Data Processing Agreement

Finsight Alpha · Effective date: 15 March 2026

This Data Processing Agreement (“DPA”) applies when you (“Customer”, “Controller”) use Finsight Alpha’s Services and we (“Processor”) process personal data on your behalf under applicable data protection law (including the GDPR and UK GDPR where they apply).

1. Subject matter and duration

We process personal data as needed to provide the Services under our agreement with you (including the Terms of Service) for the term of that agreement.

2. Nature and purpose

Processing may include hosting, authentication, generation and storage of reports, support, security monitoring, and the use of subprocessors as described in our Privacy Policy. Purposes are limited to providing the Services and complying with law.

3. Types of data and data subjects

Typically: account identifiers, professional contact details, and content you submit (e.g. tickers, saved reports). Data subjects may include your personnel and, where you upload it, third parties described in your content. You are responsible for having a lawful basis to provide such data.

4. Instructions

We process personal data only on documented instructions from you (including this DPA and the Terms) unless required by law — in which case we will inform you unless prohibited.

5. Confidentiality

We ensure that persons authorised to process data are bound by confidentiality obligations.

6. Security

We implement appropriate technical and organisational measures as described in our Security Policy.

7. Subprocessors

We may engage subprocessors (e.g. hosting, email, AI, analytics with consent). We remain responsible for their performance. A current list may be provided on request or on our website. We will notify you of material changes where required by law.

8. Data subject rights

Taking into account the nature of processing, we will assist you by appropriate technical and organisational measures in responding to requests from data subjects, to the extent possible.

9. Assistance

We will assist you with security incidents, impact assessments, and consultations with supervisory authorities where required by law, considering the nature of processing and information available to us.

10. Deletion or return

On termination, we will delete or return personal data in our possession as Controller data, except where retention is required by law or covered by backup cycles (then deleted according to our retention schedule).

11. Audits

We will make available information necessary to demonstrate compliance and allow audits reasonable in scope and frequency, subject to confidentiality and security safeguards.

12. International transfers

Where personal data is transferred outside the UK/EEA, we will use appropriate safeguards (e.g. standard contractual clauses) as required.

13. Contact

Processor contact: steve@libertypoint.io.