Data Processing Agreement

Purpose: This Data Processing Agreement ("DPA") forms part of the Terms of Service between Gyre Holdings LLC, a Delaware limited liability company, d/b/a Gyre Research ("Processor" or "Gyre Research") and the Client ("Controller") and governs the processing of personal data by Gyre Research on behalf of the Client. This DPA is designed to comply with GDPR, UK GDPR, and applicable APAC data protection laws.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Terms of Service. In addition:

Term	Definition
"Data Protection Laws"	All applicable legislation relating to data protection and privacy, including but not limited to GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA/CPRA, APPI (Japan), PDPA (Singapore), PDPO (Hong Kong), Privacy Act 1988 (Australia), PIPA (South Korea), and any implementing or supplementary legislation.
"Personal Data"	Any information relating to an identified or identifiable natural person that is processed by Gyre Research on behalf of the Controller in connection with the Platform.
"Processing"	Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Sub-Processor"	Any third party engaged by Gyre Research to process Personal Data on behalf of the Controller.
"Data Breach"	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Standard Contractual Clauses" or "SCCs"	The standard contractual clauses for the transfer of personal data approved by the European Commission (Decision 2021/914) and/or the UK International Data Transfer Addendum.

2. Scope and Roles

2.1 Roles

For the purposes of this DPA, the Client is the Controller (or, where the Client processes Personal Data on behalf of its own clients, a Processor), and Gyre Research is the Processor (or Sub-Processor, as applicable). The details of processing are set forth in Annex A.

2.2 Scope of Processing

This DPA applies to all Personal Data that Gyre Research processes on behalf of the Controller in connection with the provision of the Platform and related services. This includes Personal Data contained within Client Data uploaded to the Platform, such as names and contact details of portfolio managers, beneficial owners, or counterparties that may be embedded in transaction or holdings data.

2.3 Duration

This DPA shall remain in effect for the duration of the Terms of Service and for as long as Gyre Research retains Personal Data processed on behalf of the Controller.

3. Controller Obligations

The Controller shall:

Ensure that Personal Data is collected and transferred to Gyre Research in compliance with Data Protection Laws, including obtaining all necessary consents and providing all required notices to data subjects.
Provide Gyre Research with documented instructions regarding the processing of Personal Data. The Terms of Service, this DPA, and the Client's use of Platform features constitute the Controller's complete instructions unless additional written instructions are provided.
Ensure that the processing instructions given to Gyre Research do not cause Gyre Research to violate applicable Data Protection Laws.
Promptly inform Gyre Research of any changes to Data Protection Laws that may materially affect Gyre Research's obligations under this DPA.

4. Processor Obligations

Gyre Research shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case Gyre Research shall inform the Controller of that legal requirement before processing, unless prohibited by law).
Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 and Annex B.
Assist the Controller, taking into account the nature of processing and information available to Gyre Research, in fulfilling its obligations to respond to data subject requests (Section 9).
Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to Gyre Research.
At the Controller's choice, delete or return all Personal Data upon termination or expiration of the Terms of Service, and delete existing copies unless storage is required by applicable law (Section 12).
Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits (Section 11).
Immediately inform the Controller if, in Gyre Research's opinion, an instruction from the Controller infringes applicable Data Protection Laws.

4.3 AI and Large Language Model (LLM) Processing Restrictions

The Platform incorporates AI features powered by third-party large language model providers (currently Anthropic, PBC). With respect to LLM processing of Personal Data and Client Data, Gyre Research commits to the following:

No Training Use. Client Data, including any Personal Data contained therein, shall never be used to train, fine-tune, improve, or otherwise develop any large language model, machine learning model, or artificial intelligence system — whether operated by Gyre Research, Anthropic, or any other Sub-Processor. This prohibition applies to all forms of model training, including but not limited to supervised learning, reinforcement learning from human feedback (RLHF), embedding generation for model improvement, and any analogous technique.
Inference Only. Where Client Data is processed by an LLM provider, such processing is limited strictly to real-time inference (i.e., generating a response to a specific query) and is not retained by the LLM provider beyond the duration of the individual request, except for transient processing logs retained solely for abuse monitoring and deleted within 30 days.
Contractual Safeguards. Gyre Research maintains contractual agreements with all LLM Sub-Processors that expressly prohibit the use of input and output data for model training or improvement, and that require deletion of data promptly following inference.
Opt-Out of LLM Processing. The Controller and its Authorized Users may disable all LLM-powered features at any time through the Platform's control panel settings. When LLM processing is disabled: (a) no Client Data or Personal Data will be transmitted to any LLM Sub-Processor; (b) AI-powered features (including natural language queries, AI-generated insights, and LLM-enhanced analytics) will be unavailable; and (c) all other Platform features will continue to function normally. The opt-out may be configured at the account level (affecting all Authorized Users) or at the individual user level, at the Controller's discretion.
Transparency. Gyre Research will clearly identify which Platform features involve LLM processing in the Documentation and will notify the Controller in advance of any material changes to the scope of LLM processing or the addition of new LLM Sub-Processors.

5. Sub-Processors

5.1 General Authorization

The Controller grants Gyre Research general written authorization to engage Sub-Processors to process Personal Data on behalf of the Controller, subject to the requirements of this Section 5.

5.2 Current Sub-Processors

A list of current Sub-Processors is maintained at gyreresearch.com/legal/sub-processors and is also available upon request. The current list as of the effective date of this DPA is included in Annex C.

5.3 Notification of Changes

Gyre Research shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-Processor, providing the name, location, and description of processing activities of the proposed Sub-Processor.

5.4 Objection Right

The Controller may object to the appointment of a new Sub-Processor by providing written notice within 15 days of receiving notification, setting forth reasonable grounds for the objection. The parties shall discuss the objection in good faith. If the parties cannot resolve the objection within 30 days, the Controller may terminate the affected services without penalty.

5.5 Sub-Processor Obligations

Gyre Research shall impose on each Sub-Processor data protection obligations no less protective than those set forth in this DPA. Gyre Research remains fully liable to the Controller for the performance of each Sub-Processor's obligations.

6. International Data Transfers

6.1 Transfer Safeguards

Where Personal Data originating from the EEA, UK, or Switzerland is transferred to a country not recognized as providing adequate data protection, Gyre Research shall ensure that one or more of the following safeguards is in place:

The EU Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable), which are incorporated by reference into this DPA as Annex D.
The UK International Data Transfer Addendum (IDTA), appended to the EU SCCs as Annex E.
An adequacy decision by the relevant authority recognizing the destination country as providing adequate protection.
Any other valid transfer mechanism recognized under applicable Data Protection Laws.

6.2 APAC Transfers

For Personal Data originating from APAC jurisdictions with cross-border transfer requirements, Gyre Research shall comply with the applicable local requirements, including: consent-based transfers (Japan APPI Art. 28), contractual safeguards (Singapore PDPA), and reasonable steps to ensure recipient compliance (Australia APP 8). Additional transfer requirements are addressed in the Regional Addenda.

6.3 Supplementary Measures

Where required by the Schrems II decision, ICO guidance, or equivalent APAC requirements, Gyre Research shall implement supplementary technical and organizational measures, including encryption, pseudonymization, access controls, and transfer impact assessments.

6.4 Government Access Requests

If Gyre Research receives a request from a government authority for access to Personal Data processed under this DPA, Gyre Research shall: (a) notify the Controller promptly (to the extent legally permissible); (b) challenge the request where there are reasonable grounds to believe it is unlawful; and (c) provide only the minimum amount of Personal Data necessary to comply with the request.

7. Security Measures

Gyre Research shall implement and maintain appropriate technical and organizational security measures as described in Annex B, including but not limited to:

Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+).
Role-based access controls with the principle of least privilege.
Multi-factor authentication for access to systems containing Personal Data.
Regular vulnerability assessments and penetration testing.
Network segmentation and firewalls.
Logging and monitoring of access to Personal Data.
Secure disposal of media and data when no longer needed.
Background checks for personnel with access to Personal Data (to the extent permitted by law).
Regular security awareness training for all personnel.
Business continuity and disaster recovery procedures.

Gyre Research shall periodically review and update these measures to address evolving threats and ensure continued adequacy.

8. Data Breach Notification

8.1 Notification to Controller

Gyre Research shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Data Breach affecting Personal Data processed under this DPA. This timeline is designed to allow the Controller to comply with its own notification obligations (e.g., 72 hours under GDPR).

8.2 Notification Contents

The notification shall include, to the extent available:

A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected.
The name and contact details of Gyre Research's point of contact for the incident.
A description of the likely consequences of the Data Breach.
A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

8.3 Ongoing Cooperation

Gyre Research shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach, including preserving relevant evidence and logs.

9. Data Subject Rights

Gyre Research shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests from data subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

If Gyre Research receives a request directly from a data subject, Gyre Research shall promptly redirect the data subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.

10. Data Protection Impact Assessments

Gyre Research shall provide reasonable assistance to the Controller with any data protection impact assessment and any prior consultation with a supervisory authority that the Controller is required to carry out under Article 35 or 36 of the GDPR, UK GDPR, or equivalent provisions under applicable APAC Data Protection Laws, taking into account the nature of processing and information available to Gyre Research.

11. Audit Rights

11.1 Information and Audit

Gyre Research shall make available to the Controller, upon reasonable request and subject to confidentiality obligations, all information reasonably necessary to demonstrate compliance with this DPA. Gyre Research shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

11.2 Audit Conditions

Audits shall be conducted: (a) no more than once per calendar year (unless a Data Breach has occurred or a supervisory authority requires more frequent audits); (b) upon at least 30 days' written notice; (c) during normal business hours; (d) in a manner that does not unreasonably disrupt Gyre Research's operations; and (e) at the Controller's expense.

11.3 Third-Party Certifications

In lieu of an on-site audit, Gyre Research may provide the Controller with: (a) a copy of its most recent SOC 2 Type II report (or equivalent certification); (b) the results of independent penetration testing; or (c) responses to a reasonable security questionnaire, provided these are no more than 12 months old at the time of the request.

12. Data Deletion and Return

Upon termination or expiration of the Terms of Service, Gyre Research shall, at the Controller's election:

Return: Make all Personal Data available for export in a standard machine-readable format within 30 days of termination; or
Delete: Securely delete all Personal Data, including all copies, backups, and archives, within 90 days of termination, and provide written confirmation of deletion upon request.

Gyre Research may retain Personal Data to the extent required by applicable law, in which case it shall inform the Controller of the legal basis and scope of retention and shall continue to protect such data in accordance with this DPA.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party's liability for breach of this DPA shall be limited where such limitation is prohibited by applicable Data Protection Laws. Nothing in this DPA limits either party's liability for damages arising from a party's violation of Data Protection Laws to the extent such liability cannot be limited under applicable law.

14. Term and Termination

This DPA commences on the effective date of the Terms of Service and continues until all Personal Data has been deleted or returned in accordance with Section 12. Termination of the Terms of Service shall automatically trigger the data return/deletion process in Section 12.

15. Regional Addenda

This DPA is intended to comply with Article 28 GDPR and UK GDPR Article 28. The Standard Contractual Clauses (Annex D) and the UK IDTA (Annex E) are incorporated by reference and shall prevail over conflicting terms of this DPA to the extent required by applicable law.

Records of Processing: Gyre Research shall maintain records of processing activities carried out on behalf of the Controller in accordance with Article 30(2) GDPR.

Where the Controller is subject to the APPI, Gyre Research shall implement necessary and appropriate supervision of the handling of Personal Data in accordance with Article 25 APPI (entrustment of handling). Cross-border transfer provisions under Article 28 APPI shall apply to transfers of Personal Data from Japan.

Where the Controller is subject to the PDPA, Gyre Research shall ensure that Personal Data transferred outside Singapore is protected to a standard comparable to the PDPA, through contractual or other legally recognized means, in accordance with the PDPA transfer limitation obligation.

Where the Controller is subject to the Privacy Act 1988, Gyre Research acknowledges that the Controller remains accountable for Gyre Research's handling of Personal Data under APP 8. Gyre Research shall take reasonable steps to ensure compliance with the APPs in relation to the Personal Data it processes.

Where the Controller is subject to PIPA, Gyre Research shall comply with the entrustment requirements under PIPA Article 26, including restrictions on purpose limitation, technical and administrative safeguards, supervision obligations, and liability for damages caused by the Processor's violation of PIPA.

Annex A — Details of Processing

Element	Description
Subject Matter	Provision of the Gyre Research portfolio analytics Platform and related services.
Duration	The term of the subscription as specified in the Order Form, plus any post-termination retention period.
Nature and Purpose	Processing of Personal Data to provide portfolio aggregation, analytics, reporting, and related services as described in the Terms of Service.
Categories of Data Subjects	Authorized Users of the Platform; portfolio managers, beneficial owners, counterparties, and other natural persons whose data may be contained within Client Data.
Categories of Personal Data	Names, job titles, business email addresses, business phone numbers, IP addresses, and any Personal Data contained within Client Data (which may include names, addresses, account numbers, and transaction details of the Controller's own clients or counterparties).
Sensitive Data	None intentionally processed. If Client Data contains sensitive data, the Controller must inform Gyre Research and obtain appropriate consent.
Processing Operations	Collection (via Platform upload/API), storage, organization, structuring, retrieval, consultation, use (analytics/reporting), disclosure (to Authorized Users), restriction, erasure, and destruction.
Frequency	Continuous during the subscription term.

Annex B — Technical and Organizational Measures

Category	Measures
Encryption	AES-256 at rest; TLS 1.2+ in transit; encrypted backups.
Access Control	Role-based access; principle of least privilege; MFA for production access; quarterly access reviews.
Network Security	Firewalls; IDS/IPS; VPN for administrative access; network segmentation; DDoS mitigation.
Physical Security	Data center certifications (SOC 2, ISO 27001 or equivalent); restricted physical access; environmental controls.
Monitoring	24/7 security event monitoring; centralized logging; automated alerting; log retention per policy.
Availability	Redundant infrastructure; automated failover; regular backups with tested restore procedures; documented disaster recovery plan.
Personnel	Background checks (where legally permitted); confidentiality agreements; role-specific security training; off-boarding procedures including immediate access revocation.
Development	Secure SDLC; code reviews; dependency scanning; staging environments; change management procedures.
Incident Response	Documented IR plan; defined roles and escalation paths; post-incident review process; annual testing of IR procedures.

Annex C — Approved Sub-Processors

Sub-Processor	Location	Processing Activity
DigitalOcean, LLC	United States	Cloud hosting and infrastructure
Microsoft Corporation	United States	Database services (Microsoft SQL Server), cloud infrastructure, and productivity tools
Anthropic, PBC	United States	Large language model (LLM) inference for Platform AI features; subject to the AI Processing Restrictions in Section 4.3 of this DPA
Twilio Inc.	United States	Transactional SMS message delivery (two-factor authentication, account alerts, platform notifications)

The current list of Sub-Processors is maintained at gyreresearch.com/legal/sub-processors and is updated in accordance with Section 5.3 of this DPA.

Annex D — Standard Contractual Clauses (Reference)

The Standard Contractual Clauses approved by the European Commission pursuant to Implementing Decision (EU) 2021/914 are incorporated by reference into this DPA. The applicable module is Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as determined by the Controller's role. The parties agree to the following selections within the SCCs:

Clause 7 (Docking Clause): Included.
Clause 9(a) (Sub-Processor Authorization): Option 2 — General Written Authorization, with 30 days' prior notice.
Clause 11 (Redress): The optional language is not included.
Clause 17 (Governing Law): The SCCs shall be governed by the laws of Ireland.
Clause 18 (Forum): Disputes shall be resolved before the courts of Ireland.

The full text of the SCCs is available at https://commission.europa.eu/law/law-topic/data-protection_en.

Annex E — UK International Data Transfer Addendum (Reference)

For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022), issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018, is incorporated by reference. The Addendum shall apply to the SCCs in Annex D to the extent that the UK GDPR applies to the processing.

The full text of the UK IDTA is available at ico.org.uk.