Data Processing Agreement (DPA)

GDPR-Compliant Data Processing Terms

Last Updated: June 30, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "User") and SGA Investments ("Data Processor" or "we") for the SGA AlgoTrader Pro platform ("Services").

This DPA complies with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws. It governs the processing of personal data in connection with the Services.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1)

Data Controller: You, the user who determines the purposes and means of processing personal data

Data Processor: SGA Investments, processing personal data on behalf of the Data Controller

Sub-processor: Third-party service providers engaged to process personal data

Data Subject: The individual to whom the personal data relates

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)

3. Data Processing Details

3.1 Subject Matter and Duration

  • Subject Matter: Provision of algorithmic trading platform services
  • Duration: Term of the Services agreement plus retention periods specified in Privacy Policy
  • Nature of Processing: Storage, analysis, transmission, and automated processing of trading data
  • Purpose: Enable automated trading, signal generation, risk management, and platform functionality

3.2 Categories of Data Subjects

  • Platform users (individual traders)
  • User account contacts (if applicable)
  • Support ticket requestors

3.3 Types of Personal Data Processed

Identity Data:

  • Name, username, email address
  • Account authentication credentials (hashed)

Financial Data:

  • Trading positions and transaction history
  • Broker API credentials (encrypted)
  • Account balances and profit/loss data
  • Payment information (processed by third-party payment processors)

Technical Data:

  • IP addresses, device identifiers, browser information
  • Log data, session information, cookies
  • Platform usage metrics and analytics

Communication Data:

  • Support messages and email correspondence
  • Platform notifications and alerts

4. Data Processor Obligations

4.1 Lawful Processing

We shall:

  • Process personal data only on documented instructions from you (the Data Controller)
  • Process data only for purposes specified in the Terms of Service and this DPA
  • Ensure persons authorized to process data are bound by confidentiality obligations
  • Not transfer personal data outside the scope of instructions without prior written consent

4.2 Security Measures (Article 32 GDPR)

We implement appropriate technical and organizational measures including:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA)
  • Pseudonymization: Where technically feasible, personal data is pseudonymized
  • Data Backups: Encrypted backups with 30-day retention, geographically distributed
  • Vulnerability Management: Regular security audits, penetration testing, and patch management
  • Incident Response: 24/7 monitoring and documented incident response procedures
  • ISO 27001 Certification: Compliance with internationally recognized information security standards

4.3 Data Breach Notification (Article 33 GDPR)

In the event of a personal data breach, we shall:

  • Notify you without undue delay and within 72 hours of becoming aware of the breach
  • Provide details of the breach, the affected data categories, and the approximate number of affected data subjects
  • Describe measures taken to mitigate harm and prevent future breaches
  • Cooperate with your breach notification obligations to supervisory authorities and data subjects

4.4 Data Subject Rights Assistance (Articles 12-22 GDPR)

We shall assist you in fulfilling data subject requests for:

  • Right of Access (Article 15): Provide data copies within 30 days
  • Right to Rectification (Article 16): Correct inaccurate data promptly
  • Right to Erasure (Article 17): Delete data when legally required ("right to be forgotten")
  • Right to Restriction (Article 18): Limit processing when requested
  • Right to Data Portability (Article 20): Provide data in structured, machine-readable format
  • Right to Object (Article 21): Cease processing for specific purposes

4.5 Data Protection Impact Assessments (Article 35 GDPR)

Upon request, we will provide reasonable assistance with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities.

5. Sub-processors

5.1 Authorized Sub-processors

You authorize us to engage the following sub-processors:

  Sub-processor               Service                           Location
  AWS (Amazon Web Services)   Cloud infrastructure, databases   EU/US
  Cloudflare                  CDN, DDoS protection              Global
  Sentry                      Error monitoring                  US
  SendGrid / Mailgun          Transactional emails              US

5.2 Sub-processor Requirements

All sub-processors are bound by contracts ensuring:

  • Data protection obligations equivalent to those in this DPA
  • Compliance with GDPR security and confidentiality requirements
  • Audit rights and regular compliance reviews

5.3 Changes to Sub-processors

We will notify you 30 days in advance before adding or replacing sub-processors. You may object on reasonable data protection grounds. If we cannot accommodate your objection, you may terminate the Services.

6. International Data Transfers

6.1 Transfer Mechanisms (Chapter V GDPR)

When transferring personal data outside the EEA, we use the following safeguards:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (2021 version)
  • Adequacy Decisions: Transfers to countries with EU adequacy decisions
  • Supplementary Measures: Additional technical and organizational safeguards (encryption, access controls)

6.2 Data Localization

Primary data storage is in EU/EEA data centers. US-based sub-processors are covered by SCCs with supplementary security measures.

7. Data Retention and Deletion

7.1 Retention Periods

  • Active Accounts: Data retained for duration of Services
  • Closed Accounts: 7 years for financial/tax compliance
  • Backups: 30 days rolling retention
  • Technical Logs: 90 days (unless required for security investigations)

7.2 Data Deletion (Article 17 GDPR)

Upon termination or your written request, we shall:

  • Delete or return all personal data within 30 days (except data required for legal compliance)
  • Delete existing copies from backups during the next scheduled purge cycle (up to 30 days)
  • Provide written confirmation of deletion upon request

8. Audits and Compliance

8.1 Audit Rights (Article 28(3)(h) GDPR)

You have the right to:

  • Request and receive our ISO 27001 certification and SOC 2 reports
  • Conduct audits or appoint independent auditors (with reasonable notice and non-disclosure agreements)
  • Request information demonstrating compliance with this DPA

8.2 Compliance Documentation

We maintain and make available upon request:

  • ISO 27001 certification
  • SOC 2 Type II reports
  • Penetration test summaries (redacted)
  • Data processing records (Article 30 GDPR)

9. Liability and Indemnification

9.1 Liability Allocation (Article 82 GDPR)

Each party shall be liable for damages caused by its own GDPR violations. We are not liable for damages resulting from your instructions or your GDPR non-compliance.

9.2 Limitation of Liability

Liability limitations in the Terms of Service apply, except where prohibited by law (e.g., intentional misconduct or gross negligence).

10. Term and Termination

This DPA:

  • Takes effect upon acceptance of the Terms of Service
  • Remains in effect for the duration of the Services
  • Survives termination to the extent data is retained for legal compliance

11. Governing Law and Jurisdiction

This DPA is governed by GDPR and the laws of [Your Jurisdiction]. Disputes shall be resolved in accordance with the dispute resolution provisions in the Terms of Service.

12. Contact Information

For DPA-related inquiries or to exercise data protection rights:

Data Protection Officer: [email protected]

Privacy Team: [email protected]

Data Subject Requests: [email protected]

EU Representative: [If applicable based on GDPR Article 27]

Note: This DPA incorporates by reference the EU Standard Contractual Clauses (SCCs) for controller-to-processor data transfers. For a copy of the executed SCCs, please contact [email protected].