Terms of Service

Appendix 1 – Privacy Notice

1. The type of personal information we collect

1. name, address and date of birth;
2. passport and other identification documentation;
3. contact numbers and email addresses;
4. financial account details and asset ownership;
5. education and employment details;
6. family details including the names and ages of children;
7. communications (e.g., letters, emails and app exchanges);
8. open data and public records.

2. How we get the personal information and why we have it

Most personal information we process is provided by you in connection with our services under these terms. We also receive personal information indirectly, from companies and individuals that you introduce to us, or where you have requested they use the Vendor’s services.

We use the information to provide our services to you, including assisting you to fulfil your own policy requirements when onboarding clients.

3. Who we may share this information with

1. all locations of the Vendor Group companies where appropriate;
2. authorities (e.g., central and local government, tax authorities, regulators including HM Revenue & Customs);
3. outside companies we work with to provide services to you (including those that store data required for AML/KYC identity verification);
4. outside companies we work with to run our business (agents, suppliers, sub‑contractors, advisers, credit reference agencies, fraud prevention agencies, etc.).

4. The lawful bases we rely on for processing

1. 1. your consent (which you can withdraw by contacting your Relationship Manager);
   2. contractual obligation;
   3. legal obligation;
   4. public task;
   5. legitimate interests.
      
      Where applicable, if we transfer your personal data to a third country, we will only do so in line with our obligations under Chapter V of the GDPR or UK GDPR. Where the transfer is to a recipient in a country without an adequacy decision, we will rely on standard contractual clauses (with supplementary measures where appropriate) or an appropriate derogation.

5. How we store your personal information

Your information is securely stored. We will keep your personal information for as long as you are a client. After you stop being a client, we may keep your data for a period to:

1. maintain records to comply with legal and regulatory obligations; and
2. respond to questions or complaints.

We regularly review retention periods to ensure data is not kept longer than necessary.

6. Your data protection rights

Under data protection law, you have rights including:

1. right of access
2. right to rectification;
3. right to erasure (in certain circumstances);
4. right to restrict processing (in certain circumstances);
5. right to object (in certain circumstances);
6. right to data portability (in certain circumstances).

There are exemptions and restrictions that may apply to some or all of these rights.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond. Please contact your Relationship Manager.

7. How to complain

If you have any concerns about our use of your personal information, you can complain to us at Binderr Limited, Ortigia, Tal Ferha, Limit ta’ Gharghur, GHR 1821, Malta or email privacy@binderr.com.

You can also raise concerns with the Office of the Information and Data Protection Commissioner: https://idpc.org.mt/contact/ 

Appendix 2.1 – Data Processing Agreement

IntroductionYour signed Order Form and these Terms of Service constitute your instruction to the Vendor to process your customer data in connection with the services. This Data Processing Agreement ("DPA") regulates that processing. You and the Vendor agree that this DPA sets forth obligations with respect to the Processing of 

Personal Data.

1. Definitions

(Controller, Data Importer, Data Exporter, Data Protection Legislation, Data Subject, European Data Protection Legislation, GDPR, Non‑European Data Protection Legislation, Personal Data, Processing, Processor, Pseudonymisation, Standard Contractual Clauses, Sub‑Processor, Supervisory Authority, UK GDPR) — as set out in the original text, unchanged for legal accuracy.

2. Roles & scope

This DPA applies to the Processing of your Personal Data by the Vendor pursuant to the Terms of Service and your Order Form. You are the Controller (except where you act as a Processor or Sub‑Processor, in which case the Vendor acts as your Sub‑Processor). Nothing alters the Vendor’s role as a Processor with respect to you. This DPA does not limit any data protection commitments in the Terms of Service. You acknowledge the Vendor’s security practices provide a level of security appropriate to the risk.

3. Details of processing

3.1 Data Subjects — determined and controlled by you at your sole discretion; may include your representatives, end users, employees, contractors, collaborators, clients, prospects and customers, and their personnel.

3.2 Categories of Personal Data — determined by you; may include first and last name, employer, role, title, and contact information.

3.3 Special categories of Personal Data — will not be processed by the Vendor; you agree never to share such data with the Vendor.

3.4 Processing operations — the Vendor shall Process Personal Data only: (i) to provide the services in accordance with your documented instructions; and (ii) for business operations incidental to providing the services (e.g., delivering functional capabilities, preventing/detecting/repairing problems including Security Incidents, and providing support, planning, advice and guidance).

4. Obligations of Binderr

4.1 Processing Personal Data — the Vendor will: (i) process only on documented instructions (including transfers), unless required by law; (ii) inform you if an instruction infringes applicable law and may suspend processing; (iii) ensure persons authorised to process are bound by confidentiality; (iv) provide periodic privacy and security training; (v) implement appropriate technical and organisational measures (including pseudonymisation and encryption; ensuring confidentiality, integrity, availability and resilience).

4.2 Systems and services — restore availability and access to Personal Data in a timely manner; regularly test and evaluate measures; prevent unauthorised access or disclosure; and adhere to conditions for Sub‑Processors (see clauses 6 and 7).

Documented Instructions include the Terms of Service, this DPA and the Order Form. The Vendor shall not retain, use, disclose or otherwise Process Personal Data other than for the purposes set out herein and shall not sell Personal Data.

5. Security incident management

5.1 Notice — the Vendor shall notify you without undue delay (and in any event within 48 hours) after becoming aware of any Security Incident. Notification may be provided via email to your administrators. You are responsible for your own incident notification obligations. Vendor’s reporting is not an acknowledgement of fault.

The Vendor will investigate, provide information (which may be provided in phases), and take reasonable steps to mitigate effects. If the Security Incident was not due to the Vendor’s fault, reasonable cooperation costs and expenses shall be covered by you. The Vendor will make reasonable efforts to assist with notifications to Supervisory Authorities and Data Subjects. You shall promptly notify the Vendor of any possible misuse or potential security incident related to the services.

6. Sub‑Processors

The Vendor may engage subcontractors and Sub‑Processors. The Vendor will: (i) provide prior notice of additions or replacements, giving you the opportunity to object; (ii) ensure Sub‑Processors are bound by no‑less‑protective obligations; and (iii) remain fully liable for Sub‑Processor obligations.

Approved Sub‑Processors:

• Amazon Web Services — data storage, database hosting, container hosting, logging, load balancers (Germany).
• DocuSign — data required for e‑signature verification and certification (France/Germany/Netherlands).
• Sum and Substance Ltd — data required for AML/KYC identity verification (Germany).
• ComplyAdvantage — data required for AML screening and watchlists (Germany).

7. Changes to Sub‑Processors

At least 60 days before authorising any new Sub‑Processor, the Vendor shall post notice at www.binderr.com. You may object on reasonable grounds within 30 days, and the Vendor may (at its discretion): cancel use; take corrective steps; or cease providing the particular aspect of the services, with a fee adjustment as mutually agreed. If none of these are reasonably available or agreed within 30 days, either party may terminate the affected services.

7.1 Emergency replacement — the Vendor may urgently replace a Sub‑Processor where necessary and beyond its control, with notice as soon as practicable; you retain the right to object.

8. Cooperation with requests from Data Subjects

The Vendor will reasonably assist with Data Subject requests consistent with the services’ functionality. You are responsible for costs beyond existing functionality. If the Vendor receives a request directly, it will instruct the Data Subject to contact you. Unless prevented by law, the Vendor will notify you without undue delay if a Supervisory Authority makes any inquiry or request for disclosure.

9. Other cooperation

Taking into account the nature of processing and information available, the Vendor shall provide reasonable assistance to ensure compliance with security, notifications, DPIAs, consultations with Supervisory Authorities, and audits (see clause 11).

10. Retention and deletion of Personal Data

10.1 Personal Data — the Vendor shall delete or return Personal Data in accordance with mutual agreement, save where retention is required by law (and then only for so long as required).

10.2 Services — you will have the ability to access, extract, and delete Personal Data during the term. The Vendor shall retain Personal Data for 90 days after expiration or termination so you may extract it. After 90 days, the Vendor will disable your account and delete all Personal Data within 30 days (and certify deletion where required), save where retention is required by law. Backups or other media created for disaster recovery/business continuity may be overwritten or remediated in the ordinary course and in any event not longer than 90 days after creation. The Vendor has no liability for deletion of any data as described in this clause.

11. Security reports, audits and records

Where your audit requirements cannot reasonably be satisfied through available reports and documentation, the Vendor shall, not more than once per calendar year, respond to audit requests subject to scope, timing, duration, control/evidence requirements and fees agreed in advance. Audits to be by an independent, accredited firm during business hours with at least 20 days’ notice and subject to confidentiality/security procedures. No access to other customers’ data or systems not involved in your services. You are responsible for all costs and Vendor time. Material findings will be promptly cured. Where SCCs apply, nothing here varies or modifies them. The Vendor shall maintain records of processing as required and make them available upon request.

12. Your obligations

12.1 Your acknowledgment — you shall comply with all applicable Data Protection Legislation; determine whether the services are appropriate for storage/processing of Personal Data; have the right to transfer or provide access to Personal Data to the Vendor and its Sub‑Processors; are solely responsible for third‑party notification obligations related to a Security Incident; and shall not violate any Data Subject rights.

12.2 Personal Data sharing — the services may enable authorised users to share Personal Data or invite third‑party users. Such third parties may access, view, download, and share Personal Data. Your (and/or your authorised users’) choice to share is solely your responsibility, and the Vendor cannot control third parties with whom you share Personal Data.

13. Modification, supplementation and term

The Vendor may modify or supplement this DPA with notice to you if required by a Supervisory Authority or law, to implement SCCs, or to adhere to an approved code of conduct/certification. If such changes render you non‑compliant with applicable law, you may terminate the Terms of Service and receive a pro‑rata refund for prepaid, undelivered services. This DPA is effective upon your use of the services and remains in force while the Vendor processes Personal Data on your behalf.

14. Transfer of Personal Data and location

You acknowledge the Vendor and its Sub‑Processors may process Personal Data outside the EEA and the UK (including where hosting is in the EEA/UK) if necessary to provide the services. The Vendor shall comply with applicable transfer requirements, including SCCs, adequacy decisions, or other appropriate safeguards.

14.1 Location of Personal Data — Personal Data processed by the Vendor shall be stored in the EEA. Sub‑Processors’ personnel in other regions may have access. The Vendor does not control or limit the regions from which you or authorised users may access or process Personal Data.

14.2 Miscellaneous — the Vendor has appointed a DPO, EU representative, and UK representative (as documented in the Privacy Policy at www.binderr.com). If there is a conflict between the Terms of Service and this DPA, the DPA prevails; if between this DPA and the SCCs, the SCCs prevail. Aggregate liability arising out of this DPA and/or the SCCs shall not exceed the limitations in the Terms of Service.

Appendix 2.2 – DPA Schedule 1 (SCCs and UK Addendum)

(Condensed summary; populated as in the original text for legal completeness.)

• SCCs: Module 2 (Controller→Processor), Module 3 (Processor→Processor), Module 4 (Processor→Controller) apply as appropriate.
• UK Addendum: Incorporated by reference; tables populated per Annexes and governed by England & Wales law; effective from the date you accept the Terms.
• Supplementary clauses cover erasure/deletion, audit alignment with DPA clause 11, notifications routing, sub‑processor notifications, Data Subject rights handling, transfer impact assessment (countries may include Cyprus, Germany, UK, USA), and governing law/jurisdiction (Malta; England & Wales for the UK Addendum and Module 4).

Appendix 2.3 – DPA Annex 1

(Parties and description of transfer) — as in the original text, streamlined for readability without altering legal effect.

Appendix 2.4 – DPA Annex 2 – Security Measures

Security measures implemented by the Vendor (reorganised for clarity; substance unchanged).

1. Pseudonymisation and encryption

• Hosting in AWS (Germany).
• Data encrypted at rest and in transit; key management via platform functionality.
• External systems encrypt data in transit/at rest; transfers outside the EEA only with appropriate safeguards.
• Pseudonymisation applied to residual logs upon account deletion.
• Logging retention: XXXX days (after which pseudonymised data is deleted).

2. Data protection controls

• Email: encrypted by default where supported by the recipient.
• Secure file exchange: encrypted in transit and at rest; dedicated repository per external party; least‑privilege access.

3. Ongoing confidentiality, integrity, availability, and resilience

Standards — commercially reasonable safeguards protect confidentiality, availability and integrity of Personal Data.

Confidentiality — personnel authorised to access Personal Data are bound by confidentiality or statute.

Training — personnel with access to Personal Data receive annual training.

Backups — 24/7 managed backups; at least daily; retained 90 days in primary and 90 days in secondary site.

Disaster recovery — capabilities designed to minimise disruption; incident management; recovery procedures; periodic testing.

4. Regular testing and evaluation

• Annual independent penetration testing of IT infrastructure.

5. IT security controls

Authentication — complex passwords (minimum XXXX characters) and MFA.

Infrastructure security — hardened builds; host firewalls; anti‑virus; minimal end‑user device software; application allow‑listing; no local admin rights; secure email gateway scanning inbound/outbound/internal mail; URL filtering with category blocks; managed XDR with SIEM integration (incl. AWS, firewalls, email gateway); single sign‑on where supported.

Network controls — network managed by IT; firewalls implemented; minimal on‑prem infrastructure; guest Wi‑Fi segregated; personal devices cannot connect to corporate Wi‑Fi; extensive network access controls in AWS; segregated test and production.

Backup & resilience — encryption at rest/in transit; mix of daily/weekly/monthly backups, 30‑minute snapshots and log shipping; immutable backups off‑site; cloud availability zones; cloud‑native backups; automated failure alerts; documented restore processes; periodic restore testing.

Access control — role‑based access on least‑privilege basis; administrative access limited to IT.Patching & vulnerability management — policy‑driven patching by severity; daily/weekly scans; vendor advisories monitored; XDR threat intel; staged testing; systems management tooling for deployment.

Third‑party access — rare, for support; time‑bound and disabled when no longer needed; confirmation obtained.

6. Protection of Personal Data during transmission and storage

Transmission — HTTPS and/or VPN for data in transit.Storage — encryption at rest using ciphers at least as strong as AES‑256 (or equivalent).Backups — backups encrypted and stored in a secondary data centre.

7. Physical security

Safeguards — physical access only by formal authorisation; access reviewed periodically.Facilities — Tier 3 (or higher) data centres; protections against power failure, fire and other hazards; limited access to authorised individuals.

8. Event logging

Network security — enterprise‑class SIEM; firewalls and additional controls to ensure appropriate network access.Logging — access and use of information systems containing Personal Data are logged.

9. System configuration

Malicious software — anti‑malware controls to mitigate accidental/unlawful destruction, loss, alteration, unauthorised disclosure or access.
Asset inventory — maintained for computing equipment and media; access restricted to authorised personnel.

10. Governance and management

1. 1. Information security & data protection — security and privacy embedded across technical, procedural and governance processes; controls configured robustly.
   2. Data Protection Officer ensures cyber and privacy risks are addressed (operations, projects, suppliers, regulatory)
   3. Monthly updates on cyber/privacy to senior management.
   4. Policies — security policies and Information Governance Framework reviewed at least annually; country‑specific supplements where necessary.
   5. Risk management — assessments at project start, major upgrades, supplier due diligence and ongoing; residual risks tracked; monthly reporting of significant risks to senior management.
   6. Security Working Group — monthly meetings (IT, business units, Compliance, security) to raise and address issues.
   7. Incident management — detailed process with lessons‑learned and remedial actions; customer communications where data may be affected; scenario‑based tests.
   8. Vendor personnel — written policies and procedures define roles/responsibilities for those with access to Personal Data.

11. Certification of processes

Standards — Binderr Ltd holds the following ISO certification: 

1. 1. 1. ISO9001:2015 (Certificate Number: BIND4443Q2402; Obtained: 25/11/24; Expiry: 24/11/27).
      2. ISO27001:2015 (Certificate Number: BIND4443A2401; Obtained: 25/11/24; Expiry: 24/11/27).

AWS data centres used by Binderr have numerous certifications (see provider Trust Portals).Independent assessments — annual independent security assessment.

Business continuity — plan maintained and compliant with ISO 22301.

12. Security Measure: Training of Personnel

Practices: Security Awareness Training

The Vendor uses an externally provided security training and awareness platform, which also includes an email phishing simulation component.

• Security training courses are delivered frequently throughout the year, with completion monitored and followed up where necessary.
• Phishing simulations are sent to staff periodically. If a user fails a phishing test, feedback is provided highlighting the “red flags” they should have noticed. Repeated phishing test failures are followed up by the security team.
• Security and awareness-related information is shared via staff bulletins, internal emails, and the company intranet.
• All staff are required to sign an Acceptable Use Policy.
• Mandatory annual training covers employee responsibilities relating to data protection and GDPR.
• All new starters undergo an induction session that includes security and privacy training, policy acceptance, and completion of core security modules.
• Training content and frequency are consistent for all employees, regardless of their work location (office or remote), and include best practices for secure remote work.

13. Security Measure: Accountability

Practices: Accountability

• The Vendor defines accountability as holding individuals responsible for internal control obligations.Control Activities
• An employee sanction procedure is documented, stating that employees may be terminated for noncompliance with policies and procedures.
• Annual performance reviews evaluate each employee’s performance, conduct, and adherence to internal control responsibilities.

14. Security Measure: Data Minimisation and Data Quality

Practices: Data Minimisation

The Vendor makes reasonable efforts to ensure only the minimum necessary Personal Data is collected, used, and retained to provide the services.

Practices: Data Quality

Throughout the term of the agreement, clients may amend Personal Data to maintain accuracy and fulfil their data quality obligations.

15. Security Measure: Data Retention

Practices: Data Retention

The Vendor retains Personal Data in its systems for ninety (90) days after expiration or termination of this agreement, allowing clients to extract their data.

After this 90-day period, the Vendor disables the client account and deletes all Personal Data within thirty (30) days. Where required by law, the Vendor will certify deletion. Data may be retained longer only where legally mandated.

16. Security Measure: Portability and Erasure

Practices: Portability

During the agreement, clients have the ability to access, extract, and delete their Personal Data within the Vendor’s service.

Practices: Erasure

Upon disposal or removal of storage media, the Vendor destroys, deletes, or otherwise makes Personal Data irrecoverable.

Client data is logically separated from all other Vendor customer data to ensure confidentiality and integrity.