This Data Protection Addendum (“DPA”) forms part of the agreement between BTQ Technologies Corp. (“BTQ,” “Processor,” “Service Provider,” “Contractor,” “we,” “us”) and the customer identified in the underlying agreement (“Customer,” “Controller,” “Business,” “you”) (the “Agreement”).

This DPA applies to the extent BTQ processes Customer Personal Data on behalf of Customer in providing the Services.

Note: BTQ is a public company. Nothing in this DPA requires BTQ to disclose confidential, security-sensitive, or regulated information beyond what is required by Applicable Data Protection Laws, and BTQ may satisfy certain obligations (e.g., audit) through reasonable alternatives such as independent third-party reports and controlled access.

1. Parties

Processor / Service Provider / Contractor:
 BTQ Technologies Corp.
 Suite 2500, 700 West Georgia Street, Vancouver, BC, Canada

Customer / Controller / Business: The entity entering into the Agreement with BTQ.

2. Definitions

Applicable Data Protection Laws” means laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable: the EU GDPR, UK GDPR, Swiss FDPA (as applicable), PIPEDA (Canada), and CCPA/CPRA (California), plus any implementing regulations and guidance.

Capitalized terms not defined in this DPA have the meaning in the Agreement. The terms “Controller,” “Processor,” “Personal Data,” “Personal Information,” “Processing,” “Data Subject,” and “Personal Data Breach” have the meanings given under Applicable Data Protection Laws.

Customer Personal Data” means Personal Data processed by BTQ on behalf of Customer under this DPA.

Subprocessor” means a third party engaged by BTQ to process Customer Personal Data.

Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in BTQ’s control.

Customer Confidential Information” includes Customer Personal Data.

3. Roles and Scope

3.1 Customer as Controller / Business. Customer determines the purposes and means of processing Customer Personal Data and is responsible for the lawfulness of processing, including providing notices and obtaining consents where required.

3.2 BTQ as Processor / Service Provider / Contractor. BTQ processes Customer Personal Data only:

  • to provide the Services under the Agreement,

  • on Customer’s documented instructions, and

  • as otherwise permitted by Applicable Data Protection Laws.

3.3 BTQ as Controller (separate context). This DPA does not apply to Personal Data BTQ processes as a Controller (e.g., BTQ website visitor analytics, marketing subscriptions, investor relations inquiries), which is governed by BTQ’s Privacy Policy and applicable disclosures.

4. Processing Details

4.1 Subject matter: Provision, security, and support of the Services.

4.2 Duration: For the term of the Agreement plus the period required to return/delete data in Section 11, unless retention is required by law.

4.3 Nature and purpose: Hosting, storage, transmission, retrieval, and other processing necessary to provide, maintain, secure, and improve the Services; customer support; fraud/abuse prevention; and compliance.

4.4 Categories of Data Subjects: Customer’s end users, employees, contractors, representatives, and other individuals whose Personal Data Customer submits to the Services.

4.5 Categories of Personal Data: Determined by Customer and may include identifiers (name, email), professional data (company, title), account/authentication data, and usage/technical data; and any other data Customer uploads or makes available.

4.6 Special categories / sensitive data: Customer will not provide special category data or sensitive data (e.g., health, biometrics, precise geolocation, financial account credentials) unless expressly agreed in writing and appropriate safeguards are implemented.

5. Customer Instructions

5.1 Customer instructs BTQ to process Customer Personal Data to provide the Services and as set out in the Agreement and this DPA.

5.2 Additional instructions outside the Agreement must be agreed in writing, and may be subject to reasonable fees and feasibility constraints.

6. BTQ Obligations

BTQ will:

6.1 Process on instructions as described in Section 5, unless required by law. If legally required to process otherwise, BTQ will (to the extent permitted) inform Customer.

6.2 Confidentiality. Ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations.

6.3 Security measures. Implement appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents (see Exhibit B).

6.4 Data minimization and access control. Limit access to Customer Personal Data to personnel who need it to provide the Services.

6.5 Assistance. Provide reasonable assistance to Customer to meet Customer’s obligations under Applicable Data Protection Laws, including security, breach notification support, and DPIAs (Section 9), in each case to the extent BTQ has relevant information and the assistance is reasonable and proportionate.

7. Subprocessors

7.1 General authorization. Customer authorizes BTQ to engage Subprocessors to process Customer Personal Data.

7.2 Flow-down terms. BTQ will impose written obligations on Subprocessors that are no less protective than those in this DPA.

7.3 Subprocessor list and changes. BTQ will make available a list of Subprocessors upon request. Where required by Applicable Data Protection Laws, BTQ will provide a reasonable mechanism for notice of material Subprocessor changes and an opportunity to object on reasonable grounds related to data protection.

7.4 Liability. BTQ remains responsible for Subprocessors’ performance of their obligations with respect to Customer Personal Data.

8. Data Subject Requests

8.1 Customer responsibility. Customer is responsible for responding to Data Subject requests.

8.2 BTQ assistance. BTQ will, to the extent legally permitted and reasonably feasible, assist Customer in fulfilling Data Subject requests regarding Customer Personal Data.

8.3 Direct requests. If BTQ receives a Data Subject request relating to Customer Personal Data, BTQ will refer the request to Customer unless legally required to respond.

9. Security Incidents

9.1 Notification. BTQ will notify Customer without undue delay after becoming aware of a Security Incident.

9.2 Details. BTQ will provide information reasonably required for Customer’s compliance, to the extent available, such as:

  • nature of the incident,

  • categories of data involved,

  • approximate number of affected records/data subjects (if known),

  • mitigation steps taken or planned, and

  • recommended steps Customer can take (if applicable).

9.3 Cooperation. BTQ will reasonably cooperate with Customer’s investigation and remediation efforts, subject to confidentiality, privilege, and security restrictions.

9.4 No admission. Notification is not an admission of fault or liability.

10. DPIAs and Prior Consultation

Where required by Applicable Data Protection Laws, BTQ will provide reasonable information and assistance for Customer to carry out DPIAs and consultations with regulators, taking into account the nature of processing and information available to BTQ.

11. Return and Deletion

11.1 At termination. Upon termination or expiration of the Agreement, BTQ will, at Customer’s choice and as supported by the Services:

  • return Customer Personal Data, and/or

  • delete Customer Personal Data,

unless retention is required by applicable law.

11.2 Backups. Customer Personal Data may remain in backups for a limited period, provided it remains protected and is deleted in accordance with BTQ’s backup retention and deletion cycles.

12. International Transfers

12.1 Locations. BTQ is based in Canada, and Customer Personal Data may be processed in Canada and other jurisdictions where BTQ or its Subprocessors operate.

12.2 Transfer mechanisms. Where required, the parties will rely on lawful transfer mechanisms, including:

  • the EU Standard Contractual Clauses (SCCs) (Controller-to-Processor), and/or

  • the UK International Data Transfer Addendum (or UK SCCs), and/or

  • any other valid mechanism recognized under Applicable Data Protection Laws.

12.3 SCC incorporation (if applicable). If SCCs apply, they are incorporated by reference as follows:

  • Customer is the “data exporter” and BTQ is the “data importer,”

  • the applicable module is Controller-to-Processor,

  • Annex I/II are satisfied by Exhibit A and Exhibit B of this DPA,

  • the competent supervisory authority and governing law are determined per SCCs and Customer’s establishment (EEA) or per UK Addendum (UK).

13. Audit and Compliance

13.1 Independent assurance. To the extent available, BTQ may provide summaries of independent assessments (e.g., SOC 2 Type II, ISO 27001) or other security documentation as a reasonable method to demonstrate compliance.

13.2 Customer audits. Where required by Applicable Data Protection Laws, Customer may audit BTQ’s compliance with this DPA, subject to:

  • reasonable prior written notice,

  • audits no more than once per 12 months (unless a Security Incident materially affects Customer),

  • scope limited to Customer Personal Data and relevant controls,

  • audits conducted during normal business hours,

  • strict confidentiality and security requirements,

  • and any on-site audit being subject to BTQ’s policies to protect other customers, system integrity, and BTQ’s confidential information.

13.3 Public-company constraints. Customer acknowledges BTQ may restrict or redact information to avoid disclosure of security-sensitive details or information subject to legal, regulatory, or stock exchange obligations, and may propose reasonable alternatives (virtual review, attestations, reports) to satisfy audit requirements.

14. CCPA/CPRA (If Applicable)

To the extent BTQ processes Personal Information subject to CCPA/CPRA on Customer’s behalf:

  • BTQ acts as a Service Provider/Contractor.

  • BTQ will not sell or share Personal Information (as defined by CCPA/CPRA).

  • BTQ will not retain, use, or disclose Personal Information outside the direct business relationship with Customer except as necessary to provide the Services, for permitted business purposes, or as otherwise permitted by CCPA/CPRA.

  • BTQ will require Subprocessors to comply with equivalent restrictions.

  • BTQ will assist Customer with reasonable steps to meet CCPA/CPRA obligations, to the extent applicable.

15. Confidentiality; Public Disclosures

15.1 Confidentiality. Each party will protect the other party’s Confidential Information in accordance with the Agreement.

15.2 Compelled disclosures. If BTQ is required by law, regulation, subpoena, or governmental request to disclose Customer Confidential Information (including Customer Personal Data), BTQ will (to the extent permitted) provide notice to Customer and cooperate reasonably with efforts to seek protective treatment.

15.3 Securities-law and regulatory disclosures. Customer acknowledges BTQ may make disclosures required under applicable securities laws, stock exchange rules, or regulatory obligations. BTQ will not disclose Customer Personal Data in public filings unless required by law, and if required, will use reasonable efforts to limit disclosed information.

16. Liability and Order of Precedence

16.1 Liability. Liability under this DPA is subject to the limitations and exclusions in the Agreement, unless prohibited by Applicable Data Protection Laws.

16.2 Precedence. If there is a conflict between this DPA and the Agreement regarding data protection, this DPA controls. If SCCs apply and conflict with this DPA, SCCs control to the extent of the conflict.

17. Contact

Questions about this DPA or privacy matters:

BTQ Technologies Corp.
Suite 2500, 700 West Georgia Street
Vancouver, BC, Canada