Data Processing Addendum

Version number: 4.0
Publish date: June 17th, 2025
Go to Data Process Addendum home
Arrow
Version latest update October 2023
Arrow

Ledgy AG, a stock corporation formed under the laws of Switzerland, with
company number CHE-261.454.963 (“Ledgy”), and the customer (the
“Customer”) (each a “Party” and together the “Parties”), hereby agree as
follows:

  1. Scope

1.1 This data processing addendum (the “Addendum”) applies exclusively to the
processing of personal data (the “Customer Personal Data”) by Ledgy on
behalf of the Customer where such processing is subject to European Union
(EU), United Kingdom (UK), or Swiss data privacy law. This Addendum,
including its annexes, forms part of, and is subject to, the provisions of the
agreement between the parties (the “Services Agreement”) in respect of the
performance of services (the “Services”) by Ledgy to the Customer that
include the processing of such Customer Personal Data.

1.2 The term “EU Data Privacy Law” means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the
free movement of such data, including any future revision thereof, and
repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).
The term “UK Data Privacy Law” means all laws relating to data protection,
the processing of personal data, privacy and/or electronic communications in
force from time to time in the UK, including the GDPR to the extent that it
forms part of the United Kingdom’s local law as a result of Section 3 of the
European Union (Withdrawal Act) 2018 and the Data Protection Act 2018.
The term “Swiss Data Privacy Law” means the Revised Federal Data
Protection Act, including any future revision thereof. EU Data Privacy Law, UK
Data Privacy Law and Swiss Data Privacy Law are collectively referred to as
“Data Privacy Law”.

1.3 Terms such as “processing”, “Personal Data”, “Controller”, “Processor”,
“Data Subject”, “Sub-Processors” and “Data Breach” shall have the meaning
ascribed to them in Data Privacy Law, as applicable to the processing.

  1. Binding Character of this Addendum

The Parties hereby agree to be bound by the provisions and obligations set
forth in this Addendum in respect of all their data protection obligations and
agree that any data protection and data processing obligations as agreed to
previously amongst the Parties shall be deleted and repealed in its entirety
and be replaced with this Addendum.

Any changes to this Addendum shall be made in accordance with the
provisions of the applicable Services Agreement.

  1. Details of Processing

The processing carried out by Ledgy will be as follows:

  1. Subject matter of processing

Equity management services by means of an online software application (the
“Application”) and the fulfilment of contractual obligations under the
Services Agreement and this Addendum.

  1. Duration of processing

For the duration of the Services Agreement until terminated or once
processing by Ledgy of any Customer Personal Data is no longer required for
the performance of its relevant obligations under the Services Agreement or
the Addendum.

  1. Purpose of processing

The provision of the Services.

  1. Categories of Personal Data

Equity data: Shareholder information (including their General Personal Data),
any personal data that may be included in the company information, share
ledger transaction history, legal documents or other cap table details.

General Personal Data: data about an identified or identifiable Data Subject,
including, but not limited to name, surname, title, date of birth, country of
origin, telephone number, email, postal address, user account details and tax details (when applicable).

Any other personal data requested by the Customer through its use of the
Services and Application, provided always that the Customer should
not use the Services or Application to process special categories of data.

  1. Categories of Data Subjects

Shareholders and any other natural persons who access and use your
account (e.g., advisors).

  1. Roles of the Parties

The Customer and Ledgy hereby agree that for the purposes of this
Addendum, the Customer shall be the Controller and Ledgy shall be the
Processor.

  1. Ledgy’s obligations

Ledgy, acting as Processor, shall:

5.1 only process Customer Personal Data on documented instructions from the
Customer, unless required to do otherwise by applicable laws (provided
that Ledgy first informs the Customer of that legal requirement before
processing, unless that law prohibits this on important grounds of public
interest). The Services Agreement, this Addendum along with the Customer's
use of the Services constitute the Customer's documented instructions to
Ledgy for the purpose of providing the Services. Ledgy shall immediately
inform the Customer if instructions given by the Customer, in the opinion of
Ledgy, contravene Data Privacy Law.

5.2 ensure that all personnel who have access to Customer Personal Data have
committed themselves to appropriate obligations of confidentiality and only involve personnel in processing Customer Personal Data who have had appropriate training on the care and handling of Personal Data;

5.3 maintain appropriate technical and organizational measures to protect the
Customer Personal Data. The Parties acknowledge that security
requirements are constantly changing and that effective security requires
frequent evaluation and regular improvements of outdated security
measures. Ledgy will, therefore, evaluate the measures on an on-going basis
and will tighten, supplement and improve these measures as it deems
necessary or appropriate in its sole discretion. An overview of the current
technical and organizational measures can be found on Annex 1 of this
Addendum;

5.4 assist the Customer, to the extent possible, to fulfill the Customer’s
obligations in responding to requests for exercising of Data Subject rights set
out in the applicable Data Privacy Law and to notify the Customer without unreasonable delay if Ledgy receives a request from a Data Subject to exercise the Data Subject’s privacy rights under applicable Data Protection Laws;

5.5 assist the Customer in complying with Article 35 (Data protection impact
assessment) and Article 36 (Prior consultation) of the GDPR (or the
respective definitions in the Swiss and UK Data Privacy Law) in respect of
any new type of processing proposed, in accordance with Data Privacy Law.

5.6 deal promptly and properly with all reasonable inquiries from the Customer that relate to the processing under this Addendum.

5.7 In case of two years of inactivity of a user account, Ledgy shall delete all personal data processed on behalf of the Customer and certify to the data controller that it has done so and delete existing copies unless applicable law requires storage of the personal data.

  1. The Customer’s obligations

The Customer, acting as the Controller, hereby warrants and represents:

6.1 that its instructions to Ledgy to process the Customer Personal Data will not breach Data Privacy Law, especially in regards to its lawfulness and the existence of legal basis for the data processing;

6.2 that Customer Personal Data provided to Ledgy is accurate and will be
updated to ensure continued accuracy as and when required;

6.3 that it has notified Data Subjects of any applicable period for which Customer
Personal Data or any element of Customer Personal Data will be stored by
Ledgy;

6.4 that the Customer has the right to provide Customer Personal Data to Ledgy
and has provided Data Subjects with all necessary information and data
protection notices on or in connection with the collection of such Customer
Personal Data from data subjects including, but not limited to, the supply of
Customer Personal Data to Ledgy and details of the purposes for which such Customer Personal Data will be processed by Ledgy including, if applicable,
as set out in Ledgy’s retention policy;

6.5 The Customer further warrants and represents:

6.5.1 that the Customer will not provide Ledgy with nor request Ledgy to process
the types and categories of Personal Data listed, defined, or referenced to in
Articles 8–10 of the GDPR or respective definitions in the UK and the Swiss
Data Privacy Law, and

6.5.2 that the Customer will not provide Ledgy with nor pass to Ledgy personal
data for which Ledgy has no knowledge of, is unaware of, or which is not
explicitly provided for under this Addendum, and that where applicable, the
Customer will not enter any personal data into free text fields embedded in
relevant Ledgy products and/or Services and will not incorporate any
personal data outside of the scope of Personal Data as contemplated in the
Services Agreement and this Addendum into any attachments that are to be
uploaded into Ledgy’s Application;

6.6 that the Customer shall, and shall procure its employees, contractors, and/or
agents to keep the login credentials used to access to the Services secure
and shall be liable for the access to the Services through such login
credentials. The Customer further shall promptly notify Ledgy of any
unauthorized use of any login credentials, or other breaches of security,
including loss, theft or unauthorized disclosure of login credentials.

  1. Sub-processors

7.1 The Customer hereby provides its prior, general authorisation for Ledgy to
appoint the Sub-Processors listed in Annex 2 to process the Customer Personal Data in connection
with the provision of the Services.

7.2  Ledgy shall:

7.2.1 enter into an agreement with each Sub-Processor containing obligations
which are materially similar to those set out in this Addendum to the extent
applicable to the nature of the services provided by such Sub-Processor; and

7.2.2 remain responsible for the acts and omissions of any such Sub-Processor as
if they were the acts and omissions of Ledgy.

7.3 A list of Ledgy’s current Sub-Processors is set out at Annex 2.  The Customer
may request an up-to-date list of Sub-Processors at any time.

7.4 Ledgy will notify the Customer prior to transferring any Customer Personal
Data to a new Sub-Processor.  The Customer will notify Ledgy in writing
within 30 days after being notified of such new Sub-Processor if it objects to
the processing of its Customer Personal Data by the new Sub-Processor. In
such event the parties will, acting reasonably, try to come to an agreement
over the transfer of the Customer Personal Data to the applicable Sub-
Processor.  Where agreement is not possible the Customer shall be entitled
to terminate the Services Agreement.

  1. Audit Rights

8.1 Ledgy shall maintain complete, accurate and up to date written records of all
categories of processing activities carried out on behalf of the Customer.

8.2 Such records shall include all information necessary to demonstrate Ledgy’s
compliance with this Addendum. Ledgy shall make copies of such records
referred to at clause 8.1 available to the Customer promptly on request.

8.3 Ledgy shall promptly make available to the Customer such information as is
required to demonstrate Ledgy’s compliance with its obligations under the
Data Privacy Law. Ledgy shall further permit the Customer or an accredited third-party
auditor to conduct an audit to confirm such compliance.  Such audit shall
take place during Ledgy’s regular hours of business, not more than once in
any 12 month period, and on not less than 8 weeks prior written notice.  The
Customer and its auditors (if any) shall enter into confidentiality agreements
with Ledgy and shall comply with all Ledgy’s reasonable requirements to
minimise disruption to Ledgy’s business. Any audit and request for information shall be limited to information necessary for the purposes of this Addendum and shall give due regard to Ledgy’s confidentiality obligations and legitimate interest to protect business secrets.

  1. Personal Data Breach

9.1 In the event of a personal data breach concerning data processed by Ledgy, it shall notify the Customer without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information concerning the personal data breach can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and data records concerned), its likely consequences and the measures taken or proposed to be taken to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall be provided as it becomes available without undue delay.

9.2 Ledgy shall cooperate in good faith with and assist the Customer in any way necessary to enable the Customer to notify, where relevant, the competent data protection authority and the affected data subjects, taking into account the nature of processing and the information available to Ledgy.

  1. International Transfers

Ledgy may transfer Customer Personal Data outside of the European
Economic Area, United Kingdom or Switzerland as required to process the
Customer Personal Data for the purpose under this Addendum, provided that
Ledgy shall ensure that all such transfers are made in accordance with
applicable Data Privacy Law, including by way of entering into standard contractual clauses adopted by the EU Commission (where the EU GDPR
applies to the transfer) together with any applicable additional clauses
required for transfers out of the United Kingdom or Switzerland, as
applicable.

  1. Data Subject Rights

Ledgy shall:

a) promptly notify the Customer about any request received directly from the data subject. It shall not respond to that request itself, unless and until it has been authorized to do so by the Customer.

b) reasonably assist the Customer in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights in accordance with applicable Data Privacy Law.

c) reasonably assist the Customer in case a data subject has lodged a complaint to the competent supervisory authority that concerns Customer Personal Data processed on the basis of this Addendum.

  1. Liability

The Customer acknowledges that Ledgy is reliant on the Customer for
instructions as to the extent to which Ledgy is entitled to use and process the Customer Personal Data. Consequently, Ledgy will not be liable for losses
(including indirect losses, loss or corruption of data, loss of reputation,
goodwill and profits), actions, proceedings and liabilities of whatsoever
nature incurred by Ledgy or for which Ledgy may become liable due to any
claim brought by a Data Subject or Supervisory Authority arising from the
Customer’s instructions or use of the Services or Application in breach of the
Data Privacy Law.

  1. Order of Precedence

‍To the extent of any conflict between this Addendum and any parts of the
Services Agreement, this Addendum shall prevail, govern, and supersede.

  1. Survival

This Addendum and the obligations hereunder shall survive the termination
or expiry of the Services Agreement however effected or arising, and shall
continue until Ledgy no longer processes any Customer Personal Data.  The
Customer Personal Data will be returned to the Customer and deleted by
Ledgy in accordance with the Services Agreement.

Annex 1

Annex 1 - Technical and Organisational Measures 

This annex to the Data Processing Addendum outlines the technical and organizational measures implemented by Ledgy AG (“Ledgy”, "Processor" or the “data processor”) in compliance with its data protection obligations as a data processor. 

These measures aim to ensure the security and protection of personal data processed on behalf of ‘Customer’ ("Controller") in accordance with applicable data protection laws, including the Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR).

Organizational Security Measures

Security Management

  • Security Governance: Ledgy has a dedicated team with regular involvement from senior leadership to oversee information security. Responsibilities of the team include defining policies, enforcing security practices, and monitoring overall security.
  • Risk Management: A structured program for ongoing identification, measurement, and management of IT-related risks is in place and overseen by relevant personnel and senior leadership.
  • Roles and Responsibilities: Responsibilities for processing personal data are clearly defined in line with security policies.
  • Resource/Asset Management: Ledgy maintains registers of IT resources used for personal data processing, including hardware, software, and network. Designated personnel are responsible for maintaining and updating the registers.

Incident Response and Business Continuity

  • Incidents Handling / Personal Data Breaches:
    • Incident procedures are in place to ensure effective responses to security incidents, including those involving personal data.
    • Ledgy promptly reports any security incident leading to the loss, misuse, or unauthorized access to personal data to affected data controller(s).
  • Business Continuity: Ledgy has established procedures and controls to ensure the required level of IT system continuity and availability for processing personal data in case of an incident or data breach.
    • Multiple Availability Zones to provide improved redundancy and fault tolerance.
    • Periodic Disaster Recovery and/or Business Continuity exercises are conducted.

Human Resource Security

  • Verification: Ledgy verifies and validates all candidates prior to hiring, including background checks, to assess their suitability and manage risk.
  • Policy Compliance: Ledgy ensures that all employees understand their responsibilities and obligations regarding personal data processing and compliance with security policies.
  • Onboarding and Offboarding: Ledgy maintains clear procedures for management of access rights for new joiners and during termination. Processes are also defined for transferring rights and responsibilities during internal reorganizations or other changes in employment.
  • Training: Ledgy trains employees about security controls and requirements relevant to their work. Employees are regularly educated on data protection requirements and legal obligations through awareness campaigns and monthly training on general security topics.

Technical Security Measures

Access Control and Authentication

  • Least Privilege: Access control rights are specifically assigned to roles involved in personal data processing, following the principle of least privilege. Access is granted following the "need-to-know" principle to limit access to personal data to those who require it. Periodic reviews of all access levels are conducted.
  • Authentication: An access control system applicable to all IT system users is implemented, allowing for user account creation, approval, review, and deletion. Multi-factor authentication (MFA) is enforced where possible.
  • Unique Accounts: The use of common user accounts is prohibited, and if necessary, users with common accounts have the same roles and responsibilities.
  • Passwords: Where passwords are used, they are required to be at least 16 characters long, meet strong password control parameters (length, complexity, non-repeatability), and are never transmitted over the network unprotected.

Logging and Monitoring

  • Log Creation: Log files are enabled for systems and applications used in personal data processing, tracking data access (view, modification, deletion) and other security and system events.
  • Log Monitoring: Ledgy has implemented comprehensive logging and monitoring mechanisms to track data access and system activities. Ledgy personnel also perform periodic reviews and analysis of logs to identify and mitigate security incidents and anomalies.

Data Protection and Security

  • Data Protection: Database(s) and application servers run in separate environments and separate systems to ensure data protection. Personal data is only processed as required to fulfill the service’s intended purpose.
  • Data Access Controls: Database access is highly restricted to database administrators and only granted on a need-to-know basis.
  • Data Disposal: Stored personal data is only stored in cloud storage where secure deletion assurance is provided by the cloud hosting provider. Policies are in place prohibiting the storage of personal data on paper or local drives to prevent data loss through these methods.
  • Data Encryption: Stored data is encrypted at rest using AES-256. When accessed through the Internet, communication is encrypted using TLS 1.2 or better.
  • Backup Security: Ledgy manages a backup/snapshot service hourly, which is tested periodically. Backup and data restore procedures are defined, documented, and linked to specific roles and responsibilities.

Secure System Architecture

  • Perimeter Controls: Network traffic to and from the IT system is monitored and controlled using firewalls and/or security groups and other network security technologies. A Web-Application Firewall (WAF) is used to monitor web traffic and help prevent abuses.
  • Network Segmentation: The production service environment is divided into multiple zones and VPCs depending on the security requirements of individual services.

Application and System Lifecycle

  • Secure SDLC: Ledgy adheres to a structured Software Development Lifecycle (SDLC) throughout its software and system development practices. Security is integrated throughout the phases of the development lifecycle.
  • Change Management: Ledgy ensures that IT system changes are recorded and monitored by designated personnel, subjected to appropriate testing, and approved prior to release.
  • Vulnerability Management: Software, system components, and 3rd party dependencies are subjected to regular reviews to proactively identify and track potential security vulnerabilities, which are then tracked until addressed.
  • Security Testing: System components are subjected to periodic and ongoing security testing, including penetration tests, security scans, and code analysis. Findings are tracked until addressed.

Physical and Environmental Security

  • Data Centers: Ledgy hosts all Customer Data in Google Cloud Platform (GCP). Ledgy regularly reviews Google’s physical and environmental controls for relevant data centers, as audited by Google’s third-party auditors. Such controls include, but are not limited to:
    • Physical access to the facilities is controlled at the building ingress points;
    • Visitors are required to present ID and sign in;
    • Physical access to servers is managed by access control devices;
    • Physical access privileges are reviewed regularly;
    • Facilities utilize monitor and alarm procedures;
    • Fire detection and protection systems;
    • Power back-up and redundancy systems; and Climate control systems.

Vulnerability Management

  • Automated Scanning:
    • Industry-leading vulnerability scanning tools continuously monitor infrastructure, applications and dependencies
    • Continuous automated scanning of production environment, container images and third-party dependencies
  • Manual Testing:
    • Annual penetration testing by independent third-party security firms
    • Quarterly internal security assessment by security ytea,
    • Regular code reviews with security-focused acceptance criteria
  • Risk Assessment and Prioritisation:
    • CVSS (Common Vulnerability Scoring System) score review
    • Assessment of potential impact on customer data and business operations
    • Evaluation of exploitability in our specific environment
    • Analysis of compensating controls
  • Remediation Timeline Commitments:
    • Critical (CVSS 9.10-10.0): Blocker, max 30 days
    • High (CVSS 7.0 – 8.9): 30 days
    • Medium (CVSS 4.0 – 6.9): 90 days
    • Low (CVSS 0.1 – 3.9): 90 days
  • Patch Management:
    • Automated patch deployment for non-critical updates via CI/CD pipeline
    • Emergency patch procedures for critical vulnerabilities
    • Regular maintenance windows for system updates
    • Change management process to ensure service availability
  • Vulnerability Disclosure:
    • Bug bounty program through Federacy
    • Responsible disclosure process for security researchers
    • Regular security advisories for relevant vulnerabilities 
  • Compliance and Reporting:
    • Quarterly vulnerability metrics reporting to executive management
    • Quarterly trend analysis and program effectiveness review
    • Annual independent audit of vulnerability management program
    • Compliance with ISO 27001 requirements
  • Tools and Technologies:
    • Industry-standard dependency vulnerability scanners
    • Statis application security testing (SAST)
    • Open Source Software Library 9OSS) scanners
    • Container security scanning
    • CIS benchmark cloud security posture scanning
  • Continuous Improvement:
    • Post-incident reviews and lessons learned
    • Industry best practice adoption
    • Regular team training and certification
    • Participation in security communities and information sharing programs

Annex 2 List of Sub-Processors

Name of sub-processor Location of servers Purpose Data processed
Google Cloud Zurich, Switzerland (Google) Hosting, workspace Stakeholders and transaction data, uploaded documents
Mailgun Frankfurt, Germany (AWS) E-mail Email address, content of the emails
MongoDB atlas Zurich, Switzerland (Google) Database Stakeholders and transaction data, uploaded documents
Skribble (if applicable) Zurich, Switzerland Electronic signatures Documents signed with AES or QES
Temporal Cloud Frankfurt, Germany (AWS) Monitoring workflows in the application E-mail address
Microsoft Office 365 Zurich, Switzerland Assisted onboarding Stakeholders and transaction data
Merge API Inc (if applicable) Stockholm, Sweden HRIS integration Employee identity information, organisational data, employment details, compensation data
AWS Dublin, Ireland Offsite backup Stakeholders and transaction data