Data Processing Agreement
Template version 1.0 — effective 13 May 2026
This Data Processing Agreement ('DPA') forms part of the DueVestor Terms of Service between DueVestor ('Processor') and the customer ('Controller'). It governs the processing of personal data described below and incorporates the Standard Contractual Clauses where required.
1. Subject matter
Processor will process personal data on behalf of Controller solely to provide the DueVestor due-diligence platform under the Terms of Service. Personal data here means information about Controller's end users (people who use the platform) and about the subjects Controller chooses to investigate.
2. Duration
Processing continues for the term of the Terms of Service and the retention windows documented in the Privacy Policy. Either party may terminate per the Terms; on termination Processor will delete or return personal data within 30 days unless retention is required by law.
3. Nature and purpose of processing
Storage, lookup, and LLM-driven analysis of investigation subjects against public records sources, generation of due-diligence reports, billing, support, and audit logging.
4. Categories of data subjects and personal data
Data subjects: Controller's end users and the investigation subjects Controller submits. Categories: identification data, professional history, sanctions lists, court records, adverse media, and any free-text notes Controller chooses to attach.
5. Processor obligations
Process personal data only on Controller's documented instructions. Maintain confidentiality. Assist Controller with data-subject rights (the export and erase endpoints are self-service). Notify Controller of a personal-data breach within 72 hours of discovery. Make audit information available on request.
6. Sub-processors
Processor uses the sub-processors listed at /security. Processor will give Controller 30 days' notice before adding a new sub-processor that processes EU personal data; Controller may terminate without penalty if it objects.
7. International transfers
Where personal data is transferred from the EEA / UK to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) by reference. The transfer impact assessment is available on request.
8. Security measures
Encryption in transit and at rest, single-operator access enforced through Cloudflare Access on a least-privilege basis, append-only audit log with 2-year retention, ephemeral per-report compute sandbox, daily encrypted backups with a documented restore procedure. SOC 2 Type I report targeted for Q4 2026.
9. Personal-data breach notification
Processor will notify Controller without undue delay and in any case within 72 hours of becoming aware of a personal-data breach affecting Controller's data, including (where known) the nature of the breach, the categories and approximate number of records affected, likely consequences, and measures taken or proposed.
10. Return and deletion on termination
On termination Processor will, at Controller's choice, return or delete all personal data within 30 days, subject to any legal retention obligation, which Processor must document in writing if invoked.