Scope & Incorporation
This Addendum (“DPA”) forms part of any written or electronic agreement between a customer (“Controller”) and Task Venture Capital GmbH (“Processor”) under which the Processor processes personal data on behalf of the Controller.
Where the principal agreement and this DPA conflict on a question of data protection, this DPA prevails. Capitalised terms not defined here take the meaning given in the GDPR.
Roles of the Parties
The Controller determines the purposes and means of processing. The Processor processes personal data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member State law.
Each party is and remains responsible for compliance with its own obligations under applicable data protection law. Nothing in this DPA creates a joint-controller relationship in the sense of Art. 26 GDPR.
Subject Matter, Duration, Nature, Purpose
- Subject matter. Processing incidental to the services described in the principal agreement.
- Duration. Term of the principal agreement plus any period of lawful retention.
- Nature. Storage, transmission, retrieval, disclosure by transmission, erasure.
- Purpose. Performance of the principal agreement and the Controller's documented instructions.
- Data subjects. Controller's end users, employees, and counterparties, as applicable.
- Categories. Identification, contact, transactional, and technical metadata; no special categories unless expressly agreed.
Processor Obligations
- Process personal data only on the Controller's documented instructions.
- Ensure persons authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures.
- Engage sub-processors only with authorisation and subject to equivalent obligations.
- Assist the Controller, by appropriate measures, in responding to requests for the exercise of data-subject rights.
- Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR.
- At the Controller's choice, delete or return all personal data at the end of the provision of services.
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR.
Sub-processors
The Controller grants general written authorisation to engage sub-processors where required to provide the agreed services. The Processor informs the Controller of intended material changes by updating the relevant list or agreement notice, giving the Controller the opportunity to object where required by law.
| Entity | Role | Region | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting and storage | DE | EU processing |
| OVHcloud SAS | Redundant hosting | FR | EU processing |
| Transactional email providers | Email delivery | EU or disclosed region | DPA / SCC where required |
| Source-code and issue-tracking providers | Development operations | EU / US | SCC / DPF where required |
Technical & Organisational Measures
- Pseudonymisation and encryption. Transport encryption on public endpoints and encryption at rest where supported by the underlying service.
- Confidentiality. Role-based access, named owners per dataset, and least-privilege review.
- Integrity. Change-management through reviewed changes and operational logging where applicable.
- Availability. Backups and redundancy appropriate to the service tier.
- Resilience. Incident-response processes and restore practices appropriate to the service tier.
- Process. Regular review and update of these measures against the state of the art.
Audit & Inspection
The Controller may audit the Processor's compliance with this DPA on reasonable advance notice, during business hours, and in a manner that does not unreasonably disrupt the Processor's operations.
Third-party auditors must be reasonably acceptable to the Processor and bound by confidentiality at least equivalent to this DPA.
Termination
On termination or expiry of the principal agreement, the Processor shall, at the Controller's election, return or delete all personal data and existing copies within a reasonable period, except to the extent retention is required by Union or Member State law.
Deletion on termination is the default. We do not hold data speculatively.