DATA PROCESSING AGREEMENT
Version. 1.1. Last updated on 8 September 2025
This data processing agreement (hereinafter referred to as the “processing agreement”) has been entered on this day between the Client (hereinafter the “Personal Data Controller”) and Modular Finance (hereinafter “Modular Finance”) - hereinafter referred to as the “Parties”.
BACKGROUND AND PURPOSE
Modular Finance has developed Monitor, MFN and Strictlog (each a ”Service” and collectively the “Services”). The Parties have entered into an agreement under which Modular Finance shall provide certain Services to the Personal Data Controller. For the provision of such Services, Modular Finance will process personal data on behalf of the Personal Data Controller. Such processing shall be governed by the terms of this processing agreement.
Monitor
Monitor is an analytical platform through which Modular Finance’s clients can access certain financial information regarding, among other things, ownership-, short-, and liquidity data. The data is collected and aggregated by Modular Finance. Monitor also has functionality for logging tasks, such as meetings with investors and other stakeholders and follow up on these. There is also functionality for compiling and exporting information.
MFN
MFN is a news distribution platform through which Modular Finance facilitates distribution of information on behalf of its clients.
Strictlog
Strictlog is a digital logbook provided to listed companies for the purpose of creating and managing insider lists.
The Parties acknowledge that this processing agreement may describe data processing activities relating to multiple services offered by Modular Finance. Notwithstanding the foregoing, this processing agreement shall apply solely to those Services that have been purchased by the Client pursuant to the applicable agreement between the Parties.
All references in this processing agreement to Regulation 2016/679/EU (the “General Data Protection Regulation”) shall include any other rules governing the processing of personal data that may apply in addition to or in place of the General Data Protection Regulation, including but not limited to the UK General Data Protection Regulation as defined by section 3(10) of the Data Protection Act 2018.
1. THE PROCESSING AGREEMENT IN RELATION TO OTHER AGREEMENTS
If a provision of the processing agreement contradicts a provision in any other agreement between the Parties, the processing agreement shall take precedence in questions regarding personal data processing.
2. THE EXTENT OF THE PROCESSING AGREEMENT
The processing agreement includes the personal data processing necessary for Modular Finance’s accommodation of certain parts of the Service to the Personal Data Controller and their use of those parts of the Service.
3. THE VALIDITY OF THE PROCESSING AGREEMENT
The processing agreement is valid from the effective date of the agreement between the Parties and will expire when Modular Finance ceases to process personal data for the Personal Data Controller or when this processing agreement is replaced by another personal data processing agreement.
4. MODULAR FINANCE’S PROCESSING OF PERSONAL DATA
4.1. The personal data shall only be processed within the EU/EEA area. The transfer of personal data to countries outside the EU/EEA area must be approved in writing by the Personal Data Controller and requires compliance with the requirements of the General Data Protection Regulation, articles 44-49.
4.2. Modular Finance will process the following categories of personal data for the data subjects stated below on behalf of the Personal Data Controller.
Monitor:
- Name: First name, surname.
- Contact details: Phone number to work (landline and mobile), e-mail address, company name and company address.
- Particularly regarding physical shareholders: Home address, national ID number, name.
- Shareholding: Information about current and historic holding of shares.
- Function: Role, function, title.
- Meetings: Time and place for various meetings, phone calls and attached notes.
- Data Subjects: Shareholders, investors, analysts, brokers, journalists, advisors, board members, auditors.
MFN:
- Name: First name, surname.
- Contact details: Phone number to work (landline and mobile), e-mail address, company name and company address.
- Data Subjects: Shareholders, investors, analysts, brokers, journalists, advisors, auditors and other stakeholders who want to receive news from the Personal Data Controller.
Strictlog:
- Name: First name, surname
- National identification number: National identification number and date of birth.
- Contact details: Phone number to work (landline and mobile), e-mail address, home address, company name and company address.
- Function: Role, function, title and reason for being included in an insider list.
- Time stamps: Time stamps for when one was added to an insider list, when e-mails were opened, when verifications were made and when reminders were sent out.
- Data Subjects: Client employees and board members, advisors, related people to PDMR as stated by applicable law.
5. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Modular Finance shall take appropriate technical and organizational measures at any time to ensure an appropriate level of security in relation to the risks associated with the current personal data processing.
6. STORAGE, CHANGE, DELETION AND BLOCKING
6.1. Modular Finance may only modify, delete or block personal data processed on behalf of the Personal Data Controller on the instructions of the Personal Data Controller, see section 11 below. If a data subject applies directly to Modular Finance regarding the modification or deletion of the personal data of the data subject, Modular Finance shall forward such request to the Personal Data Controller as soon as possible.
6.2. Personal data processed in the Service will be stored throughout the duration of the service agreement and legal requirements. Upon termination of the service agreement, the Personal Data Controller may request that the personal data processed in the Service shall be transferred to the Personal Data Controller.
7. CONTROL FUNCTIONS AND MODULAR FINANCE’S OTHER COMMITMENTS REGARDING PERSONAL DATA PROCESSING
In addition to complying with the provisions of the processing agreement, Modular Finance has the following obligations regarding the processing of personal data.
- When implementing the processing agreement, apply and comply with all relevant provisions regarding the processing of personal data in force in Sweden.
- Ensure that all persons who may have access to personal data processed on behalf of the Personal Data Controller shall be bound by a confidentiality obligation and shall be informed of the special privacy data protection measures applicable under the processing agreement and the limited processing of personal data that may only take place in accordance with instructions from the Personal Data Controller.
- Assist as much as possible the Personal Data Controller to fulfil its obligations under applicable rules on the protection of personal data vis-à-vis regulatory authorities and data subject(s).
8. SUB-PROCESSORS
8.1. Through this agreement, the Personal Data Controller provides a written permission to Modular Finance to transfer and grant access to the personal data covered by this agreement to one or more other Personal Data Processors (Sub-Processors) that Modular Finance employ. Modular Finance is fully responsible towards the Personal Data Controller for the Sub-Processor’s fulfilments of their obligations with regards to data protection in the same way and to the extent that Modular Finance performs the processing. Modular Finance shall enter into written agreements with each and all the Sub-Processors.
Upon hiring or change of Sub-Processors, Modular Finance shall inform the Personal Data Controller in advance to let the Personal Data Controller object to the change. The Personal Data Controller shall upon receipt of the information, notify Modular Finance without delay and no later than within 30 days, of any objections and the reasons for them. Should the Personal Data Controller object, Modular Finance has the right to negotiate with the Personal Data Controller to reach a satisfactory solution for both Parties based on the objection. If the Personal Data Controller does not raise an objection as stated above, then the Personal Data Controller shall be deemed to have approved the appointment or replacement of the Sub- Processor.
8.2. These provisions do not prevent Modular Finance from hiring and entering into agreements with third parties for support functions that are necessary for its operation, such as telecommunication-, cleaning- or audit services. However, to protect the personal data of the Personal Data Controller, Modular Finance shall when employing such support functions ensure that necessary contractual terms are in place and applied.
8.3. By signing this processing agreement, the Personal Data Controller agrees that Modular Finance uses the following Sub-Processors. Regardless of the location of the headquarters of the Sub-Processors, all data will be stored and processed within the EU/EEA at all times.
General:
E-mail service: Twilio Ireland Limited, 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland
Processing will occur in data centers located in the EU.
https://www.dataprivacyframework.gov/participant/5394Server space provider: Amazon Web Services, EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg, Luxembourg.
Processing will occur in data centers located in the EU.
https://www.dataprivacyframework.gov/participant/5776Server space provider: Digital Ocean, 101 Avenue of the Americas, 10th Floor, New York, NY, 10013, USA.
Processing will occur in data centers located in the EU.
https://www.dataprivacyframework.gov/participant/5296Server space provider, e-mail services and document handling: Google Cloud EMEA Limited, Clanwilliam Place, Dublin 2, Ireland.
Processing will occur in data centers located in the EU.
https://www.dataprivacyframework.gov/participant/5780Content delivery network, DNS, and security services: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA.
Processing will occur in data centers located in the EU.
https://www.dataprivacyframework.gov/participant/5666
Strictlog specific sub processors:
- Server space provider: Glesys Internet Services AB, org.nr. 556647-9241, Badhusvägen 45, 311 32 Falkenberg, Sweden.
Located in Sweden.
9. RIGHT TO AUDIT
9.1. Modular Finance shall provide the Personal Data Controller with the information, including documentation, that may be deemed necessary to enable the Personal Data Controller to comply with their responsibilities.
9.2. If the Personal Data Controller or their appointed auditor will carry out on-site inspections, the operation of Modular Finance’s activities shall be considered, and the Personal Data Controller shall notify Modular Finance of such inspection at least two weeks in advance. Modular Finance shall assist the Personal Data Controller in connection with such inspection in the best conceivable way.
10. OBLIGATION TO REPORT SHORTCOMINGS
Modular Finance and the Personal Data Controller shall immediately notify each other if any errors, deficiencies or violations of the personal data protection occur or are suspected to have occurred. This includes incidents or events where loss of or accidental disclosure or access to personal data occurs or is suspected to have occurred. The Parties undertake to take all reasonable steps to resolve any violations immediately.
11. PERSONAL DATA CONTROLLER’S RIGHT TO ISSUE INSTRUCTIONS
11.1. Modular Finance may only process the personal data of the Personal Data Controller in accordance with its instructions. Modular Finance may only disclose personal data to third Parties or the data subject(s) with the written consent of the Personal Data Controller. All instructions from the Personal Data Controller must be in written form.
11.2. Modular Finance may not use personal data for any purpose other than for the completion of the processing agreement. No copies or duplicates may be made without the knowledge of the Personal Data Controller. This does not apply to backups, log files etc. when these are necessary to ensure legal processing of personal data and to fulfil the requirements of the agreement between the Parties, provided that the data are not changed and that the processing does not violate the interests of the Personal Data Controller.
11.3. Modular Finance shall immediately notify the Personal Data Controller in case Modular Finance considers that an instruction is in violation of any applicable rules on the protection and processing of personal data. Modular Finance may then postpone the completion of the instruction until it has been confirmed or modified by the Personal Data Controller.
12. CHANGES AND ADDITIONS
Changes and additions to the processing agreement shall be in writing and signed by both Parties to be valid.
13. LIABILITY
In case of a breach of the Personal Data Processing Agreement of one of the Parties, that party shall indemnify the other against any losses, damages or sanctions incurred as a result of the breach of this agreement.
14. INVALIDITY
If a provision of the processing agreement is declared partly invalid or invalid, this shall not affect the validity and applicability of the other provisions of the processing agreement. The Parties agree to replace such provisions with a valid provision that best corresponds to the Parties’ original intention and financial interest.
15. FORCE MAJEURE, CAUSES OF EXEMPTION
Modular Finance is exempted from penalties for failure to fulfil its obligations under this processing agreement, if the failure is due to circumstances beyond their control. This includes, without limitation, government action or failure, new or amended legislation, illness or other impairment of work ability, death, occupational conflict, blockade, fire, flood, data- or telecommunications breakdown, loss or destruction of data or property of major importance or accidents of greater extent.