Data processing addendum

Last updated: Jun 10, 2025

This Data Processing Addendum (“DPA”) governs Geofund’s processing of Customer Data (i) provided by Customer to Geofund through Geofund’s Services or (ii) pursuant to the Geofund Services Agreement, or other agreement between Customer and Geofund governing Customer’s use of Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control. This DPA may be executed separately by the parties or deemed accepted by Customer’s execution of, or continued performance under, the Agreement. Capitalized terms not defined in this DPA have the meaning set forth in the Agreement. For the purposes of this DPA only, “Customer” includes any affiliate entity of Customer’s that (a) has entered into an Order Form with Geofund and that (b) directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with Customer. “Geofund” refers to Geofund LLC, or any other entity affiliated or controlled by Geofund which is contracting with Customer.

Geofund and Customer each agree to comply with their respective obligations under applicable data privacy and protection laws (collectively, “Data Protection Laws”) in connection with Services. Data Protection Laws may include, depending on the circumstances, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and the United Kingdom and/or European Union General Data Protection Regulation (Regulation (EU) 2016/679) (collectively the “GDPR”), and applicable subordinate legislation and regulations implementing those laws.

In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas Geofund processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” also mean the equivalent concepts under Data Protection Laws. For the purposes of the Agreement and this DPA, (i) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws; and (ii) “Customer Data” means Personal Data that Customer provides to Geofund that Geofund processes on behalf of Customer to provide the Services. Geofund will process Customer Data as Customer’s Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between Customer and Geofund.

This DPA governs Geofund and Customer's obligations as to the protection of Personal Data, Content, and other Customer Confidential Information pursuant to Data Protection Law.

1. Definitions

  • "Affiliate": Any entity that controls, is controlled by, or is under common control with a party.

  • "Personal Data": Any information relating to an identified or identifiable natural person.

  • "Data Protection Laws": All applicable privacy and data protection laws, including GDPR, UK GDPR, CCPA, and other relevant regulations.

  • "Processing": Any operation performed on Personal Data.

  • "Subprocessor": Any third party engaged by Geofund to process Personal Data on its behalf.

  • "Controller", "Data Subject", "Process" and "Processor": Have the meanings provided in the GDPR and include analogous provisions under Data Protection Laws in other jurisdictions.

2. Processing of Personal Data

2.1 Roles of the Parties. Customer may be the controller of Personal Data or a processor. Geofund will act as a processor or Sub-processor, as appropriate. Geofund will comply with obligations under Data Protection Laws that govern Geofund’s activities when processing Personal Data. Customer shall be solely responsible for compliance with Data Protection Laws regarding the collection of and transfer to Geofund of Personal Data, and for advising Geofund of any obligations imposed on Geofund as a Sub-processor of or service provider to Customer.

2.2 Details of the Processing. The subject matter of processing of Personal Data by Geofund is the performance of the Services pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex A.

2.3 Processing in Accordance with Data Protection Law. Geofund shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (a) processing in accordance with the Agreement and applicable Order Form(s); (b) processing initiated by Users in their use of the Services; and (c) processing to comply with other documented instructions provided by Customer. Geofund will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Law.

2.4 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Geofund will not “sell” (as defined in the CCPA) any Personal Data; and (b) Geofund will not collect, share or use any Personal Data except as necessary to perform services for Customer.

2.5 Confidentiality of Processing. Geofund will treat Personal Data as Customer’s Confidential Information and protect it in accordance with the confidentiality obligations in the Agreement. Geofund shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements no less protective of Customer’s rights in such data as this DPA.

2.6 Data Subject Requests; Data Impact Assessments. Geofund shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws; (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data, and (c) any data protection impact assessment that Customer may be required to perform under Data Protection Law. If any such request, correspondence, enquiry or complaint is made directly to Geofund, Geofund will promptly inform Customer providing full details of the same. Geofund shall not respond to a data subject request without Customer’s prior written consent except to confirm that such request relates to Customer.

3. Subprocessors

3.1 Authorized Subprocessors. Customer consents to Geofund engaging Geofund Affiliates and third-party Subprocessors to process Personal Data for the purposes described in the Agreement and this DPA. The Subprocessors currently engaged by Geofund are available here. Geofund or a Geofund Affiliate will enter a written agreement with each Subprocessor imposing data protection terms on the Subprocessor substantially equivalent to, and no less protective of data subjects’ rights in Personal Data than, this DPA. Geofund shall notify Customer if it adds or removes Subprocessors within fifteen (15) business days of such changes if Customer opts in to receive such notifications here. Customer may object to Geofund's appointment or replacement of a Subprocessor, provided such objection is based on reasonable grounds relating to data protection. If Customer does not object to a new Subprocessor within fifteen (15) business days, Customer will be deemed to have authorized Geofund’s use of the new Subprocessor and to have waived its right to object. If Customer objects to a new Subprocessor, Geofund will use reasonable efforts to avoid using that Subprocessor to process Personal Data, either by adapting or recommending a change in Customer’s configuration of the Services. If neither of the foregoing is commercially practicable, Geofund will terminate the applicable subscription with respect to the portion of the Services that can only be provided by Geofund using that Subprocessor. Customer will not receive a refund of any unused prepaid fees on such termination, and if fees remain unpaid for a subscription term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.

3.2 Liability for Subprocessors. Where a Subprocessor fails to fulfil its data protection obligations, Geofund shall remain fully liable to Customer for the performance of that Subprocessor's obligations.

4. Security

4.1 Security Measures. Geofund will use procedural, technical and administrative safeguards designed to ensure the confidentiality, security, integrity, availability and privacy of Content, Personal Data and other Customer Confidential Information stored in the Geofund Services. Geofund may update or modify such measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Services during Customer’s subscription term. Geofund is not responsible for any breach or loss solely caused by Customer, Customer’s users, or by Customer’s configuration of and deployment specifications for the Services.

4.2 Audit Rights. Geofund will make available to Customer such information as Customer may reasonably request to demonstrate Geofund’s compliance with the obligations under Data Protection Laws. Geofund will further allow for and contribute to audits conducted by Customer or an auditor mandated by Customer so long as it is not a competitor of Geofund. All such information and audit requests and procedures: (a) must be reasonable based on the nature of the Services and the categories of Personal Data processed, (b) must be subject to an appropriate confidentiality agreement; and (c) may be made no more than once per year unless otherwise required by instruction of a competent data protection authority. Before the commencement of any such audit, Customer and Geofund shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Geofund incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Geofund. Customer shall promptly notify Geofund with information regarding any non-compliance discovered during the course of an audit.

4.3 Breach Notice. Geofund will inform Customer via email without undue delay, and no later than 72 hours by applicable Data Protection Law, upon discovery of a Security Incident. Geofund will take all actions reasonably necessary to remedy or mitigate the effects of the Security Incident. Geofund will further keep Customer informed of all material developments regarding the incident and provide such information and cooperation as Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Law.

5. International Transfers

Geofund processes Personal Data for the purposes described in this DPA and the Agreement. While data protection laws vary by country and some countries may not offer the same level of protection as the Customer’s home jurisdiction, Geofund applies the protections described in this DPA to Personal Data regardless of where it is processed. When transferring Personal Data outside of the EEA, Switzerland, or the UK, Geofund relies on the following transfer mechanisms to comply with applicable Data Protection Law:

  • The European Commission’s adequacy decisions pursuant to Article 45(1) GDPR when transferring Personal Data to any country that has been deemed to provide an adequate level of protection.

  • For other jurisdictions, the Standard Contractual Clauses (“SCCs”) approved by the European Commission pursuant to Article 46(2)(c) GDPR, and the UK International Data Transfer Addendum.

For more information or to obtain a copy of the appropriate safeguards in place when transferring Personal Data, Customers may contact Geofund at privacy@geofund.io.

6. Return and Deletion of Personal Data

Upon termination or expiration of the Agreement, Geofund shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Geofund is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Geofund shall securely isolate, protect from any further processing and eventually delete in accordance with Geofund’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Geofund to Customer only upon Customer’s written request.

7. Miscellaneous

7.1 Limits of Liability. Each party’s liability to the other under this DPA is subject to the limitations of liability in the Agreement.

7.2 Construction; Interpretation. This DPA is not a standalone agreement and is only effective while the Agreement is in effect between Geofund and Customer. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede all prior agreements related to its subject matter. Headings are for convenience only.

7.3 Severability. If any provision is adjudicated invalid or unenforceable, it will be amended to the minimum extent necessary to achieve the original intent to the maximum extent possible. To the extent permitted by law, the parties waive any provision that would render any clause prohibited or unenforceable.

7.4 Amendment; Enforcement of Rights. No modification or waiver will be effective unless in writing signed by both parties. Failure to enforce any rights is not a waiver.

7.5 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned in accordance with its terms, this DPA is automatically assigned to the same assignee.

7.6 Governing Law. This DPA will be governed by the laws of the jurisdiction governing the Agreement unless otherwise required by the GDPR.

7.7 Counterparts. This DPA may be executed and delivered electronically and in counterparts, each deemed an original, together constituting one instrument.

Annex A: Details of the Processing

Subject Matter of Processing

Geofund will process Personal Data as necessary to provide the Geofund Services to Customer pursuant to the Agreement.

Duration of Processing

Geofund will process Personal Data for the duration of the Agreement until termination of the Agreement, unless otherwise agreed in writing.

Categories of Data Subjects

Geofund collects Personal Data from Customer’s authorized users and relevant counterparties in order to provide the Services.

Nature and Purpose of Processing

The purpose of processing Customer Personal Data by Geofund is the provision, maintenance, and improvement of the Services pursuant to the Agreement, including certificate issuance, data validation, and transaction traceability.

Types of Personal Data

Personal Data collected from Customer’s authorized users and counterparties may include without limitation: identification data such as name, company name, and email address; electronic identification data such as IP address and other online identifiers; and business contact details such as physical address, telephone/mobile number, and role/title. Additional types of Personal Data may include transaction-related identifiers, location data related to facilities, and device IDs. Geofund does not actively monitor content uploaded into the Services, but if Personal Data is included in transaction or certificate data, it will be processed in accordance with this DPA.

Sensitive Personal Data Transferred

Customer is not required to submit sensitive Personal Data to the Services. If Customer elects to provide sensitive Personal Data, it will be processed only as necessary for the provision of Services.

Frequency of Transfer of Data

Continuous.

Period for which the Personal Data will be retained

The period for which the Personal Data will be retained is as described in the Agreement, this DPA, and any applicable Order Forms.

Obligations and Rights of the Customer

The obligations and rights of Customer as a Controller are set out in the Agreement and this DPA.

Annex B: Security Controls

Description of Geofund’s Technical and Organizational Security Measures

Geofund maintains data security in accordance with applicable laws. The Technical and Organizational Security Measures implemented are designed to provide a level of protection appropriate to the risk, considering confidentiality, integrity, availability, and resilience of systems and services. The state of the art, implementation costs, the nature, scope, and purposes of processing, as well as the probability and severity of risk to the rights and freedoms of natural persons, are taken into account. Geofund may implement alternative measures from time to time, provided such measures do not materially decrease the overall security level.

Geofund can provide Customer, upon reasonable request, adequate evidence of compliance with its data processing obligations under the Agreement.

Security Measures include:

  • Measures of pseudonymization and encryption of personal data

  • Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • Measures for ensuring the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure security of processing

  • Measures for user identification and authorization

  • Measures for the protection of data during transmission

  • Measures for the protection of data during storage

  • Measures for ensuring physical security of locations at which personal data are processed

  • Measures for ensuring event logging

  • Measures for ensuring secure system configuration, including default configuration

  • Measures for internal IT and IT security governance and management

  • Measures for certification/assurance of processes and products

  • Measures for ensuring data minimization

  • Measures for ensuring data quality

  • Measures for ensuring limited data retention

  • Measures for ensuring accountability

  • Measures for allowing data portability and ensuring erasure

© 2025 Geofund. All rights reserved
