Data Processing Agreement
Effective date: February 18, 2026 · Last updated: 2026-05-18
Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679
§ 01Subject Matter and Duration
This Data Processing Agreement (“DPA”) governs the processing of personal data by Caelith — Julian Laycock, Einzelunternehmen, Badensche Straße 52, 10825 Berlin (“Processor”) on behalf of the Client (“Controller”) in connection with the provision of the Caelith compliance support platform.
Processing shall continue for the duration of the service agreement between the parties, plus any retention period specified herein or required by applicable law.
§ 02Nature and Purpose of Processing
Purpose: Providing compliance support and documentation services as described in the Terms of Service, including investor eligibility evaluation, transfer validation, audit trail generation, regulatory reporting, and AI-assisted compliance querying.
Nature: Automated processing including structured data storage, deterministic rule evaluation, hash-chained audit record generation, and AI-powered natural language processing.
§ 03Types of Personal Data
- Investor identification data (name, email, tax ID, LEI)
- Investor classification data (investor type, KYC status, KYC expiry, accreditation status)
- Financial data (investment amounts, holding positions, transfer history)
- Jurisdiction data (country of residence, applicable regulatory frameworks)
- Compliance decision data (eligibility results, rule evaluations, onboarding status)
- Classification evidence (documents referenced for investor categorisation)
§ 04Categories of Data Subjects
- Investors in the Controller’s funds
- Controller’s personnel (Authorised Users of the Platform)
§ 05Processor Obligations
The Processor shall:
- (a) Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries (unless required by applicable EU or Member State law).
- (b) Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- (c) Implement appropriate technical and organisational measures pursuant to GDPR Article 32, including: encryption at rest and in transit, database-level tenant isolation via Row-Level Security, role-based access control, rate limiting, audit logging, and PII stripping for AI sub-processor transmissions.
- (d) Not engage another processor (sub-processor) without prior written authorisation from the Controller. The Processor shall maintain an up-to-date list of sub-processors and provide 30 days’ advance notice of any intended changes.
- (e) Assist the Controller in fulfilling its obligation to respond to data subject requests under GDPR Articles 15–22.
- (f) Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, data protection impact assessment, breach notification, prior consultation).
- (g) At the choice of the Controller, delete or return all personal data upon termination of the service. The Processor provides a 30-day data export window following termination, after which data is deleted.
- (h) Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
§ 06Sub-processors
The Controller authorises the sub-processors listed in Caelith's canonical sub-processor registry at docs/legal/sub-processors.md (authoritative for this DPA, /security, /privacy, /trust, and docs/legal/dpa-template.md). Active providers as of 2026-05-15:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI compliance agent + copilot inference (Claude); document extraction. PII stripped before transmission. | USA (EU-US DPF). EU enterprise tier not currently configured; if enabled, this row + the canonical sub-processor registry (docs/legal/sub-processors.md) will be updated per the Art. 28(2) change-discipline commitment. |
| Railway, Inc. | Application hosting and managed PostgreSQL | EU-West (Netherlands (EU-West region)) |
| OpenAI | Text embeddings (OPTIONAL fallback). No LLM inference. | USA (EU-US DPF) |
| Sentry | Error monitoring (CONDITIONAL — only when SENTRY_DSN configured) | NOT CURRENTLY ENGAGED. If enabled via SENTRY_DSN, the region will be declared on this page before activation. |
| OpenSanctions | Sanctions / PEP screening corpus | EU (Berlin). Mocked in sandbox. |
| Plausible Analytics | Privacy-first website analytics (cookieless). Marketing site only. | EU (Germany) |
See docs/legal/sub-processors.md §2 for providers previously referenced in legacy copy but NOT currently active (MiniMax — reverted before any production data was processed; Voyage AI — available embeddings alternative, not configured; Nemotron — type-defined, not implemented).
The Controller may object to a new sub-processor within 30 days of notification. If the objection is not resolved, the Controller may terminate the service agreement. The Processor remains fully liable for the acts and omissions of its sub-processors.
§ 07International Data Transfers
Transfers of personal data to Anthropic, Inc. (United States) are conducted under a valid GDPR Chapter V mechanism, which may include the EU-US Data Privacy Framework adequacy decision or Standard Contractual Clauses.
The Processor implements supplementary measures including PII stripping (removal of investor names, email addresses, tax IDs, LEIs, and other identifiers from AI queries before transmission) to minimise data exposure.
All other processing occurs within the European Economic Area.
§ 08Security Measures (Article 32)
Technical measures: Encryption in transit (TLS 1.2+) and at rest, role-based access control with principle of least privilege, database-level Row-Level Security for tenant isolation, rate limiting, input validation and sanitisation, hash-chained audit trail with tamper detection, PII stripping for external API transmissions.
Organisational measures: Access limited to personnel who require it, confidentiality obligations for all personnel, security incident response procedures, regular review of security measures.
§ 09Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Controller data (GDPR Article 33).
Notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
The Processor shall assist the Controller with notifications to the supervisory authority (Article 33) and data subjects (Article 34) where required.
§ 10Data Protection Impact Assessment
The Processor shall assist the Controller in conducting Data Protection Impact Assessments where required under GDPR Article 35. Processing of investor data through automated eligibility decisions may trigger a DPIA requirement under Article 35(3)(a).
§ 11Audit Rights
The Controller, or an auditor mandated by the Controller, may audit the Processor’s compliance with this DPA upon 30 days’ reasonable notice. The Processor may provide relevant certifications or audit reports in lieu of on-site audits where appropriate.
§ 12Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall delete all personal data within 30 days of the expiry of the data export period, unless retention is required by applicable EU or Member State law.
Obligations relating to confidentiality, liability, and data protection survive termination.