1 Terms of Service and Parties
The “Terms and Conditions” (referred to as the “Terms”) outline the conditions that regulate how you access and utilize the equity management software and associated services, including legal templates (collectively known as the “Services”). These Services are provided on capboard.io (the “Website”/“Application”) by Capboard Tech, S.L., Spain (“Capboard”, “we”, “our” or “us”) for your use as the recipient of these Services (the “Customer”, “you” or “your”, each referred to as a “Party” and collectively known as the “Parties”). In order to utilize the Services, you must consent to and comply with these Terms. Together with the online order confirmation, if any, (the “Order Confirmation”) and other documents referenced herein, these Terms constitute a legally binding agreement (the “Agreement”) between the Parties.
These Terms become effective when you electronically confirm your consent by clicking the ‘Accept’ button, and they override all prior or contemporaneous negotiations or communications between you and us regarding the Services, unless expressly agreed otherwise. The date of entering into this Agreement will be referred to as the “Effective Date”.
2 The Services
We provide both free and purchased services to you as outlined in the comprehensive description on the Website. These services are offered in accordance with the terms specified on the Website, as well as those detailed in these Terms and/or specific terms specified in the Order Confirmation. It’s important to note that all services, whether free or purchased, are subject to the terms outlined in these Terms.
Free Trial Services
For free trial services (“Free Trial Services”), you are granted access to and use of our services for a limited duration on a trial basis, as outlined on our Website or in the Order Confirmation. Following the conclusion of this trial period, any data (referred to as the “Data”) entered by you will be deleted after 30 days according to the Data Processing Agreement, unless you choose to continue under a purchased services arrangement (referred to as the “Purchased Services”) or export the Data before the conclusion of the Free Trial Services period.
Free Services
You may have access to our services as an external user, whether as an employee, consultant, or lawyer (referred to as an “External User”), without incurring any charges (referred to as “Free Services”). In the case of Free Services, we will provide access to the services in accordance with these Terms and any relevant Order Confirmations. For information regarding the Order Confirmation, please get in touch with the Customer for whom you are accessing the data.
Purchased Services
In case of Purchased Services, you are granted access to and use of our services on a paid basis as outlined in the Order Confirmation. Please note that we do not provide refunds for fees that have already been paid for Purchased Services, and we do not adjust fees in the event of a downgrade before the conclusion of the Purchased Services Period, as indicated in the Order Confirmation, except at our sole discretion.
Support
We will provide basic support and training as specified on the Website free of charge. Any additional support and training services are subject to a separate agreement in the Order Confirmation.
We offer basic support, as outlined on the Website, free of charge. However, any additional support services are subject to a separate agreement specified in an Order Confirmation.
Initial Implementation
The initial implementation services, referred to as “Initial Implementation”, encompass the process of importing your data before the commencement of your use of the services. We will inform you of any discrepancies identified during the Initial Implementation. It is your responsibility to review the data for accuracy and provide approval within 20 business days of receiving such notice. If you do not confirm the Initial Implementation within this 20-business-day period, it will be considered as complete and accepted.
Third-Party Services and E-Signatures
We may incorporate or make reference to specific third-party services within our Services, referred to as “Third Party Services”, such as e-signature solutions or legal advisory services. These Third Party Services are clearly identified as such on the Website and necessitate your entry into a separate agreement with the respective Third Party Services provider. It is your sole responsibility to evaluate the suitability of Third Party Services for your specific needs. Additionally, in the case of e-signatures, you are responsible for verifying whether the chosen e-signature meets the form requirements for the legal transaction to be electronically signed. Capboard explicitly disclaims any liability for damages arising from or related to such Third Party Services and further disclaims all warranties, whether express or implied, concerning such Third Party Services.
3 Intellectual Property Rights and Data Ownership
3.1 Your Data
Data imported into the Application by you or by External Users on your behalf.
Ownership
Your Data belongs to you or the individual or entity you represent, irrespective of whether it was imported into the Application by you, third parties, or us on your behalf.
Related rights
As long as your account is accessible (not suspended or terminated), you have the ability to export your Data from the Application in an industry-standard format, whether your account is free or purchased. In the event of the termination of this Agreement, you can request a copy of your Data within 30 days. If Capboard faces bankruptcy, you may need to contact the bankruptcy administrator for access to your Data. Please be aware that the bankruptcy administrator may deny requests or charge reasonable fees, particularly if the request is repetitive, manifestly unfounded, or excessive.
In situations where there is a partial service discontinuation blocking the export function, or if your account becomes inaccessible, you can request assistance from us to deliver an export of your Data. We commit to completing such requests within 30 days unless circumstances beyond Capboard’s control make the export impossible.
Capboard utilizes your Data exclusively for the provision of the Services. Additionally, Capboard may perform anonymized data analytics based on your Data, such as generating anonymized statistics.
3.2 Intellectual property rights in the Services, the Website, and the Application
Ownership
All intellectual and industrial property rights over the Application, including, without limitation, all software used herein, the graphic design, programming and structure of the Application, as well as other rights and know-how related to the Application (including any modifications or enhancements) and all associated rights under copyright, trademarks and patents belong to Capboard and/or Capboard’s subcontractors, business partners, licensors, affiliates, and third-party providers (collectively, the “Subcontractors”).
Customers may not alter, copy, download, modify, decompile, disassemble, reverse engineer, license, lease, sell or imitate the Application or its underlying software. Capboard may exercise all the judicial and extrajudicial actions it deems appropriate in the event of any breach of its rights.
Related right
Capboard provides you with a revocable, non-exclusive, non-sublicensable, and non-transferable license to access and use the Services in accordance with these Terms. This license is subject to the terms outlined herein. It is important to note that, apart from the granted right to access and use, you do not acquire any additional rights under these Terms from Capboard or its subcontractors.
4 Service Level
Capboard commits to making reasonable efforts and employing commercially reasonable measures to ensure the satisfactory availability of the Application, delivering a Services experience that is reasonably error-free, timely, and reliable.
Throughout the term of the Services, a minimum monthly uptime percentage of at least 99.9% during business hours, referred to as the “Service Level Objective” or “SLO,” will be provided to you.
Should Capboard fail to meet the SLO for three consecutive months, and assuming you fulfill your obligations under this Agreement, you have the option to terminate your Agreement with Capboard immediately. This constitutes your sole and exclusive remedy for any failure by Capboard to meet the SLO.
It’s important to note that this section does not apply to: (a) features or Services excluded from the SLA (as specified in the associated Order Confirmation), (b) errors caused by factors beyond Capboard’s reasonable control, (c) errors resulting from your software or hardware or third-party software or hardware, or both, or (d) errors resulting from abuses or other behaviors that violate the Agreement.
5 Security and privacy
We highly value your privacy at Capboard, and as such, we enforce stringent security measures to safeguard your Data. These measures include encryption during Data transmissions and regular backups to protect against accidental loss, theft, or unauthorized access or disclosure. Additionally, the following documents are considered integral parts of this Agreement:
– Privacy Policy: This document outlines the types of Data we collect from you, how we use it, the legal basis for processing, and your rights.
– Data Processing Agreement (DPA): Attached to this agreement as Annex 1, this DPA comes into effect if you qualify as the data controller. The DPA delineates the terms under which we process your Data on behalf of the data controller, typically the company whose equity we manage. If we are processing your Data on behalf of a data controller, kindly contact the data controller directly for further information and requests related to the processing of your Data.
6 Your Use of the Services and Your Account Activity
By utilizing the Services, you agree to adhere to the following terms:
- You shall not employ the Services for any illegal or unauthorized purpose.
- The legal templates available are strictly for your individual internal use and may not be published or shared with third parties.
- You are accountable for all activities occurring during the use of your usernames and passwords, encompassing both authorized and unauthorized actions. This responsibility extends to instances of unauthorized access caused by your gross negligence. Capboard disclaims responsibility for unauthorized account access, except in cases of a security breach, as detailed in our DPA.
- Safeguarding your username and password from unauthorized use and disclosure is your responsibility. In the event of any breach of security, such as theft or unauthorized use of your credentials or information, you must promptly notify Capboard.
- You grant consent for the Website to send emails to third parties on your behalf as part of delivering the Services, triggered by your account activity.
- You shall ensure that any Data registered, uploaded, or shared via the Services, as well as your overall usage of the Services, complies with both the agreements you have with Capboard and applicable laws.
- Your use of the Services and the sharing of materials on Capboard’s platform should comply with legal requirements. If you are in a jurisdiction where such use is illegal or restricted, Capboard reserves the right to terminate your access.
- The Services are provided solely for informational purposes, without consideration for specific investment objectives, financial situations, or means of any particular entity. Capboard does not solicit any action based on this information. The content is not a recommendation, offer, or solicitation to buy or sell any security, financial product, or instrument. Investments in unlisted companies involve substantial risks, and you should only engage in such transactions after fully understanding the risks and determining their appropriateness for you. The material should not be construed as business, financial, investment, legal, regulatory, tax, or accounting advice. Capboard bears no responsibility for actions or omissions made based on the information provided on Capboard.
7 Duration and Termination
7.1 Duration and Renewal
This Agreement will commence on the Effective Date and will continue until terminated in accordance with the clauses outlined in this Section. The Effective Date and duration will be specified in the Order Confirmation. Unless otherwise agreed, the subscribed Services will automatically renew after the designated duration for additional renewal periods, as per the Order Confirmation. Either Party has the right to terminate the subscribed services by providing 30 days’ notice before the end of a term.
7.2 Termination
In addition to the termination rights outlined above, you have the option to terminate this Agreement immediately if the reason for termination is your explicit disagreement with our material alteration of these Terms or the Services, provided that the termination notice falls within the change assessment period defined in Section 8.
Capboard reserves the right, at its sole discretion and at any time, to suspend or discontinue your use of the Services without prior notice and without any liabilities if Capboard reasonably suspects or determines that your use of the Services materially violates this Agreement, is fraudulent, or is necessary to comply with the law or requests from public authorities.
Furthermore, Capboard may, at its sole discretion and at any time, with 10 days’ prior notice and without any liabilities, suspend or discontinue your use of the Services if Capboard suspects or determines that your use poses a security risk, could impact the operations of our systems or delivery of the Services, could subject Capboard or a third party to substantial liability, or if you become the subject of bankruptcy, dissolution, liquidation, or a similar situation. In such cases, Capboard will provide a reasonably detailed explanation for the suspension or discontinuation. During any suspension, you remain liable for all fees and charges incurred.
7.3 After Termination
Upon termination, you remain responsible for all fees and charges you have incurred until the termination date. We will not take action to remove, block, anonymize, reduce the availability of, or in any way alter any of your Data until 30 days after the termination date and you may request to export your Data. Thereafter, we may delete your Data.
8 Changes to the Terms and Services
8.1 Changes to these Terms
Non-material
Changes resulting in a development in the Terms which is not substantially different from the one which has been approved by the Customer.
Notification: Directly, at least 14 days ahead, except where impossible.
Termination right: No termination right
Material
Changes which significantly alter the nature and scope of the Terms.
Notification: Directly, at least 14 days ahead, except where impossible.
Termination right: Termination right with immediate effect (pursuant to the termination conditions set out in Section 7) within 14 days upon notice (the “Change Assessment Period”). This termination right is your sole and exclusive remedy if you object to any change in these Terms. Your continued use of the Services after the expiration of the Change Assessment Period will constitute acceptance of these Terms, as amended.
8.2 Changes to the Services
Non-material
Changes resulting in development in the Services which is not substantially different from the one which has been approved by the Customer.
Notification: Capboard may exercise full discretion in modifying or discontinuing any part or whole of the Services subject to these Terms at any time without cause or prior notice.
Termination right: No termination right.
Material
Changes which significantly alter the nature and scope of the Services.
Notification: We will notify you of any material change to or material discontinuation of the Services, at least 30 days ahead, unless impossible.
Termination right: Termination right with immediate effect (pursuant to the termination conditions set out in Section 7) within the Change Assessment Period. This termination right is your sole and exclusive remedy if you object to any change in the Services. Your continued use of the Services after the expiration of the Change Assessment Period will constitute acceptance of the change.
9 Payment for Purchased Services
Access to Purchased Services will not be granted until outstanding fees are paid, unless otherwise specified in the Order Confirmation.
We calculate and invoice fees and charges regularly in accordance with the Order Confirmation in a standard format. All prices are exclusive of VAT unless explicitly specified otherwise.
Due amounts are to be paid without set-off or counterclaim, and without any deduction or withholding, following the payment methods and conditions specified on each invoice.
Payments that are more than 30 days late are subject to an interest rate of 8% per year. After providing notice of non-payment and allowing 30 days to cure, non-payment may lead to the suspension or termination of this Agreement, resulting in the loss of access to your account and Data.
Unless otherwise stipulated by law or a specific agreement with Capboard, all purchases are considered final and non-refundable. If you believe there has been an erroneous charge, you must contact us within 30 days of such charge, as outlined in Section 1. While we reserve the right to issue refunds at our discretion, we are not obligated to issue the same or similar refund in the future.
We may update fees and charges for parts or all of the Services, or new Services, or if parts of Services are discontinued. Such updates will be effective when we publish information on the updated fees and charges on the Capboard Website or at another time if we inform you so in writing. If we increase or add fees or charges, we will notify you at least 30 days in advance.
10 Limitation of Liabilities and Indemnification
No provision in these Terms, the Order Confirmation (if applicable), or any other referenced document is intended to exempt, restrict, or confine the liability of either party (or their respective agents or subcontractors) for (i) death or personal injury resulting from negligence, (ii) fraud or fraudulent misrepresentation, or (iii) any other losses or damages that cannot be excluded or limited by applicable law. This Section 10 does not limit the Customer’s obligation to pay the proper and due fees or any claims against the Customer for intellectual property infringement (including, but not limited to, copyrights in the software).
In case of breach of these Terms, the total combined liability of Capboard (including their respective agents and subcontractors) under, arising from, or related to the Agreement, whether arising in contract, tort (including negligence), or otherwise, will not exceed the total fees paid by the Customer to us in the twelve months preceding the date of the claim (or the earliest claim if there is more than one), or EUR 1000 where no fees have been paid during that period.
To the extent permitted by Law, Capboard shall not be liable for any loss of profits, data, business, or business benefits, or the cost of procuring substitute products or services by the Customer, business interruption, loss of management time, loss of use, loss of contracts, loss of opportunity, loss of goodwill (whether direct or indirect) or any special, indirect, incidental, or consequential losses or punitive damages of any nature whatsoever; regardless of whether such losses are caused by negligence, breach of statutory duties, or breach of obligations, even if the possibility of such losses has been advised.
Subject to the conditions stated in the initial paragraph of this section and to the fullest extent allowed by applicable law, we shall bear no responsibility for any loss, injury, expenses, costs, or damage, whether wholly or partially caused by (i) any failure, delay, interruption, or other issues in the provision of the Services; or (ii) actions taken by the Customer as a consequence of using or relying on the Services. The parties acknowledge that the limitations and exclusions outlined in these Terms are deemed reasonable considering all circumstances.
11 Warranties and Disclaimers
Capboard does not provide any warranties, express or implied, guarantees, or conditions regarding your use of the Services, except as explicitly stated herein. This includes, but is not limited to, any warranty of merchantability, fitness for a particular purpose, title, satisfactory quality, quiet enjoyment, or non-infringement.
The Services are provided on an “as is” and “as available” basis, without any promise, guarantee, or responsibility for accuracy, timeliness, correctness, reliability, or completeness. Capboard does not warrant that the availability, use, or function of the Services or third-party content will be uninterrupted, error-free, or free of harmful components. Specific conditions outlined in our DPA apply to the processing of your Data, including the security of your Data.
The Website and Application may include links to other websites governed by separate terms of use. Capboard, to the extent possible, disclaims responsibility for such other websites, including but not limited to the contents of such other websites or your use of them.
12 Force Majeure
Under no circumstances shall Capboard be held liable for any delay or failure or disruption of the content or Services delivered under this Agreement resulting directly or indirectly from acts of nature, forces or causes beyond its reasonable control, including without limitation, Internet failures, computer, telecommunications or any other equipment failures, electrical power failures, strikes, labor disputes, riots, insurrections, civil disturbances, shortages of labor or materials, fires, flood, storms, explosions, war, governmental actions, orders of domestic or foreign courts or tribunals or non-performance of third parties.
13 Contact and Notice
Communication to Capboard | Channel |
Contact | Email to: info@capboard.io |
Communication to you | Channel |
Contact | Notice on the Website or Message to the email address associated with your customer account |
It is your responsibility to keep your email address associated with your account current. You will be deemed as having received an email sent to the email address then associated with your account when we send the email, regardless of whether you actually receive the email.
All notices made or given must be in the English or Spanish language.
14 Law and Jurisdiction
These Terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Spain. The provisions of the United Nations Convention on the International Sale of Goods shall not apply to this Agreement.
Each Party irrevocably agrees that the courts of the city of Barcelona shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms or its subject matter or formation (including non-contractual disputes or claims).
Annex 1
DATA PROCESSING AGREEMENT
The present Data Processing Agreement (DPA) is part of:
- The Terms and Conditions of Capboard (Terms); or, as the case may be,
- Any other agreement signed between you and Capboard to regulate the hiring and use of the Platform (collectively, the “Agreement”).
This Data Processing Agreement and the rest of the clauses in the Agreement are supplementary; however, in the event of a conflict regarding data protection, this Data Processing Agreement shall prevail.
1 EFFECTIVE DATE
This DPA takes effect when you confirm your consent to the Capboard Terms electronically by clicking on the ‘Accept’ button. The date of entering into this Agreement will be referred to as the “Effective Date”.
2 EFFECTIVENESS
– The person who accepts or, as applicable, signs the Agreement or the Data Processing Contract independently on behalf of the Client, declares to Capboard that they have the legal authority to bind the Client and are legally competent to enter into contracts.
– The duration of this Data Processing Agreement will be the same as that of the Agreement. This means that this Data Processing Agreement will automatically terminate upon the termination of the Agreement or when resolved earlier in accordance with the terms of this Data Processing Agreement.
3 TERMS OF THE DATA PROCESSING AGREEMENT
- Definitions
The terms below shall have the following meanings:
“Capboard,” “we,” “us,” “our” refers to Capboard Tech, S.L., a Spanish company located at Avenida Para·lel, 56, 7º-3ª, 08001, Barcelona, the author, creator, and developer of the Platform.
“Platform” means our software developed and run on a platform aimed at managing equity and incentive plans. The Platform is the product provided to you under the Agreement and includes any other product added to the Platform.
“Data Controller,” “Data Processor,” “Data Subject,” “Personal Data,” “Processing,” “Appropriate Technical and Organizational Measures,” “Standard Contractual Clauses,” “Personal Data Breach,” as used in this Data Processing Agreement, shall have the meanings ascribed to them in the GDPR.
“Client,” “you,” “your” refers to the entity that contracts the Capboard Platform.
“End Users” means the person(s) whom you allow or invite to use the Platform. For clarity, End Users include individuals behind accounts managed by you, particularly your employees.
“Data Protection Regulations” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) any applicable national regulations, whether developing or transposing European or international regulations.
“Subprocessors” shall have the meaning given to the term “other processor” in Article 28.4 of the GDPR.
- Scope of Data Protection Regulations
The parties acknowledge that the Data Protection Regulations will only apply to the Client’s personal data covered by the definitions contained in such laws.
- Identification of the Parties
For the purposes of this Data Processing Agreement:
– Capboard shall be considered the Data Processor.
– The Client shall be considered the Data Controller.
- Description of Processing and Security Standards
Attached to this Data Processing Agreement as Appendix 1 is a detailed description of the processing to be carried out (nature and purpose of the processing, types of personal data, and categories of data subjects). In Appendix 2, a list of the security standards implemented by Capboard can be found. Appendix 3 contains the list of Subprocessors appointed by Capboard.
- Customer Responsibility
As the Data Controller, the Customer is responsible for ensuring that their use of the Platform complies with Data Protection Regulations and for overseeing and monitoring Capboard’s compliance with Data Protection Regulations throughout the processing.
In this regard, before contracting the Platform or requesting the activation of additional features, the Customer agrees to independently assess the need for a data protection impact assessment, conduct any necessary prior consultations, and fulfill any obligations applicable to them under Data Protection Regulations.
The Customer commits to refrain from requesting Capboard to contract or activate any functionality of the Platform for which a data protection impact assessment has yielded a negative result, or, if positive, the Customer has not implemented the measures identified in the impact assessment. The Customer releases Capboard from liability arising from the Customer’s non-compliance with this clause.
The Customer is aware that, for the purpose of providing the Service, Capboard may access and process the mentioned Personal Data on its behalf without the prior informed consent of the data subject. The Parties agree that processing the Personal Data on behalf of the Customer as part of the Services is legitimized by the Customer’s acceptance of the Terms during the sign-up process.
The Customer acknowledges the risk that Data Subjects may object to the processing under the Terms and Conditions, request the deletion or suppression of their data, request limitations or restrictions on processing, or file claims against either party for breaching their privacy rights under applicable data protection laws.
In the event of any claim or proceeding against either party regarding the processing of Personal Data under this agreement, with continued compliance with the remaining terms of this Annex, the Customer will be responsible for addressing such claims, with the support of Capboard. Both parties undertake to promptly comply with applicable privacy laws and minimize any harm to Data Subjects’ rights and cooperate in good faith to respond to such claims.
Notwithstanding the above, the Customer agrees to indemnify and hold Capboard harmless from all claims, losses, and fines related to the processing of personal data under this agreement, provided Capboard complies with the terms of this Annex. In any event of liability, Capboard’s liability under this agreement is capped at twice the annual contract value.
4 GENERAL PROVISIONS OF PERSONAL DATA PROCESSING
In processing personal data on behalf of the Customer, Capboard commits to comply with Data Protection Regulations.
The purpose of processing personal data on behalf of the Customer will solely be to provide the Platform service on terms dictated by the Customer.
Capboard will process data on behalf of the Customer in accordance with the obligations established in Article 28 of the GDPR, meaning that Capboard will:
- Process the Customer’s personal data only in accordance with documented instructions from the Customer (as set forth in this Data Processing Agreement or in the Agreement, or as instructed by the Customer through the Platform or email) for the provision of the service.
- Implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR, as specified in Clause VII of this Data Processing Agreement and as set out in Appendix 2.
- Immediately inform the Customer if, in its opinion, an instruction violates Data Protection Regulations.
- Make available to the Customer all information reasonably requested to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allow audits by the Customer or an auditor authorized by the Customer. In any case, any audit should be conducted during Capboard’s regular working hours, with reasonable advance notice not less than 15 days, and subject to reasonable confidentiality protocols.
Under no circumstances shall audits compel Capboard to disclose or allow the Customer or its auditors or authorized representatives access to: (i) any data or information of any other Capboard client; (ii) any internal accounting or financial information of Capboard; (iii) any trade secrets of Capboard; (iv) any information that, in Capboard’s reasonable opinion, may compromise the security of its systems or facilities or cause Capboard to breach its obligations under Data Protection Regulations or any other applicable regulations; or (v) any information that the Customer, its auditors, or authorized representatives seek to access for any reason other than verifying Capboard’s compliance with the terms of Article 28 of the GDPR.
Furthermore, audits will be limited to once a year, unless Capboard has experienced a personal data security breach in the preceding twelve (12) months that has affected the personal data processed on behalf of the Customer.
- Assist the Customer in ensuring compliance with the obligations set out in Articles 35 and 36 of the GDPR, considering the nature of the processing and information available to Capboard.
- Support the Customer, considering the nature of the processing, through appropriate technical and organizational measures, whenever possible, to enable compliance with its obligation to respond to requests exercising the rights of data subjects established in Chapter III of the GDPR.
- Ensure that Capboard personnel accessing the Customer’s personal data are committed to confidentiality or are subject to a statutory obligation of confidentiality.
- Notify the Customer of personal data security breaches affecting the personal data processed on behalf of the Customer. Notification will occur in the terms indicated in Clause VII of this Data Processing Agreement.
- Delete or return all personal data once the provision of processing services ends, and delete existing copies unless retention of personal data is required by Union or Member State law.
DATA SUBJECT RIGHTS
Capboard will promptly notify the Customer of any requests received from the data subject. Capboard will not respond to such a request on its own unless authorized to do so by the Data Controller.
Additionally, Capboard will assist the Customer in fulfilling its obligations to respond to requests for the exercise of data subject rights, taking into account the nature of the processing.
5 SUBPROCESSORS
Capboard has a general authorization from the Customer to engage subprocessors listed in Appendix 3. Capboard will inform the Customer specifically and in writing of any additions or replacements of subprocessors planned in that list at least 5 days in advance, allowing the Customer sufficient time to object to such changes before the subprocessor(s) is engaged. Capboard will provide the Customer with the necessary information to exercise its right to object.
For the purpose of receiving notifications of additions or replacements of subprocessors as mentioned above, the Customer must send an email to info@capboard.io.
If the Customer opposes the replacement or hiring of a new subprocessor, the parties will negotiate in good faith alternative solutions that are commercially reasonable.
Capboard will require its subprocessors to protect the Customer’s personal data no less strictly than required by this Data Processing Agreement and Data Protection Regulations.
At the Customer’s request, and upon signing a confidentiality agreement, Capboard will provide a copy of the contract with the subprocessor and any subsequent modifications. To the extent necessary to protect trade secrets or other confidential information, such as personal data, Capboard may redact the text of the contract before sharing the copy.
6 SECURITY OF PROCESSING AND PERSONAL DATA SECURITY BREACHES
Capboard will implement and maintain appropriate technical and organizational measures to protect the personal data processed on behalf of the Customer against unauthorized or unlawful access and processing, as well as accidental loss, destruction, damage, theft, alteration, or disclosure, in accordance with the Data Processing Agreement. These measures will be suitable to ensure a level of security appropriate to the risk and will be adopted considering the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, as well as varying risks of probability and severity to the rights and freedoms of individuals. In this regard, Capboard may update technical and organizational measures, provided that such modifications do not decrease the overall security level.
In the event of a security breach of the personal data processed by Capboard, Capboard will notify the Customer without undue delay and, in any case, within 48 hours from when Capboard becomes aware of it. This notification shall include at least:
- A description of the nature of the personal data security breach (including, where possible, the categories and approximate number of data subjects and records of data affected).
- Contact details of a point where further information about the personal data security breach can be obtained.
- Likely consequences and measures taken or proposed to remedy the personal data security breach, including measures taken to mitigate potential negative effects.
If, and to the extent, all information cannot be provided at the same time, the initial notification will provide the information available at that time, and additional information will be provided without undue delay as it is collected.
7 DATA TRANSFERS
Capboard ensures that international transfers of personal data processed on behalf of the Customer will be carried out in accordance with Chapter V of the GDPR.
If Capboard were to make any international transfer for which the transfer mechanism used becomes invalid under the GDPR, the Customer will grant Capboard a reasonable period to remedy the non-compliance. This is to identify additional safeguards or other measures that can be adopted to ensure compliance with Data Protection Regulations.
MISCELLANEOUS
The Customer acknowledges and agrees that, as part of the provision of the Platform, Capboard has the right to use data related to or obtained in connection with the operation, support, or use of the Platform for its legitimate internal business purposes. This includes assisting in account setup, Platform administration, improvement, benchmarking, and the development of products and services, compliance with applicable laws (including law enforcement requests), ensuring the security of our Platform, and preventing fraud or mitigating risk.
Regarding the processed personal data, Capboard guarantees that it will not use them for its own purposes unless it has aggregated and anonymized the data to the extent that it does not identify the Customer or any other person, particularly End Users.
This Data Processing Agreement is subject to the applicable law and jurisdiction conditions of the Agreement.
Notwithstanding the above, to the extent permitted by applicable law, all liability arising from this Data Processing Agreement will be governed by the liability limitations (including liability caps) of the Agreement.
Appendix 1 (Description of the Processing)
Categories of Data Subjects to whom the data pertains
The personal data pertains to the End Users of the Platform, as well as individuals whose personal data is provided by the End Users of the Platform.
Categories of Personal Data
The processed personal data may include the following categories of data:
- Direct identification information (e.g., name, email address, phone number).
- Indirect identification information (e.g., position, gender, date of birth, user ID).
- Information related to incentives (quantity of Phantom shares and their potential value).
- Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
- Any personal data provided by users of the Platform in the cloud.
- Any personal data contained in a document provided by the Customer.
Purpose of Processing
The personal data is processed for the purpose of providing access to and usage of the Capboard Platform in accordance with the Agreement.
Types of Processing
- Collection or recording of personal data.
- Storage or retention of personal data.
- Communication of personal data.
- Use of personal data.
Appendix 2 (Relevant Security Standards)
Access Control to Systems
Measures must be taken to prevent unauthorized access to computer systems. These must include the following technical and organizational measures for user identification and authentication:
- Password Protocols (including special characters, minimum length, mandatory password change).
- No access for guest users or anonymous accounts.
- Centralized management of system access. Access to computer systems is subject to approval from the HR department and the administrators of the computer system.
Data Access Control
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent unauthorized introduction, reading, copying, deletion, modification, or disclosure of data. These measures should include:
Disclosure Control
Measures must be taken to prevent unauthorized access, alteration, or deletion of data during transfer and to ensure that all transfers are secure and logged. These measures will include:
- Mandatory use of encrypted private networks for all data transfers.
- Creation of an audit log for all data transfers.
Assignment Control
Measures must be established to ensure that the processing of data strictly adheres to the instructions of the data controller. These measures should include:
- Monitoring the execution of the contract.
Availability Control
Segregation Control
Measures must be established to allow the separate treatment of data collected for different purposes. These measures should include:
- Restriction of access to stored data for different purposes based on the functions of the personnel.
- Segregation of the company’s computer systems.
- Segregation of IT test and production environments.
Appendix 3 (List of Subprocessors)
Subprocessors | Function | Country |
Amazon Web Services (AWS) | Web hosting | Frankfurt (Germany) |
Stripe | Payment management | US |
Hubspot | Inbound marketing, sales, and customer service | Ireland |
Sendgrid (Twilio) | Email delivery service | Ireland |