Data Processing Addendum (Controller → Processor)

Effective date: 20th September

This DPA forms part of: the Master Services Agreement, Order Form, or other contract between the parties (the “Agreement”).

Parties

  • Controller (Customer): the business customer or individual that has entered into an account, subscription, or other agreement for use of the ERPConsult.ai Services, and whose details are provided during the online registration or subscription checkout process.
  • Processor: Quantinoid LLC (Registration No. 2023-001261028), 30 N Gould St Ste R, Sheridan, WY 82801, USA
    • Contact (privacy/security/legal): support@erpconsult.ai

1) Purpose and scope

1.1. This DPA explains how Processor handles Personal Data on behalf of Controller when providing ERPConsult.ai services (the “Services”).
1.2. Controller decides what Personal Data is processed and why. Processor acts on Controller’s instructions and only for the Services.

2) Key definitions

  • Personal Data: Information that identifies or can identify a person.
  • Processing: Any action on Personal Data (collecting, storing, using, sharing, deleting, etc.).
  • Controller: The party that decides purposes and means of Processing (Customer).
  • Processor: The party that processes Personal Data for the Controller (Quantinoid LLC).
  • Sub-processor: A third party engaged by Processor to help deliver the Services and that processes Personal Data.
  • Data Protection Laws: All laws that apply to the Processing (e.g., GDPR/UK GDPR, Swiss FADP, CCPA/CPRA and similar US state laws, LGPD, PIPEDA, PDPA, POPIA, UAE/DIFC/ADGM rules).
  • EU SCCs: Standard Contractual Clauses (2021/914).
  • UK Addendum: UK ICO International Data Transfer Addendum.
  • Swiss Addendum: Swiss adaptations to the EU SCCs.

3) Roles and responsibilities

3.1. Controller will ensure a lawful basis and provide clear, documented instructions.
3.2. Processor will:

  • Process Personal Data only on Controller’s documented instructions;
  • Not use Personal Data for its own purposes;
  • Not sell or share Personal Data as those terms are defined in US state privacy laws;
  • Not combine Personal Data with other data except as needed to provide, secure, or maintain the Services for Controller’s account or as required by law;
  • Keep records needed to show compliance with this DPA.

4) Details of Processing

4.1. Subject matter: Hosting and handling of recruitment-related data in ERPConsult.ai.
4.2. Duration: For the term of the Agreement and any return/deletion period set out in this DPA.
4.3. Nature and purposes: Hosting, storage, indexing, search, availability alerts, team features, reporting, troubleshooting, safety, billing, and support.
4.4. Categories of data subjects: Consultants; recruiter and agency users; Controller’s admins and staff who access the Services.
4.5. Types of Personal Data:

  • Identity and contact (name, email, phone, company, role);
  • Professional profile (CV/resume, skills, certifications, project history, education, locations served, languages, rates, currencies, availability, notice periods, links);
  • Account data (usernames, hashed passwords, seat/role);
  • Device/usage data (IP, browser/OS, timestamps, logs, events);
  • Support messages and preferences.

Special categories are not intended to be processed. Controller will avoid uploading such data unless strictly needed and protected by written instruction.
4.6. Return and deletion: See Section 13.

5) Instructions

5.1. Controller’s initial instructions are to process Personal Data to provide the Services as described in the Agreement.
5.2. If an instruction appears unlawful, Processor will notify Controller and may pause the instruction until clarified or changed.

6) Confidentiality and personnel

6.1. Processor will ensure that personnel with access to Personal Data are bound by confidentiality duties.
6.2. Processor provides privacy and security training to relevant personnel.

7) Security measures

7.1. Processor will implement and maintain the technical and organizational measures described in Annex II (TOMs).
7.2. Measures may be updated to reflect current practice and risks, provided protection is not reduced.

8) Sub-processors

8.1. Controller authorizes the Sub-processors listed in Annex III and any updates.
8.2. Processor will put written terms in place with Sub-processors to protect Personal Data at least to the level required here, and remains responsible for their acts and omissions.
8.3. Change notice and objection: Processor will notify Controller before adding or replacing a Sub-processor. Controller may object on reasonable data protection grounds within 10 days. If the parties cannot resolve the objection in good faith, Controller may suspend the affected feature or terminate the impacted order for a pro-rated refund of prepaid fees for the terminated part.

9) Assistance to Controller

Processor will give reasonable help (taking into account the nature of the Processing and the information available to Processor) with:

  • Data subject requests (access, deletion, correction, portability, objection, restriction);
  • Security matters, including audits and questionnaires;
  • Impact assessments (DPIAs) and cooperation with authorities where the Services are involved.

10) Personal Data breaches

10.1. Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s data.
10.2. The notice will include, where known at the time: type of incident, likely impact, categories and approximate numbers affected, steps taken or planned, and a contact point.
10.3. Processor will act to contain, investigate, and reduce harm.
10.4. Controller is responsible for notifying authorities or individuals unless the law or the parties agree otherwise.

11) Audits and assurances

11.1. Processor will share available third-party reports or certifications relevant to the Services (if any) and answer reasonable security questionnaires.
11.2. If the law or a regulator requires a direct audit, Controller may conduct (or appoint an independent auditor to conduct) an audit once every 12 months, with 30 days’ notice, during normal business hours, in a way that protects confidentiality and avoids disruption.
11.3. Audits are at Controller’s cost unless a material breach is found.

12) International transfers

12.1. If Personal Data is transferred internationally and the law requires safeguards, the parties agree to use:

  • EU/EEA → non-EEA: EU SCCs (2021/914), Module 2 (Controller → Processor), completed by Annex I–III;
  • UK → third country: UK Addendum to the EU SCCs;
  • Switzerland → third country: EU SCCs with Swiss Addendum adjustments.

12.2. If a transfer tool is invalidated or replaced, the parties will work together in good faith to adopt a valid alternative.
12.3. Copies of the SCCs/Addenda will be provided on request, with sensitive parts redacted as allowed.

13) Return and deletion

13.1. When the Services end (or on Controller’s written request), Processor will return or delete Personal Data within 60 days, unless the law requires retention.
13.2. Backup copies may persist for up to 90 days and are then deleted in the normal cycle.
13.3. Processor will confirm deletion upon written request.

14) Government and third-party requests

If Processor receives a lawful demand for Controller’s Personal Data from a public authority or another third party, Processor will, to the extent permitted:

  • Notify Controller;
  • Challenge unlawful or overbroad demands; and
  • Disclose only what is legally required.

15) US state privacy laws (service provider / processor terms)

For California and similar state laws, Processor acts as a Service Provider/Processor and will:

  • Use Personal Data only to provide the Services, for security and legal compliance, or as allowed by this DPA;
  • Not sell or share Personal Data;
  • Not combine Personal Data with other data except as needed to provide or protect the Services;
  • Assist Controller with consumer rights requests and flow down these duties to Sub-processors.

16) Other regional laws (summary)

Processor supports Controller in meeting obligations under Brazil LGPD, Canada PIPEDA, Singapore PDPA, Australia Privacy Act, South Africa POPIA, UAE (including DIFC/ADGM), and similar laws, to the extent the Services are involved.

17) Liability and indemnity

17.1. Each party is responsible for the damages it causes due to its own breach of this DPA or Data Protection Laws.
17.2. Limits and exclusions of liability in the Agreement apply to this DPA, unless the law does not allow such limits for the specific breach.
17.3. Nothing here limits liability for willful misconduct where such limits are not allowed by law.

18) Term and termination

18.1. This DPA applies for as long as Processor handles Controller’s Personal Data under the Agreement.
18.2. Sections that by their nature continue after termination (e.g., confidentiality, deletion) will survive.

19) Order of precedence

If there is a conflict about privacy or data protection: SCCs/Addenda → this DPA → Agreement.

20) Changes

References may be updated for accuracy (e.g., addresses, legal citations, processor lists). Material changes to duties require written agreement.

21) Contacts

  • Processor (Quantinoid LLC): support@erpconsult.ai
  • Controller: The business customer or individual that has entered into an account, subscription, or other agreement for use of the ERPConsult.ai Services, and whose details are provided during the online registration or subscription checkout process.

ANNEX I — SCCs: Parties and Description of Processing

  • Data exporter (Controller): The business customer or individual that has entered into an account, subscription, or other agreement for use of the ERPConsult.ai Services, and whose details are provided during the online registration or subscription checkout process.
  • Role:
  • Contact: As provided by the customer during account registration or in the ERPConsult.ai account settings.
  • Data importer (Processor): Quantinoid LLC, 30 N Gould St Ste R, Sheridan, WY 82801, USA. Role: Processor.
    Contact: support@erpconsult.ai.

Description of transfer:

  • Subjects: Consultants; recruiter/agency users; Controller admins.
  • Data: As listed in Section 4.5.
  • Sensitive data: Not intended; if present, only on Controller’s written instruction and with extra safeguards.
  • Frequency: Continuous as needed for the Services.
  • Nature: Hosting, storage, indexing, search, alerts, messaging, reporting, support.
  • Purpose: Provide and support the Services for Controller’s account.
  • Retention: As in Sections 7 (implicit) and 13; backups up to 90 days after deletion.

Supervisory authority:

  • EU: the authority for Controller’s main EU establishment (or where affected users are located).
  • UK: ICO (via UK Addendum).
  • Switzerland: FDPIC (via Swiss Addendum).

ANNEX II — Technical and Organizational Measures (TOMs)

Hosting and platform

  • ERPConsult.ai runs on WordPress + Elementor hosted by Hostinger.
  • Data centers with physical security, monitoring, and redundancy.
  • TLS for data in transit; encryption at rest for applicable storage.
  • Isolation between environments; least-privilege access for admins.

Access control

  • Unique accounts; role-based access; periodic access reviews.
  • Strong passwords; MFA for admin interfaces where available.
  • Session timeouts and revocation on role change or exit.

Application security

  • WordPress core, theme, and plugins kept current.
  • Only trusted plugins; code/config change control; staging where feasible.
  • Web application firewall and brute-force protection; rate limiting.
  • Secrets kept outside source control; key rotation on risk events.

Data protection and backups

  • Regular backups (per Hostinger schedule plus supplemental backups where needed).
  • Encrypted backup storage; separation from production; rolling 90-day retention.
  • Data minimization and retention aligned with this DPA.

Monitoring and logging

  • Server and uptime monitoring; system and application logs.
  • Alerts for unusual access or brute-force patterns; periodic review.

Incident response

  • Defined plan: detect → contain → investigate → notify Controller → remediate → post-incident review.
  • Contact: support@erpconsult.ai.
  • Timeline: notify without undue delay after becoming aware of a breach.

Business continuity and disaster recovery

  • Redundant infrastructure and backups to meet reasonable recovery goals.
  • Tested restore procedures.

Vendor and Sub-processor management

  • Security and privacy due diligence; contractual data terms; ongoing oversight.

Payments

  • Stripe processes card data; ERPConsult.ai systems do not store card numbers.
  • Stripe maintains PCI DSS compliance.

Analytics and cookies

  • Google Analytics and Google Tag Manager used for product and site analytics.
  • Consent tools where required by law; IP masking recommended.
  • Honor applicable regional signals (e.g., GPC) where supported.

Data subject rights support

  • Processes to locate, export, correct, or delete Personal Data for Controller’s data subjects upon request.

Training and awareness

  • Privacy and security training for relevant staff; periodic refreshers.

Measures may be refined over time to keep protection current.

ANNEX III — Authorized Sub-processors

  • Hostinger International Ltd.
    • Purpose: Hosting, storage, server infrastructure for ERPConsult.ai (WordPress + Elementor)
    • Location(s): EU and other regions per hosting plan
    • Transfer safeguard: SCCs / regional hosting
  • Hostinger (Email Services)
    • Purpose: Transactional email (password resets, notices)
    • Location(s): EU / global
    • Transfer safeguard: SCCs / regional hosting
  • Stripe, Inc. and affiliates
    • Purpose: Payments, billing, subscription processing
    • Location(s): US/EU/global
    • Transfer safeguard: PCI DSS; SCCs
  • Google LLC (Analytics, Tag Manager)
    • Purpose: Analytics and tag management
    • Location(s): US/global
    • Transfer safeguard: SCCs / Data Privacy Framework / regional hosting where applicable

ANNEX IV — UK Addendum (summary terms)

Where UK data is transferred to Processor in a third country:

  • The UK Addendum to the EU SCCs applies.
  • Tables reference Annex I–III for details.
  • Either party may end the Addendum if the SCCs are replaced and the parties do not agree on a new tool.

ANNEX V — Swiss Addendum (summary terms)

For Swiss transfers to third countries:

  • EU SCCs apply with references read under Swiss law (FADP).
  • FDPIC is the supervisory authority.
  • Where EU and Swiss rules differ, the stricter applies to Swiss data.

ANNEX VI — Data Subject Request (DSR) Procedure

  • Intake: If Processor receives a request directly from a data subject of Controller, Processor forwards it to Controller without undue delay.
  • Support: Processor will help Controller by locating, exporting, correcting, or deleting data that is technically feasible for the Services.
  • Deadlines: Processor assists so Controller can meet legal timeframes (e.g., 1 month under GDPR; 45 days under CPRA).
  • Verification: Controller sets the identity checks for its data subjects.

ANNEX VII — Security Incident Playbook (summary)

  1) Detect and triage → 2) Contain and eradicate → 3) Notify Controller → 4) Mitigate and recover → 5) Review and improve.

Signatures

Controller
Name: __________________________
Title: __________________________
Company: _______________________
Date: __________________________
Signature: ______________________

Processor — Quantinoid LLC
Name: __________________________
Title: __________________________
Company: Quantinoid LLC
Date: __________________________
Signature: ______________________

 

 


2025 erpconsult.ai | All rights reserved.