dealspace/cmd/server/website/dpa.html


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Data Processing Agreement — Dealspace</title>
<meta name="description" content="GDPR Article 28 compliant Data Processing Agreement for Dealspace M&A platform.">
<!-- OpenGraph -->
<meta property="og:title" content="Data Processing Agreement — Dealspace">
<meta property="og:description" content="GDPR Article 28 compliant Data Processing Agreement for Dealspace M&A platform.">
<meta property="og:url" content="https://muskepo.com/dpa">
<meta property="og:type" content="website">
<meta property="og:image" content="https://muskepo.com/og-image.png">
<!-- Twitter -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Data Processing Agreement — Dealspace">
<meta name="twitter:description" content="GDPR Article 28 compliant Data Processing Agreement for Dealspace M&A platform.">
<meta name="twitter:image" content="https://muskepo.com/og-image.png">
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet">
<script src="https://cdn.tailwindcss.com"></script>
<script>
tailwind.config = {
theme: {
extend: {
colors: {
navy: '#0F1B35',
'navy-light': '#1a2847',
slate: '#2B4680',
gold: '#C9A84C',
'gold-light': '#d4b85f',
},
fontFamily: {
sans: ['Inter', 'system-ui', 'sans-serif'],
}
}
}
}
</script>
</head>
<body class="bg-navy font-sans text-white antialiased">
<!-- Navigation -->
<nav class="fixed top-0 left-0 right-0 z-50 bg-navy/95 backdrop-blur-sm border-b border-white/10">
<div class="max-w-7xl mx-auto px-6 py-4">
<div class="flex items-center justify-between">
<a href="index.html" class="flex items-center space-x-2">
<span class="text-2xl font-bold text-white">Deal<span class="text-gold">space</span></span>
</a>
<div class="hidden md:flex items-center space-x-8">
<a href="features.html" class="text-gray-300 hover:text-white transition-colors">Features</a>
<a href="security.html" class="text-gray-300 hover:text-white transition-colors">Security</a>
<a href="pricing.html" class="text-gray-300 hover:text-white transition-colors">Pricing</a>
<a href="/app/login" class="text-gray-300 hover:text-white transition-colors">Sign In</a>
<a href="index.html#demo" class="bg-gold hover:bg-gold-light text-navy font-semibold px-5 py-2.5 rounded-lg transition-colors">Request Demo</a>
</div>
</div>
</div>
</nav>
<!-- Content -->
<div class="pt-32 pb-24 px-6">
<div class="max-w-3xl mx-auto">
<div class="mb-12">
<h1 class="text-4xl font-bold mb-4">Data Processing Agreement</h1>
<p class="text-gray-400">Last updated: February 28, 2026</p>
</div>
<div class="prose prose-invert max-w-none">
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<p class="text-lg text-gray-300 leading-relaxed m-0">
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Muskepo B.V. ("Processor") for the provision of Dealspace services. This DPA governs the processing of personal data in accordance with GDPR Article 28 and other applicable data protection laws.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">1. Definitions</h2>
<p class="text-gray-400 leading-relaxed mb-4">
<strong class="text-white">"Personal Data"</strong> means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
</p>
<p class="text-gray-400 leading-relaxed mb-4">
<strong class="text-white">"Processing"</strong> means any operation performed on Personal Data, as defined in GDPR Article 4(2).
</p>
<p class="text-gray-400 leading-relaxed mb-4">
<strong class="text-white">"Sub-processor"</strong> means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
</p>
<p class="text-gray-400 leading-relaxed mb-4">
<strong class="text-white">"Data Subjects"</strong> means the individuals whose Personal Data is processed under this DPA.
</p>
<p class="text-gray-400 leading-relaxed">
<strong class="text-white">"Confidential M&A Transaction Data"</strong> means all documents, communications, and information uploaded to or generated within Dealspace in connection with mergers, acquisitions, due diligence, or related transactions.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">2. Scope of Processing</h2>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">2.1 Subject Matter</h3>
<p class="text-gray-400 leading-relaxed">
The Processor processes Personal Data to provide Dealspace services including document storage, access management, request workflow, communication facilitation, and audit logging for M&A transactions.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">2.2 Nature and Purpose</h3>
<p class="text-gray-400 leading-relaxed">
Processing includes storage, retrieval, transmission, encryption, watermarking, and deletion of Personal Data as necessary to provide the services described in the Terms of Service.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">2.3 Categories of Data Subjects</h3>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>Account holders and authorized users</li>
<li>Deal participants (sellers, buyers, advisors, and their personnel)</li>
<li>Individuals whose data is contained in uploaded documents</li>
</ul>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">2.4 Types of Personal Data</h3>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>Contact information (name, email, phone, organization)</li>
<li>Account credentials and authentication data</li>
<li>Activity logs (access times, IP addresses, actions taken)</li>
<li>Personal data contained in uploaded M&A transaction documents</li>
</ul>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">2.5 Duration</h3>
<p class="text-gray-400 leading-relaxed">
Processing continues for the duration of the service agreement plus any retention period required by law or agreed with the Controller.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">3. Processor Obligations</h2>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.1 Processing Instructions</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by EU or Member State law. The Processor shall inform the Controller of any such legal requirement before processing, unless prohibited by law.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.2 Confidentiality</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.3 Security Measures</h3>
<p class="text-gray-400 leading-relaxed mb-4">
The Processor implements technical and organizational measures to ensure a level of security appropriate to the risk, including:
</p>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>FIPS 140-3 validated encryption of Personal Data at rest and in transit</li>
<li>Per-deal encryption keys with secure key management</li>
<li>Multi-factor authentication for all system access</li>
<li>Role-based access controls with least-privilege principles</li>
<li>Continuous monitoring and intrusion detection</li>
<li>Regular security assessments and penetration testing</li>
<li>Incident response procedures</li>
<li>Business continuity and disaster recovery capabilities</li>
</ul>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.4 Sub-processing</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall not engage Sub-processors without prior specific or general written authorization from the Controller. In the case of general authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller an opportunity to object. Sub-processors are bound by equivalent data protection obligations.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.5 Data Subject Rights</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly notify the Controller of any such requests received directly.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.6 Data Protection Impact Assessments</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall assist the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities where required.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.7 Deletion and Return</h3>
<p class="text-gray-400 leading-relaxed">
Upon termination of the service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires storage. The Controller has 30 days following termination to export data before deletion.
</p>
<h3 class="text-lg font-medium text-gold mt-6 mb-2">3.8 Audit Rights</h3>
<p class="text-gray-400 leading-relaxed">
The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. For Enterprise customers, specific audit procedures and schedules may be agreed in writing.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">4. Controller Obligations</h2>
<p class="text-gray-400 leading-relaxed mb-4">The Controller warrants that:</p>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>It has a lawful basis for processing Personal Data and transferring it to the Processor</li>
<li>Data Subjects have been informed of the processing in accordance with GDPR requirements</li>
<li>Instructions given to the Processor comply with applicable data protection laws</li>
<li>It will promptly notify the Processor of any changes to processing instructions</li>
</ul>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">5. Data Breach Notification</h2>
<p class="text-gray-400 leading-relaxed mb-4">
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include:
</p>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>Description of the nature of the breach</li>
<li>Categories and approximate number of Data Subjects affected</li>
<li>Categories and approximate number of records concerned</li>
<li>Likely consequences of the breach</li>
<li>Measures taken or proposed to address the breach</li>
</ul>
<p class="text-gray-400 leading-relaxed mt-4">
The Processor shall cooperate with the Controller in investigating and remediating the breach and in meeting notification obligations to supervisory authorities and Data Subjects.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">6. International Transfers</h2>
<p class="text-gray-400 leading-relaxed mb-4">
The Processor may transfer Personal Data outside the European Economic Area only where appropriate safeguards are in place, including:
</p>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li>Standard Contractual Clauses approved by the European Commission</li>
<li>Binding Corporate Rules approved by a supervisory authority</li>
<li>Adequacy decisions by the European Commission</li>
<li>Other mechanisms permitted under GDPR Chapter V</li>
</ul>
<p class="text-gray-400 leading-relaxed mt-4">
The current list of data processing locations and applicable transfer mechanisms is available upon request.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">7. Sub-processors</h2>
<p class="text-gray-400 leading-relaxed mb-4">
The Controller grants general authorization for the use of Sub-processors subject to the requirements of Section 3.4. Current Sub-processors include:
</p>
<div class="overflow-x-auto">
<table class="w-full text-gray-400 text-sm">
<thead>
<tr class="border-b border-white/10">
<th class="text-left py-3 text-white">Sub-processor</th>
<th class="text-left py-3 text-white">Purpose</th>
<th class="text-left py-3 text-white">Location</th>
</tr>
</thead>
<tbody>
<tr class="border-b border-white/10">
<td class="py-3">Infrastructure Provider</td>
<td class="py-3">Cloud infrastructure</td>
<td class="py-3">EU / US</td>
</tr>
<tr class="border-b border-white/10">
<td class="py-3">Stripe, Inc.</td>
<td class="py-3">Payment processing</td>
<td class="py-3">US</td>
</tr>
<tr class="border-b border-white/10">
<td class="py-3">AI Embedding Provider</td>
<td class="py-3">Document matching (zero retention)</td>
<td class="py-3">US</td>
</tr>
</tbody>
</table>
</div>
<p class="text-gray-400 leading-relaxed mt-4">
The Controller will be notified of Sub-processor changes via email at least 30 days in advance, with the opportunity to object.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">8. Certifications and Compliance</h2>
<p class="text-gray-400 leading-relaxed mb-4">
The Processor maintains the following certifications and compliance measures:
</p>
<ul class="text-gray-400 space-y-2 list-disc list-inside">
<li><strong class="text-white">SOC 2 Type II</strong> — Annual audit of security, availability, and confidentiality controls</li>
<li><strong class="text-white">ISO 27001</strong> — Information Security Management System certification</li>
<li><strong class="text-white">FIPS 140-3</strong> — Use of validated cryptographic modules for encryption</li>
<li><strong class="text-white">GDPR</strong> — Compliance with EU General Data Protection Regulation</li>
</ul>
<p class="text-gray-400 leading-relaxed mt-4">
Copies of relevant certifications and audit reports are available to Enterprise customers under NDA.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">9. Liability</h2>
<p class="text-gray-400 leading-relaxed">
Liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Each party shall be liable for damages caused by processing that infringes GDPR or this DPA to the extent provided by applicable law.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">10. Term and Termination</h2>
<p class="text-gray-400 leading-relaxed">
This DPA is effective from the date the Controller begins using Dealspace and continues until termination of all service agreements. Sections that by their nature should survive termination will survive, including data deletion, audit rights, and confidentiality obligations.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8 mb-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">11. Governing Law</h2>
<p class="text-gray-400 leading-relaxed">
This DPA is governed by the laws of the Netherlands. The competent courts of Amsterdam have exclusive jurisdiction over disputes arising from this DPA.
</p>
</div>
<div class="bg-navy-light border border-white/10 rounded-xl p-8">
<h2 class="text-xl font-semibold text-white mt-0 mb-4">Contact</h2>
<p class="text-gray-400 leading-relaxed mb-4">
Data Protection Officer:<br>
<a href="mailto:privacy@dealspace.io" class="text-gold hover:text-gold-light">privacy@dealspace.io</a>
</p>
<p class="text-gray-400 leading-relaxed">
For Enterprise customers requiring executed DPAs or custom terms, contact <a href="mailto:legal@dealspace.io" class="text-gold hover:text-gold-light">legal@dealspace.io</a>.
</p>
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="border-t border-white/10 py-12 px-6">
<div class="max-w-7xl mx-auto">
<div class="grid md:grid-cols-4 gap-8 mb-12">
<div>
<span class="text-2xl font-bold text-white">Deal<span class="text-gold">space</span></span>
<p class="text-gray-400 mt-4">The M&A workflow platform that Investment Banks trust.</p>
</div>
<div>
<h4 class="font-semibold mb-4">Product</h4>
<ul class="space-y-2 text-gray-400">
<li><a href="features.html" class="hover:text-white transition-colors">Features</a></li>
<li><a href="security.html" class="hover:text-white transition-colors">Security</a></li>
<li><a href="pricing.html" class="hover:text-white transition-colors">Pricing</a></li>
</ul>
</div>
<div>
<h4 class="font-semibold mb-4">Legal</h4>
<ul class="space-y-2 text-gray-400">
<li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
<li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
<li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
<li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
</ul>
</div>
<div>
<h4 class="font-semibold mb-4">Contact</h4>
<ul class="space-y-2 text-gray-400">
<li><a href="mailto:sales@dealspace.io" class="hover:text-white transition-colors">sales@dealspace.io</a></li>
<li><a href="mailto:security@dealspace.io" class="hover:text-white transition-colors">security@dealspace.io</a></li>
</ul>
</div>
</div>
<div class="border-t border-white/10 pt-8 flex flex-col md:flex-row justify-between items-center">
<p class="text-gray-500 text-sm">&copy; 2026 Muskepo B.V. All rights reserved.</p>
<p class="text-gray-500 text-sm mt-4 md:mt-0">Amsterdam &middot; New York &middot; London</p>
</div>
</div>
</footer>
<link rel="stylesheet" href="/chat.css">
<script src="/chat.js"></script>
</body>
</html>