IonQ Data Processing Addendum v1.2

Last revised on: December 6, 2023

This Data Processing Addendum (“DPA”) is entered into by and between IonQ, Inc. (“IonQ”) and you (“Client” or “you”) and sets forth the parties’ obligations with respect to the Processing of Personal Data (definitions below). For purposes of this DPA, the “Agreement” refers to that certain agreement between you and IonQ, under which IonQ provides quantum computing and/or consulting services to you (as applicable to you). This DPA is incorporated by reference into the Agreement.

A. Definitions

Some capitalized terms are defined in this section, and others are defined contextually elsewhere in this DPA. Any capitalized terms that are not defined in this DPA have the meanings assigned to such terms in the Agreement.

“Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. along with its associated amendments in the California Privacy Rights Act of 2020 (“CCPA”), as well as U.S. state laws similar to the CCPA (together with the CCPA, as they become effective, the “U.S. State Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”). For the avoidance of doubt, if IonQ’s Processing activities involving Personal Data are not within the scope of a given Data Privacy Law, such law is not applicable for purposes of this DPA.

“Data Subject” means an identified or identifiable natural person about whom Personal Data relates.

“EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.¹

“Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms will have the same meaning as defined by applicable Data Privacy Laws, that is Processed in connection with the purchase or performance of the Services under your Agreement. In light of the protections afforded by Data Privacy Laws and this DPA, Personal Data is not considered Confidential Information under the Agreement.

“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Subprocessing” means any sub-contracted Processing that relates directly to the provision of the Services. This does not include ancillary services, such as telecommunication services, postal or transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. A “Subprocessor” is the person with which IonQ has sub-contracted such Processing.

“Subprocessor List” means the list of Subprocessors available here.

“UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner’s Office and in force as of 21 March 2022.²

B. IonQ as a Processor

This section applies to the applicable Services listed in Schedule D.

1. Scope and Purposes of Processing

With respect to the applicable Services referenced in Schedule D, IonQ will act as a “[sub]processor” or “service provider” (as defined by and as applicable under applicable Data Privacy Laws) and Process Personal Data in connection with such applicable Services solely: to fulfill our obligations to you under the Agreement, including this DPA; and on your behalf pursuant to your instructions. In compliance with Data Protection Laws, IonQ will not: (i) “sell” Personal Data (as such term is defined in applicable Data Protection Laws); (ii) “share” or Process Personal Data for purposes of “cross-context behavioral advertising” or “targeted advertising” (as such terms are defined in applicable Data Protection Laws); (iii) retain, use, or disclose Personal Data outside of the Agreement or outside of the direct business relationship between Client and IonQ; (iv) combine Personal Data with personal information received from other sources; (v) attempt to link, identify, or otherwise create a relationship between Personal Data and non-personal data or any other data without your express authorization; or (vi) otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein or outside of the Agreement. IonQ will provide the same level of protection for the Personal Data subject to the CCPA as is required under the CCPA. The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including without limitation Schedule D to this DPA. The details provided in Schedule D are deemed to satisfy any requirement to provide such details under any Data Protection Law. Client has the right to take reasonable and appropriate steps to (a) ensure that IonQ is using the Personal Data consistent with applicable Data Privacy Law, and (b) stop and remediate unauthorized use of the Personal Data.

2. Scope and Purposes of Processing

2.1

IonQ will, to the extent legally permitted, promptly notify you or refer the Data Subject to you for handling if we receive any requests from a Data Subject seeking to exercise any rights afforded to them under Data Privacy Laws regarding their Personal Data. Such requests related to Personal Data may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). IonQ will not respond to such Data Subject Requests itself, and you authorize IonQ to redirect the Data Subject Request as necessary to you for handling. In the event you are unable to address a Data Subject Request through the Services’ self-service capabilities, IonQ will, upon your request, provide commercially reasonable efforts to assist you in responding to the Data Subject Request, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Privacy Laws. To the extent legally permitted, you will be responsible for any costs arising from IonQ’s provision of this additional support to assist you with a Data Subject Request.

2.2

IonQ will, to the extent legally permitted, notify you without undue delay if it receives a legally binding request for disclosure of or access to Personal Data from a public authority (including judicial or administrative authorities, or national security or intelligence agencies) or becomes aware of any direct access by a public authority to Personal Data. Such notification will include information about the Personal Data requested or accessed, the requesting or accessing authority, the legal basis for the request or access, and any response provided. If IonQ is prohibited by applicable law or regulation from notifying you or disclosing the details of a public authority request to you, IonQ will use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible.

2.3

IonQ will use all reasonably available legal mechanisms to challenge any binding legal requests for disclosure of or access to Personal Data made by a public authority that it receives, as well as any non-disclosure provisions attached to any such request. IonQ will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

2.4

IonQ will, to the extent legally permitted, and no more than once per calendar year unless otherwise required by Data Privacy Laws, upon Client’s written request, provide a report to Client regarding binding legal requests for disclosure of or access to Personal Data it has received from public authorities (including with respect to national security requests), the report to include the number of requests, the type of Personal Data requested, the requesting authority(ies), whether the requests have been challenged, and the outcome of such challenges. Requests for transparency reports should be sent to: [email protected]

2.5

IonQ will promptly and without undue delay notify Client if we determine that either: (i) we can no longer meet our obligations under this DPA or applicable Data Protection Laws; or (ii) in our opinion an instruction from Client infringes applicable Data Protection Laws; and await your further instructions. Such notice will entitle you to terminate the Agreement (or, if applicable, only the affected Order(s)) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This right to terminate and refund will be your sole and exclusive remedy.

2.6

IonQ certifies that we understand our obligations under this DPA (including without limitation the restrictions under this Section 2.1) and that we will comply with them.

2.7

IonQ will ensure that the persons we authorize to Process the Personal Data are subject to a written confidentiality agreement covering the Personal Data or are under an appropriate statutory obligation of confidentiality.

2.8

Each party will, to the extent legally permitted, notify the other party without undue delay of any inspections or measures conducted by that party’s supervisory or regulatory authority, insofar as they relate to this DPA. Each party will cooperate with the supervisory authority of the other party to aid in their supervisory or regulatory authority’s performance of its tasks (insofar as they relate to this DPA) at the reasonable cost and expense of the party being inspected. In addition, at Client’s reasonable cost and expense, IonQ will provide Client with reasonable cooperation and assistance for Client’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to IonQ under Data Privacy Laws to consult with a supervisory or regulatory authority in relation to IonQ’s Processing or proposed Processing of Personal Data.

2.9

Each party will, to the extent legally permitted, inform Data Subjects of a contact point authorized to handle Data Subject complaints regarding the Processing of Personal Data under this DPA. Unless prohibited by applicable law, each party will promptly notify the other party of any complaints or Claims regarding the Processing of Personal Data under this DPA. The parties will work together and provide reasonable cooperation and assistance to each other to promptly address any complaint or respond to the Claim (as applicable).

2.10

Each party understands and acknowledges that its successful compliance with this DPA and Data Privacy Laws will require the reasonable communication, cooperation and assistance of the other party. To that end, each party commits that it will operate in good faith and provide such reasonable cooperation and assistance.

3. Security Measures

IonQ will maintain our Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and Services, while also taking into account the state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. IonQ’s Security Measures are as described in Schedule F.

4. Personal Data Incidents

IonQ will notify you without undue delay (and in any event within 72 hours) of any known Security Incident that impacts Personal Data (a “Personal Data Incident”). We will also provide reasonable assistance to you in your compliance with your Personal Data Incident-related obligations, including without limitation by: (a) taking steps to mitigate the effects of the Personal Data Incident and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by IonQ in our sole discretion); and (b) providing you with the following information, to the extent known: (i) the nature of the Personal Data Incident, including, where possible, how the Personal Data Incident occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Incident; and (iii) the measures we have taken or propose to take to address the Personal Data Incident, including where appropriate measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay.

5. Subprocessors

You acknowledge and agree that IonQ may use its affiliates and third party Subprocessors to Process Personal Data in accordance with this DPA and applicable Data Privacy Laws. Where IonQ sub-contracts any of its rights or obligations concerning Personal Data, IonQ will take steps to select and retain Subprocessors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with this DPA and applicable Data Privacy Laws. IonQ will remain liable for the acts and omissions of its Subprocessors as if they were its own. You hereby consent to the use of Subprocessors listed at the Subprocessor List as of the effective date of this DPA. IonQ will maintain the Subprocessor List. The Subprocessor List is available here. IonQ will provide you details of any changes to the Subprocessor List upon request. If you object to a new Subprocessor, you must notify IonQ of your objection, if any, in writing within ten days of receipt of information about the change. You will be entitled to terminate the Agreement with immediate effect and without liability in the event IonQ does not consider your objections within a commercially reasonable period of time. Upon such termination, IonQ will refund any prepaid fees covering our Services on a pro-rata basis following the effective date of such termination. This right to terminate and refund will be Client’s sole and exclusive remedy.

6. International Data Transfers

6.1

Client understands and acknowledges that certain Services are cloud-based and that IonQ is a global organization with headquarters in the United States. As such, it may be necessary to transfer Personal Data to the United States or other jurisdictions outside of the primary jurisdiction of residence of your Authorized Users. We rely on standard contractual clauses (including the EU SCCs and UK SCCs) as the legal mechanism for transferring data under applicable Data Privacy Laws. Client hereby expressly authorizes IonQ to make international transfers of the Personal Data as necessary to perform the Services to Client, including without limitation to the United States, so long as such transfer is conducted in accordance with this DPA and applicable Data Privacy Laws for such transfers are respected. Client will ensure that Client and Client’s Authorized Users are entitled to transfer the Personal Data to IonQ so that IonQ may lawfully Process the Personal Data in accordance with this DPA, including without limitation by sub-contracting any Processing to an affiliate or third party Subprocessor.

6.1

To the extent legally required, the EU SCCs form part of this DPA and will be deemed completed as set forth in Schedule A. In the event of a conflict between the terms of the EU SCCs and this DPA, the EU SCCs will prevail.

6.2

To the extent legally required, the UK SCCs form part of this DPA and will be deemed completed as set forth in Schedule C. In the event of a conflict between the terms of the UK SCCs and this DPA, the UK SCCs will prevail.

6.3

With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction or the United Kingdom) governs the international nature of the transfer, (1) references to the GDPR in the EU SCCs are amended to refer to FADP or its successor instead, insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority will be the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively). In the event of a conflict between the terms of the EU SCCs as amended by this Section 6.1.3 and this DPA, the EU SCCs as amended by this Section 6.1.3 will prevail.

6.4

IonQ maintains transfer impact assessment materials, which are considered “IonQ Confidential Information”. We will provide these materials to customers upon written request to [email protected].

7. Auditing Compliance

Upon your written request, and no more than once during each Order Form Term or Subscription Term (as applicable), we will provide you with our most recent security review reports and/or certifications (such as, for example, SOC2 or SOC3 reports) for the applicable Services and provide reasonable assistance and information to you to understand the information in such reports. If you have a reasonable objection that the information provided is not sufficient to demonstrate IonQ’s compliance with this DPA, you may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of IonQ’s practices related to Processing Personal Data in compliance with this DPA, at your sole expense (an “Audit”). To the extent you use a third-party representative to conduct the Audit, you will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. You will provide IonQ with thirty days prior written notice of its intention to conduct an Audit. Before any Audit, the parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the IonQ reimbursement rate for which you will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of IonQ. You and your third-party representatives will conduct any Audit: (i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Services; and (ii) in a manner that will result in minimal disruption to IonQ’s business operations. Neither you nor your third-party representatives will be entitled to receive data or information of other IonQ customers or any other IonQ Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. You will promptly provide us with the Audit results upon completion of the Audit. 
All Audit related materials will be considered “Confidential Information” subject to the confidentiality provisions of the Agreement.

8. Retention; Return or Destruction

IonQ will retain Personal Data Processed under this DPA in accordance with its standard data retention policies and procedures (“Retention Procedures”). Upon your written request, IonQ will make available to you those portions of its Retention Procedures, redacted as necessary to protect IonQ Confidential Information, relevant to our Processing of your Personal Data. Except to the extent required otherwise by Data Privacy Laws, IonQ will, at your choice and upon your written request, return to you or securely destroy all Personal Data upon such request or at termination or expiration of the Agreement. IonQ will provide you with a certificate of destruction only upon your written request. In case of local laws applicable to IonQ that prohibit the return or deletion of Personal Data, we warrant that we will continue to ensure compliance with this DPA and will only process the Personal Data to the extent and for as long as required under such local laws.

C. IonQ as a Controller

This section applies to the applicable Services listed in Schedule E.

1. Parties as Independent Controllers

With respect to the applicable Services referenced in Schedule E, each Party will act as a “controller” or “business” (as defined by and as applicable under applicable Data Privacy Laws) with respect to Personal Data Processed in connection with such applicable Services and will independently determine the purposes and means of such Processing.

2. Compliance with Law

Each party is solely responsible for compliance with applicable Data Privacy Laws with respect to its own Processing of Personal Data in connection with the Agreement, and represents and warrants that it has fully complied with any legal requirement: (1) to provide notice or transparency to Data Subjects regarding its own Processing of Personal Data; (2) to obtain a Data Subject’s consent with respect to Processing Personal Data; (3) applicable to its own transfer of Personal Data to the other party; (4) to have an appropriate "legal basis" for Processing Personal Data. Each party will disclose Personal Data to the other party solely for the purposes permitted by the Agreement. The recipient of any such Personal Data will not “sell” or “share” (as such terms are defined in applicable Data Privacy Laws) such Personal Data provided by the disclosing party pursuant, or otherwise retain, use, disclose, or process such Personal Data, for any purposes other than for the specific purposes set forth herein or otherwise outside the direct business relationship between the parties.

3. Cooperation Between the Parties

If a Party receives a request by a Data Subject to exercise rights under applicable Data Privacy Laws with respect to Personal Data (such as an applicable right to access such Personal Data), or a request purporting to exercise such rights, or a complaint related to the Processing of such data by a Data Subject or applicable supervisory authority, the parties will reasonably cooperate to address such request or complaint promptly and in compliance with applicable Data Privacy Laws. The parties also agree to reasonably cooperate with one another in demonstrating compliance with this DPA and applicable Data Privacy Laws in their Processing of Personal Data.

4. Security

IonQ will maintain our Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and Services, while also taking into account the state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. IonQ’s Security Measures are as described in Schedule F. If a party discovers a Personal Data Incident ("Breached Party") relating to Personal Data Processed in relation to applicable Services under this Section, it will notify the other party without undue delay after discovery. In such an event, the Breached Party will provide reasonable assistance and cooperation to the other Party in addressing the Breach.

5. Data Transfers

With respect to data transfers between the parties, to the extent legally required, the parties agree that the EU SCCs or UK SCCs, as applicable, form part of this DPA and will be deemed completed as set forth in Schedule B and Schedule C. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction or the United Kingdom) governs the international nature of the transfer, (1) references to the GDPR in the EU SCCs are amended to refer to FADP or its successor instead, insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the supervisory authority will be the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

In the event of a conflict between the DPA and either the EU SCCs or UK SCCs, the applicable SCCs will govern.

D. Miscellaneous

We may need to update this DPA from time to time as laws, regulations and industry standards evolve, or as we make changes to our business or the Services. For example, if we release a new feature, product or service, we may need to update the information in the Schedules accordingly. If that happens, we will promptly post the revised DPA to our Site and update the “last updated” date. If we make changes that materially change the parties’ rights or obligations under this DPA, we will provide additional notice in accordance with applicable legal requirements, such as via email, on our Sites, or through our Services. For the sake of clarity: updating this DPA to include a newly released feature, product or service does not by default constitute such a material change; and we will only make updates for features, products or services that are generally released (not for any Product Research). By continuing to access and use IonQ Services after the effective date of the revised DPA, you agree to be bound by the revised DPA. If you do not agree with the revised DPA, do not use our Services.

Each party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each party further represents, warrants, and covenants that it will comply with all Data Privacy Laws applicable to such party in its role as data controller, business, data processor, service provider, or Subprocessor (as applicable under Data Privacy Laws). If applicable to Client, Client represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Client affiliates. The parties acknowledge and agree that the exchange of Personal Data between the parties does not constitute a “sale” or “share” of Personal Data under any US Data Privacy Laws, and does not form part of any monetary or other valuable consideration exchange between the parties with respect to the Agreement or this DPA. Each party's liability arising out of or related to this DPA is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. The provisions of this DPA survive the termination or expiration of the Agreement for so long as IonQ or its Subprocessors Process the Personal Data.

¹ Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.

² Available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.


SCHEDULE A

EU SCCS - Modules Two or Three
IonQ as a Processor

By entering into this DPA and Schedule A, the parties are deemed to be signing the EU SCCs, including without limitation the applicable Annex Information set forth below. Any undefined capitalized terms used in this Schedule A have the meanings assigned to such terms in the EU SCCs.

  1. Module Two or Module Three of the EU SCCs will apply as applicable to you.

  2. The docking option under Clause 7 (Optional - Docking Clause) will apply.

  3. This DPA and the Agreement are Client’s complete and final instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of the DPA and the Agreement.

  4. For purposes of Clause 8.1(a) (Instructions), the instructions will be deemed provided as set forth in Section B of the DPA, and include onward transfers to Subprocessors located outside the EU / EEA for the purpose of performance of the Services.

  5. For purposes of Clause 8.6(a) (Security of processing), Client is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in Schedule F meet Client’s requirements. By signing this DPA, Client agrees that such measures provide a level of security appropriate to the risk with respect to its Personal Data.

  6. For purposes of Clause 8.6(c), any personal data breach will be handled in accordance with Section B.4 of the DPA.

  7. The parties agree that the audits described in Clause 8.9 (Documentation and Compliance) will be carried out in accordance with Section B.7 of the DPA.

  8. For purposes of Clause 9(a) (Use of Subprocessors), Client will be deemed to have given general written authorization in accordance with Section B.5 of the DPA.

  9. The parties agree that the certificate of deletion of Personal Data that is described in Clauses 8.5 (Duration of processing and erasure or return of data) and 16(d) (Non-compliance with the Clauses and termination) will be carried out in accordance with Section B.8 of the DPA.

  10. For purposes of Clause 15(1)(a) (Notification), IonQ will notify Client only and not the Data Subject(s) in case of requests from public authorities. Client will be solely responsible for promptly notifying the Data Subject(s) as necessary.

  11. For purposes of Clause 17 (Governing law), the parties agree that the EU SCCs will be governed by the laws of Ireland.

  12. For purposes of Clause 18 (Choice of forum and jurisdiction), the parties agree that any dispute arising from the EU SCCs will be resolved by the courts in Ireland. A Data Subject may also bring legal proceedings against Client and/or IonQ before the courts of the Member State in which the Data Subject has their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts.

Annex I(A): List of Parties

The Parties

Name
  Data Exporter: Client
  Data Importer: IonQ Quantum, Inc.

Address
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: 4505 Campus Drive, College Park, MD 20740

Contact Person
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: General Representative General Counsel, [email protected]

EU Representative
  Osano International Compliance Services Limited, ATTN: 68RC, 3 Dublin Landings, North Wall Quay, Dublin 1, D01C4E0

Activities relevant to the transfer
  Processing necessary to provide the applicable Services to you and for any disclosures of Personal Data in accordance with the Agreement and our Privacy Policy.

Role
  Data Exporter: Controller or Processor (as applicable)
  Data Importer: Processor or Subprocessor (as applicable)

Annex I(B): Description of Processing & Transfer
As provided in Schedule D to this DPA.

Annex I(C): Competent Supervisory Authority
The competent supervisory authority will be in accordance with the provision applicable to Client as provided in Clause 13(a) of the EU SCCs, and where possible, will be the Irish Data Protection Commissioner.

Annex II: Technical and Organizational Measures
As provided in Schedule F to this DPA.

Annex III: List of Subprocessors
Not applicable; Client has given general written authorization in accordance with Section B.6 of the DPA. IonQ’s current list of Subprocessors as of the effective date, for which Client grants general written authorization by signing this DPA, is available at the Subprocessor List.


SCHEDULE B

EU SCCS - Module One
IonQ as a Controller

By entering into this DPA and Schedule B, the parties are deemed to be signing the EU SCCs, including without limitation the applicable Annex Information set forth below. Any undefined capitalized terms used in this Schedule B have the meanings assigned to such terms in the EU SCCs.

  1. Module One of the EU SCCs will apply to the transfer of Personal Data between the Parties as independent controllers.

  2. The docking option under Clause 7 (Optional - Docking Clause) will apply.

  3. For purposes of Clause 8.5 (Security of processing), the Parties agree to the Security Measures contained in this DPA and Schedule F.

  4. For purposes of Clause 15(1)(a) (Notification), the Parties agree to cooperate in respect of any such notification in accordance with Section C.3.

  5. For purposes of Clause 17 (Governing law), the parties agree that the EU SCCs will be governed by the laws of Ireland.

  6. For purposes of Clause 18 (Choice of forum and jurisdiction), the parties agree that any dispute arising from the EU SCCs will be resolved by the courts in Ireland. A Data Subject may also bring legal proceedings against Client and/or IonQ before the courts of the Member State in which the Data Subject has their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts.

Annex I(A): List of Parties

The Parties (Data Exporter and Data Importer)

Name
  Data Exporter: Client
  Data Importer: IonQ Quantum, Inc.

Address
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: 4505 Campus Drive, College Park, MD 20740

Contact Person
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: General Representative: General Counsel, [email protected]. EU Representative: Osano International Compliance Services Limited, ATTN: 68RC, 3 Dublin Landings, North Wall Quay, Dublin 1, D01C4E0

Activities relevant to the transfer
  Processing necessary to provide the applicable Services to you and for any disclosures of Personal Data in accordance with the Agreement and our Privacy Policy.

Role
  Data Exporter: Controller
  Data Importer: Controller

Annex I(B): Description of Processing & Transfer
As provided in Schedule E to this DPA.

Annex I(C): Competent Supervisory Authority
The competent supervisory authority will be in accordance with the provision applicable to Client as provided in Clause 13(a) of the EU SCCs, and where possible, will be the Irish Data Protection Commissioner.

Annex II: Technical and Organizational Measures
As provided in Schedule F to this DPA.


SCHEDULE C

UK SCCS

United Kingdom International Data Transfer Agreement
By entering into this DPA and Schedule C, the parties are deemed to be signing the UK SCCs, including without limitation the Mandatory Clauses in Part 2 and its applicable Tables and Appendix Information. The parties agree that this Schedule C appends both Schedule A and Schedule B, as appropriate. Any undefined capitalized terms used in this Schedule C have the meanings assigned to such terms in the UK SCCs.

Table 1: List of Parties

Start Date: Coterminous with the Agreement

The Parties (Data Exporter and Data Importer)

Full Legal Name
  Data Exporter: Client’s full legal name
  Data Importer: IonQ Quantum, Inc.

Trading Name (if different)
  Data Exporter: Client’s trading name
  Data Importer: IonQ

Address
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: 4505 Campus Drive, College Park, MD 20740

Official Registration Number
  Data Exporter: As applicable to Client
  Data Importer: N/A

Key Contact
  Data Exporter: As provided in your IonQ Client account information
  Data Importer: General Representative: General Counsel, [email protected]. UK Representative: Osano UK Compliance LTD, ATTN: 68RC, 42-46 Fountain Street, Belfast, Antrim, BT1 - 5EF

Table 2: Selected SCCs, Modules and Selected Clauses
The “Approved EU SCCs” referenced in Table 2, to which this Addendum is appended, will be the EU SCCs as executed by the parties and completed as set forth in Schedule A and/or Schedule B, as appropriate.

Table 3: Appendix Information
As provided in Schedule A and/or Schedule B to this DPA, as appropriate, with specific reference to Annex I(A), Annex I(B), Annex II, and Annex III.

Table 4: Ending this Addendum with the Approved Addendum Changes
Either party may end the UK SCCs as set out in Section 19 of the UK SCCs.


SCHEDULE D

Details of Processing - IonQ as a Processor

Applicable Services

The applicable Services include IonQ’s quantum computing cloud services

Categories of Data Subjects

Authorized Users

Categories of Personal Data

Quantum Cloud

Usage information: quantum workload data, feature usage data, timing, and related operational metrics

Profile information: parent organization and unique ID (as provided, which may be an email address or anonymized ID)

Sensitive Data

Not applicable (as provided in the Agreement)

Frequency of the Transfer

Continuous during the Term of the Agreement

Nature & Purpose of Processing

Processing necessary to provide the applicable Services to you and your Authorized Users.

Processing necessary for any sharing or disclosures of Personal Data in accordance with the Agreement and our Privacy Policy.

Purpose of Transfer

To provide the applicable Services to Client

Duration of Processing

The Processing commences upon your acceptance of the Agreement and will terminate upon termination or expiration of the Agreement

Transfers to Subprocessors

Same as above with respect to the subject matter, nature and duration of the Processing


SCHEDULE E

Details of Processing - IonQ as a Controller

Applicable Services

The applicable Services include IonQ’s quantum computing cloud services

Categories of Data Subjects

Authorized Users

Categories of Personal Data

Quantum Cloud

Contact information (including name, email, organization, employee ID)

Profile information (including employer, job title, location, team, role, account ID)

Device information (including IP address, general location derived from IP address)

Associated usage information related to quantum workloads (including target backend, usage of optional features like error mitigation, timing of execution stages, and details of quantum program including qubits, shots, and gates), cloud console usage (including features used and session timestamps), and API usage (including timestamp and response status of requests, and selected API options), and related operational metrics that IonQ may collect to provide or improve the Services

Sensitive Data

Not applicable (as provided in the Agreement)

Frequency of the Transfer

Continuous during the Term of the Agreement

Nature & Purpose of Processing

Processing necessary to provide the applicable Services to you and your Authorized Users and as otherwise permitted by the Agreement, DPA, and applicable Data Privacy Laws

Processing necessary for any sharing or disclosures of Personal Data in accordance with the Agreement and our Privacy Policy

Purpose of Transfer

To provide the applicable Services to Client

Duration of Processing

The Processing commences upon your agreement to the Agreement and will terminate upon termination or expiration of the Agreement

Transfers to Subprocessors

Not applicable


SCHEDULE F

Security Measures

IonQ places great importance on the security of the Services, and we have adopted a variety of administrative, technical, physical, and organizational measures to protect the Services against accidental or unlawful destruction, loss, alteration, disclosure or access (a “Security Incident”) (collectively the “Security Measures”). The following provides an overview of some of IonQ’s key Security Measures. The specific Security Measures utilized will depend on the Services that you use. The Services and security standards are subject to evolving risks, technical progress, and further development, and we reserve the right to implement alternative Security Measures or make future replacements or updates to our Security Measures. More information is available upon request to [email protected].

Encryption

At Rest: Data resides in the production environment encrypted with at least AES-256

In Transit: All network communication uses at least TLS v1.2, is encrypted and authenticated using at least AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism

Password Hashing

Passwords are salted and hashed using industry-standard, accepted algorithms appropriate for the data processed.

Standards Based Identity

We support Single Sign On (SSO). Non-SSO users are required to separately validate their accounts.

Infrastructure

We utilize trusted cloud providers for our products (e.g., Microsoft Azure and Amazon Web Services) and leverage their tools to set up appropriate firewall rules, intrusion, and DMZ policies. Every component of our infrastructure has redundancy. We utilize a Web Application Firewall in addition to other technologies to perform real-time monitoring and proactive blocking of malicious user behavior. All actions on the back-end are logged.

Continuous Security Assessments

We periodically utilize an independent third party to perform penetration tests. We run continuous automated security tests. The attestations and SOC 2 reports applicable to our various products and services are available on the IonQ website or upon request (subject to confidentiality).

Vendor Selection

All of our vendors offer industry-leading products and go through a security audit as a standard part of our vendor management policy, to ensure their practices meet our security and compliance standards.

Personnel

Level of access is determined by role. Logical access reviews are performed periodically and access is immediately removed when no longer necessary. Multi-factor authentication is enforced for all personnel. Personnel devices are monitored in real time, with antivirus, disk encryption, automatic device blocking, and security patches. We run background checks and sign confidentiality agreements with all personnel. We regularly provide security training for all personnel.

Policies & Plans

Among other company policies and plans, IonQ has a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability, and an incident response plan in the event of a Security Incident or Personal Data Incident. Where appropriate, we also maintain a formal software development lifecycle methodology and change management procedures.