
Data Protection Agreement

Last updated: 21st Oct, 2025

1. Parties

This data processing agreement (the Agreement) is entered into by:

The Controller: [Company], [address]

and

The Processor: ORCA AG, Freigutstrasse 5, 8002 Zurich, Switzerland

2. Details of the Processing

2.1. Subject matter

The Parties have entered into an Agreement concerning the provision of cloud services and related software functionalities. This Agreement governs the processing of such Customer Data by the Processor.

In the execution of the Agreement, the Processor has access to data as set out in the Privacy Policy. By default, the Processor uses a zero-trust model to protect the Controller's Data (Customer Data) at all times and ensure that neither the Processor nor any sub-processor can access such sensitive data at any point in time. Additional functionalities that involve different data processing terms (such as ORCA Sonar, Integrations and Upload via Email) may be activated by the Controller and their use is governed by their particular terms and conditions and this Agreement.

2.2. Duration

This Agreement becomes effective as of when the Controller engages in a Main Contract with the Processor or upon the signature date below. The Agreement continues for as long as the Processor processes Customer Data on behalf of the Controller (the "Term").

2.3. Nature and purpose

As described above.

2.4. Categories of data

The Customer Data can contain:

  • Personal and Professional Data: Names, birth dates, email addresses, contact details, family information, job titles, and company information.
  • Ownership, Financial and Transactional Data: Information related to business deals, such as deal values, transaction details, and timelines.
  • Relevant legal information: Data concerning mandates, legal powers, cash flow records, and board meeting minutes.
  • Documents: Any documentation uploaded by the Controller related to the categories above.
  • Usage Data: Anonymized or pseudonymized data related to user interaction with the platform for analytics and service improvement.

2.5. Data Subjects

The Controller's employees, clients, customers, business partners, prospects, and other individuals whose personal data is submitted to the services by or on behalf of the Controller.

3. Technical and Organizational Security Measures

The Processor implements and maintains robust technical and organizational measures to protect Customer Data:

  • Technical Measures: As described in detail in the Processor's Security White Paper, these measures include but are not limited to the encryption of different data types (via cryptographic methods), the levels of access control available and the architecture of the data stored.
    • Additional measures are taken for opt-in functionalities, such as for ORCA Sonar (AI-led functionality)

  • Organizational Measures: The Processor maintains an Information Security Management System (ISMS) in accordance with ISO/IEC 27001 and 9001. Measures include incident detection and response protocols, personnel security, and risk management. The Processor's ISO certificate is available in ORCA's Audit.

4. Subprocessors

The Controller authorizes the engagement of additional Subprocessors. The Processor remains fully liable for any acts or omissions of its Subprocessors. A current list of all Subprocessors is maintained in the Processor's Privacy Policy, which the Controller agrees to as of the Effective Date. The Controller will be notified of any changes to this list in accordance with Section 6.4 below. Key Subprocessors include:

  • Google Switzerland GmbH, Europaallee 36, 8004 Zurich, Switzerland
    • Data Protection Officer
    • Cloud infrastructure and hosting services for the ORCA platform, including data storage and processing.

  • OpenAI Ireland Ltd., 70 Sir John Rogerson's Quay, Block C, Dublin 2, D02 R296, Ireland
    • Legal Department
    • Applicable only to ORCA Sonar feature. Provides AI models (GPT) for data extraction, summarization, and analysis features.

6. Data Processing Terms

6.1. Scope and Definitions

In this Agreement, the following terms will have the following meaning:

  1. Customer Data means data submitted, stored, sent or received by, and processed by the Processor in encrypted form, on behalf of the Controller;
  1. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data;
  1. Effective Date means the date when this Agreement or the Main Contract is signed by both Parties (including a customary electronic signature such as DocuSign);
  1. Subprocessor means any person or entity (other than an employee of the Processor or of any Subprocessor) appointed by or on behalf of the Processor to process Customer Data.

6.2. Processing of Customer Data

  1. The Controller hereby instructs the Processor to process Customer Data to provide the Services in accordance with this Agreement and any other instructions given by the Controller for purposes of this Agreement in writing (including e-mail) or directly interacting with the Processor's systems (if these systems allow direct interaction).
  1. The Parties agree that the subject matter and details of the processing are as set out in sec. 2.
  1. The Controller agrees that the Processor may store and process Customer Data in Switzerland, the European Economic Area and any other country in which any of its Subprocessors maintains facilities.

6.3. Data Security

  1. The Processor will implement and maintain during the Term technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as required under Data Protection Legislation but at least the measures set out in Sec. 3 (the Security Measures). The Processor may update or modify the Security Measures from time to time provided such updates and modifications have no material negative effect on the overall security and provided that the Controller is informed about material updates or modifications in advance.
  1. The Processor will take appropriate steps to ensure compliance with the Security Measures by its employees, agents and contractors and the Subprocessors and their personnel, including ensuring that all persons authorized to access and/or otherwise process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  1. If the Processor becomes aware of a Data Breach, the Processor will notify the Controller without delay [but no later than 24 hours from becoming aware of the Data Breach], stating at least the following information, to the extent available at the time of the notification, and where not all information is available at that time the Processor will follow up with missing information as soon as reasonably possible:
    1. the nature of the Data Breach including where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned;
    2. the name and contact details of a contact point where more information can be obtained;
    3. the likely consequences of the personal data breach;
    4. the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  1. The Processor will reasonably cooperate with the Controller to assist in the investigation, mitigation and remediation of such Data Breach, and will keep the Controller informed of all material developments in connection with the Data Breach.

6.4. Subprocessors

  1. The Controller authorizes the engagement of Subprocessors by the Processor, provided the Processor acts in accordance with the obligations under this Section 6.4. The Controller further authorizes the ongoing use of the Subprocessors existing at the Effective Date, as stated in Sec. 4, on condition that Section 6.4(c)(ii) is met prior to these Subprocessors first having access to Customer Data. For clarity, Sections 6.4(d) and 6.4(e) will apply for these Subprocessors.
  1. Where any new Subprocessor is to be engaged during the Term, the Processor will, at least 30 days before such new Subprocessor is first given access to any Customer Data, inform the Controller of the intended engagement stating the name and location of the Subprocessor and the nature and intended start date of the subprocessing. The Controller may object to such new Subprocessor on reasonable grounds. The Parties will work together to resolve any such objection but without agreement on such resolution the Controller may terminate this Agreement by giving written notice of termination within 30 days of being informed of the new Subprocessor.
  1. Prior to engaging any Subprocessor, the Processor will ensure that the arrangement between the Processor and the Subprocessor is governed by an agreement that includes terms which offer at least the same level of protection for Customer Data as those set out in this Agreement and any other agreement between the Parties (if applicable) and meet the requirements of Applicable Data Protection Law.
  1. The Processor will provide to the Controller for review copies of the Processor's agreement with the Subprocessor (which may be redacted to remove confidential commercial information not relevant for this Agreement).
  1. The Processor will be fully liable for any acts or omissions of the Subprocessors as if they were its own.

6.5. Cooperation and Assistance

  1. The Processor will enable the Controller to access, rectify and restrict processing of Customer Data, and to export Customer Data in a manner consistent with the Services.
  1. The Processor will promptly notify the Controller if the Processor or a Subprocessor receives a request from a data subject in respect of Customer Data.
  1. The Processor will reasonably assist the Controller in ensuring compliance with any of the Controller's obligations in respect of the security of personal data and personal data breaches, including the Controller's obligations pursuant to articles 32-34 of the GDPR (or equivalent provisions under the Data Protection Legislation).
  1. The Processor will (taking into account the nature of the processing and the information available to the Processor) assist the Controller in ensuring compliance with any obligations of the Controller in respect of data protection impact assessments and prior consultation including the Controller's obligations pursuant to the Data Protection Legislation.

6.6. Data Deletion

  1. On expiry of the Term the Controller instructs the Processor to delete or return and then delete all Customer Data in its possession or control from the Processor's (and any Subprocessor's, where applicable) systems. The Processor will comply with this instruction without delay, provided the Processor may continue to store Customer Data securely and protected against unnecessary access, as necessary under applicable law.

6.7. Audits

  1. The Processor will allow the Controller or an independent and suitably qualified auditor appointed by the Controller to conduct audits including inspections to verify the Processor's compliance with its obligations under this Agreement in accordance with Section 6.8(b). The Processor will reasonably cooperate in and contribute to such audits or inspections. In addition, the Processor will allow the Controller or an independent auditor appointed by the Controller to conduct audits as described in the Standard Clauses (if applicable) in accordance with Section 6.8(b).
  1. Following receipt of a request for an audit, the Processor and the Controller will discuss and agree in advance on the date(s) of and the start date, scope and duration of and security and confidentiality controls applicable to any audit or inspection.

6.8. Liability and Indemnity

  1. To the extent permitted by applicable law, neither party shall be liable to the other party, except for gross negligence and wilful intent. Liability shall be governed by the Main Contract.

6.9. Term and Termination

  1. The obligations set out in this Agreement will enter into force as of the Effective Date and continue to apply for as long as the Processor continues to process or have access to Customer Data (the Term).
  1. The Controller may terminate this Agreement (each Controller individually with effect only for the relevant Controller) at any time by providing at least one month's notice in text form to the Processor, provided that where the processing is required for the Processor to comply with any other agreement with the Controller, the termination options under that agreement will prevail.
  1. Notwithstanding Sec. 6.10(a), the Controller may terminate this Agreement at any time with immediate effect (1) where the Processor is in material breach of this Agreement (including the Standard Clauses), and (2) where the Controller terminates the Standard Clauses in accordance with its terms.

6.10. General Terms

  1. This Agreement (not limited to the Standard Clauses) will be subject to the law and jurisdiction agreed in Sec. 6.5(c) and 6.5(d).
  1. If a provision of this Agreement is invalid or unenforceable and in case of an omission (intended or unintended), then the remaining provisions will remain unaffected, and the invalid, unenforceable or missing provision(s) will be deemed replaced by valid and enforceable terms that most nearly achieve the purpose of the invalid provision(s).

7. Signatures


Customer Provider

Signature_________________________ Signature ___________________

Name____________________________ Name: Tomas Hurcik

Title_____________________________ Title: CEO & Co-founder

Place____________________________ Place: Zurich, Switzerland

Date Signed_______________________ Date Signed: ________________


Signature_________________________ Signature ___________________

Name____________________________ Name: Gregor Feichtinger

Title_____________________________ Title: Co-founder

Place____________________________ Place: Zurich, Switzerland

Date Signed_______________________ Date Signed: ________________
