Data Processing Agreement
Effective Date: 30-Apr-2026 | Last Updated: 30-Apr-2026
| Item | Details |
|---|---|
| Product | NexGenQE - AI-powered Quality Engineering and Test Automation product built on the PIEDAP platform |
| Website | https://www.nexgenqe.com |
| Provider / Processor | Pion Global Private Limited (https://www.pionglobal.com) |
| Customer Role | Controller, Data Fiduciary, Business, or equivalent role under applicable data protection laws |
| Purpose | To govern processing of Customer Personal Data while delivering NexGenQE product, platform, support, security, integrations, analytics, and AI-assisted quality engineering services |
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement, order form, subscription terms, website terms, statement of work, or other written arrangement (collectively, the "Main Agreement") between Pion Global Private Limited ("Pion Global", "NexGenQE", "PIEDAP", "Processor", "we", "us", or "our") and the customer, user organization, or contracting entity ("Customer", "Controller", "Data Fiduciary", "Business", "you", or "your").
This DPA governs the processing of Personal Data by Pion Global on behalf of the Customer in connection with NexGenQE, an AI-powered Quality Engineering, test management, test automation, defect intelligence, and software quality analytics product built on the PIEDAP platform.
This DPA is intended to support compliance with applicable data protection laws, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 (India), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR where applicable, the California Consumer Privacy Act as amended by the CPRA where applicable, and other privacy or cybersecurity laws that apply to the parties and the relevant processing.
2. Definitions
| Term | Meaning |
|---|---|
| Applicable Data Protection Laws | All privacy, data protection, cybersecurity, breach notification, and electronic communications laws applicable to the processing of Personal Data under this DPA. |
| Customer Data | All data, content, files, test assets, test cases, requirements, user stories, defects, logs, screenshots, reports, prompts, configurations, metadata, and other information submitted to or processed through NexGenQE by or for Customer. |
| Customer Personal Data | Personal Data contained in Customer Data or otherwise processed by Pion Global on behalf of Customer in connection with NexGenQE. |
| Data Principal / Data Subject | An identified or identifiable individual to whom Personal Data relates. |
| Personal Data | Any information relating to an identified or identifiable natural person, including personal data, personal information, personal identifiable information, sensitive personal data, or equivalent terms under Applicable Data Protection Laws. |
| Processing | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction. |
| Security Incident | A confirmed or reasonably suspected accidental, unauthorized, or unlawful access to, disclosure of, alteration of, loss of, or destruction of Customer Personal Data. |
| Services | NexGenQE product features, platform services, support, implementation, integrations, analytics, reporting, AI-enabled functionality, and related services made available by Pion Global. |
| Sub-Processor | Any third party engaged by Pion Global or its affiliates to process Customer Personal Data for the Services. |
3. Roles and Allocation of Responsibilities
For Customer Personal Data, Customer determines the purposes and means of processing and acts as Controller, Data Fiduciary, Business, or equivalent role under Applicable Data Protection Laws. Pion Global processes Customer Personal Data on behalf of Customer and acts as Processor, Data Processor, Service Provider, Contractor, or equivalent role.
Where Pion Global independently determines the purposes and means of processing limited business contact data, billing data, website usage data, security telemetry, or account administration data, Pion Global acts as an independent controller for that data and processes it under its Privacy Policy and applicable law.
Nothing in this DPA permits Pion Global to sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, or process Customer Personal Data for purposes unrelated to the Services, except as expressly authorized by Customer or required by law.
4. Scope, Nature, Purpose, and Duration of Processing
Processing is limited to what is necessary to provide, secure, maintain, support, improve, and troubleshoot NexGenQE and the PIEDAP platform components used to deliver NexGenQE.
Processing may include hosting, storage, transmission, indexing, querying, test analytics, workflow automation, test execution orchestration, defect analysis, report generation, integration synchronization, audit logging, backup, deletion, and customer support.
The duration of processing is the term of the Services and any post-termination period required to return, delete, archive, or retain data as permitted by the Main Agreement, this DPA, or applicable law.
5. Categories of Personal Data and Data Subjects
User and account data: names, business email addresses, usernames, roles, access permissions, organization identifiers, project/workspace identifiers, authentication metadata, and support contacts.
Quality engineering data: requirements, user stories, acceptance criteria, test cases, test suites, test execution results, screenshots, video or session logs where enabled, browser/device metadata, defect descriptions, comments, attachments, and traceability records.
Technical and telemetry data: system logs, IP addresses, device and browser information, API logs, integration events, CI/CD execution metadata, audit trails, error traces, and security logs.
Optional sensitive or regulated data: only if Customer chooses to include it in test data, attachments, logs, evidence, or integrations. Customer should avoid uploading production personal data, special category data, children's data, health data, financial data, government identifiers, or secrets unless necessary, lawful, and appropriately protected.
Data subjects may include Customer employees, contractors, developers, testers, project team members, end users represented in test data, customer support users, vendors, client stakeholders, and other individuals whose data is uploaded or integrated by Customer.
6. Customer Instructions and Customer Responsibilities
Customer instructs Pion Global to process Customer Personal Data only to provide the Services, comply with the Main Agreement, and perform documented support or implementation activities requested by Customer.
Customer is responsible for the lawfulness, accuracy, quality, and minimization of Customer Data, including obtaining all required notices, consents, authorizations, and legal bases for processing.
Customer is responsible for configuring roles, permissions, access controls, retention settings, integrations, environments, test data policies, and user access in accordance with its internal governance requirements.
Customer should use masked, synthetic, anonymized, or minimized test data wherever feasible and should not upload secrets, API keys, passwords, production credentials, or highly sensitive data into test cases, logs, screenshots, prompts, or attachments unless expressly required and secured.
Customer shall not use NexGenQE to process Personal Data in a manner that violates Applicable Data Protection Laws, intellectual property rights, employment laws, sectoral regulations, export control laws, or the rights of individuals.
7. Processor Obligations
Process Customer Personal Data only on documented Customer instructions, including instructions in the Main Agreement, this DPA, product configuration, support requests, or Customer-approved integrations.
Ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations and receive appropriate privacy and security awareness training.
Implement appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure.
Promptly inform Customer if, in Pion Global's reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law from doing so.
Assist Customer with data subject requests, breach notifications, DPIAs, audits, regulatory inquiries, and security assessments to the extent the request relates to Pion Global's processing under this DPA.
Maintain records of processing activities required by Applicable Data Protection Laws and make relevant information available to Customer as described in this DPA.
Ensure that Sub-Processors are bound by written obligations that provide at least substantially similar data protection, confidentiality, and security commitments as this DPA.
8. NexGenQE Product-Specific Processing
NexGenQE may process software quality artifacts, including requirements, test cases, test scripts, defect records, traceability maps, quality metrics, automation results, CI/CD job information, and test evidence.
Where enabled by Customer, NexGenQE may connect to issue trackers, test management systems, source code repositories, CI/CD pipelines, cloud environments, application lifecycle management tools, observability tools, browser automation platforms, or communication tools.
Pion Global will use integration data only to provide the configured functionality, such as test generation, test execution, defect synchronization, reporting, dashboarding, quality analytics, root-cause assistance, and workflow automation.
Customer should avoid synchronizing unnecessary source code, secrets, credentials, production databases, production screenshots, or production logs containing personal or regulated data. Where integration scopes can be limited, Customer should apply least-privilege integration permissions.
If Customer enables recording, screenshots, logs, or evidence capture, Customer is responsible for notifying relevant users and ensuring that captured data is lawful, minimized, and consistent with workplace monitoring, privacy, and confidentiality obligations.
9. AI Processing, Model Governance, and Automated Outputs
NexGenQE may use AI-assisted features for test case generation, test optimization, defect classification, risk-based testing, impact analysis, summarization, requirements-to-test traceability, quality insights, and recommendation generation.
AI outputs are generated to assist Customer personnel and are not a substitute for professional judgment, secure coding review, independent QA validation, regulatory assessment, or human approval where required.
Pion Global will not use Customer Personal Data to train generalized, public, foundation, or external AI models without Customer's prior written authorization. Where model improvement is enabled by Customer, it will be governed by documented scope, safeguards, and opt-out or contractual controls as applicable.
Pion Global will apply reasonable safeguards to AI processing, including access controls, logging, prompt and output security controls where feasible, human oversight workflows, output review capabilities, and measures to reduce unauthorized disclosure of Customer Data.
Customer is responsible for reviewing AI-generated test cases, scripts, defect insights, risk scores, and recommendations before relying on them, especially for safety-critical, regulated, employment, financial, healthcare, or high-impact contexts.
Where AI features involve third-party AI providers or model hosting vendors, such providers will be treated as Sub-Processors or equivalent service providers where they process Customer Personal Data on behalf of Pion Global.
10. Security Measures and Technical Controls
Pion Global will maintain an information security program appropriate to the nature of Customer Personal Data and the risk of processing, aligned with recognized practices such as ISO/IEC 27001, SOC 2 Trust Services Criteria, secure SDLC, vulnerability management, and incident response practices.
Security controls may include encryption in transit and at rest, role-based access control, multi-factor authentication support, least-privilege administration, network segmentation, secure API controls, audit logging, malware protection, secrets management, secure backup, vulnerability scanning, patch management, and monitoring.
Pion Global will periodically evaluate the effectiveness of technical and organizational measures and will remediate identified vulnerabilities based on severity, exploitability, and customer impact.
Customer remains responsible for endpoint security, user account management, identity provider configuration, integration credentials, secure test data practices, and proper use of available product security features.
11. Sub-Processors
Customer provides general authorization for Pion Global to engage Sub-Processors necessary to provide the Services, including cloud infrastructure, hosting, logging, analytics, support, security, email, monitoring, and AI-service providers.
Pion Global will maintain an up-to-date list of material Sub-Processors or make such information available upon request or through a designated website, trust portal, order form, or customer notice mechanism.
Pion Global will impose written data protection obligations on Sub-Processors that are no less protective than those required by this DPA, considering the nature of the services provided by the Sub-Processor.
Pion Global remains responsible for the performance of its Sub-Processors to the extent required by Applicable Data Protection Laws and the Main Agreement.
Where required by law or contract, Customer may object to a new Sub-Processor on reasonable data protection grounds within the notice period specified by Pion Global. The parties will work in good faith to address the objection.
12. International Data Transfers
Customer Personal Data may be processed in jurisdictions where Pion Global, its affiliates, infrastructure providers, support teams, or Sub-Processors operate, subject to applicable legal safeguards.
Where Customer Personal Data originating from the EEA, UK, or Switzerland is transferred to a country that does not provide an adequate level of protection, the parties will apply appropriate transfer mechanisms such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, Swiss addenda, or other lawful safeguards.
Where required, Pion Global will support transfer impact assessments by providing reasonable information about transfer locations, Sub-Processors, security measures, and applicable safeguards.
If a government, law enforcement, or regulatory authority requests access to Customer Personal Data, Pion Global will review the request, disclose only what is legally required, and notify Customer unless legally prohibited.
13. Data Subject / Data Principal Rights
Pion Global will provide reasonable assistance to Customer to respond to requests from Data Subjects or Data Principals, including access, correction, erasure, portability, restriction, objection, withdrawal of consent, nomination, grievance, or other rights recognized by Applicable Data Protection Laws.
If Pion Global receives a request directly from a Data Subject relating to Customer Personal Data, Pion Global will, where legally permitted and reasonably identifiable as Customer data, direct the requester to Customer or notify Customer for handling.
Customer is responsible for verifying the identity and authority of the requester and deciding whether and how to respond to the request, unless Pion Global is independently required by law to respond.
14. Personal Data Breach Notification and Incident Response
Pion Global will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach involving Customer Personal Data. Where feasible and subject to reasonable investigation, Pion Global will aim to provide initial notice within forty-eight (48) hours of confirmation.
The notice will include available information reasonably required for Customer to meet its notification obligations, such as the nature of the breach, affected categories of data and individuals, likely consequences, containment measures, mitigation steps, and contact information for follow-up.
Pion Global will investigate, contain, mitigate, and remediate the breach in accordance with its incident response procedures and will provide updates as additional information becomes available.
Pion Global's notification of a breach is not an admission of fault or liability. Customer is responsible for determining whether notices to regulators, Data Principals, Data Subjects, customers, or other parties are legally required, except where Pion Global has an independent legal obligation.
15. Data Retention, Return, Deletion, and Backup Handling
Customer Personal Data will be retained only for the period necessary to provide the Services, comply with Customer configuration, meet contractual commitments, maintain security and audit logs, resolve disputes, comply with legal obligations, or as otherwise permitted by this DPA.
Upon termination or expiration of the Services, Pion Global will, upon Customer instruction and subject to the Main Agreement, return or delete Customer Personal Data within a commercially reasonable period, unless retention is required by law or legitimate backup, security, audit, or dispute resolution needs.
Backups are maintained for resilience and security. Customer Personal Data in backups may not be immediately deleted from all backup media but will be protected and overwritten or deleted according to standard backup retention cycles.
Pion Global may retain aggregated, anonymized, or de-identified information that does not identify Customer, Customer users, or Data Subjects, for service analytics, benchmarking, security, and product improvement, provided such information is not used to re-identify individuals.
16. Audit, Compliance, Records, and Regulatory Cooperation
Pion Global will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of security controls, policies, certifications, audit reports, penetration test summaries, or other assurance materials where available and subject to confidentiality.
Customer may request an audit or assessment on reasonable written notice where required by Applicable Data Protection Laws. Audits must be conducted during normal business hours, in a manner that does not compromise security, confidentiality, operations, or other customers' data.
Pion Global may satisfy audit requests by providing independent third-party reports, certifications, completed security questionnaires, product documentation, and written responses. On-site audits are subject to prior agreement, scope limitations, confidentiality, and reasonable frequency limits.
Pion Global will reasonably assist Customer with data protection impact assessments, transfer impact assessments, prior consultations, regulatory inquiries, and compliance documentation where the request relates to Pion Global's processing of Customer Personal Data.
17. Confidentiality, Intellectual Property, and Usage Data
Each party will protect confidential information disclosed in connection with this DPA using at least reasonable care and will use such information only for the purposes of the Main Agreement and this DPA.
Customer retains all rights, title, and interest in Customer Data. Pion Global retains all rights, title, and interest in NexGenQE, PIEDAP, software, platform architecture, workflows, algorithms, AI orchestration methods, product know-how, templates, documentation, and service improvements.
Pion Global may process usage telemetry, performance data, diagnostic data, security logs, and operational metadata to provide, secure, maintain, and improve the Services, provided that any such processing of Customer Personal Data remains subject to this DPA.
Pion Global will not disclose Customer Data to third parties except as necessary to provide the Services, as authorized by Customer, as required by law, or as otherwise permitted under the Main Agreement and this DPA.
18. Liability, Indemnity, Term, Amendments, and Precedence
Each party's liability under this DPA is subject to the limitations, exclusions, and remedies in the Main Agreement, unless prohibited by Applicable Data Protection Laws.
This DPA remains in effect for as long as Pion Global processes Customer Personal Data on behalf of Customer.
Pion Global may update this DPA from time to time to reflect changes in law, security practices, product features, Sub-Processors, or operational requirements. Material changes will be posted on the NexGenQE website or otherwise communicated where required.
If there is a conflict between this DPA and the Main Agreement regarding processing of Customer Personal Data, this DPA controls to the extent of the conflict. If Standard Contractual Clauses or other mandatory transfer terms apply, those terms control to the extent required by law.
19. Governing Law, Dispute Resolution, and Contact
This DPA shall be governed by the laws of India unless the Main Agreement specifies another governing law for data processing terms or mandatory data protection laws require otherwise.
Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the Main Agreement. Where the Main Agreement is silent, courts located in Bengaluru, Karnataka, India shall have jurisdiction, subject to any mandatory arbitration or regulatory rights under applicable law.
For questions, requests, or notices regarding this DPA or NexGenQE data processing, contact: [email protected] or [email protected].
20. Term & Amendments
This DPA shall remain in effect for the duration of the Services and any period during which Pion Global processes Personal Data on behalf of the Customer. Pion Global may update this DPA to reflect changes in legal, regulatory, or operational requirements, with appropriate notice provided to the Customer where required.
21. Changes to This Policy
Pion Global may update this Data Processing Agreement from time to time. The updated version will be posted on the website with a revised "Last Updated" date. Continued use of the Product and Platform after changes constitutes acceptance of the updated policy.
Annex A – Processing Details
| Processing Element | Description |
|---|---|
| Subject matter | Processing of Customer Personal Data in connection with NexGenQE quality engineering, test automation, analytics, support, implementation, security, and platform operations. |
| Duration | For the term of the Services and any retention, return, deletion, backup, legal hold, or dispute-resolution period permitted by the Main Agreement or applicable law. |
| Nature of processing | Collection, hosting, storage, organization, access, retrieval, analysis, synchronization, indexing, transformation, transmission, disclosure to authorized users or Sub-Processors, backup, deletion, and support troubleshooting. |
| Purpose of processing | To provide NexGenQE features including requirements analysis, test case management, automated testing, defect management, impact analysis, quality dashboards, reports, traceability, workflow automation, integrations, AI-assisted recommendations, account administration, support, and security. |
| Data subjects | Customer employees, contractors, testers, developers, project managers, QA leaders, support users, client stakeholders, end users represented in test data, and other individuals included in Customer Data. |
| Data categories | Business contact data, user account data, role and permission data, test data, defect comments, screenshots, evidence, logs, metadata, integration data, usage data, support data, prompts and outputs where AI features are used. |
| Sensitive data | Not required by default. May be processed only if Customer uploads or integrates it. Customer should minimize, mask, tokenize, anonymize, or synthesize sensitive data wherever feasible. |
| Frequency of transfer | Continuous or as configured by Customer through product use, integrations, support, and platform operations. |
Annex B – Technical and Organizational Measures
| Control Area | Measures |
|---|---|
| Governance | Security policies, privacy governance, data handling procedures, vendor review, risk assessment, privacy-by-design and security-by-design practices. |
| Access control | Role-based access controls, least privilege, admin access restrictions, MFA support, user access review, privileged access logging. |
| Encryption | Encryption in transit using secure protocols; encryption at rest for supported storage layers; secure key management practices. |
| Application security | Secure SDLC practices, code review, vulnerability scanning, dependency management, secure API design, input validation, secret management. |
| Infrastructure security | Network segmentation, firewall controls, patching, hardened configurations, monitoring, malware protection, and cloud security controls. |
| Logging and monitoring | Audit logs, security event monitoring, administrative action logging, anomaly detection where feasible, and retention of logs for security and compliance purposes. |
| Incident management | Incident response plan, triage and escalation procedures, containment, investigation, remediation, customer notification workflow, and post-incident review. |
| Availability and resilience | Backup and restore processes, redundancy where applicable, disaster recovery planning, change management, and business continuity practices. |
| Data lifecycle | Retention controls, secure deletion methods, backup retention cycles, export support where available, and separation of customer environments where applicable. |
| Personnel security | Confidentiality obligations, security awareness, role-based access, onboarding and offboarding procedures, and acceptable use requirements. |
Annex C – Approved Sub-Processor Framework
Pion Global may use Sub-Processors for cloud hosting, storage, databases, email delivery, monitoring, logging, analytics, customer support, security scanning, AI services, and integration enablement.
Pion Global will maintain a current list of material Sub-Processors and provide it through the NexGenQE website, trust portal, order form, or upon written request.
Each Sub-Processor must be bound by written obligations covering confidentiality, security, data protection, breach cooperation, return/deletion, and onward transfer restrictions appropriate to the services performed.
Customer may request additional information about Sub-Processor location, purpose, and safeguards where required for legal or regulatory compliance, subject to confidentiality and security limitations.
| Sub-Processor Category | Purpose | Data Processed | Location / Notes |
|---|---|---|---|
| Cloud infrastructure / hosting | Application hosting, storage, compute, database, backup | Customer Data and metadata as configured | As specified in service architecture or order form |
| Email / notification services | Transactional notifications, alerts, invitations | Business contact and notification metadata | Limited to delivery of communications |
| Monitoring / logging / security tools | Security, diagnostics, reliability, support | Logs, telemetry, event metadata | Access restricted to authorized operations personnel |
| AI service or model hosting provider | AI-assisted QE capabilities where enabled | Prompts, context, test assets, outputs, or metadata as configured | Subject to AI governance and no-general-training commitments |
| Customer support tools | Ticketing, support workflow, issue resolution | Support contacts, ticket contents, attachments submitted by Customer | Customer should avoid submitting unnecessary Personal Data |
Annex D – International Transfer Addendum
For EEA, UK, or Swiss Personal Data transferred to a country without an adequacy decision, the parties agree to implement appropriate transfer safeguards, including the applicable module of the EU Standard Contractual Clauses or UK/Swiss equivalent transfer terms, as required by law.
For Controller-to-Processor transfers under the EU SCCs, Module Two will generally apply where Customer is a Controller and Pion Global is a Processor. For Processor-to-Processor transfers, Module Three may apply where Customer acts as Processor for another controller.
The Annexes to this DPA are intended to provide processing details, security measures, and Sub-Processor information required to complete applicable transfer documentation. If mandatory clauses conflict with this DPA, mandatory transfer clauses prevail for the relevant transfer.
Pion Global will apply technical, organizational, and contractual safeguards designed to protect transferred Personal Data, including encryption, access controls, confidentiality obligations, incident response, and vendor management.
Annex E – AI and Test Data Governance Addendum
No default use of Customer Personal Data for generalized model training: Pion Global will not use Customer Personal Data to train public, generalized, foundation, or external models unless Customer provides prior written authorization or enables a documented feature that expressly permits such use.
Test data minimization: Customer should prefer synthetic, anonymized, tokenized, or masked test data, especially for production-like testing, regression suites, screenshots, logs, and evidence capture.
Prompt and output controls: Customer should avoid placing credentials, secrets, production Personal Data, source code not required for the task, or regulated data in prompts or AI inputs. Pion Global will apply reasonable controls to protect AI inputs and outputs within the Service.
Human oversight: Customer should review AI-generated test cases, scripts, summaries, defect predictions, risk scores, and recommendations before use in production release decisions or regulated contexts.
Security and quality: AI-assisted outputs may be incomplete, incorrect, biased, or unsuitable for a specific application. Customer remains responsible for validation, safety review, security review, and release approval.
Transparency and logs: Where technically feasible, NexGenQE may maintain logs of AI interactions, input context, output, user, timestamp, and configuration to support auditability, troubleshooting, quality review, and abuse prevention.
Restrictions: Customer must not use AI features to generate malicious code, evade security controls, violate intellectual property rights, perform unlawful monitoring, process data without required authorization, or create discriminatory or harmful outcomes.
For questions regarding this Data Processing Agreement, please contact [email protected] or [email protected].
This Data Processing Agreement defines permitted and prohibited use of the NexGenQE product and PIEDAP Platform to protect security, integrity, and lawful operation.