Data Processing Agreement (DPA)

Last updated: 26 December 2025

This Data Processing Agreement (“Agreement”) forms part of the Terms of Service and governs the processing of personal data by Global Innovator Fund, operating under the brand Planck Security (“Processor”), on behalf of its customers (“Controller”).

1. Subject Matter and Duration

This Agreement applies to all processing of personal data performed by the Processor on behalf of the Controller in connection with the use of the Planck Security platform.

The duration of the processing corresponds to the term of the applicable service agreement.

2. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of providing, operating, securing, and improving the Planck Security platform, including:

• Identity and access management
• Security monitoring and logging
• Incident detection and response
• Platform administration and support

3. Types of Personal Data and Data Subjects

Types of Personal Data

• User identification data (e.g. name, email address, user ID)
• Authentication and access data
• Security and audit logs
• Technical and usage metadata

Categories of Data Subjects

• Customer employees
• Authorized users
• Contractors and administrators

4. Processor Obligations

The Processor shall:

• Process personal data only on documented instructions of the Controller
• Ensure confidentiality of all authorized personnel
• Implement appropriate technical and organizational security measures
• Assist the Controller in fulfilling data subject rights
• Notify the Controller without undue delay of any personal data breach
• Delete or return personal data upon termination of the services

5. Sub-Processors

The Processor may engage sub-processors for hosting, monitoring, and support services.

Sub-processors are contractually bound to data protection obligations no less protective than those set out in this Agreement.

A current list of sub-processors is available upon request.

6. International Data Transfers

Where personal data is transferred outside Switzerland or the European Economic Area, the Processor ensures appropriate safeguards, including standard contractual clauses where required.

7. Audits and Compliance

The Processor shall make available information reasonably necessary to demonstrate compliance with this Agreement and applicable data protection laws.

Audits may be conducted upon reasonable prior notice and subject to confidentiality obligations.

8. Liability

Liability under this Agreement is subject to the limitations set out in the Terms of Service.

9. Governing Law

This Agreement is governed by the laws of Switzerland.