Data Processing Agreement

Last Updated: February 01, 2026

This Data Processing Agreement ("DPA") is an integral part of the QuantPillar Terms of Service. It outlines the legal framework for the processing of Personal Data by QuantPillar Inc. ("Processor") on behalf of our Clients ("Controller").

1. Regulatory Compliance

This DPA is designed to ensure compliance with global data protection laws, including:

  • GDPR: General Data Protection Regulation (EU/UK), including the supplemental regulation on cross-border enforcement effective January 1, 2026 (full application April 2027).
  • CCPA/CPRA: California Consumer Privacy Act, as amended effective January 1, 2026, including requirements for risk assessments, cybersecurity audits (phased from 2027), and automated decision-making technology (ADMT) rights.
  • PIPEDA: Personal Information Protection and Electronic Documents Act (Canada), as amended by Bill C-15 (2025) introducing data mobility rights, and anticipated regulations under the Consumer Privacy Protection Act (CPPA via Bill C-27).
  • EU AI Act: Regulation (EU) 2024/1689, with transparency and high-risk system obligations effective August 2, 2026, intersecting with GDPR for AI-driven processing.
  • Other Applicable Laws: Where relevant, comprehensive privacy laws in U.S. states such as Indiana, Kentucky, and Rhode Island (effective January 1, 2026), and equivalents in other jurisdictions.

The parties agree to monitor and amend this DPA as needed to comply with regulatory updates, including the EU's Digital Omnibus proposal (under discussion as of 2026).

2. Processing Scope

2.1 Subject Matter: The processing of data required to provide QuantCore™, QuantVal™, and QuantTerminal™ services, including AI-driven financial analysis, valuation reporting, and market intelligence. For AI processing, this includes training, inference, and decision-making activities compliant with the EU AI Act.

2.2 Nature & Purpose: Storage, computation, analysis (including automated processing/ADMT), and reporting of data to fulfill the obligations under the Terms of Service. Processing shall adhere to data minimization principles and be limited to documented purposes.

2.3 Categories of Data: Employee data (for Cap Tables), Shareholder data, Director/Officer information, financial records, and any sensitive personal information (as defined under CCPA/CPRA or GDPR). Risk assessments shall be conducted prior to processing sensitive data or using ADMT, per CCPA amendments effective January 1, 2026.

2.4 Data Mobility: In compliance with PIPEDA amendments (Bill C-15), upon an individual's request, Processor shall facilitate disclosure of collected personal information to a designated organization, subject to applicable regulations and data-mobility frameworks.

3. Processor Obligations

QuantPillar commits to:

  • Instructions: Process Personal Data only on documented instructions from the Controller.
  • Confidentiality: Ensure all personnel authorized to process data are bound by strict confidentiality agreements, with AI literacy training per EU AI Act requirements.
  • Security: Implement industry-standard technical and organizational measures (TOMs) to secure data, including annual cybersecurity audits (per CCPA amendments, phased from 2027 for qualifying businesses) and AI-specific safeguards (e.g., bias detection, robustness testing). Security obligations apply regardless of whether data appears anonymous to potential attackers, per GDPR guidance.
  • Breach Notification: Notify the Controller without undue delay (within 72 hours under GDPR; 45 days max under CCPA if applicable) after becoming aware of a Personal Data Breach.
  • Risk Assessments: Conduct and document risk assessments for high-risk processing (e.g., sensitive data, ADMT) as required under CCPA/CPRA effective January 1, 2026, and share summaries with Controller upon request.

4. Sub-processing

The Controller authorizes QuantPillar to engage third-party sub-processors (e.g., cloud hosting, payment processing) to support service delivery. QuantPillar shall provide an updated list of sub-processors upon request or material change, and ensure contracts flow down equivalent obligations, including EU AI Act transparency for AI systems and CCPA risk assessment requirements. QuantPillar remains fully liable for sub-processors' performance.

5. Audit Rights

To demonstrate compliance, QuantPillar will provide, upon written request, copies of relevant third-party security certifications (e.g., SOC 2 Type II report), cybersecurity audit results (per CCPA from 2027), AI system documentation (per EU AI Act), and answer reasonable security questionnaires from the Controller. Controller may conduct on-site audits with reasonable notice (at least 30 days) and at its expense, limited to once per year unless triggered by a breach.

6. International Transfers

For data transfers originating from the EEA/UK to countries not deemed adequate, the parties agree to rely on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs per GDPR Recommendations 1/2026), or other approved mechanisms. Parties shall monitor transfer adequacy, including potential challenges (e.g., Schrems III), and amend as needed.

7. Termination and Data Return

Upon termination, Processor shall return or delete all Personal Data at Controller's choice, except where retention is required by law (e.g., 7 years for tax purposes).

8. Amendments

This DPA may be amended by mutual agreement to address regulatory changes.

9. Contact

For DPA-related inquiries:

QuantPillar Legal Compliance
Email: hello@quantpillar.com