Data Processing Addendum (DPA)

    Introduction and Scope

    1. This Data Processing Addendum (“Addendum”) forms part of the Terms of Service (“Agreement”) between QDEX AI Ltd (“QDEX”, “we”, “us”, the Processor) and the Customer (the Controller). It governs the additional terms, requirements and conditions on which QDEX will process Personal Data on behalf of the Controller in connection with the provision of the Service. Capitalised terms not defined here have the meanings in the Agreement.
    2. QDEX is the Controller only for Customer account/administrative data relating to brokers (e.g., login, billing, support) and Processor of Active Case data provided by the Controller.
    3. QDEX’s Privacy Policy applies separately when QDEX acts as Controller.
    4. This Addendum contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.

    Definitions

    • “Active Case Data” means borrower-related data and documents stored within the Services for preparing/managing a mortgage application or advice file.
    • “Controller” and “Processor” have the meanings given under UK GDPR. For Active Case Data: Controller is the Customer; QDEX acts as Processor.
    • “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK, including, without limitation, the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
    • “Personal Data” and “Special Category Data” have the meanings given under UK GDPR. Special Category Data may be incidentally included within uploaded documents.
    • “Services” means QDEX’s lender-matching and compliance tooling, including document ingestion/extraction and the “DEX” conversational assistant provided pursuant to the Agreement.
    • “Sub-processor” means any processor engaged by QDEX to Process Personal Data on behalf of the Controller.
    • “Supervisory Authority” means the Information Commissioner’s Office or any other competent data-protection regulator.

    Roles, Instructions and Restrictions

    1. The Customer and QDEX agree and acknowledge that for the purpose of the Data Protection Legislation:
      (a) the Customer is the controller and QDEX is the processor; and
      (b) the Customer retains control of the Personal Data in the Active Case Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to QDEX.
    2. QDEX will Process Personal Data only to the extent, and in such manner, as is necessary in accordance with written instructions from the Controller and as necessary to provide the Services, unless required by law. QDEX will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. QDEX will use commercially reasonable endeavours to notify the Customer if, in its opinion and where this is reasonably apparent, it believes that the Customer’s instructions do not comply with the Data Protection Legislation.
    3.  The Controller is responsible for: (a) ensuring a lawful basis; (b) providing appropriate borrower notices; (c) ensuring the accuracy of data input and of outputs used in advice documents (e.g., ESIS, Suitability letters, Case Summaries). QDEX does not provide regulated advice nor interact with borrowers. The Controller warrants that it has all necessary rights, consents and lawful bases to provide Personal Data (including Special Category Data) to QDEX for Processing under this Addendum. The Controller shall indemnify and hold harmless QDEX against any and all claims, losses, damages, costs and expenses (including reasonable legal fees) arising from or relating to the Controller’s breach of its obligations, warranties or responsibilities under this Addendum.
    4.  If QDEX becomes subject to any legal, regulatory or governmental requirement (including but not limited to court orders, law enforcement requests, or regulatory investigations) that conflicts with its obligations under this Addendum or requires disclosure of Personal Data, QDEX shall (where legally permitted): (a) promptly notify the Controller; and (b) use reasonable efforts to limit the scope of disclosure. QDEX shall be excused from the conflicting obligation to the extent required by applicable law and shall not be liable for any such legally-mandated disclosure, action or omission.
    5.  QDEX will not sell Personal Data; will maintain the confidentiality of the Personal Data and not disclose Personal Data except to Sub-processors or as required by law; and will not use Personal Data for model training or product improvement, except as expressly permitted in this Addendum.

    Scope, Nature and Purpose of Processing

    1.  The purpose of Processing is to enable brokers to prepare and evidence mortgage advice workflows and compliance artefacts, including ESIS, Suitability letters and case summaries.
    2.  Data categories include: borrower identity and contact data; household/dependant information; property, assets and liabilities; income and expenditure; employment/business data; documents such as payslips, bank statements, tax returns, company accounts, ID documents; case notes; lender responses; and any Personal Data revealed by those documents.
    3.  Data subjects include borrowers and, where entered by the Controller, joint applicants, guarantors and dependants.
    4. Processing operations include ingestion and extraction; structured field parsing; storage; retrieval; and limited analytics/telemetry as described under Assistance and Data-Subject Rights below.
    5.  Processing continues for the Subscription Term and the case lifecycle, unless earlier deletion is instructed by the Controller in writing or retention is required by law/backups.

    Assistance and Data-Subject Rights

    • QDEX will, to the extent technically feasible, comply with any reasonable written instruction from the Customer requiring QDEX to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
    • QDEX will reasonably assist the Controller in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) within a reasonable time from the Controller’s written request, limited to providing data extracts and technical information within QDEX’s possession and control. Borrowers should contact the Controller; QDEX will not respond directly unless legally required or instructed. Assistance beyond QDEX’s standard support functionality (including but not limited to bespoke data extraction (i.e. custom data retrieval requiring manual work, non-standard formatting, or technical development beyond QDEX’s standard export and reporting features), legal analysis, or drafting responses to data subjects) shall be provided at QDEX’s then-current professional services rates, payable by the Controller.
    •  Taking into account the nature of Processing and information available to QDEX, QDEX will provide commercially reasonable assistance with DPIAs, consultations with Supervisory Authorities, and lawful requests, at the Controller’s cost where material and beyond standard support.
    •  QDEX may process de-identified/aggregated service telemetry (e.g., feature usage, error rates) for reliability, security and capacity planning, provided it does not contain any Personal Data.

    Security

    •  QDEX implements appropriate technical and organisational measures, including encryption in transit and at rest, role-based access controls, least-privilege access, logging and monitoring, personnel confidentiality, vulnerability management, secure software development practices and incident response procedures.
    •  Access by personnel is limited to those with a business need for support, security or maintenance, and is subject to confidentiality and monitoring.
    • QDEX personnel may access Customer account data and Active Case Data where necessary to:
      (a) provide support and investigate reported issues;
      (b) maintain security and prevent abuse;
      (c) ensure platform stability and performance; or
      (d) investigate suspected security incidents, platform anomalies, or breaches of the AUP.
    • Such access is limited to personnel with a legitimate business need, subject to confidentiality obligations, access controls, and audit logging. QDEX will notify the Customer of any proactive access under (d) where appropriate and where doing so would not compromise the investigation or security measures. The Controller acknowledges this access as a necessary component of the Services and as falling within the documented instructions under this Addendum. Such access shall not constitute a breach of this Addendum or the Agreement, and QDEX shall have no liability for actions taken in good faith pursuant to this clause.

    • QDEX will notify the Controller without undue delay upon becoming aware of a confirmed Personal Data Breach affecting the Controller’s Personal Data, including available information and follow-up updates. QDEX shall be deemed to become aware of a breach only when QDEX’s security team has verified that an incident has occurred and confirmed that it constitutes a Personal Data Breach under applicable law.

    Sub-processors

    •  The Controller authorises QDEX to engage Sub-processors to provide the Services. QDEX will impose data-protection obligations equivalent to this Addendum.
    • QDEX will maintain a current Sub-processor list at /legal/subprocessors and provide notice of material changes by email to the Controller’s registered account email at least 30 days before appointment. The Controller acknowledges that certain Sub-processors identified as ‘essential’ on the Sub-processor list are critical to the Services and cannot be objected to. For non-essential Sub-processors, the Controller may object on reasonable, data-protection-related grounds within 30 days by providing written notice with specific reasons; the parties will discuss in good faith. If unresolved, QDEX may, in its sole discretion: (a) not appoint the objected Sub-processor; (b) provide an alternative technical solution; or (c) terminate the affected Service component with 90 days’ written notice, without liability to the Controller.

    AI Processing and the DEX Assistant

    • The Controller acknowledges that QDEX may use reputable AI API providers to perform document extraction and to operate the DEX assistant, which can access case data to assist the broker.
    • QDEX will use commercially reasonable efforts to:
      (a) select AI Sub-processors that contractually commit not to use Customer Personal Data for model training or to build/augment their models, and configure available technical controls to prevent such use and limit retention to what is necessary to provide the API service; and
      (b) contractually require AI Sub-processor personnel not to view content except where necessary to operate, maintain or secure the service, subject to confidentiality obligations. QDEX does not warrant or guarantee AI Sub-processor compliance with such restrictions. The Controller acknowledges that the use of third-party AI services involves inherent risks and that QDEX’s liability for AI Sub-processor acts or omissions is limited to QDEX’s selection and oversight obligations under this clause.
    • Outputs are assistive and subject to the Controller’s professional judgement. QDEX does not carry out automated decision-making producing legal or similarly significant effects on data subjects.

    International Transfers

    •  QDEX stores Active Case Data on servers located in the United Kingdom (London). Other QDEX systems that do not hold borrower Personal Data may be located outside the UK.
    •  Where Processing involves transfers outside the UK, QDEX will ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where appropriate. QDEX will provide information reasonably necessary to complete transfer risk assessments on request.
    •  The Controller hereby pre-authorises international transfers of Personal Data to the Sub-processors and locations identified on QDEX’s Sub-processor list at /legal/subprocessors. QDEX’s implementation of the UK IDTA or UK Addendum to EU SCCs (as applicable) shall be deemed to satisfy the ‘appropriate safeguards’ requirement under UK GDPR. The Controller shall reasonably cooperate with QDEX in completing any required transfer impact assessments within 20 business days of QDEX’s request.

    Audits and Information

    •  QDEX will make available information reasonably necessary to demonstrate compliance with this Addendum.
    •  Upon at least 30 days’ prior written notice, the Controller may conduct audits during business hours at the Controller’s cost, limited to once per 12-month period (unless required by a competent authority or following a confirmed Personal Data Breach affecting the Controller’s data), and subject to confidentiality and security requirements. Audits shall be limited to reviewing QDEX’s compliance with this Addendum and must not unreasonably interfere with QDEX’s business operations. Any third-party auditors require QDEX’s prior written approval (not to be unreasonably withheld or delayed) and must execute QDEX’s standard form non-disclosure agreement. The Controller shall provide QDEX with a copy of any audit report and shall treat such report as QDEX’s Confidential Information.

    Return and Deletion

    • Upon termination or Controller instruction, QDEX will, at the Controller’s written election, either delete or return Personal Data within 30 days. Data return (if elected) shall be provided in a commonly used electronic format (CSV, JSON or PDF). If the Controller requires (i) any data return requests beyond the initial return, (ii) data conversion to other formats, data manipulation, reformatting or transformation beyond simple extraction, or (iii) any technical assistance, this shall be charged at QDEX’s then-current professional services rate. QDEX will delete existing copies from active systems following return or deletion, unless retention is required by law, regulation or for QDEX’s legitimate business purposes (including backup retention, dispute resolution, or regulatory compliance). QDEX will provide written certification of deletion upon the Controller’s written request.
    •  Standard backup archives will be overwritten on their normal cycle and are not routinely accessible; any restoration will be minimised and subject to this Addendum.

    Confidentiality

    •  QDEX will ensure that persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.

    Liability and Precedence

    •  Any liability arising out of or in connection with this Addendum is subject to the exclusions and limitations of liability set out in the Agreement. Notwithstanding anything to the contrary in the Agreement, QDEX’s total aggregate liability arising out of or in connection with this Addendum (whether in contract, tort, negligence, breach of statutory duty or otherwise) shall not exceed the lesser of: (a) the total fees paid by the Controller to QDEX in the 12 months immediately preceding the event giving rise to the claim; or (b) £500,000. This limitation applies to all claims in aggregate, including but not limited to claims relating to Personal Data Breaches, unauthorised processing, or regulatory fines imposed on the Controller.
    •  In the event of conflict between this Addendum and the Agreement, this Addendum governs the parties’ data-protection obligations only; otherwise, the Agreement controls.

    Annexe 1: Security Overview

    • Encryption in transit and at rest
    • Role-based access controls
    • Logging and monitoring
    • Incident response procedures
    • Secure software development practices

    Annexe 2: Sub-processors

    The current Sub-processor list is maintained at /legal/subprocessors and is incorporated by reference into this Addendum.

    Version: 4.0

    Effective date: 06 February 2026

    Document owner: COO

    Last review: 05 February 2026

    Next review: 31 July 2026

    Version History

    Previous versions available on request to legal@qdexai.com