Data Processing Agreement for Startup-Tools
1. Definitions
1.1. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4 (7) GDPR).
1.2. “Data Subject” shall have the meaning set out in Section 1.3.
1.3. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 (1) GDPR).
1.4. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4 (2) GDPR).
1.5. “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4 (8) GDPR).
2. Subject matter and duration of the DPA
2.1. Subject matter. The subject matter of this Data Processing Agreement (the “DPA”) results from the Tokenize.it Startup Tools as a Service Agreement (SSA), to which this DPA is an addendum, and does not concern any Processing of Personal Data by Tokenize.it as a separate Controller, as applicable, based on an appropriate legal basis.
2.2. Duration. The duration of this DPA corresponds to the duration of the SSA.
3. Specification of the Order or Contract Details
3.1. Nature and Purpose of the intended Processing of Data. Nature and Purpose of Processing of personal data by the Supplier for the Client are precisely defined in the SSA. According to Section 11.2 of the Startup Tools Terms and Conditions available at https://www.tokenize.it/saas-terms, Client remains the Controller for any Processing of Personal Data by Tokenize.it in connection with the provision of the Services. With regard to the provision of the Services, Tokenize.it is a Processor.
3.2. The undertaking of the contractually agreed commissioned Processing of Personal Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of Client and shall only occur if the specific Conditions of Articles 44 et seq. GDPR have been fulfilled.
3.3. Categories of Personal Data. The subject matter of the commissioned Processing of Personal Data under this DPA comprises the following data types/categories:
▪ Personal master data (key personal data)
▪ Contact data
▪ Key transaction data (contractual/legal relationships, investment or product interest)
3.4. Categories of Data Subjects. The Categories of Data Subjects comprise:
▪ Administrative Users
▪ Investors
4. Technical and Organizational Measures
4.1. Material requirements for TOMs. Tokenize.it shall implement Technical and Organizational Measures (“TOMs”) in order to establish the security in accordance with Article 28 (3) lit. c and Article 32 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The TOMs are described in more detail in Appendix 1 to this DPA.
4.2. Further development of TOMs. The TOMs are subject to technical progress and further development. In this respect, it is permissible for Tokenize.it to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
5. Rectification, restriction and erasure of Personal Data
5.1. Tokenize.it may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of Client, but only on documented instructions from Client.
5.2. Insofar as a Data Subject contacts Tokenize.it directly concerning a rectification, erasure, or restriction of processing, Tokenize.it will immediately forward the Data Subject’s request to Client.
6. Quality assurance and other duties of Tokenize.it
In addition to complying with the rules set out in this DPA, Tokenize.it shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. Accordingly, Tokenize.it ensures, in particular, compliance with the following requirements:
6.1. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. Tokenize.it entrusts only such employees with the Processing outlined in this DPA who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. Tokenize.it and any person acting under Tokenize.it’s authority who has access to Personal Data shall not process that Personal Data unless on instructions from Client, which includes the powers granted in this contract, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2. Implementation of and compliance with TOMs. Tokenize.it complies with all TOMs necessary for this DPA in accordance with Article 28 (3) s. 2 lit. c, Article 32 GDPR (details in Section 4 and Appendix 1).
6.3. Cooperation with supervisory authority. Client and Tokenize.it shall cooperate, on request, with the supervisory authority in performance of its tasks.
6.4. Information about investigations. Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this DPA. This also applies insofar as Tokenize.it is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the Processing of Personal Data in connection with the fulfilment of this DPA.
6.5. Support of Client. Insofar as Client is subject to an inspection by the supervisory authority, an administrative offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Processing of Personal Data under this DPA by Tokenize.it, Tokenize.it shall make every reasonable effort to support the Client.
6.6. Ongoing monitoring of processes. Tokenize.it shall periodically monitor the internal processes and the TOMs to ensure that processing within Tokenize.it’s area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the Data Subjects.
7. Sub-processing
7.1. “Sub-processing” for the purpose of this DPA is to be understood as meaning services which relate directly to the provision of the principal Services. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment.
7.2. Contractual safeguards. Tokenize.it shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of Client’s data, even in the case of outsourced ancillary services.
7.3. Consent from Client. Tokenize.it may commission sub-processors only after prior explicit written or documented consent from the Client.
7.3.1. Client agrees to the commissioning of the sub-processors identified in Appendix 2 to this DPA on the condition of a contractual agreement in accordance with Article 28 (2)-(4) GDPR. Tokenize.it will keep this list updated and will ensure that the list will be accessible for Client. Client has the right to request the list via email or postal service by Tokenize.it.
7.3.2. Client hereby grants to Tokenize.it the general written authorization to commission additional sub-processors other than those set out in Appendix 2 on the condition of a contractual agreement in accordance with Article 28 (2)-(4) GDPR. Tokenize.it shall inform Client with an advance notice of 14 days of any intended changes concerning the addition or replacement of sub-processors, thereby giving Client the opportunity to object to such changes.
7.4. The transfer of Personal Data from Client to the sub-processor and the commencement of the data Processing by the sub-processor shall only be undertaken after compliance with all requirements has been achieved.
7.5. If the sub-processor provides the agreed service outside the EU/EEA, Tokenize.it shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Section 7.1 s. 2.
8. Supervisory powers of Client
8.1. Inspections. Client has the right, after consultation with Tokenize.it, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by Tokenize.it in its business operations by means of random checks. Inspections and random checks shall (i) ordinarily be announced in writing with two weeks prior notice and (ii) at the request of Tokenize.it be performed in the presence of a representative of Tokenize.it.
8.2. Information. Tokenize.it shall ensure that Client is able to verify compliance with the obligations of Tokenize.it in accordance with Article 28 GDPR. Tokenize.it undertakes to give Client the necessary information on request and, in particular, to demonstrate the execution of the TOMs.
8.3. Remuneration. Tokenize.it may claim remuneration for enabling Client inspections.
9. Supporting services by Tokenize.it
9.1. Tokenize.it shall assist Client in complying with the obligations concerning the security of Personal Data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
9.1.1. Ensuring an appropriate level of protection through TOMs that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events;
9.1.2. The obligation to report a personal data breach immediately to Client;
9.1.3. The duty to assist Client with regard to Client’s obligation to provide information to the Data Subject concerned and to immediately provide Client with all relevant information in this regard;
9.1.4. Supporting Client with its data protection impact assessment;
9.1.5. Supporting Client with regard to prior consultation of the supervisory authority.
9.2. Tokenize.it may claim compensation for support services which are not included in the Service Plan in Addendum 1 and which are not attributable to failures on the part of Tokenize.it.
10. Authority of Client to issue instructions
10.1. Client shall immediately confirm oral instructions (at the minimum in text form).
10.2. Tokenize.it shall inform Client immediately if Tokenize.it considers that an instruction violates applicable Data Protection Regulations. Tokenize.it shall then be entitled to suspend the execution of the relevant instructions until Client confirms or changes them.
11. Deletion and return of Personal Data
11.1. Copies or duplicates of Personal Data shall never be created without the knowledge of Client, with the exception of back-up copies as far as they are necessary to ensure orderly data Processing, as well as data required to meet regulatory requirements to retain data.
11.2. After conclusion of the contracted work, or earlier upon request by Client, at the latest upon termination of the SSA, Tokenize.it shall hand over to Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
11.3. Client understands and acknowledges that the key benefit of the blockchain technology is that data cannot be changed or deleted once they have been put on the blockchain. This is the key technical feature which makes the blockchain reliable and ensures integrity of the data put on the blockchain. Client therefore agrees to inform any Authorized Users, Administrative Users, Investors and/or other Data Subjects, the Personal Data of whom will be put on the blockchain in connection with Client using the Startup Tools, accordingly. Client remains responsible to obtain, where required, consent from any Data Subjects the Personal Data of whom are processed through the Startup Tools.
11.4. Documentation which is used to demonstrate orderly data Processing in accordance with the DPA shall be stored beyond the contract duration by Tokenize.it in accordance with the respective retention periods. It may hand such documentation over to Client at the end of the contract duration to relieve Tokenize.it of this contractual obligation.
Appendix 1 – Technical and Organizational Measures
1. Confidentiality (Article 32 (1) lit. b GDPR)
1.1. Physical access control. No unauthorized access to data processing facilities, e.g.: access control concept, magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems
1.2. Electronic access control. No unauthorized use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
1.3. Internal access control (permissions for user rights of access to and amendment of data). No unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events
1.4. Pseudonymization (Article 32 (1) lit. a GDPR; Article 25 (1) GDPR). The processing of Personal Data in such a way that, where possible, the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
2. Integrity (Article 32 (1) lit. b GDPR)
2.1. Data transfer control. No unauthorized reading, copying, changes or deletions of data with electronic transfer or transport, e.g.: company-issued device full-disk encryption, implementation of data handling rules.
2.2. Data entry control. Verification, whether and by whom personal data is entered into a data processing system, is changed or deleted, e.g.: logging, document management.
3. Availability and resilience (Article 32 (1) lit. b GDPR)
3.1. Availability control. Prevention of accidental or willful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning
3.2. Rapid recovery (Article 32 (1) lit. c GDPR), e.g.: retaining data in a safe, outsourced location, recording and storing transaction information in an anonymized fashion on blockchain networks.
4. Procedures for regular testing, assessment and evaluation (Article 32 (1) lit. d GDPR; Article 25 (1) GDPR)
4.1. Data protection management;
4.2. Incident response management;
4.3. Data protection by design and default (Article 25 (2) GDPR);
4.4. Contract Control. No third-party data processing as per Article 28 GDPR without corresponding instructions from Client, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the relevant service provider, duty of pre-evaluation, supervisory follow-up checks.
Appendix 2 – List of Sub-Processors
Client is aware of and agrees to the commissioning of the following sub-processors on the condition of a contractual agreement in accordance with Article 28 (2)-(4) GDPR:
AWS - Amazon Web Services EMEA SARL (Germany Branch), Regional Office Germany, Ankerstrasse 110117 Berlin, Germany (webhosting & database)
SendGrid - Twilio Ireland Limited, 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland (API-triggered email notifications)
Cloudflare - Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA (spam protection)
Last updated: January 10, 2025