Legal
Data Processing Addendum
Last updated: 15 July 2026
This Data Processing Addendum ("DPA") supplements the engagement agreement between BWE Consulting Private Limited ("Processor") and the client organisation ("Controller") for the processing of personal data through QUANTRA.
1. Scope
This DPA applies to personal data processed by BWE on the Controller's behalf in the course of delivering QUANTRA. It reflects obligations arising under the DPDP Act, 2023 and, where applicable, the EU GDPR.
2. Nature and purpose of processing
- Purpose: quantum-readiness auditing, risk scoring, reporting and continuous monitoring.
- Categories: system inventories, cryptographic asset metadata, engagement participant identifiers.
- Duration: for the term of the engagement and any post-engagement retention agreed in writing.
3. Sub-processors
Current sub-processors are:
- Supabase — managed Postgres, authentication and storage, ap-south-1 region.
- Cloudflare — CDN and DDoS protection.
- Resend — transactional email.
- Sentry — error monitoring (metadata only; no engagement data).
BWE will notify the Controller of proposed additions to this list. The Controller may object within 30 days.
4. Technical and organisational measures
- Row-level security enforced in Postgres on every table.
- MFA mandatory for all human users; role-based access control.
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Private, engagement-scoped storage buckets for report artifacts.
- Immutable audit logs for all intake, scoring, approval and delivery actions.
- Penetration testing and dependency scanning as part of the release pipeline.
5. Data subject rights
BWE will assist the Controller in responding to data subject requests where the personal data is held within QUANTRA. Requests should be directed to privacy@bwe.one.
6. Breach notification
BWE will notify the Controller without undue delay, and in any event within 72 hours of confirmed detection, of any personal data breach affecting Controller data.
7. Return and deletion
On termination, and unless applicable law requires retention, BWE will delete or return all Controller personal data within 30 days.
8. International transfers
Primary storage remains in India. Where a sub-processor operates outside India, transfers occur under contractual safeguards equivalent to Standard Contractual Clauses.
9. Contact
DPA queries: privacy@bwe.one.
