Standard DPA for customers acting as controller.

Terms not defined here have the meaning set out in the Privacy Policy, the Terms of Service, and the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

The processing is the operation of the 4invest platform on behalf of the customer for the duration of the subscription term plus the 30-day post-termination export window.

Nature and purpose: hosting and processing real-estate operating data — leads, deals, units, documents, payments, approvals, communications — so the customer can run its real-estate operations.

Types of data: contact, identification, financial, transactional, communication, and where the customer chooses, special-category data submitted by clients (we recommend against this).

Categories of data subjects: authorized users, clients/buyers, investors, brokers, sales agents.

4invest will process Customer Data only on documented instructions from the customer, will ensure persons authorized to process Customer Data are bound by confidentiality, will implement the security measures described in the Security Overview, and will assist the customer with data-subject requests and impact assessments.

4invest engages a limited set of sub-processors to deliver the service. The current list is published at the bottom of this page and updated whenever it changes. Customers receive at least 30 days' notice of any addition or replacement.

If a customer objects to a new sub-processor, the parties will work in good faith for 30 days; failing resolution, the customer may terminate the affected portion of the service.

Where Customer Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties enter into the relevant EU Standard Contractual Clauses (Modules 2 and 3 as applicable), the UK International Data Transfer Addendum, and any region-specific clauses required by Singapore PDPA, Canada's PIPEDA, or other applicable frameworks.

The measures listed in Annex II of the SCCs are reflected in the published Security Overview and are part of this DPA by reference.

4invest will notify the customer of any personal-data breach affecting Customer Data within 48 hours of becoming aware. Notifications will include the categories and approximate numbers of data subjects and records affected, likely consequences, and remediation measures.

At the customer's choice, 4invest will return or delete all Customer Data within 60 days of the end of the subscription, except where retention is required by law (in which case the data remains protected by this DPA).

Customers may audit 4invest's compliance with this DPA once per year, on reasonable notice, by reviewing the most recent independent assessment (SOC 2 once available) and through a written questionnaire. On-site audits are available for Private package customers under a separate scope and at the requesting customer's expense.

The current list — cloud infrastructure provider, transactional email provider, monitoring vendor, and customer-support tooling — is published at status.4invest.co alongside the change log. Email legal@4invest.co to subscribe to the change-notification feed.