System (including for the benefit of other customers or for general model improvement). 

3.4. Supplier shall, without undue delay and, in any event, within 24 hours of discovery, notify Quadient (a) upon becoming aware of any violation or breach of Data Protection Laws with respect to Personal Data; (b) if, in its assessment, Personal Data has been Processed in a manner that is inconsistent with this DPA, the instructions provided by Quadient, or Data Protection Laws; or (c) if it cannot comply, or has not complied, with any portion of this DPA or Data Protection Laws. In such cases, Supplier will take all steps required by Quadient to remedy any noncompliance or cease further processing of Personal Data, and Quadient may restrict access to Personal Data or terminate this DPA and the Agreement without penalty. 

3.5. Data Subjects’ Rights. If Supplier receives any Data Subject Requests, Supplier will notify Quadient within 48 hours and promptly redirect the request to Quadient (unless responding to such Data Subject Request is part of the Services). Supplier will not respond to such Data Subject Requests without Quadient’s prior authorization, unless legally required to do so. Supplier shall cooperate with Quadient in responding to requests from individuals regarding Personal Data. At the direction of Quadient, Supplier shall delete, or enable Quadient to delete, and shall notify any of Supplier’s Suppliers or contractors to delete, the relevant personal information about the individual. 

3.6. AI Disclosure (where applicable). Supplier may be requested to disclose whether the Services involve AI-enabled Processing, including automated decision-making, profiling, or generative AI, and to provide a general description of such use where relevant to Quadient's compliance obligations. 

3.7. Subprocessors. 

3.7.1. Quadient hereby consents to Supplier’s subcontracting of its Processing of Personal Data under the SCCs, pursuant to the terms of this DPA, and to the use of the Subprocessors listed in Annex I.B. Supplier shall not further subcontract its duties to any other third party without the prior written authorization of Quadient, in its sole discretion. Supplier shall provide at least 30 days’ written notice of any proposed changes to its Subprocessors. Quadient may object to Supplier’s appointment or replacement of a Subprocessor and withhold its authorization in its sole discretion. In such an event, the parties shall, in good faith, discuss commercially reasonable alternative solutions, and, if a solution is not agreed upon by the parties, then Quadient may terminate this DPA and the Agreement without penalty on written notice to Supplier.

3.7.2. Supplier shall ensure that each of its Subprocessors is bound, by way of contract, to data protection obligations no less onerous than those imposed by Data Protection Laws and this DPA, as may be amended from time to time. Supplier will be responsible for any acts, errors, or omissions of its Subprocessors and will remain liable to Quadient for a breach of the terms of this DPA by a Subprocessor. 

3.7.3. In the event Supplier transfers any Personal Data to a Subprocessor located outside of the EU, EEA, Switzerland, UK, or a jurisdiction that the European Commission has determined as not having adequate Data Protection Laws, Supplier shall ensure that a legal mechanism to achieve adequacy with respect to such Processing and transfer is in place. 

3.8. Assistance. Supplier shall, at no additional cost to Quadient, provide reasonable assistance to Quadient in relation to Supplier’s Processing of Personal Data in order to allow Quadient to comply with its obligations under Data Protection Laws, including Articles 32 to 36 of GDPR, and as is necessary to enable Quadient to respond to and comply with any correspondence from a Supervisory Authority. If Supplier receives from a Supervisory Authority correspondence or a request, which relates to the Processing of Personal Data, Supplier shall, unless prohibited by Data Protection Laws, promptly notify Quadient of the request.  

AI regulatory support (where applicable). Where relevant, Supplier may be requested to provide Quadient with reasonable documentation, instructions, and information necessary to support Quadient's compliance with applicable AI regulations (including the EU Artificial Intelligence Act), such as descriptions of AI functionality, governance controls, logging/monitoring practices, human oversight measures, and incident reporting processes. 

3.9. Personnel. Supplier shall ensure that its personnel who are engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities and have executed written confidentiality agreements at least as protective as this DPA. Supplier shall ensure that access to Personal Data is limited to those of its personnel who are performing the Processing in accordance with this DPA, and shall ensure that its personnel do not breach this DPA. 

3.10. Subpoenas and Other Inquiries. Supplier has implemented measures to regulate the disclosure of Personal Data to a government entity. These measures require Supplier to consider its obligations to comply with any order or demand and any legal obligations to protect Personal Data. With regard to data of EU, UK and other jurisdictions with data transfer restrictions, Supplier shall comply with applicable Data Protection Laws and ensure that any disclosure request is handled in a manner consistent with those requirements. Unless prohibited by applicable law, Supplier shall, without undue delay and, in any event, within 48 hours of receipt, notify Quadient if Supplier (or a Subprocessor) is required by law, court order, warrant, subpoena, or other legal process to disclose any Personal Data to any person other than Quadient. Unless prohibited by applicable law, Supplier shall (a) promptly notify Quadient prior to such disclosure; (b) cooperate with Quadient at no cost to Quadient in the event Quadient elects to contest such disclosure; and (c) limit such disclosure to the extent legally permissible, including disclosing the minimum amount of Personal Data necessary to comply with such order or demand. If Supplier is not permitted to provide notification to Quadient, Supplier will seek permission to notify Quadient or ask the issuing court or government authority to seek the requested documents directly from Quadient. 

4. Data Security.

Supplier shall maintain appropriate organizational and technical measures for protection of the security, confidentiality, availability, and integrity of Personal Data (including protection against unauthorized or unlawful Processing and against unlawful or accidental destruction, alteration or damage or loss, and unauthorized disclosure of, or access to, Personal Data), to ensure a level of security appropriate to the risk and no less than that required by Annex II. Supplier shall enhance the safeguards throughout the term in order to align with then-current industry standards.  

5. Data Incidents.

5.1. Supplier shall notify Quadient of a Data Incident without undue delay and, in any event, within 24 hours of discovery. Such notice shall identify the cause of the Data Incident, the information and categories of data subjects affected, the steps taken to remediate the Data Incident, any information as may be needed to report the Data Incident to a Supervisory Authority or individual, and any other information requested by Quadient. Supplier shall supplement the information provided as additional information becomes available. Quadient will decide whether any notice of breach is legally required to be given to any person, and if so, the content of that notice. Supplier shall reimburse Quadient for all costs and expenses incurred by Quadient as a result of a Data Incident. The occurrence of a Data Incident will be a material breach of this DPA. 

5.2. Supplier shall immediately take action to contain and investigate the Data Incident, to identify, prevent, and mitigate the effects of any such Data Incident, and to carry out any recovery or other action necessary to remedy the Data Incident. Supplier shall use best efforts to remedy any Data Incident immediately but no later than within thirty (30) days of discovery. Supplier acknowledges and agrees that Quadient may take reasonable and appropriate steps to stop and remediate any Data Incident, including any unauthorized use of Personal Data. 

5.3. Supplier shall provide all assistance requested by Quadient in responding to a Data Incident, including: mitigating its effects, documenting its effects and any remedial actions taken, reporting the matter as required by Data Protection Laws, responding to any inquiries from a Supervisory Authority, and notifying affected Data Subjects. Supplier will not make any statement or notification to any Data Subject, Supervisory Authority or otherwise relating to a Data Incident without prior written approval of Quadient.  

6. Data Transfer.

Where Quadient or Supplier transfers Personal Data outside the EU, the EEA, Switzerland, or the UK, the parties agree to rely on appropriate data transfer mechanisms as required by Data Protection Laws, which may include the Data Privacy Framework, the Standard Contractual Clauses, or other legally recognized mechanisms. If a party is unable or becomes unable to comply with these requirements, Personal Data will only be Processed as permitted by Data Protection Laws. The parties shall work together to implement a data transfer mechanism to the extent required by Data Protection Laws with respect to Personal Data.

6.1. In the event the Service is covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Frameworks; (b) the applicable Standard Contractual Clauses; and, if neither of the preceding is applicable, then (c) other alternative data Transfer Mechanisms permitted under Applicable Laws will apply. 

6.2. To the extent the Supplier processes Customer Personal Data originating from the EEA, United Kingdom, or Switzerland, the Supplier declares that it is self-certified under the Data Privacy Frameworks and adheres to the Data Privacy Principles.  

6.3. The applicable Standard Contractual Clauses and the UK Addendum are available at the following link: Standard Contractual Clauses | Quadient

7. Term and Termination.

This DPA shall become effective on the Effective Date and shall continue in effect until the earlier to occur of (i) expiration or termination of the Agreement; or (ii) termination pursuant to this section. Quadient may terminate this DPA and the Agreement immediately if Supplier breaches a material term of this DPA. 

8. Data Return and Destruction.

Upon termination or upon Quadient’s written instructions at any time during the term, Supplier shall promptly return to Quadient all Personal Data, permanently delete all Personal Data in Supplier’s possession, and cause all Subprocessors to return and permanently delete all Personal Data in such Subprocessor’s possession. Upon Quadient’s request, Supplier shall provide written confirmation to Quadient of the return and destruction of Personal Data. In returning data, Supplier will deliver to Quadient, at no additional charge, a copy of all Personal Data in a generally recognized standard electronic structured format for migration of such data to a system of Quadient’s choosing. The requirements of this section shall survive termination or expiration of this DPA and shall be in force as long as any Personal Data remains in the custody or control of Supplier or a Subprocessor. 

9. Audit.

Supplier shall make available to Quadient, on request, all information necessary and required by Quadient to demonstrate compliance with this DPA or as required by applicable Data Protection Laws. Upon reasonable written notice, Supplier shall allow for and contribute to audits, including inspections, by Quadient or an independent auditor mandated by Quadient in relation to the Processing of Personal Data at no cost to Quadient. Audits will occur at most annually unless otherwise required by applicable Data Protection Law, or following notice of a Data Incident. Supplier will cooperate with any audit by a Supervisory Authority and bear the expenses associated with the audit. Quadient may monitor Supplier’s compliance with this DPA through measures designated by Quadient, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months. 

10. Indemnification.

Supplier shall indemnify, defend, and hold harmless, Quadient, its Affiliates, and their respective directors, officers, employees, agents, stockholders, and members from and against all allegations, claims, actions (including without limitation, any claims or any enforcement action of any regulatory authority), suits, demands, damages, liabilities, obligations, losses, settlements, judgments, costs and expenses (including without limitation attorneys’ fees and costs), which arise out of, relate to, or result from (i) a breach of this DPA, or (ii) a Data Incident, or (iii) any action or inaction of a Subprocessor. Quadient will promptly notify Supplier in writing of any indemnification claim, but any failure to notify Supplier will not relieve Supplier from any indemnity liability or obligation it may have, except to the extent Supplier is materially prejudiced by that failure. Any provision of the Agreement or any other document to the contrary notwithstanding, no limitation of liability shall apply to the obligations set forth in this paragraph. 

11. General Terms.

11.1. Interpretation. In the event of a conflict between the Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail, unless otherwise required by Data Protection Laws. If and to the extent the SCCs conflict with any provision of this DPA, the SCCs shall control to the extent of such conflict. 

11.2. Affiliates. The parties agree that, by executing the DPA, Quadient enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Affiliate(s), thereby establishing a separate DPA between Supplier and each such Affiliate. Except where applicable Data Protection Laws require the Affiliate to exercise a right or seek any remedy under this DPA against Supplier directly by itself, the parties agree that Quadient, as the contracting party to the Agreement, may exercise any such right or seek any such remedy on behalf of the Affiliate. 

11.3. Choice of Law/Venue. This DPA shall be construed and enforced in accordance with the laws of France without application of its conflicts or choice of law rules, and venue for any dispute that may arise under or relating to this DPA shall be in the tribunal de commerce de Nanterre. Each party hereby consents to the exclusive jurisdiction of such courts with regard thereto.

11.4. Amendments. This DPA may not be modified, except in a writing duly signed by authorized representatives of the parties; provided, however, that (a) Supplier may revise Annex II as set forth in Section 4, and (b) this DPA shall, unless prohibited by applicable Data Protection Laws, be automatically amended to include all provisions necessary to address the requirements of any Data Protection Laws upon the effective date of such requirement. 

11.5. Waiver. A waiver with respect to one event shall not be construed as continuing, or as a bar to or waiver of, any right or remedy as to subsequent events. 

11.6. Third-Party Beneficiaries. Except as otherwise required by Data Protection Laws, this DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only and is not for the benefit of, nor may any provision hereof be enforced by, any other person. 

11.7. Notices. All notices required or permitted under this DPA shall be provided in the manner and to the points of contact designated in the Agreement or to such other addresses as may be designated by a party from time to time. 

11.8. Entire Agreement. This DPA is the final, complete and exclusive agreement of the parties with respect to the subject-matter hereof. No prior or contemporaneous representations, inducements, promises, or agreements, oral or otherwise, between the parties with reference thereto will be of any force or effect.

11.9. Severability. If any provision of this DPA is determined by a court of competent jurisdiction to be contrary to law, such provision will be severed from the Agreement and all remaining provisions continue in full force and effect.  

11.10. Counterparts. This DPA may be executed in separate counterparts, each of which so executed and delivered shall constitute an original, but all such counterparts constitute one and the same instrument. Manually-executed counterparts may be delivered in faxed or scanned electronic form, each of which (whether originally executed or such a faxed or scanned electronic document) shall be deemed an original, and all of which together shall constitute one and the same instrument.

IN WITNESS WHEREOF, Quadient and Supplier have caused this DPA to be executed and delivered by their duly authorized representatives as of the Effective Date. 


ANNEX I
A.    LIST OF PARTIES

Data Exporter:
  • Service Provider: as defined in the Services Agreement
  • Service Provider’s address and contact information as designated in the Agreement
  • Privacy officer email contact: as defined in the Services Agreement
  • Activities: Service Provider, provider of the Services 
Data Importer: 
  • Quadient and address: as defined in the Services Agreement
  • Privacy Officer: Privacyteam@quadient.com
  • Activities: Quadient, recipient of the Services

B.    DESCRIPTION OF TRANSFER 


CATEGORIES OF DATA SUBJECTS
The personal data transferred concern the following categories of data subjects unless otherwise modified in the Agreement:
a)    leads, prospects, suppliers, and customers and their respective employees, agents, and end users 
b)    Quadient employees, agents, and end users as well as Quadient’s contractors. 

CATEGORIES OF PERSONAL DATA PROCESSED
The personal data transferred concern the following categories of data unless otherwise modified in the Agreement:

First and last name, contact information (email, phone, physical address), and financial data (bank account numbers). 

SENSITIVE DATA (if appropriate). 
The personal data transferred concern the following categories of sensitive data: 
None

FREQUENCY. 
The transfer of personal data will occur with the following frequency:
Periodically during the term of the Agreement until Supplier completes the Services for Quadient. 

NATURE
The nature of the personal data transfer is as follows:
Supplier will process Quadient Personal Data for the purposes of providing the Services and as set forth in the Agreement or DPA. 

PURPOSES OF THE TRANSFER(S). 
The transfer is made for the following purposes:
The transfer is intended to enable the relationship and performance of the Agreement between the parties. 

ADDITIONAL USEFUL INFORMATION (storage limits and other relevant information).
Any personal data transferred between the parties may only be retained for the period of time permitted under the Agreement between the parties.  

FOR TRANSFERS TO (SUB-) PROCESSORS.

Any personal data transferred between the parties may only be retained for the period of time permitted under the Agreement between the parties.  

Please check Agreement.  

C.    COMPETENT SUPERVISORY AUTHORITY.

France’s Commission Nationale de l’Informatique et des Libertés.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk. As used below, "Data" will have the same meaning as "Personal Data" in the DPA. 

Domain / Practices

Organization of Information Security

Security Responsibility. Each Party shall appoint one or more security officers responsible for coordinating and monitoring the security rules and procedures.

Security Roles and Responsibilities. Each Party’s personnel with access to Data shall be subject to confidentiality obligations.

Risk Management Program. Each Party shall perform a risk assessment before processing the Data or launching the corresponding service.

Each Party shall retain its security documents pursuant to its retention requirements after they are no longer in effect.

Asset Management

Asset Inventory. Each Party shall maintain an inventory of all assets on which Data is stored. Access to the inventories of such assets shall be restricted to personnel authorized in writing to have such access.

Asset Handling

- Each Party shall classify Data to help identify it and to allow for access to it to be appropriately restricted.

- Each Party shall impose restrictions on printing Data and shall have procedures for disposing of printed materials that contain Data.

- Each Party’s personnel shall obtain internal authorization prior to storing Data on portable devices, remotely accessing Data, or processing Data outside its facilities.

Human Resources Security

Security Training. Each Party shall inform its personnel about relevant security procedures and their respective roles. Each Party shall also inform its personnel of possible consequences of breaching the security rules and procedures. 

Physical and Environmental Security

Physical Access to Facilities. Each Party shall limit access to facilities where information systems that process Data are located to identified authorized individuals.

Protection from Disruptions. Each Party shall use a variety of industry standard systems to protect against loss of Data due to power supply failure or line interference.

Component Disposal. Data Processor shall use industry standard processes to delete Data when it is no longer needed.

Communications and Operations Management

Operational Policy. Each Party shall maintain security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Data.

Data Recovery Procedures

- On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Each Party shall maintain multiple backups of Data from which such data can be recovered.

- Each Party shall store backups of Data and data recovery procedures in a different place from where the primary computer equipment processing the Data is located.

- Each Party shall have specific procedures in place governing access to backups of Data.

- Each Party shall log data restoration efforts, including the person responsible, a description of the restored Data and, where applicable, which Data (if any) had to be input manually in the data recovery process.

Malicious Software. Each Party shall have anti-malware controls to help avoid malicious software gaining unauthorized access to Data, including malicious software originating from public networks.

Data Beyond the Limits of the Information System

- Each Party shall encrypt Data that is transmitted over public networks.

- Each Party shall restrict access to Data stored on media leaving its facilities.

Event Logging. Each Party shall log access to and use of information systems containing Data, registering the access ID, time, authorization granted or denied, and relevant activity.

AI Security Measures (where applicable). Where AI-enabled Processing is used, Supplier shall implement measures to reduce AI-specific risks (e.g., access controls for model endpoints, protection against prompt-injection/data leakage, monitoring for abnormal usage patterns, and procedures to suspend or isolate AI functionality when a security incident is suspected).

Access Control

Access Policy. Each Party shall maintain a record of security privileges of individuals having access to Data.

Access Authorization

- Each Party shall maintain and update a record of personnel authorized to access its systems that contain Data.

- Each Party shall deactivate authentication credentials that have not been used for a period of time not to exceed six months.

- Each Party shall identify those personnel who may grant, alter or cancel authorized access to Data and resources. 

- Each Party shall ensure the individuals have separate identifiers/log-ins.

Need to Know

- Technical support personnel are only permitted to have access to Data when needed. 

- Each Party shall restrict access to Data to only those individuals who require such access to perform their job function.

Integrity and Confidentiality

- Each Party shall instruct its personnel to disable administrative sessions when leaving premises under its control or when computers are otherwise left unattended.

- Each Party shall store passwords in a way that makes them unintelligible while they are in force.

Authentication

- Each Party shall use industry standard practices to identify and authenticate users who attempt to access information systems.

- Where authentication mechanisms are based on passwords, Each Party shall require that the passwords are renewed regularly.

- Where authentication mechanisms are based on passwords, Each Party shall require the password to be at least eight characters long.

- Each Party shall ensure that de-activated or expired identifiers are not granted to other individuals.

- Each Party shall monitor repeated attempts to gain access to the information system using an invalid password.

- Each Party shall maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.

- Each Party shall use industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.

Network Security. Each Party shall have controls to avoid individuals assuming access rights they have not been assigned to gain access to Data they are not authorized to access.

Information Security Incident Management

Incident Response Process

- Each Party shall maintain a record of security breaches with a description of the breach, the time period, the consequences of the breach, the source of the reporting, and the main mitigation and recovery actions.

- For each breach that is a Security Incident, notification by Data Processor to Data Controller shall be made without undue delay.

Service Monitoring

- Each Party's operations personnel shall review logs on a regular basis and propose remediation efforts where necessary.

Business Continuity Management

- Data Processor shall maintain emergency and contingency plans for the facilities in which its information systems that process Data are located.

- Data Processor's redundant storage and its procedures for recovering data shall be designed to attempt to reconstruct Data in its original or last-replicated state from before the time it was lost or destroyed.