QS Data Processing Addendum

Last updated: 17th December 2025

‍

This Data Processing Addendum (“DPA”) is made by and between the parties to any Main Agreement incorporating this DPA by reference and this DPA shall be in addition to any obligations set out in any Main Agreement.

This DPA outlines the obligations between the parties where QS acts as a data processor in providing Services to the Customer insofar as it relates to Customer Personal Data.

‍

Variables
Parties’ roles	Customer will act as the Controller (as defined in Section 1 of the Terms). QS will act as the Processor (as defined in Section 1 of the Terms).
Data protection contacts	QS Name: QS Group Data Protection Officer Email: DPO@qs.com	Customer Name: As listed in the Main Agreement or as set forth in this DPA. Email: As listed in the Main Agreement or as set forth in this DPA.
Main agreement	Means the agreement in place between Customer and QS covering the use of the Services.
Term	As listed in the Main Agreement.
Breach notification period	Without undue delay after becoming aware of a Personal Data breach.
Sub-processor notification period	As soon as reasonably practicable, but no later than fourteen (14) days’ prior to allowing such sub-processor to process Personal Data.
Liability cap	Notwithstanding anything to the contrary in this DPA, the liability of each party and each party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Main Agreement.
Governing law and jurisdiction	As per the Main Agreement.
Data protection laws	To the extent applicable, all laws, regulations and court orders which may apply to the processing of Personal Data in: the European Economic Area (EEA) the United Kingdom (UK) Switzerland the United States (US) Australia This includes the European Union General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 (DPA 18), the Swiss Federal Act on Data Protection and its implementing regulations (Swiss FADP), California Consumer Privacy Act of 2018 (CCPA), California Privacy Rights Act of 2020 (CPRA), and the Privacy Act 1998, each as amended from time to time.
Services related to processing	As described in the Main Agreement.
Duration of processing	The Term plus the period from the end of the Term until deletion of all Personal Data by QS in accordance with this DPA or as otherwise specified in the Main Agreement.
Nature and purpose of processing	The nature and purpose of the processing is as described in Exhibit A, Annex I.
Personal data	The types of Personal Data processed are as described in Exhibit A, Annex I.
Data subjects	The individuals whose Personal Data will be processed are as described in Exhibit A, Annex I.
Transfer mechanism	The Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or adequate country to a third country (EU SCCs). The International Data Transfer Addendum issued by the Information Commissioner’s Office under section 119A of the Data Protection Act 2018, effective from 21 March 2022 (UK IDTA).
Security measures	The security measures are as described in Exhibit A, Annex II.
Sub-processors (current)	The current sub-processors are listed at www.qs.com/qs-sub-processor-list/.

‍

Terms

1. What is this Addendum about?

1.1 Purpose. The parties are entering into this Data Processing Addendum (DPA) for the purpose of processing Personal Data in connection with the provision of the products and services by QS (Services)to the Customer pursuant to the Main Agreement.

1.2 Definitions. All capitalised terms in this DPA shall have the meaning as prescribed by QS Main Agreement or as otherwise agreed between the parties, unless otherwise specified below. Under this DPA:

(a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data,

(b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws, and

(c) Sub-processor means another processor engaged by the Processor to carry out specific processing activities with Personal Data.

‍

2. What are each party’s obligations?

2.1 Role and Scope of the Processing. Customer will act as the Controller and QS will act as the Processor under this DPA. The Controller instructs the Processor to process its Personal Data in accordance with this DPA, and is responsible for providing any necessary notices, consents, licences and legal bases required to allow Processor to process Personal Data.

2.2 Processor obligations. Processor will:

(a) only process Personal Data in accordance with this DPA and Controller’s instructions(unless legally required to do otherwise),

(b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,

(d) use the technical and organisational measures described in Exhibit A, Annex II when processing Personal Data to ensure a level of security appropriate to the risk involved,

(e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,

(f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,

(g) without undue delay, and at the expense of the Controller, provide Controller reasonable assistance with:

i. data protection impact assessments,

ii. responses to data subjects’ requests to exercise their rights under Data Protection Laws, and

iii. engagement with supervisory authorities,

(h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,

(i) allow for audits of Processor’s compliance with its obligations under this DPA, on at least thirty (30) days’ notice at Controller’s reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and

(j) return Personal Data upon Controller’s written request or delete Personal Data by the end of the Term, unless retention is legally required.

2.3 Warranties. The parties warrant that they will comply with their respective obligations under Data Protection Laws.

2.4 Anonymisation: Processor may anonymise, de-identify and aggregate Personal Data (such that it does not identify or permit the identification of any individual), and may use such data for its legitimate business purposes, including to provide, maintain, improve and develop the Services.

3. Sub-processing

3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor’s existing sub-processors are listed in Exhibit A, Annex I (Sub-Processor List).

3.2 Sub-processor requirements. Processor will:

(a) require its sub-processors to comply with equivalent terms as Processor’s obligations in this DPA,

(b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and

3.3 Changes. To receive notification concerning the addition or replacement of sub-processors, Controller shall subscribe by sending an email to DPO@qs.com to receive notifications of any new sub-processors used to process Personal Data in accordance with the Sub-processor Notification Period. If Controller does not object during the Sub-processor Notification Period, Processor will deem Controller to have authorised the relevant changes and sub-processors.

3.4 Objections. Controller may reasonably object inwriting to any future sub-processor within the Sub-processor Notification Period, provided that such objection is based on reasonable grounds relating to data protection. Controller may execute a written amendment to the Main Agreement implementing appropriate changes or exercise the right to terminate the Main Agreement in accordance with the termination provisions. Such termination shall not constitute termination for breach of the Main Agreement.

4. International personal data transfers

4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.

4.2 Transfer mechanism. Parties agree that when the transfer of personal data from Controller (as data exporter) to Processor (as data importer) takes place the relevant Transfer Mechanism will apply. The parties agree that the Transfer Mechanism attached hereto as Exhibit A shall apply to transfers of personal data under this DPA.

5. Other important information

5.1 Liability: Any claims arising from or in anyway related to this DPA or Processor’s processing of Personal Data hereunder, including the Standard Contractual Clauses, shall be subject to any limitation of liability, dispute resolution requirements, and other limitations set for thin the Main Agreement.

5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

(a) Transfer Mechanism,

(b) DPA,

5.3 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.

‍

Exhibit A

‍

Standard Contractual Clauses

The newly applicable Standard Contractual Clauses based on European Commission’s decision(EU) 2021/914 4 June 2021 are fully part of the Main Agreement between the parties and DPA. The terms contained in Standard Contractual Clauses are available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. Details required by the Standard Contractual Clauses are outlined in the table below and in the Appendices. With respect to shared Personal Data originated from the EU or EEA:

1. in the event that both Parties are Controllers Module 1 shall apply;

2. in the event that either Party is a Controller and the other is the Processor, Module 2 shall apply.

3. in the event that either Party is a Processor and the other is the Controller, Module 4 shall apply.

‍

Section	Module 1	Module 2	Module 3
Relationship	Controller to controller	Controller to processor	Processor to controller
Clause 7 (Docking clause)	Included	Included	Included
Clause 9 Use of sub-processors	Not applicable	Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Clause 3.3 of this DPA.	Not applicable
Clause 11(a) Redress	Optional language not included	Optional language not included	Optional language not included
Clause 17 Governing law	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.	Option 2, with selection of Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement, in which case the selected country shall be used.
Clause 18 Choice of forum and jurisdiction	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.	Selected country shall be Germany, unless the parties have already agreed a specific country in this DPA or the Main Agreement.
Supervisory authority	The data exporters competent supervisory authority will be determined in accordance with the GDPR.