
Data Processing

Last Updated: September 2025

This Data Processing Agreement ("DPA") is an addendum to our Terms of Service and Privacy Policy and forms part of the contract between Axel Adler Jr. ("Company", "we", "us", or "our") and users or customers who are subject to data protection laws like the GDPR and who engage us in a manner where we might process personal data on their behalf ("Customer" or "Controller"). This DPA is intended to fulfill the requirements of Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent provisions of other data protection laws, ensuring adequate safeguards and obligations when we act as a processor of personal data on behalf of the Customer.

By using our services or by executing an Order or agreement that references this DPA, you agree to the terms of this DPA. In case of any conflict between this DPA and other terms in our Terms of Service or Privacy Policy regarding the processing of personal data, the terms of this DPA shall prevail.

1. Definitions

For the purposes of this DPA, the following definitions apply:

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable person is one who can be identified, directly or indirectly, by reference to such data (as defined by GDPR Article 4(1)). Personal Data under this DPA is limited to the information we process on behalf of the Customer as a Processor.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, erasing, or destroying (as defined by GDPR Article 4(2)).

"Controller" means the natural or legal person which determines the purposes and means of the processing of Personal Data. In this context, the Customer (you) is the Controller with respect to any Personal Data you provide to us for processing on your behalf. For example, if you are an organization subscribing to our service and you upload or give us personal data of your employees or clients for us to send them our reports, you are the Controller of that data.

"Processor" means the party which processes Personal Data on behalf of the Controller. In this context, Axel Adler Jr. acts as the Processor to you (the Customer) for the limited purpose of processing Personal Data strictly for the provision of our services to you.

"Sub-processor" means any downstream processor engaged by us (the Processor) who agrees to receive Personal Data from us exclusively for processing activities to provide parts of the services on our behalf. Sub-processors are bound by contractual terms no less protective than those in this DPA with respect to the protection of Personal Data.

"Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable, the GDPR; the UK Data Protection Act 2018 and UK GDPR; the Swiss Federal Act on Data Protection; and any other applicable data privacy or data protection regulations (e.g., LGPD in Brazil, etc.) that apply to the Controller's jurisdiction.

Other capitalized terms not defined here have the meanings given to them in the Terms of Service or Privacy Policy.

2. Details of Processing

Subject Matter: The subject matter of the processing is the Personal Data that the Controller provides to the Processor in connection with the services described in our Terms of Service. This typically includes contact information (like email addresses) and any other data needed to deliver financial content and communications as instructed by the Controller.

Duration: We will process Personal Data only as long as the Customer (Controller) instructs us to, typically for the duration of the Customer's use of our services. The processing shall terminate upon deletion of all Personal Data as per Controller's request or upon termination of services, subject to retention requirements outlined in Section 7 of this DPA.

Nature and Purpose: The processing involves collection, storage, and transmission of Personal Data as necessary to provide our analytics and newsletter services to the Customer. Specifically, we process data for purposes such as: managing subscriber lists, sending email briefings or reports, providing account access (if applicable), and analyzing engagement as directed by the Controller. We will only process Personal Data in accordance with the documented instructions of the Controller (as per Section 3 below). We do not process the Personal Data for any purpose other than delivering the agreed services, unless otherwise required by law.

Type of Personal Data: The Personal Data processed under this DPA typically includes: names, email addresses, and possibly other identifiers or preferences of end-users or individuals that the Controller asks us to send content to or manage on their behalf. It might also include usage data or interaction data related to those individuals (e.g., email open/click information) if such data is linked to identifiable individuals and provided back to the Controller. We do not intentionally process any special categories of data (such as sensitive personal data revealing health, religious beliefs, etc.) or data about children under this DPA, unless specifically agreed and necessary for the service (which is unlikely given our service scope).

Categories of Data Subjects: Data Subjects could include the Controller's employees, customers, or other end-users who have their data provided to us by the Controller for processing. For example, if the Controller is a company that signs up to receive our research reports for its staff or clients, those staff or clients are data subjects whose personal data (contact info) we process under instructions.

3. Controller's Instructions and Processor's Compliance

We (the Processor) will only process Personal Data on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do otherwise by applicable law (in which case we will inform you of that legal requirement prior to processing, unless the law prohibits such notice on important grounds of public interest). The Terms of Service, this DPA, and your use of features in our services constitute your complete and final instructions to us for the processing of Personal Data. Any additional or alternate instructions must be agreed to in writing.

The Controller is responsible for ensuring that its instructions to the Processor are lawful and consistent with applicable Data Protection Laws. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data provided to us and the means by which the Controller acquired Personal Data.

If we believe an instruction violates Data Protection Laws or is beyond the scope of what was agreed, we will inform the Controller and may suspend processing until the issue is resolved. We will not be liable for any consequences resulting from following the Controller's instructions.

4. Confidentiality and Personnel

Confidentiality: We will treat all Personal Data as Confidential Information and ensure that any personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation continues even after the end of such personnel's engagements.

Limiting Access: Access to Personal Data is limited to personnel who need access to perform the services and who are bound by enforceable confidentiality obligations. We regularly review who has access and revoke access immediately upon it no longer being required.

Training: Our employees and contractors who are involved in processing Personal Data are informed about the sensitive nature of the data and trained in data protection requirements and privacy best practices relevant to their job duties.

5. Security Measures

We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. In particular, we have measures as described in our Privacy Policy (Security section) including encryption, access controls, pseudonymization where applicable, regular security assessments, etc. A summary of our security measures can be provided upon request.

These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and nature of the processing (e.g., the sensitivity of the data). Specific measures include (but are not limited to): encryption of data in transit (TLS), hashed or encrypted storage of credentials, network firewalls, intrusion detection systems, regular vulnerability scans, and organizational controls as described earlier.

We will also assist the Controller, upon request and considering the nature of processing and information available to us, with Controller's obligation to ensure security of Personal Data (for example, by providing information on our security practices). However, the Controller is responsible for reviewing the information we make available and determining that our measures meet any requirements needed for the Controller's compliance.

6. Sub-processors

Authorized Sub-processors: The Controller provides general authorization for us to engage third-party Sub-processors as necessary to provide our services. Our key Sub-processors are listed in our Privacy Policy and may include services such as hosting providers, email delivery platforms, payment processors, and analytics providers. We commit to entering into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, particularly with respect to implementing appropriate technical and organizational measures.

Changes to Sub-processors: We will maintain an up-to-date list of Sub-processors on our website or provide it upon request. We will notify the Controller (via email or site notification) of any intended addition or replacement of Sub-processors with at least 10 days' notice, thereby giving the Controller the opportunity to object. If the Controller has a reasonable objection to a new Sub-processor on legitimate data protection grounds, it shall notify us in writing within 10 days of the notice. We will then work in good faith to resolve the objection, which may include: examining the Controller's concerns, providing additional safeguards or information, or in some cases, offering an alternative arrangement. If we cannot resolve the objection to Controller's reasonable satisfaction, the Controller may have the right to terminate the service (in which case we will refund any prepaid fees for the remaining term of the service which cannot be provided without the use of the objected Sub-processor).

Liability for Sub-processors: We remain fully liable to the Controller for the performance of any Sub-processor's obligations that are subcontracted to them. In other words, any breaches by a Sub-processor will be treated as a breach by us, vis-à-vis the Controller, and we will take necessary steps to remediate any breach caused by our Sub-processor.

7. Data Subject Rights Assistance

Handling Requests: If the Controller receives a request from a Data Subject to exercise any of their rights under Data Protection Laws (such as access, rectification, deletion, restriction, data portability, or objection) and the Controller needs our assistance to fulfill this request, we shall provide reasonable assistance. For example, if a Data Subject whose data we process on your behalf asks you to delete their info, and you do not have the ability to fully delete it via the service interface, we will comply with your instructions to delete the data (unless an exception applies).

Redirecting Data Subjects: If we receive a direct request from a Data Subject pertaining to Personal Data that we process solely on behalf of a Controller, we will promptly inform the Controller and not respond directly (unless instructed by the Controller or required by law). We will advise the Data Subject to contact the Controller directly, if possible.

Scope of Assistance: Our assistance will cover technical/organizational measures to retrieve, correct, or delete data as needed, or to forward Data Subject requests. The Controller is responsible for reviewing and responding to Data Subject requests, but we will provide necessary input from our systems. Where applicable law requires, we will also assist the Controller in ensuring compliance with obligations to respond to Data Subject requests (taking into account the nature of processing and information available to us).

8. Breach Notification

Notification: We will notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a personal data breach involving the Personal Data we process on behalf of the Controller. A "Personal Data Breach" in this context means a confirmed security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or processed by us under this DPA.

Contents of Notice: Our notification to Controller will include, to the extent known at the time, the following: a description of the nature of the breach including, where possible, categories and approximate number of data subjects and data records concerned; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its possible adverse effects. If we do not yet have all this information, we will provide initial notice with the information we do have, and then update the Controller as more details are learned.

Investigation and Response: We will promptly investigate the breach and take reasonable steps to mitigate, remediate, and cure the breach. We will cooperate with the Controller's reasonable instructions to assist in the investigation and complying with any obligations under Data Protection Laws (such as notifying supervisory authorities or impacted individuals). The Controller bears the responsibility for determining whether to notify supervisory authorities or data subjects and for making any required notifications, but we will assist by providing available information.

Documentation: We will maintain documentation of the facts relating to any breach, its effects, and remedial actions taken, and will provide such information to Controller upon request, as needed for Controller to meet any legal reporting obligations.

Limitation: Notification of a breach to Controller shall not be construed as an acknowledgment by us of any fault or liability with respect to the breach.

9. Audit and Compliance

Audit Rights: The Controller has the right to audit our compliance with this DPA, up to once per year (and additionally in the event of a material security incident or upon instruction by a relevant data protection authority). Audits must be conducted during regular business hours, with reasonable advance notice (at least 30 days) to us, and subject to agreed scope and confidentiality controls.

Procedure: At Controller's option, the audit may consist initially of us providing relevant and up-to-date third-party certifications or audit reports (e.g., ISO 27001, SOC 2, or similar) or other documentation demonstrating our compliance with the DPA. If such reports are insufficient or not available, the Controller may request an on-site or remote audit of procedures directly relevant to the processing of Personal Data. Any on-site audits shall be conducted by Controller or its mandated auditor in a manner that avoids undue disruption to our operations and respects our confidentiality obligations to other customers (i.e., ensuring the auditor doesn't access data of others).

Costs: Each party shall bear its own costs of any audit. If the audit requires us to contribute resources beyond normal operational capacity (for example, extensive staff time or technical support), the parties will discuss in good faith an appropriate cost reimbursement to us for those efforts, to be agreed in writing before the audit commences.

Results and Remediation: The Controller will share the audit results with us and we will work together to address any identified gaps. We will promptly take corrective action to address any deficiencies discovered by the audit that we agree violate the terms of this DPA. Both parties agree that all information and reports of any audits are confidential information and will be kept secret and not disclosed to third parties, except as required by law or for regulatory oversight.

10. Data Transfers

International Transfers: We are based in the U.S. and may engage Sub-processors in other countries. When we transfer Personal Data from the European Economic Area, UK, or Switzerland to countries not deemed to provide an adequate level of protection, we will ensure appropriate safeguards are in place. This includes, as relevant, adherence to the European Commission's Standard Contractual Clauses (SCCs) for processors (2021/915/EU) and the UK International Data Transfer Addendum, or any other transfer mechanism approved under applicable law.

SCC Incorporation: If required by the Controller's jurisdiction, by reference this DPA incorporates the Standard Contractual Clauses between the Controller (as data exporter) and us (as data importer), including the following details: Module Two (Controller to Processor) of the EU SCCs shall apply; the "optional" Clause 7 docking clause is included (if needed to allow new parties to join); for Clause 9 on Sub-processors, Option 2 (General Authorization) is selected with a notice period as in Section 6 of this DPA; the optional redress clause is omitted; for Clause 17 (Governing law), the parties agree the law of the EU member state where the Controller is established (or, if not applicable, of The Netherlands); for Clause 18 (Choice of forum), the courts corresponding to that law will have jurisdiction. Appendix 1 of the SCCs (List of Parties, Description of Transfer) is satisfied by references in Section 2 (Details of Processing) of this DPA. Appendix 2 (Security Measures) is satisfied by references in Section 5 (Security Measures) of this DPA and our Privacy Policy's security section. The UK Addendum or Swiss-specific provisions will apply as needed for those transfers (e.g., UK law for disputes for UK data).

Alternative Mechanism: If the EU SCCs or other chosen transfer mechanism is modified, replaced, or invalidated by competent authorities, the parties will work together in good faith to promptly adopt an alternative valid mechanism or additional supplementary measures to ensure continued compliant transfer of data. We may also implement additional technical safeguards (like encryption or pseudonymization) upon Controller's request to supplement transfer protections.

11. Return or Deletion of Data

Upon Termination: Upon termination or expiration of the Controller's use of our services, or upon Controller's written request at any time, we will, at Controller's choice, either delete or return all Personal Data processed on behalf of the Controller, in a reasonably accessible format, to the Controller. Unless applicable law requires storage of the personal data (in which case we will inform the Controller), we will delete the data from our active systems.

Deletion: Our deletion efforts will involve removing personal data in our production systems and securely overwriting or wiping it. Some data may remain in backups for a limited period (which are subsequently overwritten on routine cycles), but we ensure that any such residual data remains protected and is not readily accessible, and is deleted according to our data retention and deletion policies shortly thereafter. We will not actively process any personal data retained in backups except if needed for security and restoration, and even then, only for the period until deletion is possible.

Acknowledgment: Upon the Controller's request, we will provide a written confirmation that we have complied with the deletion or return obligation to the extent feasible.

12. Liability and Indemnities

Liability Cap: Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In no event shall either party be liable to the other party for indirect or consequential losses arising from any breach of this DPA, to the extent permitted by applicable law.

Indemnification: The Controller shall indemnify and hold harmless the Processor from any losses arising from the Processor following Controller's unlawful instructions or from any breach of this DPA or applicable data protection law by the Controller. Conversely, the Processor shall indemnify and hold harmless the Controller for losses arising from the Processor's breach of this DPA or violation of applicable data protection law, but in each case only to the extent that the Terms of Service provide for such indemnification. Notably, since we generally do not separately indemnify under our standard Terms for privacy compliance, this clause is subject to any indemnity or liability arrangements in the main agreement.

13. General Provisions

Conflict: In the event of any conflict between the provisions of this DPA and the Terms of Service or other agreements between the parties, the provisions of this DPA shall prevail with regard to the subject matter of data protection.

Duration: This DPA is effective for as long as we process Personal Data on behalf of the Controller (i.e., the term of our service relationship) and until deletion of such data.

Changes: We may update the terms of this DPA from time to time in line with changes in data protection law or our services. If we do, we will notify the Controller in accordance with the notice provisions of the Terms of Service. Continued use of the services after the effective date of an updated DPA will constitute acceptance.

Governing Law: This DPA is governed by the same law as the Terms of Service, except where overriding data protection law provisions apply or where the Standard Contractual Clauses mandate a specific governing law for that part of the agreement (as noted in Section 10 above).

Severability: If any provision of this DPA is found to be invalid or unenforceable, the remainder of this DPA will remain in full force and effect. The parties will negotiate in good faith to replace the invalid provision with a valid one that comes closest to the original intent and economic effect.

Entire Agreement: This DPA (including any schedules or annexes, such as the SCCs if applicable) constitutes the entire agreement between the parties with respect to the subject matter and supersedes all prior or contemporaneous understandings, agreements, or communications, whether written or oral, regarding such subject matter.

By using our services or signing an applicable contract, you (Controller) acknowledge that you have read and agree to this Data Processing Agreement. Both parties affirm their intention to fulfill their respective obligations under this DPA in good faith and in compliance with applicable data protection laws.

Adler AM