Data Act Addendum
This Addendum (the “Data Act Addendum”) is entered into between QEVLAR AI, a French société par actions simplifiée with share capital of EUR 18 298,30, having its registered office at 15 rue Auguste Gervais, 92130 Issy-les-Moulineaux, France, registered with the Trade and Companies Register of Nanterre under number 952 849 115 (“Provider”), and the customer identified in the Agreement (“Customer”). This Data Act Addendum is incorporated into and forms part of the Master Services Agreement between the Parties (the “Agreement”). Capitalised terms used but not defined have the meanings given in the Agreement or the Data Act.
Preamble
The Parties acknowledge that Provider qualifies as a “provider of a data processing service” within the meaning of Article 2(8) of Regulation (EU) 2023/2854 (the “Data Act”), and that the Services therefore fall within the scope of Chapter VI of the Data Act (Articles 23 to 31) on switching between data processing services, as well as Article 32 on international access to and transfer of non-personal data. This Data Act Addendum sets out the contractual provisions required by Article 25 of the Data Act, the operational arrangements for switching, the safeguards applicable to non-personal data under Article 32, and ancillary provisions.
1. Definitions
In addition to the terms defined in the Agreement, the following terms have the meanings given below. Where the Data Act itself defines a term, that Data Act definition prevails.
“Data Act” means Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data, as amended, supplemented, or replaced from time to time, together with any delegated acts and implementing acts issued thereunder.
“Destination Service” means any third-party data processing service, on-premises ICT infrastructure, or hybrid arrangement to which Customer instructs Provider to facilitate the porting of Exportable Data and Customer Digital Assets in connection with a Switching Process.
“Exportable Data” means all (i) Customer Data (including any personal data within the meaning of the GDPR, processed in accordance with the DPA), (ii) any other input, output, or content generated by or on behalf of Customer in the course of using the Services, and (iii) any Customer Digital Assets, in each case in machine-readable form and to the extent technically feasible to extract using the standard interfaces and tools provided by Provider.
“Customer Digital Assets” means elements of Customer’s use of the Services that are tangible or intangible assets owned or controlled by Customer in connection with the Services, including configuration files, integration definitions, dashboards, alerting rules, custom playbooks, user accounts, and any other artefact that is portable in accordance with the technical capabilities of the Services.
“Functional Equivalence” means the re-establishment, based on the Exportable Data and Customer Digital Assets, of a minimum level of functionality in the environment of a Destination Service of the same service type as the Services, such that the Destination Service delivers, after Switching, a materially comparable output for the same input, on the basis of inputs provided by Customer, within the meaning of Article 2(31) of the Data Act.
“Mandatory Maximum Notice Period” means the maximum notice period applicable to a Switching Process as set out in Article 25(2)(a) of the Data Act, which is two (2) months from the date Customer notifies Provider of its intention to initiate a Switching Process.
“Mandatory Transition Period” means the mandatory transitional period during which Provider continues to provide the Services to allow Switching, as set out in Article 25(2)(b) of the Data Act, which is thirty (30) days starting at the end of the Mandatory Maximum Notice Period (with optional extensions on Customer’s request).
“Switching” means the change of provider of a data processing service, in accordance with Articles 23 –31 of the Data Act.
“Switching Charges” means any charges payable by Customer to Provider in connection with a Switching Process, governed by Article 29 of the Data Act.
“Switching Process” means the process initiated by Customer to switch from the Services to a Destination Service, as set out in Article 25 of the Data Act and this Addendum.
2. Scope and Application
2.1 Application.
This Data Act Addendum applies to all Services provided by Provider to Customer under the Agreement that constitute a data processing service within the meaning of Article 2(8) of the Data Act. Where the Agreement is governed by the law of a third country, the substantive obligations of this Data Act Addendum nonetheless apply with respect to data processing services provided to customers established in the European Union.
2.2 Order of precedence.
In the event of any conflict between this Data Act Addendum and the Agreement (including the DPA, the Service Level Agreement, or any Order Form) with respect to subject matter covered by Chapter VI or Article 32 of the Data Act, this Data Act Addendum prevails. Otherwise, the order of precedence in the Agreement applies.
2.3 Term.
This Data Act Addendum takes effect on the later of (a) 12 September 2025 (the date of application of Chapter VI of the Data Act) and (b) the effective date of the Agreement, and remains in force for so long as the Agreement rem ains in force. Provisions intended to survive (including Sections 4, 5, 6, 7, 8, 9, and 10) survive termination of the Agreement.
3. Information Obligations (Data Act Art. 26)
3.1 Pre-contractual information.
Provider publishes on its website (currently at https://www.qevlar.com/legal/data-act- information or such other URL as Provider may designate from time to time) the information required by Article 26 of the Data Act, including (a) the available procedures for Switching and porting; (b) the categories of data and Customer Digital Assets that can be ported; (c) the jurisdictions in which the Services are provided; (d) the means by which Customer may exercise its right to terminate the Agreement; (e) the technical formats, methods, and protocols supported for porting; and (f) the foreseeable Switching Charges and the schedule for their reduction in accordance with Article 29 of the Data Act.
3.2 Updates.
Provider shall update the information referenced in Section 3.1 promptly to reflect any material change. Material changes will be notified to Customer in writing at least thirty (30) days in advance, unless a shorter period is required by law.
4. Right to Switch and Initiation (Data Act Art. 23, 25)
4.1 Customer’s right to switch.
Customer may terminate the Agreement and initiate a Switching Process at any time, by written notice to Provider, in order to switch the Services to a Destination Service or to bring the relevant functions in-house.
4.2 Notice period.
The notice period for terminating the Agreement and initiating a Switching Process does not exceed the Mandatory Maximum Notice Period. Customer may, in its notice, elect a shorter notice period; in such case, Provider shall comply with the elected shorter period to the extent technically and operationally feasible.
4.3 Transition period.
On expiry of the notice period referred to in Section 4.2, Provider shall continue to provide the Services on the existing commercial terms for the duration of the Mandatory Transition Period (or for a longer period mutually agreed by the Parties in writing), to allow Customer to complete the Switching Process.
4.4 Extensions.
Customer may extend the Mandatory Transition Period once for an additional period reasonably necessary to complete the Switching Process, not exceeding the period required to ensure continuity for Customer; Provider shall, in particular, accommodate extensions as required by Article 25(2)(d) of the Data Act for technically complex cases. Provider shall provide such extension on Customer’s reasonable written request.
5. Portability and Functional Equivalence (Data Act Art. 23, 25, 30)
5.1 Portability.
Provider shall take all reasonable measures within its control to enable Customer to export and to port to a Destination Service the Exportable Data and Customer Digital Assets, including by providing (a) common-format export functionality through the Services, (b) documented application programming interfaces (APIs) where supported by the Services, (c) reasonable structured and machine-readable export of Customer Digital Assets, and (d) documentation describing the export functionality and any limitations.
5.2 Functional equivalence.
To the extent the Destination Service is a data processing service of the same service type as the Services (e.g., a competing cybersecurity SaaS), Provider shall provide reasonable assistance to enable the Destination Service to achieve Functional Equivalence, provided that Provider is not required to disclose or share its proprietary Provider IP (including model weights, training data, source code, or trade secrets) and that Functional Equivalence is achievable based on the Exportable Data and the Customer Digital Assets provided by Customer. Provider shall not be required to support porting to a service that is materially different in service type.
5.3 Formats and standards.
Provider supports the export of Exportable Data and Customer Digital Assets in industry-standard formats (including JSON, CSV, and Parquet where technically feasible). Where applicable harmonised standards or common specifications are adopted under Article 35 of the Data Act, Provider shall comply with such standards within a reasonable transition period.
5.4 Personal data.
Personal data within Exportable Data is processed in accordance with the DPA and applicable data-protection law. The Switching Process does not, of itself, lawfully justify a transfer of personal data outside of the legal bases set out in the DPA; Customer remains the controller and shall determine the lawful basis for any onward transfer.
6. Switching Assistance (Data Act Art. 27, 28)
6.1 Provider obligations.
During the Mandatory Maximum Notice Period and the Mandatory Transition Period, Provider shall (a)
reasonably cooperate with Customer and any Destination Service provider designated by Customer to facilitate the Switching Process; (b) make available technical documentation, APIs, and operational guidance re asonably necessary to extract and port the Exportable Data and Customer Digital Assets; (c) not impose any unreasonable obstacle to the Switching Process; (d) maintain the security and integrity of the Exportable Data during the Switching Process; and (e) communicate promptly with Customer on the progress of the Switching Process and any technical issues.
6.2 Customer obligations.
Customer shall (a) provide Provider with all information reasonably necessary to plan and execute the Switching Process, including the identity of the Destination Service provider (subject to confidentiality), the desired schedule, and any specific technical requirements; (b) cooperate in good faith and respond to reasonable requests from Provider during the Switching Process; and (c) bear the relationship with, and pay any fees of, the Destination Service provider and any third party retained by Customer.
6.3 Limitations.
Provider is not required to (a) develop new functionality not present in the Services as of the Order Form Date, (b) disclose proprietary Provider IP (including model weights, training data, source code, or trade secrets), (c) provide services that exceed the scope of the Services or that involve direct services to the Destination Service provider beyond reasonable cooperation, or (d) provide assistance beyond the Mandatory Transition Period (subject to extension under Section 4.4) or at no cost beyond the Switching Charges payable in accordance with Section 7.
7. Switching Charges (Data Act Art. 29)
7.1 Reduction schedule.
In accordance with Article 29(1) of the Data Act, Switching Charges payable by Customer to Provider in connection with a Switching Process are subject to the following schedule: (a) from 12 January 2024 until 11 January 2027, Provider may impose Switching Charges reduced from the standard charges of Provider, calculated as the cost reasonably incurred by Provider in providing the Switching, plus a margin; and (b) from 12 January 2027, Provider shall not impose any Switching Charges other than charges for the standard provision of the Services during the Mandatory Transition Period and for any Customer-requested bespoke services.
7.2 Transparency.
Provider shall disclose its applicable Switching Charges in the information made available pursuant to Section 3.1, including the basis of calculation and any changes from time to time. Switching Charges are notified to Customer in advance of the relevant Switching Process.
7.3 Data egress charges.
From 12 January 2027, Provider shall not impose any data egress charge in connection with a Switching Process other than charges to cover the cost incurred by Provider, in accordance with Article 29(3) of the Data Act.
7.4 No financial penalty.
Provider shall not impose any financial penalty on Customer for exercising its right to switch under this Data Act Addendum and the Data Act.
8. Mandatory Contractual Provisions (Data Act Art. 25)
8.1 Required terms.
The Parties confirm that this Data Act Addendum and the Agreement together include the contractual provisions required by Article 25 of the Data Act, in particular: (a) clauses allowing Customer to switch (Sections 4 and 5); (b) the Mandatory Maximum Notice Period of two (2) months (Section 4.2); (c) the Mandatory Transition Period of thirty (30) days, extendable (Sections 4.3 and 4.4); (d) Provider’s assistance obligations during the Switching Process (Section 6); (e) information transparency under Article 26 (Section 3); (f) Switching Charges in accordance with Article 29 (Section 7); and (g) clauses preventing unjustified contractual barriers to switching (Section 6.3).
8.2 Restoration of data.
Following the completion of the Switching Process and the expiry of the Mandatory Transition Period (or such longer period as agreed), Provider shall delete all Exportable Data and Customer Digital Assets in Provider’s possession or control in accordance with Section 6 of the DPA and the Agreement, subject to applicable legal retention obligations.
9. Non-Personal Data Protection from Third-Country Authorities (Data Act Art. 32)
9.1 Safeguards against unlawful access.
Provider shall take all adequate technical, organisational, and legal measures, including encryption, contractual safeguards, and resistance procedures, designed to prevent unlawful access by, or tr ansfer of non- personal data to, any third-country government, court, tribunal, or administrative authority, where such access or transfer would conflict with Union law or applicable national law of any Member State.
9.2 Third-country access requests.
If Provider receives an access request or order from a third-country authority concerning non- personal data held by Provider on behalf of Customer, Provider shall (a) where lawful, notify Customer promptly of such request, (b) take all reasonable steps to challenge the request to the extent permitted by applicable law, (c) seek interim or alternative measures from the requesting authority, and (d) disclose only the minimum amount of non-personal data legally required to comply, after exhausting reasonable legal remedies. Where notification to Customer is prohibited, Provider shall use commercially reasonable efforts to obtain a waiver.
9.3 International transfers.
Provider shall not transfer non-personal data outside the European Union to a third country in a manner that would violate Article 32 of the Data Act. Where transfers are necessary for the provision of the Services, Provider shall ensure appropriate safeguards in accordance with Article 32(3) of the Data Act.
10. General
10.1 No prejudice to other rights.
This Data Act Addendum is without prejudice to any other rights and remedies of the Parties under the Agreement or applicable law, including the right of Customer to terminate the Agreement for material breach. Switching under this Data Act Addendum is in addition to, and not in lieu of, such rights.
10.2 Updates.
Provider may update this Data Act Addendum from time to time to reflect changes in the Data Act, delegated or implementing acts, harmonised standards, or supervisory guidance, on reasonable prior written notice, provided that no update materially diminishes Customer’s rights or Provider’s obligations.
10.3 Governing law.
This Data Act Addendum is governed by, and construed in accordance with, the governing law specified in the Agreement.
