Glia Quest — Data Processing Agreement Addendum
Effective date: 25 April 2026
1. Introduction and Incorporation
1.1 This Addendum
This Data Processing Agreement Addendum (this "DPA") forms part of the agreement between Glia Hong Kong Holdings Co., Limited ("Glia Quest") and the Customer (the "Agreement") and applies to the Processing by Glia Quest of Personal Data on behalf of the Customer in connection with the Service.
1.2 Acceptance
This DPA takes effect on the date the Customer accepts the Terms of Service or, if later, the date the Customer first submits Personal Data through the Service. By accepting the Terms of Service the Customer is deemed to have entered into this DPA on behalf of itself and, to the extent required by Applicable Data Protection Law, on behalf of any of its affiliates whose Personal Data is processed under the Agreement.
1.3 Order of Precedence
In case of conflict between this DPA and the Terms of Service, this DPA prevails in respect of the subject matter of this DPA. In case of conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses prevail.
1.4 Definitions
In this DPA, the following definitions apply. Other capitalised terms have the meanings given in the Terms of Service.
(a) "Applicable Data Protection Law" means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, the Singapore PDPA and the PDPO of Hong Kong.
(b) "Customer Personal Data" means Personal Data that is Processed by Glia Quest on behalf of the Customer in connection with the Service.
(c) "Data Subject", "Processing", "Personal Data", "Personal Data Breach", "Controller" and "Processor" have the meanings given in the GDPR.
(d) "Restricted Transfer" means a transfer of Personal Data that requires a transfer mechanism under Chapter V of the GDPR or the UK GDPR.
(e) "Standard Contractual Clauses" or "SCCs" means: (i) for transfers from the EEA, the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021 (Implementing Decision (EU) 2021/914); (ii) for transfers from the United Kingdom, the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018; and (iii) for transfers from Switzerland, the SCCs as amended pursuant to guidance from the Swiss Federal Data Protection and Information Commissioner.
(f) "Sub-Processor" means any third party engaged by Glia Quest to Process Customer Personal Data.
2. Roles of the Parties
2.1 Allocation of Roles
The Parties acknowledge that, in respect of the Processing of Personal Data under the Agreement, the following allocation applies.
| Scenario | Glia Quest's Role |
|---|---|
| Processing of the Customer's Account data (name, email, company) to provide the Service | Independent Controller |
| Processing of usage analytics for Glia Quest's own service operation, security and improvement | Independent Controller |
| Processing of Target URLs, Credentials and Test Run configuration submitted by the Customer to perform Test Runs | Processor on behalf of the Customer |
| Processing of any personal data of the Customer's end users that is incidentally encountered by the AI agent during authenticated Test Runs | Sub-Processor in the Customer's data supply chain |
| Processing of payment-associated data passed to Stripe | Independent Controller |
2.2 Compliance with Roles
Where Glia Quest acts as a Controller, its Processing is governed by the Privacy Policy. Where Glia Quest acts as a Processor or Sub-Processor, its Processing is governed by this DPA.
2.3 Customer's Status
The Customer warrants that, in respect of Customer Personal Data, it acts as a Controller or, as the case may be, a Processor with the necessary authority to engage Glia Quest. Where the Customer is itself a Processor, it warrants that the Controller has authorised it to engage Glia Quest as a Sub-Processor on the terms of this DPA.
3. Subject Matter and Details of Processing
3.1 Annex of Processing Details
The subject matter, nature, purpose and duration of the Processing, the types of Personal Data and the categories of Data Subjects are described in Schedule 1 (Details of Processing). The Customer may augment Schedule 1 by giving written notice to Glia Quest where required by Applicable Data Protection Law.
3.2 Authenticated Testing
The Parties acknowledge that, where the Customer enables authenticated testing by submitting Credentials, the AI agent may transiently render personal data of the Customer's end users while navigating the application. Glia Quest:
(a) does not intentionally collect or store such end-user personal data, beyond screenshots that are deleted in accordance with the retention periods set out in the Privacy Policy;
(b) Processes such data solely to perform the Test Run as instructed by the Customer; and
(c) Processes such data as a Processor on behalf of the Customer (or as a Sub-Processor where the Customer is itself a Processor in respect of that data).
The Customer is responsible for ensuring that its instructions to Glia Quest, including the submission of Credentials, are lawful and consistent with the Customer's own privacy notices and agreements with end users.
4. Obligations of Glia Quest
4.1 Processing Only on Instructions
Glia Quest shall Process Customer Personal Data only on the documented instructions of the Customer, including with regard to Restricted Transfers, except where Applicable Data Protection Law requires otherwise. The Customer's instructions are: (i) the Agreement; (ii) the Customer's use of the Service from time to time; and (iii) any other reasonable written instructions consistent with the Agreement. Glia Quest shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice).
4.2 Confidentiality of Personnel
Glia Quest shall ensure that any person it authorises to Process Customer Personal Data is bound by a duty of confidentiality (whether contractual or statutory) and is subject to access controls based on need to know.
4.3 Security Measures
Glia Quest shall implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, that data. The measures in force from time to time are set out in Schedule 2 (Technical and Organisational Measures).
4.4 Sub-Processors
(a) General Authorisation. The Customer gives Glia Quest general authorisation to engage Sub-Processors. The Sub-Processors authorised at the date of this DPA are listed in Schedule 3 (Sub-Processors).
(b) Sub-Processor Obligations. Glia Quest shall enter into a written agreement with each Sub-Processor that imposes obligations on the Sub-Processor that are no less protective than those imposed on Glia Quest under this DPA. Glia Quest remains liable to the Customer for the acts and omissions of its Sub-Processors as if they were its own.
(c) Notice of Changes. Glia Quest shall give the Customer at least thirty (30) days' prior written notice (which may be by email or by updating Schedule 3 and the Sub-Processor list published at glia.quest) of any addition or replacement of a Sub-Processor.
(d) Right to Object. The Customer may object to the engagement of a new Sub-Processor on reasonable grounds relating to data protection within thirty (30) days of receiving notice. Where the Customer objects, the Parties shall discuss the matter in good faith. If the Parties cannot agree a resolution, the Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service on written notice and receive a pro-rata refund of unused Credits attributable to that portion.
4.5 Assistance with Data Subject Rights
Taking into account the nature of the Processing, Glia Quest shall provide the Customer with reasonable assistance through appropriate technical and organisational measures, insofar as possible, to enable the Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability and objection). Where the Customer cannot fulfil a Data Subject request through the self-service functionality of the Service, Glia Quest shall provide further reasonable assistance on request.
4.6 Assistance with Compliance Obligations
Glia Quest shall provide the Customer with reasonable assistance, taking into account the nature of the Processing and the information available to Glia Quest, in respect of the Customer's obligations under Articles 32 to 36 of the GDPR (security of Processing, breach notification, communication to Data Subjects, data protection impact assessments and prior consultation).
4.7 Personal Data Breach
Glia Quest shall notify the Customer without undue delay, and in any event within twenty-four (24) hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall, to the extent the information is then available, describe: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach; and (d) the contact point at Glia Quest for further information. Glia Quest shall provide further information as it becomes available.
4.8 Records
Glia Quest shall maintain records of its Processing activities under this DPA as required by Article 30 of the GDPR and shall make those records available to the Customer or to a supervisory authority on reasonable request.
4.9 Deletion or Return on Termination
On termination or expiry of the Agreement, Glia Quest shall, at the Customer's election, delete or return all Customer Personal Data Processed under this DPA within thirty (30) days, save to the extent that Applicable Data Protection Law requires Glia Quest to retain it, in which case Glia Quest shall continue to protect that data in accordance with this DPA for the duration of the retention obligation.
4.10 Audit
(a) Information Rights. Glia Quest shall make available to the Customer all information necessary to demonstrate compliance with this DPA, including responses to a reasonable data protection questionnaire and copies of relevant certifications and audit reports held by Glia Quest or its Sub-Processors.
(b) On-Site Audit. The Customer may, no more than once in any twelve (12)-month period (and otherwise where Applicable Data Protection Law requires or following a Personal Data Breach), audit Glia Quest's compliance with this DPA. Audits shall be carried out on at least thirty (30) days' written notice, during normal business hours, in a manner that does not unreasonably interfere with Glia Quest's business and subject to confidentiality obligations.
(c) Method. Glia Quest may satisfy its audit obligations under this clause 4.10 by providing certifications, audit reports or completed questionnaires in lieu of an on-site audit, where reasonable.
(d) Costs. Each Party bears its own costs in relation to an audit, except where the audit reveals a material non-compliance by Glia Quest, in which case Glia Quest shall reimburse the Customer's reasonable audit costs.
5. Customer Obligations and Warranties
5.1 Lawful Basis
The Customer warrants that it has established a lawful basis under Applicable Data Protection Law for the Processing of Customer Personal Data through the Service, including for the submission of Credentials and Target URLs and for any incidental Processing of end-user personal data during authenticated Test Runs.
5.2 Authority to Test
The Customer reaffirms the authorisation warranty given in the Terms of Service that it has lawful authority to conduct automated browser-based testing of each Target URL submitted to the Service.
5.3 Sensitive Special-Category Data
The Customer warrants that it will not submit Credentials to applications containing sensitive special-category personal data (including health, financial, biometric, children's or genetic data) unless and until the Parties have entered into additional written provisions addressing the Processing of that data, which may include enhanced security commitments and use of Anthropic's zero-data-retention API mode.
5.4 Notices and Consents
The Customer is responsible for providing all notices and obtaining all consents required from Data Subjects under Applicable Data Protection Law in connection with its use of the Service. The Customer shall ensure that its privacy notice fairly describes the role of Glia Quest as a Processor, and any onward transfers to Sub-Processors, where required by Applicable Data Protection Law.
5.5 Lawful Instructions
The Customer warrants that its instructions to Glia Quest under this DPA shall comply with Applicable Data Protection Law and shall not require Glia Quest to act in breach of Applicable Data Protection Law.
6. International Data Transfers
6.1 Transfers Disclosed
The Customer acknowledges that, in connection with the Service, Customer Personal Data may be transferred from Hong Kong, the EEA, the United Kingdom, Switzerland or Singapore (as applicable) to the locations set out in Schedule 3.
6.2 EEA Restricted Transfers
To the extent that a transfer of Customer Personal Data from the EEA to Glia Quest constitutes a Restricted Transfer, the SCCs are incorporated into this DPA as follows:
(a) Module Two (Controller-to-Processor) applies where the Customer is a Controller and Glia Quest is a Processor;
(b) Module Three (Processor-to-Processor) applies where the Customer is a Processor and Glia Quest is a Sub-Processor;
(c) Clause 7 (docking clause) is incorporated;
(d) in Clause 9, Option 2 (general written authorisation) applies and the time period for prior notice of Sub-Processor changes is thirty (30) days;
(e) in Clause 11, the optional language is not used;
(f) in Clause 17, the SCCs are governed by the laws of the Republic of Ireland;
(g) in Clause 18(b), the courts of the Republic of Ireland are designated as the competent courts in respect of any dispute arising from the SCCs;
(h) Annex I, Annex II and Annex III to the SCCs are populated by Schedules 1, 2 and 3 to this DPA respectively, with any additional information reasonably requested by the Customer to be provided on request.
6.3 UK Restricted Transfers
To the extent that a transfer of Customer Personal Data from the United Kingdom to Glia Quest constitutes a Restricted Transfer, the UK International Data Transfer Addendum issued by the UK Information Commissioner is incorporated into this DPA, with the SCCs in clause 6.2 as the approved EU SCCs to which the UK Addendum is appended. The Parties select Option 1 of the UK Addendum and confirm Table 4 of the UK Addendum applies to neither Party.
6.4 Swiss Restricted Transfers
To the extent that a transfer of Customer Personal Data from Switzerland to Glia Quest constitutes a Restricted Transfer, the SCCs are amended to reflect the requirements of the Swiss Federal Data Protection and Information Commissioner: references to the GDPR are interpreted as references to the Swiss Federal Act on Data Protection (FADP); references to "EU member state" do not preclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence; and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
6.5 Onward Sub-Processor Transfers
For onward transfers from Glia Quest to Sub-Processors, Glia Quest has put in place equivalent transfer mechanisms (the SCCs Module Three or Module Four as applicable) with each Sub-Processor identified in Schedule 3, in accordance with clause 4.4(b).
6.6 Transfer Impact
Glia Quest has carried out, and will keep under review, a transfer impact assessment for transfers to Sub-Processors located in the United States. Glia Quest will provide a copy of the relevant transfer impact assessment, or an executive summary of its conclusions, on the Customer's reasonable request.
6.7 Singapore Transfers
For Personal Data brought into or out of Singapore (in particular through the Supabase Sub-Processor in AWS ap-southeast-1), Glia Quest takes appropriate steps under section 26 of the Singapore PDPA to ensure that the recipient is bound by legally enforceable obligations to provide a comparable standard of protection.
7. Liability
7.1 Limitation of Liability
The Parties' liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in clause 11 of the Terms of Service. Nothing in this clause 7 limits any liability that cannot be limited under Applicable Data Protection Law (including liability of either Party to a Data Subject under the third-party-beneficiary rights in the SCCs).
8. Term and Termination
8.1 Term
This DPA takes effect on the date set out in clause 1.2 and remains in force for as long as Glia Quest Processes Customer Personal Data under the Agreement.
8.2 Survival
The obligations in clauses 4.7 (Personal Data Breach), 4.9 (Deletion or Return), 4.10 (Audit), 6 (International Data Transfers) and 7 (Liability) survive termination of this DPA to the extent necessary to give them effect.
9. General
9.1 Updates
Glia Quest may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Sub-Processor arrangements or industry standards. Glia Quest shall give the Customer at least thirty (30) days' prior notice of any update that materially reduces the protections afforded to Customer Personal Data, and the Customer's sole remedy if it does not accept such an update is to terminate the Agreement in accordance with the termination provisions of the Terms of Service.
9.2 Governing Law
This DPA is governed by the laws of the Hong Kong Special Administrative Region, save that the SCCs (where applicable) are governed by the law of the Republic of Ireland as required by Clause 17 of the SCCs.
9.3 Signed Form
The Customer may request a signed PDF copy of this DPA executed by Glia Quest by emailing privacy@glia.quest.
Schedule 1 — Details of Processing
Subject matter of the Processing: provision of the Glia Quest service, including automated browser-based testing of web applications and the generation of associated reports and navigation maps.
Duration of the Processing: for the duration of the Agreement, plus the retention periods set out in the Privacy Policy.
Nature and purpose of the Processing: storing and processing Customer Account data; receiving Target URLs and configuration; executing Test Runs through Sub-Processors; rendering applications and capturing screenshots; generating Work Product; delivering and storing Work Product for the Customer; securing the Service.
Types of Personal Data:
(a) Account data: name, email, password hash, company, country, preferences;
(b) Authentication artefacts: Credentials submitted by the Customer for authenticated testing;
(c) Test Run inputs: Target URLs, configuration data;
(d) Test Run outputs: navigation maps, reachability scores, reports, screenshots (which may incidentally contain end-user personal data);
(e) Usage data: IP address, device information, log data;
(f) Communications: contents of email or support communications.
Categories of Data Subjects:
(a) the Customer's authorised users of the Account;
(b) test users whose Credentials are submitted by the Customer;
(c) end users of the Customer's application whose data may incidentally appear in screenshots or other Test Run output;
(d) prospective customers and waitlist subscribers; and
(e) people who contact Glia Quest.
Sensitive special-category data: not Processed unless the Parties have entered into additional written provisions in accordance with clause 5.3.
Frequency of the Processing: continuous for the duration of the Agreement.
Schedule 2 — Technical and Organisational Measures
Glia Quest applies the following measures, in each case as in force from time to time:
(a) Encryption: TLS 1.2 or higher for data in transit; AES-256 (or equivalent) for Credentials and other sensitive data at rest;
(b) Access controls: role-based access control; least-privilege principle; multi-factor authentication for personnel access to production systems;
(c) Network security: segmented production environment; firewalling; intrusion-detection at the application layer of the Sub-Processors;
(d) Personnel: background checks where lawful; written confidentiality undertakings; security and privacy training;
(e) Change management: code review; access review; logging of administrative actions;
(f) Logging and monitoring: audit logs of access to systems holding Customer Personal Data; security event monitoring;
(g) Backups: encrypted backups of Account data and Work Product, with documented restoration procedures;
(h) Incident response: documented incident-response procedures, including the breach notification commitments in clause 4.7;
(i) Sub-Processor management: contractual obligations on Sub-Processors that are no less protective than those imposed on Glia Quest under this DPA; periodic review;
(j) Retention: deletion of Credentials, screenshots, Test Run inputs and other Customer Personal Data in accordance with the retention periods set out in the Privacy Policy;
(k) Business continuity: documented procedures for service continuity reliant on Sub-Processor capabilities.
The current state of these measures may be evidenced through certifications, security questionnaires or audit reports held by Glia Quest or its Sub-Processors and made available on request under clause 4.10.
Schedule 3 — Sub-Processors
The following Sub-Processors are authorised to Process Customer Personal Data at the effective date of this DPA. The current list is published at glia.quest and updated in accordance with clause 4.4.
| Sub-Processor | Role / Description of Processing | Location of Processing | Transfer Mechanism / DPA Reference |
|---|---|---|---|
| Supabase, Inc. (operated on Amazon Web Services) | Database hosting and authentication: Account data, Work Product, Test Run metadata | Singapore (AWS ap-southeast-1) | Supabase Data Processing Agreement (incorporates EU SCCs and UK Addendum) |
| Anthropic, PBC | AI inference (Claude API): processing of Target URL data, navigation instructions and application structure | United States | Anthropic Data Processing Agreement (incorporates EU SCCs); zero default training; maximum 30-day API retention |
| Browserbase, Inc. | Browser infrastructure for executing Test Runs | United States and European Union | Browserbase Data Processing Agreement (incorporates EU SCCs as applicable) |
| Stripe, Inc. (and Stripe affiliates) | Payment processing | United States | Stripe Data Processing Agreement (incorporates EU SCCs and UK Addendum) |
End of Schedule 3.