Version 2 · Effective: April 27, 2026 · Published: April 27, 2026
Malcolm
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or Terms of Service ("Agreement") between Malcolm Inc., a Delaware corporation ("Processor" or "Malcolm"), and the client utilizing the Services ("Controller" or "Customer").
"Data Protection Laws" means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018.
"Standard Contractual Clauses (SCCs)" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in its Implementing Decision (EU) 2021/914.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018.
2.1 Roles of the Parties. For the purposes of this DPA, the Customer is the Data Controller and Malcolm Inc. is the Data Processor of the Customer Data.
2.2 Customer Instructions. Processor shall process Personal Data only on the documented lawful instructions of the Controller, as set forth in the Agreement and this DPA, to provide the AI-powered investment management Services.
2.3 Compliance. Each party shall comply with its respective obligations under applicable Data Protection Laws.
3.1 Authorized Subprocessors. Controller grants Processor a general authorization to engage the third-party Subprocessors listed in Annex III.
3.2 Changes to Subprocessors. Processor shall notify Controller (via email or in-app notification) at least 15 days prior to adding or replacing any Subprocessor. If Controller objects on reasonable data protection grounds, and the parties cannot resolve the objection, Controller may terminate the applicable portion of the Services.
3.3 AI and Machine Learning. Processor agrees that Personal Data processed via Subprocessors providing Large Language Model (LLM) infrastructure (e.g., Google Cloud Vertex AI) shall be processed strictly via enterprise API endpoints. Customer Data will not be used by Processor or its Subprocessors to train, retrain, or improve public or foundational AI models.
To the extent Processor processes Personal Data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that:
For EEA Data: The EU SCCs (Module Two: Controller to Processor) are hereby incorporated by reference and form an integral part of this DPA.
For UK Data: The UK Addendum is hereby incorporated by reference, amending the EU SCCs to apply to data transfers governed by the UK GDPR.
Malcolm Inc. agrees to abide by the obligations of the "data importer," and Customer acts as the "data exporter."
5.1 Technical and Organizational Measures (TOMs). Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, as detailed in Annex II.
5.2 Confidentiality. Processor shall ensure that all personnel authorized to process Personal Data are bound by strict obligations of confidentiality.
Upon becoming aware of a confirmed Personal Data Breach affecting Customer Data, Processor shall notify Controller without undue delay (and in no event later than 48 hours). Processor shall provide reasonable assistance to Controller in fulfilling Controller’s obligations to notify regulatory authorities and affected data subjects.
Processor shall, taking into account the nature of the processing, assist Controller by implementing appropriate technical and organizational measures to enable Controller to respond to requests from Data Subjects exercising their rights under Data Protection Laws (e.g., access, deletion, portability).
Upon termination or expiration of the Agreement:
Export (Days 1-30): Controller shall have thirty (30) days to export their Personal Data from the Services.
Deletion (Days 31-60): Following the export period, Processor shall securely delete or irreversibly anonymize all active Customer Personal Data within sixty (60) days.
Backups (Up to 90 Days): Controller acknowledges that Personal Data may remain in encrypted, immutable disaster recovery backups for up to ninety (90) days until it is naturally overwritten, provided it remains subject to the security standards of this DPA and is not actively processed.
Upon Controller's written request, Processor shall provide all information reasonably necessary to demonstrate compliance with this DPA. Processor may satisfy this requirement by providing Controller with a copy of its most recent third-party security audit report (e.g., SOC 2 Type II) and/or a summary of its penetration test results, subject to a non-disclosure agreement.
A. Categories of Data Subjects:
Employees, partners, directors, and authorized users of the Controller (the VC/PE fund).
Limited Partners (LPs), investors, and co-investors in the Controller’s funds.
Founders, executives, employees, and board members of current or prospective portfolio companies.
Individuals whose data is included in dealflow materials, CRM records, and meeting transcripts.
B. Categories of Personal Data:
Identity and Contact Data (e.g., names, email addresses, phone numbers, job titles).
Professional and Employment Data (e.g., work history, equity ownership, board seats).
Financial Data (e.g., investment amounts, bank details if applicable).
System Usage Data (e.g., IP addresses, login timestamps).
C. Sensitive / Special Category Data:
The Services are generally not intended for the processing of Special Category data (e.g., health or medical data). However, the Controller may submit identity documents (e.g., passports, government IDs) or background check reports for KYC (Know Your Customer) and AML (Anti-Money Laundering) compliance, which may incidentally contain biometric data or data relating to criminal convictions.
D. Nature and Purpose of Processing:
The provision of an AI-enabled investment management platform (ERP/CRM), dealflow automation, portfolio reporting, and generation of AI-assisted meeting intelligence.
Processor implements the following security measures:
Encryption at Rest: All Customer Data and databases are encrypted at rest using AES-256 encryption.
Encryption in Transit: All data transmitted between the Customer and the Services, and between Processor's internal systems, is encrypted using TLS 1.3 or higher.
Access Controls & MFA: Strict principle-of-least-privilege access controls are enforced. Multi-Factor Authentication (MFA) is strictly required for all Processor personnel accessing the production environment, cloud infrastructure (AWS/Azure), code repositories (GitHub), and internal identity providers.
Cloud Infrastructure Security: The Services are hosted on enterprise-grade cloud providers (AWS, Azure) located in the United Kingdom, which maintain rigorous physical and logical security standards.
Logging and Monitoring: System activities, access logs, and security events are actively monitored and retained via AWS CloudWatch.
Compliance Roadmap: Processor is actively maintaining controls aligned with industry best practices and is working towards formalized SOC 2 Type II compliance.
The Controller authorizes the use of the following Subprocessors:
Subprocessor Name | Purpose of Processing | Location |
Amazon Web Services (AWS) | Cloud infrastructure, core hosting, database (S3), email delivery (SES), logging (CloudWatch). | United Kingdom |
Microsoft Azure | Cloud infrastructure and database services. | United Kingdom |
Google LLC (Vertex AI) | Enterprise API provider for Large Language Model (LLM) artificial intelligence processing. | EU/UK/US |
Stripe, Inc. | Payment processing and billing management. | United States |
(Note: Data processed by Google LLC via Vertex AI enterprise APIs is explicitly excluded from being used to train Google's public or foundational AI models).