cap! Equity Management (PTY) LTD Data Processing Agreement
Last Modified: September 2022
Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into by and between Customer and Cap Equity and forms part of the Agreement entered into by the Parties. This DPA applies to and takes precedence over the Agreement to the extent of any conflict with regard to the subject matter herein. Terms defined in the Agreement have the same meaning in this DPA unless the context indicates otherwise.
Definitions
In this DPA the following terms have the following meanings:
"Agreement" has the meaning defined in the Customer Terms of Service located at www.cap-equity.com/customer-terms-of-service;
“Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”) (EU), the Protection of Personal Act 4 of 2013 (South Africa), the UK’s retained EU law version of the GDPR as implemented by the Data Protection Act 2018, and other data protection or privacy laws or regulations directly applicable to Cap Equity or Customer.
"Personal Data" means any information relating to an identified or identifiable individual which information is subject to the Data Protection Laws and which is exchanged between the Parties as a part of the Services provided in the Agreement.
“Controller”, “Responsible Party”, “Processor”, “Operator”, “Data Subject” and “Processing” have the meanings as defined in the Data Protection Laws.
Data Protection
Both Parties will comply with all applicable requirements of the Data Protection Laws. This DPA is in addition to, and does not relieve, remove or replace a Party's obligations under the Data Protection Laws.
The Parties acknowledge that for the purposes of the Data Protection Laws, Customer is the Controller or Responsible Party and Cap Equity is the Processor or Operator. Schedule 1 below sets out the scope, nature and purpose of processing by Cap Equity, the duration of the Processing, the types of Personal Data, and categories of Data Subject.
Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Cap Equity for the duration and purposes of the Agreement.
Cap Equity will, with respect to any Personal Data processed in connection with the performance of its obligations under the Agreement:
-
a) Process that Personal Data only on the reasonable written instructions of Customer unless Cap Equity is required by applicable laws to otherwise process that Personal Data (in which case Cap Equity will notify Customer, unless the law prohibits providing such notice). Customer hereby instructs Cap Equity to process Personal Data to the extent necessary to perform its obligations under the Agreement. Cap Equity shall immediately inform Customer if, in Cap Equity’s reasonable opinion, an instruction from Customer infringes the Data Protection Laws or other applicable law;
-
b) Taking into account industry standard, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, ensure that it has in place appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk as identified, considering, in particular the risks associated with unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data;
-
c) Ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
-
d) Notify Customer without undue delay on becoming aware of a Personal Data breach;
-
e) Taking into account the nature of the processing and information available to Cap Equity, make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, as may be required by the Data Protection Laws, such audits to be held as far as reasonably possible at times, mutually agreed by both Parties, that are convenient to Cap Equity and do not disrupt the day to day business activities of Cap Equity;
-
f) Taking into account the nature of the processing and information available to Cap Equity, reasonably assist Customer in responding to a Data Subject request and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, impact assessments and consultations with supervisory authorities or regulators;
-
g) Reasonably cooperate with Customer and take such reasonable commercial steps as are requested in writing by Customer to assist it in the investigation, mitigation and remediation of a Personal Data breach; and
-
h) At the written direction of Customer, delete or return Personal Data and copies thereof to Customer on termination or expiration of the Agreement unless required by applicable law to store the Personal Data. If Customer fails to provide direction with regard to such Personal Data within a reasonable time, not to exceed sixty (60) days following such termination or expiration, then Cap Equity may retain or destroy such Personal Data without liability with respect thereto or otherwise in compliance with the Data Protection Laws.
Customer shall reimburse Cap Equity for the cost of any assistance offered to Customer as described in this DPA (e.g., in clause 3.4) beyond what is reasonable taking into account the nature of the Processing.
Customer consents to Cap Equity appointing sub-processors of Personal Data under the Agreement in order for Cap Equity to perform its obligations under the Agreement as described in the Cap Equity list of sub-processors as set out in Schedule 2 below. Cap Equity confirms that it has entered (or will enter) into written agreements with the sub-processors listed imposing the relevant obligations required by the Data Protection Laws.
Customer acknowledges that from time to time during the term of the Agreement, Personal Data will be transferred to third countries. Customer gives its express consent to this transfer and Cap Equity agrees to do this transfer with an adequate level of data protection in line with the Data Protection Laws.
In those circumstances in which the GDPR applies, to facilitate transfer of Personal Data to third countries, the Parties agree to enter into the EU Standard Contractual Clauses:
-
a) Customer, as "data exporter", and Cap Equity, as "data importer", hereby enter into, as of the Effective Date, the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, Regulation (EU) 2016/679 (the "SCCs") (the text of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers\_en) which are incorporated by this reference and constitute an integral part of this DPA. The Parties are deemed to have accepted and executed the SCCs in their entirety, including the appendices.
-
b) In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall apply.
-
c) The information contained in this DPA including its Schedule 1 shall fulfil the requirements of the SCCs Annex 1 (Description of Processing) and Annex 3 (List of Sub-Processors).
-
d) The terms of Cap Equity’s security documentation, available from Cap Equity upon request, shall fulfil the requirements of the SCCs Annex 2 (Technical and Organizational Measures).
CUSTOMER OBLIGATIONS
Customer agrees that:
It will comply with its obligations under the Data Protection Laws.
All of the Personal Data provided by it (or on its behalf) to Cap Equity will be collected and provided in accordance with the Data Protection Laws.
Cap Equity’s processing of such Personal Data in accordance with the Agreement will not put Cap Equity in breach of the Data Protection Laws.
If in its reasonable opinion Cap Equity needs to revise this DPA in order to comply with the Data Protection Laws, Customer agrees to enter into a written variation to make the amendments which in Cap Equity’s reasonable opinion are required.
Schedule 1: Processing, Personal Data And Data Subjects
Processing by Cap Equity
Scope
Processing of Data Subjects’ Personal Data for the purpose of providing the Services as defined in the
Agreement including those for company administration, investigating fundraising opportunities, managing investments, investigating investment opportunities, reporting investment performance and share ownership.
Nature
For the purpose of providing the Services.
Purpose of processing
Hosting, reporting, customer and technical support or as otherwise described in the Agreement or other
applicable documentation.
Duration of the processing
For the duration required in order to provide the Services unless required by applicable law to store the
Personal Data for longer.
Types of personal data
Data Subjects’ Personal Data User uploaded to the Platform including:
Users: name, email address, identification and passport number, job role, telephone number, tax reference
number and other information required for the relevant regulator’s ‘know-your-customer’ and/or anti-money-laundering purposes.
Personal Data of individuals that is included in the Customer Content: for example, employee data or director
data which may include name, email address, identification and passport number, job role, employee number, and telephone number and other information required for the relevant regulator’s ‘know-your-customer’ and/or anti-money-laundering purposes.
Categories of data subject
Users: Any individual accessing the Platform or using the Services on behalf or at the invitation of Customer.
Individuals whose Personal Data is included in the Customer Content.
SCHEDULE 2: SUB-PROCESSORS
Service Provider | Purpose | Country / Jurisdiction |
---|---|---|
Cap Equity Management (Pty) Ltd | Support services (customer, technical, finance and marketing) | South Africa |
Heroku | Web Server Hosting | EU |
Cloudinary | Cloud File Storage | United States |
Sentry | Exception Handling Tracking | United States |