Last Amended:      February 1, 2024

1.1 This DPA relates to personal data processed as part of FXE’s SmartFinance Hub service (“SFH”) and is supplemental to the SmartFinance Hub terms and conditions (the “SFH Terms of Service”) that apply to the use of SFH. Unless specifically defined in this DPA, capitalised terms shall have the same meanings as set out in the SFH Terms.

1.2 In providing SFH, FXE will process Customer Personal Data submitted or collected (through SFH) as part of any applications for finance or other lending as a Processor for the relevant Broker or Finance Provider (the relevant “Subscriber”).

1.3 Schedule 1 to this DPA sets out certain information regarding the nature and scope of such processing of Customer Personal Data.

1.4 FXE shall process Customer Personal Data in accordance with applicable Data Protection Legislation.

1.5 FXE shall not process Customer Personal Data except:

a) to the extent necessary for the provision of services under the SFH Terms of Service;

b) as otherwise expressly approved or instructed by the Subscriber in writing;

c) as required by an applicable regulator; or

d) as required to comply with applicable laws.

1.6 FXE shall promptly inform the relevant Subscriber if, in its opinion, an instruction from that Subscriber infringes any Data Protection Legislation.

1.7 Each Subscriber consents to the engagement of the sub-processors listed in Schedule 1.

1.8 FXE shall remain fully liable for any failure by each sub-processor to fulfil its obligations in relation to the processing of any Customer Personal Data, in the same manner and to the same extent as it would be as if they were failures by FXE.

1.9 Each Subscriber agrees that FXE may change or add to the sub-processors listed in Schedule 1, subject to details of such changes being provided to the Subscriber.

1.10 FXE shall ensure that it has in place a written agreement with all applicable sub-processors that requires such sub-processors to safeguard Customer Personal Data in a manner no less restrictive than FXE’s obligations under this DPA and offers at least the same protection of Customer Personal Data as those terms set out in this DPA and which meet the requirements of the Data Protection Legislation and Article 28(3) of the UK GDPR.

1.11 FXE shall implement and maintain appropriate technical and organisational measures to maintain the confidentiality and integrity of Customer Personal Data being processed by FXE.

1.12 Without limiting the foregoing, such safeguards and measures shall be appropriate to protect against the harm that may result from accidental or unauthorised destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.

1.13 FXE shall put in place and maintain a process for regularly testing, assessing and evaluating the safeguards and measures referred to above.

1.14 Without prejudice to any other provision of this DPA, each Subscriber may, at reasonable intervals and on reasonable notice, request a detailed written description of the information security and other safeguards and measures implemented by FXE in compliance with the above.

1.15 FXE shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data and ensuring that all such individuals are subject to confidentiality undertakings or other obligations of confidentiality.

1.16 Each Subscriber shall be entitled to request that FXE provide written details of its compliance with the terms of this DPA. If, having done so, the relevant Subscriber is not (acting reasonably) satisfied with the information provided that Subscriber shall be entitled conduct an audit of the FXE’s records to the extent only that they relate to the requirements of and FXE’s performance of its obligations under this DPA and as they relate the processing of Customer Personal Data for that Subscriber, subject to the following requirements:

a) on giving reasonable notice of such an audit to FXE;

b) any such audit shall be conducted during FXE’s normal working hours and in such a manner as to minimise any interruption to FXE’s business;

c) any such audit shall be conducted no more frequently than once every twelve (12) months;

d) any such audit shall not entitle the Subscriber to have access to any systems used by FXE for or data of any of FXE’s other customers (including that of other Subscribers);

e) any person conducting the audit entering into any non-disclosure agreement reasonably required by FXE; and

f) provided that each party shall (subject to the above) bear its own costs in respect of any such audits.

1.17 FXE shall not process Customer Personal Data outside the UK (other than in the European Economic Area (“EEA”) or in a country deemed to provide an adequate level of protection for personal data by any applicable regulator) without the prior written consent of the relevant Subscriber.

1.18 FXE shall, if requested by the relevant Subscriber and where FXE is processing any Customer Personal Data outside (a) the UK and the European Economic Area (“EEA”); or (b) in a country not deemed to provide an adequate level of protection for personal data by any applicable regulator, enter into a data transfer agreement consistent with applicable Data Protection Legislation.

1.19 FXE shall promptly notify the relevant Subscriber if the subject of any Customer Personal Data (which FXE is processing for that Subscriber) makes a written request to have access to or be provided with details his or her Customer Personal Data and shall (at the relevant Subscriber’s costs) provide reasonable cooperation and assistance to the Subscriber in relation to any such request or otherwise in responding to any subject access request received by the Subscriber (relating to Customer Personal Data).

1.20 FXE shall also (at the Subscriber’s costs) provide reasonable assistance to each Subscriber in ensuring that Subscriber’s compliance with applicable Data Protection Legislation, including but not limited, reasonable assistance in the preparation of any data protection impact assessments relating to the processing.

1.21 In the event of any actual or suspected personal data breach due to a failure of the security safeguards of FXE, FXE shall (to the extent that the breach or suspected breach relates to Customer Personal Data processed for the Subscriber concerned):

a) notify the relevant Subscriber without undue delay; and

b) provide prompt and reasonable cooperation, information and assistance to the Subscriber in respect of such event; and

c) co-operate with the relevant Subscriber and take reasonable commercial steps to assist that Subscriber in the investigation, mitigation and remediation of any such (actual) personal data breach.

1.22 FXE shall, for up to 30 days following the termination or expiry of a Subscriber’s access to and use of SFH, provide that Subscriber with such access to SFH as is required to enable that Subscriber to access and download its Customer Personal Data (but not to otherwise use SFH) following which FXE shall (save where provided otherwise in the Terms) destroy all such Customer Personal Data, unless FXE is prevented from returning or destroying all or part of the Customer Personal Data by a regulator or applicable law.

FXE will process data for the following purposes:

a) to carry out its obligations arising from, and to exercise its rights under, the agreements in place between FXE and relevant Subscribers;

b) for statistical analysis;

c) to develop and improve SFH;

d) to identify, prevent, detect or tackle fraud, money laundering and other crime; and

e) to carry out checks required by applicable regulation or regulatory guidance

Subject to the following, any Customer Personal Data will be retained for 6 years or until the termination of the relevant Subscriber’s access to SFH, whichever is sooner.

Subject to applicable law, as the (sole or joint) Controller, Subscribers have the right to request that all Customer Personal Data being processed on their behalf is returned or deleted upon their access to and use of SFH terminating.

Customer Personal Data may include:

a) information about financial interests or financial position, including (where applicable)

I. management accounts information;

II. open banking and other bank statement information;

b) contact details, including e-mail address, date of birth, home address and telephone numbers;

c) details about the business, which may include details of directors, shareholders or persons with significant control;

d) copies of passports or other identification evidence that are provided for anti-money laundering and anti-fraud purposes;

e) credit checks from referencing agencies to assess creditworthiness of the individuals or their business; and/or

f) user details including e-mail address and telephone number

Customer Personal Data may be disclosed in the following specific circumstances:

a) to

I. finance providers;

II. open banking providers;

III. accounting software aggregators

b) to FXE’s agents and sub-processors to use for the purpose of operating SFH, including customer support and providing services to FXE;

c) for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority;

d) if FXE are under a duty to disclose or share data in order to comply with any legal obligation, or in order to enforce or apply any agreements to which the Subscriber is a party; or to protect FXE’s rights, property, or safety, or that of FXE’s customers or others (which includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction);

e) to a purchaser if substantially all of FXE’s assets are acquired by a third party; and/or

f) to investigate, prevent or detect fraud.

FXE shall maintain appropriate technical and organization security measures designed to protect and preserve the security, confidentiality and integrity of Customer Personal Data. These security measures will include as a minimum:

a) Segregation of environments

b) Firewalls

c) Data encryption at rest and in transit

d) Redundant services for high-availability

e) Role based access

f) A business continuity policy

FXE uses the following sub-processors but reserves the right to add or remove sub-processors to facilitate the continued operation of SFH and to add new features as needed.

AMAZON WEB SERVICES EMEA SARL (“AWS”)38 Avenue John. Kennedy, Luxembourg 1855, Luxembourg