Data Processing Addendum

Our commitment to GDPR compliance and secure data processing practices for our enterprise customers.

Last Updated: January 7, 2026
Version: 1.0

GDPR Compliant Data Processing

This agreement ensures our data processing activities meet the requirements of GDPR and other applicable data protection regulations.

This Data Processing Addendum (“Addendum”) between Questt AI (“Questt AI” or “Processor”) and the Customer (as defined in the Agreement) (“Customer” or “Controller”) forms part of the Questt AI Terms of Service set forth at https://questt.ai//terms-of-use or such other written or electronic agreement incorporating this Addendum, in each case governing Customer’s access to and use of the Services (the “Agreement”). This Addendum was last updated on January 7, 2026.

Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Questt AI. For the purposes of this Addendum only, and except where otherwise indicated, references to “Customer” shall include Customer and such Affiliates.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.


1. Definitions

1.1 General Definitions

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Questt AI (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  2. “Customer Personal Data” means any Personal Data provided by or made available by Customer to Questt AI or collected by Questt AI on behalf of Customer which is Processed by Questt AI to perform the Services;
  3. “Controller to Processor SCCs” means the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of European Area Personal Data to Third Countries as adopted by:
    1. the European Commission and, for transfers from Switzerland, the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”), relating to data transfers to Third Countries (collectively “EU SCCs”);
    2. the international data transfer addendum (“UK Transfer Addendum”) adopted by the UK Information Commissioner’s Office (“UK ICO”) for data transfers from the UK to Third Countries; or
    3. any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto;
  4. “Data Protection Laws” means any local, state, provincial, or national law regarding the processing of Personal Data applicable to Questt AI in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law;
  5. “EU Area” means the European Union, European Economic Area, United Kingdom, and Switzerland;
  6. “EU Area Law” means:
    1. Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 (“EU GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons;
    2. the Data Protection Act 2018 of the United Kingdom and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
    3. the Swiss Federal Act on Data Protection of 19 June 1992, as replaced by the revised Act in force from 1 September 2023, and its Ordinance (“Swiss DPA”);
    4. any other law relating to the data protection, security, or privacy of individuals that applies in the EU Area; or
    5. any successor or amendments thereto (including, without limitation, implementation of the EU GDPR by Member States into their national law);
  7. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Questt AI;
  8. “Services” means the services to be supplied by Questt AI to Customer or Customer’s Affiliates pursuant to the Agreement, including but not limited to GenAI solutions for business and finance problems in the Retail & Consumer segment; and
  9. “Third Country” means a country that, where required by applicable Data Protection Laws, has not received an adequacy decision relating to cross-border transfers of Personal Data from the applicable authority (such as the European Commission, the UK ICO, or the Swiss FDPIC).

1.2 Data Protection Terms

The terms “Business”, “Business Purpose”, “Commercial Purpose”, “Contractor”, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” (and “Processing”, “Processed”), “Processor”, “Sell”, “Service Provider”, “Share”, “Subprocessor”, “Supervisory Authority”, and “Third Party” have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.

1.3 Incorporation of Agreement Terms

Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Agreement.


2. Scope of Addendum

2.1 Application

This Addendum applies to Questt AI’s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

2.2 Precedence

In the event of any conflict or inconsistency between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail solely to the extent of such conflict or inconsistency with respect to the Processing of Customer Personal Data.


3. Roles of the Parties

3.1 Controller and Processor Relationship

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto:

  • Customer acts as a Business or Controller determining the purposes and means of processing; and
  • Questt AI acts as a Service Provider or Processor and processes Personal Data solely on documented instructions from the Customer.

This Addendum shall apply solely to the Processing of Customer Personal Data by Questt AI acting as a Processor, Subprocessor, or Third Party (as specified in Annex 1).

3.2 Customer Responsibilities

  1. The Parties expressly agree that Customer shall be solely responsible for ensuring timely communications to Customer’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Customer’s Affiliates or the relevant Controller(s) to comply with such Laws.
  2. Customer is solely responsible for:
    • Complying with Security Incident notification laws applicable to Customer;
    • Fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents;
    • Ensuring that it has all necessary rights and permissions to provide Customer Personal Data to Questt AI for Processing under this Addendum;
    • Determining the lawfulness of the Processing activities contemplated under this Addendum.

4. Description and Purpose of Personal Data Processing

4.1 Processing Details

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of:

  • The subject matter and details of the Processing of the Customer Personal Data to be Processed by Questt AI pursuant to this Addendum;
  • The nature and purpose of the Processing;
  • The types of Personal Data and categories of Data Subjects;
  • The obligations and rights of the Controller.

4.2 Amendments

The Parties may make reasonable amendments to Annex 1 on mutual written agreement and as reasonably necessary to meet those requirements or to address the requirements of Data Protection Laws from time to time. Annex 1 does not create any obligation or rights for any Party beyond those set out in this Addendum and the Agreement.

4.3 Processing Purpose

The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement and any Order Form(s), specifically:

  • Processing demo requests and lead information;
  • Providing GenAI solutions for business and finance problems in the Retail & Consumer segment;
  • Communicating with prospects and customers about Services;
  • Analyzing and improving Services.

5. Data Processing Terms

5.1 Customer Obligations

Customer shall:

  1. Comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data;
  2. In connection with its access to and use of the Services, Process Customer Personal Data within such Services and provide Questt AI with instructions in accordance with applicable Data Protection Laws;
  3. Be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Questt AI of Customer Personal Data;
  4. Not provide Questt AI with Special Categories of Personal Data. Customer agrees not to provide Questt AI with any special categories of data as defined in Article 9 of the GDPR, including without limitation data pertaining to:
    • Race or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data for the purpose of uniquely identifying a natural person
    • Data concerning health
    • Data concerning a natural person’s sex life or sexual orientation

5.2 Questt AI Obligations

Questt AI shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and Questt AI shall:

5.2.1 Process Only on Instructions

Process the Customer Personal Data:

  • For the purposes of the Agreement and for the specific purposes in each case as set out in Annex 1 to this Addendum;
  • Solely on the documented instructions of Customer, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Agreement.

The Agreement, this Addendum, and Customer’s use of the Services’ features and functionality constitute Customer’s written instructions to Questt AI in relation to Processing Customer Personal Data.

Specifically, Questt AI shall:

  1. Limited Processing: Use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Questt AI shall not:
    • Sell or Share Customer Personal Data;
    • Use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with Customer or for any other purpose (including Questt AI’s commercial purpose) except as required or permitted by law.
  2. Notification of Inability to Comply: Immediately inform Customer if:
    • Questt AI determines that it is no longer able to meet its obligations under Data Protection Laws; or
    • In Questt AI’s opinion, an instruction infringes applicable Data Protection Laws.
  3. Customer’s Right to Remediate: Customer reserves the right to take reasonable and appropriate steps to ensure Questt AI’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data.

5.2.2 Permitted Processing Activities

Questt AI shall have rights to process Customer Personal Data solely:

  1. To the extent necessary to:
    • Perform the Business Purposes and its obligations under the Agreement;
    • Operate, manage, test, maintain and enhance the Services including as part of its business operations;
    • Disclose aggregate statistics about the Services in a manner that prevents individual identification or re-identification of Customer Personal Data, including without limitation any individual device or individual person;
    • Protect the Services from a threat to the Services or Customer Personal Data;
  2. If required by an order of a court or authorized governmental agency, provided that prior notice is first given to Customer (unless legally prohibited);
  3. As otherwise expressly authorized by Customer.

5.2.3 No Combination of Data

Questt AI will not combine Customer Personal Data which Questt AI Processes on Customer’s behalf, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individuals, provided that Questt AI may combine personal information to perform any Business Purpose permitted or required under the Agreement to perform the Services.

5.2.4 Confidentiality

Implement and maintain measures designed to ensure that Questt AI personnel authorized to process the Customer Personal Data:

  • Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Receive appropriate training on data protection and privacy;
  • Are aware of Questt AI’s obligations under this Addendum.

Unless disclosure is required by law or professional regulations, Questt AI personnel shall not disclose Customer Personal Data to unauthorized parties.

5.2.5 Security Measures

Implement and maintain the technical and organizational measures set out in Section 4 of Annex 1, and, taking into account:

  • The state of the art;
  • The costs of implementation;
  • The nature, scope, context and purposes of Processing;
  • The risk of varying likelihood and severity for the rights and freedoms of natural persons;

Implement and maintain any further commercially reasonable and appropriate administrative, technical, and organizational measures designed to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data in accordance with Article 32 of the GDPR, and specifically:

  1. Pseudonymization and Encryption: Pseudonymization and encryption of Customer Personal Data where appropriate;
  2. Confidentiality and Resilience: Ensuring ongoing confidentiality, integrity, availability and resilience of Questt AI’s processing systems and services that process Customer Personal Data;
  3. Restoration: Restoring availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
  4. Testing and Evaluation: Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Customer Personal Data.

5.2.6 Subprocessors

Customer hereby agrees that Questt AI is generally authorized to engage and appoint Subprocessors, and specifically the Subprocessors listed in Annex 2 hereto, subject to Questt AI’s:

  1. Notification: Notifying Customer at least thirty (30) calendar days in advance of any intended changes or additions to its Subprocessors listed in Annex 2 by emailing notice of the intended change to Customer at the email address provided in the Agreement;
  2. Contractual Obligations: Including data protection obligations in its contract with each Subprocessor that are materially the same as those set out in this Addendum, including requirements that the Subprocessor only process Customer Personal Data on Questt AI’s instructions and maintain appropriate security measures;
  3. Liability: Remaining liable to Customer for any failure by each Subprocessor to fulfill its obligations in relation to the Processing of the Customer Personal Data. Questt AI is responsible for the acts and omissions of its Subprocessors to the same extent Questt AI would be liable if performing the services of each Subprocessor directly under the terms of this Addendum.

Objection to Subprocessors:

In relation to any notice received under section 5.2.6(1), Customer shall have a period of 30 (thirty) days from the date of the notice to inform Questt AI in writing of any reasonable objection on data protection grounds to the use of that Subprocessor.

The parties will then, for a period of no more than 30 (thirty) days from the date of Customer’s objection, work together in good faith to attempt to find a commercially reasonable solution for Customer which avoids the use of the objected-to Subprocessor.

Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Agreement) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty or indemnification whatsoever (but without prejudice to any fees incurred by Customer prior to termination).

5.2.7 Compelled Disclosure

To the extent legally permissible, promptly notify Customer in case of any legally binding requests (i.e., disclosures required by law, court order, or subpoena) for disclosure of Customer Personal Data by Questt AI.

If the request is not legally binding, Customer Personal Data will not be disclosed, and Questt AI will notify Customer that the request was rejected.

A record of all legally binding disclosure requests relating to Customer Personal Data shall be maintained and made available to Customer upon request.

Questt AI will:

  • Challenge overly broad or inappropriate requests where feasible;
  • Provide only the minimum amount of information required;
  • Seek confidential treatment of disclosed information where possible;
  • Notify Customer as soon as legally permissible to allow Customer to seek protective measures.

5.2.8 Data Subject Requests

To the extent legally permissible, promptly notify Customer of:

  • Any communication from a Data Subject regarding the Processing of Customer Personal Data;
  • Any request to exercise Data Subject rights (access, rectification, erasure, restriction, portability, objection);
  • Any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Customer Personal Data.

Questt AI will not respond to any such request or complaint unless:

  • Expressly authorized to do so by Customer; or
  • Otherwise required to respond under applicable Data Protection Laws.

Assistance with Data Subject Requests:

Taking into account the nature of the Processing, Questt AI will reasonably assist Customer (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s, Customer’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR, including:

  • Right of access (Article 15 GDPR);
  • Right to rectification (Article 16 GDPR);
  • Right to erasure (Article 17 GDPR);
  • Right to restriction of processing (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object (Article 21 GDPR);
  • Rights related to automated decision-making (Article 22 GDPR).

Customer agrees to reimburse Questt AI for reasonable time and out-of-pocket expenses incurred by Questt AI in connection with the performance of its obligations under this Section 5.2.8, provided that Questt AI provides Customer with an estimate of such costs in advance and obtains Customer’s approval before incurring significant expenses.

5.2.9 Security Incident Notification

Upon Questt AI’s becoming aware of a Personal Data Breach involving Customer Personal Data:

  1. Notification: Notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach involving Customer Personal Data;
  2. Information to Include: Such notice shall include, to the extent reasonably available to Questt AI, all timely information reasonably required by Customer (or the relevant Controller) to comply with its data breach reporting obligations under the applicable Data Protection Laws, including:
    • The nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
    • The likely consequences of the Personal Data Breach;
    • The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
    • The name and contact details of Questt AI’s data protection officer or other contact point from which more information can be obtained.
  3. Remediation: Questt AI shall further take all such measures and actions as are necessary to remedy or mitigate the effects of such Security Incident and shall keep Customer reasonably informed of developments concerning Customer Personal Data.
  4. No Admission: Customer acknowledges that Questt AI’s notification of a Security Incident is not an acknowledgement by Questt AI of its fault or liability.
  5. Exclusions: Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

5.2.10 Assistance with Compliance

To the extent required by the applicable Data Protection Laws, provide reasonable assistance to Customer, Customer’s Affiliates, or the relevant Controller(s) with their obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Questt AI, including:

  • Data Protection Impact Assessments (Article 35 GDPR): Providing information necessary for Customer to conduct data protection impact assessments where required;
  • Prior Consultation (Article 36 GDPR): Assisting Customer with prior consultation with Supervisory Authorities where required.

Customer agrees to reimburse Questt AI for reasonable time and out-of-pocket expenses incurred by Questt AI in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR, provided that Questt AI provides Customer with an estimate of such costs in advance and obtains Customer’s approval before incurring significant expenses.

5.2.11 Return or Deletion of Data

Upon the termination or expiry of the Agreement:

  1. Customer’s Choice: At the option of Customer, Customer’s Affiliates or the relevant Controller(s), Questt AI shall either:
    • Return all Customer Personal Data to Customer in a commonly used and machine-readable format; or
    • Delete all copies of the Customer Personal Data Processed by Questt AI (including by rendering such data unreadable).
  2. Timing: Questt AI shall complete such return or deletion within sixty (60) days of the termination or expiry of the Agreement, unless applicable law requires Questt AI to retain some or all of the Customer Personal Data.
  3. Legal Retention: Any such Customer Personal Data retained by Questt AI shall:
    • Remain subject to the obligations of confidentiality set forth in the Agreement and this Addendum;
    • Be retained only for the period and purposes required by applicable law;
    • Be subject to the same security measures as during the term of the Agreement.
  4. Certification: Upon Customer’s request, Questt AI shall provide written certification of compliance with this Section 5.2.11.

5.2.12 Records and Compliance

Questt AI shall:

  1. Maintain Records: Maintain the necessary records in support of demonstrating compliance with its obligations under this Addendum for the processing of Customer Personal Data carried out on behalf of the Customer, including:
    • Records of processing activities under Article 30(2) GDPR;
    • Records of data breaches;
    • Records of Data Subject requests;
    • Records of Subprocessor agreements.
  2. Retention Period: Maintain such records for the duration of the Agreement and for a period of seven (7) years after termination or as required by applicable law, whichever is longer.

5.2.13 Audits and Inspections

Make available to Customer all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Customer, or an independent third party auditor mandated by Customer, provided that:

  1. Notice: Customer gives Questt AI reasonable prior notice (at least thirty (30) days) of its intention to audit;
  2. Timing: Audits are conducted during Questt AI’s normal business hours;
  3. Disruption: Customer takes all reasonable measures to prevent unnecessary disruption to Questt AI’s operations;
  4. Confidentiality: Any auditor is bound by appropriate confidentiality obligations;
  5. Frequency: For the purposes of demonstrating compliance with this Addendum under this Section 5.2.13, the Parties agree that in the first instance, once per year during the term of the Agreement (except if and when required by instruction of a competent Supervisory Authority or where Customer believes a further audit is necessary due to a Personal Data Breach concerning Customer Personal Data suffered by Questt AI), Questt AI will provide to Customer:
    • Responses to cybersecurity and other assessments;
    • SOC 2 Type II reports or equivalent compliance reports;
    • Evidence of ISO 27001:2022 certification or equivalent;
    • Other relevant security documentation.
  6. On-Site Audits: Only where Customer cannot establish Questt AI’s compliance with this Addendum from Questt AI’s responses and documentation shall Customer request to inspect Questt AI’s processing operations through an on-site audit.
  7. Costs: Customer agrees to reimburse Questt AI for reasonable time and out-of-pocket expenses incurred by Questt AI in connection with assistance provided in connection with such audits, responses to cybersecurity and other assessments, provided that Questt AI provides Customer with an estimate of such costs in advance.

6. Warranties

6.1 Mutual Warranties

The Parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the term of this Addendum and the Agreement.

6.2 Questt AI’s Warranties

Questt AI warrants that:

  1. It has implemented and will maintain appropriate technical and organizational measures to protect Customer Personal Data as set out in this Addendum;
  2. It has procedures in place to detect, respond to, and mitigate Security Incidents;
  3. Its personnel are trained in data protection principles and obligations;
  4. It will process Customer Personal Data only in accordance with Customer’s documented instructions unless required to do so by applicable law.

6.3 Customer’s Warranties

Customer warrants that:

  1. It has all necessary rights and legal bases to provide Customer Personal Data to Questt AI for Processing under this Addendum;
  2. It has provided all necessary notices and obtained all necessary consents required under Data Protection Laws for Questt AI to Process Customer Personal Data as contemplated by this Addendum;
  3. The Processing of Customer Personal Data in accordance with the Agreement and Customer’s instructions will not violate any applicable Data Protection Laws.

7. Restricted Transfers

7.1 Application of Standard Contractual Clauses

The parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates (as exporter) to Questt AI (as importer) is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, which shall be deemed incorporated into and form part of this Addendum as follows:

7.1.1 EU GDPR Transfers

In relation to Customer Personal Data that is protected by the EU GDPR and processed by Questt AI on behalf of and under the instruction of Customer, the EU SCCs will apply completed as follows:

  1. Module Two will apply (controller to processor transfers);
  2. Clause 7 (Docking Clause): The optional docking clause will apply;
  3. Clause 9 (Use of Sub-processors): Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 5.2.6 of this Addendum;
  4. Clause 11 (Redress): The optional language will not apply;
  5. Clause 17 (Governing Law): Option 1 will apply, and the EU SCCs will be governed by the laws of India;
  6. Clause 18(b) (Choice of Forum and Jurisdiction): Disputes shall be resolved before the courts of Bengaluru, Karnataka, India;
  7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Addendum;
  8. Annex II of the EU SCCs shall be deemed completed with the information set out in Section 4 of Annex 1 to this Addendum.

7.1.2 Swiss DPA Transfers

In relation to Customer Personal Data that is protected by the Swiss DPA, the EU SCCs shall apply in accordance with Section 7.1.1 of this Addendum, but with the following modifications:

  1. Any references in the EU SCCs to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein;
  2. Any references to “EU”, “Union”, “Member State”, and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
  3. Any references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the competent Swiss courts;
  4. The Controller to Processor SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss Courts.

7.1.3 UK GDPR Transfers

In relation to Customer Personal Data that is protected by the UK GDPR, the EU SCCs shall apply in accordance with Section 7.1.1 of this Addendum, but as modified and interpreted by the Part 2: Mandatory Clauses of the UK Transfer Addendum, which shall be incorporated into and form an integral part of this Addendum.

Any conflict between the terms of the EU SCCs and the UK Transfer Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Transfer Addendum.

In addition, tables 1 to 3 in Part 1 of the UK Transfer Addendum shall be completed respectively with the information set out in Annex 1 of this Addendum, and table 4 in Part 1 of the UK Transfer Addendum shall be deemed completed by selecting both “Importer” and “Exporter”.

7.2 Restrictions on Other Transfers

Questt AI shall not participate in any other Restricted Transfers of Customer Personal Data (whether as an importer or an exporter of the Customer Personal Data) unless:

  • The Restricted Transfer is made in compliance with applicable Data Protection Law; and
  • Pursuant to the relevant Standard Contractual Clauses implemented between the relevant exporter and importer of the Customer Personal Data, as necessary in order to comply with applicable Data Protection Law.

7.3 Customer’s Monitoring Obligation

Customer should routinely review all international transfers of Personal Data on a case-by-case basis in order to:

  • Monitor new risks because of the changes in local laws, data practices, etc.; and
  • Implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks to ensure the Personal Data remains protected to the standard required under Data Protection Laws.

7.4 Transfer Mechanisms

Where a party is located outside the EEA or an adequate country and receives Personal Data:

  1. That party will act as the data importer;
  2. The other party is the data exporter; and
  3. The relevant Transfer Mechanism will apply.

“Transfer Mechanism” refers to any lawful means of transferring personal data from the European Economic Area (EEA) or any adequate country to a third country in compliance with applicable data protection laws. This may include, but is not limited to, the following:

  1. Standard Contractual Clauses (SCCs) approved by the European Commission Decision of 4 June 2021 (as amended from time to time) for the transfer of personal data from the EEA or adequate countries to a third country;
  2. International Data Transfer Agreement issued by the Information Commissioner’s Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022;
  3. International Data Transfer Addendum issued by the Information Commissioner’s Office (ICO) under Section 119A of the Data Protection Act 2018, effective from 21 March 2022;
  4. Binding Corporate Rules approved by competent Supervisory Authorities;
  5. Approved certification mechanisms together with binding and enforceable commitments;
  6. Codes of conduct together with binding and enforceable commitments;
  7. Any other transfer mechanism recognized under applicable Data Protection Laws.

7.5 Additional Measures

If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws, which may include:

  • Technical measures such as encryption, pseudonymization, or anonymization;
  • Organizational measures such as specific contractual clauses, transparency, or internal policies;
  • Contractual measures such as specific warranties or obligations on the data importer.

7.6 Disclosures to Public Authorities

Subject to the terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

  1. Challenge the request if the data importer has reasonable grounds to consider that the request is unlawful;
  2. Promptly notify the data exporter about the request (unless legally prohibited);
  3. Only disclose to the public authority the minimum amount of Personal Data required by the request;
  4. Keep a record of the disclosure, including:
    • The date and time of the request;
    • The requesting authority;
    • The legal basis for the request;
    • The Personal Data disclosed;
    • The individuals to whom the Personal Data relates.

8. Precedence

8.1 Order of Precedence

The provisions of this Addendum are supplemental to the provisions of the Agreement. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Agreement, they will take priority in this order:

  1. Any Standard Contractual Clauses or other Cross-Border Transfer Mechanisms to which the parties have agreed;
  2. This Data Protection Addendum;
  3. The Agreement.

8.2 SCCs Take Priority

In the event that any provision of this Addendum and/or the Agreement contradicts, directly or indirectly, the Controller to Processor SCCs, the Controller to Processor SCCs will control.

8.3 Data Protection Laws

Notwithstanding the above, nothing in the Agreement or this Addendum shall be interpreted to limit or restrict either party’s obligations under applicable Data Protection Laws.


9. Liability and Indemnity

9.1 Customer Indemnity

To the extent permissible by law, Customer shall:

  1. Defend: Defend Questt AI and its Affiliates (collectively, “Indemnified Parties”) from and against any and all claims, demands, suits, or proceedings made or brought against any of the Indemnified Parties by any third party (each, a “Claim”); and
  2. Indemnify: Indemnify and hold harmless the Indemnified Parties from and against any and all losses, damages, liabilities, fines and administrative fines, penalties, settlements, and costs and expenses of any kind (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) incurred or suffered by any of the Indemnified Parties;

In each case arising from:

  • Any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws;
  • Any claim that Customer’s instructions to Questt AI violate applicable Data Protection Laws;
  • Any claim arising from Customer’s failure to obtain necessary consents or provide necessary notices to Data Subjects;
  • Any claim that Customer Personal Data infringes third party rights.

9.2 Questt AI’s Right to Participate

Questt AI may participate in the defense and/or settlement of a Claim under this Section 9 with counsel of its choosing at its own expense. Customer shall not settle any Claim in a manner that admits fault on behalf of Questt AI or imposes obligations on Questt AI without Questt AI’s prior written consent.

9.3 Limitation of Liability

Except for liability that cannot be excluded or limited by law:

  1. Each party’s total aggregate liability arising out of or related to this Addendum shall be limited to the amounts set forth in the limitation of liability provisions in the Agreement;
  2. Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages;
  3. The limitations in this Section 9.3 shall not apply to:
    • Either party’s indemnification obligations under this Addendum;
    • Liability arising from a party’s gross negligence or willful misconduct;
    • Liability that cannot be limited under applicable Data Protection Laws.

10. Severability

10.1 Invalid Provisions

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

10.2 Modification

If any provision of this Addendum is held to be invalid or unenforceable, the Parties shall negotiate in good faith to modify such provision to the minimum extent necessary to make it valid and enforceable while preserving the original intent of the Parties.


11. Term and Termination

11.1 Term

This Addendum shall commence on the effective date of the Agreement and shall continue in full force and effect for as long as Questt AI Processes Customer Personal Data on behalf of Customer, including during any period of suspension or following termination of the Agreement where Questt AI continues to Process Customer Personal Data.

11.2 Survival

The following provisions shall survive termination or expiry of this Addendum and the Agreement:

  • Section 5.2.11 (Return or Deletion of Data);
  • Section 9 (Liability and Indemnity);
  • Section 12 (Miscellaneous);
  • Any other provision that by its nature should survive termination.

12. Miscellaneous

12.1 Privacy by Design and Default

Questt AI implements privacy by design and default principles in accordance with Article 25 of the GDPR, including:

  1. Implementing appropriate technical and organizational measures to ensure that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed;
  2. Designing services with privacy in mind from the outset;
  3. Minimizing the processing of Personal Data to what is necessary for the purposes of providing the Services.

12.2 Achieving Security of Processing

Questt AI implements measures to achieve security of Processing as required by Article 32 of the GDPR, including those set out in Section 4 of Annex 1.

12.3 Notification to Supervisory Authority

Customer (as Controller) is responsible for notification of breaches involving Customer Personal Data to the relevant Supervisory Authority as required by Article 33 of the GDPR. Questt AI will provide reasonable assistance to Customer in this regard as set out in Section 5.2.9.

12.4 Notification to Data Subjects

Customer (as Controller) is responsible for notification of breaches involving Customer Personal Data to Data Subjects as required by Article 34 of the GDPR. Questt AI will provide reasonable assistance to Customer in this regard as set out in Section 5.2.9.

12.5 Data Protection Impact Assessment

Where required by applicable Data Protection Law, Customer (as Controller) is responsible for conducting Data Protection Impact Assessments in accordance with Article 35 of the GDPR. Questt AI will provide reasonable assistance to Customer as set out in Section 5.2.10.

12.6 Prior Consultation

Where required by applicable Data Protection Law, Customer (as Controller) is responsible for prior consultations with relevant Supervisory Authorities in accordance with Article 36 of the GDPR. Questt AI will provide reasonable assistance to Customer as set out in Section 5.2.10.

12.7 Compliance Standards

Questt AI shall comply with all statutory and regulatory requirements, including:

  • ISO/IEC 27001:2022 - Information Security Management System;
  • ISO/IEC 27701:2019 - Privacy Information Management System;
  • EU GDPR and other applicable Data Protection Laws;
  • SOC 2 Type II - Security and Privacy controls.

12.8 Data Subject Rights Contact

In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Law, including, but not limited to, the right of access to, correction of and/or erasure of its Personal Data in Questt AI’s control, the Data Subject may submit such a request by contacting Questt AI’s Data Protection Officer (DPO) below.

Concerns and/or complaints relating to Customer Personal Data may also be raised with the Data Protection Officer below:

Data Protection Officer

Name: Dheeraj Bhavsar

Email: dheeraj@questt.com

Address: Questt AI, Urban Vault 1666/A, 4th Floor, 14th Main, Sector 3, Sarjapur - Marathahalli Road, HSR Layout, Bengaluru, Karnataka - 560102, India.

12.9 No Temporary Files

Questt AI confirms that no unnecessary temporary files are generated during processing of Customer Personal Data, and any temporary files that are created are securely deleted in accordance with Questt AI’s data retention and deletion policies.

12.10 Amendments

Any amendments to this Addendum must be in writing and signed by authorized representatives of both Parties, except as otherwise provided in this Addendum (such as updates to Annex 2 regarding Subprocessors).

12.11 Notices

All notices under this Addendum shall be in writing and delivered to the addresses set out in the Agreement or as otherwise notified by either Party.

12.12 Language

This Addendum is executed in English. In the event of any conflict between the English version and any translation, the English version shall prevail.

12.13 Entire Agreement

This Addendum, together with the Agreement and any exhibits or annexes hereto, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, and communications (whether written or oral) regarding such subject matter.


13. Governing Law and Jurisdiction

13.1 Governing Law

This Addendum shall be governed by and construed in accordance with the laws of India, without regard to its conflict of law provisions, except where:

  • The Controller to Processor SCCs apply, in which case the governing law provisions of such SCCs shall apply; or
  • Applicable Data Protection Laws require otherwise.

13.2 Jurisdiction

Subject to the provisions of any applicable Controller to Processor SCCs, the courts of Bengaluru, Karnataka, India shall have exclusive jurisdiction over any disputes arising out of or in connection with this Addendum.


END OF MAIN ADDENDUM


Annex 1 to Data Protection Addendum

Description of Processing Activities for Customer Personal Data

This Annex includes certain details of the Processing of Customer Personal Data by Questt AI in connection with the Services.


1. List of Parties

Data Exporter (Controller)

Name: Customer (as defined in the Agreement)

Address: As set forth in the relevant Order Form or Agreement

Contact Person: As set forth in the relevant Order Form or Agreement

Contact Details: As set forth in the relevant Order Form or Agreement

Activities relevant to the data transferred: Recipient of the Services provided by Questt AI in accordance with the Agreement. Customer seeks to engage Questt AI to provide GenAI solutions for business and finance problems in the Retail & Consumer segment.

Signature and Date: Signature and date are set out in the Agreement

Role: Controller

Data Importer (Processor)

Name: Questt AI

Address: Urban Vault 1666/A, 4th Floor, 14th Main, Sector 3, Sarjapur - Marathahalli Road, HSR Layout, Bengaluru, Karnataka - 560102, India

Contact Person: Dheeraj Bhavsar

Contact Details: Email: dheeraj@questt.com

Activities relevant to the data transferred: Provision of the Services to the Customer in accordance with the Agreement, including processing demo requests, lead generation, and providing GenAI solutions for business and finance problems in the Retail & Consumer segment.

Signature and Date: Signature and date are set out in the Agreement

Role: Processor

2. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs:

As determined by application of Clause 13 of the EU SCCs. For transfers subject to the EU GDPR, the competent supervisory authority shall be determined based on the location of the Controller (Data Exporter).

For transfers from India, the competent authority shall be the Data Protection Board of India once constituted under the Digital Personal Data Protection Act, 2023.


3. Processing Information

3.1 Categories of Data Subjects

Customer Personal Data concerns the following categories of data subjects:

  • Business Contacts: Individuals who request product demonstrations or express interest in Questt AI’s services
  • Prospective Customers: Representatives of companies interested in Questt AI’s GenAI solutions
  • Customer Representatives: Employees, agents, or appointees of Customer who interact with Questt AI’s services

3.2 Categories of Personal Data Transferred

Customer Personal Data concerns the following categories of personal data:

Processed automatically by the Services:

  • First name and last name
  • Work email address
  • Company name
  • Job title
  • Phone number
  • Use case description
  • Device information (browser type, operating system, IP address - for security purposes only)
  • Communication history and interaction records

Note: Questt AI does not collect cookies or use tracking technologies.

3.3 Sensitive Personal Data Transferred

None. Customer shall not provide, and Questt AI shall not process, any Special Categories of Personal Data as defined in Article 9 of the GDPR or sensitive personal data as defined under applicable Data Protection Laws.

3.4 Frequency of the Transfer

Continuous - Customer Personal Data is transferred to Questt AI on an ongoing basis as individuals request demos, submit inquiries, and interact with Questt AI’s services.

3.5 Nature of the Processing

The nature of the processing includes the following activities:

  1. Collection: Collecting Personal Data submitted through demo request forms and website interactions
  2. Storage: Storing Personal Data in secure databases for the retention period specified in the Privacy Policy (180 days)
  3. Analysis: Analyzing use case information to understand customer needs and tailor solutions
  4. Communication: Using Personal Data to respond to inquiries, schedule demonstrations, and follow up with prospects
  5. Record Keeping: Maintaining records of business interactions for legitimate business purposes
  6. Security Monitoring: Monitoring for security threats and unauthorized access

3.6 Purpose of Data Transfer and Further Processing

Purpose of the data transfer:

The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms, specifically:

  1. Demo Booking and Lead Generation:
    • Processing demo requests submitted through the website
    • Scheduling product demonstrations
    • Managing the sales pipeline
    • Following up with prospects
  2. Service Delivery:
    • Understanding customer use cases for Retail & Consumer segment
    • Tailoring GenAI solutions to customer needs
    • Providing information about services
    • Responding to inquiries
  3. Business Operations:
    • Maintaining records of business interactions
    • Improving services based on feedback and usage patterns
    • Internal analytics and reporting
    • Compliance with legal obligations
  4. Marketing (with consent):
    • Sending newsletters and product updates
    • Sharing relevant case studies and industry insights
    • Inviting to webinars and events

Further processing:

Questt AI will not process Customer Personal Data for any purpose other than those specified above without obtaining Customer’s prior written consent or as required by applicable law.

3.7 Period for Retention

The period for which the Customer Personal Data will be retained:

  1. Active Processing: Customer Personal Data will be actively processed for the duration of the Agreement and as necessary to provide the Services;
  2. Standard Retention: Customer Personal Data will be retained for 180 days from the date of collection, as specified in QuesttAI’s Privacy Policy;
  3. Post-Termination: Upon termination or expiry of the Agreement, Customer Personal Data will be returned or deleted within sixty (60) days as specified in Section 5.2.11 of this Addendum;
  4. Legal Requirements: Customer Personal Data may be retained for longer periods where required by applicable law or for the establishment, exercise, or defense of legal claims.

Criteria for determining retention period:

  • Necessity for providing Services
  • Legal and regulatory requirements
  • Legitimate business purposes
  • Customer’s instructions

3.8 Subprocessor Transfers

Subject matter, nature, and duration of processing by Subprocessors:

Where QuesttAI engages Subprocessors (as listed in Annex 2), such Subprocessors will process Customer Personal Data for the following purposes:

  • Cloud infrastructure and hosting services
  • Security and monitoring services
  • Communication and email services
  • Analytics and performance monitoring
  • Backup and disaster recovery services

The subject matter, nature, and duration of the Processing by Subprocessors is more fully described in the Agreement, this Addendum, and accompanying order forms.

All Subprocessors are bound by written agreements requiring them to provide at least the same level of data protection as set forth in this Addendum.


4. Technical and Organizational Security Measures

Description of the technical and organizational security measures implemented by QuesttAI as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

4.1 Security Management System

Organization:

  • QuesttAI designates qualified security personnel whose responsibilities include development, implementation, and ongoing maintenance of the Information Security Program
  • Security team reports directly to senior management
  • Clear roles and responsibilities for data protection are established

Policies:

  • Management reviews and supports all security-related policies to ensure the security, availability, integrity, and confidentiality of Customer Personal Data
  • Policies are updated at least once annually or as required by changes in risk, technology, or applicable laws
  • Policies cover areas including:
    • Information security
    • Data protection and privacy
    • Incident response
    • Business continuity
    • Access control
    • Acceptable use

Assessments:

  • QuesttAI engages reputable independent third parties to perform risk assessments of all systems containing Customer Personal Data at least once annually
  • Assessments include vulnerability scanning, penetration testing, and security audits
  • Assessment findings are tracked and remediated based on risk priority

Risk Treatment:

  • QuesttAI maintains a formal and effective risk treatment program that includes:
    • Penetration testing conducted at least annually
    • Vulnerability management with regular scanning and patching
    • Patch management to identify and protect against potential threats to the security, integrity, or confidentiality of Customer Personal Data
  • Critical and high-severity vulnerabilities are remediated as soon as commercially possible
  • Medium and low-severity vulnerabilities are remediated on a risk-based schedule

Vendor Management:

  • QuesttAI maintains an effective vendor management program
  • All vendors with access to Customer Personal Data undergo security assessments
  • Vendor agreements include appropriate data protection and security clauses
  • Vendor performance is monitored on an ongoing basis

Incident Management:

  • QuesttAI reviews security incidents regularly, including effective determination of root cause and corrective action
  • Incident response plan is tested at least annually
  • Lessons learned from incidents are incorporated into security improvements

Standards:

  • QuesttAI operates an information security management system that complies with the requirements of ISO/IEC 27001:2022 standard
  • QuesttAI maintains compliance with SOC 2 Type II requirements

4.2 Personnel Security

Background Checks:

  • QuesttAI conducts reasonably appropriate background checks on any employees who will have access to Customer Personal Data under this Agreement
  • Background checks include, to the extent legally permissible:
    • Employment history verification
    • Criminal record checks (in accordance with applicable local labor law)
    • Education verification
    • Reference checks

Confidentiality:

  • Personnel are required to execute a confidentiality agreement in writing at the time of hire
  • Confidentiality obligations continue after termination of employment
  • Personnel must protect Customer Personal Data at all times

Acknowledgment of Policies:

  • Personnel must acknowledge receipt of, and compliance with, QuesttAI’s confidentiality, privacy, and security policies
  • Annual re-acknowledgment is required

Training:

  • Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program
  • Training is mandatory for all new hires within 30 days of starting
  • Annual refresher training is required for all personnel
  • Personnel handling Customer Personal Data are required to complete additional training appropriate to their role
  • Training covers:
    • Data protection principles
    • GDPR and other applicable Data Protection Laws
    • Secure data handling practices
    • Incident reporting procedures
    • Privacy by design principles

Authorization:

  • QuesttAI’s personnel will not process Customer Personal Data without authorization
  • Access to Customer Personal Data is granted only on a need-to-know basis
  • All access is logged and monitored

4.3 Access Controls

Access Management:

  • QuesttAI maintains a formal access management process for the request, review, approval, and provisioning of all personnel with access to Customer Personal Data
  • Access is limited to Customer Personal Data and systems storing, accessing, or transmitting Customer Personal Data to properly authorized persons having a need for such access
  • Access requests require approval from appropriate management
  • Access is granted based on principles of “least privilege” and “need to know”
  • Access reviews are conducted quarterly to ensure that only those personnel with access to Customer Personal Data still require it
  • Access is promptly revoked upon change of role or termination of employment

Infrastructure Security Personnel:

  • QuesttAI has, and maintains, a security policy for its personnel
  • Security training is mandatory as part of the training package for all personnel
  • Dedicated infrastructure security personnel are responsible for:
    • Ongoing monitoring of QuesttAI’s security infrastructure
    • Review of the Services for security vulnerabilities
    • Responding to security incidents
  • Security personnel are available 24/7 for critical security incidents

Access Control and Privilege Management:

  • QuesttAI’s administrators and end users must authenticate themselves via a Multi-Factor Authentication (MFA) system or via a single sign-on system in order to use the Services
  • MFA is required for all accounts with access to Customer Personal Data
  • Single sign-on integration is available for enterprise customers
  • Privileged access is strictly controlled and monitored
  • Privileged access management (PAM) tools are used to control and audit administrative access

Internal Data Access Processes and Policies:

  • Access Policy: QuesttAI’s internal data access processes and policies are designed to protect against unauthorized access, use, disclosure, alteration, or destruction of Customer Personal Data
  • System Design: QuesttAI designs its systems to only allow authorized persons to access data they are authorized to access based on principles of “least privilege” and “need to know”, and to prevent others who should not have access from obtaining access
  • Authentication Requirements: QuesttAI requires the use of:
    • Unique user IDs
    • Strong passwords (minimum complexity requirements)
    • Multi-factor authentication
    • Carefully monitored access lists to minimize the potential for unauthorized account use
  • Authorization Criteria: The granting or modification of access rights is based on:
    • The authorized personnel’s job responsibilities
    • Job duty requirements necessary to perform authorized tasks
    • A need-to-know basis
    • Accordance with QuesttAI’s internal data access policies and training
  • Workflow Management: Approvals are managed by workflow tools that maintain audit records of all changes
  • Audit Trail: Access to systems is logged to create an audit trail for accountability
  • Password Policies: Where passwords are employed for authentication (e.g., login to workstations), password policies follow industry standard practices. These standards include:
    • Password complexity requirements (minimum length, character diversity)
    • Password expiry (maximum age)
    • Account lockout after failed login attempts
    • Restrictions on password reuse
    • Re-prompt for password after a period of inactivity
    • Prohibition on sharing passwords
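The password controls listed above (complexity, maximum age, reuse restrictions, lockout after failed attempts) are named by the Addendum but not given values. The following is an added illustration, not Questt AI's code: the thresholds (12-character minimum, three character classes, 90-day maximum age, five remembered passwords, lockout after five failures for 15 minutes) and the `Account` class are assumptions chosen for the example, and the hashing uses PBKDF2 from the Python standard library.

```python
"""Password policy and account-lockout checks (added example; thresholds are assumptions)."""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values; the Addendum names the control types, not the numbers.
MIN_LENGTH = 12
MIN_CLASSES = 3                       # of: lowercase, uppercase, digit, symbol
MAX_AGE = timedelta(days=90)          # password expiry (maximum age)
HISTORY_SIZE = 5                      # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5                 # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)
DEMO_START = datetime(2026, 1, 1, 9, 0)   # fixed clock for the scenario below


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-password random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def complexity_errors(password: str) -> list[str]:
    """Return the complexity rules a candidate password violates (empty list = ok)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        errors.append(f"uses {classes} character classes, needs {MIN_CLASSES}")
    return errors


@dataclass
class Account:
    user_id: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: datetime = datetime.min
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked_until: datetime | None = None

    def set_password(self, password: str, now: datetime) -> list[str]:
        """Apply complexity and reuse rules; on success rotate the old hash into history."""
        errors = complexity_errors(password)
        previous = self.history + ([(self.salt, self.digest)] if self.digest else [])
        # Reuse check: rehash the candidate with each stored salt and compare digests.
        if any(hash_password(password, s)[1] == d for s, d in previous):
            errors.append(f"matches the current or one of the last {HISTORY_SIZE} passwords")
        if errors:
            return errors
        if self.digest:
            self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_SIZE:]
        self.salt, self.digest = hash_password(password)
        self.changed_at = now
        return []

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at > MAX_AGE

    def attempt_login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked', 'expired' or 'denied', enforcing the lockout rule."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        if hash_password(password, self.salt)[1] != self.digest:
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                self.failed_attempts = 0
            return "denied"
        self.failed_attempts = 0
        if self.password_expired(now):
            return "expired"   # credentials valid, but a password change is due
        return "ok"


if __name__ == "__main__":
    acct = Account("demo-user")                      # constructed account
    print(acct.set_password("Correct-Horse-Battery-9", DEMO_START))   # []
    print(acct.attempt_login("Correct-Horse-Battery-9", DEMO_START))  # ok
```

The expiry check is deliberately applied after a successful authentication so that a stale password still blocks access but an attacker cannot use the "expired" response to confirm a guess.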

4.4 Data Center and Network Security

Data Centers:

Infrastructure:

  • QuesttAI utilizes enterprise-grade cloud infrastructure providers
  • Data centers are located in India
  • Data centers meet industry standards for physical security, including:
    • 24/7 security monitoring
    • Biometric access controls
    • Video surveillance
    • Environmental controls (temperature, humidity, fire suppression)

Resiliency:

  • Multi-availability zones are enabled to ensure high availability
  • Geographic redundancy is implemented for disaster recovery
  • QuesttAI conducts backup restoration testing on a regular basis (at least quarterly) to ensure resiliency
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are defined and tested

Server Operating Systems:

  • QuesttAI’s servers are customized for the application environment
  • Servers have been hardened for the security of the Services, including:
    • Removal of unnecessary services and applications
    • Implementation of host-based firewalls
    • Regular security patching
    • Anti-malware protection
  • QuesttAI employs a code review process to increase the security of the code used to provide the Services and enhance the security of products in production environments
  • Secure development lifecycle (SDL) practices are followed

Disaster Recovery:

  • QuesttAI replicates data over multiple systems to help protect against accidental destruction or loss
  • QuesttAI has designed and regularly plans and tests its disaster recovery programs
  • Disaster recovery tests are conducted at least annually
  • Disaster recovery plan is reviewed and updated at least annually

Security Logs:

  • QuesttAI’s systems have logging enabled to their respective system log facility in order to:
    • Support security audits
    • Monitor and detect actual and attempted attacks on, or intrusions into, QuesttAI’s systems
  • Logs are centrally collected and monitored
  • Log retention period is at least 180 days
  • Security Information and Event Management (SIEM) tools are used for log analysis and alerting

Vulnerability Management:

  • QuesttAI performs regular vulnerability scans on all infrastructure components of its production and development environment
  • Automated scanning is conducted at least weekly
  • Manual penetration testing is conducted at least annually
  • Vulnerabilities are remediated on a risk basis:
    • Critical security patches: Installed within 7 days
    • High-severity patches: Installed within 30 days
    • Medium-severity patches: Installed within 90 days
  • Emergency patching procedures are in place for zero-day vulnerabilities
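The remediation windows above (critical within 7 days, high within 30, medium within 90; low on a risk-based schedule) are the kind of commitment a customer will want to verify from scan output rather than take on trust. The following is an added example, not Questt AI's tooling: it scores a list of findings against exactly those windows and reports which ones are, or were, fixed late. The `Finding` structure, the identifiers and hosts, and the review date are all constructed for the illustration.

```python
"""Remediation-SLA check over vulnerability findings (added example, not Questt AI's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days, as stated in the Addendum. Low severity has no
# fixed window on the page, so it is tracked but never flagged as overdue.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
REVIEW_DATE = date(2026, 1, 15)   # constructed "today" for the scenario


@dataclass(frozen=True)
class Finding:
    finding_id: str                 # scanner identifier (constructed)
    asset: str                      # host or service (constructed)
    severity: str                   # critical / high / medium / low
    discovered: date                # first reported by the scanner
    remediated: Optional[date] = None   # None while still open


def due_date(f: Finding) -> Optional[date]:
    """Deadline under the SLA, or None when no fixed window applies."""
    window = SLA_DAYS.get(f.severity.lower())
    return None if window is None else f.discovered + timedelta(days=window)


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline; 0 when on time or when no window applies.

    A remediated finding is judged against its remediation date, so a late fix
    still shows up as a breach in the report instead of disappearing.
    """
    deadline = due_date(f)
    if deadline is None:
        return 0
    reference = f.remediated or today
    return max(0, (reference - deadline).days)


def sla_report(findings, today: date) -> dict:
    """Open/closed counts plus SLA breaches sorted worst-first, for a review meeting."""
    breaches = []
    for f in findings:
        late = days_overdue(f, today)
        if late > 0:
            breaches.append((f.finding_id, f.severity, late))
    open_count = sum(1 for f in findings if f.remediated is None)
    return {
        "open": open_count,
        "closed": len(findings) - open_count,
        "breaches": sorted(breaches, key=lambda b: -b[2]),
    }


# Constructed sample findings; identifiers and hosts are placeholders.
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "critical", date(2026, 1, 1)),                   # open, 7-day window
    Finding("F-002", "db-01", "high", date(2025, 12, 1), date(2025, 12, 20)),   # fixed on time
    Finding("F-003", "api-02", "medium", date(2025, 10, 1)),                    # open, 90-day window
    Finding("F-004", "bastion", "low", date(2025, 6, 1)),                       # no fixed window
    Finding("F-005", "web-02", "high", date(2025, 11, 1), date(2025, 12, 15)),  # fixed late
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, REVIEW_DATE)
    for fid, sev, late in report["breaches"]:
        print(f"{fid} ({sev}) is {late} day(s) past its SLA")
    print(f"open={report['open']} closed={report['closed']}")
```

Feeding real scanner exports into `Finding` records lets a customer check the committed windows during the annual assessment rather than relying on the statement alone.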

Networks and Transmission:

Data Transmission:

  • Data in the production environment is transmitted using standard Internet protocols
  • All data in transit is encrypted using TLS 1.2 or higher
  • Strong cipher suites are enforced
  • SSL/TLS certificates are regularly updated and monitored for expiration

External Attack Surface:

  • Firewalls (virtual or physical) are in place for the production environment
  • Network segmentation isolates production systems from development and administrative networks
  • Intrusion Detection and Prevention Systems (IDS/IPS) monitor network traffic
  • Web Application Firewall (WAF) protects web applications from common attacks
  • DDoS protection is implemented

Incident Response:

  • QuesttAI maintains incident management policies and procedures, including detailed security incident escalation procedures
  • 24/7 security monitoring is in place
  • QuesttAI monitors a variety of communication channels for security incidents, including:
    • Security logs and SIEM alerts
    • Intrusion detection systems
    • Security research feeds
    • Customer reports
  • QuesttAI’s security personnel will react promptly to suspected or known incidents
  • Incident response includes:
    • Detection and analysis
    • Containment, eradication, and recovery
    • Post-incident activity and lessons learned
  • QuesttAI will mitigate harmful effects of such security incidents and document such security incidents and their outcomes

Encryption Technologies:

  • QuesttAI makes HTTPS (HTTP over TLS, historically referred to as SSL) available for data in transit
  • Industry-standard encryption protocols (TLS 1.2 or higher) are used
  • QuesttAI implements encryption technologies for data at rest to ensure the security and confidentiality of Customer Personal Data
  • Encryption at rest uses AES-256 or equivalent
  • Encryption keys are managed securely and rotated regularly

4.5 Data Storage, Isolation, and Destruction

Data Storage:

  • QuesttAI stores data in secure databases with appropriate access controls
  • Database servers are hardened and regularly patched
  • Database access is logged and monitored
  • Regular database backups are performed

Data Isolation:

  • QuesttAI logically isolates the data of different customers
  • Customer data is segregated to prevent unauthorized cross-customer access
  • Access controls ensure users can only access their own organization’s data
  • Network segmentation provides additional isolation

Authentication:

  • A central authentication system is used across all Services so that uniform security controls apply to data
  • Single sign-on (SSO) is supported for enterprise customers
  • Multi-factor authentication (MFA) is required for administrative access

Data Destruction:

  • QuesttAI ensures secure disposal of Customer Personal Data through the use of a series of data destruction processes, including:
    • Secure deletion using cryptographic erasure or overwriting
    • Physical destruction of storage media where appropriate
    • Certificate of destruction provided upon request
    • Verification that data cannot be recovered after destruction

4.6 Physical and Environmental Security

Physical Access Controls:

  • Data center facilities have 24/7 security monitoring
  • Biometric access controls restrict physical access
  • Video surveillance of all entry points
  • Security guards and reception desks
  • Visitor logs and escort requirements

Environmental Controls:

  • Redundant power supplies and backup generators
  • Uninterruptible Power Supply (UPS) systems
  • Climate control systems (HVAC)
  • Fire detection and suppression systems
  • Water leak detection systems

Asset Management:

  • All physical assets containing data are inventoried and tracked
  • Secure disposal procedures for hardware
  • Encryption of mobile devices and removable media

4.7 Business Continuity and Availability

Business Continuity Planning:

  • Comprehensive business continuity plans are maintained
  • Plans are tested at least annually
  • Backup personnel are identified and trained
  • Communication plans are established

Backup and Recovery:

  • Regular automated backups of Customer Personal Data
  • Backups are encrypted and stored in geographically diverse locations
  • Backup integrity is regularly verified through restoration testing
  • Retention period for backups aligns with data retention requirements

High Availability:

  • Services are designed for high availability
  • Load balancing across multiple servers
  • Automatic failover capabilities
  • Regular monitoring of system performance and availability

4.8 Monitoring and Logging

Security Monitoring:

  • 24/7 security monitoring of systems and networks
  • Real-time alerting for security events
  • Regular review of security logs
  • Automated threat detection tools

Audit Logging:

  • Comprehensive audit logging of all access to Customer Personal Data
  • Logs include:
    • User identification
    • Date and time of access
    • Type of access (read, write, delete)
    • IP address
    • Success or failure of access attempt
  • Logs are tamper-proof and securely stored
  • Regular log analysis and review

4.9 Data Minimization and Purpose Limitation

Data Minimization:

  • QuesttAI collects only the minimum amount of Personal Data necessary to provide the Services
  • No collection of Special Categories of Personal Data
  • No use of cookies or tracking technologies (beyond essential security logging)

Purpose Limitation:

  • Customer Personal Data is processed only for the purposes specified in this Addendum
  • No secondary uses of data without Customer consent
  • Clear segregation between different processing purposes

4.10 Ongoing Security Improvements

Security Roadmap:

  • Regular review and update of security measures
  • Investment in new security technologies
  • Participation in security research and threat intelligence sharing

Continuous Improvement:

  • Security incidents are analyzed for lessons learned
  • Security metrics are tracked and reported
  • Regular security training updates based on evolving threats

Compliance Monitoring:

  • Regular compliance assessments against ISO 27001, SOC 2, and GDPR requirements
  • Internal audits conducted quarterly
  • External audits conducted annually

Annex 2 to Data Protection Addendum

Questt AI’s Subprocessors

Last Updated: January 7, 2026

Current Subprocessors

Questt AI engages the following Subprocessors to assist in providing the Services. This list is subject to change in accordance with Section 5.2.6 of the Data Protection Addendum (with 30 days’ prior written notice to Customer).

  Subprocessor Name | Services Provided                 | Location        | Data Processed
  ------------------|-----------------------------------|-----------------|------------------------------------------------
  GCP               | Cloud infrastructure and hosting  | India (Mumbai)  | All Customer Personal Data
  Microsoft Azure   | Email communication services      | India (Chennai) | Email addresses, names, communication content

Subprocessor Requirements

All Subprocessors are required to:

  1. Enter into written agreements with Questt AI that include data protection obligations materially the same as those set out in this Addendum;
  2. Process Customer Personal Data only on Questt AI’s instructions;
  3. Implement and maintain appropriate technical and organizational security measures;
  4. Assist Questt AI in responding to Data Subject requests and Security Incidents;
  5. Delete or return Customer Personal Data upon termination of services;
  6. Allow for audits and inspections as required;
  7. Comply with applicable Data Protection Laws.

Updates to Subprocessor List

Questt AI will:

  1. Maintain an up-to-date list of Subprocessors;
  2. Notify Customer at least 30 days before adding or replacing any Subprocessor;
  3. Provide Customer with the opportunity to object to new Subprocessors;
  4. Work in good faith with Customer to find alternative solutions if Customer objects;
  5. Publish the current Subprocessor list at https://trust.questt.ai for Customer reference.

Customer Objection Rights

If Customer objects to a new or replacement Subprocessor on reasonable data protection grounds within 30 days of notification:

  1. The Parties will work in good faith for up to 30 days to find a commercially reasonable alternative;
  2. If no solution is found, either Party may terminate the affected Services without penalty;
  3. Customer will not be entitled to any refund for fees already paid for Services rendered before termination.

END OF DATA PROTECTION ADDENDUM


Document Information

Document Name: Questt AI Data Protection Addendum

Version: 1.0

Effective Date: January 7, 2026

Last Updated: January 7, 2026

Next Review Date: January 7, 2027

Document Owner: Data Protection Officer, Questt AI


Contact Information

For questions about this Data Protection Addendum, please contact:

Questt AI Data Protection Officer

Email: dheeraj@questt.com

Address: Urban Vault 1666/A, 4th Floor, 14th Main, Sector 3, Sarjapur - Marathahalli Road, HSR Layout, Bengaluru, Karnataka - 560102, India

General Inquiries:

Email: support@questt.com

Need a signed copy of our DPA?

Contact our legal team to request an executed Data Processing Agreement.
