Data Processing Agreement (DPA)

Definitions

• "Controller": The entity that determines the purposes and means of processing Personal Data
• "Processor": VCOS AI, which processes Personal Data on behalf of the Controller
• "Data Subject": An identified or identifiable natural person
• "Personal Data": Any information relating to a Data Subject
• "Processing": Any operation performed on Personal Data
• "Sub-processor": Any third party engaged by Processor to process Personal Data
• "Data Protection Laws": All applicable data protection and privacy laws including GDPR, CCPA, and others
• "Security Incident": Any breach of security leading to unauthorized access, loss, or disclosure of Personal Data

Processing of Personal Data

Scope and Purpose

The Processor shall process Personal Data only:

• To provide the Services as described in the Terms of Service
• In accordance with documented instructions from the Controller
• As required by applicable law (with notice to Controller unless prohibited)

Categories of Personal Data Processed

• Contact information (names, emails, phone numbers)
• Company and professional information
• Investment and financial data
• Communication records
• Usage and analytics data
• Any data inputted into our document generation tools

Categories of Data Subjects

• Controller's employees and authorized users
• Investors and limited partners
• Portfolio company representatives
• Prospective investment contacts
• Other individuals whose data is processed through the Services

Controller Obligations

The Controller warrants and represents that:

• It has all necessary rights to provide Personal Data to Processor
• It has obtained all required consents and provided necessary notices
• Its instructions comply with applicable Data Protection Laws
• It will not provide sensitive categories of Personal Data without prior agreement

Processor Obligations

Compliance

The Processor shall:

• Process Personal Data in compliance with Data Protection Laws
• Implement appropriate technical and organizational measures
• Ensure personnel are subject to confidentiality obligations
• Notify Controller of any legally binding requests for disclosure

Assistance

The Processor shall assist the Controller with:

• Responding to Data Subject requests
• Security notifications and breach reporting
• Data protection impact assessments
• Consultations with supervisory authorities

Security Measures

Technical and Organizational Measures

The Processor implements and maintains:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security testing and assessments
• Physical security controls
• Incident detection and response procedures
• Business continuity and disaster recovery plans
• Regular security training for personnel

Security Updates

The Processor shall:

• Regularly update security measures to reflect current threats
• Implement patches and security updates promptly
• Conduct periodic security reviews

Sub-processors

Authorized Sub-processors

The Controller authorizes the use of the following Sub-processors:

New Sub-processors

• Processor shall notify Controller of intended additions or replacements
• Controller has 30 days to object to new Sub-processors
• If Controller reasonably objects, parties will work in good faith to resolve

Sub-processor Obligations

The Processor shall:

• Enter into written agreements with Sub-processors
• Ensure Sub-processors comply with equivalent data protection obligations
• Remain fully liable for Sub-processor performance

Data Subject Rights

Assistance with Requests

The Processor shall:

• Promptly notify Controller of Data Subject requests
• Provide reasonable assistance in responding to requests
• Not respond directly to Data Subjects unless authorized

Supported Rights

Assistance includes requests for:

• Access to Personal Data
• Rectification or erasure
• Restriction of processing
• Data portability
• Objection to processing

Security Incidents

Notification

Upon becoming aware of a Security Incident, Processor shall:

• Notify Controller without undue delay (within 72 hours)
• Provide initial assessment and impact analysis
• Cooperate with investigation and remediation

Incident Information

Notification shall include:

• Nature and categories of Personal Data affected
• Categories and approximate number of Data Subjects affected
• Likely consequences of the incident
• Measures taken or proposed to address the incident

Documentation

Processor shall maintain records of all Security Incidents, including:

• Facts relating to the incident
• Effects and consequences
• Remedial actions taken

International Data Transfers

Transfer Mechanisms

For transfers outside the EEA, parties rely on:

• Standard Contractual Clauses (where applicable)
• Adequacy decisions
• Other valid transfer mechanisms under Data Protection Laws

Transfer Safeguards

The Processor shall:

• Only transfer Personal Data with appropriate safeguards
• Maintain records of transfer mechanisms
• Notify Controller of any inability to comply with transfer requirements

Audits and Inspections

Audit Rights

The Controller has the right to:

• Request information demonstrating compliance
• Conduct audits (with reasonable notice)
• Engage third-party auditors (subject to confidentiality)

Audit Process

• Maximum of one audit per year (unless required by authorities)
• 30 days written notice required
• Conducted during business hours
• Minimal disruption to operations

Audit Costs

• Controller bears its own audit costs
• If audit reveals material non-compliance, Processor bears remediation costs

Data Retention and Deletion

Retention Period

Personal Data shall be retained:

• For the duration of the Services
• As required by applicable law
• Until deletion is requested and confirmed

Data Deletion

Upon termination or upon request:

• Processor shall delete or return all Personal Data
• Delete existing copies unless retention is required by law
• Provide written certification of deletion

Exceptions

Processor may retain Personal Data:

• As required by applicable law
• For establishment or defense of legal claims
• In anonymized or aggregated form

Liability and Indemnification

Limitation of Liability

Liability is governed by the limitation of liability provisions in the Terms of Service, except as prohibited by Data Protection Laws.

Indemnification

Each party shall indemnify the other against damages arising from:

• Its breach of this DPA
• Its violation of Data Protection Laws
• Its negligent or wrongful acts or omissions

Term and Termination

Duration

This DPA remains in effect for the duration of the Terms of Service.

Survival

Provisions relating to confidentiality, data deletion, and liability survive termination.

Termination for Breach

Either party may terminate if the other materially breaches and fails to cure within 30 days of notice.

Miscellaneous

Conflict

In case of conflict between this DPA and the Terms of Service regarding data protection, this DPA prevails.

Amendments

Amendments required by Data Protection Laws shall be incorporated automatically.

Severability

If any provision is invalid, the remainder continues in full force.

Governing Law

This DPA is governed by the same law as the Terms of Service, subject to mandatory Data Protection Laws.

Contact Information

For data processing inquiries:

Annex 1: Standard Contractual Clauses

[If applicable, Standard Contractual Clauses would be attached here for international data transfers]

Annex 2: Technical and Organizational Measures

Security Controls

• AES-256 encryption for data at rest
• TLS 1.3 for data in transit
• Multi-factor authentication
• Role-based access controls
• Regular penetration testing
• 24/7 security monitoring
• Automated backup systems
• Incident response procedures

Organizational Measures

• Background checks for personnel
• Confidentiality agreements
• Regular security training
• Access on need-to-know basis
• Clean desk policy
• Secure disposal procedures