Data Processing Agreement

Last updated: September 23, 2025

1. Introduction

This Data Processing Agreement (“DPA”) is part of the Terms of Service (“Principal Agreement”) between Subsignal (“Processor”, “we”, “us”, or “our”) and you (“Controller”, “Customer”, “you”).

This DPA sets out the terms for the processing of Personal Data in accordance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other applicable privacy laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to email addresses, names, company affiliations, and usage data.
  • Processing: Any operation performed on Personal Data, such as collection, storage, use, analysis, transfer, or deletion.
  • Data Controller: The entity that determines the purposes and means of Processing Personal Data.
  • Data Processor: The entity that processes Personal Data on behalf of the Data Controller.
  • Subprocessor: Any third party appointed by the Processor to assist with Processing activities.
  • Market Intelligence Data: Publicly available company information, market data, and business intelligence collected from external sources.

3. Scope and Roles

You, as the Customer, are the Data Controller of any Personal Data processed through Subsignal's competitive intelligence and market monitoring platform. Subsignal acts as the Data Processor, processing Personal Data on your behalf solely to provide our market intelligence, deal flow monitoring, and competitive analysis services.

This DPA applies to Personal Data processed in connection with your use of Subsignal's platform, including user account information, company tracking preferences, and any personal information contained within monitored data sources.

4. Processing of Personal Data

4.1 Processing Instructions

  • We process Personal Data only on your documented instructions, unless required by law to act otherwise.
  • Processing is limited to activities necessary for providing market intelligence, competitive monitoring, deal flow tracking, and related analytics services.
  • We do not use Personal Data for our own business purposes beyond providing the contracted services.

4.2 Security and Confidentiality

  • Persons authorized to process Personal Data are bound by confidentiality obligations.
  • We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest.
  • Access to Personal Data is restricted to personnel who require such access for the performance of their duties.

4.3 Data Subject Rights Support

  • We assist you, as far as possible, in fulfilling your obligations to respond to Data Subject requests for access, rectification, erasure, portability, and restriction of processing.
  • We provide reasonable assistance in ensuring compliance with security, breach notifications, data protection impact assessments, and consultations with supervisory authorities.

4.4 Data Retention and Deletion

  • Personal Data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
  • Upon termination of services, at your choice, we will delete or return all Personal Data within 30 days, unless otherwise required by law.
  • Market intelligence data derived from public sources may be retained for historical analysis purposes, with any Personal Data elements anonymized.

5. Subprocessors

Subsignal may engage Subprocessors to process Personal Data on your behalf, including cloud infrastructure providers, data analytics services, and email delivery platforms. We maintain a current list of Subprocessors and will notify Customers of any material changes as required by applicable Data Protection Laws.

All Subprocessors are bound by data protection obligations equivalent to those set out in this DPA. We remain fully liable for the acts and omissions of our Subprocessors.

6. International Data Transfers

When transferring Personal Data outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data localization requirements, Subsignal ensures such transfers comply with applicable Data Protection Laws.

We rely on appropriate safeguards such as Standard Contractual Clauses (SCCs), adequacy decisions, or other legally recognized transfer mechanisms for international data transfers. Details of specific transfer mechanisms are available upon request.

7. Data Subject Rights

We assist you, to the extent reasonably possible, in fulfilling your obligations to respond to requests by Data Subjects to exercise their rights under applicable Data Protection Laws, including:

  • Right of access to Personal Data
  • Right to rectification of inaccurate Personal Data
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling

For Data Subject requests, please contact us at the information provided in Section 11 below.

8. Security Measures

Subsignal implements and maintains appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and vulnerability testing
  • Access controls and authentication mechanisms
  • Employee training on data protection and security
  • Incident response and business continuity procedures
  • Regular backup and recovery processes

9. Personal Data Breach

In the event of a Personal Data breach affecting your Personal Data, Subsignal will notify you without undue delay and no later than 72 hours after becoming aware of the breach. We will provide all necessary information to enable you to comply with your breach notification obligations under applicable Data Protection Laws.

Breach notifications will include details of the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Data Protection Impact Assessments

Where required by applicable Data Protection Laws, we will provide reasonable assistance in conducting Data Protection Impact Assessments (DPIAs) related to our processing of Personal Data, including providing information about our processing activities and security measures.

11. Termination

Upon termination of the Principal Agreement, you may request deletion of your Personal Data processed by Subsignal. We will comply with such a request within 30 days unless otherwise required to retain the data under applicable law.

Market intelligence data that has been anonymized or aggregated in a way that prevents re-identification may be retained for analytical and service improvement purposes.

12. Audits and Records

Subsignal maintains records of all processing activities carried out on behalf of Controllers. We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

Any such audits will be conducted during regular business hours, with reasonable advance notice, and at your expense unless a breach of this DPA is identified.

13. Contact Information

For questions regarding this DPA or to exercise Data Subject rights, please contact us at:

Email: [email protected]

Data Protection Officer: [email protected]

Address: [Your Company Address]

By using Subsignal's market intelligence platform, you agree to this Data Processing Agreement and acknowledge that it forms part of our Terms of Service.