Seraf Privacy Policy

Last Updated: May 2023 (EU Required Standard Clauses)

The privacy of Users is important to Seraf LLC (“Seraf”). This privacy policy (“Policy”) applies to the Seraf Website and services and tells users of the website, https://seraf-investor.com, how personal information and investment information is collected, used, disclosed, and protected by Seraf. This statement includes Seraf’s EU-U.S. Privacy Shield Framework Privacy Statements and the Website Privacy Statements as well as the Standard Contractual Clauses for the Transfer of Personal Data to third countries pursuant to Regulation (EU 2016/679 of the European Parliament and of the Council (“EU Standard Contractual Clauses”) which are attached here to as Annex One and incorporated by reference. To the extent there is any conflict between an aspect of this Privacy Policy and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall govern. This Privacy Policy governs your access to and use of Seraf at seraf-investor.com (the “Seraf Website" or “Website”), as well as the information and materials on the Seraf Website (the "Content"). Capitalized terms not defined in this Policy shall have the definitions set forth in the Seraf Terms of Service.

Please read this Privacy Policy carefully when using our Website or services or transacting business with us. By using the Website, you are accepting the practices described in this Privacy Policy and the Terms of Use. If we make any material changes to our privacy practices, we will post a revised Privacy Policy on this page.

Changes to This Policy

We may change this Policy at any time from time to time. If we make any changes to this Policy, we will change the “last updated” date above. All such updates and amendments are effective immediately upon notice thereof. If there are material changes to this Policy, we will notify Users directly either at the time of login or by email to the address on record or both. We encourage Users to check this Policy regularly as they use our Websites and services to understand how personal information is used.

Information Collected

Summary:

We collect and store the name, physical and email addresses you submit to us along with any investment and transaction details you submit. We use that data to provide you with the service including your account and performance summaries. We do not sell or share your personal data. We do not collect or store any payment data: when you use a credit card to pay for Seraf, you are transacting with third party payment provider Stripe, Inc. and the use of their data will the subject to their privacy policies. This paragraph is a summary; see details in following section.

Detail:

We do not want any personal information not absolutely necessary to provide Seraf services. The best protection for personal information is not to share it in the first place. For example, Account Owners’ digital locker on Seraf is not an appropriate place to store personal or other sensitive information unrelated to a User’s investment activities. We ask, and Users agree, that neither Account Owners nor, if applicable, their Enterprise Administrators will put any personal or private information on the system beyond what it necessary for us to provide and Users to consume the Seraf services.

That said, in the process of providing the Seraf services, we collect information from Users in various ways when they use our Websites and services. We may also supplement this information with information from other companies. We collect two general types of information, namely limited and specific forms of personal information and relevant investment data. As used in this Policy, the term “Personal Information” means information that specifically identifies an individual (such as a name and email address), and demographic and other information when directly linked to information that can identify an individual.

Our definition of Personal Information does not include “aggregate” data. Aggregate data is information we collect about a group or category of services or users from which individual user identities have been removed. In other words, no Personal Information is included in aggregate data. Aggregate data helps us understand trends in our Users’ needs so that we can better consider new features or otherwise tailor our services. This Policy in no way restricts or limits our collection and use of aggregate data, and we may share aggregate data about our Users with third parties for various purposes, including education, research, or to help us better understand our customer needs and improve our services and for advertising and marketing purposes.

The following are the specific types of information we collect from Users.

Information Enterprise Administrator Give Us. We collect information from Enterprise Administrators on behalf of Account Owners on our Web site when they register for and use our services. Examples include the following:

Registration and Profile Information. When an Account Owner is registered to use our services or update their profile, we may collect various kinds of information about the Account Owner including, their name (or the pseudonym they supply) and email address; their title, company and other profile information they choose to provide; demographic information they choose to provide; and information they choose to upload like photos, files, and documents.

Contact Information. We collect the email addresses from Account Owners or Enterprise Administrators on behalf of the Account Owner for contact purposes. When an Account Owner or Enterprise Administrator on behalf of the Account Owner chooses to collaborate or share company, round, or transaction information or related files with others, we also collect email addresses the Enterprise Administrator provides in order for us to email invitations to those individuals on the Account Owner’s behalf.

Payment Information. When an Account Owner chooses to use a paid Seraf account or service, our 3^rd party payment processing vendor collects their credit card information and billing address (or that of their Enterprise Administrator).

Submissions and Customer Service. From time to time we may use surveys requesting personal or demographic information and customer feedback.

Automatically Collected Information. We automatically receive certain types of information when Users interact with our Web pages, services and communications. For example, it is standard for a Web browser to automatically send information to every Website it visits, including ours. That information includes IP address at which the computer is located, access times, the browser type and language, and referring Website addresses. This data typically accretes automatically in server logs and we may need to refer to it for trouble-shooting or service improvement purposes. Our systems may also collect routine server logs or information about the type of operating system a User uses, their account activity, and files and pages accessed or used by them.

Cookies and Web Beacons. We may also use certain kinds of technology such as cookies and Web beacons to collect information. Among other things, the use of cookies and Web beacons enables us to improve our Websites and emails by seeing which areas and features are most popular, to count the number of computers accessing our Website, to personalize and improve a User’s experience, to record a User’s preferences, to remarket our advertising messages to people who have visited our site via advertising networks across participating websites, and to allow a User to visit our Website without re-entering their member ID and/or password. A cookie is a small amount of data which is sent to a User’s browser from a Website’s computers and stored on the User’s computer’s hard drive. Most browsers automatically accept cookies as the default setting. Users can modify their browser setting to reject our cookies or to prompt them before accepting a cookie by editing their browser options. However, if a browser is set not to accept cookies or if a User rejects a cookie, some portions of the Website and services may not function properly or conveniently. For example, a User may not be able to sign in, authenticate, and access certain Web page features or services. A Web beacon is an electronic image, also called a "gif," that may be used on our Web pages to deliver cookies, count visits and compile statistics on usage and campaign effectiveness or in our emails to tell if an email has been opened and acted upon.

Use of Personal Information

We use Personal Information to process a User’s requests or transactions, to provide a User with their Content, information or services they request, to inform them about other information, products or services we think will be of interest to them, to facilitate their use of, and our administration and operation of, the Website and services and to otherwise serve our Users. For example, Seraf (itself, not its partners) may use a User’s Personal Information:

• to request feedback and to enable us to develop, customize and improve the Website and our publications, products and services;

• to conduct marketing analysis, to send Users surveys or newsletters, to contact Users about services, products, activities, special events or offers from Seraf and for other marketing, informational, product development and promotional purposes;

• to send Users a welcoming email and to contact Users about their use of the Website and services; to respond to their emails, submissions, comments, requests or complaints; to perform after-sales services; to anticipate and resolve problems with our service; to respond to customer support inquiries, for assistance with our product and service development; and to inform Users of updates to products and services from Seraf that better meet User needs;

• to store contacts that an Enterprise Administrator or Account Owner enters or uploads into their contacts list for their private use and viewing;

• to send emails to persons a User invites to collaborate and access their files;

• to enable Users to communicate, collaborate, and share their Content with Users they designate; and

• for other purposes about which we notify Users.

EU Standard Contractual Clauses

The Standard Contractual Clauses for the Transfer of Personal Data to third countries pursuant to Regulation (EU 2016/679 of the European Parliament and of the Council (“EU Standard Contractual Clauses”) are attached here to as Annex One and incorporated by reference. To the extent there is any conflict between an aspect of this Privacy Policy and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall govern.

EU – U.S. Privacy Shield

Seraf complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union the United States. Seraf has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework or our status as an active listed participant, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/list.

Under the Privacy Shield Framework we are responsible for the processing of personal data we receive and subsequently transfer to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield.

In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield.

Under certain conditions, more fully described on the Privacy Shield websitehttps://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

This Privacy Policy applies only to your relationship with us. It does not apply to the interactions that you have with any other individual, entity, investor or other group through the Seraf Website. For example, the Enterprise Administrator of an organization has the ability to disclose or share with other members of the organization any information that you submit to us. We have no control over this disclosure or sharing, and are not responsible for it. The protection of your personal data when you interact with an organization through the Seraf Website is governed solely by any agreements that you may enter into with the Organization and is beyond the scope of this Privacy Policy.

Sharing of Personal Information

We will not share a User’s Personal Information outside of the Seraf employees who have a need to know it to maintain an Account Owner’s services.

Seraf reserves the right to share aggregated demographic information (i.e. not Personal Information) about our customers, sales, and traffic to our commercial partners and sponsors and/or with education and research partners. We will not give, sell, rent, share, or trade any of a User’s Personal Information or any data that a User stores using our services to any third party except as outlined in this Policy or with a User’s consent. We may disclose information to a third party to (a) comply with laws or respond to lawful requests and legal process, (b) to protect Seraf, agents, customers, and others including to enforce our agreements, policies and Terms of Service or (c) in the good faith belief that disclosure is needed to respond to an emergency, or protect the personal safety of any person.

Conversion of Individual Accounts to Group Accounts

If a User is a natural person and an individual Seraf Account Owner, and belongs to a group or organization (such as an investing group, network, fund, incubator, family office or angel group), and that organization later wishes to establish a Seraf Enterprise account (i.e. become an Account Owner at the entity level) and add the individual Seraf Account Owner to the entity’s account, then certain information concerning past use of the individual Seraf Account Owner’s account may become accessible by way of that entity’s account and individuals who are given access by the entity/Account Owner to such information (for example an Enterprise Administrator for the entity/Account Owner), including the individual Seraf Account Owner’s email address. Similarly, if an individual Seraf Account Owner is later set up as an Authorized Designee by an Enterprise Administrator for the Account Owner’s organization, then certain information concerning the individual Seraf Account Owner may become accessible to the Enterprise Administrator including their email address.

If a User is an individual Seraf Account Owner, and the domain of the primary email address associated with their individual Seraf account is owned by their employer, and that email address was assigned to them as an employee of that organization, and that organization later wishes to establish a Seraf corporate Enterprise account and add the individual Seraf Account Owner to the Seraf corporate Enterprise account, then certain information concerning past use of the individual Seraf Account Owner’s account may become accessible to the corporate organization’s Enterprise Administrator including the individual Seraf Account Owner’s email address. Similarly, if an individual Seraf Account Owner’s account is set up by an Enterprise Administrator, then certain information concerning the individual Seraf Account Owner may become accessible to the Enterprise Administrator including their email address.

Be advised that Seraf offers collaboration features that by their nature support sharing with others a User chooses. Such Users would be able to see the sharing User’s name, email address, and possibly their photo or other information from their account profile and any files the User might choose to share; and they may be able to post comments and email accessible to the sharing User. Collaborators a User invites as editors may also be able to edit that User’s shared files, upload documents and photos to their shared files, share those documents outside of Seraf, and give other Users rights to view the shared files.

Seraf may provide a User with opportunities to connect with third party applications or services, such as estate planning advisors or valuation experts. If a User chooses to use any such third party applications or services, at the User’s instruction, we may facilitate sharing of the User’s information including their Seraf username and documents they choose to use with those applications and services and such third parties may contact the User directly as necessary. A User’s use of such applications and services is not governed by Seraf’s Terms of Service or Privacy Policy. Seraf does not control the applications or services of those third parties or how they use a User’s information and documents. Be sure to review the terms and the privacy policies of those third parties before using their applications or services.

Links to Other Sites

For your convenience, we may provide links to other websites and web pages that we do not control (collectively, “Linked Sites”). We cannot be responsible for the privacy practices of any websites or pages not under our control and we do not endorse any of these websites or pages, the services or products described or offered on such sites or pages, or any of the content contained on those sites or pages. We make no representations or warranties regarding the correctness, accuracy, performance, or quality of any content, software, service, or application found at any Linked Site. We are not responsible for the availability of the Linked Sites or the content or activities of such sites. If you decide to access any Linked Site, you do so at your own risk. In addition, should you initiate a transaction on a website that our Website links to, even if you reached that site through the Website, the information that you submit to complete that transaction becomes subject to the privacy practices of the operator of that linked website. Your use of any Linked Site is subject to the policies, terms of use, and privacy policies of such Linked Site, if any. We encourage you to seek out and read the privacy policy of each website that you visit.

California Privacy Rights

Under California Law, California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories of personal information, such as name, email and mailing address and the type of services provided to the customer, that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes and (b) the names and addresses of all such third parties. To request the above information, please contact us via email through our Contact Us page or write to us at the address indicated below.

California and Delaware Do Not Track Disclosures

California and Delaware law require us to indicate whether we honor “Do Not Track” settings in your browser concerning targeted advertising. “Do Not Track” is a standard that is currently under development. As it is not yet finalized, Seraf adheres to the standards set out in this Privacy Policy and does not monitor or follow any Do Not Track browser requests.

If necessary we may share Personal Information in connection with an acquisition, merger, or sale of all or a substantial portion of our business, with or to another company. In any such event, Account Owners or Enterprise Administrators on behalf of Account Owners will receive notice, in advance if possible, if their data is transferred and becomes subject to a substantially different privacy policy.

Network and Information Security

Seraf takes commercially reasonable steps to protect information we collect from Users to prevent loss, misuse and unauthorized access, disclosure, alteration, and destruction. In addition, highly confidential personal information (such as a User’s password) we request from a User on our Website is protected with encryption, such as Secured Socket Layer (SSL) protocol, during transmission over the Internet. Seraf uses a third party payment processor and does NOT store any credit card information on any Users behalf.

The servers on which information is stored are kept in a controlled environment with physically limited access. While we take commercially reasonable efforts to guard personal information we knowingly collect directly from Users, Users acknowledge that no security system is completely impenetrable. In addition, we cannot guarantee that any passively-collected personal information an Account Owner or Enterprise Administrator chooses to include in documents or Content they store on our systems without our involvement are maintained at adequate levels of protection to meet specific needs or obligations an Account Owner may have relating to that information (i.e., if someone uploads Content that contains Personal Information, we will not know about it and cannot prevent it).

An Account Owners account information and access to our service is accessible only through the use of an individual User ID and password. To protect the confidentiality of Personal Information, the User must keep their password confidential and not disclose it to any other person. A User is requested to please advise us immediately if they believe their password has been misused. In addition, Users should always logout and close their browser when they finish their session. Please note that we will never ask a User to disclose their password in an unsolicited phone call or email.

Updating and Accessing Personal Information

If an Account Owner or their Enterprise Administrator’s personal information changes in any way, we invite them to correct or update their information as soon as possible. Account Owners or Enterprise Administrators on behalf of Account Owners can make updates to their profile information by logging into their account on Seraf at any time. Enterprise Administrators on behalf of Account Owners can also request changes or access to their information by emailing support@seraf-investor.com.

Choice/Opt-Out

Seraf may send Users communications or data regarding our Websites and services, including but not limited to (i) notices about their use of our Websites and services, including any notices concerning violations of use, (ii) updates, and (iii) promotional information and materials regarding our products and services. Users may opt-out of receiving promotional emails from Seraf by following the opt-out instructions provided in those emails. Users may also opt-out of receiving promotional emails and other promotional communications from us at any time by emailing support@seraf-investor.com with their specific request. Opt-out requests will not apply to transactional service messages, such as security alerts, reminders, confirmations and notices about a User’s current account and services.

Contacting Us

If a User has any comments or questions about this Policy, they should contact us at support@seraf-investor.com.

If you correspond with us through the Website or via email, the collected information may include the content of, and metadata regarding, any correspondence you may have with us. We may share your messages with those within our organization that are most capable of addressing the issues contained in your message. We will keep a copy of your message until we have had an opportunity to address your concerns.

Acknowledgement

BY ACCESSING OR USING THE WEBSITE, OR ANY PORTION THEREOF, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTAND, AND CONSENT TO THE TERMS OF SERVICE AND PRIVACY POLICY, AND TO THE USES AND DISCLOSURES OF COLLECTED INFORMATION ABOUT YOU, THAT ARE DESCRIBED IN THIS PRIVACY POLICY AND YOU AGREE TO BE BOUND BY THE TERMS REFERENCED ABOVE. THE COMPANY DOES NOT ACCEPT LIABILITY FOR ANY DAMAGE OR LOSS YOU MAY SUFFER IN CONNECTION WITH USING THIS WEBSITE, INCLUDING AS A RESULT OF NOT FOLLOWING THE GUIDELINES PROVIDED IN THIS PRIVACY POLICY AND/OR THE TERMS OF SERVICE.

Annex One – EU Standard Contractual Clauses follow below

Annex One – EU Standard Clauses

ANNEX

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

2. The Parties:

   1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

   2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)

   have agreed to these standard contractual clauses (hereinafter: “Clauses”).

3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

   1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

   2. Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

   3. Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

   4. Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

   5. Clause 13;

   6. Clause 15.1(c), (d) and (e);

   7. Clause 16(e);

   8. Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Optional

Docking clause

1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

2. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

MODULE TWO: Transfer controller to processor

8.1 Instructions

1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

MODULE TWO: Transfer controller to processor

1. OPTION 2: GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

MODULE TWO: Transfer controller to processor

1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

MODULE TWO: Transfer controller to processor

2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

   1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

   2. refer the dispute to the competent courts within the meaning of Clause 18.

4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

6. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

MODULE TWO: Transfer controller to processor

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

MODULE TWO: Transfer controller to processor

1. [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

   [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

   [Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

2. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

MODULE TWO: Transfer controller to processor

1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

   1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

   2. the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

   3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

MODULE TWO: Transfer controller to processor

15.1 Notification

1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

   1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

   2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

   1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

   2. the data importer is in substantial or persistent breach of these Clauses; or

   3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

   In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

MODULE TWO: Transfer controller to processor

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.

Clause 18

Choice of forum and jurisdiction

MODULE TWO: Transfer controller to processor

1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

2. The Parties agree that those shall be the courts of Germany (specify Member State).

3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

4. The Parties agree to submit themselves to the jurisdiction of such courts.

 

APPENDIX

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

ANNEX I

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: Seraf LLC

Address: 9 Acacia Street, Cambridge MA 02138 United States

Contact person’s name, position and contact details: Christopher Mirabile, Managing Director

Activities relevant to the data transferred under these Clauses: No direct operational involvement with data.

Signature and date: /s/ Christopher Mirabile, Managing Director 10 November 2022

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

Categories of data subjects whose personal data is transferred: Customers/Users of the Seraf-Investor.com website

………………………

Categories of personal data transferred: User Name (or alias – natural name not required by system), email, investments, investment related details.

………………………

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Other than to the extent an optional name, email and investment data, might be considered sensitive data, there is no sensitive data being transferred.

………………………

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Data is transferred when a User uses the system (i) as a function of serving webpages and from the User (ii) in connection with the routine system storage of the User’s information and (iii) in connection with regularly daily backup of system data.

…………………………

Nature of the processing. Data is stored, served as part of a webpage, and arithmetic functions such as summation, averaging, and aggregation may be applied to serve the User various portfolio analytics.

…………………………

Purpose(s) of the data transfer and further processing. Data is transferred (i) as a function of serving webpages and from the User (ii) in connection with the routine system storage of the User’s information and (iii) in connection with backup of system data

………………………

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. Data is stored for so long as User is a paid licensed User of the system and temporarily for so long as older backups may be temporarily stored. Return of data may be requested by User as specified in the Terms and Conditions and/or Privacy Policy.

……………………

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. Data is transmitted to processors for storage and retrieval as part of serving webviews to Users and it is transmitted as part of routine daily backups.

……………………

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

MODULE TWO: Transfer controller to processor

Data Structure

Introduction and Terminology

Seraf leverages Drupal’s built-in capabilities for managing data in related chunks. Each chunk of data, such as a user, an investment account, a company, a transaction, etc, is referred to as an “entity” (this is Drupal’s preferred nomenclature). An entity is a set of information about a thing, for instance the user name and password of a user.

Each Drupal entity has an identifying number, plus one or more “fields,” such as name, or number of shares, or date. Drupal’s GUI permits you to add and edit (most of) these fields and their settings on the fly. Depending on the settings, some of these fields may be required, while others are optional. Note that Seraf makes heavy use of a special kind of field called an “entity reference” field, in which you can store references to other entities, such as the company that a transaction relates to, or the user that owns an investment account.

The entities Seraf maintains may be grouped into categories: information about clients; information about portfolio investments; information about groups; information about products and orders; and miscellaneous.

Clients

Users

Each Seraf client is represented by a User entity, sometimes referred to as the login account, which ties together everything for and about a Seraf client. Users are a core Drupal feature, and contain by default a user name (login name, which may or may not be their real name), an email address, a password, the user’s status (activated or blocked), one or more “roles,” and a preferred timezone. When created, a user gets an identifying number, their “uid.”

A User’s status determines whether or not the User is allowed to log in. A User’s roles (and group membership and group role, see below) determine what the User can see and do once they do log in. A role is a set of permissions, such as “can add a new transaction,” or “can upload a file.” Roles are also heavily used in the investor area to determine what content a User sees when they visit: for instance, individual clients see a different menu than enterprise clients; and when they go to analysis/X, they see different tabs and different content.

Note: The user name and email address are required to be unique - you can’t have two users with the same user name, or the same email address. But no user is required to use their real name, so personally identifiable data is at the user’s option.

Profiles

In order to store additional information about users above and beyond the information in the core User entity, each User has a “Client Profile” in which we store real name information, preferred currency, address and contact information. Each Profile has an id (a “pid”), but in general the Profiles are so closely tied to User accounts that you access them by uid, rather than pid. Each User is supposed to have one and only one Client Profile.

Note: the Profile includes email fields, mainly so that group administrators can maintain contact information for their group members independently of whatever email address the individual member uses to log in. The “Primary Email” field in the Profile is synchronized with the User’s email field under some circumstances.

Investment Accounts

In order to permit investors to group their investments into separate buckets, Users have Investment Accounts. Investment Accounts don’t contain much information, as they are mainly used for categorization of other stuff, rather than real information. Investments Accounts have a name (which defaults to the user’s real name from their Profile), a memo field, and a check box indicating whether the investment account is the user’s default investment account.

Licenses

Each User should own at least one License that entitles them to one or more roles for a period of time. Each license is normally tied to a Stripe customer account with a Stripe subscription id.

Portfolio Investments

A given portfolio investment is represented in Seraf by a target company or investment fund, in the case of a company, a round of investment (i.e. a type of security), and one or more transactions.

Clients can record ancillary information about their investments, specifically documents, events, valuations, and updates. Documents are an opportunity to upload and store documentation related to an investment, and may be tagged by company/fund and by round. Events are generally created automatically to reflect dates associated with particular investments (maturity dates and the like), and valuations are used to update the values of investments.

Seraf takes transactional data and valuations and rolls them up to compute values such as total number of shares held, or total value of all investments, or the internal rate of return. These calculated values are sliced and categorized so that subsets may be retrieved by user, account, investment group, company or investment fund, round, or date.

Hosting: Pantheon

The actual website is hosted at Pantheon.io, a Drupal- and Wordpress-specific hosting platform. In addition to hosting the live site, Pantheon also hosts separate “dev” and “test” servers, plus a varying number of development environments that can be spun up as needed.

Note that Seraf does not use a third-party content delivery network, but instead relies on Pantheon’s home-grown CDN.

Hosting Files: Amazon

Most client file uploads are not stored at Pantheon, but are instead uploaded to a private Amazon S3 bucket. The Seraf website uses a separate IAM user account to gain access to this bucket, and an access analyzer is configured to ensure that access to the buckets is configured to be private. Bucket versioning is enabled on the live “seraf” bucket so that accidentally deleted and altered files can be recovered if needed.

In addition to the bucket for live files, there is also a “test” bucket that is used by the other environments to prevent accidental loss of customer files.

Subscriptions: Stripe
Credit card processing, invoicing, and renewals are handled by Stripe.com.

Data Security
Security is architected into the Seraf platform. Seraf enforces a SSL/TLS encrypted session every time you log on. SSL certificates protect data in transit between users and the websites they are connected to. The lock box before the Seraf URL at the top of your screen is your visual confirmation that a session is secure, and can be clicked on for more informationSeraf runs on a secure stack. We start with the Pantheon platform described here - https://pantheon.io/security - and we run Drupal 7 on top of that. Drupal 7 is subject to regular security audits and updates. Drupal is used by government agencies and large organizations who depend on its security. Both we and Pantheon monitor security developments, and we implement all security patches, usually the same day they are released. Drupal's architecture implements protections against SQL injection, CSRF attacks, XSS attacks, and similar common problems. We follow best practices for all custom code we write on top of the Drupal 7 platform, including those enumerated here - https://www.drupal.org/docs/7/security/writing-secure-code.

We require HTTPS for all connections to the website, and use an HSTS header so that even the initial visit is encrypted.

Phishing attacks are a problem for everyone. However, our staff members are knowledgeable, and their activities on the website are logged. We keep daily backups, and can roll back the site in the event we are compromised.

Even the most secure websites are vulnerable to attack. Weak credentials of users is a possible issue, so it’s important for users to choose a strong password. We require 8 characters minimum and 2 character types. We also recommend that our clients try to minimize the amount of personal data they load into Seraf. For example, any documents that contain detailed personal information such as social security numbers shouldn’t be uploaded.

In fact, we have a few clients who wish to remain anonymous and have chosen to provide a non-traceable account name and use an email address that is specific to Seraf. This limits a hacker’s ability to track down the individual investor.

Security is a process. No website is ever 100% secure, and we regularly review our own practices to try to improve where we can.

ANNEX III – LIST OF SUB-PROCESSORS

MODULE TWO: Transfer controller to processor

The controller has authorised the use of the following sub-processors:

Hosting: Pantheon

The actual website is hosted at Pantheon.io, a Drupal- and Wordpress-specific hosting platform. In addition to hosting the live site, Pantheon also hosts separate “dev” and “test” servers, plus a varying number of development environments that can be spun up as needed.

Note that Seraf does not use a third-party content delivery network, but instead relies on Pantheon’s home-grown CDN.

Hosting Files: Amazon

Most client file uploads are not stored at Pantheon, but are instead uploaded to a private Amazon S3 bucket. The Seraf website uses a separate IAM user account to gain access to this bucket, and an access analyzer is configured to ensure that access to the buckets is configured to be private. Bucket versioning is enabled on the live “seraf” bucket so that accidentally deleted and altered files can be recovered if needed.

In addition to the bucket for live files, there is also a “test” bucket that is used by the other environments to prevent accidental loss of customer files.

Subscriptions: Stripe
Credit card processing, invoicing, and renewals are handled by Stripe.com.