Data Processing Agreement

Last updated: 5/16/2026

GDPR Compliance Notice

This Data Processing Agreement (DPA) is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable data protection laws. It governs the processing of personal data by SGA Investments as a data processor on behalf of you, the data controller.

1. Definitions

Data Controller:

The natural or legal person which determines the purposes and means of processing personal data (typically, you, the user of our Service).

Data Processor:

SGA Investments, which processes personal data on behalf of the Data Controller.

Personal Data:

Any information relating to an identified or identifiable natural person as defined in the GDPR.

Processing:

Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

Sub-processor:

Any third party engaged by the Data Processor to process personal data.

2. Scope and Purpose

This DPA applies to all personal data processed by SGA Investments through the SGA Daytrader platform on your behalf, including but not limited to:

  • User account information and credentials
  • Trading activity and transaction data
  • Broker API credentials and trading account details
  • Performance metrics and analytics data
  • Communication logs and support tickets

The purpose of processing is to provide algorithmic trading services, signal generation, portfolio management, and related functionalities as described in our Terms of Service.

3. Processor Obligations

3.1 Lawful Processing

SGA Investments shall:

  • Process personal data only on documented instructions from the Data Controller
  • Ensure that persons authorized to process personal data are bound by confidentiality
  • Not transfer personal data outside the EEA without appropriate safeguards
  • Process data only for the purposes specified in this DPA

3.2 Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
  • Pseudonymization: Where applicable, to minimize personal data exposure
  • Security Audits: Regular penetration testing and vulnerability assessments
  • ISO 27001: Alignment with ISO 27001 information security standards
  • Incident Response: Documented procedures for data breach notification

3.3 Data Breach Notification

In the event of a personal data breach, SGA Investments shall notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing all relevant information required by Article 33 of the GDPR.

4. Sub-Processors

SGA Investments may engage sub-processors to assist in providing the Service. The Data Controller provides general authorization for the use of sub-processors, subject to the following conditions:

  • All sub-processors must enter into written agreements with equivalent data protection obligations
  • SGA Investments shall maintain an up-to-date list of sub-processors
  • The Data Controller will be notified of any intended changes concerning sub-processors
  • The Data Controller may object to new sub-processors within 30 days of notification

Current Sub-Processors

  • Cloud Infrastructure Provider (Active): Hosting and infrastructure services. Location: EU Region | Safeguards: Standard Contractual Clauses (SCCs)
  • Email Service Provider (Active): Transactional email delivery. Location: US | Safeguards: Standard Contractual Clauses (SCCs)
  • Analytics Provider (Active): Performance monitoring and error tracking. Location: EU Region | Safeguards: GDPR Compliant

5. Data Subject Rights

SGA Investments shall assist the Data Controller in responding to data subject requests, including:

  • Right of Access: Provide access to personal data upon request
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Delete personal data ("right to be forgotten")
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Portability: Provide data in a structured, machine-readable format
  • Right to Object: Cease processing based on legitimate interests

SGA Investments will respond to data subject requests within 30 days and will not charge fees unless requests are manifestly unfounded or excessive.

6. Data Transfers

Personal data may be transferred to countries outside the European Economic Area (EEA) only when appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission
  • Adequacy Decisions: Transfers to countries with adequate data protection levels
  • Binding Corporate Rules (BCRs): For intra-group transfers

The Data Controller will be informed of any international data transfers and the safeguards applied.

7. Data Retention and Deletion

Personal data shall be:

  • Retained only for as long as necessary to fulfill the purposes outlined in this DPA
  • Deleted or returned to the Data Controller upon termination of the Service
  • Securely deleted in accordance with industry best practices
  • Retained longer only if required by applicable law

Standard Retention Periods

  • Account Data: 30 days after account closure
  • Trading Records: 7 years (regulatory requirement)
  • Audit Logs: 2 years
  • Support Tickets: 3 years

8. Audits and Compliance

The Data Controller has the right to audit SGA Investments' compliance with this DPA:

  • Upon reasonable notice (at least 30 days)
  • No more than once per year unless there is a suspected breach
  • SGA Investments will provide reasonable assistance and access to relevant information
  • Audits may be conducted by the Data Controller or an independent auditor

SGA Investments maintains SOC 2 Type II certification and undergoes annual third-party security audits; the resulting reports are available upon request.

9. Liability and Indemnification

Each party shall be liable for damages caused by its processing of personal data in violation of this DPA or applicable data protection laws. SGA Investments shall:

  • Indemnify the Data Controller for damages resulting from SGA Investments' breach of this DPA
  • Maintain appropriate cyber liability insurance coverage
  • Cooperate fully in the defense of any data protection claims

10. Term and Termination

This DPA is effective as of the date you first use our Service and shall remain in effect until termination of the Service. Upon termination:

  • SGA Investments shall cease all processing of personal data
  • Personal data shall be deleted or returned to the Data Controller within 30 days
  • Exceptions apply where retention is required by law
  • A certificate of deletion may be provided upon request

11. Amendments

This DPA may be amended to comply with changes in data protection laws or regulations. Material changes will be communicated to the Data Controller with at least 30 days' notice.

12. Governing Law

This DPA shall be governed by the laws of the European Union and the GDPR, supplemented by the national data protection laws applicable to the Data Controller's jurisdiction.

13. Contact Information

For DPA-related inquiries, contact:

Data Protection Officer (DPO):

Email: [email protected]

Response time: Within 2 business days

This DPA complies with GDPR Article 28 and ISO 27001 standards