Data Processing Agreement


Last updated October 1, 2023

This Data Processing Agreement (“DPA”) supplements the Order Form and Platform Access and Services Agreement (the “Platform Terms”) (the DPA, along with the Platform Terms, is collectively referred to as the “Agreement”) entered into between Aumni, Inc. (“Aumni”) and the Customer (collectively with its affiliates and subsidiaries worldwide, “Customer”) the terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by Aumni.

If there is any conflict between this DPA and the Platform Terms, this DPA shall prevail solely to the extent of such conflict and solely in respect of the Processing of Customer Personal Data by Aumni acting as a Processor or Subprocessor to provide the Services (as defined below).

1. DEFINITIONS

In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:

1.1 Customer Data has the meaning given to it in the Platform Terms.

1.2 Customer Personal Data means any Customer Data that is Personal Data processed by Aumni for and on behalf of Customer in connection with the provision of the Services. Customer Personal Data does not include Out of Scope Customer Personal Data (as defined in Section 3.1 below).  

1.3 Data Protection Law means  the laws, rules, and regulations applicable to the privacy, security or protection of Personal Data, solely to the extent applicable to Customer Personal Data. If applicable to Customer Data, Data Protection Laws include EEA Law and the California Consumer Protection Act, as amended by the California Privacy Rights Act of 2021 (“CCPA”).

1.4 EEA means the European Economic Area and the European Union, Switzerland, and the United Kingdom of Great Britain and Northern Ireland (“UK”).  

1.5 EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) and any successor or amendments thereto (including without limitation implementation of GDPR by Member States into their national law), and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.

1.6 Personal Data has the meaning ascribed to it and equivalent terms (such as “personal information” or “personally identifiable information”) under the Data Protection Law that is applicable to such data. Personal Data excludes anonymous or de-identified data.  

1.7 Process, processed, or processing means “processing” or the equivalent term as defined in Data Protection Law.  

1.8 Protected Information means Confidential Information and Customer Personal Data.

1.9 Security Incident means (i) unauthorized access to, disclosure or use of Confidential Information or (ii) unauthorized access to Aumni systems that store, process or transmit Confidential Information and such unauthorized access (a) creates a material risk of harm to the Customer or (b) has a direct, adverse impact on Aumni’s ability to perform its obligations under the Agreement.

1.10 Services means Aumni’s provision of the Product to the extent the Services involve the processing of Customer Personal Data in accordance with the Platform Terms, and any business purpose permitted under Data Protection Law.

1.11 Share means, solely to the extent applicable to Aumni under Data Protection Law, (a) “share” as defined in the CCPA, or (b) processing Personal Data for purposes of targeted advertising.

1.12 Standard Contractual Clauses means (i) the standard contractual clauses for international transfers promulgated by the European Commission governing the transfer of EEA Personal Data to Third Countries and as adopted by the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries (collectively “EU SCCs”); (ii) the international data transfer addendum to the EU SCCs (“UK Transfer Addendum”) issued by the UK Information Commissioner’s Office (UK ICO) for data transfers from the UK to Third Countries; and (iii) any successor clauses thereto.

1.13 Third Country means countries that have not received an adequacy decision from an applicable authority relating its relevant laws and practices in the context of cross-border transfers of Personal Data, including authorities such as the European Commission, UK ICO, or Swiss FDPIC.

1.14 Valid Data Rights Request means a valid request from an individual to exercise rights afforded under Data Protection Law in relation to their Customer Personal Data, either (i) received by Customer and submitted to Aumni and Processed by Aumni where Customer cannot independently fulfil such request and Customer is obligated under Data Protection Law to forward such request to Aumni; or (ii) received by Aumni, and Aumni is specifically obligated under applicable law to respond to the request or to forward it to the Customer.

1.15 The terms “Business”, “business purpose”, Controller, Data Processor, Subprocessor, Data Subjects, Deidentify, Sell, Service Provider, and Third Party shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly. Other terms not defined in this DPA have the meaning ascribed to them in the Platform Terms.

2.  GENERAL DATA PROCESSING OBLIGATIONS

2.1 Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Aumni is a Data Processor and a Service Provider (collectively “Processor”) and Customer is a Controller, except that Aumni is a Subprocsesor if Customer is itself a Data Processor.  Customer represents and warrants that it has the requisite legal authority to instruct Aumni to process Customer Personal Data in accordance with the Agreement.  

This DPA shall apply solely to the Processing of Customer Data by Aumni acting as a Processor or Subprocessor to provide the Services.

2.2 Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.

2.3 Purpose of Processing.  The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and related ordering documentation.  Exhibit 1 (Details of Processing of Customer Personal Data) describes the subject matter and details of the Processing of Customer Personal Data.

2.4 Customer Instructions and Restrictions on Processing.  

2.4.1. Aumni shall use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of the Customer and for the business purpose of providing the Services,  as authorized by the Platform Terms, and in accordance with Customer’s instructions, including as described in the Agreement. Aumni shall not Sell or Share Customer Personal Data, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law or as otherwise explicitly permitted under Data Protection Laws. Aumni will inform Customer if Aumni determines that it is no longer able to meet its obligations under Data Protection Laws or where in Aumni’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws. Customer reserves the right to take reasonable and appropriate steps to ensure Aumni’s Processing of Customer Personal Data is consistent with Customer’s obligations under Data Protection Law and discontinue and remediate unauthorized use of Customer Personal Data.

2.4.2. Aumni shall have rights to Process Customer Personal Data (i) to (a) perform its obligations under this Agreement; (b) provide, operate, manage, test, maintain and enhance the Services and as authorized by the Platform Terms, including as part of its business operations; (c) disclose aggregate statistics about the Services in a manner that prevents individual identification or reidentification of Customer Personal Data; (d) protect the Services from a threat to the Services or Customer Personal Data; or (ii) if required by court order of a court or authorized governmental or regulatory agency; (iii) as otherwise expressly authorized by the Customer or as otherwise permitted under Data Protection Law; and/or (e) to carry any other business purpose permitted by Data Protection Law.  

2.4.3. Except where authorized by Customer or as otherwise permitted under Data Protection Law, Aumni will not combine the Customer Personal Data, with Personal Data which it receives from or on behalf of another person or persons, or collects from its own interaction with individuals, provided that Aumni may combine Personal Data to perform any business purpose permitted or required under the Agreement.

2.4.4 The obligations imposed by this Section 2.4 apply to Personal Data only to the extent that Data Protection Laws require such obligations with respect to Customer Personal Data where Aumni is acting as a processor.  

3. CUSTOMER’S OBLIGATIONS

3.1 Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data that Customer provides or causes to be provided to Aumni including, without limitation, the means by which Customer collected or obtained Customer Personal Data. Customer will not provide to Aumni or cause to be provided to Aumni any data or information with Customer Personal Data that is not typically included in equity financing or fund transaction documents, or is not otherwise necessary for the provision of the Services (“Out of Scope Customer Personal Data”). If Aumni discovers such Out of Scope Customer Personal Data, Aumni may require Customer to remove such information from what is provided to Aumni . If Out of Scope Customer Personal Data is provided to Aumni, it will be handled in the same way as all other data provided to Aumni under this Agreement. Customer is solely responsible for the security and integrity of any Customer’s systems from which Customer Personal Data is provided to Aumni.

3.2 Customer shall, in its use of the Services, Process Customer Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.

4. AUMNI OBLIGATIONS

4.1 Data Protection Compliance Assistance.

4.1.1 To the extent required by Data  Protection Law, where Aumni is acting as a Processor, Aumni will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, providing reasoabel assistance in connection with Customer’s conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.  

4.1.2 Aumni shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.

4.2 Data Subject Rights. Aumni will reasonably cooperate with the Customer in responding to Valid Data Rights Requests. If Customer receives a Valid Data Rights Request, Customer shall, as soon as reasonably practicable, notify Aumni of any such request and Aumni will, as soon as reasonably practicable, and to the extent permitted by and within any timeframe specified by applicable law, provide, at Customer’s cost, details of the Customer Personal Data to enable Customer to comply with any such Valid Data Rights Request.

4.3 Subprocessors.

4.3.1 Customer provides Aumni with general authorization to use Subprocessors that have agreed,  to the extent required by Data Protection Law, by written contract to comply with terms substantially similar to those contained in this DPA to assist in performing its rights and obligations under the Agreement. Customer may object to Aumni’s use of a particular Subprocessor, however such objection may result in Customer being unable to use Aumni’s Services.  

4.3.2 For EEA Customer Personal Data, Customer authorizes Aumni to use Vendor’s Subprocessors (as described in Clause 9 of the Standard Contractual Clauses). Aumni shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors in accordance with Clause 9(a) of the Standard Contractual Clauses. Where a Subprocessor fails to fulfil its data protection obligations, Aumni shall remain fully liable to Customer for the performance of its Subprocessor’s obligations. Without limiting the foregoing, Aumni will develop and use reasonable steps to select and retain Subprocessors that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA.

4.4 Personnel. Aumni regularly informs its personnel about relevant information privacy and security policies and procedures, the employees’ respective roles, and the possible consequences of breaching the information privacy and security policies and procedures.  Employees are trained on their security roles and responsibilities and are required to agree to a code of conduct that requires them to keep confidential and personal data of Aumni customers confidential.  Security awareness training is mandatory and required to be completed on an annual basis. Periodic security awareness messages are communicated to users to educate and strengthen compliance with policy.

4.5 Security. Aumni will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and the nature of its activities under the Platform Terms, to protect the security, confidentiality and integrity of such information Processed by Aumni including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Security Incident. The description of technical and organization measures designed to ensure the security of Customer Personal Data is described more fully in Exhibit 2 (Aumni Security Measures) to the DPA.

4.6 Unauthorized Access to Protected Information. In the event Aumni confirms an event which results in a Security Incident, Aumni shall take the following actions:

4.6.1 notify Customer without undue delay, in compliance with appliable law and regulations, unless otherwise instructed by a law enforcement or supervisory authority;

4.6.2 identify to Customer the Protected Information impacted by the Security Incident, if known;

4.6.3 monitor affected Services for anomalous activity (if appropriate);

4.6.4 take commercially reasonable measures to mitigate the effects of the Security Incident; and

4.6.5 reasonably cooperate with Customer as necessary to facilitate Customer’s compliance with any applicable law in relation to the Security Incident.

4.7 Audits.

4.7.1 Upon written request from Customer, Aumni shall make available to the Customer once a year such information as is reasonably required by the Customer to demonstrate Aumni’s compliance with its obligations under this DPA. Aumni may supply a summary report of its most recent third party assessment with respect to its security controls, if Aumni has had such an assessment.  Such assessments and any copies thereof constitute Aumni’s Confidential Information under the Platform Terms.  Customer agrees that such assessments will satisfy any audit or inspection requests by or on behalf of Customer.

4.7.2 If Customer can demonstrate why the information provided under Section 7.1 is insufficient to satisfy a Customer obligation under applicable law, Aumni will provide Customer with additional information as is reasonably necessary to satisfy such obligation.

5. DATA TRANSFERS

5.1 Transfers of EEA Customer Personal Data by Customer to Aumni in Third Countries are subject to the Standard Contractual Clauses, Module Two (“Controller to Processor”), and Module Three (“Processor to Processor”), each as applicable, attached to this DPA and incorporated by reference. The information required for the purposes of the SCCs is provided in Exhibit 1 (“Description of Processing and Transfer Details”) to this DPA. The Parties agree that the SCCs are incorporated into this DPA without further need for reference, incorporation, or attachment and that by signing the Agreement and executing this DPA, each party is deemed to have signed and executed the SCCs.

5.2 Where the Customer Personal Data is subject to the Swiss DPA, the SCCs above shall be read to be modified as follows as applicable:

a. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.  

b. References to “EU”, “Union” and “Member State” shall be interpreted to include references to “Switzerland”.

c. the terms “personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject”, “supervisory authority”, “Data Protection Authority”, “automated decision”, “personal data breach” and “third country” shall be interpreted in accordance with their equivalent terms in the Swiss DPA.

5.3 For Customer Personal Data transfers subject to UK Data Protection Law and transferred in accordance with the UK Transfer Addendum, the Parties agree as follows:

a. Each Party agrees to be bound by the terms and conditions set out in the UK Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK Transfer Addendum.

b. The Standard Contractual Clauses will be interpreted in accordance with Part 2 of the UK Transfer Addendum.  

c. Sections ‎9 to ‎11 of the UK Transfer Addendum override Clause 5 (Hierarchy) of the EU SCCs

d. For the purposes of Section 12 of the UK Transfer Addendum, the EU SCCs will be amended in accordance with Section 15 of the UK Transfer Addendum.  

e. Information required by Part 1 of the UK Transfer Addendum is provided as Exhibit 1 to this DPA.

6. RETURN OR DESTRUCTION OF CUSTOMER PERSONAL DATA

To the extent Customer does not already have the ability to do so as part of the Services, Aumni will, either upon request or direction by Customer, reasonably assist and cooperate with the Customer (a) to provide a copy of all Customer Personal Data in Aumni’s possession to the Customer; and (b) solely to the extent required by Data Protection Law, securely destroy all such Customer Personal Data or render the Customer Personal Data unusable as it awaits destruction.  

Exhibit 1 to Data Protection Agreement

DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

This Exhibit 1 includes details of the Processing of Customer Personal Data by Aumni.

1. Customer Details (for SCC purposes, the “Data Exporter”)

Company Name - As mentioned in the applicable Order Form

Address - As mentioned in the applicable Order Form

Contact name, position, and contact information - As mentioned in the applicable Order Form

Role - Controller

2. Aumni Details (for SCC purposes, the “Data Importer”)

Company Name - Aumni, Inc.  

Address - 2800 E. Cottonwood Parkway, Suite 110, Cottonwood Heights, Utah 84121

Contact name, position, and contact information - As mentioned in the applicable Order Form

Role - Processor

3. Activities relevant to the data processed in accordance with this DPA (and, for SCC purposes, transferred under these Clauses)

The activities relevant to the data transferred in connection with the Services more fully described in the Agreement and applicable ordering documents.

For processing involving Customer Personal Data relating to California consumers, we process such Customer Personal Data for the following business purposes:

  • Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Performing the Services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
  • To retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a service provider or contractor under CCPA and the accompanying regulations.
  • To build or improve the quality of the Services we provide.
  • To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity.

4. Processing Information

Categories of data subjects whose personal data is processed –

Customer may submit or give access to Customer Personal Data to Aumni, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Customer Data relating to the following categories of data subjects:

• Customer’s authorized users, employees, agents, or representatives

• Customer’s customers

Categories of personal data processed –

Aumni may process the following categories of Customer Personal Data: As to Customer’s authorized users, employees, agents, or representatives, contact details of the individual which may include first and last name, email address and IP address.

To the extent Customer provides or causes to provide the following Customer Personal Data to Aumni, the following categories of Personal Data may be processed:

• Contact details including phone numbers and postal address

• Government identification numbers (e.g., W-9 (including SSN), passport, driver’s license, national ID card, etc.)

• Documents for address verification (e.g., copies of utility bills)

• Financial account numbers and related information (e.g., wire transfer details)

• Documents for verification of relationships between the investor and its beneficial owners.

Sensitive personal data processed – None

Frequency of the processing – Continuous

Nature of the processing and purpose of the data processing and further processing – The objective of Processing of Customer Personal Data by Aumni is the performance of the Agreement and this DPA.

Period for which the personal data will be retained or criteria used to determine that period - Subject to Section 6 (Return or Deletion of Customer Personal Data) of this DPA, Aumni will process Customer Data for the duration of the Agreement, unless otherwise agreed upon in writing.  

Subprocessor (subject matter, nature, and duration of processing) - In addition to the following, the subject matter, nature, and duration of the Processing more fully described in the Agreement, DPA, and accompanying order forms.

Exhibit 2 to Data Protection Agreement

SECURITY MEASURES

Aumni will implement and maintain a written security program with commercially reasonable administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Data and the nature of its activities under the Agreement, to protect the security, confidentiality, availability, and integrity of Customer Data Processed by Aumni or in its possession and control including such safeguards (a) to protect the security of systems upon which such data is Processed; and (b) designed to prevent a Security Incident.

Aumni’s personnel will not Process Customer Data without authorization. Aumni’s Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after its engagement ends.

Without limiting the foregoing, Aumni will:

1. Develop and use reasonable steps to select and retain agents and subcontractors that assist in performing its obligations under the Agreement that are capable of maintaining security practices consistent with this DPA and requiring such Subprocessors to agree by written contract to comply with terms substantially similar to those contained in this DPA;

2. Conduct routine risk assessments to identify, document, and remediate material internal and external risks to the security, confidentiality, availability, and integrity of Customer Data that could result in a Security Incident, and assess the sufficiency of any security measures in place to control these risks;

3. At a minimum, the risk assessments required by subpart (2) should include assessment of risks in each area of relevant operation, including, but not limited to:

i. employee training and management;

ii. secure system design and testing;

iii. quarterly (at a minimum) security and vulnerability scans; and

iv. review, assessment, and response to internal and third-party security vulnerability reports;

4. Design and implement reasonable safeguards to control the risks identified through the risk assessments, including through reasonable and appropriate security policies and guidelines and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

5. Establish and enforce written procedures that follow role based access control principles to control access to systems, networks, services, and facilities that may Process or store Customer Data and make such procedures available to Customer upon request.

6. Monitor access by Aumni personnel to Customer Data and limit any such access to those with a need to know in order to perform its obligations under the Agreement;

7. Implement multi-factor authentication for any system Processing Customer Data;

8. Implement and conduct routine security training for personnel with access to Customer Data;

9. Implement anti-malware software on any systems that Process Customer Data;

10. Commensurate with the nature and sensitivity of the Customer Data, encrypt Customer Data in transit across public networks or outside of Aumni’s physical or logical controls and at rest when stored on any device or storage media (such as servers, databases, backups, etc.) using industry standard encryption tools.

11. Provide reasonable assistance to Customer in Customer’s assessment and implementation of appropriate administrative, technical, and physical safeguards to provide an appropriate level of security of Customer Data, including (upon Customer’s reasonable request) completion of periodic assessments;

12. Automatically collect system, application, and user level logs on an ongoing basis for any network or system Processing Customer Data and retain such logs for security response for at least one year;

13. Implement, maintain, and monitor physical security controls for any processing facilities that are used for Processing Customer Data, including without limitation appropriate perimeter security that provide protection against unauthorized access, damage, or interference; and

14. Evaluate and adjust its security program in light of the results of the testing and monitoring required by subpart (2), any material changes to Aumni’s operations or business arrangements, or any other circumstances that Aumni knows or has reason to know may have a material impact on the effectiveness of its security program.

Business Continuity and Disaster Recovery Requirements:

During the term of the Agreement or so long as Aumni Processes Customer Data, whichever is longer, Aumni shall implement and maintain a disaster recovery plan that ensures that all Customer Data Processed by Aumni is capable of being recovered, and that the integrity of all such recovered Customer  Data is retained, in the event that Aumni’s network, systems or other facilities experience a Security Incident or any significant interruption or impairment of operation or any loss, deletion, corruption, or alteration of Personal Information (“Disaster Recovery Plan”).