QNSP
Start building free
Why QNSP
The Quantum ImperativeWhy QNSPPQC Migration GuideCompetitive AnalysisVet PQC Vendors
Platform
Platform ArchitectureCapabilitiesUse Cases by IndustryKnowledge BaseBlogResearch
Trust
Trust HubCompliance MappingNIST ACVP ConformancePerformance BenchmarksEntropy ChainAlgorithm CatalogSystem Status
Developers
Developer HubUse CasesAI Assistants (MCP)
PricingContactStart building free

Data Processing Addendum (DPA)

Processor terms for QNSP Cloud — GDPR Article 28, UK GDPR, and Singapore PDPA. Includes the current sub-processor list and notification commitments.

Last updated: 2026-05-15

This page summarises the Data Processing Addendum (DPA) that applies when CUI Labs (Pte.) Ltd. processes personal data on your behalf as a data processor through QNSP Cloud. The DPA is incorporated into the Terms of Service and is available as a counter-signed agreement on request.

Parties and roles

Controller: you (or your organization), as the entity that determines the purposes and means of processing Customer Data.

Processor: CUI Labs (Pte.) Ltd. ("CUI Labs"), a company incorporated in Singapore with registered office at 552 Ang Mo Kio, Avenue 10, #21-1982, Cheng San Place, Singapore 560552.

For personal data CUI Labs collects directly — for example, your account-holder data when you sign up — CUI Labs acts as a controller under the Privacy Policy.

Scope and subject matter

This DPA governs processing of Customer Data that you submit to QNSP Cloud — secrets, encrypted objects, search indexes, audit events, key material handles, and metadata generated by your applications.

The duration of processing is the duration of your subscription, plus any retention period required by law or your plan's audit-trail-retention configuration.

Purposes of processing

  • Provide the QNSP Cloud services you have subscribed to.
  • Operate, maintain, secure, and improve QNSP — including capacity management, performance monitoring, and security incident detection.
  • Respond to your support requests.
  • Comply with legal obligations and lawful requests from authorities.

Categories of data subjects and personal data

Customer Data may include personal data of your employees, contractors, customers, or end users, depending on how you use QNSP. CUI Labs does not direct the contents of Customer Data and does not inspect Customer Data except as required to provide the services or as authorised by you.

Processor obligations

CUI Labs will:

  • Process Customer Data only on documented instructions from you (the controller) — your QNSP Cloud configuration constitutes documented instructions for the standard processing required to deliver the services.
  • Ensure personnel authorised to process Customer Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures (see Security below).
  • Engage sub-processors only under the conditions described under "Sub-processors".
  • Assist you with data-subject requests, security incident notifications, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of processing and the information available to CUI Labs.
  • At the end of the provision of services, delete or return all Customer Data, subject to any retention required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. Audits are subject to reasonable confidentiality and scheduling terms.

Security

CUI Labs implements technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include, at a minimum:

  • Encryption in transit (TLS 1.3, with hybrid post-quantum key exchange on the edge-gateway).
  • Encryption at rest with managed and customer-controlled keys (KMS, vault, SSE-X storage).
  • Hardware-backed key management for enterprise and government tiers (CloudHSM, BYO HSM, air-gapped enclaves).
  • SPIFFE-based service identity, mTLS for all inter-service traffic, JWT audience validation on every protected route, tenant isolation enforced at the proxy layer.
  • Tamper-evident audit trails (PQC-signed Merkle-tree audit chain), immutable retention per plan configuration.
  • Continuous monitoring, intrusion detection, and a published incident-response procedure (see the Security page).

Sub-processors

You authorise CUI Labs to engage the sub-processors listed below to process Customer Data on behalf of CUI Labs in connection with the provision of QNSP. CUI Labs will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.

Sub-processorPurposeHosting regionTransfer mechanism
Amazon Web Services (AWS)Primary cloud infrastructure for QNSP Cloud — compute (ECS, Lambda), storage (S3, RDS), networking (CloudFront, ELB), key management (KMS, Secrets Manager).Singapore (ap-southeast-1)EU SCCs + UK IDTA in place for EU/UK customer data routed through AWS edges.
StripeSubscription billing, payment processing, tax calculation, and invoicing for self-serve plans.Global (controller-to-processor)Stripe's published SCCs; cardholder data is tokenised and never touches QNSP infrastructure.
Namecheap (PrivateEmail)Transactional email delivery for account verification, invoices, support correspondence, and incident notifications.United StatesEU SCCs in place for EU/UK recipient addresses.
CloudflareDNS authoritative resolution and DDoS protection for cuilabs.io and qnsp.cuilabs.io zones.Global edge networkCloudflare's data processing addendum + EU SCCs.
GitHub (Microsoft)Source-code hosting, CI/CD orchestration for QNSP build pipelines. Customer Data is never stored in GitHub.United StatesMicrosoft EU Data Boundary commitments + SCCs.
npm, Inc. (GitHub Packages)Public SDK distribution. No Customer Data is processed; only published artifact metadata.United StatesNot applicable — public package registry.

Notification of changes

CUI Labs will provide reasonable advance notice (typically 30 days) before engaging a new sub-processor that processes Customer Data, via update to this page and, for enterprise customers, via your designated administrative contact. You may object on reasonable, documented grounds; if the objection cannot be resolved, you may terminate the affected services as your sole remedy.

International transfers

QNSP Cloud is operated from Singapore by default. Where Customer Data is transferred to a jurisdiction without an adequacy decision (e.g. transfers from the EU/EEA to the United States via a sub-processor), CUI Labs relies on:

  • EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), where applicable.
  • UK International Data Transfer Addendum (IDTA), where applicable.
  • Equivalent contractual safeguards under the Singapore PDPA and other applicable privacy laws.

Personal data breach notification

CUI Labs will notify you without undue delay (and in any event within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer Data, providing the information you reasonably need to meet your own notification obligations under GDPR Article 33, PDPA, or equivalent laws.

Requesting a counter-signed DPA

If your procurement process requires a counter-signed Data Processing Addendum, contact qnsp-legal@cuilabs.io with your legal entity name, registered address, and jurisdiction. We will return a signed copy of the standard DPA within 5 business days for most cases. Customers on enterprise and government tiers may negotiate bespoke terms.

Contact

Privacy or DPA questions: qnsp-legal@cuilabs.io.