Data Processing Agreement
Last updated: 31 October 2025
This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement between Precision Forward Ltd and the Customer (the “Agreement”) for the purchase and use of the Quadrant platform and related services (the “Services”) supplied by Precision Forward Ltd.
1. Purpose and Scope
This DPA reflects the Parties’ agreement with respect to the processing of Customer Data in accordance with applicable data protection laws and regulations, including the UK GDPR, the Data Protection Act 2018, and, where relevant, the EU GDPR (“Data Protection Laws”).
The Parties agree that for the purposes of the Data Protection Laws, Customer acts as the Data Controller and Precision Forward Ltd acts as the Data Processor when processing Customer Data on Customer’s behalf in providing the Services.
2. Definitions
“Customer Data” means any personal data or information that the Customer or its Users submit to the Quadrant Services.
“Personal Data”, “Data Subject”, “Processing”, “Controller”, and “Processor” have the meanings given under the UK GDPR.
“Sub-Processor” means any entity engaged by Precision Forward Ltd to process Customer Data on its behalf.
3. Duration and Processing of Data
The duration, nature and purpose of processing, types of personal data, and categories of data subjects are set out in Annex I. Precision Forward Ltd shall process Customer Data only on documented instructions from Customer, unless required to do so by applicable law.
4. Obligations of the Processor
Precision Forward Ltd shall:
(a) process Customer Data only in accordance with Customer’s documented instructions;
(b) ensure persons authorised to process Customer Data have committed to confidentiality;
(c) implement appropriate technical and organisational measures in accordance with Article 32 of the UK GDPR;
(d) assist Customer in ensuring compliance with Data Subject rights;
(e) delete or return all Customer Data after termination; and
(f) make available to Customer all information necessary to demonstrate compliance.
Precision Forward Ltd shall not use Customer Data for its own purposes or for any purpose other than providing the Services under the Agreement.
5. Security
Precision Forward Ltd shall implement and maintain appropriate technical and organisational security measures to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Precision Forward Ltd follows best practices consistent with ISO 27001 and SOC 2 frameworks and is actively pursuing formal certification under these standards.
In the event of a Security Incident involving Customer Data, Precision Forward Ltd shall notify Customer without undue delay (and within 72 hours of becoming aware of it), describing the nature of the breach, categories of data affected, and remedial actions taken.
6. Sub-Processors
Customer authorises Precision Forward Ltd to engage Sub-Processors for the processing of Customer Data. A list of current Sub-Processors is provided in Annex III.
Precision Forward Ltd shall ensure that any Sub-Processor it engages is subject to written terms imposing data-protection obligations no less protective than those set out in this DPA and shall remain fully liable to the Customer for their performance.
7. Data Subject Rights
Precision Forward Ltd shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws. Precision Forward Ltd shall provide reasonable assistance to Customer in responding to such requests.
8. International Data Transfers
Precision Forward Ltd is a company established in the United Kingdom and hosts Customer Data primarily in the UK and European Economic Area (EEA).
Where Customer Data is transferred outside the UK or EEA to a country not deemed adequate by the UK Secretary of State or the European Commission, Precision Forward Ltd shall ensure that such transfer is made under an appropriate safeguard, such as the UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses (SCCs).
9. Assistance and Cooperation
Precision Forward Ltd shall assist Customer with conducting data-protection impact assessments (DPIAs) where applicable and cooperate with the Information Commissioner’s Office (ICO) or other competent supervisory authority upon request.
10. Return or Deletion of Data
Upon termination or expiry of the Agreement, Precision Forward Ltd shall, at Customer’s written request, delete or return all Customer Data within 60 days, unless retention is required by law or necessary for legitimate business purposes such as dispute resolution or auditing.
11. Audit Rights
Precision Forward Ltd shall make available all information reasonably necessary to demonstrate compliance with this DPA and allow for audits by Customer or an independent auditor mandated by Customer, limited to once per 12-month period, subject to confidentiality obligations.
12. Liability
Each Party’s liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.
13. Governing Law
This DPA and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction.
Annex I – Details of Processing
Data Exporter: Customer (Controller)
Data Importer: Precision Forward Ltd (Processor)
Subject Matter: Provision of Quadrant SaaS platform and analytics services
Nature and Purpose: Processing necessary to deliver, monitor, and improve the Services
Types of Personal Data: Contact details, account credentials, activity logs, analytics identifiers
Categories of Data Subjects: Customer’s authorised Users, employees, representatives
Retention Period: As defined in the Agreement and until deletion upon termination
Transfers: Possible limited transfers outside UK/EEA under approved safeguards.
Annex II – Technical and Organisational Measures
Precision Forward Ltd implements the following key measures to ensure the security and confidentiality of Customer Data:
- Encryption at rest and in transit (TLS 1.2+ / AES-256)
- Role-based access control (RBAC) and multi-factor authentication
- Secure coding and vulnerability management
- Data backup and disaster-recovery procedures
- Regular penetration testing and risk assessments
- Employee data-protection and security training.
Annex III – Sub-Processors
Name / Location of Processing / Nature and Purpose of Processing
Vercel / Europe (Frankfurt, Germany / EU Region) / Cloud / Application Hosting Provider
OpenAI / United States / EU data regions where available / AI Model Service Provider
Anthropic / United States / AI Model Service Provider
Google / Europe (EU data centres and Ireland) / AI Model Service Provider / User authentication services
Supabase / Europe (Dublin, Ireland) / Database Provider
Clerk / Europe (EU data centres / fallback US) / User authentication services
Clay / United States / Customer Support
Stripe / Europe (Ireland) / Payment Processing
Microsoft Azure AI / United Kingdom / Europe (Netherlands and Ireland regions) / Cloud Infrastructure / AI Model and Compute Provider
