⚠ DRAFT — This is a template.
Reviewed and approved by [LAW FIRM NAME] on [REVIEW DATE]. Last updated 2026-05-28. Contact founders@unfoldingvalues.com with legal questions.
Data Processing Agreement
Last updated 2026-05-28
This Data Processing Agreement ("DPA") forms part of the agreement between [Customer Name] ("Controller") and Unfold Equity ("Processor"), effective as of [Effective Date]. It is structured to follow the European Commission's Standard Contractual Clauses adopted June 4, 2021 ("SCCs"). Capitalized terms not defined here have the meaning given in the Terms of Service and applicable data-protection law (GDPR/UK GDPR).
Custom DPAs are available on the Enterprise plan — contact founders@unfoldingvalues.com.
1. Subject Matter and Roles
The Controller determines the purposes and means of processing Personal Data; the Processor processes Personal Data only on the Controller's documented instructions, including the provision of the Service under the Terms. This DPA reflects Module Two (Controller-to-Processor) of the SCCs where applicable.
2. Duration and Termination
This DPA applies for the duration of the Processor's processing of Personal Data on the Controller's behalf, and terminates automatically upon termination of the underlying agreement, subject to the survival of obligations regarding return or deletion of data.
3. Processor Obligations (SCC Clause 8)
The Processor will: process Personal Data only on documented instructions; ensure persons authorized to process are bound by confidentiality; implement appropriate technical and organizational measures (Article 32); assist the Controller with data-subject requests and with its obligations under Articles 32–36; and make available information necessary to demonstrate compliance.
4. Security of Processing (SCC Clause 8.6; Article 32)
The Processor maintains encryption at rest and in transit, database-level tenant isolation (row-level security), access controls, logging and monitoring, and an incident-response process, as further described in the Security Policy and in Schedule B below.
5. Sub-processing (SCC Clause 9)
The Controller provides general authorization for the Processor to engage the sub-processors listed in Schedule C. The Processor will inform the Controller of intended changes and give the Controller the opportunity to object. The Processor remains liable for its sub-processors' compliance.
6. Data-Subject Rights (SCC Clause 10)
The Processor will assist the Controller, by appropriate technical and organizational measures, in responding to requests to exercise data-subject rights. Account-level self-service export and erasure tooling is provided in the Service.
7. Personal Data Breach (SCC Clause 8.6(c))
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data, and will provide information reasonably necessary for the Controller to meet its notification obligations.
8. International Transfers (SCC Clauses 14–15)
Where Personal Data is transferred outside the EEA/UK, the parties rely on the SCCs and any required supplementary measures. The Processor will assess and document the legal regime of any onward transfer destination.
9. Return or Deletion (SCC Clause 8.5)
Upon termination, the Processor will, at the Controller's choice, delete or return all Personal Data, subject to any legal retention obligations (including a 7-year regulatory hold on securities and audit records).
10. Audit (SCC Clause 8.9)
The Processor will make available information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable confidentiality and security conditions.
11. Schedule A — Processing Details
[Schedule A: Processing Details] — Categories of data subjects: the Controller's employees, officers, directors, and equity recipients. Categories of Personal Data: identity and contact data, role, equity grant and compensation data, and the last four digits of tax identifiers where required. Nature and purpose: provision of equity-compliance software. Duration: the term of the agreement.
12. Schedule B — Technical and Organizational Measures
Encryption at rest (AES-256) and in transit (TLS 1.3); database-level row-level-security tenant isolation; role-based access control and multi-factor authentication; audit logging; continuous dependency and secret scanning; and a documented incident-response process.
13. Schedule C — Approved Sub-processors
Supabase (database, auth, storage); Vercel (hosting); Resend (transactional email); Sentry (error monitoring, when configured). The current list is published on our Security page.