This Data Protection Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between CapitalAcquisition.com (“Service Provider”, “Processor”, “we”, “us”) and the Customer (“Controller”, “you”) who uses our services.

This DPA reflects the parties’ agreement with respect to the processing of Personal Data in compliance with Data Protection Laws, including but not limited to the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, UK GDPR, and applicable Canadian privacy laws (e.g., PIPEDA).

Definitions

• Data Protection Laws: GDPR, UK GDPR, PIPEDA, and any applicable privacy laws.
  
  

• Personal Data: Any information relating to an identified or identifiable natural person.
  
  

• Processing, Controller, Processor, Data Subject: As defined in GDPR.
  
  

Roles and Scope

• You are the Controller of Personal Data.
  
  

• We are your Processor, processing Personal Data only on documented instructions from you.
  
  

Processor Obligations

We shall:

• Process Personal Data only on documented instructions from the Controller.
  
  

• Ensure that personnel authorized to process Personal Data are under confidentiality obligations.
  
  

• Implement appropriate technical and organizational measures to ensure the security of processing.
  
  

• Assist the Controller in responding to data subjects exercising their rights.
  
  

• Assist the Controller with data protection impact assessments, if required.
  
  

• Notify the Controller without undue delay after becoming aware of a personal data breach.
  
  

Subprocessors

• We may engage Subprocessors for specific processing activities.
  
  

• We will notify the Controller before adding or replacing any Subprocessors and allow for objections.
  
  

• We shall ensure all Subprocessors are bound by obligations equivalent to those in this DPA.
  
  

International Data Transfers

• Any transfer of Personal Data outside of the EEA, UK, or Canada will be made in compliance with applicable laws.
  
  

• Standard Contractual Clauses (or UK Addendum) shall apply where necessary.
  
  

Data Retention and Deletion

• Upon termination of the Agreement, at Controller’s request, we shall delete or return all Personal Data, except as required to comply with law.
  
  

Audit Rights

• The Controller may audit our compliance with this DPA once annually during business hours, with reasonable notice.
  
  

Liability and Indemnity

• Each party shall be liable for its own breach of this DPA or applicable Data Protection Laws.