As of March 18, 2025
This Data Processing Agreement and its Appendixes, including the Standard Contractual Clauses and their Annexes, (collectively, the “Agreement”) is incorporated into and forms a part of the written (including in electronic form) agreement between StepStone Group LP or one of its consolidated subsidiaries (the “Company”) and Vendor for the provision of the services identified in the relevant agreement (“Services”) between Company and Vendor (the “Main Contract”) to reflect the Parties’ agreement with regard to the Processing of Personal Data. For the avoidance of doubt, execution of the Main Contract shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Annexes.
- Subject matter and duration
1.1 Unless otherwise set out below, each capitalized term in this Agreement shall have the meaning set out in the Main Contract:
“Company Personal Data” means any Personal Data Vendor Processes in relation to the Services, including Personal Data (i) provided by or on behalf of Company to Vendor, (ii) obtained, developed, produced or otherwise Processed by Vendor, or its agents or Subprocessors, for purposes of providing the Services, and (iii) any information derived therefrom.
“Affiliates” means the current and future respective affiliated companies of Company.
“Applicable Data Protection Law” means all applicable laws, rules, regulations, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as amended, including by the California Privacy Rights Act, and including any amendments and implementing regulations thereto that become effective on or after the effective date of this Agreement (the “CCPA”), the European Union General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”) and any applicable national legislation implementing or supplementing the GDPR, the UK General Data Protection Regulation, the revised Swiss Federal Data Protection Act of 2023 and its revised Data Protection Ordinance, and the Australian Privacy Act 1988, in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data.
“Business Purpose” means the specific purpose of performing the Services identified in the Main Contract and Processing the Company Personal Data in accordance with Company’s written instructions.
“Controller” means the natural or legal person which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified, or identifiable, natural person to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable individual, or is otherwise “personal data,” “personal information,” “personally identifiable information,” or similar designation under and regulated by Applicable Data Protection Law. Specifically, under the CCPA, “personal information” means any information relating to any identifiable person or household directly or indirectly.
“Process(ing)” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, modification, storage, disclosure, restriction, erasure or destruction. The nature and purpose of the Processing as well as the types of Personal Data and the categories of Data Subjects that are subject to this Agreement are set out in Annex I.
“Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller subject to contractual restrictions consistent and in compliance with Applicable Data Protection Law, including a “processor” as such term is defined by the GDPR and a “service provider” or a “contractor” as applicable and defined in each case by the CCPA.
“Subprocessor” means a natural or legal person engaged by the Vendor who Processes any Company Personal Data on behalf of the Vendor.
1.2 The subject matter of this Agreement is the Processing of Company Personal Data by Vendor.
1.3 The Parties acknowledge and agree that Company is disclosing the Company Personal Data to the Vendor only for the limited and specified Business Purpose(s) set forth in this Agreement.
1.4 The Parties acknowledge and agree that Vendor shall act as a Processor in relation to its Processing of Company Personal Data and Vendor shall only Process Company Personal Data in accordance with:
(a) the Main Contract and this Agreement, to the extent necessary to provide the Services to Company, and
(b) Company’s written instructions.
1.5 This Agreement shall commence with the signature by both Parties of the Main Contract and shall terminate automatically following the termination of the Main Contract upon the completion of the last Processing activity carried out thereunder. The right of either Party to terminate this Agreement with immediate effect for cause remains unaffected, provided that if this Agreement is terminated, the Parties acknowledge and agree that no further Processing of Company Personal Data is permitted under the Main Contract. Any notice of termination must be given in writing in order to be legally effective.
2. Processing location and Standard Contractual Clauses
2.1 Where Applicable Data Protection Law restricts international data transfers or requires that Company imposes particular data processing terms for Company Personal Data transfers to Processors, Vendor agrees that the standard contractual clauses apply (“Standard Contractual Clauses”), as set forth in Appendix 1. The country/countries where Vendor will process Company Personal Data shall be set forth in Appendix 2. In the event that Vendor intends to change the country/countries it processes Company Personal Data, the Parties shall amend Appendix 2 in writing to reflect such change. Without limiting the foregoing, any Processor who will Process data in a country that does not ensure an adequate level of data protection in accordance with Applicable Data Protection Law are bound by the Standard Contractual Clauses appended to this Agreement. For transfers of Company Personal Data that is subject to the laws of Switzerland, Vendor agrees to the Standard Contractual Clauses subject to the following amendments: The Federal Data Protection and Information Commissioner is the competent supervisory authority in so far as the data transfer falls under Swiss law. Switzerland is also to be considered as a Member State within the meaning of the Standard Contractual Clauses so that data subjects can file claims according to clause 18c of the Standard Contractual Clauses at their habitual residence in Switzerland. Applicable Law for Contractual Claims under Clause 17 of the Standard Contractual Clauses: Swiss law (or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the Federal Data Protection Act. References to the General Data Protection Regulation and the Regulation (EU) 2016/679 are to be understood as references to the Federal Data Protection Act. With respect to any Company Personal Data that is subject to the UK General Data Protection Regulation, Vendor accepts the UK International Data Transfer Addendum to the Standard Contractual Clauses in Appendix 3.
2.2 In the event of a change in any Applicable Data Protection Law relating to the country/countries where an adequate level of data protection exists, the Parties will discuss and agree on an alternative solution permitting Vendor to continue to Process the Personal Data in said country/countries.
2.3 In the case of any inconsistency between any of the provisions of the Main Contract, this Agreement and the Standard Contractual Clauses respectively, the provisions of the Standard Contractual Clauses shall prevail in preference to the Main Contract and this Agreement, and the provisions of this Agreement shall prevail over the provisions of the Main Contract. Notwithstanding the foregoing, if the Main Contract includes or references a security plan (“Security Plan”), the provisions of the Security Plan shall prevail over the provisions of this Agreement (including Annex II), and a provision in the Main Contract otherwise conflicting with a provision in this Agreement shall further prevail, in each case solely to the extent such provision relates to information other than Company Personal Data, provides greater protection for Company Personal Data or imposes additional restrictions on Vendor’s Processing of Company Personal Data.
3. Instructions of Company
3.1 Company has the sole right to give Vendor instructions with regard to the Processing of Company Personal Data.
3.2 Company herewith instructs Vendor to Process the Company Personal Data to the extent required to provide the Services.
3.3 Instructions of Company will regularly be given in writing. Oral instructions will be confirmed in writing without undue delay.
3.4 If the execution of an instruction of Company would result in the breach of this Agreement, the Main Contract, the Standard Contractual Clauses (if any), or Applicable Data Protection Law, Vendor will immediately notify Company thereof in writing. Such notification shall be duly justified and documented. In such case, Vendor will suspend the execution of the instruction until the instruction is confirmed by Company in writing.
3.5 It is incumbent upon Vendor to prove that it has acted as a Processor under Company’s instruction pursuant to Applicable Data Protection Law when Processing Company Personal Data. Company remains the Controller of the Personal Data within the meaning of Applicable Data Protection Laws. As a consequence, Vendor recognizes and agrees that it is not permitted to:
- sell, share for cross-contextual advertising, retain, use, disclose nor otherwise Process the Company Personal Data for its own commercial purposes or for any purpose other than for the specific Business Purpose(s) set forth in this Agreement;
- sell, share for cross-contextual advertising, retain, use, disclose nor otherwise Process the Company Personal Data outside the direct business relationship between the Vendor and Company;
- combine the Company Personal Data with Personal Data that Vendor receives from or on behalf of another person or entity, or collects from its own interaction with a Data Subject; and
- use Company Personal Data to perform services on behalf of another person or entity other than Company.
4. General obligations of Vendor
4.1 Vendor will only Process Company Personal Data in accordance with the instructions given by Company and for the Business Purpose(s) set forth within it, the Standard Contractual Clauses (if applicable), and Applicable Data Protection Law, and shall not cause Company to be in breach of Applicable Data Protection Law. Without limiting the generality of the foregoing, Vendor shall comply with all applicable sections of the CCPA with respect to the Company Personal Data, including but not limited to the obligations to provide the same level of privacy protection as required of Company by the CCPA. Vendor shall notify Company immediately if it makes a determination that it can no longer meet its obligations under Applicable Data Protection Law.
4.2 Vendor shall, however, have the right to Process Company Personal Data outside the scope set out in section 4.1: (a) in the case of Personal Data of Data Subjects resident in the European Economic Area, to the extent required by the laws of the European Economic Area or its member states; and (b) in the case of Personal Data of data subjects not resident in the European Economic Area, to the extent required by any country’s laws to which Vendor may be subject. In such a case, Vendor shall inform Company of that legal requirement in writing before the Processing and provide such details as may be required by Company to evaluate whether the Data Subjects should be notified, unless to the extent that law prohibits such information.
4.3 Vendor will provide Company with such assistance and co-operation as Company may reasonably request to enable Company to comply with any obligations imposed on Company in relation to Company Personal Data including, but not limited to, providing any assistance with any data protection impact assessments and prior consultations of Company required under Applicable Data Protection Law, or other binding legal obligations, which may include litigation holds and responding to binding orders of a court or regulatory authority with jurisdiction. Vendor attests to having provided accurate responses to transfer impact assessments or other related Company provided questionnaires.
4.4 Vendor shall inform Company immediately, in writing, of any inquiry, complaint, notice, or other communication it receives from any supervisory authority or other governmental body or any individual, relating to either Vendor’s or Company’s Processing of Company Personal Data or related compliance with Applicable Data Protection Law. Vendor shall present, upon request, to Company such inquiries, complaints, notices, or other communications and shall provide all necessary assistance to Company to enable Company to respond to such inquiries, complaints, notices, or other communications. For the avoidance of doubt, Vendor shall not respond to any such inquiry, complaint, notice, or other communication without the prior written consent of Company.
4.5 Vendor will notify Company as soon as possible, and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Company Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. For the avoidance of doubt and as far as it is legally permitted to do so, Vendor shall not disclose or release any Company Personal Data in response to such request served on Vendor without first consulting with, and obtaining the written consent of, Company.
4.6 Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Vendor’s unauthorized use of Company Personal Data, including but not limited to the right to request Vendor to provide sufficient documentation that verifies its compliance with its obligations under this Agreement.
5. Technical and organizational security measures
5.1 Vendor will monitor its compliance with this Agreement on an ongoing basis.
5.2 Vendor has designated or will designate a data protection officer and/or a representative in the EU and/or any other jurisdiction to the extent required under Applicable Data Protection Law. Vendor will notify Company of (and of any changes to) the identity and contact details of any data protection officer and/or representative (if any) without undue delay in writing.
5.3 Vendor will maintain a record of all categories of Processing activities carried out on behalf of Company by Vendor to the extent required to enable Company to comply with its obligations under Applicable Data Protection Law. Vendor will cause each Subprocessor it retains to maintain a record of all categories of Processing activities carried out on behalf of Vendor by the Subprocessor to the extent required to enable Company or Vendor to comply with its obligations under Applicable Data Protection Law. The records required by this section 5.3 must include, without limitation:
- a description of the categories of Company Personal Data being Processed and the categories of the Processing activities undertaken;
- where permitted in accordance with this Agreement, details of any transfer of Company Personal Data, including details of: (i) the country in which the recipient is located and, if applicable, the recipient international organization; and (ii) the suitable safeguards implemented for the protection of Company Personal Data; and
- a general description of the technical and organizational security measures implemented pursuant to section 5.6.
Vendor shall make available (and shall cause any Subprocessor to make available) to Company copies of such records in electronic form or such other form acceptable to Company on no less than an annual basis or without undue delay upon first demand from Company.
5.4 Vendor will notify Company prior to Vendor or its Subprocessors adopting or implementing a new type of Processing activities (including, without limitation, the use of new technology to continue current Processing) in respect of Company Personal Data, and at Company’s request, Vendor shall participate in a data protection impact assessment in respect of the new type of Processing which is being proposed, in accordance with Applicable Data Protection Laws.
5.5 Vendor will take reasonable steps to ensure the reliability of any person, including employees and other personnel, authorized by Vendor to Process Company Personal Data, and will ensure that such persons have committed themselves in writing to confidentiality or are under an appropriate obligation of confidentiality and an obligation to act in compliance with Applicable Data Protection Law. Vendor will make available to Company an electronic copy of such commitment or appropriate evidence of such obligation without undue delay upon first demand.
5.6 Vendor will implement and maintain reasonable technical and organizational data protection and security measures appropriate to the nature of the Company Personal Data to ensure security of Company Personal Data, including but not limited to protection against unauthorized or unlawful Processing, unauthorized or unlawful disclosure of, access to and/or alteration of Company Personal Data, accidental loss, and destruction or damage of or to Company Personal Data, in accordance with Applicable Data Protection Law including but not limited to the requirements under California Civil Code section 1798.81.5 and APP 11 of the Privacy Act.
5.7 Vendor will implement and maintain as a minimum standard the measures set out in Annex II. Vendor will constantly improve such measures in line with the development of best market practices and technical standards. Vendor will notify Company in writing in advance of any material changes to such security measures. Any changes that may adversely affect the security of Company Personal Data require Company’s prior written consent.
6. Data breach notifications
6.1 Vendor will immediately notify Company in writing of any breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law applicable to the Processing of Company Personal Data, or any instruction by Company in connection with the Processing of Company Personal Data under this Agreement.
6.2 Without limiting the generality of Section 6.1, Vendor shall notify Company without undue delay and, in any event, not later than 36 hours after the discovery of any possible breach of security that is likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Company Personal Data transmitted, stored, or otherwise Processed by Vendor or any of its Subprocessors, and reasonably cooperate in the investigation of any such possible breach of security.
6.3 Where, and insofar it is possible for Vendor, the notification shall at least:
- describe the nature of the possible breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; and
- describe the likely consequences of the possible breach and the measures taken or proposed to be taken to address the possible breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue delay.
6.4 Vendor shall take all steps to restore, re-constitute, and/or reconstruct any Company Personal Data which is lost, damaged, destroyed, altered, or corrupted as a result of such a breach as if they were Vendor’s own data at its own cost with all possible speed. Vendor shall, without undue delay, send Company a detailed report of all the measures implemented pursuant to section 6.4.
6.5 Vendor will provide any assistance with Company’s investigation of the possible breach and any obligation of Company under Applicable Data Protection Law to make any notifications to the Data Subjects, supervisory authorities, or the public in respect of such breach as reasonably requested by Company. Vendor will not make any statement or notification to any Data Subject, supervisory authority, or otherwise relating to such breach without the prior written approval of Company.
6.6 Vendor shall provide any assistance with any obligation of Company under Applicable Data Protection Law to document any such possible breach as reasonably requested by Company.
7. Rights of the Data Subjects
7.1 As between the Parties, Company shall have sole discretion in responding to the rights asserted by any Data Subjects in relation to Company Personal Data.
7.2 Vendor will forward to Company without undue delay any request received by the Vendor or any Subprocessor from a Data Subject in respect of the Company Personal Data, and shall not respond to the Data Subject without first consulting with and obtaining the written consent of Company.
7.3 While respecting the technical and organizational security measures, Vendor will provide any cooperation and assistance in fulfilling any rights of the Data Subjects to the extent these rights relate to the Processing of Company Personal Data by Vendor as reasonably requested by Company, including:
- complying with any request from Company requiring Vendor to amend, transfer, or delete Company Personal Data as soon as possible and notifying its own service providers or contractors to do the same, unless otherwise exempted from Applicable Data Protection Law and provided that Company provides the information necessary for Vendor to comply with the request;
- taking all technical and organizational measures allowing Company to comply with any right of portability request formulated pursuant to Applicable Data Protection Law; and
- implementing, so far as possible, appropriate technical and organizational measures to provide Company with co-operation and assistance in complying with any Data Subject rights requests received by, or on behalf of, Company.
7.4 At Company’s request, Vendor will immediately send evidence of the accomplishment of measures taken pursuant to section 7.3.
8. Deletion and return of data upon termination of this Agreement
8.1 Upon Company’s first demand or, at the latest, upon termination or expiration of this Agreement, Vendor will at the choice of Company, while respecting data protection and security measures, delete or return to Company all Company Personal Data Processed and delete all existing copies unless: (a) in the case of the Personal Data of Data Subjects in the European Economic Area, the laws of the European Economic Area or its member states require a longer retention period; and (b) in the case of the Personal Data of Data Subjects not in the European Economic Area, to the extent any country’s laws to which Vendor is subject require a longer retention period. Vendor shall provide any evidence of such deletion of Company Personal Data as reasonably requested by Company.
9. Right to engage Subprocessors
9.1 Vendor shall not engage, and shall not transfer or disclose any Company Personal Data to, another party (including any other Processor or Subprocessor) without prior specific or general written authorization of Company.
9.2 In the case of general written authorization, Vendor shall inform Company of its intention to engage such other third party in writing at least sixty days in advance of the date of the intended commencement of the engagement. Company may object to such intended engagement by giving written notice at the latest two weeks in advance of the date of the intended commencement of the engagement.
9.3 Where Vendor engages a Subprocessor in accordance with this Agreement, obligations providing at least for the level of data protection as established by this Agreement shall be imposed on that other party by way of a written contract such as a data processing agreement. Vendor shall make available to Company an electronic copy of such written contract (redacted for commercial terms) or other evidence acceptable to Company, acting reasonably, without undue delay, upon first demand. Where the Subprocessor fails to fulfil its data protection obligations, Vendor shall remain fully responsible to Company for the performance of that other party’s obligations and shall be liable to Company for the acts and omissions of the Subprocessor as if they were the acts and omissions of the Vendor.
10. Audits and inspections of Company, co-operation obligations of Vendor, co-operation with supervisory authorities
10.1 Company (itself or through a third-party) has the right to reasonably inspect or audit Vendor’s compliance with this Agreement. For this purpose, Vendor will grant Company, or a designated third-party, access to its business premises during Vendor’s regular business hours and without undue delay make available all information necessary to demonstrate compliance with this Agreement as reasonably requested by Company.
10.2 Company will notify Vendor in writing of any such audit or inspection at least 2 weeks in advance. Company will not conduct more than one audit or inspection per calendar year. However, if: (i) Vendor has provided a notice under section 6.1 or 6.2 of this Agreement; or (ii) Company reasonably believes that Vendor is in breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law Applicable, or any direction by Company in connection with Processing of Company Personal Data; Company may, as the case may be without or with shorter prior notice, conduct such additional inspections within the same calendar year reasonably required to confirm compliance with this Agreement.
10.3 Vendor will provide any assistance in connection with any audits of any competent supervisory authority to the extent such audit relates to the Processing of Company Personal Data by Vendor under this Agreement as reasonably requested by Company.
10.4 Vendor shall ensure that substantially similar provisions are included in its agreements with Subprocessors.
11. Indemnification
11.1 Vendor agrees to indemnify, defend at its own expense and hold harmless, without setoff or deduction, Company from and against any and all claims, damages, costs and expenses (including, without limitation, reasonable legal costs) incurred by Company or its Affiliates arising from, or in connection with, the Processing of Company Personal Data by Vendor or breach of this Agreement by Vendor.
11.2 Any provision of this Agreement or the Main Contract excluding or limiting the liability of Vendor shall not apply to Vendor’s liability under Section 11.1 (Indemnification).
12. Insurance Obligation
12.1 At all times during the performance of Services pursuant to the Main Contract, Vendor shall (and shall cause Vendor personnel who are providing Services to) keep in full force and effect and maintain, at no additional cost to Company, technology/professional and network security/privacy (cyber) errors and omissions liability insurance covering acts, errors, omissions, breach of contract, and violation of any privacy or data protection laws (if applicable) arising out of Vendor’s operations or Services at levels consistent with prudent industry standards. Vendor shall notify the Company if it reduces materially the level or amount of insurance coverage during the performance of the Services.
12.2 By requiring insurance as provided in this Section 12, Company does not represent that coverage and limits shall be necessarily adequate to protect Company and Company’s Affiliates, and their officers, directors, employees and agents, and such limits shall not be deemed as a limitation of Vendor’s liability under this Agreement.
13. Final provisions
13.1 This Agreement is subject to the laws of the jurisdiction as stated in the Main Contract save that the Standard Contractual Clauses shall be governed by the law of the jurisdiction in which Company is established. The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the Main Contract.
13.2 All rights granted to Company under this Agreement are for the benefit of Company and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Any claims in connection with this Agreement may be brought by Company, whether acting for itself or on behalf of an Affiliate.
13.3 Any amendments or supplements to, or a termination of, this Agreement must be in writing in order to be legally effective; this requirement applies accordingly to any waiver of this written form requirement. For the avoidance of doubt, any references to any written form requirement in this Agreement (e.g. “written” or “in writing”) include declarations and documents in electronic and text form whether bearing a signature or not (e.g. emails, fax copies or scans).
13.4 All notices, requests, consents, claims, demands, waivers, and other communications by Vendor to Company under this Agreement (each, a “Notice”) shall be made in writing and, at a minimum, delivered by email to legal@stepstonegroup.com (with confirmation of transmission). Notice pursuant to Section 5.7 and 6.2 shall also be delivered by email to privacy@stepstonegroup.com (with confirmation of transmission), and Notice pursuant to Section 6.2 shall also be delivered by overnight mail to:
StepStone Group LP
Attention: 4225 Executive Square, Suite 1600
La Jolla, CA 92037, United States
Notice pursuant to Section 6.2 relating to Company Personal Data in or from the European Economic Area or the United Kingdom shall also be delivered by email to PrivacyEurope@stepstonegroup.com. Notice under this Agreement is only effective (a) upon receipt by Company, and (b) if Vendor has complied with the requirements of this Section.
13.5 If a provision of this Agreement is or becomes ineffective in whole or in part, or if there is an omission, the remaining provisions of this Agreement shall remain unaffected. In place of the ineffective provision, and to fill the omission, the Parties will agree on a reasonable provision which comes – to the extent legally possible – closest to what the Parties agreed or would have agreed if they had considered this point.
13.6 Either Party’s failure to enforce any provisions of this Agreement shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision.
13.7 Any claim or dispute between the Parties arising out of, or in connection with, this Agreement (a “Dispute”) that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Main Contract, if any.
