Data Processing Agreement

Last Updated: 26 March 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Semaverse Terms of Service or other written or electronic agreement ("Agreement") between Semaverse Ltd ("Semaverse", "we", "us", "Processor") and the customer ("Customer", "you", "Controller") for the use of the Semaverse platform.

1. Definitions

"Data Protection Laws" means all applicable laws relating to privacy and the processing of personal data, including the UK GDPR, the Data Protection Act 2018, and the EU General Data Protection Regulation (2016/679) ("EU GDPR").

Terms such as "Personal Data", "Processing", "Data Controller", "Data Processor", and "Data Subject" shall have the meanings given to them in the Data Protection Laws.

2. Roles and Scope of Processing

2.1 Roles. For the purposes of Data Protection Laws, the Customer is the Data Controller and Semaverse is the Data Processor of the Customer Personal Data. 

2.2 Instructions. Semaverse will only process Customer Personal Data in accordance with the Customer’s documented instructions, which are strictly limited to: (a) providing the Service as outlined in the Agreement; and (b) complying with applicable law. 

2.3 AI Training Restriction. As stated in our Terms of Service, Semaverse strictly prohibits the use of Customer Personal Data to train, fine-tune, or improve our foundation AI models or those of our third-party AI providers.

3. Sub-processing

3.1 Authorisation. Customer provides general written authorisation for Semaverse to engage third-party sub-processors to assist in providing the Service (e.g., cloud hosting providers, LLM API providers). 

3.2 Sub-processor List. A current list of our sub-processors is available upon request [contact legal@semaverse.]. We will notify you of any intended changes as requests, giving you the opportunity to object. 

3.3 Liability. We remain fully liable to you for the performance of our sub-processors' data protection obligations.

4. Security

4.1 Security Measures. Semaverse will implement and maintain commercially reasonable technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure. 

4.2 Personnel. We ensure that all Semaverse personnel authorised to process Personal Data are subject to strict obligations of confidentiality.

5. Data Subject Rights & Cooperation

5.1 Assistance. Taking into account the nature of the processing, we will assist you (at your expense) by implementing appropriate technical and organisational measures to help you fulfill your obligations to respond to Data Subjects' requests to exercise their rights under Data Protection Laws. 

5.2 Regulatory Assistance. We will provide reasonable assistance to help you conduct Data Protection Impact Assessments (DPIAs) or consult with regulators, if required by law.

6. Personal Data Breaches

If we become aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Customer Personal Data ("Data Breach"), we will notify you without undue delay. We will provide reasonable information to help you meet your breach reporting obligations.

7. International Data Transfers

If the processing of Customer Personal Data involves a transfer outside of the UK or European Economic Area (EEA) to a jurisdiction that is not recognised as providing an adequate level of protection, the following transfer mechanisms shall apply and are incorporated by reference:

  • For UK Data: The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), as issued by the ICO.

  • For EEA Data: The standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 ("EU SCCs").

Schedule 1: Details of Processing

  • Subject Matter & Purpose: Providing AI-powered M&A workflow tools, deal analysis, and document review as defined in the Terms of Service.

  • Nature of Processing: Computing, storing, AI-assisted analysis (specifically isolated from foundational model training), and deleting data.

  • Duration: For the duration of the Customer's subscription term, plus the standard deletion period (e.g., 60 days post-termination).

  • Categories of Data Subjects: Customer’s employees, contractors, clients, and personnel of prospective M&A target companies whose data is included in uploaded documents (e.g., data room contents).

  • Types of Personal Data: Identification data (names, titles), contact details, financial/compensation details (often found in M&A cap tables or employment contracts), and any other personal data the Customer chooses to upload to the platform.