Data Processing Addendum
Ledgy AG, a stock corporation formed under the laws of Switzerland, with 
company number CHE-261.454.963 (“Ledgy”), and the customer (the 
“Customer”) (each a “Party” and together the “Parties”), hereby agree as 
follows:
1 Scope
1.1
This data processing addendum (the “Addendum”) applies exclusively to the 
processing of personal data (the “Customer Personal Data”) by Ledgy on 
behalf of the Customer where such processing is subject to European Union 
(EU), United Kingdom (UK), or Swiss data privacy law. This Addendum, 
including its annexes, forms part of, and is subject to, the provisions of the 
agreement between the Parties (the “Services Agreement”) in respect of the 
performance of services (the “Services”) by Ledgy for the Customer that 
include the processing of such Customer Personal Data.
1.2
The term “EU Data Privacy Law” means Regulation (EU) 2016/679 of the 
European Parliament and of the Council of 27 April 2016 on the protection of 
natural persons with regard to the processing of personal data and on the 
free movement of such data, and repealing Directive 95/46/EC (General Data 
Protection Regulation or GDPR), including any future revision thereof. 
The term “UK Data Privacy Law” means all laws relating to data protection, 
the processing of personal data, privacy and/or electronic communications in
force from time to time in the UK, including the GDPR to the extent that it 
forms part of the United Kingdom’s local law as a result of Section 3 of the 
European Union (Withdrawal) Act 2018, and the Data Protection Act 2018. 
The term “Swiss Data Privacy Law” means the revised Swiss Federal Act on 
Data Protection (FADP), including any future revision thereof. EU Data Privacy 
Law, UK Data Privacy Law and Swiss Data Privacy Law are collectively 
referred to as “Data Privacy Law”.
1.3
Terms such as “processing”, “Personal Data”, “Controller”, “Processor”, 
“Data Subject”, “Sub-Processors” and “Data Breach” shall have the meaning 
ascribed to them in Data Privacy Law, as applicable to the processing.
2 Binding Character of this Addendum
The Parties hereby agree to be bound by the provisions and obligations set 
forth in this Addendum in respect of all their data protection obligations and 
agree that any data protection and data processing obligations previously 
agreed between the Parties are repealed in their entirety and replaced by 
this Addendum.
Any changes to this Addendum shall be made in accordance with the 
provisions of the applicable Services Agreement.
3 Details of Processing
The processing carried out by Ledgy will be as follows:
3.1 Subject matter of processing
Equity management services by means of an online software application (the
“Application”) and the fulfillment of contractual obligations under the 
Services Agreement and this Addendum.
3.2 Duration of processing
For the duration of the Services Agreement, until it is terminated or until 
processing by Ledgy of any Customer Personal Data is no longer required for 
the performance of Ledgy’s obligations under the Services Agreement or 
this Addendum.
3.3 Purpose of processing
The provision of the Services.
3.4 Categories of Personal Data
Equity data: shareholder information (including their General Personal Data) 
and any personal data that may be included in company information, share 
ledger transaction history, legal documents or other cap table details.
General Personal Data: data about an identified or identifiable Data Subject, 
including, but not limited to, name, surname, title, date of birth, country of 
origin, telephone number, email and postal address.
Any other personal data submitted by the Customer through its use of the 
Services and Application, provided always that the Customer shall not use 
the Services or Application to process special category data.
3.5 Categories of Data Subjects
Shareholders and any other natural persons who access and use the 
Customer’s account (e.g., advisors).
4 Roles of the Parties
The Customer and Ledgy hereby agree that for the purposes of this 
Addendum, the Customer shall be the Controller and Ledgy shall be the 
Processor.
5 Ledgy’s obligations
Ledgy, acting as Processor, shall:
5.1
only process Customer Personal Data on documented instructions from the 
Customer, unless required to do so by laws applicable to Ledgy (provided 
that Ledgy first informs the Customer of that legal requirement before 
processing, unless that law prohibits this on important grounds of public 
interest). The Services Agreement and this Addendum, together with the 
Customer’s use of the Services, constitute the Customer’s documented 
instructions to Ledgy for the purpose of providing the Services. Ledgy shall 
immediately inform the Customer if, in Ledgy’s opinion, an instruction given 
by the Customer contravenes Data Privacy Law;
5.2
ensure that all personnel who have access to Customer Personal Data have 
committed themselves to appropriate obligations of confidentiality;
5.3
maintain appropriate technical and organizational measures to protect the 
Customer Personal Data. The Parties acknowledge that security 
requirements are constantly changing and that effective security requires 
frequent evaluation and regular improvements of outdated security 
measures. Ledgy will, therefore, evaluate the measures on an on-going basis
and will tighten, supplement and improve these measures as it deems 
necessary or appropriate in its sole discretion. An overview of the current 
technical and organizational measures can be found on Annex 1 of this 
Addendum;
5.4
assist the Customer, to the extent possible, in fulfilling the Customer’s 
obligations to respond to requests for the exercise of Data Subject rights 
set out in the applicable Data Privacy Law;
5.5
assist the Customer in complying with Article 35 (Data protection impact 
assessment) and Article 36 (Prior consultation) of the GDPR (or the 
equivalent provisions of Swiss and UK Data Privacy Law) in respect of 
any new type of processing proposed, in accordance with Data Privacy Law.
6 The Customer’s obligations
The Customer, acting as the Controller, hereby warrants and represents:
6.1
that all processing of Customer Personal Data will be in compliance with all 
Data Privacy Law, and that the processing of the Customer Personal Data by 
Ledgy in accordance with this Addendum will not breach Data Privacy Law;
6.2
that Customer Personal Data provided to Ledgy are accurate and will be 
updated to ensure continued accuracy as and when required;
6.3
that it has notified Data Subjects of any applicable period for which Customer
Personal Data or any element of Customer Personal Data will be stored by 
Ledgy;
6.4
that the Customer has the right to provide Customer Personal Data to Ledgy 
and has provided Data Subjects with all necessary information and data 
protection notices on or in connection with the collection of such Customer 
Personal Data from data subjects including, but not limited to, the supply of 
Customer Personal Data to Ledgy and details of the purposes for which such 
Customer Personal Data will be processed by Ledgy including, if applicable, 
as set out in Ledgy’s retention policy;
6.5
Customer warrants and represents:
6.5.1
that the Customer will not provide Ledgy with, nor request Ledgy to process, 
the types and categories of Personal Data listed, defined, or referred to in 
Articles 8–10 of the GDPR or the equivalent provisions of UK and Swiss 
Data Privacy Law; and
6.5.2
that the Customer will not provide or pass to Ledgy personal data of which 
Ledgy has no knowledge or which is not explicitly provided for under this 
Addendum, and that, where applicable, the Customer will not enter any 
personal data into free text fields embedded in relevant Ledgy products 
and/or Services and will not include any personal data outside the scope of 
Personal Data contemplated in the Services Agreement and this Addendum 
in any attachments uploaded to Ledgy’s Application;
6.6
that the Customer shall, and shall procure that its employees, contractors 
and/or agents shall, keep the login credentials used to access the Services 
secure, and the Customer shall be liable for all access to the Services made 
through such login credentials. The Customer shall promptly notify Ledgy of 
any unauthorized use of any login credentials or other breach of security, 
including the loss, theft or unauthorized disclosure of login credentials.
7 Sub-processors
7.1
The Customer hereby provides its prior, general authorisation for Ledgy to 
appoint Sub-Processors to process the Customer Personal Data in connection
with the provision of the Services. 
7.2
Ledgy shall:
7.2.1
enter into an agreement with each Sub-Processor containing obligations 
which are materially similar to those set out in this Addendum to the extent 
applicable to the nature of the services provided by such Sub-Processor;
7.2.2
remain responsible for the acts and omissions of any such Sub-Processor as 
if they were the acts and omissions of Ledgy.
7.3
A list of Ledgy’s current Sub-Processors is set out at Annex 2.  The Customer 
may request an up-to-date list of Sub-Processors at any time.
7.4
Ledgy will notify the Customer prior to transferring any Customer Personal 
Data to a new Sub-Processor.  The Customer will notify Ledgy in writing 
within 30 days after being notified of such new Sub-Processor if it objects to 
the processing of its Customer Personal Data by the new Sub-Processor. In 
such event the parties will, acting reasonably, try to come to an agreement 
over the transfer of the Customer Personal Data to the applicable Sub-
Processor.  Where agreement is not possible the Customer shall be entitled 
to terminate the Services Agreement.
8 Audit Rights
8.1
Ledgy shall maintain complete, accurate and up to date written records of all
categories of processing activities carried out on behalf of the Customer. 
8.2
Such records shall include all information necessary to demonstrate Ledgy’s 
compliance with this Addendum. Ledgy shall make copies of such records 
referred to at clause 8.1 available to the Customer promptly on request.
8.3
Ledgy shall promptly make available to the Customer such information as is 
required to demonstrate Ledgy’s compliance with its obligations under the 
Data Privacy Law. If the Customer can reasonably show that the 
documentation made available to it does not provide sufficient information 
for the Customer to confirm Ledgy’s compliance with the terms of this 
Addendum, Ledgy shall permit the Customer or an accredited third-party 
auditor to conduct an audit to confirm such compliance.  Such audit shall 
take place during Ledgy’s regular hours of business, not more than once in 
any 12 month period, and on not less than 4 weeks prior written notice.  The 
Customer and its auditors (if any) shall enter into confidentiality agreements 
with Ledgy and shall comply with all Ledgy’s reasonable requirements to 
minimise disruption to Ledgy’s business.
9 Personal Data Breach
Ledgy shall, without undue delay:
(a) notify the Customer after Ledgy, any of its Sub-Processors or any of 
Ledgy’s personnel becomes aware of a Personal Data Breach in respect of 
any Customer Personal Data; 
(b) provide all information the Customer requires (to the extent that it is 
available to Ledgy) to report the circumstances to a supervisory 
authority and to notify affected Data Subjects under Data Privacy Law; 
and
(c) provide the Customer with reasonable assistance in responding to and 
mitigating the Personal Data Breach.
10 Overseas Transfers
Ledgy may transfer Customer Personal Data outside of the European 
Economic Area, the United Kingdom or Switzerland as required to process the 
Customer Personal Data for the purpose set out in this Addendum, provided 
that Ledgy shall ensure that all such transfers are made in accordance with 
applicable Data Privacy Law, including by entering into the standard data 
protection clauses adopted by the European Commission (where the EU 
GDPR applies to the transfer) together with any applicable additional clauses 
required for transfers out of the United Kingdom or Switzerland, as 
applicable. 
11 Liability
The Customer acknowledges that Ledgy is reliant on the Customer for 
instructions as to the extent to which Ledgy is entitled to use and process 
the Customer Personal Data. Consequently, Ledgy will not be liable for losses
(including indirect losses, loss or corruption of data, loss of reputation, 
goodwill and profits), actions, proceedings and liabilities of whatsoever 
nature incurred by Ledgy or for which Ledgy may become liable due to any 
claim brought by a Data Subject or Supervisory Authority arising from the 
Customer’s instructions or use of the Services or Application in breach of the 
Data Privacy Law.
12 Order of Precedence
To the extent of any conflict between this Addendum and any parts of the 
Services Agreement, this Addendum shall prevail, govern, and supersede.
13 Survival
This Addendum and the obligations hereunder shall survive the termination 
or expiry of the Services Agreement however effected or arising, and shall 
continue until Ledgy no longer processes any Customer Personal Data.  The 
Customer Personal Data will be returned to the Customer and deleted by 
Ledgy in accordance with the Services Agreement.
Annex 1 - Technical and Organisational Measures
This annex to the Data Processing Addendum outlines the technical and 
organizational measures implemented by Ledgy AG (“Ledgy”, “Processor” or 
the “data processor”) in compliance with its data protection obligations as a 
data processor. 
These measures aim to ensure the security and protection of personal data 
processed on behalf of the Customer (“Controller”) in accordance with 
applicable data protection laws, including the Federal Act on Data Protection 
(FADP) and the General Data Protection Regulation (GDPR).
Organizational Security Measures
Security Management
- Security Governance: Ledgy has a dedicated team with regular 
 involvement from senior leadership to oversee information security.
 Responsibilities of the team include defining policies, enforcing
 security practices, and monitoring overall security.
- Risk Management: A structured program for ongoing identification, 
 measurement, and management of IT-related risks is in place and
 overseen by relevant personnel and senior leadership.
- Roles and Responsibilities: Responsibilities for processing personal 
 data are clearly defined in line with security policies.
- Resource/Asset Management: Ledgy maintains registers of IT 
 resources used for personal data processing, including hardware,
 software, and network. Designated personnel are responsible for
 maintaining and updating the registers.
Incident Response and Business Continuity
Incident Handling / Personal Data Breaches:
- Incident procedures are in place to ensure effective responses to 
 security incidents, including those involving personal data.
- Ledgy promptly reports any security incident leading to the loss, 
 misuse, or unauthorized access to personal data to the affected data
 controller(s).
Business Continuity: Ledgy has established procedures and controls 
to ensure the required level of IT system continuity and availability for 
processing personal data in case of an incident or data breach.
- Multiple Availability Zones to provide improved redundancy and 
 fault tolerance.
- Periodic Disaster Recovery and/or Business Continuity exercises 
 are conducted.
Human Resource Security
- Verification: Ledgy verifies and validates all candidates prior to 
 hiring, including background checks, to assess their suitability and
 manage risk.
- Policy Compliance: Ledgy ensures that all employees understand 
 their responsibilities and obligations regarding personal data
 processing and compliance with security policies.
- Onboarding and Offboarding: Ledgy maintains clear procedures for 
 management of access rights for new joiners and during termination.
 Processes are also defined for transferring rights and responsibilities
 during internal reorganizations or other changes in employment.
- Training: Ledgy trains employees about security controls and 
 requirements relevant to their work. Employees are regularly educated
 on data protection requirements and legal obligations through
 awareness campaigns and monthly training on general security topics.
Technical Security Measures
Access Control and Authentication
- Least Privilege: Access control rights are specifically assigned to 
 roles involved in personal data processing, following the principle of
 least privilege. Access is granted following the "need-to-know"
 principle to limit access to personal data to those who require it.
 Periodic reviews of all access levels are conducted.
- Authentication: An access control system applicable to all IT system 
 users is implemented, allowing for user account creation, approval,
 review, and deletion. Multi-factor authentication (MFA) is enforced
 where possible.
- Unique Accounts: The use of shared user accounts is prohibited; where 
 a shared account is nevertheless necessary, all users of that account
 have the same roles and responsibilities.
- Passwords: Where passwords are used, they are required to be at 
 least 16 characters long, meet strong password control parameters
 (length, complexity, non-repeatability), and are never transmitted over
 the network unprotected.
Logging and Monitoring
- Log Creation: Log files are enabled for systems and applications used
 in personal data processing, tracking data access (view, modification,
 deletion) and other security and system events.
- Log Monitoring: Ledgy has implemented comprehensive logging and 
 monitoring mechanisms to track data access and system activities.
 Ledgy personnel also perform periodic reviews and analysis of logs to
 identify and mitigate security incidents and anomalies.
Data Protection and Security
- Data Protection: Database(s) and application servers run in separate 
 environments and separate systems to ensure data protection.
 Personal data is only processed as required to fulfill the service’s
 intended purpose.
- Data Access Controls: Database access is highly restricted to 
 database administrators and only granted on a need-to-know basis.
- Data Disposal: Personal data is stored only in cloud storage for 
 which the cloud hosting provider provides secure deletion assurance.
 Policies prohibit the storage of personal data on paper or local drives
 to prevent data loss through these channels.
- Data Encryption: Data at rest is encrypted using AES-256. Data in 
 transit over the Internet is encrypted using TLS 1.2 or later.
- Backup Security: Ledgy takes backups/snapshots hourly and tests 
 restoration periodically. Backup and data restore procedures are
 defined, documented, and linked to specific roles and responsibilities.
Secure System Architecture
- Perimeter Controls: Network traffic to and from the IT system is 
 monitored and controlled using firewalls and/or security groups and
 other network security technologies. A Web Application Firewall (WAF)
 is used to monitor web traffic and help prevent abuse.
- Network Segmentation: The production service environment is 
 divided into multiple zones and VPCs depending on the security
 requirements of individual services.
Application and System Lifecycle
- Secure SDLC: Ledgy adheres to a structured Software Development 
 Lifecycle (SDLC) throughout its software and system development
 practices. Security is integrated throughout the phases of the
 development lifecycle.
- Change Management: Ledgy ensures that IT system changes are 
 recorded and monitored by designated personnel, subjected to
 appropriate testing, and approved prior to release.
- Vulnerability Management: Software, system components, and 
 third-party dependencies are reviewed regularly to proactively identify
 potential security vulnerabilities, which are then tracked until
 addressed.
- Security Testing: System components are subjected to periodic and 
 ongoing security testing, including penetration tests, security scans,
 and code analysis. Findings are tracked until addressed.
Physical and Environmental Security
Data Centers: Ledgy hosts all Customer Data in Google Cloud 
Platform (GCP). Ledgy regularly reviews Google’s physical and 
environmental controls for the relevant data centers, as audited by 
Google’s third-party auditors. Such controls include, but are not limited to:
- Physical access to the facilities is controlled at the building ingress points;
- Visitors are required to present ID and sign in;
- Physical access to servers is managed by access control devices;
- Physical access privileges are reviewed regularly;
- Facilities utilize monitoring and alarm procedures;
- Fire detection and protection systems;
- Power back-up and redundancy systems; and
- Climate control systems.
Last updated: October 23, 2023.
Annex 2 - Sub-Processors
(The Sub-Processor table referred to in clause 7.3 did not survive extraction; 
the only recoverable fragments are: “and transaction data, uploaded 
documents”, “Germany (AWS)”, and “address, content of the emails”.)