Додаток про обробку даних

This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement or Terms of Service ("Agreement") between you ("Controller") and Sanctuary ("Processor") for the processing of personal data as described below.

1. Definitions

"Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings given in Article 4 of the GDPR (Regulation (EU) 2016/679).

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

The Processor processes Personal Data for the purpose of providing blockchain risk analytics services as described in the Agreement. The nature and purpose of processing include:

AML Intelligence Services

• Receiving wallet addresses submitted by Controller for risk analysis
• Applying cryptographic hashing to convert addresses to pseudonymous identifiers
• Querying internal and external intelligence databases using pseudonymized identifiers
• Generating risk scores, flags, and compliance reports
• Storing check results as pseudonymised snapshots linked to Controller's account

Categories of data subjects: (a) end users whose wallet addresses are submitted for AML checking; (b) Merchant and enterprise personnel.

Categories of personal data: blockchain wallet addresses (pseudonymised via Blind Protocol for AML Services), check timestamps, IP addresses (server logs, 30 days), transaction amounts.

3. Controller obligations

The Controller warrants that it has a lawful basis for submitting wallet addresses for processing, and that any Data Subjects have been informed of the processing in accordance with Articles 13 and 14 of the GDPR.

4. Processor obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorised to process Personal Data have committed themselves to confidentiality
• Implement appropriate technical and organisational measures (Art. 32), including address pseudonymisation via cryptographic hashing
• Not engage another processor without prior written authorisation of the Controller (see Sub-processor list)
• Assist the Controller with Data Subject requests (access, rectification, erasure, portability)
• Delete or return all Personal Data at the end of the service period, unless retention is required by law
• Make available all information necessary to demonstrate compliance and allow for audits

5. Security measures

The Processor implements the following measures:

• Blind Protocol: cryptographic pseudonymisation of all wallet addresses before storage
• Encryption at rest: database volumes with full-disk encryption
• Encryption in transit: TLS 1.3 for all connections
• Access control: role-based access control, intrusion detection, and network-level protection
• Data retention per contract: 7 years for billing records (tax law), configurable for check data
• Incident response: Priority 0 within 1 hour, Security events within 72 hours (GDPR Art. 33)

6. Sub-processors

The current list of approved sub-processors is maintained at sanctuary.cv/legal/subprocessors. The Controller will be notified of any changes with at least 30 days notice.

7. International transfers

If Personal Data is transferred outside the European Economic Area, the Processor ensures appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (Commission Decision 2021/914) where applicable.

8. Data breach notification

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach. Notification will include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate.

9. Duration and termination

This DPA continues for the duration of the Agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law.

10. Governing law

This DPA is governed by the laws of England and Wales, without regard to conflict of laws principles.