DRAFT TEMPLATE — for legal review only. This document is a structural starting point, not a finalized or executable agreement. Counsel must complete all [PLACEHOLDER] fields, attach Standard Contractual Clauses, and approve it before it is offered to any customer.

Data Processing Agreement

Version: [DRAFT] · Effective: [DATE]

This Data Processing Agreement (“DPA”) forms part of the agreement between IPOReady Inc. (“Processor”) and the customer (“Controller”) for the provision of the IPOReady Services. It governs the processing of personal data the Processor performs on behalf of the Controller under GDPR Article 28 and equivalent provisions of PIPEDA and the CCPA.

1. Definitions

“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” have the meanings given in the GDPR.

2. Roles & scope of processing

  • Subject matter: Provision of the IPOReady IPO-readiness platform.
  • Duration: The term of the underlying agreement plus any retention period.
  • Nature & purpose: Hosting, storage, analysis, and document generation to deliver the Services.
  • Categories of data subjects: Controller’s personnel, directors, officers, shareholders, and other individuals whose data the Controller uploads.
  • Categories of personal data: Identity & contact data, professional data, financial/cap-table data, and document contents. [CONFIRM — note any special-category data, e.g. government IDs in director PIFs.]

3. Processor obligations

  • Process Personal Data only on the Controller’s documented instructions.
  • Ensure persons authorized to process are bound by confidentiality.
  • Implement appropriate technical and organizational measures (Section 6).
  • Respect the conditions for engaging sub-processors (Section 4).
  • Assist the Controller in responding to data-subject-rights requests.
  • Assist with security, breach notification, DPIAs, and prior consultation (Art. 32–36).
  • Delete or return Personal Data at the end of the Services (Section 7).
  • Make available information necessary to demonstrate compliance and allow audits (Section 8).

4. Sub-processing

The Controller authorizes the Processor to engage the sub-processors listed at ipoready.com/legal/subprocessors. The Processor will give notice of intended changes and impose data-protection terms on each sub-processor no less protective than this DPA. The Controller may object to a new sub-processor on reasonable data-protection grounds. [CONFIRM notice period.]

5. International transfers

Where processing involves transfer of Personal Data outside the EEA/UK/Canada, the parties will rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum) or another valid transfer mechanism, incorporated by reference. [ATTACH executed SCCs as an annex.]

6. Security measures

The Processor maintains measures including, at minimum:

  • TLS/SSL encryption in transit and AES-256 encryption at rest for sensitive data.
  • Salted password hashing and role-based access controls.
  • Audit logging, monitoring, and least-privilege access.
  • Regular security review and vendor due diligence.
  • [ADD: backup, key management, MFA enforcement, pen-test cadence as confirmed.]

7. Return & deletion of data

On termination, the Processor will, at the Controller’s choice, delete or return all Personal Data and delete existing copies within [30] days, except where retention is required by law. This aligns with the in-product account-deletion flow and the retention schedule in the Privacy Policy.

8. Audits

The Processor will make available information reasonably necessary to demonstrate compliance and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable confidentiality and scheduling terms. [CONFIRM whether third-party certifications/reports satisfy this.]

9. Personal data breach

The Processor will notify the Controller without undue delay, and in any case within [72] hours of becoming aware of a Personal Data breach affecting the Controller’s data, and will provide the information required under GDPR Art. 33(3) to help the Controller meet its own notification obligations.

10. Liability & governing law

Liability and governing law follow the underlying agreement. [CONFIRM governing law and the legal entity, registered address, and signatory details below.]

Processor: IPOReady Inc., [REGISTERED ADDRESS]

Privacy contact: privacy@ipoready.com

DPA requests: dpa@ipoready.com

To request an executed Data Processing Agreement for your organization, contact dpa@ipoready.com. See also our Sub-processors list.