Version 1.0 · Effective: date of Terms of Service acceptance · Last updated: April 2026

Data Processing Agreement

Between the Customer (Controller) and ADJV LLC trading as Valoxi (Processor). This agreement governs the processing of personal data carried out by Valoxi on behalf of its customers.

Contents

Preamble 1. Definitions 2. Scope and roles 3. Controller obligations 4. Processor obligations 5. Sub-processors 6. International transfers 7. Security incidents 8. Data subject rights 9. Term and termination 10. General Schedule 1: Processing details Schedule 2: Sub-processors Schedule 3: Security measures Request a countersigned copy

Preamble

This Data Processing Agreement (“DPA”) is entered into between the entity identified as the Customer in the Valoxi Terms of Service (the “Controller”) and ADJV LLC (trading as Valoxi), a limited liability company registered in New Mexico, United States (“Processor”), and forms part of the agreement for the provision of the Valoxi platform.

Valoxi is a global platform for SME acquisitions, incorporated in the United States and designed from the outset to meet the data protection standards of all markets in which it operates, including the United Kingdom, the European Economic Area, and the United States.

This DPA applies where the Processor processes personal data on behalf of the Controller in the course of providing the Valoxi platform and associated services.

1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.

Applicable Data Protection Law: Any data protection or privacy legislation applicable to the processing of personal data under this DPA, including (as applicable) the UK GDPR, the EU GDPR, the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as amended.

UK GDPR: The EU General Data Protection Regulation (2016/679) as retained and amended in UK law by the European Union (Withdrawal) Act 2018.

EU GDPR: The EU General Data Protection Regulation (2016/679).

Processing: Any operation performed on personal data, as defined under Applicable Data Protection Law.

Controller: The Customer entity that determines the purposes and means of processing personal data.

Processor: ADJV LLC trading as Valoxi, which processes personal data on behalf of the Controller.

Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.

Security Incident: Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Services: The Valoxi platform and associated services as described in the Valoxi Terms of Service.

2. Scope and roles

2.1 The parties acknowledge that, in relation to the processing of personal data under this DPA: (a) the Controller is the controller of personal data; and (b) the Processor is a processor of personal data on behalf of the Controller.
2.2 The subject matter, nature, purpose, and duration of processing, the types of personal data processed, and the categories of data subjects are set out in Schedule 1 to this DPA.
2.3 Nothing in this DPA relieves either party of its own obligations under Applicable Data Protection Law.

3. Controller obligations

3.1 The Controller shall, in its use of the Services:

(a) ensure it has a lawful basis for processing personal data and for instructing the Processor to process personal data on its behalf;
(b) ensure that any personal data it uploads to the platform, including data relating to third parties such as employees, directors, or customers of target businesses, is processed lawfully and in accordance with Applicable Data Protection Law;
(c) comply with its obligations as controller under Applicable Data Protection Law in relation to the processing contemplated by this DPA.

4. Processor obligations

4.1 The Processor shall process personal data only on the documented instructions of the Controller, which are set out in this DPA and the Valoxi Terms of Service, unless required to process otherwise by applicable law, in which case the Processor shall inform the Controller of that requirement before processing (unless prohibited by law).
4.2 The Processor shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
4.3 The Processor shall implement and maintain appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, destruction, or disclosure, as further described in Schedule 3.
4.4 The Processor shall, taking into account the nature of the processing, assist the Controller in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.
4.5 The Processor shall assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR (or equivalent provisions), taking into account the nature of the processing and the information available to the Processor.
4.6 Upon termination or expiry of the agreement for the Services, the Processor shall, at the Controller's election, delete or return all personal data and delete existing copies, unless applicable law requires storage. Deletion will occur within 30 days of account closure.
4.7 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and shall cooperate with reasonable audits or inspections, provided that: (a) the Controller gives reasonable prior written notice; (b) any audit is conducted at the Controller's cost; and (c) the audit does not unreasonably interfere with the Processor's operations.
4.8 The Processor shall not use personal data uploaded by the Controller to train, fine-tune, or improve any AI model, including models used within the Valoxi platform.

5. Sub-processors

5.1 The Controller grants general authorisation to the Processor to engage sub-processors. The current list of sub-processors is set out in Schedule 2.
5.2 The Processor shall inform the Controller of any intended changes to the sub-processor list by updating Schedule 2 on the Valoxi website or by email notification at least 14 days before the change takes effect, giving the Controller the opportunity to object.
5.3 Where the Controller objects to a new sub-processor on reasonable data protection grounds, the Processor shall use reasonable efforts to resolve the objection. If the objection cannot be resolved, either party may terminate the relevant Services on written notice.
5.4 The Processor shall impose data protection obligations on sub-processors equivalent to those set out in this DPA, by means of a written contract. The Processor remains fully liable for the acts and omissions of sub-processors.

6. International data transfers

6.1 Where personal data originating from the UK or EEA is transferred to or processed in a country outside the UK or EEA (including the United States), the Processor shall ensure that such transfer is subject to appropriate safeguards in accordance with Applicable Data Protection Law.
6.2 For transfers of UK personal data to the United States and other third countries, the Processor relies on the following mechanisms:
- (a) Standard Contractual Clauses (SCCs) as incorporated into the data processing agreements with each US-based sub-processor listed in Schedule 2;
- (b) the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office, where applicable and incorporated into sub-processor DPAs;
- (c) the UK Extension to the EU-US Data Privacy Framework where a sub-processor is certified thereunder.
6.3 The Processor's data storage and processing locations are described in Schedule 2 and in the Valoxi Privacy Policy.

7. Security incidents

7.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Security Incident affecting personal data processed under this DPA.
7.2 Such notification shall include: (a) the nature of the Security Incident; (b) the categories and approximate number of data subjects and personal data records affected; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to address the Security Incident.
7.3 The Processor shall cooperate with the Controller and take such steps as the Controller reasonably requires to investigate, mitigate, and remediate the Security Incident.

8. Data subject rights

8.1 The Processor shall promptly notify the Controller of any requests received directly from data subjects in relation to personal data processed under this DPA. The Processor shall not respond to such requests without the Controller's prior written consent, except as required by law.
8.2 The Processor shall assist the Controller in responding to data subject requests within the timescales required by Applicable Data Protection Law.

9. Term and termination

9.1 This DPA shall remain in force for as long as the Processor processes personal data on behalf of the Controller under the Valoxi Terms of Service.
9.2 This DPA shall automatically terminate upon expiry or termination of the Valoxi Terms of Service, subject to the Processor's obligations with respect to deletion or return of personal data set out in clause 4.6.

10. General

10.1 This DPA is governed by the laws of England and Wales in respect of UK personal data, and by the laws of the State of New Mexico in respect of other matters, unless otherwise required by Applicable Data Protection Law.
10.2 In the event of any conflict between this DPA and the Valoxi Terms of Service, this DPA shall prevail in respect of data protection matters.
10.3 The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Law or its processing activities. Material changes will be notified to the Controller by email at least 30 days before they take effect.
10.4 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

Schedule 1: Processing details

Subject matterProcessing of personal data in connection with the provision of the Valoxi M&A analysis platform.

DurationFor the duration of the Controller's subscription to the Valoxi platform.

Nature of processingCollection, storage, transmission to AI analysis services, generation of analytical outputs, deletion on account closure.

PurposeTo provide the Valoxi platform and associated deal analysis services to the Controller.

Types of personal dataNames, email addresses, company names and roles, financial data contained in uploaded documents, data relating to employees, directors, and customers of target businesses.

Categories of data subjectsController's users (M&A practitioners); employees, directors, shareholders, and customers of target businesses whose data appears in uploaded documents.

Schedule 2: Sub-processors

The following sub-processors are currently engaged by Valoxi. Each operates under a data processing agreement incorporating appropriate transfer mechanisms for UK and EEA personal data.

Sub-processor	Location	Purpose	Transfer mechanism	DPA
Cloudflare, Inc.	Western Europe	File storage (document uploads via R2)	SCCs (Cloudflare DPA)	View DPA
Replit, Inc.	United States	Application hosting and database	SCCs (Replit DPA)	View DPA
Google LLC	Global	AI document analysis (Gemini API)	SCCs + UK supplementary terms	View DPA
Clerk, Inc.	United States	User authentication and identity	SCCs (Clerk DPA)	View DPA
Resend, Inc.	United States	Transactional email delivery	SCCs (Resend DPA)	View DPA
Stripe, Inc.	United States	Payment processing	SCCs + UK IDTA	View DPA

Schedule 3: Security measures

Valoxi implements and maintains the following technical and organisational security measures.

Access controls

— Role-based access control (RBAC) limiting which users can view which deals and documents
— Multi-factor authentication available via Clerk SSO (Google, Microsoft, Apple)
— Team-level permissions and invite-based access management
— Deal-level access isolation preventing cross-customer data access

Data protection

— Encryption of data in transit via TLS 1.2 or higher across all endpoints
— Encryption of data at rest for all stored documents via Cloudflare R2
— Document storage in Western Europe via Cloudflare R2 (WEUR region)
— Structured data and analytical outputs processed separately from raw documents

Incident management

— Security incident response procedure with Controller notification within 48 hours
— ICO notification within 72 hours for breaches affecting UK data subjects

AI processing

— AI analysis conducted only via Google Gemini paid API tier, covered by Google's Data Processing Addendum incorporating SCCs and UK supplementary terms
— No use of Controller data to train or improve any AI model

Need a countersigned copy?

If your organisation requires a physically countersigned Data Processing Agreement for compliance or legal purposes, contact our data protection team directly. Please include your company name and any specific requirements. We aim to respond within two business days.

data-protection@valoxi.ai

Questions about this agreement: data-protection@valoxi.ai

Registered legal entity: ADJV LLC (trading as Valoxi) · Registration no. 0008087631 · 1209 Mountain Rd PL NE STE R, Albuquerque, NM 87110, United States.