Data Processing Addendum

Last modified: May 21, 2026 (view changelog)

This Data Processing Addendum (the “DPA”) sets out the parties’ respective rights and obligations with respect to the processing of Personal Data by Eleven on behalf of Customer in connection with the Software. This DPA is incorporated by reference into, and forms part of, the Manager Account Agreement and any other written agreement between Eleven and Customer governing use of the Software (each, the “Agreement”). It supplements, and should be read together with, the Security & Data Protection Addendum (the “SDPA”). Capitalized terms not defined here have the meanings given in the Agreement or the SDPA.

1. Definitions

2. Scope and Roles

Eleven may process, access, receive, or collect Personal Data relating to Customer’s (and its Affiliates’) employees, directors, agents, clients, investors, or other individuals associated with such clients or investors as part of the operation of the Agreement and as required to provide the Software and any related services to Customer. The parties agree that Eleven is authorized to process such Personal Data solely for purposes related to the carrying out of the Software and any related services and in compliance with this DPA.

To the extent Eleven processes Personal Data on Customer's behalf in connection with providing the Software, Customer acts as Controller (or, as applicable, as Processor on behalf of another Controller) and Eleven acts as Processor (or, as applicable, as Subprocessor).

Where Customer acts as Processor on behalf of an underlying Data Controller, Customer represents and warrants that (a) it has the authority of such underlying Data Controller to bind it to the terms of this DPA and the SDPA, and (b) its agreement with such underlying Data Controller imposes data protection obligations on Customer that are no less protective than those imposed on Customer under this DPA. Customer shall indemnify Eleven against any claim by an underlying Data Controller arising from Customer's failure to obtain such authority or impose such obligations.

Migration of Customer Data from Other Systems. Customer may import or migrate Customer Data (including Personal Data of investors and other downstream individuals) from other systems or platforms to the Software. Customer represents and warrants that (a) Customer has all necessary rights, authority, and lawful basis under Applicable Data Protection Laws to import and have Eleven process such Customer Data; (b) the original collection of such Customer Data was lawful and the privacy notices, agreements, and consents under which it was collected permit transfer to and processing by service providers such as Eleven; and (c) Customer has used appropriate technical safeguards in the migration process. Eleven processes migrated Customer Data as Processor in accordance with Customer's instructions, this DPA, and the SDPA. Customer shall indemnify Eleven against any third-party claim arising from Customer's breach of the foregoing representations.

3. Processor Obligations

Eleven shall, with respect to Personal Data processed under this DPA:

1. process such Personal Data only for the purposes and in the manner specified in writing by, or agreed to in writing by, Customer, including as set forth in the Agreement, this DPA, and the SDPA;
2. take appropriate organizational, security, and technical measures against unauthorized or unlawful processing of such Personal Data and against accidental loss or destruction of, or damage to, such Personal Data, including the measures described in the SDPA;
3. not disclose Personal Data to any third party except as permitted under the Agreement, this DPA, or the SDPA, or as required by applicable law;
4. ensure that personnel authorized to process Personal Data are committed to appropriate confidentiality obligations and receive appropriate training on data protection;
5. promptly and reasonably assist Customer in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection), and in fulfilling Customer’s obligations to respond to inquiries from supervisory authorities;
6. maintain a record of the categories of processing of Personal Data carried out on behalf of Customer, as required by Applicable Data Protection Laws;
7. reasonably cooperate with Customer in connection with data protection impact assessments and prior consultations with supervisory authorities that relate to the processing of Personal Data under this DPA; and
8. notify Customer without undue delay if Eleven receives any notice or communication from a supervisory, regulatory, or governmental body that relates directly to the processing of Personal Data under this DPA, to the extent legally permitted.

4. Security and Security Incident Notification

The security measures applicable to Eleven’s processing of Personal Data are described in the SDPA. For the avoidance of doubt, references in Applicable Data Protection Laws to “personal data breaches” are addressed by the Security Incident notification commitments set forth in the SDPA, which shall apply in lieu of any separate timing standard for the notification of personal data breaches under this DPA.

5. Subprocessing

Customer provides general written authorization to Eleven to engage Subprocessors to process Personal Data on its behalf, subject to the requirements set forth in Section 4 of the SDPA (including Eleven’s obligation to maintain a public list of Subprocessors, to provide prior notice of additions or replacements, and to honor Customer’s right to object on reasonable grounds relating to data protection, security, or compliance with Applicable Data Protection Laws).

Each Subprocessor processes Personal Data on behalf of Eleven subject to a written agreement with Eleven as set forth in Section 4 of the SDPA. Eleven shall remain responsible to Customer for any acts or omissions of its Subprocessors that cause Eleven to breach this DPA.

6. International Data Transfers

To the extent that Eleven’s processing of Personal Data subject to European Data Protection Laws involves a transfer of such Personal Data outside the European Economic Area (or, as applicable, the United Kingdom) to a country that has not been recognized by the European Commission (or, as applicable, the UK competent authority) as providing an adequate level of protection, the parties agree that:

1. the EU SCCs (Module 2 — Controller to Processor, or Module 3 — Processor to Processor, as applicable) are hereby incorporated by reference into this DPA and shall apply to such transfer, with Customer acting as the data exporter and Eleven acting as the data importer;
2. for transfers subject to UK law, the UK Addendum is incorporated by reference and applies to such transfer in conjunction with the EU SCCs;
3. the parties agree that the Agreement, this DPA, the SDPA, and the Subprocessor list referenced therein collectively constitute completion of the relevant annexes to the EU SCCs (and the UK Addendum), including the description of the processing, the categories of data subjects and Personal Data, the technical and organizational measures, and the list of sub-processors; and
4. in the event of any conflict between the EU SCCs (or the UK Addendum) and the other terms of the Agreement with respect to the relevant transfer, the EU SCCs (or the UK Addendum, as applicable) shall control.

7. Data Subject Requests

If Eleven receives any request from a data subject relating to Personal Data processed on behalf of Customer, Eleven shall, to the extent legally permitted, promptly forward the request to Customer and shall not respond to the data subject except on Customer’s documented instructions or as required by applicable law. Eleven shall provide reasonable assistance to Customer in responding to such requests in a timely manner.

8. Return and Deletion of Personal Data

The return and deletion of Personal Data following termination or expiration of the Agreement is governed by Section 8 of the SDPA.

9. Audits

Customer’s rights to audit Eleven’s compliance with this DPA are governed by Section 9 of the SDPA. To the extent required by Applicable Data Protection Laws (including Article 28(3)(h) of the GDPR), the parties agree that the audit mechanisms set forth in the SDPA satisfy such requirements.

10. Conflict; Term

In the event of any conflict between this DPA and the other terms of the Agreement with respect to the processing of Personal Data, this DPA controls. Where required by Applicable Data Protection Laws, the EU SCCs (and the UK Addendum, as applicable) control over this DPA. This DPA applies for so long as Eleven processes Personal Data on Customer’s behalf under the Agreement.

11. Contact

Questions about this DPA, or data protection requests under it, may be directed to Eleven at legal@platformeleven.io.

Changelog