Data Processing Agreement

Last updated: February 28, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Muskepo B.V. ("Processor") for the provision of Dealspace services. This DPA governs the processing of personal data in accordance with GDPR Article 28 and other applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).

"Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subjects" means the individuals whose Personal Data is processed under this DPA.

"Confidential M&A Transaction Data" means all documents, communications, and information uploaded to or generated within Dealspace in connection with mergers, acquisitions, due diligence, or related transactions.

2. Scope of Processing

2.1 Subject Matter

The Processor processes Personal Data to provide Dealspace services including document storage, access management, request workflow, communication facilitation, and audit logging for M&A transactions.

2.2 Nature and Purpose

Processing includes storage, retrieval, transmission, encryption, watermarking, and deletion of Personal Data as necessary to provide the services described in the Terms of Service.

2.3 Categories of Data Subjects

  • Account holders and authorized users
  • Deal participants (sellers, buyers, advisors, and their personnel)
  • Individuals whose data is contained in uploaded documents

2.4 Types of Personal Data

  • Contact information (name, email, phone, organization)
  • Account credentials and authentication data
  • Activity logs (access times, IP addresses, actions taken)
  • Personal data contained in uploaded M&A transaction documents

2.5 Duration

Processing continues for the duration of the service agreement plus any retention period required by law or agreed with the Controller.

3. Processor Obligations

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law. The Processor shall inform the Controller of any such legal requirement before processing, unless prohibited by law.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

The Processor implements technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • FIPS 140-3 validated encryption of Personal Data at rest and in transit
  • Per-deal encryption keys with secure key management
  • Multi-factor authentication for all system access
  • Role-based access controls with least-privilege principles
  • Continuous monitoring and intrusion detection
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Business continuity and disaster recovery capabilities

3.4 Sub-processing

The Processor shall not engage Sub-processors without prior specific or general written authorization from the Controller. In the case of general authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller an opportunity to object. Sub-processors are bound by equivalent data protection obligations.

3.5 Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any such requests received directly.

3.6 Data Protection Impact Assessments

The Processor shall assist the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required.

3.7 Deletion and Return

Upon termination of the service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires storage. The Controller has 30 days following termination to export data before deletion.

3.8 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. For Enterprise customers, specific audit procedures and schedules may be agreed in writing.

4. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing Personal Data and transferring it to the Processor
  • Data Subjects have been informed of the processing in accordance with GDPR requirements
  • Instructions given to the Processor comply with applicable data protection laws
  • It will promptly notify the Processor of any changes to processing instructions

5. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

The Processor shall cooperate with the Controller in investigating and remediating the breach and in meeting notification obligations to supervisory authorities and Data Subjects.

6. International Transfers

The Processor may transfer Personal Data outside the European Economic Area only where appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules approved by a supervisory authority
  • Adequacy decisions by the European Commission
  • Other mechanisms permitted under GDPR Chapter V

The current list of data processing locations and applicable transfer mechanisms is available upon request.

7. Sub-processors

The Controller grants general authorization for the use of Sub-processors subject to the requirements of Section 3.4. Current Sub-processors include:

Sub-processor            | Purpose                             | Location
-------------------------|-------------------------------------|---------
Infrastructure Provider  | Cloud infrastructure                | EU / US
Stripe, Inc.             | Payment processing                  | US
AI Embedding Provider    | Document matching (zero retention)  | US

The Controller will be notified of Sub-processor changes via email at least 30 days in advance, with the opportunity to object.

8. Certifications and Compliance

The Processor maintains the following certifications and compliance measures:

  • SOC 2 Type II — Annual audit of security, availability, and confidentiality controls
  • ISO 27001 — Information Security Management System certification
  • FIPS 140-3 — Use of validated cryptographic modules for encryption
  • GDPR — Compliance with EU General Data Protection Regulation

Copies of relevant certifications and audit reports are available to Enterprise customers under NDA.

9. Liability

Liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Each party shall be liable for damages caused by processing that infringes GDPR or this DPA to the extent provided by applicable law.

10. Term and Termination

This DPA is effective from the date the Controller begins using Dealspace and continues until termination of all service agreements. Sections that by their nature should survive termination will survive, including data deletion, audit rights, and confidentiality obligations.

11. Governing Law

This DPA is governed by the laws of the Netherlands. The competent courts of Amsterdam have exclusive jurisdiction over disputes arising from this DPA.

Contact

Data Protection Officer:
privacy@dealspace.io

For Enterprise customers requiring executed DPAs or custom terms, contact legal@dealspace.io.