Data Processing Agreement

"Controller" means the regulated organization (hedge fund, broker-dealer, family office, RIA, or similar firm) whose CCO establishes and manages the organization account on Quavix Messenger. The Controller determines the purposes and means of processing its employees' and members' communication data.

"Processor" means Quavix, Inc., which processes personal data on behalf of the Controller to deliver the Quavix Messenger service.

"Personal Data" means any information relating to an identified or identifiable natural person, including names, email addresses, message content, IP addresses, and organizational affiliation data processed through the platform.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, archiving, and deletion.

"Sub-Processor" means any third party engaged by Quavix to process Personal Data on behalf of the Controller.

"Compliance Archive" means the immutable, append-only record of all messages sent through the platform, retained for regulatory compliance purposes.

Quavix processes Personal Data on behalf of the Controller solely for the following purposes:

• Delivering the messaging service — transmitting messages between authorized users within and across organizations.
• Compliance archiving — creating and maintaining an immutable record of all communications, as required by applicable financial regulations including SEC Rule 17a-4 and FINRA Rule 4511.
• CCO portal access — making archived communications available to the Controller's authorized compliance personnel for review, search, export, and keyword monitoring.
• Account and seat management — managing user accounts, seat allocations, and access permissions as directed by the Controller.
• Security and audit logging — maintaining access logs and security event records to detect unauthorized access and support regulatory examination responses.

Quavix will not process Personal Data for any purpose other than those listed above without the Controller's prior written instruction, except where required by applicable law.

Data subjects: Employees, members, and authorized users of the Controller's organization; and counterparties with whom those users communicate on the platform.

Categories of Personal Data processed:

• Identity data: full name, email address, job title, role.
• Organization data: firm name, regulatory registration numbers, organizational affiliation at the time of each communication.
• Communication content: the full text of all messages sent through the platform.
• Metadata: timestamps, conversation type, IP addresses, device and browser information.
• Compliance portal activity: records of searches, message views, and exports conducted by the Controller's compliance personnel.

Quavix will process Personal Data for the duration of the Controller's active subscription and, thereafter, for the mandatory data retention period applicable to the Compliance Archive.

The Compliance Archive is subject to a minimum 7-year retention period enforced at the storage infrastructure level (AWS S3 Object Lock in Compliance mode). This retention period cannot be shortened by either party during the retention window, as it reflects a legal obligation rather than a commercial agreement. At the expiry of the retention period, archived records will be permanently deleted.

Non-archive data (account profiles, seat records, billing data) will be retained for the duration of the subscription plus 12 months for reconciliation purposes, then deleted or anonymized.

Quavix will process Personal Data only on the documented instructions of the Controller. The Controller's instructions are deemed to include: (a) the Terms of Service accepted at signup, (b) configuration actions taken through the platform (e.g., adding users, setting keyword monitoring rules, initiating exports), and (c) any written instructions provided to Quavix support.

If Quavix believes an instruction violates applicable law, Quavix will notify the Controller and may decline to act on the instruction.

The compliance archiving obligation is not subject to Controller instruction — Quavix cannot disable archiving on instruction because it is an infrastructure-level mechanism reflecting both parties' regulatory obligations.

Quavix agrees to:

• Process Personal Data only as described in this agreement and the Terms of Service.
• Ensure that personnel with access to Personal Data are bound by appropriate confidentiality obligations.
• Implement and maintain the technical and organizational security measures described in Section 8 and in the Security Overview at /security.
• Notify the Controller without undue delay (and within 72 hours where feasible) if Quavix becomes aware of a personal data breach affecting the Controller's data.
• Assist the Controller in responding to data subject rights requests, to the extent technically possible and consistent with applicable law.
• Make available to the Controller all information reasonably necessary to demonstrate compliance with this agreement, and cooperate with audits conducted by the Controller or its authorized auditor, subject to reasonable advance notice and confidentiality protections.
• Not engage Sub-Processors beyond those listed in Section 9 without providing the Controller with prior notice and an opportunity to object.

If Quavix receives a data subject rights request (access, rectification, erasure, portability, objection) directly from a data subject whose data is processed under this agreement, Quavix will promptly forward the request to the Controller and will not respond to the data subject directly except as instructed by the Controller or required by law.

Quavix will assist the Controller in fulfilling data subject requests to the extent technically feasible. For erasure requests specifically: Quavix will delete or anonymize account-level personal data on valid request, but cannot delete records from the Compliance Archive during the mandatory retention period. Quavix will communicate this limitation clearly to the Controller and, through the Controller, to the data subject.

Quavix implements the following measures to protect Personal Data against unauthorized access, loss, or destruction:

• Encryption in transit: All data transmitted between users and the platform is encrypted using TLS 1.2 or higher.
• Encryption at rest: All stored data is encrypted using AES-256.
• Compliance archive immutability: Message archives are stored using AWS S3 Object Lock in Compliance mode (WORM storage), preventing deletion or overwriting for the duration of the retention period.
• Access controls: Role-based access controls restrict data access to authorized personnel only. Compliance archive access is limited to users with explicit compliance portal permissions.
• Access logging: All access to the compliance portal and sensitive functions is logged with actor identity, action, timestamp, and IP address.
• Infrastructure isolation: Each organization's compliance data is logically isolated within the platform.
• Breach detection: We monitor for unauthorized access patterns and maintain an incident response plan.

Full details are available in the Security Overview.

The Controller authorizes Quavix to engage the following Sub-Processors. Quavix will impose data processing obligations on each Sub-Processor equivalent to those in this agreement.

Quavix will provide the Controller with at least 14 days' advance notice before adding or replacing Sub-Processors, allowing the Controller to object. If the Controller objects and Quavix cannot accommodate the objection, either party may terminate the agreement.

Personal Data is processed in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, Quavix relies on the Standard Contractual Clauses (SCCs) issued by the European Commission (Controller-to-Processor module), which are incorporated by reference into this agreement. Copies are available on request at legal@quavix.com.

On termination of the Controller's subscription, Quavix will:

• Provide the Controller with a 90-day window to export all compliance archive records in JSONL format via the compliance portal.
• After the 90-day window, delete all account-level Personal Data (user profiles, seat records, configuration data).
• Retain Compliance Archive records for the remainder of the mandatory 7-year retention period, after which they will be permanently deleted.

The Controller may request a certificate of deletion for account-level data. We cannot issue a certificate of deletion for Compliance Archive records during the retention period, as deletion is technically prevented by the S3 Object Lock configuration.

This Data Processing Agreement is incorporated by reference into the Quavix Messenger Terms of Service. By completing the regulated organization onboarding flow, the CCO or authorized representative of the Controller accepts this agreement on behalf of their organization. Acceptance is recorded with a timestamp in our systems.

For questions or to request a signed copy of this agreement for your records: legal@quavix.com