DATA PROCESSING ADDENDUM
Quantum Heaps Pte. Ltd.
Last updated: April 2026 · Primary jurisdiction: Singapore PDPA 2012 (as amended)
This Data Processing Addendum (“DPA”) forms part of the Quantum Heaps Customer Agreement between Quantum Heaps Pte. Ltd. (UEN: [to be inserted]), a company incorporated in Singapore (“Quantum Heaps”), and the Customer. It sets out the terms on which Quantum Heaps may process personal data on behalf of the Customer. By accepting the Customer Agreement, Customer agrees to the terms of this DPA.
1. Definitions
Capitalised terms used but not defined have the meaning set out in the Quantum Heaps Customer Agreement. The following additional definitions apply:
Account Data: Personal Data collected by Quantum Heaps to provide and control access to the Platform, including name, email address, IP address, and profile photo.
Customer Personal Data: Personal Data comprised in Customer Data uploaded to or processed through the Platform. Account Data is not Customer Personal Data.
Data Protection Laws: The Singapore Personal Data Protection Act 2012 (No. 26 of 2012) and its subsidiary legislation and guidelines issued by the PDPC, as amended from time to time; and, to the extent applicable, the EU GDPR, UK GDPR, U.S. Privacy Laws, and any other laws relating to the processing of Personal Data in any jurisdiction in which Customer operates.
EU GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
EU SCCs: Standard contractual clauses approved by the European Commission in Decision 2021/914 (as amended from time to time).
PDPA: The Singapore Personal Data Protection Act 2012, as amended by the Personal Data Protection (Amendment) Act 2020.
PDPC: The Personal Data Protection Commission of Singapore.
Platform: The Quantum Heaps Revenue OS and Revenue OS + CRM software platform available at quantumheaps.com.
Sub-processor: A third party engaged by Quantum Heaps to process Customer Personal Data on Quantum Heaps’ behalf.
UK GDPR: The EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
U.S. Privacy Laws: Applicable U.S. federal and state privacy laws including the CCPA/CPRA, Colorado Privacy Act, Virginia CDPA, and analogous state privacy laws, as amended from time to time.
2. Roles and Processing Purposes
2.1 Quantum Heaps processes Customer Personal Data as a data intermediary (under the PDPA) or processor (under the EU/UK GDPR, as applicable) on behalf of Customer, who acts as the organisation or controller responsible for determining the purposes and means of processing.
2.2 Quantum Heaps acknowledges that it is an organisation in its own right under the PDPA when it processes Account Data and when it processes data for its own legitimate purposes such as billing, security, product development, and regulatory compliance.
2.3 Customer remains responsible for its obligations under applicable Data Protection Laws, including obtaining all necessary consents, providing required notices, and ensuring its instructions to Quantum Heaps are lawful.
2.4 The subject matter, nature, purpose, duration, and categories of data processed are set out in Annex A.
3. Quantum Heaps’ Obligations
To the extent that Quantum Heaps processes Customer Personal Data, Quantum Heaps will:
3.1 Process Customer Personal Data only on Customer’s documented instructions and only for the Business Purposes, unless required to do so by applicable law, in which case Quantum Heaps will inform Customer to the extent permitted by law.
3.2 Not disclose Customer Personal Data to any third party except as necessary to perform the services, as authorised by Customer, or as required by law.
3.3 Implement and maintain appropriate technical and organisational security measures as described in Annex B, proportionate to the harm that could result from unauthorised or unlawful processing or accidental loss or destruction of Customer Personal Data.
3.4 Ensure that personnel authorised to process Customer Personal Data are subject to written confidentiality obligations and receive appropriate data protection training.
3.5 Notify Customer without undue delay — and in any event within three (3) business days — upon becoming aware of any data breach involving Customer Personal Data, in accordance with Quantum Heaps’ obligations under the PDPA’s mandatory data breach notification regime. The notification shall include information about the nature of the breach, categories and approximate number of individuals affected, and the measures taken or proposed to address the breach.
3.6 During the term and for thirty (30) days following expiry or termination of the Customer Agreement, provide Customer with the ability to export Customer Personal Data. Following this period, Quantum Heaps shall delete or anonymise Customer Personal Data unless retention is required by applicable law.
3.7 Maintain records of processing activities involving Customer Personal Data and, on Customer’s written request and at Customer’s reasonable cost, make available information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. Audits may be conducted by an independent third party upon thirty (30) days’ notice, no more than once in any twelve-month period, at Customer’s cost, and in a manner that minimises disruption to Quantum Heaps’ business.
3.8 Notify Customer promptly if, in Quantum Heaps’ reasonable opinion, any instruction from Customer would breach applicable Data Protection Laws.
3.9 Provide reasonable assistance to Customer in fulfilling its obligations to respond to data access, correction, and other requests from individuals under the PDPA and other applicable Data Protection Laws.
4. Customer’s Obligations
4.1 Customer warrants that it has obtained all necessary consents and provided all required notifications under applicable Data Protection Laws to permit Quantum Heaps to process Customer Personal Data in accordance with this DPA.
4.2 Customer shall ensure that its instructions to Quantum Heaps comply with applicable Data Protection Laws at all times.
4.3 Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which Customer acquired it.
5. Transfers of Personal Data Outside Singapore
5.1 Quantum Heaps may transfer Customer Personal Data outside of Singapore in accordance with Section 26 of the PDPA. Before making any such transfer, Quantum Heaps will ensure that the recipient provides a standard of protection to the transferred data that is at least comparable to the protection under the PDPA, by way of contractual arrangements, binding corporate rules, or other legally recognised mechanisms.
5.2 For transfers to countries within the European Economic Area or the United Kingdom, Quantum Heaps will ensure that Appropriate Safeguards are in place, including the EU SCCs or UK Addendum as applicable (see Annex C).
5.3 Customer consents to Quantum Heaps transferring Customer Personal Data to the approved Sub-processors listed in Annex A, subject to the conditions in Clauses 5.1 and 5.2 above.
6. Sub-processors
6.1 Customer authorises Quantum Heaps to appoint the Sub-processors listed in Annex A. Quantum Heaps will notify Customer at least thirty (30) days prior to appointing any new Sub-processor or making material changes to existing Sub-processors.
6.2 Customer may object to a new Sub-processor appointment in writing within fourteen (14) days on reasonable grounds relating to data protection. If the parties cannot resolve the objection, Customer may terminate the relevant portion of the services on written notice.
6.3 Quantum Heaps will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable for each Sub-processor’s compliance.
7. Artificial Intelligence
7.1 The Platform includes native AI capabilities (“Quantum AI”). All Customer Personal Data processed by AI components of the Platform is subject to the same protections and obligations under this DPA.
7.2 Quantum Heaps will not use Customer Personal Data to train its own AI models without Customer’s explicit written consent.
7.3 Customers who are subject to the EU AI Act shall ensure that their use of AI components of the Platform complies with that regulation.
8. Governing Law and Dispute Resolution
8.1 This DPA shall be governed by and construed in accordance with the laws of Singapore.
8.2 Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of Singapore.
8.3 Notwithstanding Clause 8.1, where Customer is located in the EU or UK, the applicable EU SCCs or UK Addendum (Annex C) shall govern transfers of personal data and, in the event of conflict with this Clause 8, shall prevail with respect to such transfers.
9. Term and Termination
This DPA shall remain in full force and effect so long as the Quantum Heaps Customer Agreement remains in effect. Obligations regarding data deletion and confidentiality shall survive termination.
10. Liability
Liability for breach of this DPA is subject to the limitation of liability provisions in the Quantum Heaps Customer Agreement. Nothing in this DPA limits either party’s liability for breaches of applicable Data Protection Laws where such limitation is prohibited by law.
11. General
11.1 If a change in any applicable Data Protection Laws prevents either party from fulfilling all or part of its obligations under this DPA, the parties shall cooperate in good faith to bring the processing into compliance within sixty (60) calendar days. If compliance cannot be achieved, either party may terminate the Customer Agreement on thirty (30) calendar days’ written notice.
11.2 This DPA constitutes the entire agreement between the parties in relation to the subject matter hereof and supersedes all prior representations, agreements, and understandings relating to the same.
11.3 Any notice under this DPA shall be given in accordance with the notice provisions of the Quantum Heaps Customer Agreement.
ANNEX A — Personal Data Processing Details
Data Controller / Organisation
Customer, as identified in the Quantum Heaps Customer Agreement.
Data Intermediary / Processor
Quantum Heaps Pte. Ltd., [registered address, Singapore] (UEN: [to be inserted]).
Subject Matter of Processing
Personal data of users and contacts uploaded to or processed through the Platform, including employees, contractors, prospects, clients, customers, and suppliers of the Customer.
Duration of Processing
The period during which Customer receives the Platform services, and until Customer requests deletion of the relevant personal data or thirty (30) days after termination of the Customer Agreement, whichever is earlier.
Nature of Processing
Collecting, storing, displaying, using, analysing, and presenting personal data through the Platform, including CRM functions, email and call tracking, meeting intelligence, sales forecasting, commission calculations, AI-powered insights, workflow automation, and related analytics.
Business Purposes
Provision of the Quantum Heaps Revenue OS and Revenue OS + CRM platform, including pipeline management, sales execution, commission automation, AI reporting, and related analytics and workflow services.
Personal Data Categories
Name, email address, phone number, contact information, IP address, profile image, work history, professional opinions and notes, call recordings, meeting transcripts, CRM activity data, sales pipeline and forecast data, commission and quota data, and location data.
Data Subject Types
Employees, contractors, prospective employees; clients, customers, suppliers, leads, prospects, and other business contacts stored or managed in the Platform.
Retention
Personal data is retained for the duration of the Customer Agreement and for up to thirty (30) days thereafter, unless a longer retention period is required by applicable law or agreed in writing.
Approved Sub-processors
|
Sub-processor |
Location |
Transfer mechanism |
Purpose |
|
Amazon Web Services |
USA / Singapore |
PDPA comparable protection; SCCs where applicable |
Cloud infrastructure and hosting |
|
Google Cloud Platform |
USA / Singapore |
PDPA comparable protection; SCCs where applicable |
Hosting; AI/ML platform functionality |
|
Cloudflare, Inc. |
USA |
PDPA comparable protection; SCCs and UK Addendum |
Web infrastructure and security |
|
OpenAI, LLC |
USA |
PDPA comparable protection; SCCs and UK Addendum |
Large language model — Quantum AI |
|
Anthropic Ireland, Ltd. |
Ireland / USA |
SCCs and UK Addendum |
Large language model — Quantum AI |
|
Postmark / SendGrid |
USA |
PDPA comparable protection; SCCs and UK Addendum |
Transactional email delivery |
|
Recall.ai (Hyperdoc Inc.) |
USA |
PDPA comparable protection; SCCs and UK Addendum |
Call and meeting recording |
|
Gladia SAS |
France |
SCCs |
Call recording transcription |
|
Stripe, Inc. |
USA / Singapore |
PDPA comparable protection; SCCs where applicable |
Payment processing |
|
Intercom R&D Unlimited |
Ireland |
SCCs and UK Addendum |
Customer support |
ANNEX B — Security Measures
Access Controls
All access to environments hosting Customer Personal Data is restricted in accordance with the principle of least privilege, granted on a time-bound basis with mandatory Multi-Factor Authentication. Physical data centre security is managed by Quantum Heaps’ cloud infrastructure providers.
Encryption
All Customer Personal Data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).
Monitoring and Testing
Quantum Heaps maintains automated security monitoring and logging. Independent third-party penetration testing is conducted at least once per year, with critical findings remediated on agreed timelines.
Data Backup
Automated backup systems replicate Customer Personal Data to a geographically separate region on a regular basis to ensure recoverability.
Availability and Resilience
The Platform is deployed across multiple cloud availability zones. Quantum Heaps maintains documented business continuity and disaster recovery plans that are tested regularly.
Personnel and Confidentiality
All personnel with access to Customer Personal Data are subject to written confidentiality obligations and receive appropriate data protection and security training on hiring and annually thereafter.
Incident Response
Quantum Heaps maintains a documented data breach response plan consistent with the PDPA’s mandatory data breach notification obligations. The plan includes procedures for detection, containment, assessment, notification, and post-incident review.
ANNEX C — Cross-Border Transfer Mechanisms (EU/UK Customers)
This Annex applies where the Customer is located in the European Economic Area or the United Kingdom and transfers Personal Data to Quantum Heaps in Singapore, which is not currently recognised as providing adequate protection under the EU GDPR or UK GDPR.
EU Standard Contractual Clauses
Module Two (Controller to Processor) of the EU SCCs (Commission Decision 2021/914) applies to transfers from EU-located Customers to Quantum Heaps. The parties are deemed to have signed the EU SCCs by entering into the Customer Agreement. Governing law: laws of Ireland. Disputes: courts of Ireland. Competent supervisory authority: Irish Data Protection Commission. Annex B of this DPA serves as Annex II of the EU SCCs.
UK Addendum
For transfers from UK-located Customers, the UK International Data Transfer Addendum (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner is incorporated by reference and appended to the EU SCCs. Either party may terminate the UK Addendum in accordance with its terms.
Conflict
In the event of any conflict between the EU SCCs or UK Addendum and any other provision of this DPA or the Customer Agreement, the EU SCCs or UK Addendum (as applicable) shall prevail in respect of cross-border transfers of personal data.