
DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of and supplements the General Terms and Conditions ("GTCs") between Day One Advisory Ltd ("Processor", "we", "us") and the subscriber ("Controller", "you") governing the use of the Services as defined in the GTCs.

1. Definitions and Interpretation

1.1 Definitions

Unless otherwise defined in this DPA, capitalized terms shall have the meanings set out in the GTCs and the Privacy Policy. For the purposes of this DPA:

  • "Controller" means the User who determines the purposes and means of Processing Personal Data through their use of the Services.

  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA.

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

  • "Maltese DPA" means the Data Protection Act (Chapter 586 of the Laws of Malta).

  • "Personal Data" means any personal data submitted by the Controller or its authorized users through the Services that is Processed by the Processor on behalf of the Controller. For clarity, this excludes Usage Data as defined in the GTCs.

  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

  • "Processing" (and related terms such as "Process" or "Processed") has the meaning given in Article 4(2) of the GDPR.

  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller under this DPA.

  • "Supervisory Authority" means the Office of the Information and Data Protection Commissioner (IDPC) in Malta or any other competent data protection authority.

1.2 Interpretation

In the event of any conflict or inconsistency between the provisions of this DPA and the GTCs or Privacy Policy, the provisions of this DPA shall prevail solely with respect to data protection matters.

2. Scope and Purpose of Processing

2.1 Roles and Relationship

The parties acknowledge that with regard to the Processing of Personal Data under this DPA:

(a) The Controller is the data controller who determines the purposes and means of Processing Personal Data;

(b) The Processor is the data processor who Processes Personal Data on behalf of and in accordance with the documented instructions of the Controller;

(c) This DPA governs the Processing relationship and the obligations under Articles 28, 32, and related provisions of the GDPR.

2.2 Subject Matter and Nature of Processing

The Processor shall Process Personal Data only to the extent necessary to provide the Services to the Controller as described in the GTCs.

2.3 Duration of Processing

Processing shall commence on the Effective Date and continue for the duration of the Controller's subscription to the Services, unless earlier terminated in accordance with the GTCs or this DPA.

2.4 Categories of Personal Data

Personal Data Processed under this DPA may include, but is not limited to:

  • Personal Data contained in any Input submitted to the Services, and any Personal Data that appears in the Output generated from that Input

For clarity, the Processor does not process special categories of personal data as defined in Article 9 GDPR, and the Controller warrants it shall not submit such data through the Services.

2.5 Categories of Data Subjects

Data Subjects whose Personal Data may be Processed include:

  • Data subjects whose personal data is included in the data sources used by the Services

3. Processor's Obligations

3.1 Processing Instructions

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, which are set out in this DPA, the GTCs, and any written instructions issued by the Controller from time to time;

(b) Immediately inform the Controller if, in the Processor's opinion, any instruction infringes the GDPR, Maltese DPA, or other applicable data protection law;

(c) Not Process Personal Data for any purpose other than as expressly authorized by the Controller in writing.

The Controller's initial instructions are that the Processor shall Process Personal Data to provide the Services as described in the GTCs, including maintaining user accounts, processing queries, providing customer support, and ensuring platform security.

3.2 Confidentiality

The Processor shall ensure that all personnel authorized to Process Personal Data are bound by obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Technical and Organizational Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR, including:

(a) Pseudonymization and encryption of Personal Data where appropriate;

(b) The ability to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;

(c) The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures;

(e) Access controls to ensure that only authorized personnel can access Personal Data.

A detailed description of the Processor's current technical and organizational measures is set out in Annex A to this DPA.

3.4 Sub-processing

(a) The Controller grants the Processor general written authorization to engage Sub-processors for the Processing of Personal Data, provided the Processor complies with the requirements of this Clause 3.4 and Articles 28(2) and 28(4) of the GDPR.

(b) A list of authorized Sub-processors as at the Effective Date is set out in Annex B to this DPA.

(c) The Processor shall notify the Controller in writing (which may be by email to the Controller's registered email address) at least thirty (30) days in advance of any intended changes to the list of Sub-processors, including the addition or replacement of Sub-processors.

(d) The Controller may object to the Processor's engagement of a new Sub-processor on reasonable data protection grounds by notifying the Processor in writing within fourteen (14) days of receipt of the Processor's notice. If the Controller reasonably objects, the parties shall discuss the objection in good faith to achieve a commercially reasonable resolution. If no resolution is reached, the Controller may terminate the affected Services in accordance with the GTCs without penalty.

(e) The Processor shall ensure that each Sub-processor is bound by a written agreement imposing data protection obligations substantially similar to those set out in this DPA, including obligations relating to sufficient guarantees to implement appropriate technical and organizational measures.

(f) The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.

4. Data Subject Rights

4.1 Assistance Obligations

Taking into account the nature of the Processing, the Processor shall, to the extent reasonably possible, assist the Controller by implementing appropriate technical and organizational measures to enable the Controller to fulfill its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

(a) Right of access (Article 15);

(b) Right to rectification (Article 16);

(c) Right to erasure / "right to be forgotten" (Article 17);

(d) Right to restriction of processing (Article 18);

(e) Right to data portability (Article 20);

(f) Right to object (Article 21).

4.2 Request Handling

If the Processor receives a request from a Data Subject to exercise any of the above rights in relation to Personal Data, the Processor shall promptly (and in any event within five (5) business days) notify the Controller and shall not respond to such request except on the Controller's documented instructions or as required by applicable law.

4.3 Assistance Fees

The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests at no additional charge. If assistance requires substantial resources beyond routine cooperation (e.g., complex data extraction, extensive technical work), the Processor may charge reasonable fees on a time-and-materials basis upon prior written agreement with the Controller.

5. Personal Data Breaches

5.1 Breach Notification to Controller

The Processor shall notify the Controller without undue delay and in any event within twenty-four (24) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

5.2 Breach Information

The notification shall, to the extent possible, include:

(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

(b) The name and contact details of the Processor's data protection contact point;

(c) A description of the likely consequences of the Personal Data Breach;

(d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

5.3 Cooperation

The Processor shall cooperate with the Controller and provide such further information and assistance as the Controller may reasonably require to enable the Controller to comply with its obligations under Articles 33 and 34 of the GDPR.

5.4 No Admission of Liability

Notification of a Personal Data Breach under this Clause 5 shall not be construed as an admission of fault or liability by the Processor.

6. Data Protection Impact Assessment and Prior Consultation

Taking into account the nature of the Processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller (at the Controller's cost) to enable the Controller to comply with its obligations under Articles 35 and 36 of the GDPR (data protection impact assessments and prior consultation with Supervisory Authorities).

7. Audit Rights

7.1 Controller's Audit Rights

The Controller may, upon reasonable written notice (at least thirty (30) days in advance) and during normal business hours, conduct audits (including inspections) to verify the Processor's compliance with its obligations under this DPA, subject to the following conditions:

(a) Audits shall be conducted no more than once per year unless required by a Supervisory Authority or in response to a suspected Personal Data Breach;

(b) Audits shall be conducted in a manner that does not unreasonably interfere with the Processor's business operations;

(c) The Controller shall provide the Processor with a detailed audit plan at least fourteen (14) days before the proposed audit date;

(d) The Controller (or its auditor) shall execute a confidentiality agreement acceptable to the Processor before accessing the Processor's systems or facilities;

(e) The Controller shall be responsible for all costs and expenses associated with such audits.

7.2 Alternative Compliance Verification

In lieu of an on-site audit, the Processor may, at its discretion, provide the Controller with copies of recent independent third-party audit reports, certifications (e.g., ISO 27001, SOC 2), or other evidence demonstrating compliance with this DPA and applicable data protection law.

8. International Data Transfers

8.1 Transfers Outside the EEA

The Controller acknowledges that the Processor may transfer Personal Data to countries outside the European Economic Area (EEA), including the United States, where the Processor's Sub-processors (cloud infrastructure and AI service providers) operate.

8.2 Transfer Mechanisms

The Processor shall ensure that all international transfers of Personal Data are protected by appropriate safeguards in accordance with Chapter V of the GDPR, including:

(a) Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;

(b) Adequacy decisions adopted by the European Commission pursuant to Article 45 GDPR (where applicable);

(c) Other legally recognized transfer mechanisms under Article 46 GDPR.

8.3 Transfer Impact Assessment

The Processor represents that it has conducted (and shall maintain) a Transfer Impact Assessment (TIA) evaluating the legal framework and practical circumstances of data transfers to third countries, including risks related to foreign government surveillance and legal protections for Data Subjects, in accordance with the requirements established by the Court of Justice of the European Union in Schrems II (Case C-311/18).

8.4 Supplementary Measures

The Processor implements the following technical and organizational measures to supplement legal transfer mechanisms:

(a) Encryption of Personal Data in transit and at rest;

(b) Strict access controls and authentication mechanisms;

(c) Pseudonymization of Personal Data where feasible;

(d) Regular security audits and monitoring.

8.5 Standard Contractual Clauses

To the extent that the Processor transfers Personal Data outside the EEA, the parties agree that the Standard Contractual Clauses set out in Annex C to this DPA (Module Two: Controller-to-Processor) are hereby incorporated by reference and form an integral part of this DPA.

9. Data Deletion and Return

9.1 Deletion Upon Termination

Upon termination or expiry of the Controller's subscription to the Services, or upon the Controller's written request, the Processor shall (at the Controller's election):

(a) Delete all Personal Data Processed on behalf of the Controller; or

(b) Return a complete copy of all Personal Data to the Controller in a structured, commonly used, and machine-readable format, and thereafter delete all Personal Data.

9.2 Timeframe

Deletion or return shall be completed within thirty (30) days of termination or the Controller's request, unless otherwise required by EU or Member State law.

9.3 Certification of Deletion

Upon the Controller's written request, the Processor shall provide written certification that all Personal Data has been deleted or returned in accordance with this Clause 9.

9.4 Legal Retention

Notwithstanding Clause 9.1, the Processor may retain Personal Data to the extent and for such period as required by applicable law (e.g., for accounting, tax, or regulatory purposes under Maltese law), provided that the Processor shall ensure the confidentiality of such Personal Data and shall Process it only as necessary to comply with such legal obligations.

10. Records and Cooperation

10.1 Records of Processing Activities

The Processor shall maintain written records of all categories of Processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR, including:

(a) The name and contact details of the Processor and each Controller on behalf of which the Processor is acting;

(b) The categories of Processing carried out on behalf of each Controller;

(c) Where applicable, transfers of Personal Data to third countries or international organizations, including identification of that third country or international organization;

(d) A general description of the technical and organizational security measures.

10.2 Records Availability

The Processor shall make such records available to the Controller or any Supervisory Authority upon request.

10.3 Cooperation with Supervisory Authorities

The Processor shall cooperate with and assist the Controller in responding to any inquiries, investigations, or enforcement actions by Supervisory Authorities relating to the Processing of Personal Data under this DPA.

11. Liability and Indemnification

11.1 Liability Allocation

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitation of liability provisions set out in the GTCs.

11.2 GDPR Liability Provisions

Without prejudice to Clause 11.1, each party acknowledges that under Article 82 of the GDPR:

(a) Any Controller or Processor involved in Processing shall be liable for the damage caused by Processing which infringes the GDPR;

(b) A Processor shall be liable for damage only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller;

(c) The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

11.3 Indemnification

The Processor shall indemnify and hold harmless the Controller against any claims, losses, damages, costs, or expenses (including reasonable legal fees) arising from the Processor's breach of this DPA or failure to comply with applicable data protection law, except to the extent such breach or failure results from the Controller's instructions or actions.

12. Term and Termination

12.1 Term

This DPA shall commence on the Effective Date and shall remain in force for as long as the Processor Processes Personal Data on behalf of the Controller.

12.2 Termination for Breach

Without prejudice to the termination provisions in the GTCs, either party may terminate this DPA with immediate effect by written notice if:

(a) The other party commits a material breach of this DPA and fails to remedy such breach within thirty (30) days of receiving written notice specifying the breach;

(b) The other party becomes subject to insolvency proceedings or ceases to carry on business.

12.3 Effect of Termination

Upon termination of this DPA:

(a) The Processor shall cease all Processing of Personal Data (except as required by applicable law);

(b) The Processor shall comply with the data deletion or return obligations set out in Clause 9;

(c) All rights and obligations that by their nature should survive termination (including Clauses 3.2, 9, 11, and 13) shall survive.

12.4 Termination of GTCs

This DPA shall automatically terminate upon termination or expiry of the GTCs, unless otherwise agreed in writing by the parties.

13. General Provisions

13.1 Governing Law

This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Malta.

13.2 Jurisdiction

The Malta Arbitration Centre shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

13.3 Amendments

The Processor may amend this DPA from time to time to reflect changes in applicable law, regulatory guidance, or industry best practices. The Processor shall notify the Controller of any material amendments at least thirty (30) days in advance by email or through the Platform. The Controller's continued use of the Services after such notice period constitutes acceptance of the amended DPA. If the Controller does not accept the amendments, the Controller may terminate the Services in accordance with the GTCs.

13.4 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid provision that achieves, to the greatest extent possible, the original intent.

13.5 Waiver

No failure or delay by either party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy. No waiver shall be effective unless made in writing and signed by an authorized representative of the waiving party.

13.6 Entire Agreement

This DPA, together with the GTCs and Privacy Policy, constitutes the entire agreement between the parties concerning the Processing of Personal Data and supersedes all prior agreements, understandings, and arrangements (whether written or oral) relating to such subject matter.

13.7 Third-Party Rights

No third party shall have any rights under this DPA except as expressly provided herein.

13.8 Notices

All notices under this DPA shall be delivered in accordance with the notice provisions set out in the GTCs. The Processor's data protection contact details are:

Email: [email protected]

14. Processor Contact Information

Data Protection Officer / Contact Point:

Day One Advisory Ltd

Email: [email protected]


ANNEXES

Annex A: Technical and Organizational Measures

The Processor implements the following technical and organizational measures to ensure the security of Personal Data:

A. Access Control

  1. Physical Access Control: Restricted physical access to data centers and server rooms through biometric authentication, access cards, and 24/7 surveillance.

  2. Logical Access Control: Multi-factor authentication (MFA) required for all system access; role-based access controls (RBAC) limiting access to Personal Data on a need-to-know basis; regular access reviews and revocation procedures.

  3. Identity and Authentication Management: Strong password policies; unique user credentials; automatic session timeouts; logging of all access attempts.

B. Data Security

  1. Encryption:

    • Data at rest: AES-256 encryption for stored Personal Data

    • Database encryption and encrypted backups

  2. Pseudonymization and Anonymization: Where technically feasible, Personal Data is pseudonymized to reduce identification risks.

C. Availability and Resilience

  1. Backup and Recovery: Automated daily backups; geographically distributed backup storage; tested disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

  2. Business Continuity: Documented business continuity and disaster recovery plans; redundant infrastructure and failover mechanisms.

  3. System Monitoring: 24/7 monitoring of systems for availability, performance, and security incidents; automated alerting for anomalies.

D. Incident Response

  1. Security Incident Management: Documented incident response plan; dedicated security team; procedures for detection, containment, investigation, and remediation of security incidents.

  2. Breach Notification: Processes for timely identification and notification of Personal Data Breaches in accordance with Clause 5 of this DPA.

E. Data Minimization and Retention

  1. Purpose Limitation: Personal Data Processed only for specified purposes as instructed by the Controller.

  2. Retention Controls: Automated deletion of Personal Data in accordance with retention schedules defined in the GTCs and Privacy Policy.

F. Organizational Measures

  1. Personnel Security:

    • Confidentiality obligations in employment contracts

    • Regular data protection training and awareness programs

  2. Vendor Management: Due diligence assessments of Sub-processors; contractual obligations requiring equivalent security standards.

  3. Policies and Procedures: Documented information security policies; regular policy reviews and updates.

G. Testing and Auditing

  1. Vulnerability Management: Regular vulnerability scans and penetration testing; patch management procedures.

  2. Security Audits: Annual third-party security audits; certifications (e.g., ISO 27001, SOC 2 where applicable).

  3. Logging and Monitoring: Comprehensive audit logging of access and Processing activities; log retention for forensic investigation.

H. Compliance and Governance

  1. Data Protection by Design and Default: Privacy considerations integrated into system design and development processes.

  2. Compliance Reviews: Regular compliance assessments against GDPR and other applicable data protection laws.

The Processor shall review and update these measures regularly to ensure they remain appropriate to the risks presented by the Processing and comply with evolving legal requirements.


Annex B: List of Sub-processors

The following Sub-processors are authorized to Process Personal Data on behalf of the Controller as at the Effective Date:

Sub-processor Name                  | Service Provided                        | Location of Processing | Data Categories Processed
------------------------------------|-----------------------------------------|------------------------|--------------------------
Neural Ai Ltd                       | Technical infrastructure                | Germany                | All
Google Cloud Platform / Gemini API  | Cloud infrastructure and AI processing  | United States / EEA    | Input Queries

Note: The Processor reserves the right to update this list in accordance with Clause 3.4(c) of this DPA.

Sub-processor Change Notification: The Processor will provide at least thirty (30) days' advance written notice to the Controller of any additions or replacements to the Sub-processor list.


Annex C: Standard Contractual Clauses

Module Two: Controller-to-Processor

The parties agree that the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, are incorporated by reference into this DPA.

For the purposes of the Standard Contractual Clauses:

  • Module Two (Controller-to-Processor) applies.

  • The data exporter is the Controller (subscriber to the Services).

  • The data importer is the Processor (Day One Advisory Ltd).

  • The optional clauses are completed as follows:

    • Clause 7 (Docking clause): Not applicable

    • Clause 9(a) (Prior authorization for Sub-processors): General authorization applies as per Clause 3.4 of this DPA

    • Clause 11(a) (Redress): Data Subjects may lodge complaints with the competent Supervisory Authority

    • Clause 17 (Governing law): The laws of Malta (EU Member State) apply

    • Clause 18 (Choice of forum and jurisdiction): The courts of Malta have jurisdiction

  • Annex I to the Standard Contractual Clauses is completed using the information set out in Clauses 2.2, 2.4, and 2.5 of this DPA.

  • Annex II to the Standard Contractual Clauses is completed using the technical and organizational measures described in Annex A of this DPA.

  • Annex III to the Standard Contractual Clauses (List of Sub-processors) is completed using the information set out in Annex B of this DPA.

The complete text of the Standard Contractual Clauses is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

In the event of any conflict between the provisions of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to international data transfers.
