Data Processing Addendum

This DPA supplements the Terms and applies where Quenta processes Customer Data containing personal data on behalf of a customer.

1. Purpose and Applicability

This Data Processing Addendum (“DPA”) applies where Quenta processes personal data on behalf of a customer in connection with the Service. It supplements the Main Terms and Privacy Policy.

2. Roles

The customer is the personal information controller for customer-controlled personal data entered into the Service. Quenta is the personal information processor for that data, except where Quenta independently determines processing purposes as described in the Privacy Policy, Main Terms, or applicable law.

3. Processing Instructions

Quenta will process customer-controlled personal data according to the customer’s documented instructions, the Main Terms, this DPA, the Privacy Policy, the Service configuration, and applicable law. Customer instructions include configuration choices, user actions, uploads, review actions, approvals, integrations, support requests, and other authorized use of the Service.

4. Customer Notices, Consents, and Lawful Basis

Customer represents and warrants that it has provided all required notices and obtained all required consents, authorizations, permissions, or lawful bases before uploading, importing, or processing personal data in Quenta, including employee, customer, supplier, contractor, payee, payroll, tax, TIN, and sensitive personal information. Customer is responsible for the accuracy, quality, legality, and authorization of customer-controlled personal data.

Customer must configure roles, permissions, branch access, accountant/advisor access, and account access appropriately and according to the minimum access needed for each user’s role. Customer must not upload personal data that is unnecessary, unlawful, or outside the customer’s authority to process.

5. Product Improvement, De-identification, and OCR Learning

Quenta may process Customer Data as necessary to provide, secure, support, troubleshoot, and improve the Service under the customer’s documented instructions and applicable law. To the extent Quenta creates aggregated, de-identified, pseudonymized, statistical, or non-customer-identifiable information from service operations, such information may be used to improve Quenta Technology, provided it does not disclose identifiable Customer Data.

Quenta will not use identifiable Customer Data, uploaded source documents, payroll records, tax records, or sensitive personal information to train externally available AI, OCR, or machine-learning models unless permitted by the customer’s instructions, configuration, consent, applicable agreement, this DPA, or law.

6. Quenta Obligations

Process personal data only as needed to provide, secure, support, troubleshoot, improve, and maintain the Service or as otherwise permitted by law.

Implement reasonable administrative, technical, organizational, and physical safeguards appropriate to the nature of the Service and personal data processed.

Limit access to personnel and service providers who need access for authorized business, security, support, operational, or legal purposes.

Assist customers with data subject requests, breach response, deletion/export, and security inquiries where reasonably possible and required by law.

Maintain reasonable subprocessor, confidentiality, incident response, and access-control practices.

7. Subprocessors

Customer authorizes Quenta to use subprocessors for hosting, database, storage, application delivery, payment processing, email, SMS, OCR, support, monitoring, logging, analytics, security, communication, and related services. Quenta will maintain appropriate contractual protections with subprocessors where required.

Current or planned subprocessor categories may include hosting/application providers, database/storage providers, payment providers including Xendit and potentially PayMongo, email providers, SMS providers, local OCR and possible OCR fallback providers, monitoring/logging providers, analytics providers, customer support providers, security providers, and communication providers.

Quenta may update subprocessors from time to time. Where required by law or contract, Quenta will provide notice of material changes. Continued use of the Service after notice means the customer acknowledges the updated subprocessors.

8. Cross-Border Processing

Customer authorizes cross-border processing where needed for the Service. Quenta and its subprocessors may process or store personal data in the Philippines or other jurisdictions where Quenta or its subprocessors operate. Quenta will use reasonable contractual, technical, and organizational safeguards designed to protect personal data consistently with applicable Philippine law.

9. Security Incidents

Quenta will maintain a personal data breach response process. Quenta will notify the customer without undue delay after confirming a security incident affecting customer-controlled personal data, where notification is legally required or reasonably necessary for the customer to comply with its own obligations. Quenta will provide available information reasonably needed by the customer, subject to security, confidentiality, legal, and investigative constraints.

10. Return, Export, and Deletion

10.1 Preservation for Legal Claims and Regulatory Requests

Deletion, return, or export obligations are subject to legal retention, dispute preservation, security, fraud-prevention, accounting, tax, audit, regulatory, and enforcement requirements. Quenta may preserve relevant records where reasonably necessary to investigate or defend claims, comply with law, respond to regulators, address chargebacks, or enforce the agreement.

Upon termination or upon written request, Quenta will make customer data available for export where reasonably supported by the Service, subject to legal retention, backups, dispute resolution, fraud prevention, technical limitations, and applicable plan or configuration limits. Backup copies may persist according to Quenta’s backup cycle.

11. Audits and Information

Quenta may provide reasonable information about its security and processing practices. Onsite audits are not available unless expressly agreed in an Enterprise order form or required by law. Any audit must be subject to confidentiality, security, reasonable notice, limited scope, and non-disruption requirements.

11.1 Enterprise Security Reviews and Questionnaires

Quenta may provide security documentation, questionnaires, summaries, or compliance information for enterprise review. Unless expressly incorporated into a signed agreement, these materials are informational only and do not create additional warranties, certifications, audit rights, service levels, or obligations beyond the signed agreement, DPA, Order Form, or SOW.

Any customer audit, assessment, penetration test, security questionnaire obligation, or subprocessor objection process must be stated in the DPA, Order Form, or signed agreement and remains subject to reasonable confidentiality, security, frequency, scope, timing, and cost controls.

Schedule 1 - Processing Details

Payment and Billing Processing Details

Payment and billing processing may include account identifiers, billing contacts, company information, subscription records, invoices, payment statuses, transaction references, provider customer references, provider subscription references, limited payment-method metadata, fraud-prevention signals, chargeback records, refund records, and support communications.

The purposes of this processing include subscription billing, recurring payments, trial-to-paid conversion, failed-payment handling, provider onboarding support, fraud prevention, reconciliation, audit, tax documentation, dispute handling, refund processing, chargeback response, and compliance with payment-provider requirements.

Subject matter: Provision of Quenta’s accounting, inventory, document capture, OCR, reporting, community, financial command center, and business-operations platform.

Duration: For the term of the customer’s subscription and any retention period required for export, backup, legal compliance, security, dispute resolution, or legitimate business purposes.

Categories of data subjects: Customer’s users, owners, employees, contractors, customers, suppliers, payees, advisors, accountants, bookkeepers, invited users, community participants, and other persons whose data is uploaded or processed through the Service.

Categories of personal data: Names, contact details, email addresses, mobile numbers, business identifiers, TINs, billing details, employment or payroll data where applicable, invoices, receipts, bills, vouchers, statements, payments, uploaded documents, OCR text, extracted fields, audit logs, user activity, metadata, comments, approvals, and related business records.

Processing operations: Hosting, storage, retrieval, OCR extraction, display, indexing, transmission, backup, support, security monitoring, reporting, analytics, audit logging, access control, de-identification, troubleshooting, and other processing necessary to provide and secure the Service.

Schedule 2 - Minimum Security Measures

Quenta will maintain reasonable administrative, technical, organizational, and physical safeguards appropriate to the nature of the Service, which may include access controls, authentication, role-based permissions, encryption in transit where supported, provider-side encryption at rest where supported, backup practices, monitoring/logging, least-privilege access, incident response procedures, vendor/subprocessor controls, internal confidentiality obligations, secure development practices, and account security measures.

Schedule 3 - Privacy Request Handling

Where Quenta receives a data subject request relating to Customer Data for which the customer is the controller, Quenta may refer the request to the customer or act on the customer’s documented instructions, unless applicable law requires Quenta to respond directly. Quenta may verify identity and authority before acting on any request and may deny, limit, defer, or condition requests where permitted by law.

Quenta Technologies Inc. · SEC Reg. No. 2026020237348-66 · TIN 010-999-041-000 · 30F Tower 2 RCBC Plaza, Ayala Avenue, Makati City 1209, Philippines · inquire@quenta.ph