Data Processing Agreement

Effective date: February 18, 2026 · Last updated: 2026-05-18

Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679

1. Subject Matter and Duration

This Data Processing Agreement (“DPA”) governs the processing of personal data by Caelith (“Processor”) on behalf of the Client (“Controller”) in connection with the provision of the Caelith compliance support platform.

Processing shall continue for the duration of the service agreement between the parties, plus any retention period specified herein or required by applicable law.

2. Nature and Purpose of Processing

Purpose: Providing compliance support and documentation services as described in the Terms of Service, including investor eligibility evaluation, transfer validation, audit trail generation, regulatory reporting, and AI-assisted compliance querying.

Nature: Automated processing including structured data storage, deterministic rule evaluation, hash-chained audit record generation, and AI-powered natural language processing.

3. Types of Personal Data

Investor identification data (name, email, tax ID, LEI)
Investor classification data (investor type, KYC status, KYC expiry, accreditation status)
Financial data (investment amounts, holding positions, transfer history)
Jurisdiction data (country of residence, applicable regulatory frameworks)
Compliance decision data (eligibility results, rule evaluations, onboarding status)
Classification evidence (documents referenced for investor categorisation)

4. Categories of Data Subjects

Investors in the Controller’s funds
Controller’s personnel (Authorised Users of the Platform)

5. Processor Obligations

The Processor shall:

(a) Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries (unless required by applicable EU or Member State law).
(b) Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement appropriate technical and organisational measures pursuant to GDPR Article 32, including: encryption at rest and in transit, database-level tenant isolation via Row-Level Security, role-based access control, rate limiting, audit logging, and PII stripping for AI sub-processor transmissions.
(d) Not engage another processor (sub-processor) without prior written authorisation from the Controller. The Processor shall maintain an up-to-date list of sub-processors and provide 30 days’ advance notice of any intended changes.
(e) Assist the Controller in fulfilling its obligation to respond to data subject requests under GDPR Articles 15–22.
(f) Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, data protection impact assessment, breach notification, prior consultation).
(g) At the choice of the Controller, delete or return all personal data upon termination of the service. The Processor provides a 30-day data export window following termination, after which data is deleted.
(h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

6. Sub-processors

The Controller authorises the sub-processors listed in Caelith's canonical sub-processor registry at docs/legal/sub-processors.md (authoritative for this DPA, /security, /privacy, /trust, and docs/legal/dpa-template.md). Active providers as of 2026-05-15:

Sub-processor	Purpose	Location
Anthropic, PBC	AI compliance agent + copilot inference (Claude); document extraction. PII stripped before transmission.	USA (EU-US DPF); EU enterprise tier verification pending
Railway, Inc.	Application hosting and managed PostgreSQL	EU-West (Amsterdam, Netherlands)
OpenAI	Text embeddings (OPTIONAL fallback). No LLM inference.	USA (EU-US DPF)
Sentry	Error monitoring (CONDITIONAL — only when SENTRY_DSN configured)	Region depends on DSN (verification pending)
OpenSanctions	Sanctions / PEP screening corpus	EU (Berlin). Mocked in sandbox.
Plausible Analytics	Privacy-first website analytics (cookieless). Marketing site only.	EU (Germany)

See docs/legal/sub-processors.md §2 for providers previously referenced in legacy copy but NOT currently active (MiniMax — reverted before any production data was processed; Voyage AI — available embeddings alternative, not configured; Nemotron — type-defined, not implemented).

The Controller may object to a new sub-processor within 30 days of notification. If the objection is not resolved, the Controller may terminate the service agreement. The Processor remains fully liable for the acts and omissions of its sub-processors.

7. International Data Transfers

Transfers of personal data to Anthropic, Inc. (United States) are conducted under a valid GDPR Chapter V mechanism, which may include the EU-US Data Privacy Framework adequacy decision or Standard Contractual Clauses.

The Processor implements supplementary measures including PII stripping (removal of investor names, email addresses, tax IDs, LEIs, and other identifiers from AI queries before transmission) to minimise data exposure.

All other processing occurs within the European Economic Area.

8. Security Measures (Article 32)

Technical measures: Encryption in transit (TLS 1.2+) and at rest, role-based access control with principle of least privilege, database-level Row-Level Security for tenant isolation, rate limiting, input validation and sanitisation, hash-chained audit trail with tamper detection, PII stripping for external API transmissions.

Organisational measures: Access limited to personnel who require it, confidentiality obligations for all personnel, security incident response procedures, regular review of security measures.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Controller data (GDPR Article 33).

Notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

The Processor shall assist the Controller with notifications to the supervisory authority (Article 33) and data subjects (Article 34) where required.

10. Data Protection Impact Assessment

The Processor shall assist the Controller in conducting Data Protection Impact Assessments where required under GDPR Article 35. Processing of investor data through automated eligibility decisions may trigger a DPIA requirement under Article 35(3)(a).

11. Audit Rights

The Controller, or an auditor mandated by the Controller, may audit the Processor’s compliance with this DPA upon 30 days’ reasonable notice. The Processor may provide relevant certifications or audit reports in lieu of on-site audits where appropriate.

12. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall delete all personal data within 30 days of the expiry of the data export period, unless retention is required by applicable EU or Member State law.

Obligations relating to confidentiality, liability, and data protection survive termination.

Back