Sub-processors

Effective Date: September 24, 2025

1. INTRODUCTION

QUINTIX AI INC. (“Company,” “we,” “us,” or “our”) engages selected third-party service providers (“Sub-processors”) to assist in delivering, securing, and improving our Services. This document provides transparency regarding the Sub-processors we utilize and their role in processing data in connection with our Services.

2. OUR COMMITMENTS

In our engagement of Sub-processors, we commit to:

  • Selecting providers that maintain appropriate security and privacy standards
  • Implementing reasonable due diligence in provider selection
  • Ensuring appropriate safeguards for international data transfers
  • Providing transparency about material Sub-processors that directly process customer data
  • Updating this document as appropriate when material changes occur

3. CURRENT SUB-PROCESSORS

3.1 Infrastructure and Hosting

Amazon Web Services (AWS)

  • Purpose: Cloud infrastructure and services
  • Data Categories: Customer data as processed during service delivery
  • Processing Locations: Canada and United States
  • Security Standards: SOC 2 Type II, ISO 27001, PCI DSS Level 1

Google Cloud Platform

  • Purpose: Cloud infrastructure and services
  • Data Categories: Customer data as processed during service delivery
  • Processing Locations: Canada and United States
  • Security Standards: SOC 2 Type II, ISO 27001

3.2 Payment Processing

Stripe, Inc.

  • Services Used: Payments, Billing, Invoicing
  • Purpose: Payment processing, subscription management, and billing
  • Data Categories: Payment card information, billing addresses, transaction history
  • Processing Locations: United States (primary), with local processing in customer regions where available
  • Security Standards: PCI DSS Level 1, SOC 2 Type II

3.3 Productivity and Operations

Google Workspace

  • Services Used: Gmail, Google Drive, Google Docs
  • Purpose: Internal operations, email communications (including transactional and support emails), document collaboration
  • Data Categories: All email communications, support tickets, internal documentation, customer correspondence
  • Processing Locations: United States with global replication
  • Security Standards: SOC 2 Type II, ISO 27001

Linear

  • Purpose: Customer support ticket management and issue tracking
  • Data Categories: Support tickets, customer inquiries, issue descriptions, resolution history
  • Processing Locations: United States
  • Security Standards: SOC 2 Type II

3.4 Analytics and Monitoring

Google Analytics

  • Services Used: Website analytics
  • Purpose: Understanding website usage and improving user experience
  • Data Categories: Anonymized IP addresses, usage patterns, device information
  • Processing Locations: United States
  • Security Standards: Google’s security standards, IP anonymization enabled

Cookiebot

  • Services Used: Consent management platform
  • Purpose: Cookie consent collection and management
  • Data Categories: Consent preferences, cookie settings
  • Processing Locations: European Union
  • Security Standards: GDPR-compliant processor

Application Monitoring

  • Providers: NewRelic, Sentry
  • Purpose: Performance monitoring, error tracking
  • Data Categories: Application logs, error reports
  • Processing Locations: United States
  • Security Standards: Provider-specific

3.5 Artificial Intelligence Services

When AI-enhanced features are enabled, we may use:

Third-Party AI Providers

  • Providers May Include: Various API-based AI services
  • Purpose: Enhanced AI capabilities for specific features
  • Data Categories: User prompts and queries (customer data is not used for provider model training by default)
  • Processing Locations: Varies by provider (typically United States)
  • Important Note: We configure these services to minimize data retention where technically feasible. Specific providers vary based on feature requirements and optimization.

4. DATA TRANSFER SAFEGUARDS

In accordance with our obligations under applicable privacy laws, we implement appropriate safeguards when transferring data internationally, including:

  • Technical measures including encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • Contractual protections appropriate to the nature of the data and destination jurisdiction
  • Compliance with applicable data transfer requirements under Canadian privacy legislation

We do not currently implement European Standard Contractual Clauses (SCCs) as we do not actively market to or target European users. Should our business operations expand to include European markets, we will implement appropriate transfer mechanisms in accordance with applicable requirements.

5. SUB-PROCESSOR UPDATES

5.1 Modification Process

We reserve the right to engage new Sub-processors or modify existing Sub-processor relationships as necessary to maintain and improve our Services. When implementing such changes:

  • This document will be updated to reflect current Sub-processor relationships
  • Material changes affecting the processing of personal data will be indicated with an updated effective date
  • We maintain the right to engage Sub-processors on an emergency basis where necessary for security, legal compliance, or operational continuity

5.2 Notification Procedures

  • Updates to Sub-processor relationships are reflected through updates to this document
  • Significant changes that materially affect data processing may be communicated to active customers through appropriate channels
  • Customers are encouraged to review this document periodically for updates

5.3 Customer Inquiries

Should you have concerns regarding any Sub-processor relationship:

  • Direct inquiries to privacy@quintix.ai for privacy-related matters
  • Review our Privacy Policy for information regarding your data rights
  • Consider whether optional features that rely on specific Sub-processors align with your requirements

6. SECURITY AND COMPLIANCE

6.1 Security Incident Response

In the event that a Sub-processor experiences a security incident affecting customer data:

  • We will comply with notification requirements as specified in our Privacy Policy
  • We will coordinate with the affected Sub-processor to understand and mitigate the impact
  • Incident response procedures will be implemented in accordance with our established protocols

7. SUB-PROCESSOR GOVERNANCE

7.1 Relationship Structure

The relationship between Company and Sub-processors is structured as follows:

  • Where we act as data processor for our customers: Sub-processors function as our sub-processors
  • Where we act as data controller: Sub-processors function as our processors
  • All Sub-processor relationships are governed by appropriate service terms

7.2 Selection and Oversight

We select Sub-processors based on:

  • Industry reputation and demonstrated reliability
  • Appropriate security certifications and attestations where available
  • Alignment with our operational and security requirements
  • Service terms that provide appropriate protections

Note: We primarily operate under standard commercial terms offered by established service providers.

7.3 Operational Considerations

  • Sub-processor practices may evolve over time
  • Certain Sub-processors may engage their own service providers
  • Processing locations may vary based on service architecture and optimization

8. CONTACT INFORMATION

For inquiries regarding our Sub-processor relationships or data processing practices:

Privacy Inquiries: privacy@quintix.ai
Legal Inquiries: legal@quintix.ai

Mailing Address:
QUINTIX AI INC.
Attn: Privacy Officer
1255 Peel St, Suite 1000
Montreal, QC H3B 2T9
Canada

This Sub-processors document forms part of our comprehensive privacy framework and should be read in conjunction with our Privacy Policy and Terms & Conditions.