Parties
CapQuest Software Limited, a private company incorporated in the Dubai International Financial Centre under company registration number 9388 (“CapQuest,” “we,” “our,” or “us”) and the entity on whose behalf you are acting, hereinafter called the “Customer” or “you” agree to the following terms:
Whereas
- This Data Processing Agreement (the “DPA”) governs the processing of Personal Data by CapQuest (as Data Processor) on behalf of the Customer (as Data Controller) as part of the services provided through CapQuest’s website and application (the "Services").
- This DPA is designed to ensure compliance with the General Data Protection Regulation, formally known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).
- This DPA applies solely to the Customers who are established within the European Union or the European Economic Area who are subject to or whose data processing activities are subject to the GDPR. For the Customers outside of these jurisdictions, alternative data processing terms may be provided to address applicable legal requirements.
- For the purposes of this DPA, the Customer will act as the Data Controller and CapQuest will function as the Data Processor.
- The Parties wish to lay down their rights and obligations in this DPA.
1. Definitions and interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.2 "Data Controller" means the Customer who determines the purposes and means of processing Personal Data.
1.3 "Data Processor" means CapQuest which processes Personal Data on behalf of the Customer.
1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.5 The terms, "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Binding nature of the DPA
2.1 This DPA forms a legally binding agreement between CapQuest and the Customer, governing the processing of Personal Data as described herein. By using CapQuest’s Services, the Customer agrees to the terms of this DPA, which shall be binding upon the Customer and its affiliates if the Personal Data of the affiliates is provided to CapQuest for the provision of Services.
2.2 This DPA takes precedence over any conflicting provisions in other agreements or terms between the parties, including but not limited to Terms of Service concerning data protection if the Customer is falling under the jurisdiction of the GDPR.
2.3 In the event of any inconsistency between this DPA and any provisions of the Terms of Service, the terms of the DPA shall take precedence.
2.4 The parties acknowledge that compliance with this DPA is mandatory to fulfill their respective obligations under GDPR.
2.5 This DPA shall be valid for, and the processing shall continue, as long as the Services are provided under the Terms of Service or until otherwise required by applicable law.
2.6 This DPA may be executed by electronic means or by clicking "I Agree," "Accept," or similar affirmations. Such actions constitute a valid and enforceable method of execution under applicable law. The parties acknowledge and agree that this electronically accepted DPA shall have the same legal force and effect as an agreement physically signed in ink and delivered in person.
3. Processing of personal data
3.1 CapQuest shall:
- comply with all applicable Data Protection Laws in the processing of the Customer’s Personal Data (which definition includes any Personal Data of the Customer’s affiliates, if applicable);
- and not process the Customer’s Personal Data other than on the relevant documented instructions given to CapQuest via request for the Services.
3.2 CapQuest shall process Personal Data exclusively to provide the Services in compliance with this DPA, the Terms of Services and its Privacy Policy.
3.3 The categories of Personal Data that is being processed by CapQuest may include but are not limited to, the data of the Customer’s employees, shareholders, SAFE holders, advisors, investors, and other users of the Services.
4. Processor personnel
4.1 CapQuest shall take reasonable steps to ensure the reliability of any employee, agent, sub-processor or contractor of CapQuest who may have access to the Customer’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer’s Personal Data, as strictly necessary for the purposes of provision of the Services to the Customer, and to comply with applicable laws in the context of that individual's duties to CapQuest, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security measures
5.1 CapQuest shall in relation to the Customer’s Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.2 CapQuest shall implement appropriate technical and organizational security measures, including but not limited to:
- encryption of data in transit and at rest;
- regularly assessing and evaluating the effectiveness of security measures;
- and access controls to ensure data is only accessible to authorized personnel.
6. Obligations of the data controller
6.1 The Customer shall:
- ensure that it has acquired all required consents for processing of Personal Data and for sharing such Personal Data with CapQuest for provision of Services;
- ensure that Data Subjects have been informed through appropriate privacy notices about the collection and processing of their Personal Data, including, but not limited to, provision of Personal Data to CapQuest for intended purposes;
- be responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired from the Data Subjects;
- provide instructions to CapQuest for processing Personal Data in compliance with applicable Data Protection Laws to provide the Services;
- ensure that any processing of the Customer’s Personal Data adheres to all applicable Data Protection Laws, and confirms that CapQuest’s processing of such data, as detailed in this DPA, will remain fully compliant with these legal requirements;
- guarantee that the Customer’s Personal Data will be updated as necessary to maintain its accuracy and relevance over time;
- inform Data Subjects about any relevant retention periods during which CapQuest will store their Personal Data or specific elements thereof;
- guarantee that it will not supply CapQuest with, nor request that CapQuest processes, any types or categories of Personal Data as outlined in Articles 8–10 of the GDPR;
- confirm that it will not provide CapQuest with Personal Data that CapQuest has no knowledge of or that is not explicitly covered under this DPA;
- ensure that, where relevant, it will refrain from entering Personal Data into free-text fields in CapQuest’s products or Services and will not attach or upload any Personal Data outside the defined scope in this DPA;
- undertake that its employees, contractors and agents maintain the security of login credentials used to access the Services and accepts responsibility for all access through such credentials;
- undertake to notify CapQuest immediately in the event of unauthorized use of any login credentials or any other security breaches or Personal Data Breaches, including instances of loss, theft, or unauthorized disclosure of access credentials;
- reasonably cooperate with CapQuest when requested to respond to any queries from the Data Subjects or in relation to any suspected, threatened, or actual Personal Data Breach.
7. Obligations of the processor
7.1 CapQuest agrees to:
- process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organization unless required to do so by applicable law. The Customer's documented instructions to CapQuest for the provision of Services are established through the Terms of Service and the Customer’s use of the Services. If CapQuest believes that any instructions provided by the Customer conflict with applicable Data Protection Laws, CapQuest shall notify the Customer;
- implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The parties recognize that security needs are continually evolving and that maintaining effective security demands ongoing assessment and periodic enhancement of outdated measures. CapQuest will regularly review and assess its security protocols and will enhance, strengthen, and update these measures at its discretion as deemed necessary or appropriate;
- ensure that all persons authorized to process Personal Data, including CapQuest’s personnel, have committed themselves to confidentiality;
- assist the Customer, by appropriate technical and organizational measures, in fulfilling the Controller’s obligation to respond to requests for exercising the Data Subject's rights if required;
- assist the Customer on request in ensuring compliance with obligations under Articles 32 to 36 of the GDPR;
- notify the Customer without undue delay after becoming aware of a Personal Data Breach;
- at the choice of the Customer, delete or return all Personal Data at the end of the provision of Services and only retain the records required by law or regulation for compliance purposes;
- ensure that any sub-processors are bound by the agreements to maintain confidentiality and integrity of the Personal Data;
- and make available to the Customer all information reasonably necessary to demonstrate compliance with GDPR obligations.
8. Sub-processing
8.1 The Customer grants CapQuest a prior general authorization to engage sub-processors for the purpose of processing Customer’s Personal Data as part of delivering the Services.
8.2 When engaging a sub-processor, CapQuest will enter into a written agreement with the sub-processor, imposing obligations that are substantially similar to those set out in this DPA. CapQuest shall remain fully liable for any sub-processor’s failure to fulfill its data protection obligations.
8.3 The Customer has the right to request a current list of sub-processors at any time.
8.4 Prior to transferring Customer’s Personal Data to a newly appointed sub-processor, CapQuest will inform the Customer. If the Customer wishes to object to such new sub-processor's processing of its Personal Data, it must provide written notice to CapQuest within fourteen (14) days. If CapQuest has received a justified objection from the Customer under this clause, both parties will make reasonable efforts to reach an agreement regarding the processing of the Customer’s Personal Data by the proposed sub-processor. If no resolution is achieved within a reasonable time and it is necessary (in the view of CapQuest) that the proposed sub-processor needs to process the Customer’s Personal Data, the Customer reserves the right to terminate the Terms of Service.
9. Audit rights
9.1 CapQuest will keep comprehensive, accurate, and up-to-date records of processing activities performed on behalf of the Customer. These records will contain all the details necessary to demonstrate CapQuest’s adherence to this DPA and will be made available to the Customer upon request without unreasonable delay.
9.2 To evidence compliance with its obligations under applicable Data Protection Laws, CapQuest will provide the Customer on request with any information as reasonably required to verify such compliance with this DPA. If the Customer (acting reasonably) determines that the provided documentation does not adequately confirm CapQuest’s compliance with the DPA, CapQuest may allow the Customer or an authorized third-party auditor to conduct a limited audit. Such audit must take place during CapQuest’s normal business hours, be conducted no more than once in a 12-month period, and require at least six weeks’ written notice in advance. The Customer and any auditors involved must sign confidentiality agreements with CapQuest and follow all reasonable measures set by CapQuest to minimize any disruption to its business operations.
10. International transfers
10.1 CapQuest will not transfer Personal Data to a country outside the European Economic Area, without the prior consent of the Customer. If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties shall ensure that the Personal Data are adequately protected and the parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.
11. Data subjects' rights
11.1 CapQuest shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise any of the Data Subject's rights (e.g., access, rectification, erasure, data portability, restriction of processing, objection to processing).
11.2 CapQuest shall not respond to such requests without the Customer’s prior written consent except to confirm receipt of a request.
12. Personal data breach
12.1 In the event of a Personal Data Breach, CapQuest shall:
- notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting the Customer’s Personal Data;
- supply any information within CapQuest's possession that the Customer needs to report the relevant circumstances to a Supervisory Authority and to inform impacted Data Subjects, as required by Data Protection Laws;
- and cooperate with the Customer to take reasonable commercial steps to investigate, address and mitigate and remediate the Personal Data Breach, as required.
13. Confidentiality
13.1 Each party shall keep this DPA and information it receives about the other party and its business (“Confidential Information”) in connection with this DPA and the Services confidential and must not use or disclose such Confidential Information without the prior written consent of the other party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
14. Liability
14.1 The Customer recognizes that CapQuest depends on the Customer's instructions to determine the scope of use and processing of Customer’s Personal Data. As such, CapQuest shall not be liable for any losses, including direct or indirect losses or liabilities for data corruption, reputational damage, loss of goodwill or loss of profits, nor for any actions, claims, proceedings or liabilities that may arise as a result of claims brought by Data Subjects or a Supervisory Authority due to the Customer’s directives or misuse of the Services or Application in violation of the Data Protection Laws.
15. Survival
15.1 This DPA, along with the obligations contained within, will remain in effect beyond the termination or expiration of the Terms of Service, regardless of the manner or cause of such termination and will continue until CapQuest ceases processing all Customer Personal Data.
16. Law and jurisdiction
16.1 This Agreement is governed by the laws of France.
16.2 Both parties acknowledge and agree that this DPA is subject to the provisions of GDPR and any applicable local laws implementing or supplementing GDPR.
16.3 Before commencing any legal proceedings, the parties shall first seek to resolve disputes amicably through good-faith negotiations. If such negotiations fail, the dispute shall be referred to arbitration. Any dispute, controversy, or claim arising out of or in connection with this DPA, including its breach, termination, or validity, shall be finally resolved by arbitration in accordance with the ICC Arbitration Rules. The seat of arbitration shall be Paris Arbitration Center. The language of the arbitration shall be English. The arbitral tribunal shall consist of one arbitrator. The decision of the arbitrator shall be final and binding. This clause shall not prevent either party from seeking interim or injunctive relief in a court of competent jurisdiction, nor shall it limit Data Subjects' rights to seek remedies under applicable law. The tribunal shall have the right to award the costs of the parties.
Last updated on 16 December 2024