1. INTRODUCTION
1.1 This Data Processing agreement ("DPA") is an inseparable part of the agreement between the Provider and the Company concerning the Services offered by the Provider ("Agreement"). This DPA applies when the Provider Processes Personal Data in providing the Services under the Agreement to the Company and its Group Companies. If the Provider Processes Personal Data on behalf of the Company's Group Company, the Company is entering this DPA on behalf of itself and such Group Company to the extent required under the Data Protection Laws.
1.2 If the terms concerning the Processing of Personal Data of the DPA and the Agreement are in conflict, the terms of this DPA shall prevail.
2. DEFINITIONS
2.1 The following definitions shall be applied to this DPA. Any terms used but not defined herein shall be given the meaning allocated to them in the Data Protection Laws.
- a. "Controller" means the one that determines the purposes and means of the Processing of Personal Data.
- b. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- c. "Data Protection Laws" means all applicable legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to the Controller and the Provider, including without limitation the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR");
- d. "Personal Data" means any information relating to an identified or identifiable natural person, hereinafter "Data Subject"; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- e. "Processing" means any operation or set of operation which is performed on Personal Data or sets of Personal Data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- f. "Processor" means the Allshares entity indicated in the Agreement, who will Process Personal Data on behalf of the Controller based on the Agreement.
- g. "Sub-processor" means a subcontractor or another Processor of Personal Data engaged by the Processor for carrying out specific processing activities on behalf of the Controller.
3. GENERAL RIGHTS AND OBLIGATIONS OF THE PARTIES
3.1 The Provider shall Process the Personal Data of the Company on behalf of, and per instructions issued by the Company, on the grounds of the Agreement. The Company shall be the Controller and the Provider shall be the Processor of the Personal Data Processed when the Provider provides the Services to the Company under the Agreement. The Parties undertake to Process Personal Data in compliance with the Data Protection Laws.
3.2 The Company, acting as a Controller, is responsible for ensuring that the Processing of Personal Data is undertaken in compliance with Data Protection Laws. Information regarding e.g. the purpose of the Processing, types of Personal Data Processed and categories of Data Subjects whose Personal Data is Processed when providing the Services are listed in the Processing Specification Form (Annex 1 of this DPA).
3.3 The Provider is entitled to Process the Personal Data of the Company only on the grounds of the Agreement, this DPA and according to the written instructions of the Company and only to the extent and in a manner it is necessary in order to provide the Services. The Provider shall immediately inform the Company if, in its opinion, an instruction of the Company infringes Data Protection Laws and in such event, the Provider may immediately decline and stop the application of such instruction.
3.4 The Provider may anonymize the Personal Data and use the anonymized data for the purposes of analyzing, maintaining, and developing its Services, provided that the anonymization is irreversible and renders the Data Subjects and the Company no longer identifiable. Once fully anonymized, such data is no longer considered Personal Data and falls outside the scope of Data Protection Laws.
4. SUB-PROCESSORS
4.1 The Provider is entitled to engage Sub-processors for the Processing the Company's Personal Data and is hereby given a general authorization by the Company to do so.
4.2 With respect to each Sub-processor, the Provider shall ensure that the Sub-processor is capable of providing the level of protection for the Personal Data required under this DPA, and the arrangement between the Provider and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA and impose materially the same obligations on the Sub-processor as this DPA.
4.3 The Provider remains fully liable to the Company for the performance of the Sub-processor's obligations and for any acts or omissions of the Sub-processor in relation to the Processing of Personal Data.
4.4 The currently authorized and engaged Sub-processors are listed in Allshares' Sub-processor list (https://www.allshares.com/allshares-subprocessors). The Provider shall inform the Company in advance of any changes concerning the addition or replacement of Sub-processors with thirty (30) days prior written notice by e-mail to the contact person of the Company. The Company may object to such engagement of a Sub-processor by written notice to the Provider within twenty (20) days of the Company's receipt of the notice from the Provider. The Provider may satisfy the objection by not using the Sub-processor to Process the Company's Personal Data, taking corrective steps requested by the Company, or ceasing to provide the part of the Services that involve the Sub-processor, Subject to a mutual agreement of the Parties to adjust the fees for the Services considering their reduced scope. If none of these options are reasonably available, either Party may terminate the Agreement for the Services that cannot be reasonably provided without the Sub-processor. In the absence of any written objection from the Company, the Company shall be deemed to have consented to such change.
5. PROVIDER'S OBLIGATION TO PROVIDE ASSISTANCE
5.1 The Provider shall immediately forward all requests to inspect, rectify, erase or object to the Processing of Personal Data or other requests received from the Data Subjects under GDPR to the Company. If requested by the Company, the Provider shall support the Company in fulfilling the requests of the Data Subjects.
5.2 The Provider is obligated, taking into account the nature of the Processing of Personal Data and the information available to the Provider, to assist the Company in ensuring that the Company complies with Articles 32–36 of the GDPR, including assisting the Company in data protection impact assessments and prior consultations related to the Services. The Provider is obligated to assist the Company only in relation to Processing of the Company's Personal Data by the Provider. The Provider has the right to invoice the Company for such assistance if the Company's requests are exceptionally extensive or frequently repeated.
5.3 The Provider shall forward all inquiries made by the data protection authorities or other authorities directly to the Company and await further guidance from the Company. Unless otherwise agreed, the Provider is not authorized to represent the Company or act on behalf of the Company in relation to any authorities.
6. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
6.1 The Provider and its Sub-processors may from time to time Process Personal Data outside the EU/EEA when providing the Services within the Agreement.
6.2 Where Personal Data is Processed or transferred outside the EU/EEA, the Provider shall ensure that the transfer is either (a) to countries for which the European Commission has issued an adequacy decision, according to which the country offers an adequate level of data protection; or (b) subject to standard contractual clauses approved by the European Commission or other appropriate transfer mechanism as per Article 46 of the GDPR. Upon request, the Provider shall give information on the protective measures used in accordance with Chapter V of the GDPR and how adequate data protection has been ensured when Personal Data is Processed outside of the EU/EEA.
7. AUDIT RIGHTS
7.1 The Provider shall make available to the Company all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and this DPA.
7.2 The Provider shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company (however, not a competitor of the Provider) in relation to the Processing of the Company's Personal Data by the Provider or its Sub-processors. Such audits are limited to one (1) per calendar year, unless otherwise required by a competent supervisory authority or in the event of a Personal Data breach. Unless otherwise required by a supervisory authority, the Parties shall agree on the time of the audit and other details ahead of time and at least fourteen (14) days before the audit. The audits must be conducted during normal business hours (unless there is a weighty reason to conduct the audit outside those hours, or if so required by the supervisory authority), in a manner that minimises disruption to the Provider's business operations. The representatives of the Company and the auditor must sign conventional non-disclosure commitments.
7.3 Each Party shall bear its own costs associated with the audit. However, if the audit reveals the Provider being in a material breach of this DPA, the Provider shall compensate the Company for the costs and expenses of the audit.
8. TECHNICAL AND ORGANIZATIONAL MEASURES
8.1 The Provider implements and maintains appropriate technical and organizational measures, including the measures outlined in Annex 2 of this DPA, to protect the Personal Data of the Company, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data that has been transferred, saved or otherwise Processed, and other requirements of the GDPR. When organizing the security measures, the technical options and their costs will be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data.
8.2 The Provider shall ensure that the personnel of the Provider and the Sub-processors of the Provider are bound by appropriate non-disclosure and confidentiality commitments.
9. DATA BREACHES
9.1 The Provider must notify the Company of all Data Breaches without undue delay, and in any event within forty-eight (48) hours, after becoming aware of the Data Breach. The Provider shall, without undue delay, give the Company all relevant information concerning the Data Breach.
9.2 The Provider shall describe at least the following to the Company:
- a. the occurred Data Breach;
- b. the nature of the personal data including, where if possible, the sets of Data Subjects and the number thereof, as well as the sets of Personal Data types and estimated numbers;
- c. a description of the likely consequences caused by the Data Breach; and
- d. a description of reparative measures that the Provider has implemented or will implement in order to prevent Data Breaches in the future, and if necessary, the measures to minimize the harmful effects of the Data Breach.
9.3 Where, and in so far as, it is not possible to provide the information listed out in Section 9.2 at the same time, the Provider may provide the information in phases without undue further delay.
9.4 The Provider shall promptly take corrective actions that it deems necessary and advisable to identify and remediate the cause of the Data Breach, and work in cooperation with the Company to mitigate the harmful effects of the Data Breach. The Provider shall document the Data Breaches and the consequences thereof, along with the corrective actions it has taken or plans to take.
10. LIABILITY
10.1 The Provider shall be liable for the damage only insofar that it has not abided by the obligations directed to Processors in the GDPR or this DPA. Both Parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage imposed on the Party in breach of its obligations in the final decision of a data protection authority or a court of law, and, in consequence, neither Party shall bear the other Party's administrative fines to the extent that it is not the Party's contractual breach that has given rise to the circumstances for which the administrative fine has been imposed.
10.2 In all cases the Parties' liability for damages under this DPA shall be limited in scope and to the maximum amounts set out in the Agreement. The limitations of liability shall not apply to damages caused by willful conduct or gross negligence; death or personal injury caused by a Party's negligence; or any liability that cannot be excluded or limited in accordance with the applicable mandatory law.
11. OTHER PROVISIONS
11.1 The Provider shall notify the Company in writing of all changes that may affect its ability or chances to abide by this DPA and the written guidance of the Company. The Parties shall agree on all additions and amendments to this DPA in writing. If the Data Protection Laws change, the Parties shall agree on required amendments to this DPA to comply with the Data Protection Laws.
11.2 The DPA shall remain in force as long as (a) the Agreement is in force or (b) the Provider Processes Personal Data on behalf of the Company.
11.3 Upon termination of the Agreement, the Provider shall, at the Company's choice, either (a) delete or permanently anonymize all Personal Data Processed on behalf of the Company; or (b) return it to the Company and delete all copies thereof. If the Company does not request the deletion or return of the Personal Data, the Provider shall retain the Personal Data for thirty (30) calendar days from the termination of the Agreement, after which the Provider shall delete or permanently anonymize the Personal Data. However, the Provider will continue to retain the Personal Data if required to comply with applicable laws. The Provider shall comply with this DPA until the Personal Data is deleted, permanently anonymized or returned.
11.4 Those obligations that due to their nature are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.
11.5 This DPA shall be governed by the same laws as the Agreement, and disputes arising out of this DPA shall be subject to the dispute resolution procedure applicable to the Agreement.
12. ANNEXES
The following annexes form an integral part of this DPA:
- a. Annex 1 Data Processing Specification Form
- b. Annex 2 Allshares Technical and Organizational Measures (TOMs)
ANNEX 1: DATA PROCESSING SPECIFICATION FORM
| Item | Specification |
|---|---|
| Purpose of Processing | The Personal Data is Processed to provide the Services to the Company in accordance with the Agreement. |
| Approved Sub-processors | The Sub-processors used in the Processing and approved by the Company at the time of entering into this DPA are listed out on the following website: https://www.allshares.com/allshares-subprocessors. The Provider will inform the Company in advance of any changes concerning the addition or replacement of Sub-processors, in accordance with Section 4.4 of the DPA. |
| Cloud Data Center Location | Data centers are located in the EU/EEA. |
| Categories of Data Subjects | The categories of Data Subjects depend on the relevant Service and usually consist of the following: employees, directors, and consultants; Board members; shareholders; and any other categories of Data Subjects instructed to be Processed in the Services by the Controller. |
| Types of Personal Data Processed | The types of Personal Data depend on the relevant Service and usually consist of the following: contact and identifying information such as name, email, address, phone number, date of birth, social security number, bank account number, custody account number; employment information such as title, legal and business unit, country, employment status, personnel ID, tax residence; compensation information such as salary, incentive schemes and grants, incentive ownerships and payouts; electronic identification such as login credentials, IP addresses, online identifiers (cookies), logs, connection duration, voice recordings, location; and any other types of Personal Data instructed to be Processed in the Services by the Controller. |
| Special Categories of Personal Data Processed | Special categories of Personal Data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, sex life or sexual orientation, criminal convictions and offences or related security measures) are not Processed in the Services, unless specifically requested by the Company. |
| Processing Duration | As long as the Agreement is in force and for the data retrieval period defined in the Agreement. |
ANNEX 2: ALLSHARES TECHNICAL AND ORGANIZATIONAL MEASURES (TOMS)
1. Introduction
As a DATA PROCESSOR acting on behalf of our clients (the Data Controllers), Allshares is committed to maintaining a robust AI, security and privacy framework. This document summarizes the Technical and Organizational Measures (TOMs) implemented to secure and protect the equity and financial data entrusted to Allshares.
2. Compliance
Allshares maintains compliance with leading industry standards for information security and privacy management:
- ISO 27001:2022 (Information Security Management System)
- ISO 27017:2015 (Cloud Security Controls as Service Provider)
- ISO 27018:2025 (Privacy in the Public Cloud as Data Processor)
- ISO 42001:2023 (Artificial Intelligence Management System)
- SOC 2 Type II (Security Controls Assurance)
Compliance is reviewed and validated annually by independent third-party auditors.
3. Security Requirements
In accordance with Article 32 of the EU-GDPR, Allshares employs the following controls to protect Personal Data.
3.1 Organization
- Privacy and Security Framework: Management-approved security policies are reviewed at least annually to ensure they remain comprehensive.
- Risk Assessment: Our risk management process aligns with major frameworks like NIST CSF, COSO ERM, and ISO/IEC 27001. It includes asset identification, risk evaluation, and ongoing management with regular executive oversight.
- Responsibility: All information security responsibilities are clearly defined and allocated.
- Segregation of Duties: Conflicting duties are segregated to reduce opportunities for unauthorized modification or misuse of assets.
3.2 Human Resources
- Vetting: Background verification checks are performed on all candidates for employment, proportional to the risks of their role.
- Awareness: All employees and contractors receive mandatory security awareness training and regular updates on organizational policies.
- Confidentiality: All personnel are bound by formal, signed confidentiality agreements that remain valid after termination.
- Disciplinary Process: A formal and communicated process is in place to take action against those who commit security breaches.
3.3 Access Control and Authorization
- Logical Access:
- Authentication: Multi-Factor Authentication is enabled for all systems processing confidential information.
- Authorization: Access is granted based on the principle of least privilege using Roles Based Access Control (RBAC).
- Password Policy: Consistent with NIST recommendations, Allshares prioritizes long passphrases over traditional passwords, as length is a more critical factor for security and usability than complexity.
- De-registration: Formal processes are in place to revoke or adjust access rights immediately upon termination of employment or contract.
- Privileged Access: The allocation of privileged access rights is strictly restricted and reviewed regularly by asset owners.
- Review: User access rights are reviewed at regular intervals, and access is revoked immediately upon termination.
- Physical Security:
- Offices: Security perimeters and entry controls protect Allshares offices.
- Clear Desk/Screen: A clear desk policy for physical media and a clear screen policy for workstations are enforced.
- Data Centers: Allshares leverages top-tier cloud providers (e.g., Azure/GCP) that meet rigorous standards (SOC 2, ISO 27001, ISO 22301) for physical protection against natural disasters and maintain rigorous physical security perimeters, CCTV monitoring, and 24/7 onsite security to prevent unauthorized entry.
3.4 Information Classification, Asset Management & Disposal
- Inventory: Allshares identifies and maintains an inventory of all assets associated with information processing.
- Classification: Information is classified based on legal requirements, value, and sensitivity to unauthorized disclosure.
- Media Disposal: Formal procedures are implemented for the secure disposal of media, including overwriting sensitive data prior to reuse or disposal.
3.5 Data Protection and Data Masking
- Encryption at Rest: All client production data is encrypted using industry-standard algorithms (e.g., AES-256). Encryption keys are stored securely in dedicated hardware security modules or key vaults.
- Encryption in Transit: All data transmissions between the client and Allshares, as well as between internal application components, are protected by end-to-end TLS encryption.
- Pseudonymization and Anonymization of Data: To lower data protection risks, Allshares may employ anonymizing or pseudonymizing methods where suitable. These techniques are applied based on specific service needs and the results of data protection risk assessments.
- Data Separation: Allshares employs a multi-tenant architecture where each client's data is logically separated to prevent cross-client data access.
3.6 Operational Security
- Logging: Event logs recording user activities, system exceptions, and security events are produced and protected against tampering.
- Vulnerability Management: Allshares performs regular technical vulnerability assessments and addresses identified risks in a timely fashion.
- Change Control: A formal IT governance process is in place to manage changes to code and infrastructure, including rigorous testing in separated development/testing environments.
- Resilience: Automated backups are taken daily, encrypted, and tested regularly. Comprehensive Business Continuity and Disaster Recovery plans are reviewed and tested annually.
3.7 Systems and Network Security
- Network Segregation: Information services, users, and systems are segregated on networks to protect sensitive data.
- Secure Development: Engineering principles for secure systems are applied throughout the entire system development lifecycle (SDLC).
- Malware Protection: Detection and prevention controls are implemented to protect against malware, combined with user awareness training.
- Cryptography: Allshares implements cryptographic controls for the protection of information in compliance with relevant legislation.
3.8 Control of Data and Instructions
- Transfer Control: Information passing over public networks is protected from unauthorized disclosure through TLS/SSL and other encryption methods.
- Data Separation: Personal data is isolated in multi-tenant systems; development, testing, and operational environments are strictly separated.
- Customer Instructions: Personal data is processed solely according to customer instructions and is never used for independent purposes like marketing without consent.
- Subcontracting: Agreements with subprocessors include minimum technical and organizational measures that meet Allshares' security obligations.
3.9 Supplier Security (Third-Party Subcontracting)
- Subprocessor Requirements: Security protocols for all subprocessors are formally established and agreed upon.
- Binding Contractual Terms: Subprocessor agreements include mandatory technical and organizational safeguards that cannot be decreased without authorization.
- Continuous Oversight: Allshares performs regular audits and ongoing monitoring of subprocessor service delivery to ensure compliance.
3.10 Management of Information Security Incidents
- Response Procedures: Procedures are established to ensure a quick, effective, and orderly response to security incidents.
- Reporting: Security events are reported through management channels as quickly as possible.
- Client Notification: Allshares will promptly notify customers of any unauthorized access resulting in the loss, disclosure, or alteration of Personal Data.
3.11 Compliance
- System Review: Systems are regularly reviewed for compliance with internal security standards.
- Identification of Requirements: All legislative, regulatory, and contractual requirements are explicitly identified and kept up to date.
- Independent Review: Allshares' information security management approach is reviewed independently at planned intervals.
4. Cross-border Transfers
Allshares complies with international data transfer requirements. For processing outside the EEA, UK, or Switzerland, Allshares utilizes EU/UK Standard Contractual Clauses (SCCs) and relies on recognized international certification mechanisms to ensure an adequate level of protection.
5. Artificial Intelligence
Operating in the capacity of an AI Provider, Allshares integrates specialized controls within its service offerings to facilitate the ethical usage of AI technologies for our clients. The use of the AI features is fully optional to our clients.
5.1 AI Governance and Accountability
- AI Policy: A dedicated AI Management Policy is defined to govern the ethical use, transparency, and accountability of AI systems.
- Roles and Responsibilities: Specific roles are assigned to oversee the governance of AI systems in coordination with Business Owners, Data Owners and Technical Owners.
- AI Asset and Data Registry: Allshares maintains a centralized registry to track the lifecycle, data provenance, and risk profile of all AI systems in production.
5.2 AI Risk Assessment and Impact Analysis
- Risk Management: AI-specific risks are assessed as part of the overall risk framework.
- Impact Assessments: Allshares conducts assessments to determine the possible effects on societal wellbeing and the safety and rights of individuals.
5.3 Data for AI Systems
- Data Provenance: Allshares maintains records of the origin and quality of data used to train or fine-tune AI models to ensure data integrity.
- Privacy by Design: AI models are designed to minimize the processing of personal data, utilizing techniques such as anonymization or synthetic data where applicable.
5.4 Transparency and Explainability
- Model Transparency: Allshares provides documentation regarding the intended purpose, limitations, and performance characteristics of its AI systems.
- Explainability: Where AI influences significant decisions (e.g., equity valuations or plan eligibility), mechanisms are implemented to provide human-readable explanations of the AI's output.
5.5 Continuous Monitoring and Human Oversight
- Human-in-the-Loop: High-stakes AI outputs are subject to mandatory human review before being finalized or communicated to clients.
- Performance Monitoring: AI systems are continuously monitored for "model drift" (where performance degrades over time) and are recalibrated as necessary.
- Incident Reporting: AI-specific failures (such as unexpected bias or security vulnerabilities) are handled through the standard Incident Management process.
- External AI Providers: When utilizing third-party AI models via API, Allshares implements 'Zero-Retention' or 'No-Training' configurations to ensure client data is not used for the provider's base model training.
