Data Processing Addendum

"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" carry the meanings given in the GDPR (Regulation (EU) 2016/679).

Subject matter: provision of the Kepler Q-Max quantum-AI platform.
Duration: for the term of the underlying agreement.
Nature & purpose: hosted inference, account management, billing, support.
Data categories: identifiers, contact data, usage logs, content submitted to API.
Data subjects: Customer's authorized users and end-users.

We will: (a) process Personal Data only on documented Customer instructions; (b) ensure personnel are bound by confidentiality; (c) implement the technical and organizational measures described on the Security page; (d) assist Customer with DSARs, DPIAs, and breach notifications.

Customer authorizes the sub-processors listed at trust.sonicium.ltd/subprocessors. We provide 30 days' notice before adding a new sub-processor; Customer may object on reasonable data-protection grounds.

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (Module 2 / Module 3) and the UK International Data Transfer Addendum are incorporated by reference.

We maintain a written information security program aligned with ISO 27001. We will notify Customer without undue delay (and within 72 hours) of any confirmed Personal Data breach affecting Customer Data.

Customer may, no more than once per year, request third-party audit reports (SOC 2, ISO 27001) under NDA. On-site audits are available for Enterprise customers with reasonable notice.

On termination, Customer Data is exported on request and deleted within 30 days, except where retention is required by law.

Enterprise customers may countersign this DPA by emailing legal@sonicium.ltd with their company details. A counter-signed PDF will be returned within 5 business days.