CAPSLOCK
Self-Serve Platform Users
Last Updated: June 22, 2026
This Product Data ProcessingAgreement (“DPA”) forms part of the agreement between CapsLock Holdings LLC(“CapsLock,” “we,” “us”) and the individual or organization that registers for and uses the CapsLock platform on a self-serve basis (“Customer,” “you”). It is incorporated into and forms part of the CapsLock Terms of Service (the“Agreement”), which you accept when you create an account or use the platform.
This DPA governs CapsLock’s processing of personal data that you provide or connect to the platform on behalf of others (for example, the contacts in a mailbox you connect). In the event of a conflict between this DPA and the Agreement with respect to the processing of personal data, this DPA controls.
Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data ProtectionLaw. For purposes of this DPA:
“Data Protection Law” means the data-protection laws and regulations applicable to a given processing activity under this DPA. These may include U.S. state privacy laws such as theCalifornia Consumer Privacy Act as amended (“CCPA/CPRA”) and, to the extent personal data originating from the European Economic Area or the United Kingdom is processed, the EU General Data Protection Regulation (“GDPR”) and the UKGDPR and Data Protection Act 2018. Each law applies only to the extent it governs the relevant processing.
“Personal Data,”“processing,” “controller,” “processor,” “data subject,” and similar terms have the meanings given in applicable Data Protection Law. Under CCPA/CPRA,CapsLock acts as a “service provider” with respect to Customer Personal Data.
“Customer Personal Data” means personal data within the data you provide or connect to the platform thatCapsLock processes on your behalf under the Agreement.
“De-Identified Data” means data derived from Customer data that has been processed so that it no longer identifies, and cannot reasonably be used to identify, you or any individual, including the Anonymized Market Data described in Section 8.
“Sub-processor” means any third party engaged by CapsLock to process Customer Personal Data.
2.1 With respect toCustomer Personal Data processed to provide the platform, you are the controller (or a processor acting on behalf of your own controller) andCapsLock is the processor (and, under CCPA/CPRA, the service provider).CapsLock processes Customer Personal Data only on your documented instructions and to provide, secure, support, and improve the platform, except as requiredby law.
2.2 The Agreement, thisDPA, and your configuration and use of the platform constitute your documented instructions. CapsLock will inform you if, in its opinion, an instruction infringes Data Protection Law.
2.3 Separately, CapsLock acts as an independent controller with respect to De-Identified Data, including the Anonymized Market Data described in Section 8, and with respect to account, usage, and security data it processes to operate its own business. This DPA governs CapsLock’s processing as processor; Section 8 and CapsLock’s PrivacyPolicy govern its independent-controller processing of De-Identified Data.
The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex 1. CapsLock will processCustomer Personal Data only for the duration of the Agreement and as needed to fulfill its obligations and exercise its rights under the Agreement and thisDPA.
CapsLock will:
• Process Customer Personal Data only on your documented instructions, including as to international transfers, unless required by law(in which case CapsLock will, where lawful, notify you);
• Ensure that persons authorized to process CustomerPersonal Data are bound by appropriate confidentiality obligations;
• Implement and maintain the technical and organizational security measures described in Section 6 and Annex 2;
• Respect the conditions in Section 5 for engagingSub-processors;
• Assist you, taking into account the nature of the processing, in responding to data-subject requests as described in Section 7;
• Assist you in ensuring compliance with your security, breach-notification, and data-protection-impact-assessment obligations, taking into account the information available to CapsLock;
• At your choice, delete or return Customer Personal Data at the end of the engagement as described in Section 10; and
• Make available to you information reasonably necessary to demonstrate compliance with this DPA.
Under CCPA/CPRA, CapsLock will not: sell or share Customer Personal Data; retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, or outside the direct business relationship, except as permitted by CCPA/CPRA; or combine it with personal data from other sources except as permitted for a service provider. CapsLock certifies that it understands and will comply with these restrictions.
5.1 You provide general authorization for CapsLock to engage Sub-processors to process CustomerPersonal Data, subject to this Section. A current list of Sub-processors is available on request and includes the categories of infrastructure andAI-processing providers CapsLock uses to operate the platform.
5.2 CapsLock will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor’s performance.
5.3 CapsLock will give notice of any intended addition or replacement of a Sub-processor by updating the Sub-processor list or by notice through the platform. If you object on reasonable data-protection grounds, you may stop using the affected feature and, if the matter cannot be resolved, terminate your use of the platform asset out in the Agreement.
6.1 CapsLock will implement appropriate technical and organizational measures to protect CustomerPersonal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, taking into account the state of the art, costs, and the nature and risks of the processing. These measures are described in Annex 2.
6.2 CapsLock stores eachCustomer’s identifiable Customer Personal Data in its own dedicated, logically separated environment, such that no Customer’s identifiable data is commingled in storage with, or disclosed to, any other Customer. CapsLock does not provideany Customer access to another Customer’s identifiable data, and does not sell or disclose such data to third parties except as permitted under this DPA and the Agreement.
7.1 Taking into account the nature of the processing, CapsLock will assist you by appropriate technical and organizational measures, insofar as possible, in fulfilling your obligations to respond to requests by data subjects to exercise their rights(including access, rectification, erasure, restriction, portability, and objection).
7.2 If CapsLock receives a request directly from a data subject regarding Customer Personal Data, it will, where permitted by law, promptly inform the data subject to direct the request to you and/or forward the request to you, and will not respond to the request itself except on your instructions or as required by law.
7.3 You acknowledge that, because CapsLock processes Customer Personal Data on your behalf, you are responsible for determining how to respond to data-subject requests regarding that data, and agree to cooperate with CapsLock as needed to locate and act on the relevant data.
8.1 You authorizeCapsLock to create De-Identified Data from the data you provide or connect, and to use such De-Identified Data, including to operate and improve CapsLock’s products and to provide market-intelligence features (the “Anonymized MarketData”), as an independent controller. Before any information contributes to theAnonymized Market Data, information identifying you or your relationship, and the content and timing of specific communications, is removed, and theAnonymized Market Data is designed to reflect firm-level and allocation-level market characteristics rather than the private dealings between you and any contact.
8.2 CapsLock will not attempt to re-identify De-Identified Data, will maintain processes reasonably designed to prevent re-identification, and will contractually obligater ecipients not to re-identify it, consistent with the standards for de-identified data under applicable Data Protection Law.
8.3 You may elect not to have your data contribute De-Identified Data to the Anonymized Market Data. If you so elect, you will continue to receive the full platform for your own use; only your contribution to the shared layer is affected. You can make or change this election in your account settings.
8.4 As between the parties, CapsLock owns the Anonymized Market Data and other De-Identified Data.Because De-Identified Data does not identify you or any individual, it is notCustomer Personal Data and is not subject to the return or deletion obligations in Section 10.
9.1 To the extentCapsLock processes Customer Personal Data originating from the EEA, the UK, orSwitzerland in a country not recognized as providing an adequate level of protection, the parties incorporate by reference the European Commission’sStandard Contractual Clauses (controller-to-processor module) and, for UK data, the UK International Data Transfer Addendum, and/or rely on CapsLock’s certification under the EU-U.S. Data Privacy Framework where applicable. These mechanisms also cover onward transfers to Sub-processors located outside theEEA or UK.
10.1 You may delete your data, or disconnect a connected account, at any time through the platform. On termination or expiry of the Agreement, CapsLock will, at your choice, return and/or delete Customer Personal Data within thirty (30) days, and delete existing copies, except to the extent retention is required by law or permitted under this DPA. On request, CapsLock will confirm deletion.
10.2 The parties acknowledge that De-Identified Data, which does not identify you or any individual, is not Customer Personal Data and is not returned or deleted under this Section, as set out in Section 8.4.
11.1 CapsLock will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to assist you in meeting your breach-notification obligations.
12.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, except to the extent applicable law provides otherwise.
12.2 This DPA takes effect when you accept the Agreement and remains in force for as long asCapsLock processes Customer Personal Data. Provisions that by their nature should survive termination will survive.
12.3 This DPA is governed by the governing law of the Agreement, except where Data Protection Law requires otherwise (including the governing law specified in any incorporatedStandard Contractual Clauses).
12.4 CapsLock may update or modify this DPA from time to time, including to reflect changes in theServices, its data practices, or applicable law. CapsLock will post the updatedDPA with a revised “Last updated” date and, for material changes, will provide reasonable advance notice through the Services or by other reasonable means. No update will materially diminish the protections afforded to Customer PersonalData under this DPA. Your continued use of the Services after an update takes effect constitutes acceptance of the updated DPA; if you do not agree to a material change, your remedy is to stop using the Services and request deletion of Customer Personal Data as described in Section 10.
Subject matter
Provision of the CapsLock platform and related software features to you.
Duration
The term of the Agreement and any wind-down or return period.
Nature and purpose
Ingesting, organizing, and analyzing data you provide or connect to generate follow-up tasks, suggested communications, and relationship intelligence, and to update your records, on your behalf.
Types of personal data
Identity and contact details (names, business emails, titles, firms); communications content and metadata; engagement and activity data; derived intelligence; account and usage data. Special-category data is not intended to be processed.
Categories of data subjects
Your personnel (users); your contacts, principally prospective and existing limited partners, fund managers, and their representatives.
Frequency
Continuous, for the duration of the Agreement.
Roles
Customer = controller (or processor for its own controller); CapsLock = processor / service provider.
CapsLock maintains the following categories of technical and organizational measures:
• Per-Customer data segregation, so that each Customer’s identifiable data is stored in its own dedicated, logically separated environment, isolated from other Customers’ data;
• Access controls and authentication, limiting access toCustomer Personal Data to authorized personnel on a need-to-know basis;
• Encryption of Customer Personal Data in transit and, where appropriate, at rest;
• Logging and monitoring of access and processing activity;
• Credential isolation, so that integration credentials are not exposed to processing components or model providers beyond what is necessary to perform an authorized action;
• Secure software-development and change-management practices;
• Personnel confidentiality obligations and security training; and
• Business-continuity and incident-response procedures.