This Data Processing Agreement (the “DPA”) forms part of the Software License Agreement (the “Agreement”) between Baseline DCF (“Licensor,” the “Processor”) and the Licensee identified in the Agreement (“Licensee,” the “Controller”). It governs the Processing by Licensor of Personal Data on behalf of Licensee.
This DPA applies to the extent that Licensor Processes Personal Data for which Licensee is a Controller and where the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA/CPRA”), or any other applicable data protection law (collectively, “Data Protection Laws”) applies.
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data.
1. Definitions
Capitalized terms not defined herein have the meanings given in the Agreement. The terms “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” “Sub-processor,” and “Supervisory Authority” have the meanings given in the GDPR.
2. Scope and Roles
2.1 Local-software architecture. The Software is installed and operated locally on Licensee’s machines. Licensee Data (including financial inputs, assumptions, comparable data, and Outputs) is not transmitted to or stored by Licensor in the ordinary course of Licensee’s use of the Software. Licensor is not a Processor of Licensee Data.
2.2 Limited Processing by Licensor. Licensor Processes the following Personal Data on Licensee’s behalf:
- Account and authentication data: name and email address of Authorized Users who create an Account or accept the Agreement, used to issue License Keys, manage subscriptions, and provide support.
- Trial-signup data: name, email, IP address, and timestamp captured at trial signup as evidence of acceptance of the Software License Agreement.
- Support correspondence: any Personal Data contained in support emails or other communications initiated by Licensee or its Authorized Users.
2.3 Categories of Data Subjects. The Personal Data relates to Licensee’s employees, contractors, and other Authorized Users of the Software.
2.4 Categories of Personal Data. The Personal Data is limited to contact identifiers (name, business email), authentication identifiers (License Keys associated with individuals), technical metadata (IP address, browser user-agent, timestamps), billing identifiers held by the Payment Processor (Section 6), and any Personal Data Licensee voluntarily includes in support requests.
2.5 Subject matter, nature, and purpose of Processing. The subject matter is the operation of the trial and subscription services described in the Agreement. The nature is electronic Processing for the limited purposes set out in this DPA. The purpose is to provide and support the Software and to satisfy legal, regulatory, and contractual obligations.
2.6 Duration. Processing continues for as long as the Agreement remains in effect, plus a reasonable retention period for legal, accounting, and dispute-resolution purposes.
3. Processor Obligations
3.1 Documented Instructions. Licensor shall Process Personal Data only on Licensee’s documented instructions, which are deemed to consist of the Agreement, this DPA, and reasonable written instructions issued by Licensee from time to time consistent with the Agreement. Licensor shall promptly inform Licensee if, in its opinion, an instruction infringes applicable Data Protection Laws.
3.2 Confidentiality. Licensor shall ensure that all personnel authorized to Process Personal Data are bound by appropriate obligations of confidentiality.
3.3 Security. Licensor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Schedule A.
3.4 Assistance to Licensee. Taking into account the nature of Processing, Licensor shall provide reasonable assistance to Licensee (at Licensee’s expense for non-trivial requests) in:
- responding to requests from Data Subjects exercising their rights under Data Protection Laws;
- ensuring compliance with Licensee’s obligations regarding security, breach notification, data protection impact assessments, and prior consultations with Supervisory Authorities; and
- fulfilling any other obligation imposed on Licensee by Data Protection Laws to the extent within Licensor’s control.
3.5 Personal Data Breach Notification. Licensor shall notify Licensee without undue delay, and in any event within seventy-two (72) hours of confirming any Personal Data Breach affecting Personal Data Processed under this DPA. Each such notification shall include the information required under Article 33(3) of the GDPR to the extent then available.
3.6 Records and Audits. Licensor shall make available to Licensee, upon reasonable request, the information necessary to demonstrate compliance with this DPA. Licensee may, no more than once per twelve-month period and on at least thirty (30) days’ prior written notice, conduct an audit of Licensor’s compliance with this DPA. Audits shall be conducted during business hours, shall not unreasonably disrupt Licensor’s operations, and shall be subject to confidentiality obligations no less protective than those in the Agreement. In lieu of an on-site audit, Licensor may satisfy audit requests by providing a then-current third-party audit report or written responses to a reasonable security questionnaire.
3.7 Return or Deletion. Upon termination or expiration of the Agreement, Licensor shall, at Licensee’s election, return or delete the Personal Data Processed under this DPA, except to the extent Licensor is required by applicable law to retain such Personal Data.
4. Sub-processors
4.1 General Authorization. Licensee provides a general authorization for Licensor to engage Sub-processors to assist in providing the services contemplated by the Agreement. Licensor shall enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA, and shall remain liable for the acts and omissions of its Sub-processors.
4.2 Current Sub-processors. As of the effective date of this DPA, Licensor uses the following Sub-processors:
- Stripe, Inc. (United States) — payment processing, subscription billing, and related financial data.
- Clerk, Inc. (United States) — account authentication, identity, and user management for the customer account portal at account.baselinedcf.com.
- Cloudflare, Inc. (United States) — content delivery network and software installer distribution.
- Vercel, Inc. (United States) — web hosting for baselinedcf.com.
- Google LLC (United States) — business email and productivity (Google Workspace) for support correspondence.
4.3 Notice of Changes. Licensor shall provide Licensee with at least thirty (30) days’ advance notice of the engagement of a new Sub-processor or a material change to its Sub-processors. Notice may be provided by email, through the Account, or by updating this DPA. If Licensee reasonably objects on data-protection grounds, the Parties shall cooperate in good faith to find a mutually acceptable resolution; if no resolution is reached, Licensee’s exclusive remedy is to terminate the Agreement.
5. International Data Transfers
Licensor is established in the United States and its Sub-processors are predominantly established in the United States. To the extent that Personal Data subject to the GDPR, UK GDPR, or FADP is transferred to a country not recognized as offering an adequate level of protection, the Parties agree that the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914) (the “EU SCCs”) are incorporated by reference and shall apply as follows:
- Module 2 (Controller to Processor) shall apply where Licensee is the Controller.
- Module 3 (Processor to Sub-processor) shall apply where Licensee is a Processor acting on behalf of a third party.
- The optional docking clause (Clause 7) is included.
- Under Clause 9, Option 2 (general authorization) applies with thirty (30) days’ notice as set out in Section 4.3 of this DPA.
- Clause 11(a) optional language (independent dispute resolution body) is not included.
- Clause 17 (governing law): the laws of the Member State of the Data Exporter; if the Data Exporter is not in an EU Member State, the laws of Ireland.
- Clause 18 (forum): the courts of the Member State chosen for governing law; failing that, the courts of Ireland.
- Annex I.A (Parties): Licensee is the Data Exporter; Licensor is the Data Importer.
- Annex I.B (Description of Transfer): as set out in Sections 2.3, 2.4, 2.5, and 2.6 of this DPA.
- Annex I.C (Competent Supervisory Authority): the supervisory authority of the Licensee’s Member State.
- Annex II (Technical and Organizational Measures): as set out in Schedule A.
- Annex III (List of Sub-processors): as set out in Section 4.2.
For transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner’s Office is incorporated by reference and applied to the EU SCCs. For transfers subject to the FADP, the EU SCCs are applied with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner.
6. CCPA / CPRA
To the extent the CCPA/CPRA applies, Licensor is a “service provider” and not a “third party” as those terms are defined under the CCPA/CPRA. Licensor shall not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than the specific business purpose of performing the services set out in the Agreement; or (c) combine Personal Data received from Licensee with Personal Data received from any other source, except as permitted by the CCPA/CPRA.
7. Term, Liability, and Miscellaneous
This DPA takes effect on the date Licensee accepts the Agreement and continues until the Agreement is terminated. Each Party’s liability under this DPA is subject to the limitation of liability provisions of the Agreement.
If any provision of this DPA is held unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force. All other terms of the Agreement remain in effect.
Schedule A — Technical and Organizational Measures
Licensor implements and maintains the following technical and organizational measures designed to protect the security, confidentiality, and integrity of Personal Data Processed under this DPA.
Encryption. Personal Data in transit is protected by industry-standard transport encryption (TLS 1.2 or higher). Personal Data at rest in databases operated by Licensor’s Sub-processors is encrypted using industry-standard encryption (AES-256 or equivalent).
Access Controls. Access to systems Processing Personal Data is limited to personnel with a documented need to know. Authentication requires unique user identifiers and strong credentials. Privileged-access accounts use multi-factor authentication.
Network Security. Production environments are segregated from development and test environments. Inbound network traffic is restricted by Cloudflare’s edge firewall and application-layer rules.
Vulnerability Management. Licensor monitors its Sub-processors for security advisories and applies security updates to its hosted code on a timely basis.
Personnel. All personnel with access to Personal Data are bound by written confidentiality obligations and receive security awareness training.
Incident Response. Licensor maintains an incident response process that includes detection, triage, notification, and remediation of Personal Data Breaches.
Business Continuity. Licensor relies on its Sub-processors’ redundancy, backup, and disaster-recovery capabilities for the systems they operate.
Software Architecture. The Baseline DCF application is installed and operates locally on the Licensee’s machines. Licensee Data (financial inputs, models, and Outputs) does not flow to Licensor in the ordinary course of use.
