Data Processing Addendum

Effective March 4, 2026

Data Processing Addendum

Last Updated: March 4, 2026

To the extent Quince processes any Personal Data in connection with the services, this Data Processing Addendum (“Addendum”) is incorporated into and forms part of the Quince Logistics Solutions, LLC Commercial Terms or other agreement governing Customer’s use of Quince’s services (the “Agreement”) between Quince Logistics Solutions, LLC (“Quince” or “Provider”) and the customer that has accepted the Agreement (“Customer”). By accepting the Agreement, Customer agrees to the terms of this Addendum.

1. Definitions

For the purposes of this Addendum:

  • “Personal Data” or “Personal Information” means any information relating to an identified or identifiable individual, including as defined under applicable data protection laws, such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and Quebec’s Act to Modernize Legislative Provisions as Regards the Protection of Personal Information (“Law 25”).
  • “Data Controller” means the entity that determines the purposes and means of processing Personal Data.
  • “Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.
  • “Data Protection Laws” or “Canadian Privacy Laws” means all applicable data protection and privacy laws, including but not limited to GDPR, CCPA, PIPEDA, Law 25, and substantially similar provincial privacy laws.

2. Purpose and Scope

Quince, in providing end-to-end logistics services, may receive Personal Data from Customer, including customer names, addresses, phone numbers, email addresses, and order details (collectively, “Customer Data”). Quince agrees to process Customer Data only as necessary to perform its obligations under the Agreement, in accordance with the terms set forth in this Addendum and in compliance with all applicable Data Protection Laws, including Canadian Privacy Laws.

3. Roles and Responsibilities

  • Data Controller: Customer is the Data Controller with respect to Customer Data.
  • Data Processor: Quince is the Data Processor with respect to Customer Data.

As Data Processor, Quince shall:

  • Process Customer Data only in accordance with the instructions provided by Customer.
  • Not use Customer Data for any purposes other than those set forth in this Addendum or the Agreement.
  • Ensure that any personnel or sub-processors who have access to Customer Data are subject to confidentiality obligations and receive appropriate training regarding data protection.

4. Compliance with Data Protection Laws

Quince shall comply with all applicable Data Protection Laws, including GDPR, CCPA, PIPEDA, and Law 25. Quince shall:

  • Implement appropriate technical and organizational measures to ensure the security of Customer Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  • Not disclose or transfer Customer Data to any third parties, except as necessary to perform the services under the Agreement or as required by law.
  • Provide assistance to Customer, as necessary, to fulfill Customer’s obligations under the Data Protection Laws (including Canadian Privacy Laws), including responding to requests for data access, rectification, erasure, and data portability from data subjects.
  • Process Personal Information in accordance with PIPEDA principles (where applicable) of accountability, consent, limiting use, safeguarding, and individual access.
  • Ensure consent, where required under Canadian laws (where applicable), is obtained and documented appropriately.
  • Acknowledge that Quince is accountable for Personal Data transferred to it by Customer and shall use contractual and other means to provide a comparable level of protection while the information is being processed by Quince or its Sub-processors.

5. Sub-processors

Quince may engage sub-processors to process Customer Data on behalf of Customer. Customer hereby provides general authorization for Quince to engage sub-processors, subject to the following conditions:

  • Ensure that any sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures for data protection.
  • Enter into a written agreement with each sub-processor that imposes the same data protection obligations as those set out in this Addendum.
  • Maintain a current list of sub-processors on Quince’s website or upon Customer’s request, and provide reasonable advance notice of any new or replacement sub-processors. Customer may object to a new sub-processor on reasonable grounds within fifteen (15) days of notice; if Quince cannot accommodate the objection, Customer may terminate the affected services.

6. Data Subject Rights

Quince shall:

  • Taking into account the nature of the processing, assist Customer, at Customer’s sole expense, in responding to data subject requests related to Customer Data, including requests for access, rectification, erasure, restriction, and data portability, within commercially reasonable timeframes.
  • Notify Customer immediately upon receiving any request from a data subject to exercise their rights under applicable data protection laws, unless prohibited by law.

7. Data Retention and Deletion

Quince shall retain Customer Data only for as long as necessary to fulfill the purposes of the Agreement or as required by applicable law. Upon termination of the Agreement, Quince shall, at Customer’s election and written request made within thirty (30) days of termination:

  • Delete or anonymize Customer Data in its possession within a commercially reasonable timeframe, except where retention is required by law or for legitimate business purposes (such as backup archives); or
  • Return Customer Data in a commonly used format, subject to Customer’s payment of any reasonable costs associated with such return. Quince shall certify deletion upon Customer’s request.

8. Data Breach Notification

In the event of a data breach or security incident affecting Customer Data, Quince shall:

  • Notify Customer without undue delay after confirming a breach that affects Customer Data, and in any event within seventy-two (72) hours of such confirmation where required by applicable law.
  • Provide Customer with sufficient information to allow Customer to assess the nature and impact of the breach and comply with applicable breach notification requirements under Data Protection Laws.
  • Cooperate with Customer in fulfilling obligations under GDPR, CCPA, and Canadian Privacy Laws, including reporting to the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec, where required.
  • Cooperate with Customer in taking appropriate remedial actions and mitigating the effects of the breach.

9. Audit Rights

Upon Customer’s written request and no more than once per calendar year, Quince shall make available to Customer information reasonably necessary to demonstrate compliance with this Addendum. Such information may include summary audit reports, certifications (e.g., SOC 2, ISO 27001), or responses to reasonable written inquiries. If Customer requires an on-site audit beyond the foregoing, such audit shall be conducted at Customer’s sole expense, during normal business hours, with reasonable advance notice, and subject to appropriate confidentiality obligations.

10. International Data Transfers

If Quince processes Customer Data in a jurisdiction outside the European Economic Area (EEA) or other jurisdiction with equivalent data protection laws, Quince shall ensure that such processing complies with the applicable international data transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions, etc.).

Where Customer Data includes Personal Information of Canadian residents and is transferred outside Canada, Quince shall:

  • Ensure equivalent protection in accordance with PIPEDA and Law 25.
  • Maintain transparency regarding jurisdictions of storage and processing.
  • Implement contractual or technical safeguards to ensure adequate protection.

11. Liability and Indemnification

Quince’s total aggregate liability arising out of or relating to this Addendum, whether in contract, tort, or otherwise, shall not exceed the amounts paid by Customer to Quince under the Agreement in the twelve (12) months preceding the claim. In no event shall Quince be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, or business opportunities, even if advised of the possibility of such damages.

12. Termination

Upon termination of the Agreement, this Addendum shall remain in effect until all Customer Data is deleted or anonymized, or as otherwise required by applicable law.

13. Miscellaneous

  • Amendments: Quince may update this Addendum from time to time to reflect changes in applicable Data Protection Laws or Quince’s data processing practices. Material changes will be posted on Quince’s website with reasonable advance notice. Continued use of the services after such changes constitutes acceptance.
  • Governing Law: This Addendum shall be governed by the laws of the State of Delaware.
  • Conflict: In the event of any conflict between the Agreement and this Addendum, the terms of this Addendum shall prevail with respect to the processing of Customer Data.