Allshares
Book a demo
Legal

Data Processing Agreement.

Updated 19 March 2026

Versions

26 May 202520 October 202519 March 2026 (current)

1. INTRODUCTION

  • This Data Processing agreement (”DPA”) is an inseparable part of the agreement between the Provider and the Company concerning the Services offered by the Provider (”Agreement”). This DPA applies when the Provider Processes Personal Data in providing the Services under the Agreement to the Company and its Group Companies. If the Provider Processes Personal Data on behalf of the Company’s Group Company, the Company is entering this DPA on behalf of itself and such Group Company to the extent required under the Data Protection Laws.
  • If the terms concerning the Processing of Personal Data of the DPA and the Agreement are in conflict, the terms of this DPA shall prevail.

2. DEFINITIONS

  • The following definitions shall be applied to this DPA. Any terms used but not defined herein shall be given the meaning allocated to them in the Data Protection Laws. a) “Controller” means the one that determines the purposes and means of the Processing of Personal Data. b) “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. c) “Data Protection Laws” means all applicable legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to the Controller and the Provider, including without limitation the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”); d) “Personal Data” means any information relating to an identified or identifiable natural person, hereinafter ”Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. e) “Processing” means any operation or set of operation which is performed on Personal Data or sets of Personal Data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. f) “Processor” means the Allshares entity indicated in the Agreement, who will Process Personal Data on behalf of the Controller based on the Agreement. g) “Sub-processor” means a subcontractor or another Processor of Personal Data engaged by the Processor for carrying out specific processing activities on behalf of the Controller.

3. GENERAL RIGHTS AND OBLIGATIONS OF THE PARTIES

  • The Provider shall Process the Personal Data of the Company on behalf of, and per instructions issued by the Company, on the grounds of the Agreement. The Company shall be the Controller and the Provider shall be the Processor of the Personal Data Processed when the Provider provides the Services to the Company under the Agreement. The Parties undertake to Process Personal Data in compliance with the Data Protection Laws.
  • The Company, acting as a Controller, is responsible for ensuring that the Processing of Personal Data is undertaken in compliance with Data Protection Laws. Information regarding e.g. the purpose of the Processing, types of Personal Data Processed and categories of Data Subjects whose Personal Data is Processed when providing the Services are listed in the Processing Specification Form (Annex 1 of this DPA).
  • The Provider is entitled to Process the Personal Data of the Company only on the grounds of the Agreement, this DPA and according to the written instructions of the Company and only to the extent and in a manner it is necessary in order to provide the Services. The Provider shall immediately inform the Company if, in its opinion, an instruction of the Company infringes Data Protection Laws and in such event, the Provider may immediately decline and stop the application of such instruction.
  • The Provider may anonymize the Personal Data and use the anonymized data for the purposes of analyzing, maintaining, and developing its Services, provided that the anonymization is irreversible and renders the Data Subjects and the Company no longer identifiable. Once fully anonymized, such data is no longer considered Personal Data and falls outside the scope of Data Protection Laws.

4. SUB-PROCESSORS

  • The Provider is entitled to engage Sub-processors for the Processing the Company’s Personal Data and is hereby given a general authorization by the Company to do so.
  • With respect to each Sub-processor, the Provider shall ensure that the Sub-processor is capable of providing the level of protection for the Personal Data required under this DPA, and the arrangement between the Provider and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA and impose materially the same obligations on the Sub-processor as this DPA.
  • The Provider remains fully liable to the Company for the performance of the Sub-processor’s obligations and for any acts or omissions of the Sub-processor in relation to the Processing of Personal Data.
  • The currently authorized and engaged Sub-processors are listed in Allshares’ Sub-processor list (https://www.allshares.com/allshares-subprocessors). The Provider shall inform the Company in advance of any changes concerning the addition or replacement of Sub-processors with thirty (30) days prior written notice by e-mail to the contact person of the Company. The Company may object to such engagement of a Sub-processor by written notice to the Provider within twenty (20) days of the Company’s receipt of the notice from the Provider. The Provider may satisfy the objection by not using the Sub-processor to Process the Company’s Personal Data, taking corrective steps requested by the Company, or ceasing to provide the part of the Services that involve the Sub-processor, Subject to a mutual agreement of the Parties to adjust the fees for the Services considering their reduced scope. If none of these options are reasonably available, either Party may terminate the Agreement for the Services that cannot be reasonably provided without the Sub-processor. In the absence of any written objection from the Company, the Company shall be deemed to have consented to such change.

5. PROVIDER’S OBLIGATION TO PROVIDE ASSISTANCE

  • The Provider shall immediately forward all requests to inspect, rectify, erase or object to the Processing of Personal Data or other requests received from the Data Subjects under GDPR to the Company. If requested by the Company, the Provider shall support the Company in fulfilling the requests of the Data Subjects.
  • The Provider is obligated, taking into account the nature of the Processing of Personal Data and the information available to the Provider, to assist the Company in ensuring that the Company complies with Articles 32–36 of the GDPR, including assisting the Company in data protection impact assessments and prior consultations related to the Services. The Provider is obligated to assist the Company only in relation to Processing of the Company’s Personal Data by the Provider. The Provider has the right to invoice the Company for such assistance if the Company’s requests are exceptionally extensive or frequently repeated.
  • The Provider shall forward all inquiries made by the data protection authorities or other authorities directly to the Company and await further guidance from the Company. Unless otherwise agreed, the Provider is not authorized to represent the Company or act on behalf of the Company in relation to any authorities.

6. TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA

  • The Provider and its Sub-processors may from time to time Process Personal Data outside the EU/EEA when providing the Services within the Agreement.
  • Where Personal Data is Processed or transferred outside the EU/EEA, the Provider shall ensure that the transfer is either (a) to countries for which the European Commission has issued an adequacy decision, according to which the country offers an adequate level of data protection; or (b) subject to standard contractual clauses approved by the European Commission or other appropriate transfer mechanism as per Article 46 of the GDPR. Upon request, the Provider shall give information on the protective measures used in accordance with Chapter V of the GDPR and how adequate data protection has been ensured when Personal Data is Processed outside of the EU/EEA.

7. AUDIT RIGHTS

  • The Provider shall make available to the Company all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and this DPA.
  • The Provider shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company (however, not a competitor of the Provider) in relation to the Processing of the Company’s Personal Data by the Provider or its Sub-processors. Such audits are limited to one (1) per calendar year, unless otherwise required by a competent supervisory authority or in the event of a Personal Data breach. Unless otherwise required by a supervisory authority, the Parties shall agree on the time of the audit and other details ahead of time and at least fourteen (14) days before the audit. The audits must be conducted during normal business hours (unless there is a weighty reason to conduct the audit outside those hours, or if so required by the supervisory authority), in a manner that minimises disruption to the Provider’s business operations. The representatives of the Company and the auditor must sign conventional non-disclosure commitments.
  • Each Party shall bear its own costs associated with the audit. However, if the audit reveals the Provider being in a material breach of this DPA, the Provider shall compensate the Company for the costs and expenses of the audit.

8. TECHNICAL AND ORGANIZATIONAL MEASURES

  • The Provider implements and maintains appropriate technical and organizational measures, including the measures outlined in Annex 2 of this DPA, to protect the Personal Data of the Company, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data that has been transferred, saved or otherwise Processed, and other requirements of the GDPR. When organizing the security measures, the technical options and their costs will be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data.
  • The Provider shall ensure that the personnel of the Provider and the Sub-processors of the Provider are bound by appropriate non-disclosure and confidentiality commitments.

9. DATA BREACHES

  • The Provider must notify the Company of all Data Breaches without undue delay, and in any event within forty-eight (48) hours, after becoming aware of the Data Breach. The Provider shall, without undue delay, give the Company all relevant information concerning the Data Breach.

  • The Provider shall describe at least the following to the Company (a) the occurred Data Breach, (b) the nature of the personal data including, where if possible, the sets of Data Subjects and the number thereof, as well as the sets of Personal Data types and estimated numbers; (c) a description of the likely consequences caused by the Data Breach, and (d) a description of reparative measures that the Provider has implemented or will implement in order to prevent Data Breaches in the future, and if necessary, the measures to minimize the harmful effects of the Data Breach.

  • Where, and in so far as, it is not possible to provide the information listed out in Section 9.2 at the same time, the Provider may provide the information in phases without undue further delay.

  • The Provider shall promptly take corrective actions that it deems necessary and advisable to identify and remediate the cause of the Data Breach, and work in cooperation with the Company to mitigate the harmful effects of the Data Breach. The Provider shall document the Data Breaches and the consequences thereof, along with the corrective actions it has taken or plans to take.

10. LIABILITY

  • The Provider shall be liable for the damage only insofar that it has not abided by the obligations directed to Processors in the GDPR or this DPA. Both Parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage imposed on the Party in breach of its obligations in the final decision of a data protection authority or a court of law, and, in consequence, neither Party shall bear the other Party’s administrative fines to the extent that it is not the Party’s contractual breach that has given rise to the circumstances for which the administrative fine has been imposed.
  • In all cases the Parties’ liability for damages under this DPA shall be limited in scope and to the maximum amounts set out in the Agreement. The limitations of liability shall not apply to damages caused by willful conduct or gross negligence; death or personal injury caused by a Party’s negligence; or any liability that cannot be excluded or limited in accordance with the applicable mandatory law.

11. OTHER PROVISIONS

  • The Provider shall notify the Company in writing of all changes that may affect its ability or chances to abide by this DPA and the written guidance of the Company. The Parties shall agree on all additions and amendments to this DPA in writing. If the Data Protection Laws change, the Parties shall agree on required amendments to this DPA to comply with the Data Protection Laws.
  • The DPA shall remain in force as long as (a) the Agreement is in force or (b) the Provider Processes Personal Data on behalf of the Company.
  • Upon termination of the Agreement, the Provider shall, at the Company’s choice, either (a) delete or permanently anonymize all Personal Data Processed on behalf of the Company; or (b) return it to the Company and delete all copies thereof. If the Company does not request the deletion or return of the Personal Data, the Provider shall retain the Personal Data for thirty (30) calendar days from the termination of the Agreement, after which the Provider shall delete or permanently anonymize the Personal Data. However, the Provider will continue to retain the Personal Data if required to comply with applicable laws. The Provider shall comply with this DPA until the Personal Data is deleted, permanently anonymized or returned.
  • Those obligations that due to their nature are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.
  • This DPA shall be governed by the same laws as the Agreement, and disputes arising out of this DPA shall be subject to the dispute resolution procedure applicable to the Agreement.

12. ANNEXES

  • The following annexes form an integral part of this DPA: (a)Annex 1 Data Processing Specification Form (b) Annex 2 Technical and Organizational Security Measures

ANNEX 1: DATA PROCESSING SPECIFICATION FORM

Purpose of Processing

The Personal Data is Processed to provide the Services to the Company in accordance with the Agreement.

Approved Sub-processors

The Sub-processors used in the Processing and approved by the Company at the time of entering into this DPA are listed out on the following website: https://www.allshares.com/allshares-subprocessors The Provider will inform the Company in advance of any changes concerning the addition or replacement of Sub-processors, in accordance with Section 4.4 of the DPA.

Cloud Data Center Location

Data centers are located in the EU/EEA.

Categories of Data Subjects

The categories of Data Subjects depend on the relevant Service and usually consist of the following: Employees, directors, and consultants; Board members; Shareholders; and Any other categories of Data Subjects instructed to be Processed in the Services by the Controller

Types of Personal Data Processed

The types of Personal Data depend on the relevant Service and usually consist of the following: Contact and identifying information such as name, email, address, phone number, date of birth, social security number, bank account number, custody account number; Employment information such as title, legal and business unit, country, employment status, personnel ID, tax residence; Compensation information such as salary, incentive schemes and grants, incentive ownerships and payouts; Electronic identification such as login credentials, IP addresses, online identifiers (cookies), logs, connection duration, voice recordings, location; and Any other types of Personal Data instructed to be Processed in the Services by the Controller

Special Categories¹ of Personal Data Processed

Special categories of Personal Data are not Processed in the Services, unless specifically requested by the Company.

Processing Duration

As long as the Agreement is in force and for the data retrieval period defined in the Agreement.

¹ Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), health data, sex life or sexual orientation, criminal convictions and offences or related security measures

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Provider implements appropriate technical and organizational security measures which are designed to meet the data protection principles in an effective manner, and ensures that appropriate safeguards are integrated into the Personal Data Processing in order to meet the requirements of the Data Protection Laws and to protect the rights of Data Subjects as described below.

1. DATA PROTECTION RISK ASSESSMENT

The Provider executes a risk assessment for each product or service. The Provider executes the data protection risk assessment in order to decide which data security measures are implemented. The aim is to define the appropriate level of data security measures for each product or service. In all cases, the Provider has implemented at least the security measures described below.

2. SECURITY MEASURES

The Provider maintains security and privacy policies. The policies comply with the Data Protection Law. These policies are subject to a regular internal review process and may be reviewed by third parties, in accordance with Data Protection Law.

The published ISO2700 standards related to information security, cybersecurity and privacy protection are used internally as a guiding framework, however, the Provider is not ISO certified. The cloud hosting service providers are ISO certified and undergo regular independent third party audits for ISO compliance.

3. SECURITY OF PERSONAL DATA

The Provider is implementing the following measures based on Article 32 of the GDPR (Security of processing).

3.1 Pseudonymizing and encryption of personal data

The Provider is utilizing encryption and/or pseudonymizing in its operations to mitigate data protection risks where appropriate. Encryption and pseudonymizing techniques may vary between services upon the service requirements and data protection risk assessment. Details of the used measures are available upon request.

3.2 Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

Protection of personal data requires implementation of multiple security controls. Operational processes follow good industry practice and help to secure quality of service and safeguard data processing.

The Provider has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason and access is only approved by utilizing a jointly agreed process with the customer. At minimum all access to customer environments requires an encrypted tunnel within Provider’s network. Connections to customer environments are logged to provide a full audit trail on administrative operations in customer environments. All remote access to the Provider’s services requires an encrypted connection and other possible measures (e.g. MFA, strong authentication, or IP-verification) as required by the data protection risk assessment.

Unauthorized persons are prevented from gaining physical access to data processing facilities. Datacenters are designed, built and operated in a way that strictly controls physical access to the areas where the personal data is stored. Datacenter service providers conduct periodical security reviews of facilities. Personal Data is protected against accidental and unlawful destruction utilizing physical and environmental controls.

The Provider controls, monitors and audits all administrative connections, third party access and file transfers which are deployed within the Provider’s infrastructure.

The Provider executes a framework for planning, executing and controlling customer business related operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. The Provider management establishes authority and appropriate lines of reporting for key personnel. As part of the hiring processes, education verification and background checks are conducted based on the employee's position and level of access to the Provider’s processing facilities and systems.

The Provider maintains and controls the execution of the Provider’s security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the Provider information security policy.

3.3 Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

To restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the Provider has backup and business continuity management processes and strategies which ensure rapid restoration of business-critical systems as and when necessary.

The Provider has defined continuity and disaster recovery plans for the Provider infrastructure supporting service delivery to customers. These plans are regularly updated and tested and are subject to auditing.

3.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the process

The Provider emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of personal data processing. Customer specific disaster recovery testing is agreed separately.

The Provider conducts internal security testing and vulnerability scanning.