Skip to main content
Tie
HomeAbout UsSecurity
Sign In
HomeAbout UsSecurity
Sign In
Back to Legal

DATA PROCESSING ADDENDUM

Last Updated: July 10, 2026

This Data Processing Addendum, including its Exhibits (this "DPA"), forms part of the Platform Services Agreement between Tie QC, Inc. ("Tie") and the customer identified in the applicable Order Form ("Customer" or "You") (the "Agreement"). This DPA applies where Tie Processes Personal Data on Your behalf in connection with the Services.

By entering into the Agreement, You also enter into this DPA on behalf of Yourself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of Your Authorized Affiliates. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement.

You will limit the Personal Data You provide to, or otherwise make available to, Tie in connection with the Services to only that which is necessary for the Services. You will not submit Sensitive Personal Data to the Services.

Relationship to the Agreement; Order of Precedence. This DPA is Confidential Information of both Parties under the Agreement. This DPA is incorporated by reference into the Agreement and takes effect when the Agreement takes effect. In the event of any conflict or inconsistency between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls. In the event of any conflict or inconsistency between this DPA and any Standard Contractual Clauses incorporated into this DPA, the Standard Contractual Clauses control.

1. DEFINITIONS

Capitalized terms used in this DPA have the meanings set forth below. Where a term is defined by Applicable Data Protection Law and used in this DPA, the meaning under the applicable law controls for that purpose.

"Applicable Data Protection Law" means all data privacy, data protection, and cybersecurity laws, rules, and regulations applicable to the Processing of Personal Data under this DPA, each as amended from time to time, including: (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any binding regulations issued thereunder ("CCPA"); (ii) any other applicable U.S. state privacy law; (iii) the EU General Data Protection Regulation 2016/679, including applicable Member State implementing legislation (the "EU GDPR"); (iv) the UK Data Protection Act 2018 and the UK General Data Protection Regulation (the "UK GDPR" and, together with the EU GDPR, the "GDPR"); (v) the Swiss Federal Act on Data Protection of 25 September 2020; and (vi) any guidance or statutory codes of practice issued by a relevant regulatory authority.

"Authorized Affiliate" means an Affiliate of Customer that (a) is subject to Applicable Data Protection Law and (b) is permitted to use the Services under the Agreement, but has not entered into its own Order Form with Tie.

"Controller" means the entity that determines the purposes and means of the Processing of Personal Data, including any "Business" as defined under the CCPA.

"Customer Personal Data" means Personal Data that Tie Processes on Customer's behalf in connection with the Services. Customer Personal Data is a subset of Customer Data (as defined in the Agreement).

"Data Subject" means (i) the natural person or household to whom Personal Data pertains and (ii) any "consumer" or "data subject" as defined under Applicable Data Protection Law.

"Data Subject Request" means a request from a Data Subject to exercise rights granted under Applicable Data Protection Law, including a request to access, correct, delete, port, opt out of, or object to the Processing of Personal Data.

"Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject. This term includes any "personal information," "personal data," or equivalent term as defined under Applicable Data Protection Law.

"Process," "Processing," or "Processed" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction.

"Processor" means the party that Processes Personal Data on behalf of the Controller, including any "Service Provider" as defined under the CCPA.

"Sell" has the meaning ascribed under the CCPA or, where applicable, equivalent meanings under other Applicable Data Protection Law.

"Sensitive Personal Data" means "special category data," "sensitive data," "sensitive personal information," or the equivalent as defined under Applicable Data Protection Law, and includes information about a Data Subject's health, biometric identifiers, government identifiers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or information about a known child.

"Security Incident" means a confirmed unauthorized access to, or unauthorized use or disclosure of, Customer Personal Data in Tie's possession or control.

"Standard Contractual Clauses" or "SCCs" means (i) with respect to restricted transfers subject to the EU GDPR, the Controller-to-Processor standard contractual clauses set out in Annex 1 to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"); and (ii) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (the "UK SCCs").

"Subprocessor" means a third party (including a Tie Affiliate) engaged by Tie to Process Customer Personal Data in connection with the Services.

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1 Roles of the Parties. The Parties acknowledge that, with respect to the Processing of Customer Personal Data under this DPA, Customer is the Controller (or Business, under the CCPA) and Tie is the Processor (or Service Provider, under the CCPA).

2.2 Duration. Tie will Process Customer Personal Data throughout the term of the Agreement and any renewal term. On termination or expiration of the Agreement, Tie will cease Processing Customer Personal Data in accordance with Section 4.2 (Deletion of Customer Personal Data) and the return-and-deletion provisions of the Agreement.

2.3 Customer's Processing of Personal Data. You will Process Personal Data in accordance with Applicable Data Protection Law, including any requirement to provide notice to Data Subjects that Tie acts as Your Processor. You are solely responsible for the accuracy, quality, and legality of Personal Data and the means by which You acquired it. You represent and warrant that You have established a lawful basis to Process Personal Data, that Your use of the Services will not violate the rights of any Data Subject, and that You have the right to transfer, or provide access to, Personal Data to Tie for Processing under the Agreement. You will not disclose or make available to Tie, request that Tie Process, or use the Services to Process, Sensitive Personal Data.

2.4 Tie's Processing of Customer Personal Data. Tie will Process Customer Personal Data only for the purpose of providing the Services and in accordance with Your documented instructions. The Agreement (including this DPA) and Your configuration and use of the Services constitute Your complete and final documented instructions. With respect to Customer Personal Data Processed under the Agreement, Tie will:

  • comply with Applicable Data Protection Law at all times;
  • notify You in writing if Tie determines that (i) an instruction from You would breach Applicable Data Protection Law or the Agreement or (ii) Tie can no longer meet its obligations under Applicable Data Protection Law or the Agreement;
  • not Sell Customer Personal Data or Share Customer Personal Data with any third party for the purpose of cross-context behavioral advertising;
  • not retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by Applicable Data Protection Law;
  • not retain, use, or disclose Customer Personal Data outside of the direct business relationship between You and Tie; and
  • not combine Customer Personal Data with Personal Data received from or on behalf of another person, or that Tie collects from its own interactions with Data Subjects, except as permitted under Applicable Data Protection Law.

2.5 De-Identified Data. To the extent Tie receives de-identified data from You, or the Services enable de-identification of Customer Personal Data, Tie will not re-identify, attempt to re-identify, or direct any third party to re-identify such de-identified data. Tie's use of De-Identified Data derived from Customer Data is governed by the Agreement.

2.6 Details of Processing. The subject matter, nature, purpose, and duration of Tie's Processing of Customer Personal Data, the types of Customer Personal Data, and the categories of Data Subjects are set out in Exhibit A (Details of Processing).

3. RIGHTS OF DATA SUBJECTS

To the extent legally permitted, Tie will promptly notify You if Tie receives a Data Subject Request relating to Customer Personal Data. Taking into account the nature of the Processing, and to the extent Tie is legally permitted to do so, Tie will assist You by appropriate technical and organizational measures to fulfill Your obligation to respond to the Data Subject Request under Applicable Data Protection Law. You are solely responsible for responding substantively to Data Subject Requests and for all costs associated with Your response.

4. TIE OBLIGATIONS

4.1 Assistance to Customer. Tie will provide You with reasonable assistance in conducting data protection impact assessments, responding to requests from regulatory authorities, and performing prior consultations with regulatory authorities, in each case only to the extent required by Applicable Data Protection Law and taking into account the nature of the Processing and the information available to Tie.

4.2 Deletion of Customer Personal Data. On termination or expiration of the Agreement, Tie will make Customer Personal Data available for export for thirty (30) days in accordance with Section 10.4 of the Agreement. After that period, Tie will delete Customer Personal Data, subject to any longer retention required by law, legal hold, or routine encrypted backups that will be deleted in accordance with Tie's standard retention practices. If Tie is required by law to retain any Customer Personal Data, Tie will retain the minimum amount required and will continue to safeguard it in accordance with this DPA.

4.3 Confidentiality of Personnel. Tie will ensure that all persons Processing Customer Personal Data on its behalf, including its and its Subprocessors' employees, agents, and contractors, are subject to a contractual or statutory duty of confidentiality with respect to Customer Personal Data.

4.4 Security. Tie will implement and maintain the technical and organizational measures set forth in Section 4 (Security) of the Agreement and summarized in Exhibit B to this DPA, designed to ensure the security of Customer Personal Data.

4.5 Records; Reports; Audits. Tie will maintain records regarding its Processing of Customer Personal Data as required by Applicable Data Protection Law. To demonstrate compliance with this DPA, Tie will provide, upon Your reasonable written request no more than once per calendar year, its then-current SOC 2 Type II report and an executive summary of its most recent independent penetration test, in each case subject to Your confidentiality obligations under the Agreement. If a further on-site audit is required by Applicable Data Protection Law or by a regulatory authority with jurisdiction over You, Tie will cooperate in good faith with a mutually agreed audit at Your expense, on at least sixty (60) days' prior written notice, at a time and manner that minimizes disruption to Tie's operations, and no more than once per calendar year, subject to reasonable confidentiality and operational restrictions.

4.6 Third-Party Disclosure Requests. Unless prohibited by law, Tie will notify You of any inquiry, communication, request, or complaint from a government authority or private entity relating to Tie's Processing of Customer Personal Data. Tie will not disclose Customer Personal Data to any such person or entity unless legally required to do so and, in that event, will proceed in accordance with Section 8 (Government Access Requests).

5. DATA LOCATION AND CROSS-BORDER TRANSFERS

5.1 U.S. Data Residency. Tie Processes Customer Personal Data solely within the United States. Tie will not transfer Customer Personal Data outside the United States without Your prior written consent. The provisions of Sections 5.2 through 5.5 apply only if Tie transfers Customer Personal Data outside the United States with Your consent or, in the future, generally expands its Processing outside the United States on notice to You in accordance with Section 11.

5.2 EEA Transfers. To the extent Tie transfers Customer Personal Data from the European Union or European Economic Area to a country that does not ensure an adequate level of protection according to the European Commission, the EU SCCs will apply, as follows:

  • Module 2 (Controller-to-Processor) will apply where You are the data exporter and Tie is the data importer;
  • the optional docking clause (Clause 7) will not apply;
  • Clause 9, Option 2 (general written authorization) will apply, in accordance with Section 6 of this DPA;
  • the optional language in Clause 11 will not apply;
  • Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
  • under Clause 18(b), disputes will be resolved by the courts of Ireland;
  • Annex I of the EU SCCs will be deemed completed with the information set out in Exhibit A;
  • Annex II of the EU SCCs will be deemed completed with the information set out in Exhibit B; and
  • Annex III of the EU SCCs will be deemed completed with the information set out in Exhibit C.

5.3 UK Transfers. To the extent Tie transfers Customer Personal Data from the United Kingdom to a country that does not ensure an adequate level of protection according to the UK Information Commissioner's Office, the UK SCCs will apply, as follows:

  • the Parties' contact information required by Table 1 is satisfied by the information in Exhibit A;
  • the Approved EU SCCs in Table 2 are the EU SCCs, Module 2 (Controller-to-Processor), as set out in Section 5.2 of this DPA;
  • the requirements of Table 3 are satisfied by the information in Exhibits A, B, and C; and
  • under Table 4, the Importer will have the rights described in Section 19 of the UK SCCs.

5.4 Swiss Transfers. To the extent Tie transfers Customer Personal Data from Switzerland to a country that does not ensure an adequate level of protection according to the Swiss Federal Data Protection and Information Commissioner: (a) the term "Member State" as used in the EU SCCs will be read to include Switzerland and Data Subjects in Switzerland; and (b) Data Subjects whose regular place of residence is Switzerland may bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the EU SCCs.

5.5 Other Jurisdictions. For transfers from jurisdictions not addressed above, Tie will cooperate with You in good faith to ensure the transfers comply with Applicable Data Protection Law, including by amending this DPA or entering into applicable model agreements.

5.6 Supervisory Authority. The competent supervisory authority in Ireland is designated for purposes of the EU SCCs, and applies only in the event of EU transfers under Section 5.2.

6. SUBPROCESSORS

6.1 Authorization; Liability. You authorize Tie to engage Subprocessors to Process Customer Personal Data under the Agreement. Tie will remain responsible for its Subprocessors' acts and omissions to the same extent as if performed by Tie. Tie will impose on each Subprocessor written contractual obligations that are substantially similar to, and no less protective than, those imposed on Tie under this DPA.

6.2 Current Subprocessors. The current list of Subprocessors is set out in Exhibit C and is updated from time to time at https://www.tieqc.com/legal.

6.3 New Subprocessors; Objection Right. Tie will provide You with notice at least thirty (30) days before authorizing a new Subprocessor to Process Customer Personal Data. You may object to a new Subprocessor for reasonable data protection grounds by notifying Tie in writing within thirty (30) days after receipt of Tie's notice. If the Parties cannot resolve Your objection in good faith, You may terminate the affected Services and receive a pro rata refund of any prepaid, unused fees for the terminated portion of the Term.

7. SECURITY INCIDENT NOTIFICATION

Tie will notify You without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident. Tie's notice will include information reasonably necessary to allow You to meet Your notification obligations under Applicable Data Protection Law. Tie will investigate each Security Incident, take reasonable steps to mitigate its effects, and provide You with reasonable cooperation to satisfy Your legal obligations in relation to the Security Incident. This Section 7 is consistent with, and supplemented by, Section 4.3 of the Agreement (Security Incident Notification).

8. GOVERNMENT ACCESS REQUESTS

If Tie receives a legally binding request from a public authority to access Customer Personal Data, Tie will, unless legally prohibited, promptly notify You. Tie will challenge any request that, after careful assessment, it concludes is unlawful. Tie will provide the minimum amount of information legally permitted in response to any such request. Tie will promptly notify You if it becomes aware of any direct access by a public authority to Customer Personal Data, to the extent permitted by law.

9. LIMITATION OF LIABILITY

Each Party's and its Affiliates' aggregate liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to Section 9 (Limitation of Liability) of the Agreement. For clarity, Tie's and its Affiliates' total aggregate liability for all claims by You and all of Your Authorized Affiliates arising out of or related to the Agreement and this DPA applies in the aggregate and is subject to a single Cap as defined in the Agreement.

10. U.S. STATE-SPECIFIC PROVISIONS

With respect to Personal Data subject to the CCPA, Tie acts as Customer's Service Provider and Processes such Personal Data solely for the business purpose of providing the Services. Tie will not: (i) Sell Customer Personal Data; (ii) Share Customer Personal Data for cross-context behavioral advertising; (iii) retain, use, or disclose Customer Personal Data for a commercial purpose other than the business purpose of providing the Services or as otherwise permitted by the CCPA; or (iv) retain, use, or disclose Customer Personal Data outside of the direct business relationship between You and Tie. Tie certifies that it understands the restrictions set forth in this Section and will comply with them. This Section 10 also applies to Personal Data subject to any other U.S. state privacy law with materially equivalent requirements.

11. GENERAL

11.1 Order of Precedence. Except as modified in this DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls. In the event of any conflict between this DPA and the Standard Contractual Clauses incorporated herein, the Standard Contractual Clauses control.

11.2 Amendments. Tie may modify this DPA from time to time in accordance with Section 11 (Changes to the Agreement) of the Agreement. Material changes to this DPA are subject to the thirty (30) day advance-notice-and-objection procedure set forth in Section 11 of the Agreement.

11.3 Governing Law. This DPA is governed by the laws of the State of Delaware, without regard to conflicts-of-laws principles, except that the Standard Contractual Clauses are governed as specified therein.

11.4 Severability. If any provision of this DPA is held to be unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, or, if that is not possible, severed, and the remaining provisions will remain in full force and effect.

EXHIBIT A — DETAILS OF PROCESSING OF PERSONAL DATA

A. List of Parties

Data Exporter: Data Exporter (Controller): Customer

  • Name and address: As set forth in the applicable Order Form.
  • Contact person: As set forth in the applicable Order Form.
  • Activities relevant to the transfer: Receipt of the Services as described in the Agreement.
  • Role: Controller (or Business, under the CCPA).
  • Signature and date: The Parties' execution of the Agreement satisfies the signature requirement for the Standard Contractual Clauses.

Data Importer: Data Importer (Processor): Tie QC, Inc.

  • Name: Tie QC, Inc.
  • Address: c/o Cogency Global Inc., 850 New Burton Road, Suite 201, Dover, DE 19904
  • Contact person: Chief Executive Officer, contactus@tieqc.io
  • Activities relevant to the transfer: Provision of the Services as described in the Agreement.
  • Role: Processor (or Service Provider, under the CCPA).
  • Signature and date: The Parties' execution of the Agreement satisfies the signature requirement for the Standard Contractual Clauses.

B. Description of Transfer

Categories of Data Subjects. Data Subjects whose Personal Data appears in the financial and business documents that Customer submits to the Services for quality-control review, which typically includes employees, contractors, executives, investors, counterparties, and other individuals referenced in such documents.

Categories of Personal Data. Personal Data appearing in the financial and business documents that Customer submits to the Services, which may include names, contact information, business titles and roles, employment or professional information, and other Personal Data appearing in the ordinary course of such documents. Customer will not submit Sensitive Personal Data (see Section 2.3).

Sensitive / Special Category Personal Data. None. Customer is prohibited under Section 2.3 from submitting Sensitive Personal Data.

Frequency of Processing / Transfers. Continuous for the duration of the Agreement.

Nature and Purpose of Processing. Provision of the Services as described in the Agreement and any applicable Order Form, including document ingestion, extraction, structuring, automated consistency checks, and generation of Outputs.

Retention Period. Tie will Process Customer Personal Data for the term of the Agreement and this DPA, or until You instruct Tie in writing to cease Processing, and will delete Customer Personal Data in accordance with Section 4.2 of this DPA and Section 10.4 of the Agreement.

Transfers to Subprocessors. Any Subprocessor engaged by Tie will Process Customer Personal Data for the same nature, purpose, and duration as specified above, in each case only to the extent necessary to provide the Services.

C. Competent Supervisory Authority

For purposes of any EU transfers under Section 5.2, the competent supervisory authority is the Irish Data Protection Commission. This designation applies only in the event of such transfers.

EXHIBIT B — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Tie maintains the information security program described in Section 4 (Security) of the Agreement, which is incorporated by reference into this Exhibit B and, together with the summary below, is deemed to satisfy Annex II of the EU SCCs.

The security program includes, at a minimum:

  • SOC 2 Type II certification maintained throughout the term of the Agreement, with the then-current report available to Customer on request in accordance with Section 4.2 of the Agreement;
  • multi-factor authentication for all privileged access to systems that store or process Customer Personal Data;
  • encryption of Customer Personal Data in transit using TLS 1.2 or higher and at rest using industry-standard AES-256 encryption;
  • a vulnerability management and security patching program, including regular vulnerability scans;
  • an independent penetration test conducted at least annually, with an executive summary available to Customer on request in accordance with Section 4.2 of the Agreement;
  • role-based access controls and enforcement of the principle of least privilege, with periodic access reviews;
  • network and system security controls including firewalls, intrusion detection or prevention systems, endpoint protection, and monitoring;
  • a documented incident response program covering identification, investigation, containment, remediation, and Security Incident notification in accordance with Section 7 of this DPA;
  • mandatory periodic data security and privacy training for personnel with access to Customer Personal Data, and contractual confidentiality obligations for all such personnel; and
  • commercially reasonable disaster recovery and business continuity plans designed to support restoration of the Services following an interruption.

Tie may update these measures from time to time, provided that any update does not materially diminish the overall level of protection for Customer Personal Data.

EXHIBIT C — LIST OF SUBPROCESSORS

Tie engages Subprocessors to Process Customer Personal Data in connection with the Services. The current list of Subprocessors, including each Subprocessor’s name, the purpose for which it is engaged, and the categories of Customer Personal Data Processed, is maintained by Tie at https://www.tieqc.com/legal and is updated in accordance with Section 6 of this DPA. Tie will also provide the current list to You on written request.

All Subprocessors currently engaged by Tie Process Customer Personal Data solely within the United States, consistent with Section 5.1 of this DPA and Section 3.5 of the Agreement. Tie will not engage a Subprocessor that Processes Customer Personal Data outside the United States without providing prior notice to You in accordance with Section 6.3 of this DPA.

Tie
XLinkedInInstagram
SOC 2 CompliantFAQTerms of UsePrivacy PolicyTrust CenterContact Us