Data Processing
Last Updated: 1 September 2025
This page applies only to customers and data subjects who are covered by the European Union Data Act (Regulation (EU) 2023/2854). It sets out the required information that the provider of data processing services, in this case DigiShares A/S (provider of a white-label platform solution), must make publicly available in order to comply with the obligations set forth in the Regulation.
The details provided herein relate specifically to:
- Procedures for switching and porting to other data processing services;
- Data structures, formats, and relevant interoperability standards;
- Jurisdictional information for ICT infrastructure; and
- Technical, organisational, and contractual measures implemented to prevent unlawful international access to non-personal data held within the Union.
This page is not applicable to customers outside the territorial scope of the EU Data Act, nor does it create any contractual rights or obligations beyond those required by the Regulation.
1. Switching and Porting Procedures
1.1 Overview
For the standard white-label solution, customers have the ability to export their dataset in a CSV format which contains an up-to-date table of their current sharecap table. If the API variant is chosen, the data can be extracted via APIs allowing the data to be passed through certain ETL processes (Extract, Transform, Load process) of choice. That will allow the information to be transferred over to the new service provider. We do not assist with the creation and development of the ETL functions that make up the application.
1.2 Available Methods and Formats
- Supported Export Formats:
- CSV
- JSON
- GQL API responses
- Export Methods:
- API endpoint
- Web download in the above mentioned formats
- Import/Porting Methods (if applicable):
- Direct API
- CSV uploads via the admin panel
1.3 Restrictions or Technical Limitations
Depending on the variant chosen, only certain types of export methods could be available. API exports are only possible on the Advanced version of the platform with API access. In terms of partial data export, project based selection of investors exporting is possible.
1.4 Charges for Switching
Any charges for these switching data processing services shall not exceed cost-based compensation as permitted by applicable law, which shall be assessed on a case-by-case basis. Although subject to a case-by-case basis, standard services fees amount to EUR 150 per hour. In cases where the data processing solution has been highly customized for the customer, as requested by the customer, it may be impossible to switch to another data processing service due to significant interference in the data, digital assets or service architecture.
2. Data Structures, Formats & Interoperability Standards
2.1 Exportable Data Standards (Article 25(2)(e))
Formats and specifications concerning exportable data standards are listed below:
Data Type | Format | Standard / Specification | Open? (Y/N) |
User Profiles/Investment information | CSV | RFC 4180 | Yes |
Transactions | API | GQL | Yes |
3. ICT Infrastructure Jurisdiction
3.1 Legal Jurisdiction(s)
DigiShares is committed to transparency regarding how and where customer data is processed. The following information outlines our corporate structure, primary data processing locations, and the third-party service providers we work with to provide an overview of legal jurisdictions.
3.2 Corporate Structure
- DigiShares, Inc. (United States) – parent company.
- DigiShares A/S (Denmark) – wholly-owned subsidiary, responsible for daily operations and development within the European Union.
3.3 Primary Data Processing Location
Operational data processing and software development activities are carried out within the European Union.
3.4 Sub-Processors
To deliver our services effectively and securely, DigiShares A/S and DigiShares, Inc. engage a limited number of trusted third-party providers:
- Google Cloud Platform
- Jurisdictions: European Union and United States
- Services: Cloud hosting and infrastructure
- Further sub-processors: Details are available here: link
- Cloudflare, Inc.
- Jurisdiction: United States
- Services: Content delivery network (CDN), DNS service provider, and DDoS protection and reverse proxy service provider
- Further sub-processors: Details are available here: link
- GitHub, Inc.
- Jurisdiction: United States
- Services: Cloud version control and CI/CD system provider
- Further sub-processors: Details are available here: link
3.5 Oversight of Sub-Processors
All sub-processors engaged by DigiShares are bound by written agreements (Data Protection Agreements) in accordance with EU data privacy regulation to ensure appropriate security and confidentiality of data. Sub-processors may only engage additional subcontractors with proper authorization and oversight. Customers are notified of material changes to our sub-processor list where relevant.
3.6 Data Sovereignty and Jurisdiction
Data stored within the EU remains subject to EU jurisdiction and safeguards. Where third-party providers are subject to non-EU jurisdictions, DigiShares applies appropriate contractual safeguards to protect customer data and maintain compliance with applicable requirements.
4. Measures Against Unlawful International Access
4.1 Technical Measures
Listed below are the technical measures implemented to prevent unlawful non-EU governmental access:
- Data encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control controlled by the administrators
- 2FA can be enabled for all administrators
- Admin or Investor lockout after X number of failed attempts
- Session based access to the environment (the same things that banks use where they log you out after X amount of inactivity)
- Region based access limitation for files and certain user journeys
- No admin access from non-EU IP ranges is possible from the standard and advanced solutions
4.2 Organisational Measures
- Internal policy prohibiting transfer of non-personal EU data outside the EU without legal basis (Data Processing Policy).
- Access request logging and review security measures
4.3 Contractual Measures
- Data processing agreements with sub-processors in alignment with EU data protection regulations.
- Clauses prohibiting disclosure of EU data to third-country authorities unless compliant with EU law
