Studio Building
9point8 Collective – Data Processing Agreement
Last Updated: December 5, 2025
Effective Date: December 5, 2025
Version: 1.2 (Updated for GDPR Article 28 and SCC Compliance)
Introduction
This Data Processing Agreement (“DPA”) describes how 9point8 Collective, LLC (“9point8,” “we,” “us,” or “our”) processes and protects personal data on behalf of its customers, users, and partners (“you,” “Customer,” or “Controller”) in connection with the use of 9point8 technologies, software, websites, and related services (collectively, the “Services”).
By accessing or using any 9point8 Service, you acknowledge and agree to this DPA.
If you do not agree, you must immediately discontinue use of all 9point8 Services.
This DPA supplements and forms part of the 9point8 Terms of Service and Privacy Policy.
Scope of Application
This DPA applies to all 9point8 products and affiliated technologies, including but not limited to LaunchIQ, StudioIQ, VentureIQ, TransferIQ, and Nexus: Studio, as well as any successor or related offerings operated by 9point8 Collective, LLC.
1. Definitions
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Data Subject” means an individual to whom the Personal Data relates.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller.
  • “Service Provider” has the meaning given under the California Consumer Privacy Act (CCPA).
  • “Processing” means any operation performed on Personal Data, such as collection, storage, analysis, transmission, or deletion.
  • “Subprocessor” means any third party engaged by 9point8 to assist in processing Personal Data.
2. Roles and Relationship
  1. Controller–Processor Relationship. When 9point8 processes Personal Data on behalf of a customer, the customer is the Controller and 9point8 acts as the Processor (and as a “Service Provider” under the CCPA/CPRA).
  1. Independent Controller Processing. To the extent 9point8 processes Personal Data for its own legitimate purposes (e.g., product analytics, security monitoring, internal records), such processing is subject to a separate privacy notice and lawful basis under GDPR.
  1. Instructions and Lawful Basis. 9point8 processes Personal Data only on documented, lawful instructions from the Controller or as required by law.
  1. Supervisory Authority. The lead supervisory authority shall be determined by the Controller’s EU establishment.
  1. HIPAA Limitation. HIPAA applies only where the parties have executed a separate Business Associate Agreement (BAA).
3. Subject Matter, Purpose, and Duration
  • Subject Matter: The provision of 9point8 Services, including technology assessment, analytics, venture-studio operations, and related business intelligence.
  • Purpose: To collect, store, analyze, and transfer Personal Data as required to deliver the Services described in the applicable Terms or agreements.
  • Duration: For as long as you use the Services and until all data is deleted or returned, unless retention is legally required.
4. 9point8 Obligations as Processor
9point8 shall:
  1. Process Personal Data only as instructed by the Controller or as required by law.
  1. Ensure that persons authorized to process Personal Data are bound by confidentiality.
  1. Implement and maintain technical and organizational measures ensuring a level of security appropriate to risk (see Schedule C).
  1. Assist the Controller in complying with obligations under applicable laws, including responding to data-subject requests and conducting DPIAs or consultations with authorities as required by Articles 35 and 36 GDPR.
  1. Notify the Controller without undue delay (and within 72 hours) upon becoming aware of a Personal Data Breach.
  1. Delete or return all Personal Data to the Controller upon termination as described in Section 8.
  1. Not sell or share Personal Data nor retain, use, or disclose it for any purpose other than delivering the Services.
  1. Maintain records of processing activities as required by Article 30 GDPR.
5. Controller Obligations
You as Controller shall:
  • Comply with all applicable data-protection laws.
  • Provide clear and lawful instructions to 9point8.
  • Obtain all necessary consents and ensure lawful transfers.
  • Provide accurate and relevant Personal Data.
  • Promptly notify 9point8 of any data-subject requests requiring assistance.
6. Data Subject Rights
9point8 shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, CCPA, or other laws, including access, rectification, erasure, restriction, portability, and objection.
If 9point8 receives a request directly, it will promptly notify the Controller and not respond except as legally required.
7. Subprocessing
  1. Authorization – 9point8 may engage subprocessors to support Service delivery.
  1. Requirements – Each subprocessor must be bound by written obligations offering data-protection assurances equivalent to this DPA.
  1. Transparency – Authorized subprocessors are listed in Schedule B.
  1. Liability – 9point8 remains fully liable for its subprocessors’ performance under this DPA.
8. Erasure and Return of Data
Deletion shall occur within thirty (30) days of termination of Services, including from active systems and scheduled backup cycles, unless retention is legally required.
Upon written request, 9point8 will provide certification of deletion or anonymization.
9. Security and Audit Rights
9point8 implements appropriate security measures as set forth in Schedule C (Annex II of the SCCs). Upon reasonable notice, 9point8 will make available information necessary to demonstrate compliance and permit confidential audits without unreasonable interference to operations.
10. International Transfers and SCC Integration
  1. Standard Contractual Clauses (SCCs). The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 – Controller → Processor) and the UK Addendum are hereby incorporated by reference and form an integral part of this DPA.
  • Annex I–III of the SCCs are completed by reference to Schedules A–C below.
  • The SCCs prevail in the event of any conflict with this DPA.
  • A copy is available here.
  1. Transfer Impact Assessment (Schrems II Compliance). 9point8 represents that it has conducted and shall maintain a documented Transfer Impact Assessment for Personal Data transferred outside the EEA and will implement supplementary measures to ensure essentially equivalent protection.
  1. Data Storage Locations. Data is primarily stored and processed in the United States and EEA regions using approved subprocessors listed in Schedule B.
11. Liability and Indemnity
Each party is liable for any breach of its obligations under this DPA and shall indemnify the other from claims or penalties resulting from such breach, subject to the limitations set forth in the 9point8 Terms of Service.
12. Term and Termination
This DPA remains in effect for as long as 9point8 processes Personal Data on behalf of the Controller.
Upon termination, 9point8 will delete or return Personal Data in accordance with Section 8.
13. Governing Law
For EEA/UK data subjects, this DPA is governed by Irish law and subject to the jurisdiction of the Irish courts.
For U.S. relationships, the laws of the State of Montana apply, without regard to conflicts rules.
Schedules / Annex References
  • Schedule A (Annex I): Description of Processing
  • Schedule B (Annex III): Subprocessors
  • Schedule C (Annex II): Security Measures
Schedule A – Description of Processing (Annex I)
Schedule B – Authorized Subprocessors (Annex III)
Schedule C – Security Measures (Annex II)
9point8 and its subprocessors maintain technical and organizational measures to protect Personal Data, including:
  • Access Controls: Role-based access, multi-factor authentication, least-privilege principle.
  • Encryption: TLS 1.2+ in transit; AES-256 or equivalent at rest.
  • Data Backup & Recovery: Encrypted backups and geographically redundant storage.
  • Incident Response: Detection, notification, and remediation procedures for security events.
  • Employee Training: Regular security and privacy awareness programs.
  • Audits & Assessments: Routine review of subprocessor compliance and internal controls.
  • Third-Party Reliance: Verification of security certifications (e.g., SOC 2, ISO 27001) for critical subprocessors.
Schedule D – EU Standard Contractual Clauses
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 – Controller to Processor) and the UK Addendum are incorporated by reference and available at the official Commission website:
Acceptance
By continuing to use or access any 9point8 technology, software, website, or Service, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.
If you do not agree, you must immediately discontinue use of all 9point8 Services.
For questions, requests, or data-protection inquiries, contact us at connect@9point8.co.
© 2025 9point8 Collective, LLC — All Rights Reserved
© 2025 9point8 Collective. All rights reserved.