This data processing agreement (DPA) forms part of qMateria Ltd ("qMateria", "Us", "We", "Our") Terms and Conditions (the "MSA").

​

WHEREAS, qMateria shall provide the Service Package as set forth in the MSA for you (collectively, "You", "Your"); and

​

WHEREAS, in the course of providing the Service Package pursuant to the MSA, qMateria may process Personal Data on your behalf, in the capacity of a "Data Processor", and the Parties wish to set forth the arrangements regarding such processing.

​

NOW THEREFORE, in consideration of the above, the Parties agree as follows:

​

1. Interpretation and Definitions

​

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or Sections are references to the clauses or Sections of this DPA unless stated otherwise. Words used in the singular include the plural and vice versa, as the context may require. Capitalised terms not defined in this Section 1.2 or elsewhere in this DPA shall have the meanings assigned to such terms elsewhere in the MSA.

​

1.2 Definitions:

• "Data Protection Laws" means all laws and regulations of the United Kingdom applicable to the Processing of Personal Data under the MSA, including the UK GDPR and the Data Protection Act 2018.
• "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as retained in UK law.
• "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• "Customer Data" means Personal Data that is provided to us by You or on Your behalf, or otherwise obtained or processed by or on behalf of us throughout Your and Your personnel's use of the Service Package, e.g. when uploading project data or model files to our Platform. Customer Data excludes Customer Relationship Data.
• "Process(ing)" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• "Processor" or "Data Processor" means the entity which processes Personal Data on behalf of the Controller.
• "Customer Relationship Data" means all data provided to us by You or on Your behalf, or otherwise obtained or processed by or on behalf of us through an engagement with qMateria to obtain the Service Package, including pseudonymised, aggregated and/or statistical data relating to or derived from Your and Your personnel's use of the Service Package, such as analytics, metadata, and audit logs.
• "Security Documentation" means the security specifications applicable to the specific Service Package You have purchased, as updated from time to time and available within the documentation tab of Your Account on the Platform at qmateria.app.
• "Sub-processor" means any Processor engaged by qMateria and/or qMateria's Affiliates.
• "Supervisory Authority" means the Information Commissioner's Office (ICO), the independent public authority established pursuant to the UK GDPR in the United Kingdom.
• "UK GDPR" means the Data Protection Act 2018, together with the retained EU law version of the General Data Protection Regulation (EU) 2016/679, as updated, amended, replaced, or superseded from time to time.
• "UK Standard Contractual Clauses" or "UK SCCs" means the standard contractual clauses for the transfer of Personal Data to Data Processors established in third countries which do not ensure an adequate level of protection as set out by the ICO, as updated, amended, replaced, or superseded from time to time by the ICO.
• "AI LLM Processing" means the processing of Your Content using Google Gemini, operated through Google Cloud Vertex AI, as described in Section 3.2 of this DPA and Section D of the MSA.

​

2. Processing of Personal Data

​

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Data, qMateria is a Data Processor and the Receiving Party is the Data Controller.

​

2.2 Your Processing of Personal Data. You shall, in Your use of the Service Package, process Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations set out therein. You shall have the sole responsibility for how You acquire Personal Data and for ensuring that Your instructions for the Processing of Personal Data and Your and Your users' use of the Service Package shall at all times comply with Data Protection Laws. Without limitation, You shall comply with all transparency-related obligations (including displaying any and all relevant and required privacy notices or policies) and shall have all required legal bases to collect, process, and transfer to qMateria the Personal Data for processing in accordance with this DPA.

​

3. qMateria's Processing of Customer Data

​

3.1 qMateria shall process Customer Data solely in accordance with Your documented instructions, as necessary for the provision of the Service Package and for the performance of the MSA, this DPA, and Data Protection Laws, unless otherwise required by law; in such a case, qMateria shall inform You of the legal requirements before processing, unless applicable law prohibits such information on important grounds of public interest. The duration, nature, and purpose of the processing, as well as the types of Customer Data processed and categories of Data Subjects, are also specified in Schedule 1 to this DPA.

​

3.2 AI LLM Processing. The Receiving Party acknowledges and agrees that processing of Your Content under the Service Package involves submission of data to Google Gemini, operated through Google Cloud Vertex AI (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), accessed via Google Cloud's UK datacenter infrastructure. Prior to any AI LLM processing, qMateria strips all personal data, project identifiers, company names, individual names, and any other information capable of identifying the Receiving Party, their clients, or their project from the data. Only structural and material data parameters required for model interrogation and data quality assessment are submitted to Google Cloud Vertex AI. qMateria has entered into a data processing agreement with Google LLC in accordance with UK GDPR requirements. Your Content is not used to train Google's general AI models.

​

3.3 Expert Team Processing. Where Your Content is reviewed and processed by qMateria's subject matter expert team as part of the Premium Tier Service Package, all documentation, drawings, reports, and schedules are anonymised prior to review — removing all names, company identifiers, and personal data — to ensure that expert assessment is conducted objectively and without bias.

​

3.4 If and to the extent qMateria cannot comply with an instruction from You, or where qMateria considers such an instruction to be unlawful, (i) qMateria shall inform You providing reasonable details of the issue, (ii) qMateria may, without any kind of liability towards You, temporarily cease all processing of the affected Customer Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the contract relating to the affected Service Package and this DPA with respect to the affected processing, and You shall pay to qMateria all unpaid amounts owed up to the termination effective date. You will have no further claims against qMateria (including, without limitation, requesting refunds) due to the termination in the situation described in this paragraph.

​

3.5 We shall notify You without undue delay if, in our opinion, your instructions do not comply with Data Protection Laws. qMateria will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of qMateria, to the extent that such is a result of Your instructions.

​

4. qMateria Personnel

​

Confidentiality. qMateria shall grant access to the Customer Data to persons under its authority (including, without limitation, its personnel and subject matter expert contractors) only on a need-to-know basis and ensure that such persons engaged in the processing of Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. qMateria may disclose and process Customer Data (a) as permitted hereunder; (b) to the extent required by a court of competent jurisdiction or the Supervisory Authority, and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, qMateria shall inform You of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest); or (c) on a "need-to-know" basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors, or potential acquirers.

​

5. Security

​

5.1 Controls for the Protection of Customer Data. qMateria shall maintain all industry-standard technical and organisational measures required pursuant to Article 32 of the UK GDPR for security (including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, or alteration or damage, unauthorised disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data, as set forth in the Security Documentation, which is hereby approved by You. qMateria regularly monitors compliance with these measures and shall notify You of any material changes to the Security Documentation. Upon Your request, qMateria shall demonstrate the implementation of such measures. qMateria will reasonably assist You in complying with Articles 32 to 36 of the UK GDPR, taking into account the nature of the processing and the information available to qMateria.

​

5.2 Third-Party Certifications and Audits. Upon Your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the MSA and this DPA, qMateria shall allow for and contribute to audits at Your cost and expense, and make available to You a copy of qMateria's then most recent third-party audits or certifications, as applicable, provided, however, that such audits, certifications, and the results therefrom shall only be used by You to assess compliance with this DPA and/or with applicable Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without qMateria's prior written approval. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to You. If and to the extent You commission third parties to carry out such audits, such third parties must (i) not be competitors of qMateria and (ii) be subject to at least industry-standard confidentiality obligations for the protection of qMateria's trade and business secrets.

​

6. Authorisation Regarding Sub-Processors

​

6.1 List of Current Sub-processors and Notification of New Sub-processors. qMateria's current list of Sub-processors ("Sub-processor List") is attached as Schedule 2 and is hereby authorised by You. You hereby grant a general authorisation to qMateria to appoint new Sub-processors, and qMateria shall comply with the conditions of Section 6.2.

​

6.2 Objection Right for New Sub-processors. qMateria shall notify You reasonably before authorising a new Sub-processor(s) to process Customer Data in connection with the provision of the Service Package. You may reasonably object to qMateria's use of a new Sub-processor for reasons related to the UK GDPR by notifying qMateria promptly in writing within ten (10) business days after receipt of notice thereof. Failure to object to a new Sub-processor in writing within such time shall be deemed as acceptance of the new Sub-processor. In the event You reasonably object to a new Sub-processor, qMateria will apply reasonable efforts to recommend a commercially reasonable change to Your use of the Service Package to avoid processing by the objected-to new Sub-processor. If qMateria is unable to make such change within thirty (30) days, You may, as a sole remedy, terminate the contract relating to the affected Service Package and this DPA by providing written notice to qMateria, following which all unpaid amounts shall be duly paid to qMateria. Until a decision is made regarding the new Sub-processor, qMateria may temporarily suspend the processing of the affected Customer Data. You will have no further claims against qMateria due to the termination in the situation described in this Section.

​

7. Transfers of Data to Third Countries

​

7.1 Primary Data Location. All primary data storage and processing is conducted within Microsoft Azure UK South and UK West datacenters. qMateria will use reasonable endeavours to ensure that Customer Data remains within the United Kingdom wherever possible.

​

7.2 Transfers to Countries that Offer Adequate Level of Data Protection. Customer Data may be transferred from the United Kingdom to countries that offer an adequate level of data protection pursuant to an adequacy decision published by the competent data protection authorities of the UK, without any further safeguard being necessary.

​

7.3 Transfers to Third Countries. If the processing of Customer Data includes transfers from the UK to countries which do not offer an adequate level of data protection ("Third Countries") — including in connection with AI LLM Processing via Google Cloud Vertex AI — the Parties shall comply with Article 44 et seq. of the UK GDPR, including, if necessary, executing the UK Standard Contractual Clauses adopted by the ICO or complying with any other mechanisms provided for in the UK GDPR for transferring Personal Data to such Third Countries. For the avoidance of doubt, only anonymised structural and material data parameters are transferred in connection with AI LLM Processing, as set out in Section 3.2 of this DPA.

​

8. Rights of Data Subjects

​

Data Subject Request. If qMateria receives a request from a Data Subject to exercise its data subject rights ("Data Subject Request"), qMateria shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to You. Taking into account the nature of the processing, qMateria shall use commercially reasonable efforts to assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Your obligations to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from qMateria's provision of such assistance.

​

9. Customer Data Incident Management and Notification

To the extent required under applicable Data Protection Laws, qMateria shall notify You without undue delay, if feasible within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data transmitted, stored or otherwise processed by qMateria or its Sub-processors (a "Data Incident"). qMateria shall make reasonable efforts to identify the cause of such Data Incident and take those steps as qMateria deems necessary, possible, and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within qMateria's reasonable control. Except for the notification, the obligations herein shall not apply to Data Incidents caused by You or Your users. In any event, You will be responsible for notifying the Supervisory Authority and/or Data Subjects where required by Data Protection Laws.

​

10. Return and Deletion of Customer Data

qMateria shall, at Your choice, after the end of the provision of the Service Package, delete or return the Customer Data to You and shall delete existing copies unless applicable law requires further storage of the Customer Data. In any event, to the extent permitted by applicable law, qMateria may retain one copy of the Customer Data for evidence purposes and/or for the establishment, exercise, or defence of legal claims and/or to comply with applicable laws and regulations. The Customer Data shall be returned in the format generally available for qMateria's customers. The obligations to delete or return Customer Data pursuant to this Section 10 shall not apply if and to the extent You can retrieve and/or delete Your Customer Data yourself using the features of the Service Package provided in this regard.

​

11. Termination

This DPA shall automatically terminate upon the termination or expiration of the agreement under which the Service Package is provided. Sections 2.2 and 12 shall survive the termination or expiration of this DPA for any reason.

​

12. Liability Limitations

The liability limitations set out in the MSA shall apply accordingly to this DPA. For the avoidance of doubt, the liability of qMateria towards Data Subjects under applicable Data Protection Laws shall not be limited.