Effective Date: January 1, 2026 — Version: 1.0
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or Master Service Agreement (the “Principal Agreement”) between K&z Limited (“k&z” or “Processor”) and the entity agreeing to these terms (“Client” or “Controller”). This DPA sets forth the terms and conditions under which k&z processes Personal Data on behalf of Client in connection with the provision of quantum AI infrastructure services.
1. Definitions
In this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned to them in the Principal Agreement or in applicable Data Protection Laws.
- “Data Protection Laws” means all applicable data protection and privacy legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), the UK Data Protection Act 2018, and any national implementing legislation, as amended from time to time.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by k&z on behalf of Client in connection with the Services.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Sub-processor” means any third party appointed by k&z to process Personal Data on behalf of Client.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.
2. Scope and Purpose of Processing
2.1 Scope
This DPA applies to all Processing of Personal Data by k&z on behalf of Client in connection with the Services provided under the Principal Agreement. The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex A to this DPA.
2.2 Roles of the Parties
For the purposes of Data Protection Laws: (a) Client is the Controller of Personal Data; (b) k&z is the Processor of Personal Data, processing data solely on behalf of and in accordance with the documented instructions of Client. In certain limited circumstances where k&z determines the purposes and means of processing (e.g., for its own compliance, security, or billing purposes), k&z acts as an independent Controller, subject to its Privacy Policy.
2.3 Client Obligations
Client warrants that: (a) it has a lawful basis for the Processing of Personal Data; (b) it has provided all necessary notices and obtained all necessary consents from Data Subjects as required by Data Protection Laws; (c) its instructions to k&z comply with Data Protection Laws; and (d) it is responsible for the accuracy, quality, and legality of Personal Data provided to k&z.
3. Processing Instructions
3.1 Documented Instructions
k&z shall process Personal Data only on the documented instructions of Client, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by European Union or member state law to which k&z is subject. In such a case, k&z shall inform Client of that legal requirement before Processing, unless prohibited by law from doing so on important grounds of public interest.
3.2 Instructions Outside Scope
If k&z reasonably believes that an instruction from Client infringes Data Protection Laws, k&z shall promptly inform Client. k&z shall not be required to follow instructions that it reasonably believes to be unlawful.
4. Confidentiality
k&z shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. k&z shall limit access to Personal Data to those employees, contractors, and agents who require access to perform obligations under the Principal Agreement.
5. Security Measures
5.1 Technical and Organizational Measures
k&z shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing, and against accidental loss, destruction, or damage. These measures shall include, at a minimum:
- Encryption: Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256), including encryption of data stored on quantum computing control systems and classical computing infrastructure.
- Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA), and least-privilege access principles for all systems processing Personal Data.
- Network Security: Network segmentation, firewalls, intrusion detection and prevention systems (IDS/IPS), and DDoS protection for all systems processing Personal Data.
- Physical Security: Physical access controls for data centers and quantum computing facilities, including biometric authentication, 24/7 video surveillance, and security personnel.
- Monitoring and Logging: Comprehensive logging of access to Personal Data, regular review of security logs, and real-time security monitoring and alerting.
- Vulnerability Management: Regular vulnerability assessments, penetration testing, and timely application of security patches.
- Data Isolation: Logical isolation of Client data in multi-tenant environments; physical isolation available for dedicated single-tenant and sovereign deployments.
- Backup and Recovery: Regular backups of Personal Data with encrypted storage and tested recovery procedures.
5.2 Security Reviews
k&z shall regularly review and, where necessary, update its security measures to ensure they remain appropriate in light of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
6. Sub-processors
6.1 Authorization
Client provides general authorization for k&z to engage Sub-processors for the Processing of Personal Data. k&z shall maintain a current list of Sub-processors, which is available upon request and shall be published on the k&z website.
6.2 Notification
k&z shall notify Client of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days before the engagement of the new Sub-processor, giving Client the opportunity to object to such changes.
6.3 Objection Right
If Client reasonably objects to a new Sub-processor on data protection grounds, the Parties shall discuss the concern in good faith. If the Parties cannot reach a resolution within thirty (30) days, Client may terminate the affected Services without penalty by providing written notice within fifteen (15) days after the end of the discussion period.
6.4 Sub-processor Obligations
k&z shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set forth in this DPA. k&z shall remain fully liable to Client for the performance of each Sub-processor’s obligations.
7. Data Subject Rights
7.1 Assistance
k&z shall, taking into account the nature of the Processing, assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to requests for exercising Data Subject rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
7.2 Notification
If k&z receives a request directly from a Data Subject regarding Personal Data processed on behalf of Client, k&z shall promptly redirect the request to Client and shall not respond to the Data Subject directly unless instructed by Client or required by applicable law.
8. Personal Data Breach Notification
8.1 Notification to Client
k&z shall notify Client without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Client. The notification shall include:
- A description of the nature of the breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of k&z’s data protection officer or other contact point;
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
8.2 Cooperation
k&z shall cooperate with Client and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. k&z shall assist Client in complying with its obligations under Articles 33 and 34 of the GDPR to the extent the breach involves Personal Data processed by k&z on behalf of Client.
8.3 Record Keeping
k&z shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
9. Data Protection Impact Assessments
k&z shall provide reasonable assistance to Client with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and taking into account the nature of the Processing and the information available to k&z.
10. Audit Rights
10.1 Audit and Inspection
k&z shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by Client or an independent auditor mandated by Client.
10.2 Audit Procedures
Client shall provide k&z with at least thirty (30) days’ prior written notice of any audit. Audits shall be conducted during normal business hours, shall not unreasonably interfere with k&z’s business operations, and shall be subject to reasonable confidentiality requirements. Client shall bear its own costs of conducting the audit.
10.3 Certifications and Reports
k&z maintains security controls aligned with SOC 2 Type II and ISO 27001 standards for its quantum computing infrastructure, with formal certifications currently in progress. Upon completion, Client may accept k&z’s audit reports, certifications, and third-party assessments as satisfaction of its audit rights, provided that such reports adequately address the processing activities in question. Current status of all certifications is available on our Compliance & Audits page.
11. International Data Transfers
11.1 Transfer Mechanisms
To the extent that the provision of Services involves the transfer of Personal Data from the EEA, Hong Kong, or the United Kingdom to a country not recognized as providing an adequate level of data protection, k&z shall ensure that appropriate safeguards are in place, including the Standard Contractual Clauses as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
11.2 Supplementary Measures
k&z shall implement supplementary technical and organizational measures as necessary to ensure an essentially equivalent level of data protection, including encryption of data in transit and at rest, pseudonymization where feasible, and access controls restricting data access to authorized personnel.
12. Data Return and Deletion
12.1 Upon Termination
Upon termination or expiration of the Principal Agreement, k&z shall, at Client’s election, either return all Personal Data to Client in a structured, commonly used, and machine-readable format, or delete all Personal Data and existing copies, unless applicable law requires continued storage. k&z shall complete the return or deletion within thirty (30) days of Client’s request.
12.2 Certification
Upon request, k&z shall provide Client with written certification that all Personal Data has been deleted in accordance with this Section, except where retention is required by applicable law, in which case k&z shall identify the specific Personal Data retained and the legal basis for retention.
13. Annex A — Details of Processing
13.1 Subject Matter and Duration
The subject matter of Processing is the provision of quantum AI infrastructure services as described in the Principal Agreement. Processing shall continue for the duration of the Principal Agreement, plus any retention period required by applicable law.
13.2 Nature and Purpose
k&z processes Personal Data for the purpose of providing the Services, including account management, authentication, job scheduling and execution on QPU resources, usage metering, billing, technical support, and platform security.
13.3 Types of Personal Data
The types of Personal Data processed may include: names, email addresses, job titles, organizational affiliations, IP addresses, authentication credentials, API access logs, QPU job metadata, usage metrics, and communication records.
13.4 Categories of Data Subjects
Data Subjects include: Client’s employees, contractors, authorized users, researchers, and other individuals whose Personal Data is processed through the Services.
14. General
14.1 Precedence
In the event of a conflict between this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA shall prevail.
14.2 Governing Law
This DPA shall be governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China, without regard to conflict of laws principles, consistent with the Principal Agreement.
14.3 Liability
The liability of each Party under this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.
15. Contact
For questions about this DPA, please contact:
- Data Protection Officer: support@kandz.co
- Legal Department: support@kandz.co
- Mail: K&z Limited, Legal Department, Flat 10198, 10/F, Liven House, No. 61-63 King Yip Street, Kwun Tong, Kowloon, Hong Kong