Data Processing Agreement

Last updated: March 21, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the customer entity identified in the Agreement ("Controller") and Bolt Systems, LLC, operating the Quoining platform ("Processor"). This DPA reflects the parties' agreement with regard to the processing of personal data by Processor on behalf of Controller in accordance with the requirements of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given in the Agreement or the GDPR.

  • "Controller" means the customer entity that determines the purposes and means of the processing of personal data and has entered into the Agreement with Processor.
  • "Processor" means Bolt Systems, LLC, which processes personal data on behalf of the Controller in connection with the provision of the Service.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by Processor on behalf of Controller in connection with the Service.
  • "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by Processor to process personal data on behalf of Controller in connection with the Service.
  • "Standard Contractual Clauses" (or "SCCs") means the standard contractual clauses approved by the European Commission for the transfer of personal data to countries outside the European Economic Area, as may be amended or replaced from time to time.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

2. Scope & Purpose

This DPA applies to all processing of personal data by Processor on behalf of Controller in connection with the Service, as described in the Agreement. The subject matter, duration, nature, purpose, types of personal data, and categories of Data Subjects are set out in Annex A.

This DPA does not apply to processing for which Processor acts as an independent controller, such as processing for billing, account management, or compliance with legal obligations applicable to Processor.

3. Roles of the Parties

The Controller determines the purposes and means of the processing of personal data. The Processor processes personal data only on behalf of and in accordance with the documented instructions of the Controller.

Nothing in this DPA shall prevent the Processor from processing personal data as required by applicable law, provided that the Processor informs the Controller of such legal requirement before processing (unless prohibited from doing so by law).

4. Processing Instructions

Processor shall process personal data only in accordance with Controller's documented instructions, as set forth in this DPA, the Agreement, and any subsequent written instructions agreed upon by the parties. The Agreement and this DPA constitute Controller's complete and final instructions at the time of execution. Any additional or alternative instructions must be agreed upon separately in writing.

If Processor reasonably believes that any instruction from Controller infringes applicable data protection law, Processor shall promptly notify Controller and shall be entitled to suspend the relevant processing until Controller issues a revised instruction or confirms the original instruction in writing.

The details of the processing, including the subject matter, duration, nature and purpose, categories of Data Subjects, and types of personal data, are specified in Annex A.

5. Confidentiality

Processor shall ensure that all persons authorized to process personal data under this DPA are subject to appropriate confidentiality obligations, whether contractual or statutory. Processor shall ensure that access to personal data is limited to those personnel who require such access for the performance of the Service, and that such personnel process personal data only in accordance with Controller's instructions.

6. Security Measures

Processor shall implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be appropriate to the risk and shall include, at a minimum:

  • Encryption: AES-256 encryption for data at rest, TLS 1.2 or higher for data in transit, and field-level encryption for sensitive data fields (e.g., tax identification numbers, financial account numbers).
  • Access Controls: Role-based access control (RBAC) with the principle of least privilege, multi-factor authentication (MFA) for all personnel with access to personal data, and per-entity access restrictions.
  • Audit Logging: Immutable, tamper-proof audit trail capturing all access to and changes of personal data, including IP address, user agent, timestamp, and actor identity.
  • Regular Testing: Periodic testing, assessment, and evaluation of the effectiveness of security measures, including vulnerability scanning and security patching.

The full description of technical and organizational measures is set out in Annex B. Processor shall not materially reduce the overall level of security without prior written notice to Controller.

7. Sub-Processors

Controller provides general written authorization for Processor to engage Sub-processors in connection with the Service. The current list of Sub-processors is maintained in Processor's Privacy Policy, available at quoining.com/privacy.

Processor shall provide Controller with at least 30 days' advance written notice before engaging any new Sub-processor or replacing an existing Sub-processor. Controller may object to the appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Processor in writing within 15 days of receiving such notice. If Controller objects and the parties cannot resolve the matter, Controller may terminate the affected portion of the Service without penalty.

Processor shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. Processor shall remain fully liable to Controller for the performance of each Sub-processor's obligations.

8. Data Subject Rights

Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law, including the rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If Processor receives a request from a Data Subject directly, Processor shall promptly notify Controller and shall not respond to the Data Subject without Controller's prior written authorization, unless required to do so by applicable law.

9. Data Breach Notification

Processor shall notify Controller without undue delay and in any event within 72 hours of becoming aware of a Data Breach affecting personal data processed under this DPA. Such notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and personal data records affected
  • The name and contact details of Processor's data protection contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its adverse effects

Processor shall cooperate with Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

10. Data Protection Impact Assessments

Processor shall provide reasonable assistance to Controller in conducting data protection impact assessments ("DPIAs") and prior consultations with Supervisory Authorities, as required under Articles 35 and 36 of the GDPR, to the extent that such assistance is necessary and relates to the processing of personal data by Processor on behalf of Controller.

11. International Transfers

Personal data processed under this DPA is stored and processed in the United States (AWS us-east-1 region). To the extent that Processor processes personal data originating from the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission are incorporated into this DPA by reference.

Processor shall make Transfer Impact Assessments available to Controller upon reasonable written request, detailing the legal framework applicable in the destination country and any supplementary measures implemented to ensure an essentially equivalent level of protection.

12. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law, and shall allow for and contribute to audits, including inspections, conducted by Controller or a qualified third-party auditor mandated by Controller.

Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt Processor's operations. Controller shall bear the costs of any such audit unless the audit reveals material non-compliance by Processor.

Processor may satisfy Controller's audit rights by providing an up-to-date report from an independent third-party auditor (e.g., SOC 2 Type II report), provided that such report is no more than 12 months old and covers the controls relevant to this DPA.

13. Data Return & Deletion

Upon termination or expiration of the Agreement, or upon Controller's written request, Processor shall:

  • Return all personal data to Controller in a commonly used, machine-readable format (e.g., CSV, JSON) within a reasonable timeframe
  • Delete all copies of personal data in Processor's possession or control within 90 days of termination, including data held by Sub-processors
  • Provide written certification of deletion upon Controller's request

Processor may retain personal data to the extent and for the duration required by applicable law, regulation, or binding order of a governmental body. Any retained data shall remain subject to the confidentiality and security obligations of this DPA.

14. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement (Terms of Service). This DPA does not modify or supersede the limitations of liability in the Agreement, and the parties' aggregate liability under the Agreement and this DPA combined shall not exceed the limits specified therein.

15. Term & Termination

This DPA shall become effective when Controller first accesses or uses the Service and shall remain in force for the duration of the Agreement. This DPA shall automatically terminate upon termination or expiration of the Agreement.

The provisions of this DPA that by their nature should survive termination shall survive, including but not limited to Sections 5 (Confidentiality), 9 (Data Breach Notification), 12 (Audit Rights), 13 (Data Return & Deletion), and 14 (Liability).

Annex A: Details of Processing

Subject Matter
Provision of the Quoining multi-entity GAAP accounting platform, including financial data processing, reporting, bank transaction import, categorization, and related accounting services.
Duration
For the term of the Service agreement between Controller and Processor, plus the period required for data return and deletion as specified in Section 13.
Nature & Purpose
Financial data processing, general ledger management, accounts payable and receivable, bank reconciliation, financial reporting, AI-assisted transaction categorization, document processing, and multi-entity consolidation in connection with Controller's use of the Service.
Categories of Data Subjects
  • Controller's employees and authorized users
  • Controller's clients and customers
  • Controller's vendors and suppliers
  • Employees of Controller's clients, customers, vendors, and suppliers
Categories of Personal Data
  • Names and contact information (email addresses, phone numbers, mailing addresses)
  • Financial records (invoices, bills, payments, journal entries)
  • Bank and financial account data (account numbers, transaction histories, balances)
  • Tax identification numbers (SSN, EIN, ITIN)
  • Payroll data (compensation, deductions, benefits)
  • Blockchain/cryptocurrency wallet addresses
Sensitive Data
Tax identification numbers (encrypted at rest with AES-256 and field-level encryption) and financial account numbers (encrypted at rest with AES-256 and field-level encryption). No special categories of data as defined in Article 9 of the GDPR are intentionally processed.

Annex B: Technical & Organizational Measures

Processor implements and maintains the following technical and organizational measures to protect personal data:

Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.2 or higher for all data in transit
  • Field-level encryption for sensitive data fields (tax identification numbers, financial account numbers) using AES-256-GCM with dedicated encryption keys

Access Control

  • Role-based access control (RBAC) with admin, member, and viewer roles
  • Multi-factor authentication (MFA) available for all user accounts
  • Principle of least privilege enforced across all systems
  • Per-entity access restrictions ensuring users access only authorized entities
  • Company-scoped data isolation preventing cross-tenant access

Audit Logging

  • Immutable audit trail with database triggers preventing modification or deletion
  • IP address and user agent capture for all authenticated operations
  • Tamper-proof via database-level BEFORE UPDATE/DELETE triggers
  • Monotonic sequence numbers for gap detection
  • Denormalized actor attribution for forensic analysis
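The measures listed above (an append-only audit table guarded by BEFORE UPDATE/DELETE triggers, monotonic sequence numbers checked for gaps, and denormalized actor attribution) can be exercised in a few lines. The following is an added illustration, not Bolt Systems' or Quoining's own code: it uses an in-memory SQLite database as a stand-in for the production database, and the table name, column names, and sample events are constructed assumptions for this example.

```python
"""
Added example (not Quoining's code): an immutable audit trail in SQLite.
- BEFORE UPDATE / BEFORE DELETE triggers refuse any change to logged rows.
- Sequence numbers are assigned monotonically inside a write-locked transaction.
- find_gaps() reports missing sequence numbers, i.e. rows that never arrived.
Table/column names and sample data are constructed for this illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE audit_log (
    seq         INTEGER PRIMARY KEY,  -- monotonic sequence number
    actor_id    TEXT NOT NULL,        -- denormalized actor attribution: copied
    actor_email TEXT NOT NULL,        --   into the row so it survives user changes
    ip_address  TEXT NOT NULL,
    user_agent  TEXT NOT NULL,
    action      TEXT NOT NULL,
    entity      TEXT NOT NULL,
    occurred_at TEXT NOT NULL
);
-- Database-level triggers: rewriting or erasing an audit row is rejected
-- regardless of which application code path attempts it.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log rows are immutable'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log rows cannot be deleted'); END;
"""


def open_audit_db():
    """Create the audit table and its triggers in an in-memory database."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, actor_id, actor_email, ip_address, user_agent, action, entity):
    """Append one audit row with the next sequence number; returns that number."""
    # BEGIN IMMEDIATE takes the write lock first, so two writers cannot both
    # read the same MAX(seq) and collide on (or skip) a sequence number.
    conn.execute("BEGIN IMMEDIATE")
    try:
        (last,) = conn.execute("SELECT COALESCE(MAX(seq), 0) FROM audit_log").fetchone()
        seq = last + 1
        conn.execute(
            "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?, ?, ?, datetime('now'))",
            (seq, actor_id, actor_email, ip_address, user_agent, action, entity),
        )
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return seq


def attempt_tamper(conn):
    """Try to alter and to delete row 1; return the error each trigger raised."""
    errors = {}
    for name, sql in (
        ("update", "UPDATE audit_log SET actor_id = 'someone-else' WHERE seq = 1"),
        ("delete", "DELETE FROM audit_log WHERE seq = 1"),
    ):
        try:
            conn.execute(sql)
            errors[name] = None  # would mean the trigger did not fire
        except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces as a constraint error
            errors[name] = str(exc)
    return errors


def find_gaps(conn):
    """Return every sequence number missing between 1 and the highest one present."""
    seqs = [row[0] for row in conn.execute("SELECT seq FROM audit_log ORDER BY seq")]
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(1, seqs[-1] + 1) if n not in present]


def demo():
    """Run the scenario end to end and return the observable results."""
    conn = open_audit_db()
    # Constructed sample events (documentation IP ranges, fictitious users).
    record_event(conn, "u-1001", "ana@example.com", "203.0.113.10", "Mozilla/5.0", "invoice.create", "entity-acme")
    record_event(conn, "u-1001", "ana@example.com", "203.0.113.10", "Mozilla/5.0", "invoice.update", "entity-acme")
    record_event(conn, "u-2002", "bo@example.com", "198.51.100.7", "curl/8.0", "bank_txn.import", "entity-beta")
    tamper = attempt_tamper(conn)
    # Simulate a lost write by inserting seq 5 directly, leaving seq 4 missing;
    # the gap check below is what would flag this during a forensic review.
    conn.execute(
        "INSERT INTO audit_log VALUES (5, 'u-2002', 'bo@example.com', '198.51.100.7', "
        "'curl/8.0', 'report.export', 'entity-beta', datetime('now'))"
    )
    return {
        "rows": conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0],
        "seq1_actor": conn.execute("SELECT actor_id FROM audit_log WHERE seq = 1").fetchone()[0],
        "tamper": tamper,
        "gaps": find_gaps(conn),
    }


if __name__ == "__main__":
    print(demo())
```

The triggers are the control that matters for the "immutable" claim: an application-layer guard can be bypassed by any code path with a database connection, whereas a BEFORE UPDATE/DELETE trigger that raises refuses the change inside the database itself. The sequence check is the complementary detective control; a gap in the numbering cannot be produced by the triggers' rejecting a write, so any gap points to a row that was never committed and warrants investigation.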

Network Security

  • Virtual Private Cloud (VPC) isolation with private subnets
  • Security groups restricting inbound and outbound traffic
  • Web Application Firewall (WAF) protecting against common attack vectors

Data Isolation

  • Company-scoped queries enforced at the application layer for all data access
  • Row-level security by companyId preventing cross-tenant data leakage
  • Entity-level access restrictions within each company

Backup & Recovery

  • Automated daily backups with point-in-time recovery capability
  • All backup data encrypted at rest
  • Regular backup restoration testing

Personnel

  • Background checks for all personnel with access to personal data
  • Security awareness training for all employees
  • Confidentiality agreements signed by all personnel

Incident Response

  • Documented incident response plan with defined roles and escalation procedures
  • 72-hour breach notification commitment as specified in Section 9
  • Regular incident response testing and tabletop exercises

Vulnerability Management

  • Automated dependency scanning for known vulnerabilities
  • Regular security patching with prioritized remediation timelines

Physical Security

  • Infrastructure hosted in AWS data centers certified to SOC 1, SOC 2, SOC 3, and ISO 27001 standards
  • All data stored in the US (AWS us-east-1 region)
  • Physical access controls managed by AWS in accordance with their compliance certifications

Contact

For questions about this DPA or to exercise any rights under this agreement, contact us at:

Bolt Systems, LLC

Email: legal@quoining.com