Data Processing Agreement

Last update: 22 September 2025

Capitalised terms have the meanings given in the Terms and the Privacy Policy.

This Data Processing Agreement (“DPA”) forms an integral part of the Agreement between AstrisNexus and the Client.

This DPA governs the processing of Personal Data by AstrisNexus in its capacity as Processor on behalf of the Client as Controller, in the context of the Services provided via the Platform.

This DPA applies only to the extent that AstrisNexus processes Personal Data as a Processor within the meaning of Article 4(8) GDPR. For all other processing activities where AstrisNexus acts as Controller, the Privacy Policy applies.

This DPA supplements the data protection and security provisions set out in the Terms and the Privacy Policy.

1. Purpose and Scope

AstrisNexus shall process Personal Data solely on the documented instructions of the Client and only to the extent necessary to provide the Services.

The processing concerns the following:

  1. Subject matter and purpose: preparation, storage, and controlled disclosure of Client Documentation via the Platform for the purpose of creating Engagement Suites, enabling Expert Review, and facilitating Introductions to Advisors and Investors.

  2. Duration: for the term of the Agreement, unless otherwise required by Union or Member State law.

  3. Categories of Data Subjects: Client representatives (Users), employees or contractors named in Documentation, business contacts and stakeholders identified in Engagement Suites, and other individuals whose data the Client lawfully submits to the Platform.

  4. Types of Personal Data: identification and contact data (e.g., name, title, email, phone, organisation), professional and financial information contained in Documentation, technical identifiers (e.g., IP address, device information), and metadata generated by Platform use.

AstrisNexus shall not process Personal Data for any other purpose unless required to do so under Union or Member State law. In such cases, AstrisNexus shall inform the Client of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest.

2. Legal Requirements under Article 28 GDPR

AstrisNexus shall:

  1. Process Personal Data only on the documented instructions of the Client, as set out in this DPA, the Terms, and the Privacy Policy.

  2. Promptly inform the Client if, in its opinion, an instruction infringes Union or Member State data protection law.

  3. Ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations.

  4. Implement and maintain appropriate technical and organisational measures (“TOMs”) within its ISO 27001-certified Information Security Management System (ISMS), as further described in the Privacy Policy and the AstrisNexus Trust Centre.

  5. Not engage any subprocessor without a written agreement imposing data protection obligations substantially similar to those in this DPA. The current list of subprocessors is available in the AstrisNexus Trust Centre.

  6. Provide reasonable assistance to the Client in responding to Data Subject rights requests under Articles 12–23 GDPR.

  7. Provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations pursuant to Articles 35 and 36 GDPR, to the extent that processing under this DPA is likely to result in a high risk to the rights and freedoms of natural persons.

  8. Notify the Client of a Personal Data Breach without undue delay and, where feasible, within 48 hours after becoming aware of it.

  9. Upon termination of the Agreement, return or delete Personal Data in accordance with the retention and deletion rules set out in the Privacy Policy, unless continued retention is required by Union or Member State law.

  10. Make available to the Client, upon written request, information reasonably necessary to demonstrate compliance with this DPA, insofar as it relates to the processing of the Client’s Personal Data, and allow for and contribute to audits solely relating to such processing, subject to reasonable notice, scope limitations, and confidentiality obligations.

Audits may occur no more than once in any twelve (12) month period, must be notified at least thirty (30) days in advance, and may not unreasonably disrupt AstrisNexus’s operations. No audit shall extend to other Clients’ data or to general infrastructure unrelated to the Client’s Personal Data.

3. Restrictions on Use

AstrisNexus shall not:

  1. Use Personal Data for its own purposes or for the benefit of any third party, except as expressly permitted under the Privacy Policy or as necessary to provide the Services to the Client.

  2. Use Personal Data to train, fine-tune, or otherwise improve any machine-learning or AI model, except where such processing is carried out on anonymised or aggregated data that no longer constitutes Personal Data.

4. Subprocessors and International Transfers

AstrisNexus may engage trusted subprocessors and, where necessary, transfer Personal Data outside the European Union, subject to the following conditions:

  1. The Client grants AstrisNexus a general authorisation to engage subprocessors, provided that each subprocessor is bound by written obligations substantially similar to those set out in this DPA.

  2. The current list of approved subprocessors and their data locations is published in the AstrisNexus Trust Centre. AstrisNexus shall provide notice of material changes through the Trust Centre, in accordance with the procedure described in the Privacy Policy.

  3. Where Personal Data is transferred outside the European Union, such transfers shall take place only under lawful mechanisms recognised by the GDPR, including the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs), supplemented with additional safeguards where required. Details are described in the Privacy Policy.

5. Precedence

In the event of any conflict between this DPA and the Terms or the Privacy Policy, this DPA shall prevail, but only with respect to the processing of Personal Data under the GDPR.

6. Governing Law and Jurisdiction

This DPA is governed by Dutch law. Any dispute arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent court of Amsterdam, the Netherlands.

7. References

The subject matter, duration, nature and purpose of processing, the categories of Personal Data, and the categories of Data Subjects are described in Section 1 of this DPA.

The current technical and organisational measures (TOMs) and the list of approved subprocessors, including their data locations and applicable transfer mechanisms, are published in the AstrisNexus Trust Centre and further described in the Privacy Policy. These resources form an integral part of this DPA.

8. Contact

For any questions regarding this DPA or the processing of Personal Data under it, the Client may contact AstrisNexus at:

AstrisNexus B.V.
Strawinskylaan 3051
1077 ZX Amsterdam
The Netherlands
Email: legal@astrisnexus.com