Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by IntelliGrowth on behalf of our customers, in compliance with GDPR and other applicable data protection laws.
This DPA automatically applies to all Enterprise plan customers processing personal data through IntelliGrowth Compliance. If you require a custom DPA or signed copy, please contact our legal team.
1. Overview
This Data Processing Agreement ("DPA") forms part of the agreement between IntelliGrowth, Inc. ("Processor" or "IntelliGrowth") and the customer ("Controller" or "Customer") for the provision of the IntelliGrowth Compliance platform (the "Services").
This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection legislation including the UK GDPR and the California Consumer Privacy Act ("CCPA").
By using the Services, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable data protection laws, in the name and on behalf of its authorized users.
2. Definitions
For the purposes of this DPA, the following definitions apply:
| Personal Data | Any information relating to an identified or identifiable natural person processed by IntelliGrowth on behalf of the Customer. |
| Data Subject | An individual whose Personal Data is processed under this DPA. |
| Controller | The Customer, who determines the purposes and means of processing Personal Data. |
| Processor | IntelliGrowth, who processes Personal Data on behalf of the Controller. |
| Sub-Processor | A third party engaged by IntelliGrowth to process Personal Data on behalf of the Customer. |
| Standard Contractual Clauses (SCCs) | The contractual clauses approved by the European Commission for international data transfers. |
3. Scope of Processing
3.1 Subject Matter
IntelliGrowth will process Personal Data as necessary to provide the compliance infrastructure services described in the main service agreement.
3.2 Types of Personal Data
The following categories of Personal Data may be processed:
- Investor identification data (name, address, date of birth)
- Contact information (email, phone number)
- KYC/AML verification status and documentation identifiers
- Investor accreditation status
- Jurisdiction and residency information
- Token holdings and transfer records
- Account credentials and access logs
3.3 Categories of Data Subjects
- Investors in tokenized securities
- Customer's employees and authorized users
- Customer's counterparties and business contacts
3.4 Processing Activities
- Storage and retrieval of investor registry data
- Compliance verification for token transfers
- Generation of audit reports and compliance documentation
- User authentication and access management
- Technical support and troubleshooting
4. Processor Obligations
IntelliGrowth shall:
5. Security Measures
IntelliGrowth implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
5.1 Technical Measures
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
- Access controls with multi-factor authentication
- Regular security testing and vulnerability assessments
- Continuous monitoring and logging of system access
- Network security including firewalls and intrusion detection
5.2 Organizational Measures
- Information security policies and procedures
- Employee security training and awareness programs
- Background checks for personnel with data access
- Incident response and data breach procedures
- Regular security audits (SOC 2 Type II)
6. Sub-Processors
The Customer provides general authorization for IntelliGrowth to engage Sub-Processors. IntelliGrowth shall:
- Maintain a list of authorized Sub-Processors
- Notify the Customer of any intended changes to Sub-Processors
- Allow the Customer to object to new Sub-Processors within 30 days
- Ensure Sub-Processors are bound by data protection obligations equivalent to this DPA
6.1 Current Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure hosting | USA (with EU regions available) |
| Vercel Inc. | Application hosting and CDN | USA |
| Neon Inc. | PostgreSQL database hosting | USA (with EU regions available) |
| Stripe, Inc. | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| PostHog Inc. | Product analytics | USA (EU datacenter available) |
Last updated: January 21, 2026. Subscribe to Sub-Processor updates by contacting dpa@intelligrowth.xyz.
7. Data Subject Rights
IntelliGrowth shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of access — Provide copies of Personal Data upon request
- Right to rectification — Correct inaccurate Personal Data
- Right to erasure — Delete Personal Data where applicable
- Right to restriction — Restrict processing upon request
- Right to data portability — Export data in structured format
- Right to object — Cease processing where applicable
The Controller shall notify IntelliGrowth of any Data Subject request. IntelliGrowth shall provide reasonable assistance at the Controller's expense (for requests exceeding standard support).
8. International Data Transfers
IntelliGrowth is based in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland, IntelliGrowth relies on:
8.1 Standard Contractual Clauses
IntelliGrowth offers the European Commission's Standard Contractual Clauses (SCCs) as adopted in Commission Decision (EU) 2021/914, incorporated by reference into this DPA. The applicable modules are:
- Module Two: Controller to Processor (for Customer Personal Data)
- Module Three: Processor to Processor (for Sub-Processor transfers)
8.2 Supplementary Measures
In addition to the SCCs, IntelliGrowth implements supplementary measures including:
- Technical measures (encryption, access controls)
- Organizational measures (policies, training)
- Contractual measures (binding Sub-Processor agreements)
EU Data Residency: Enterprise customers may request EU-only data residency where Personal Data is processed and stored exclusively within the European Union.
9. Audit Rights
IntelliGrowth shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
9.1 Documentation
Upon request, IntelliGrowth shall provide:
- SOC 2 Type II audit report (under NDA)
- Penetration test summary
- Security questionnaire responses
- Evidence of Sub-Processor compliance
9.2 On-Site Audits
The Controller may conduct audits, including inspections, subject to:
- 30 days' advance written notice
- Reasonable scope and duration
- Conducted during normal business hours
- Subject to confidentiality obligations
- Controller bears costs of audit
10. Duration & Termination
10.1 Duration
This DPA shall remain in effect for the duration of the main service agreement between the parties.
10.2 Data Return or Deletion
Upon termination of the service agreement, IntelliGrowth shall, at the Controller's choice:
- Return all Personal Data and delete existing copies, or
- Delete all Personal Data and certify such deletion
IntelliGrowth may retain Personal Data to the extent required by applicable law or for legitimate internal purposes (e.g., compliance records), subject to confidentiality.
10.3 Survival
The confidentiality obligations and any provisions necessary to interpret or enforce this DPA shall survive termination.
11. How to Execute This DPA
For Enterprise Customers
To execute a signed DPA or request a customized version:
- 1.Contact our legal team at legal@intelligrowth.xyz
- 2.Provide your company name and main agreement reference
- 3.Specify any customization requirements (EU residency, specific SCCs, etc.)
- 4.We will provide a countersigned copy within 5 business days
Note: This online DPA is incorporated by reference into your service agreement. If you require a separate signed DPA for your records, please contact our legal team.
12. Contact Us
For questions about this DPA or to exercise your rights:
254 Chapman Rd Ste 208
Newark, DE 19702
United States