Legal

Data Processing Agreement

Effective: to be set per-execution upon counter-signature by the Company.

Governing law: Commonwealth of Pennsylvania. Regulatory basis: GDPR Article 28(3); UK GDPR Article 28(3); and analogous data-processor agreement requirements of other applicable data-protection regimes.


TEMPLATE STATUS. This document is a template, not a generally applicable agreement. It is executed on request when a controller (typically an EU- or UK-resident Operator, or another customer subject to data-protection regulation requiring a controller-processor agreement) requests one. The template is not signed by default. Operator's general use of the Platform is governed by the EULA, the Terms of Service, the Subscription Agreement, and the Privacy Policy; a DPA supplements those agreements with the specific controller-processor language required by GDPR Article 28(3) (and analogous data-protection statutes), without modifying the underlying commercial terms.

Execution workflow

  1. Controller request. A controller (Operator or other customer) requests a DPA by emailing contact@rubicontrading.io with the subject line "DPA Request."
  2. Template population. The Company populates the Schedule 1 — Processing details annex (see end of this template) with the controller-specific subject matter, duration, nature, purpose, data categories, and data-subject categories relevant to the controller's use of the Platform.
  3. Counter-signature. The Company and the controller counter-sign the populated template. The Effective Date is the date of counter-signature.

Parties

This Data Processing Agreement (this "DPA") is entered into by and between:

  • [CONTROLLER NAME], a [ENTITY TYPE AND JURISDICTION] with its principal place of business at [ADDRESS] (the "Controller"); and
  • ShapeUp LLC, a Pennsylvania limited liability company doing business as Rubicon Systems, with its principal place of business at 2040 Linglestown Road, Suite 109, Harrisburg, Pennsylvania 17110, United States (the "Processor" or the "Company").

The Controller and the Processor are each a "Party" and collectively the "Parties."


1. Subject matter of processing

1.1 This DPA governs the Processor's processing of Personal Data on behalf of the Controller in connection with the Controller's use of the Rubicon platform (the "Platform") under the EULA, the Terms of Service, the Subscription Agreement, and the Privacy Policy between the Parties (collectively, the "Underlying Agreement").

1.2 To the extent the Processor processes Personal Data in the course of providing the Platform and related services to the Controller, the Processor acts as a "processor" (as defined under GDPR Article 4(8) and analogous statutes) and the Controller acts as a "controller" (as defined under GDPR Article 4(7) and analogous statutes).

1.3 The specific subject matter, duration, nature, purpose, Personal Data categories, and data-subject categories for this DPA are set forth in Schedule 1 — Processing details at the end of this template.


2. Duration of processing

2.1 The Processor's processing of Personal Data on behalf of the Controller continues for the duration of the Underlying Agreement, subject to the data-return / deletion provisions of §12 below upon termination of the Underlying Agreement or upon Controller's written request.

2.2 The duration of any specific processing activity (e.g., a processing activity related to a discrete support inquiry) may be shorter than the duration of the Underlying Agreement, as further described in Schedule 1.


3. Nature and purpose of processing

3.1 The Processor processes Personal Data on behalf of the Controller for the limited purposes of: (a) providing the Platform and related services to the Controller under the Underlying Agreement; (b) administering the Controller's Subscription (including billing and account management); (c) providing support to the Controller through the support channels described in the Terms of Service §4.3; (d) responding to the Controller's exercise of data-subject rights on behalf of data subjects (per §9 below); and (e) complying with the Processor's legal obligations applicable to such processing.

3.2 The Processor shall not process Personal Data for any purpose other than the purposes set forth in this §3 and in Schedule 1, except: (a) on the Controller's documented instructions; or (b) as required by applicable law (in which case the Processor will inform the Controller of the legal requirement before processing unless legally prohibited from doing so).


4. Type of personal data

4.1 The types of Personal Data processed under this DPA are set forth in Schedule 1 and may include (without limitation): the Controller's account-administrator email address; the Controller's billing contact information; License Key metadata; deterministic machine-fingerprinting metadata for seat-allocation enforcement per the EULA §2.3; support-ticket content submitted to the Processor by the Controller's authorized representatives; and similar Personal Data necessary for the operation of the Platform.

4.2 The Processor does not process the following categories of Personal Data under this DPA, except to the extent the Controller voluntarily submits them in a support inquiry (in which case the Processor applies the same protections as to other Personal Data):

(a) broker credentials, market-data vendor credentials, and LLM provider API keys (these remain on the Controller's installed device under the BYOK provisions of the EULA §1.7 and §4.2);

(b) the Controller's trading account numbers, position data, profit-and-loss data, trade history, or strategy parameters (these remain on the Controller's installed device per the Privacy Policy NEVER list);

(c) raw market-data feed content (this remains on the Controller's installed device); and

(d) the content of Operator Strategies (these remain on the Controller's installed device per EULA §2.2 and the Privacy Policy NEVER list).

4.3 Special-category data. The Processor does not anticipate processing "special categories of personal data" (GDPR Article 9) or "personal data relating to criminal convictions and offences" (GDPR Article 10) under this DPA. If the Controller wishes to submit such data to the Processor (e.g., in a support inquiry), the Controller shall notify the Processor in writing in advance, and the Parties shall execute an addendum to this DPA imposing additional safeguards before any such processing.


5. Categories of data subjects

5.1 The categories of data subjects whose Personal Data is processed under this DPA are set forth in Schedule 1 and typically include: the Controller's natural-person account holders and authorized representatives; the Controller's billing contacts; and natural-person end users of the Controller's own services to the extent (and only to the extent) the Controller chooses to provision Platform access to such end users.


6. Obligations and rights of the Controller

6.1 The Controller represents and warrants that: (a) it has a valid legal basis under applicable data-protection law for the processing of Personal Data by the Processor under this DPA; (b) it has provided all required notices and obtained all required consents from data subjects; and (c) its instructions to the Processor comply with applicable data-protection law.

6.2 The Controller may issue documented instructions to the Processor regarding the processing of Personal Data. Instructions must be sent to contact@rubicontrading.io with the subject line "DPA Instruction — [Controller Name]."

6.3 The Controller is responsible for the lawfulness of the underlying processing, the accuracy of the Personal Data transmitted to the Processor, and the Controller's compliance with applicable data-protection law in its capacity as controller.

6.4 The Controller has the right to verify the Processor's compliance with this DPA in accordance with the audit-rights provisions of §11 below.


7. Obligations of the Processor

The Processor shall:

7.1 Process only on documented instructions. Process Personal Data only on the documented instructions of the Controller as set forth in this DPA, in Schedule 1, and in such other documented instructions as the Controller may issue under §6.2; except as required by applicable law per §3.2(b).

7.2 Confidentiality. Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations (whether contractual, statutory, or by professional duty).

7.3 Security measures. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, including (to the extent appropriate): (a) pseudonymization and encryption of Personal Data in transit and at rest where reasonable; (b) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures. The Processor's current security measures are described in Schedule 2 — Security measures (to be populated at execution).

7.4 Sub-processor management. Manage sub-processors per §8.

7.5 Data-subject rights assistance. Assist the Controller in responding to data-subject rights requests per §9.

7.6 Breach notification. Notify the Controller of a Personal Data breach per §10.

7.7 Cooperation with regulators. Make available to the Controller and the relevant supervisory authority, upon request, the information necessary to demonstrate compliance with the obligations set forth in this DPA and in applicable data-protection law.

7.8 Data Protection Impact Assessment ("DPIA") support. Where the Controller is required to carry out a DPIA or prior consultation with a supervisory authority under GDPR Articles 35 or 36 (or analogous provisions), the Processor shall, upon the Controller's reasonable request, provide reasonable assistance to the Controller for that purpose.


8. Sub-processor management

8.1 General authorization. The Controller authorizes the Processor to engage sub-processors in connection with processing under this DPA, subject to the conditions of this §8.

8.2 Current sub-processors. As of the Effective Date, the Processor uses the following sub-processors:

(a) Stripe, Inc. — payment processing (Subscription Agreement §7);

(b) SendGrid (Twilio Inc.) — transactional email delivery (account notifications, license notifications, pre-renewal reminders);

(c) Sentry (Functional Software, Inc.) — error monitoring and diagnostic event ingestion (subject to the Processor's PII-scrub architecture described in the Privacy Policy);

(d) Cloudflare, Inc. — Site hosting, license server hosting, CDN, and DNS;

(e) such additional sub-processors as may be set forth in Schedule 3 — Sub-processor list (populated at execution and maintained current by the Processor).

8.3 Sub-processor changes. The Processor shall notify the Controller of any intended additions or replacements of sub-processors that process Personal Data under this DPA at least thirty (30) days in advance of the change taking effect.

8.4 Right to object. The Controller may, within the notice period in §8.3, object on reasonable data-protection grounds to a proposed sub-processor change by sending written notice to contact@rubicontrading.io. If the Controller objects and the Parties cannot resolve the objection in good faith within thirty (30) days, the Controller may terminate the Underlying Agreement without penalty as to the affected processing.

8.5 Sub-processor contracts. The Processor shall ensure that each sub-processor is bound by contractual obligations no less protective than those set forth in this DPA, including confidentiality, security, breach notification, and audit obligations.

8.6 Sub-processor liability. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations under the sub-processor contracts.


9. Data-subject rights

9.1 Forwarding requests. If the Processor receives a request directly from a data subject relating to Personal Data processed under this DPA, the Processor shall, without undue delay, forward the request to the Controller and (unless legally prohibited from doing so) inform the data subject that the Controller is responsible for responding to the request.

9.2 Assistance to Controller. The Processor shall, upon the Controller's reasonable request and at the Controller's expense (except where applicable law requires otherwise), assist the Controller in fulfilling the Controller's obligations to respond to data-subject rights requests under GDPR Chapter III and analogous statutes, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.

9.3 Reasonable measures. Where the Processor's assistance is required and the Controller's processing is configured such that the Processor cannot directly action the data-subject request without specific Controller cooperation (e.g., where the Personal Data is held in encrypted form to which only the Controller has keys), the Processor shall describe the cooperation required and shall act on the Controller's cooperative instructions.


10. Personal-data breach notification

10.1 Notification timing. The Processor shall notify the Controller of any Personal Data breach (as defined under GDPR Article 4(12) or analogous statute) affecting Personal Data processed under this DPA without undue delay after becoming aware of the breach, and in any event within the timeframe required under applicable data-protection law.

10.2 Notification content. The notification shall include, to the extent then known to the Processor and to the extent the Processor is permitted by law to disclose: (a) the nature of the breach; (b) the categories and approximate number of data subjects and data records affected; (c) the likely consequences of the breach; (d) measures the Processor has taken or proposes to take to address the breach and mitigate its possible adverse effects; and (e) a contact point at the Processor for further information.

10.3 Cooperation. The Processor shall reasonably cooperate with the Controller in the Controller's investigation, notification, and remediation of any Personal Data breach, including (where required by applicable law) the Controller's notification of the breach to the relevant supervisory authority and to affected data subjects.

10.4 Records. The Processor shall maintain records of all Personal Data breaches affecting processing under this DPA, sufficient to enable the Controller to comply with its own record-keeping obligations under applicable data-protection law.


11. Audit rights

11.1 Right to audit. The Controller has the right, on reasonable prior written notice of not less than thirty (30) days and not more often than once per twelve-month period (except as otherwise required by applicable law or a supervisory authority), to audit the Processor's compliance with this DPA.

11.2 Audit form. The Controller may exercise the audit right by: (a) reviewing audit reports, certifications, or attestations that the Processor makes generally available (e.g., SOC 2 Type 2 reports, ISO 27001 certifications, or equivalent); or (b) where such generally available materials are insufficient to satisfy the Controller's specific compliance verification need, by requesting a tailored audit conducted by a mutually agreed independent third-party auditor bound by appropriate confidentiality obligations.

11.3 Audit scope. Audits shall be limited to information necessary to verify the Processor's compliance with this DPA and shall not extend to information of other customers of the Processor or to Processor trade secrets unrelated to compliance verification.

11.4 Audit cost. Audits are at the Controller's expense except where the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall reimburse the Controller's reasonable audit costs.


12. Data return / deletion on termination

12.1 Choice of return or deletion. Upon termination of the Underlying Agreement or upon the Controller's earlier written request, the Processor shall, at the Controller's option:

(a) return all Personal Data processed under this DPA to the Controller in a commonly used and machine-readable format; or

(b) delete all Personal Data processed under this DPA from the Processor's systems.

12.2 Default to deletion. If the Controller does not exercise its election under §12.1 within thirty (30) days after termination, the Processor shall delete the Personal Data.

12.3 Retention exceptions. The Processor may retain Personal Data after termination only to the extent required by applicable law and only for the period required by such law. The Processor shall describe to the Controller, upon request, the categories of retained Personal Data and the applicable retention basis.

12.4 Backup media. Personal Data residing on backup media at the time of termination shall be deleted on the Processor's ordinary backup-rotation schedule. During any interim retention period, the Processor shall continue to apply the security measures of §7.3 and the confidentiality obligations of §7.2.

12.5 Certification of deletion. Upon the Controller's reasonable request, the Processor shall certify in writing the deletion of Personal Data carried out under this §12.


13. Cross-border transfer mechanisms

13.1 Transfer disclosure. The Processor processes Personal Data primarily in the United States. To the extent the Controller or any data subject is located in the European Economic Area ("EEA"), the United Kingdom, or another jurisdiction whose data-protection law restricts cross-border transfers of Personal Data, the Processor's processing of Personal Data on behalf of such Controller constitutes a cross-border transfer.

13.2 SCC selection. Cross-border transfers of Personal Data from the EEA to the United States under this DPA are governed by the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914, the "EU SCCs"), in the applicable Module Two (controller-to-processor) form, which are incorporated by reference into this DPA as if fully set forth herein.

13.3 UK transfers. Cross-border transfers from the United Kingdom are governed by the UK Information Commissioner's International Data Transfer Addendum ("UK IDTA") to the EU SCCs, in the form in effect as of the Effective Date, incorporated by reference.

13.4 Other jurisdictions. Cross-border transfers from jurisdictions other than the EEA or the UK are governed by such transfer mechanism (e.g., adequacy decision, binding corporate rules, equivalent standard clauses) as may be required by the data-protection law of the data exporter's jurisdiction.

13.5 Conflict. In the event of a conflict between this DPA and the EU SCCs or UK IDTA, the EU SCCs or UK IDTA control as to matters within their scope.


14. Liability and indemnification

14.1 Liability cap. The Processor's aggregate liability under this DPA, for any and all claims arising out of or related to this DPA, shall not exceed the aggregate fees paid by the Controller to the Processor under the Underlying Agreement in the twelve (12) months preceding the event giving rise to the claim.

14.2 Carve-outs. The liability cap in §14.1 does not apply to: (a) the Processor's indemnification obligations under §14.3; (b) the Processor's confidentiality obligations under §7.2; (c) the Processor's gross negligence or willful misconduct; or (d) where applicable law prohibits limitation of liability.

14.3 Indemnification — Processor. The Processor shall defend, indemnify, and hold harmless the Controller from and against any third-party claim, demand, action, or proceeding (and any associated damages, costs, and reasonable attorneys' fees) to the extent arising out of the Processor's breach of this DPA.

14.4 Indemnification — Controller. The Controller shall defend, indemnify, and hold harmless the Processor from and against any third-party claim, demand, action, or proceeding (and any associated damages, costs, and reasonable attorneys' fees) to the extent arising out of: (a) the Controller's breach of this DPA; (b) the Controller's breach of applicable data-protection law in its capacity as controller; or (c) the Controller's instructions to the Processor where the instructions themselves violate applicable data-protection law.


15. Governing law; venue

15.1 This DPA is governed by, and construed in accordance with, the laws of the Commonwealth of Pennsylvania, without regard to its conflict-of-laws principles, except that the EU SCCs (and, where applicable, the UK IDTA) incorporated under §13 are governed by the law specified in those instruments (typically the law of an EU Member State, or the United Kingdom, respectively).

15.2 Venue and dispute-resolution provisions for disputes arising under this DPA (other than those governed by the EU SCCs or UK IDTA) track the EULA §13.3 (binding individual arbitration administered by the American Arbitration Association under its Consumer Arbitration Rules; seat in Harrisburg, Pennsylvania; class-action waiver with severability rebound; 30-day opt-out per EULA §13.3(e)). Nothing in this §15.2 restricts a supervisory authority's exercise of its statutory or regulatory authority over either Party.

15.3 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to render it enforceable while preserving the Parties' intent.


16. Entire agreement; relationship with Underlying Agreement

16.1 This DPA, together with the Underlying Agreement and the Schedules attached hereto, constitutes the entire agreement between the Parties regarding the Processor's processing of Personal Data on behalf of the Controller. In the event of a conflict between this DPA and the Underlying Agreement regarding matters of data protection within this DPA's scope, this DPA controls.

16.2 Except as expressly modified by this DPA, the Underlying Agreement remains in full force and effect.


Signatures

CONTROLLER:

By: [] Name: [] Title: [] Date: []

PROCESSOR (ShapeUp LLC d/b/a Rubicon Systems):

By: [] Name: [] Title: [] Date: []


Schedule 1 — Processing details

  • Subject matter of processing: [to be populated at execution based on Controller's specific use case]
  • Duration of processing: Coterminous with the Underlying Agreement, subject to §12.
  • Nature and purpose of processing: [to be populated at execution; default per §3.1]
  • Type of personal data: [to be populated at execution per §4.1]
  • Categories of data subjects: [to be populated at execution per §5.1]

Schedule 2 — Security measures

[to be populated at execution; describes the Processor's then-current technical and organizational security measures per §7.3]


Schedule 3 — Sub-processor list

[to be populated at execution; lists the Processor's then-current sub-processors per §8.2]


End of DPA Template v2.0.