This Data Processing Agreement (“Agreement”) is intended for business customers of Invesst, Inc. (“Company”) who, under the applicable data protection laws (including the GDPR), engage Invesst as a data processor. This Agreement governs the processing of personal data in connection with services provided by Invesst.

This Agreement forms part of the contractual relationship (the “Principal Agreement”) between:

• Company: Invesst, Inc., a Delaware corporation

• Processor: The customer or partner entity who has engaged Invesst for services involving the processing of personal data

• Collectively, the “Parties”

By using Invesst’s services in a manner that involves the processing of personal data on behalf of a business customer, this Data Processing Agreement is deemed accepted and binding under Article 28 of the GDPR.

WHEREAS

(A) The Company acts as a Data Controller. (B) The Company wishes to subcontract certain Services, which involve the processing of personal data, to the Processor. (C) The Parties aim to implement a data processing agreement compliant with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws. (D) The Parties agree to the following terms:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms shall have the meanings assigned in the GDPR.

1.2 Specific definitions:

• "Agreement": This Data Processing Agreement and all annexes.

• "Company Personal Data": Any personal data processed by the Processor on behalf of the Company.

• "Contracted Processor": Any Subprocessor engaged by the Processor.

• "Data Protection Laws": GDPR and all other applicable data protection or privacy laws.

• "Services": The AI-driven analytics and investment services provided by Invesst.

• "Subprocessor": Any entity engaged to process personal data on behalf of the Processor.

• 
  

2. Processing of Company Personal Data

2.1 Processor shall:

• Comply with applicable Data Protection Laws;

• Process Company Personal Data only on documented instructions from the Company.

2.2 The Company instructs the Processor to process Company Personal Data strictly to deliver Services defined in the Principal Agreement.

2.3 If the Processor uses machine learning algorithms on Company Personal Data, it must obtain explicit consent unless data is anonymized.

3. Processor Personnel

Processor shall ensure only authorized personnel access personal data and are bound by confidentiality obligations.

4. Security

4.1 Processor must implement technical and organizational security measures appropriate to the risk, aligned with:

• Article 32 of GDPR

• SOC 2 Type II

• ISO 27001 standards

4.2 Processor shall assess and mitigate risks of Personal Data Breaches.

5. Subprocessing

5.1 Processor shall not appoint any Subprocessor without prior written notice and at least 30 days' notice for objection.

5.2 All Subprocessors must comply with obligations equivalent to this Agreement.

6. Data Subject Rights

Processor shall assist the Company in responding to data subject requests and notify the Company without delay upon receiving such requests.

7. Personal Data Breach

Processor must notify the Company without undue delay of any Personal Data Breach and cooperate with the investigation and mitigation.

8. Data Protection Impact Assessment

Processor shall support the Company in data protection impact assessments and consultations with authorities as required under Articles 35 and 36 of GDPR.

9. Data Return and Deletion

9.1 Within 10 business days of service cessation, Processor shall delete or return all Company Personal Data. 9.2 Processor must certify deletion in writing within that period.

10. Audit Rights

Processor shall provide necessary documentation and access for audits or inspections by the Company or its designated auditor.

11. Data Transfers

11.1 Processor shall not transfer data outside the EEA without prior written consent and without ensuring adequate protections via SCCs or other GDPR-compliant mechanisms.

12. Confidentiality and Notices

12.1 Both Parties must keep confidential all information disclosed under this Agreement. 12.2 Notices must be delivered via email or registered mail to the contacts listed above.

13. Governing Law and Jurisdiction

13.1 This Agreement shall be governed by the laws of the State of Delaware. 13.2 Any disputes shall be resolved by the competent courts of Delaware, USA.

14. Machine Learning and AI

14.1 The Processor shall not use Company Personal Data for AI model training or profiling without explicit written consent. 14.2 Aggregated and anonymized datasets may be used for product improvement only if they cannot re-identify any Data Subject.

15. Subprocessors

Invesst uses carefully selected subprocessors to support the delivery of our AI-powered financial research and analytics services. These subprocessors handle data strictly within the limits of our Data Processing Agreement.

Subprocessor	Purpose	Location
OpenAI	Natural language processing	USA
PostHog	Product analytics	EU/US
Sentry	Error monitoring	USA
Cloudflare	CDN & Security	Global
AWS	Infrastructure Hosting	Global
Azure	Infrastructure Hosting	Global
GCP	Infrastructure Hosting	Global
Supabase	Realtime backend + Auth	EU/US