Data Processing Policy | STM Global Solutions

This Data Processing Policy is made by and between STM Global Solutions LLC ("STM") and the relevant client ("Client"). It supplements our Terms and Conditions, our Privacy Policy and any agreement governing covered services. It is intended to describe how client data may be processed where STM acts on behalf of a Client in the course of delivering advisory or related support services.

1. Definitions

For purposes of this Policy, Client Data means personal data and other information submitted to or processed by STM on behalf of the Client. Covered Services means the services governed by the applicable engagement, terms or order. Data Protection Laws means applicable laws and regulations relating to privacy, data protection and cross-border data transfers. Sub-processor means a third party engaged by STM to process Client Data on STM’s behalf.

2. Scope of Data Processing and Roles of the Parties

To the extent STM processes Client Data on behalf of the Client, the Client acts as controller or processor as determined by applicable law, and STM acts as processor or sub-processor. STM will process Client Data only for the purpose of providing the Covered Services, performing related administrative functions, complying with legal obligations and following documented instructions from the Client, unless otherwise required by law.

3. Confidentiality of Client Data

STM will treat Client Data as confidential and will not disclose it to third parties except as necessary to provide the Covered Services, to comply with law, to protect legal rights or to support the engagement through appropriately bound service providers or professional partners.

4. Shared Responsibility Model of Security

STM is responsible for implementing commercially reasonable technical and organizational measures for the systems, tools and workflows under its control. The Client remains responsible for the lawfulness of the data it provides, the instructions it issues, the permissions and notices it obtains, and the security of its own systems, credentials, devices and communication channels.

5. Data Subject Requests

Where legally required and commercially reasonable, STM will provide appropriate assistance to help the Client respond to requests from data subjects seeking access, correction, deletion, restriction, portability or objection in relation to Client Data processed by STM on the Client’s behalf.

6. Sub-processing

The Client authorizes STM to engage sub-processors and supporting providers where reasonably necessary for hosting, communications, administration, analytics, document handling, payments, workflow support or comparable business operations. STM may also coordinate with external attorneys, CPAs and other professionals where relevant to a mandate. STM will take commercially reasonable steps to ensure that such parties are subject to obligations materially consistent with the nature of their role.

7. Security Incidents

If STM becomes aware of a confirmed security incident affecting Client Data under its control, STM will take commercially reasonable steps to contain, investigate and mitigate the incident and, where required by law or contract, notify the Client without undue delay. Events that do not result in unauthorized access to Client Data may not require notification.

8. Client Rights and Compliance

The Client remains responsible for determining whether the Covered Services are appropriate for its regulatory environment and for ensuring that its use of the Covered Services complies with applicable Data Protection Laws. Upon reasonable request and subject to confidentiality, proportionality and operational feasibility, STM may provide information relevant to the Client’s assessment of compliance.

9. International Transfers of Client Data

STM operates internationally and may process Client Data in the United States and other jurisdictions where STM, its providers or its professional partners operate. Where required by applicable law, the parties will rely on appropriate transfer mechanisms and safeguards for international transfers.

10. Duration and Termination

This Policy remains in effect for as long as STM processes Client Data in connection with the Covered Services. It terminates when STM no longer processes Client Data under the relevant relationship, subject to any legal retention obligations.

11. Return or Deletion of Client Data

Following termination of the relevant services and subject to applicable law, contractual obligations, professional recordkeeping requirements and legitimate business needs, STM will delete or return Client Data within a commercially reasonable period, unless continued retention is required or permitted.

12. Limitation of Liability

Any liability arising under or in connection with this Policy is subject to the exclusions, limitations and risk allocations contained in the applicable Terms and Conditions or other governing agreement, except to the extent prohibited by law.

13. Order of Precedence

This Policy supplements the broader legal framework governing the relationship between STM and the Client. In the event of a direct conflict regarding data processing, this Policy governs that specific processing issue unless the applicable engagement or mandatory law requires otherwise.

14. Appendix – Nature of Processing

Subject matter: advisory, administrative and support services provided by STM Global Solutions LLC. Duration: for the period necessary to provide the Covered Services and satisfy related compliance or recordkeeping obligations. Nature and purpose: collection, organization, storage, review, communication, transfer and deletion of Client Data in connection with advisory mandates and supporting operations. Categories of data subjects: clients, prospective clients, beneficial owners, directors, officers, representatives, employees, family members or counterparties where relevant to a mandate. Types of data: identity data, contact data, corporate information, transaction-related information, correspondence and other materials voluntarily submitted or lawfully required for the engagement.