Data Processing Agreement
Effective Date: March 3, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") describes how New Way Capital Advisory Limited ("NWCA", "Processor", "we") processes personal and financial data on behalf of users ("Controller", "you") when you use our Portfolio Consolidation service and related analytics tools.
This DPA supplements our Privacy Policy and Terms of Service, and governs the processing of data that you submit to our platform, including portfolio statements and financial documents.
This DPA is entered into in accordance with the requirements of the Swiss Federal Act on Data Protection (FADP/nDSG) and, where applicable, Article 28 of the EU General Data Protection Regulation (GDPR).
2. Definitions
- "Portfolio Data" refers to any financial data contained in documents you upload, including but not limited to: custodian names, account identifiers, ISIN codes, security names, market values, asset allocations, and portfolio weights.
- "Personal Data" refers to any information relating to an identified or identifiable natural person contained within uploaded documents or account registration, including names, email addresses, and any personal data appearing in portfolio statements.
- "Processing" means any operation performed on data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by NWCA to process data on the Controller's behalf.
3. Subject Matter and Duration of Processing
| Item | Description |
|---|---|
| Subject matter | Processing of portfolio PDF documents and financial data for analysis, consolidation, and report generation |
| Nature of processing | Automated parsing, classification, aggregation, look-through analysis, fee calculation, and PDF/JSON report generation |
| Purpose | To provide portfolio consolidation, risk analytics, and reporting services as requested by the Controller |
| Duration | Processing occurs only during active use. Uploaded files are deleted after download or within 24 hours, whichever comes first |
| Categories of data subjects | Users of the platform, and any individuals whose personal data appears in uploaded portfolio statements |
| Types of data | Portfolio holdings, asset allocations, market values, custodian information, ISIN codes, account holder names (if present in uploaded documents), user account data (email, name, company) |
4. Data Processing Lifecycle
When you upload portfolio documents to our platform, data flows through the following stages:
Upload
You upload one or more PDF portfolio statements via an HTTPS-encrypted connection. Files are received and stored temporarily on our server in a job-specific directory.
Parsing
Our automated system extracts text and tabular data from the PDF files. Custodian format is detected automatically (e.g., Vontobel, BCGE, Rothschild). Holdings are identified and classified by ISIN, asset class, and market value.
Analysis
Extracted data is processed for consolidation (merging holdings by ISIN across custodians), look-through analysis (decomposing fund holdings), TER calculation, and allocation assessment. All processing occurs in memory on our servers.
Report Generation
A structured PDF report and/or JSON file is generated containing the analysis results. The report is made available for download through your authenticated session.
Deletion
After you download the report, or within 24 hours of upload (whichever comes first), all uploaded source files and generated outputs are permanently deleted from our servers. No copies or backups are retained.
5. Sub-processors
No sub-processors. NWCA does not engage any third-party sub-processors for the processing of your portfolio data. All data parsing, analysis, and report generation is performed entirely on infrastructure owned and operated by NWCA, located in Switzerland.
Specifically:
- No cloud platforms (AWS, Azure, GCP) are used for portfolio data processing
- No third-party OCR, parsing, or AI services receive your documents
- No data is sent to external APIs for enrichment or analysis
- Look-through analysis uses publicly available ETF factsheet data, not your portfolio data -- your holdings are matched locally against cached public data
If NWCA ever intends to engage a sub-processor, we will provide advance written notice and obtain your consent before any data is shared. You will have the right to object to any new sub-processor.
6. Security Measures
NWCA implements the following technical and organizational measures to protect your data during processing:
6.1 Encryption
- In transit: All data is transmitted over HTTPS using TLS 1.2 or higher. No unencrypted HTTP connections are accepted for any authenticated endpoints.
- At rest: Server storage uses standard filesystem permissions with restricted access controls.
6.2 Authentication and Access Control
- User authentication: JWT (JSON Web Token) based authentication with token expiration. Each user session is independently authenticated.
- Password storage: User passwords are hashed using bcrypt with an appropriate cost factor. Plaintext passwords are never stored or logged.
- Job isolation: Each processing job is assigned a unique identifier. Users can only access their own jobs -- no cross-user data access is possible through the application.
6.3 Data Isolation
- Each upload is processed in an isolated job directory
- No uploaded data is shared between users or sessions
- Processing results are only accessible via authenticated API endpoints with job-specific authorization
6.4 Infrastructure Security
- Server access restricted to SSH key authentication (no password-based SSH access)
- Nginx reverse proxy with security headers
- Regular server access log monitoring
- Server located in Switzerland
6.5 Logging
Server access logs record HTTP requests (IP address, timestamp, URL, status code) for security monitoring purposes. These logs do not contain portfolio data content. Access logs are retained for a maximum of 90 days.
7. Data Retention and Deletion
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Uploaded PDF documents | Deleted after download or within 24 hours | Permanent file deletion from server filesystem |
| Generated reports (PDF/JSON) | Deleted after download or within 24 hours | Permanent file deletion from server filesystem |
| Processing metadata (job ID, timestamps, status) | Deleted with job files (within 24 hours) | Database record deletion |
| User account data (email, name, company) | Until account deletion requested | Database record deletion upon request |
| Hashed passwords | Until account deletion requested | Database record deletion upon request |
Automatic deletion: You do not need to request deletion of uploaded portfolio files. All uploaded documents and generated reports are automatically and permanently deleted within 24 hours of processing, regardless of whether you download the results.
8. Obligations of the Processor
NWCA, as Processor, undertakes the following obligations:
- Purpose limitation: We process your data only for the purposes described in this DPA and only based on your documented instructions (i.e., your use of the platform constitutes your instruction to process).
- Confidentiality: All personnel with access to the processing infrastructure are bound by confidentiality obligations.
- Security: We implement and maintain the technical and organizational measures described in Section 6.
- No sub-processing: We do not engage sub-processors for portfolio data processing without your prior consent.
- Data subject rights: We assist you in responding to data subject requests (access, rectification, erasure, portability) to the extent technically feasible.
- Deletion: Upon termination of services or upon request, we delete all personal data in our possession, subject to any legal retention requirements.
- Audit cooperation: Upon reasonable request and at your cost, we will provide information necessary to demonstrate compliance with this DPA.
9. Obligations of the Controller
As Controller, you are responsible for:
- Lawful basis: Ensuring you have the legal authority to upload and process the portfolio data, including any personal data of third parties contained in the documents.
- Data subject notification: Informing any data subjects whose personal data appears in uploaded documents about the processing, as required by applicable law.
- Accuracy: Ensuring the data you provide is accurate and up to date.
- Instructions: Providing documented, lawful processing instructions.
10. International Data Transfers
All portfolio data processing occurs on servers located in Switzerland. No portfolio data is transferred to any other country.
Switzerland is recognized by the European Commission as providing an adequate level of data protection (adequacy decision under GDPR Article 45). Therefore, transfers of personal data from the EU/EEA to Switzerland do not require additional safeguards.
Account registration data (email, name, company) is stored exclusively on Swiss servers. The only external data transfer involves anonymized website usage data sent to Google Analytics, as described in our Privacy Policy.
11. Data Breach Notification
In the event of a personal data breach affecting your data, NWCA will:
- Notify you without undue delay, and in any case within 72 hours of becoming aware of the breach
- Provide a description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach and mitigate its effects
- Cooperate with you in meeting any notification obligations you may have towards supervisory authorities or affected data subjects
12. Data Protection Impact Assessment
Where required, NWCA will assist you in conducting a Data Protection Impact Assessment (DPIA) relating to the processing activities described in this DPA. We will provide reasonable information about our processing operations, technical measures, and organizational safeguards to support your assessment.
13. Termination
This DPA remains in effect for as long as you maintain an account with NWCA or use our services.
Upon termination of the service relationship:
- All uploaded portfolio data will have already been deleted (within 24 hours of each upload)
- Account data (email, name, company, hashed password) will be deleted upon your request
- Server access logs will expire per the 90-day retention policy
You may request complete account deletion at any time by contacting info@nwc-advisory.com.
14. Governing Law and Jurisdiction
This DPA is governed by Swiss law. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of Geneva, Switzerland.
15. Contact
Data Processing Inquiries
New Way Capital Advisory Limited
Email: info@nwc-advisory.com
Website: nwc-advisory.com
For data subject requests (access, correction, deletion), please email us with the subject line "Data Subject Request" and we will respond within 30 days.