Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") supplements the AcquireEU Terms of Service and applies whenever AcquireEU processes personal data on behalf of a customer ("Controller") in the course of providing the service. It is automatically incorporated into the Terms upon acceptance and is binding without further signature.

Enterprise customers requiring a counter-signed copy may request one at hello@acquireeu.com.

1. Definitions

"Personal Data", "Controller", "Processor", "Sub-processor", "Processing", and "Data Subject" have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Service" means the AcquireEU platform.

2. Roles and scope

For Personal Data submitted by the Controller (e.g. user account data of seats invited to a Team plan, watchlist annotations, exported lists), AcquireEU acts as the Processor. The Controller is responsible for ensuring it has a lawful basis to provide such data to AcquireEU.

For Personal Data that AcquireEU independently aggregates from public registries (corporate officers, insolvency practitioners), AcquireEU acts as an independent Controller, processing on the basis of legitimate interest as described in our Privacy Notice. This DPA does not apply to that aggregation activity.

3. Subject matter, duration, and categories

  • Subject matter: Provision of the AcquireEU platform.
  • Duration: The term of the Controller's subscription, plus retention periods stated in the Privacy Notice.
  • Nature and purpose: Hosting, displaying, and operating the platform on the Controller's behalf.
  • Categories of Data Subjects: The Controller's authorized users (employees, contractors).
  • Categories of Personal Data: Email addresses, authentication credentials, IP addresses, device/browser metadata, in-product activity (saved companies, alerts, search history), and any free-text content submitted by the Controller's users.
  • Special categories: The Controller agrees not to submit special-category data (Article 9 GDPR) to the platform.

4. Processor obligations

AcquireEU shall:

  • Process Personal Data only on documented instructions from the Controller, including the instructions captured in the Terms of Service and this DPA.
  • Ensure that personnel authorized to process the Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect the Personal Data (see Section 6).
  • Assist the Controller in responding to Data Subject requests under Articles 15–22 GDPR, taking into account the nature of the processing.
  • Notify the Controller without undue delay (and within 72 hours where feasible) of any Personal Data breach affecting the Controller's data.
  • At the Controller's choice, delete or return all Personal Data after the end of the service, save where retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Sub-processors

The Controller grants AcquireEU general authorization to engage Sub-processors. The current list of Sub-processors is published in our Privacy Notice, Section 4. AcquireEU shall give the Controller at least 14 days' notice (via email or in-app banner) of any intended changes concerning the addition or replacement of a Sub-processor. The Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Controller may terminate the affected services.

AcquireEU imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains fully liable for any failure by a Sub-processor to fulfill its obligations.

6. Security measures

AcquireEU implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) for all client-server communication.
  • Encryption at rest for the primary database and backups (managed by Supabase).
  • Role-based access control with the principle of least privilege; production access restricted to named personnel.
  • Daily backups with documented restore procedures.
  • Centralized logging and uptime monitoring with automated alerting.
  • Multi-factor authentication on all administrative accounts.
  • Annual review of security controls and incident response procedures.

7. International transfers

Where Personal Data is transferred to a Sub-processor located outside the European Economic Area (EEA) in a country without an adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) as set out in Commission Implementing Decision (EU) 2021/914. The Controller is the "data exporter" and AcquireEU (or the relevant Sub-processor) is the "data importer".

8. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits liability where it cannot be limited by law (including liability for personal injury or fraud).

9. Governing law

This DPA is governed by the laws of the Republic of Portugal, consistent with the Terms of Service.

10. Contact

Data-protection inquiries: hello@acquireeu.com.

This DPA is provided for general information and is not legal advice. Enterprise customers should review with their own counsel before reliance.