Purpose of this Document
Protection of personal data is a major concern for Platform Group – as it is for our customers. In particular, our customers from the European Union ("EU") take great care to ensure compliance with data protection laws, most notably the EU General Data Protection Regulation ("GDPR").
Against this background, this notice informs our EU customers about the data protection law framework for the Irwin platform. We are confident that we have everything in place for our EU customers to use the full spectrum of Irwin features in line with GDPR and Canadian law.
For our technical and organizational measures of data security to prevent, inter alia, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, please refer to our Information Security and Disaster Recovery Overview.
For the purposes of this document, "personal data" shall have the meaning set out in Art. 4 no 1 GDPR ("any information relating to an identified or identifiable natural person ('data subject')"). "Platform Group", "us", "we" refer to Platform Group Limited.
What Types of Personal Data does Platform Group Process on the Irwin Platform?
As an investor relations management tool, Irwin relies on information. While some of the information may qualify as personal data in the terms of data protection laws, all information we provide on individuals is related to their respective professional capacities. Such information may include office contact details, business affiliations, shareholder notifications, or beneficial owner information.
Our research team collects such information primarily from public sources and professional investor information providers, such as FactSet. We do not collect any personal data that is not business-related. In particular, Irwin does not use any particularly sensitive, so-called "special categories of personal data" within the meaning of Art. 9 GDPR (i.e., information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation).
Which Laws Apply to the Processing of Personal Data for Irwin?
Platform Group is bound by the strict standards of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). PIPEDA is the cornerstone of federal Canadian legislation on data protection in the private sector and is enforced by the Office of the Privacy Commissioner of Canada. You can find its full text (as amended) here.
The comprehensive protection of personal data under PIPEDA is based on the ten fair information principles that businesses processing personal data must follow (see Schedule 1 to PIPEDA):
2. Identifying Purposes
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
9. Individual Access
10. Challenging Compliance
We take these principles seriously and have designed Irwin to adhere to them. For instance, we take great care to ensure accuracy of our data, to only provide relevant information and to delete data that is no longer relevant.
The European Commission has officially determined that PIPEDA offers an adequate level of protection for personal data that is at least materially equivalent to EU standards (Commission Decision of 20 December 2001, 2002/2/EC; "Canada Adequacy Decision")*. Please note that the recent repeal of the EU-U.S. Privacy Shield by the European Court of Justice (judgment of 16 July 2020, Case C-311/18, Schrems II) in no way affects the Canada Adequacy Decision. In fact, many EU businesses now seek cooperation with Canadian partners due to their high data protection standards.
*Note that the Canada Adequacy Decision was issued under Directive 95/46/EC, the predecessor of GDPR. It remains in force until amended, replaced or repealed by subsequent Commission decision (Art. 45 para. 9
Is Platform Group also Subject to GDPR?
As a Canadian legal entity, Platform Group is itself not subject to GDPR. The territorial scope of GDPR does not extend to Platform Group:
We do not currently have any establishment in the EU (Art. 3 para. 1 GDPR). We distribute Irwin remotely by way of software-as-a-service and we do not require any physical presence or – in the words of the European Court of Justice – any other "stable arrangements" in the EU such as branch offices, subsidiaries or permanent sales representatives.
We do not offer goods or services to data subjects in the EU (Art. 3 para. 2 (a) GDPR). Since we provide the Irwin platform solely to public companies on a B2B basis, we are not targeting individual data subjects to become our customers. We do not monitor the behavior of data subjects in the EU (Art. 3 para. 2 (b) GDPR).
What Is Required for EU Customers to Add Personal Data to Their Individual Irwin Platform?
In addition to the investor information collected, curated and provided by Platform Group, Irwin users can themselves add information on (prospective) investors to their personal Irwin platform (defined as "Uploaded Information" in our General Terms of Service). Such Uploaded Information may include personal data, e.g., notes on an investor's key contact ("Uploaded Personal Data").
When providing Uploaded Personal Data to Platform Group, Irwin users must comply with their local laws, including on data protection (see Clauses 3 (h) and 7 (b), (d) of our General Terms of Service). For our EU customers, this means that any submission of Uploaded Personal Data to us needs to comply with GDPR requirements.
This has, in particular, the following implications:
If and to the extent our EU customers add Uploaded Personal Data to their Irwin platform, we act on their behalf as a data processor within the meaning of Art. 28 GDPR. We only process Uploaded Personal Data for the purposes of and under instructions from the respective customer. Therefore, EU customers intending to add Uploaded Personal Data to their Irwin platform are required under Art. 28 GDPR to agree to our standard data processing agreement ("DPA"). The DPA lays out our rights and obligations in respect of Uploaded Personal Data.
EU customers do not have to implement any additional safeguards in respect of the international data transfer of Uploaded Personal Data to us (such as, e.g., EU standard contractual clauses under Art. 46 GDPR). By virtue of the European Commission's Canada Adequacy Decision, data exports to Platform Group are considered safe and do not require any specific authorization (Art. 45 para. 1, 9 GDPR).
Where Do I Get More Information?