Data Processing Agreement

Effective Date: 24 February 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between MoonshotNX, Inc., a Delaware corporation with its principal address at 160 Madison Ave, New York, NY 10016 (“MoonshotNX”, “Processor”, “we”, “us”), and the customer accepting the Terms of Service (“Customer”, “Controller”, “you”).

By accepting the Terms of Service, Customer accepts this DPA. No separate signature is required.

If there is a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

1. Roles of the Parties

1.1 Controller and Processor

To the extent that MoonshotNX processes Personal Data on behalf of Customer:

  • Customer is the Data Controller (or equivalent under applicable law).

  • MoonshotNX is the Data Processor.

Customer determines the purposes and means of processing Personal Data submitted to the Services.

MoonshotNX processes Personal Data only in accordance with Customer’s documented instructions as set out in the Agreement and this DPA.

2. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person processed under the Agreement.

“Data Protection Laws” means applicable laws relating to data protection and privacy, including but not limited to GDPR, UK GDPR, and other applicable jurisdictional laws.

“Subprocessor” means a third party engaged by MoonshotNX to process Personal Data.

3. Scope of Processing

3.1 Subject Matter

Processing of Personal Data in connection with the provision of the Services.

3.2 Duration

Processing will continue for the duration of the Agreement and any applicable data retention period.

3.3 Nature and Purpose

Processing includes:

  • Hosting

  • Storage

  • Organisation

  • Retrieval

  • Transmission

  • Structured visibility sharing as directed by Customer

  • Security monitoring

  • Technical support

3.4 Categories of Data Subjects

May include:

  • Founders

  • Company directors

  • Employees

  • Shareholders

  • Investors

  • Advisors

3.5 Types of Personal Data

May include:

  • Name

  • Email address

  • Contact details

  • IP address

  • Account credentials

  • Uploaded documents

  • Financial data included within submitted materials

MoonshotNX does not intentionally collect special category data unless uploaded by Customer.

4. Processor Obligations

MoonshotNX shall:

4.1 Process Personal Data only on documented instructions from Customer.

4.2 Ensure persons authorised to process Personal Data are bound by confidentiality obligations.

4.3 Implement appropriate technical and organisational measures to protect Personal Data.

4.4 Not sell Personal Data.

4.5 Not use Personal Data for its own marketing purposes.

5. Security Measures

MoonshotNX implements reasonable administrative, technical, and physical safeguards including:

  • Encrypted data transmission (TLS)

  • Access controls and role-based permissions

  • Secure cloud hosting environments

  • Multi-factor authentication where applicable

  • Logging and monitoring of system access

  • Vendor risk assessment procedures

Security measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

6. Subprocessors

6.1 Authorisation

Customer authorises MoonshotNX to engage Subprocessors to support delivery of the Services.

6.2 Current Categories of Subprocessors

May include:

  • Cloud infrastructure providers

  • Hosting providers

  • Email service providers

  • Analytics providers

  • Payment processors

  • Security monitoring vendors

6.3 Subprocessor Protections

MoonshotNX shall ensure Subprocessors are bound by written agreements imposing data protection obligations substantially similar to this DPA.

MoonshotNX remains responsible for Subprocessor compliance with this DPA.

7. International Transfers

MoonshotNX may process Personal Data in the United States and other jurisdictions where Subprocessors operate.

Where required by Data Protection Laws, MoonshotNX shall implement appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses (where applicable)

  • Other recognised transfer mechanisms

By accepting the Terms of Service, Customer acknowledges and authorises such transfers.

8. Data Subject Rights

To the extent required under Data Protection Laws:

8.1 MoonshotNX shall reasonably assist Customer in responding to Data Subject requests.

8.2 Customer remains responsible for handling and responding to Data Subject requests.

MoonshotNX may redirect Data Subject requests directly to Customer where appropriate.

9. Security Incidents

MoonshotNX shall notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Data.

Notification shall include information reasonably necessary for Customer to meet legal obligations.

10. Deletion or Return of Data

Upon termination of the Agreement:

  • Customer may request deletion of Personal Data.

  • MoonshotNX shall delete or anonymise Personal Data in accordance with its retention policies unless retention is required by law.

11. Audits

MoonshotNX shall make available information reasonably necessary to demonstrate compliance with this DPA.

Any audit:

  • Must be reasonable in scope

  • Conducted during normal business hours

  • Subject to confidentiality

  • Not more than once annually unless required by law

MoonshotNX may satisfy audit obligations through third-party certifications or security documentation.

12. Limitation of Liability

Liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

13. Acceptance

This DPA is accepted automatically upon Customer’s acceptance of the Terms of Service.

No separate signature is required.

ANNEX 1

UK GDPR Addendum

This UK GDPR Addendum (“UK Addendum”) supplements the Data Processing Agreement (“DPA”) between MoonshotNX, Inc. (“Processor”) and the Customer (“Controller”).

This UK Addendum applies where Personal Data is subject to the UK General Data Protection Regulation (“UK GDPR”).

Acceptance of the Terms of Service and DPA constitutes acceptance of this UK Addendum.

1. Scope

This UK Addendum applies to the processing of Personal Data that is:

  • Subject to UK GDPR; and

  • Processed by MoonshotNX on behalf of Customer under the Agreement.

2. Roles

For purposes of UK GDPR:

  • Customer acts as Data Controller.

  • MoonshotNX acts as Data Processor.

The parties acknowledge that the roles may vary depending on factual circumstances. This Addendum applies only where MoonshotNX acts as Processor.

3. Processing Obligations

MoonshotNX shall:

  • Process UK Personal Data only on documented instructions from Customer.

  • Ensure confidentiality obligations bind authorised personnel.

  • Implement appropriate technical and organisational measures under Article 32 UK GDPR.

  • Not engage Subprocessors without appropriate contractual protections.

  • Assist Customer, taking into account the nature of processing, in fulfilling obligations under Articles 32–36 UK GDPR.

  • Make available information reasonably necessary to demonstrate compliance.

4. International Transfers from the UK

Where UK Personal Data is transferred outside the United Kingdom:

MoonshotNX shall ensure appropriate safeguards are in place, including:

  • The UK International Data Transfer Agreement (IDTA); or

  • The UK Addendum to the EU Standard Contractual Clauses; or

  • Another lawful transfer mechanism recognised under UK GDPR.

Customer authorises such transfers by accepting the Agreement and DPA.

5. UK Data Subject Rights

MoonshotNX shall reasonably assist Customer in responding to:

  • Access requests

  • Erasure requests

  • Restriction requests

  • Objection requests

  • Portability requests

Customer remains responsible for responding to UK data subjects.

6. Conflict

In the event of conflict between this UK Addendum and the DPA, this UK Addendum governs with respect to UK Personal Data.

7. Governing Law (UK Personal Data)

This UK Addendum shall be governed by the laws of England and Wales solely with respect to matters required under UK GDPR.

For all other matters, the governing law provisions in the Terms of Service apply.

ANNEX 2

Standard Contractual Clauses (SCC) Rider

This SCC Rider supplements the Data Processing Agreement between MoonshotNX, Inc. (“Data Importer”) and Customer (“Data Exporter”).

This Rider incorporates the European Commission Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the “EU SCCs”).

Acceptance of the Terms of Service and DPA constitutes execution of this SCC Rider.

1. Applicability

This SCC Rider applies where:

  • Personal Data subject to the EU GDPR is transferred from the European Economic Area (EEA) to MoonshotNX in the United States or another third country; and

  • Such transfer requires appropriate safeguards under Chapter V of GDPR.

2. Applicable SCC Module

The parties agree that:

  • Module Two (Controller to Processor) applies.

Customer acts as Data Exporter.
MoonshotNX acts as Data Importer.

3. Completion of SCC Clauses

For purposes of completing the EU SCCs:

Clause 7 – Docking Clause

The optional docking clause applies.

Clause 9 – Use of Subprocessors

Option 2 applies (general written authorisation).
MoonshotNX shall inform Customer of intended Subprocessor changes.

Clause 11 – Redress

The optional language shall not apply unless required by law.

Clause 17 – Governing Law

The governing law shall be Ireland.

Clause 18 – Forum and Jurisdiction

Disputes shall be resolved in the courts of Ireland, solely for matters relating to the SCCs.

4. Annex I – Description of Transfer

A. List of Parties

Data Exporter: Customer accepting the Agreement
Data Importer: MoonshotNX, Inc., 160 Madison Ave, New York, NY 10016

B. Description of Transfer

Categories of Data Subjects may include:

  • Founders

  • Directors

  • Employees

  • Investors

  • Advisors

Categories of Personal Data may include:

  • Names

  • Email addresses

  • Contact details

  • Account credentials

  • IP addresses

  • Uploaded documents

  • Financial data included in submissions

Nature of processing:

  • Hosting

  • Storage

  • Retrieval

  • Transmission

  • Structured sharing as directed

  • Security monitoring

  • Support services

Purpose of transfer:

Provision of subscription-based capital infrastructure platform services.

Duration:

For the duration of the Agreement and applicable retention period.

5. Annex II – Technical and Organisational Measures

MoonshotNX implements appropriate measures including:

  • Encrypted data transmission (TLS)

  • Secure cloud hosting

  • Access controls and role-based permissions

  • Multi-factor authentication where applicable

  • Logging and monitoring

  • Vendor security reviews

  • Incident response procedures

Measures are proportionate to risk and nature of processing.

6. Annex III – Subprocessors

Subprocessors may include:

  • Cloud hosting providers

  • Email service providers

  • Analytics providers

  • Payment processors

  • Security vendors

MoonshotNX shall maintain appropriate written agreements with Subprocessors.

7. Conflict and Priority

In the event of conflict between the SCCs and the DPA, the SCCs shall prevail with respect to EU Personal Data transfers.

8. Acceptance

This SCC Rider becomes effective upon Customer’s acceptance of the Terms of Service and DPA.

No separate signature is required.

ANNEX 3

California Privacy Addendum (CCPA / CPRA)

This California Privacy Addendum (“California Addendum”) supplements the Data Processing Agreement (“DPA”) between MoonshotNX, Inc. (“Service Provider”) and the Customer (“Business”).

This Addendum applies to the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), applies to the processing of Personal Information under the Agreement.

Acceptance of the Terms of Service and DPA constitutes acceptance of this California Addendum.

1. Roles Under CCPA

For purposes of CCPA:

  • Customer is the “Business.”

  • MoonshotNX is the “Service Provider.”

MoonshotNX shall process Personal Information only on behalf of and for the benefit of Customer.

2. Definitions

“Personal Information” has the meaning set forth in CCPA.

“Sensitive Personal Information” has the meaning set forth in CCPA.

Terms not defined here have the meaning given in CCPA.

3. Service Provider Commitments

MoonshotNX certifies that it:

  • Processes Personal Information solely for the business purposes specified in the Agreement.

  • Does not sell Personal Information.

  • Does not share Personal Information for cross-context behavioural advertising.

  • Does not retain, use, or disclose Personal Information outside the direct business relationship with Customer.

  • Does not combine Personal Information received from Customer with Personal Information received from other sources, except as permitted by CCPA.

MoonshotNX shall not use Personal Information for its own commercial purposes outside providing the Services.

4. Business Purpose Limitation

MoonshotNX may process Personal Information only for the following business purposes:

  • Providing and maintaining the Services

  • Detecting security incidents

  • Protecting against fraudulent or illegal activity

  • Debugging and error detection

  • Short-term transient use

  • Performing internal research to improve the Services

  • Ensuring compliance with applicable laws

Processing shall be reasonably necessary and proportionate to these purposes.

5. Subprocessors

MoonshotNX may engage subprocessors that qualify as “Service Providers” or “Contractors” under CCPA.

MoonshotNX shall:

  • Enter into written agreements with subprocessors imposing CCPA-compliant obligations

  • Require subprocessors to process Personal Information only for specified business purposes

  • Remain responsible for compliance consistent with the DPA

6. Consumer Rights Assistance

To the extent required by CCPA, MoonshotNX shall reasonably assist Customer in responding to verifiable consumer requests, including:

  • Requests to know

  • Requests to delete

  • Requests to correct

  • Requests to limit use of Sensitive Personal Information

Customer remains responsible for responding to California consumer requests.

MoonshotNX may redirect consumer requests directly to Customer where appropriate.

7. Sensitive Personal Information

MoonshotNX shall process Sensitive Personal Information only:

  • For purposes necessary to provide the Services

  • As permitted by CCPA

  • In accordance with Customer’s instructions

MoonshotNX shall not use Sensitive Personal Information for profiling, marketing, or unrelated purposes.

8. Security Obligations

MoonshotNX shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect it from unauthorised access, destruction, use, modification, or disclosure.

9. No Sale or Sharing Certification

MoonshotNX certifies that it understands and will comply with the restrictions imposed by this California Addendum and CCPA.

MoonshotNX does not sell or share Personal Information as defined under CCPA.

10. Audit Rights

Customer may take reasonable and appropriate steps to ensure MoonshotNX uses Personal Information consistent with CCPA.

Any audit:

  • Must be reasonable in scope

  • Subject to confidentiality

  • Not more than once annually unless legally required

MoonshotNX may satisfy audit requests through security certifications or compliance documentation.

11. Conflict and Priority

If there is a conflict between this California Addendum and the DPA, this California Addendum governs solely with respect to Personal Information subject to CCPA.

All other provisions of the Agreement remain in effect.

12. Acceptance

This California Addendum is accepted automatically upon acceptance of the Terms of Service and DPA.

No separate signature is required.

Data Exporter / Data Importer Information

Data Importer:
MoonshotNX, Inc.
169 Madison Ave
New York, NY 10016
Email: onboarding@moonshotnx.com

Accepted electronically via Terms of Service.