Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement (the "Principal Agreement") between the customer ("Controller") and Priqid ("Processor") for the provision of the Priqid platform (the "Service"). It sets out the terms on which Priqid processes personal data on behalf of the Controller and is entered into to comply with Article 28 of Regulation (EU) 2016/679 (the "GDPR").

In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the processing of personal data.

1. Definitions

Capitalised terms not otherwise defined herein have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject" and "Personal Data Breach" have the meanings given in Article 4 GDPR.

2. Roles and Scope

With respect to Personal Data uploaded to or generated within the Service by the Controller ("Customer Personal Data"), the Controller is the controller and Priqid is the processor. Priqid will process Customer Personal Data only on documented instructions from the Controller, including those set out in the Principal Agreement, this DPA, and the Controller's use of the Service's configurable features.

The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex I.

3. Processor Obligations

Priqid shall:

• Process Customer Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law to which Priqid is subject (in which case Priqid will inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest).
• Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
• Implement and maintain the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
• Engage Sub-processors only in accordance with Section 5.
• Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to Data Subject requests under Chapter III GDPR.
• Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Priqid.
• At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of the Service, and delete existing copies, unless EU or Member State law requires storage of the Personal Data.
• Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the conditions in Section 8.

4. Controller Obligations

The Controller represents and warrants that (i) it has a lawful basis for processing the Customer Personal Data, (ii) it has provided all required notices and obtained all required consents from Data Subjects, and (iii) its instructions to Priqid comply with all applicable laws. The Controller is responsible for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired such data.

5. Sub-processors

The Controller provides general written authorisation for Priqid to engage Sub-processors to process Customer Personal Data, provided that Priqid:

• Imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
• Remains fully liable to the Controller for the performance of each Sub-processor's obligations.
• Maintains a current list of Sub-processors in Annex III and notifies the Controller of any intended changes (addition or replacement) at least 30 days in advance, giving the Controller the opportunity to object to such changes on reasonable data-protection grounds. If the Controller objects and the parties cannot agree on a resolution, the Controller may terminate the affected portion of the Service.

6. International Transfers

Where Priqid transfers Customer Personal Data to a country outside the European Economic Area that does not benefit from a European Commission adequacy decision, Priqid will ensure that such transfers are subject to appropriate safeguards under Article 46 GDPR, in particular the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 (Module Two or Three as applicable), supplemented where necessary by additional technical, contractual and organisational measures.

7. Personal Data Breach

Priqid will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

8. Audits

Priqid will, on reasonable prior written request and no more than once per calendar year (except where required by a supervisory authority or following a Personal Data Breach), make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and security certifications. On-site audits will be conducted during normal business hours, with reasonable advance notice, subject to confidentiality obligations and at the Controller's expense.

9. Return and Deletion

Upon termination or expiry of the Principal Agreement, Priqid will, at the Controller's choice, delete or return all Customer Personal Data within 30 days, and delete all existing copies, unless EU or Member State law requires continued storage. Backups containing Customer Personal Data will be deleted in accordance with Priqid's standard backup-retention schedule (no longer than 90 days).

10. Liability and Term

The liability of each party under or in connection with this DPA is governed by the limitations and exclusions set out in the Principal Agreement. This DPA takes effect on the effective date of the Principal Agreement and continues until the end of Priqid's provision of the Service and the deletion or return of all Customer Personal Data in accordance with Section 9.

11. Governing Law

This DPA is governed by the same law as the Principal Agreement, and disputes are subject to the same jurisdiction, except where mandatory data protection law requires otherwise.

Annex I — Description of Processing

• Subject matter: provision of the Priqid platform for generating PRIIPs Key Information Documents and related fund-data management features.
• Duration: the term of the Principal Agreement, plus the retention period set out in Section 9.
• Nature and purpose: hosting, storage, computation, document generation, parsing of customer-supplied PDFs, and provision of administrative and support functions.
• Categories of Data Subjects: the Controller's personnel and authorised users; investors, fund staff, and other individuals whose personal data appears in fund records, KIDs or supporting documents that the Controller uploads.
• Types of Personal Data: identification data (name, email, role), authentication data (hashed passwords, two-factor secrets), professional information, fund-related contact data and any further personal data the Controller chooses to include.
• Special categories: none expected. The Controller agrees not to upload special-category data (Article 9 GDPR) or criminal-conviction data (Article 10 GDPR) to the Service unless expressly agreed in writing.

Annex II — Technical and Organisational Measures

• Encryption: TLS 1.2+ for data in transit; AES-256 (or equivalent) for data at rest, including managed PostgreSQL and object storage.
• Access control: role-based access control with least privilege; mandatory two-factor authentication for administrators; periodic access reviews.
• Authentication: bcrypt password hashing; JWT session tokens with short lifetimes; account lockout on repeated failed attempts.
• Network security: hosting on managed cloud infrastructure with isolated environments and managed firewalls.
• Logging and monitoring: application audit logs, access logs and security event logs retained for up to 24 months.
• Backups: automated daily backups of the production database; recovery procedures tested periodically.
• Vulnerability management: dependency scanning, timely patching, and periodic security review of changes prior to deployment.
• Personnel: all personnel with access to Customer Personal Data are bound by written confidentiality obligations and receive security awareness training.
• Incident response: documented procedure for detection, containment, notification and remediation of security incidents.
• Sub-processor controls: due-diligence assessment and contractual data-protection terms with each Sub-processor.

Annex III — Sub-processors

The following Sub-processors are currently engaged to process Customer Personal Data:

Updates to this list will be communicated in accordance with Section 5.

Acceptance and Signed Counterpart

By using the Service, the Controller accepts the terms of this DPA. A counter-signed PDF version is available on request — please contact legal@priqid.com.

For questions about this DPA, see also our Privacy Policy.