Request Signed DPA

Enter your company details to request a signed version of our GDPR Data Processing Addendum.

Data Processing Addendum

Last Updated:

This Data Processing Addendum ("Addendum") forms part of the Contract for Services ("Principal Agreement") between [COMPANY NAME] (the "Company" or "Data Controller") and Recap Technologies Limited (the "Processor") (together referred to as the "Parties").

WHEREAS:

  1. The Company acts as a Data Controller.
  2. The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
  3. The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws.
  4. The Parties wish to lay down their respective rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

  1. Definitions: Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meanings:
    1. "Agreement" means this Data Processing Addendum and all Annexes.
    2. "Company Personal Data" means any Personal Data provided to or Processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement.
    3. "Data Protection Laws" means all applicable laws relating to the Processing of Personal Data and privacy, including European Data Protection Laws, the UK GDPR, Data Protection Act 2018, and the ePrivacy Directive 2002/58/EC.
    4. "Protected Data" means the Personal Data and any special category data processed by the Processor on behalf of the Data Controller.
    5. "Processing Activities" refers to the specific personal data processing tasks outlined in Annex I: Processing Activities.
    6. "Services" means the cryptocurrency portfolio tracking and tax reporting services provided by the Processor.
  2. Interpretation: The terms "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Supervisory Authority" shall have the same meanings as defined in the GDPR and UK GDPR.

2. Processing of Company Personal Data

  1. The Company shall:
    1. Ensure that all Personal Data provided for the purposes outlined in Annex I is collected, processed, and used in compliance with Data Protection Laws.
    2. Process Company Personal Data as detailed in Annex I, following the documented instructions of the Company.
    3. Provide documented instructions to the Processor regarding the processing of Company Personal Data.
  2. The Processor shall:
    1. Comply with all applicable Data Protection Laws.
    2. Process Company Personal Data only on documented instructions from the Company.
    3. Notify the Company immediately if it believes an instruction for Processing violates applicable laws.

3. Processor Personnel

  1. The Processor shall ensure that any personnel authorised to process Company Personal Data are subject to strict confidentiality obligations and undergo regular data protection training.

4. Security Measures

  1. The Processor shall implement the technical and organisational measures specified in Annex II: Technical and Organisational Measures to ensure a level of security appropriate to the risk, including but not limited to:
    1. Encryption of Personal Data.Ensuring confidentiality, integrity, and availability of processing systems.
    2. Implementing procedures for regularly testing, assessing, and evaluating the effectiveness of security measures, as outlined in Annex II.

5. Subprocessing

  1. The Company provides the Processor with general authorisation to engage Subprocessors as listed in Annex III.
  2. The Processor shall ensure that Subprocessors agree to the same data protection obligations as those outlined in this Agreement.

6. Data Subject Rights

  1. The Processor shall:
    1. Assist the Company in responding to Data Subject requests under applicable Data Protection Laws.
    2. Notify the Company immediately upon receipt of a Data Subject request or complaint.
    3. Not respond to a Data Subject request without the documented instruction of the Company.

7. Data Retention and Deletion

  1. Upon termination of the Services or at the request of the Company, the Processor shall delete or return all Company Personal Data, unless required by law to retain such data.

8. International Transfers

  1. The Processor shall not transfer Company Personal Data outside the UK or EEA without obtaining the Company's prior written approval and ensuring that appropriate safeguards are in place (e.g., SCCs).

9. Data Breach Notification

  1. Data Breach Definition: A "Data Breach" is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  2. Data Breach Notification: In the event of a Data Breach affecting Company Personal Data, the Processor shall:
    1. Notify the Company without undue delay and, in any case, no later than 72 hours after becoming aware of the breach.
    2. Provide the Company with the following information:
      1. The nature of the Data Breach, including the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
      2. The likely consequences of the Data Breach.
      3. The measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
    3. Cooperate with the Company and provide reasonable assistance to help the Company comply with its legal obligations, including notifying the Supervisory Authority and affected Data Subjects (where applicable).
  3. Mitigation: The Processor shall take immediate steps to contain and remedy the Data Breach, including making reasonable efforts to prevent further incidents.

10. Audits and Inspections

  1. The Processor shall make available all information necessary to demonstrate compliance with this Agreement and allow for audits or inspections by the Company or an appointed auditor.

11. Liability and Indemnity

  1. The Processor shall indemnify the Company against any claims, damages, or losses arising from a breach of its obligations under this Agreement.
  2. The Processor's total aggregate liability under this Agreement shall be limited to £50,000.

12. Governing Law and Jurisdiction

  1. This Agreement shall be governed by and construed in accordance with the laws of England and Wales, and the Parties submit to the exclusive jurisdiction of the English courts.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below:

Company

Signature: ________________________

Name: ___________________________

Title: ____________________________

Date: ____________________________

Recap Technologies Limited

Signature: ________________________

Name: ___________________________

Title: ____________________________

Date: ____________________________

Annex I: Processing Activities

A. Processing Details

  • Subject Matter:The Processor shall process Personal Data as necessary to provide cryptocurrency portfolio tracking and tax reporting services to the Company.
  • Nature and Purpose of the Processing: The processing includes cryptocurrency bookkeeping, reconciliation, transaction analysis, gain/loss calculations, and report generation for tax-related matters. The Personal Data processed will be used solely for the purposes set out in this Agreement and the Principal Agreement.
  • Duration of Processing: The Personal Data shall be processed for the duration of the Principal Agreement, or until such time that the data is deleted in accordance with this Agreement and applicable Data Protection Laws.
  • Categories of Data Subjects: The Personal Data processed relates to the following categories of data subjects:
  • Clients of Company.
  • Employees of the Company
  • Categories of Personal Data: The Personal Data processed comprises the following categories of data:
  • Identifying Information: Name, email address.
  • Cryptocurrency-Related Data: Wallet addresses, transaction data.
  • Financial Data: Cryptocurrency holdings, transaction amounts.
  • Behavioural Data: Service usage data, including IP addresses and browser footprints.
  • Special Categories of Personal Data: The Personal Data transferred does not include special categories of data under GDPR Article 9, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or data concerning health or sex life.

B. Parties Involved

  • Data Exporter: The Data Exporter is the Company, whose contact details are as follows:
    • Name: [COMPANY NAME]
    • Address: [COMPANY ADDRESS]
    • Point of Contact: [COMPANY CONTACT]
    • Role: Controller
  • Data Importer: The Data Importer is Recap Technologies Limited, whose contact details are as follows:
    • Name: Recap Technologies Limited
    • Address: 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ
    • Point of Contact: Daniel Howitt
    • Role: Processor

C. Description of Transfer

  • Categories of Data Subjects :See 'A. Processing Details' above.
  • Categories of Personal Data Transferred: See 'A. Processing Details' above.
  • Sensitive Data Transferred: No special categories of data (sensitive personal data) are transferred as part of this Agreement.
  • Frequency of Transfer: Personal Data is transferred on a continuous basis during the term of the Principal Agreement.
  • Nature of Processing: See 'A. Processing Details' above.
  • Purpose of Data Transfer: The purpose of the data transfer is to enable the Processor to provide the Services as defined in the Principal Agreement.
  • Retention Period: The Personal Data will be retained for the duration of the Principal Agreement or until the data is no longer required for the purpose of processing, in accordance with applicable Data Protection Laws.

Annex II: Technical and Organisational Measures

Recap Technologies Limited ("Processor") implements and maintains appropriate technical and organisational measures to protect the Personal Data processed on behalf of the Company. These measures are designed to ensure the confidentiality, integrity, and availability of Personal Data and to protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.

  1. Client-Side Encryption and Zero-Knowledge Architecture
    1. All sensitive accounting data is encrypted on the client-side before transmission to Recap’s servers.
    2. Recap employs a zero-knowledge architecture where encryption keys are not accessible to Recap, ensuring that even in the unlikely event of a breach, client data remains protected.
    3. Each client has unique encryption keys, isolating and protecting individual client data from unauthorised access.
  2. Authentication and Access Control
    1. Recap uses Auth0, an industry-leading authentication and authorisation platform, to manage access to systems securely.
    2. Multi-Factor Authentication (MFA) is enforced by the use of an additional secret phrase to decrypt private accounting information.
    3. Role-Based Access Control (RBAC) ensures users have access only to necessary resources.
    4. A strong password policy is enforced, requiring complex passwords that are regularly changed.
    5. Suspicious IP throttling and brute force protection measures are in place to defend against unauthorised access attempts.
  3. Vulnerability and Patch Management
    1. Recap employs a serverless architecture with AWS Lambda and API Gateway, minimising the attack surface area.
    2. Regular OWASP (Open Web Application Security Project) penetration testing is performed to identify and address potential security vulnerabilities.
    3. Systems are continuously monitored for unusual activity that could indicate a security threat.
  4. Patch Management
    1. All systems and software are updated regularly with the latest security patches.
    2. Automated systems are used, where possible, to deploy patches quickly across the infrastructure.
    3. All patches are tested in a non-production environment before deployment to live systems.
  5. Anti-Malware Solutions
    1. Endpoints, including developer machines and servers, are protected with up-to-date anti-malware software.
    2. Network-level anti-malware scanning is employed to detect and prevent malware at the perimeter.
    3. Automated malware scans are regularly conducted on all systems.
  6. Firewalls and Network Security
    1. Advanced firewalls with deep packet inspection and intrusion prevention capabilities are utilised.
    2. A Web Application Firewall (WAF) protects web applications against common web-based attacks.
    3. The network is segmented to isolate critical systems and limit the impact of any breach.
  7. Data Minimisation and Privacy
    1. Recap follows a policy of data minimisation, collecting and processing only the Personal Data necessary for the specified purposes.
    2. Logging is limited to essential information required for system operation, debugging, or security investigations.
    3. Logs are retained only for the period necessary to fulfil their purpose, after which they are securely deleted.
  8. Physical Security
    1. Recap’s services are hosted on Amazon Web Services (AWS) in the UK (East London) and US (Virginia) regions.
    2. AWS provides state-of-the-art physical security measures, including 24/7 security staff, biometric access controls, and video surveillance at data centres.
  9. Employee Training and Awareness
    1. Recap conducts regular staff training on data security and privacy issues.
    2. New employees receive appropriate data protection training before they begin handling Personal Data.
    3. Employees are bound by confidentiality obligations with respect to any Personal Data they may access.
  10. Incident Response and Business Continuity
    1. Recap maintains an incident response plan that is tested and updated at least annually.
    2. A defined escalation process is in place for reporting and addressing incidents.
    3. Post-incident analysis is conducted to improve processes and prevent future occurrences.
    4. Regular backups of critical data and systems are performed.
    5. Disaster recovery procedures are in place and tested periodically.
  11. Sub-Processor Management
    1. Recap enters into written agreements with all Sub-Processors, imposing data protection obligations no less protective than those outlined in this Agreement.
    2. Sub-Processors are regularly reviewed to ensure compliance with data protection requirements.
  12. Compliance and Audits
    1. Recap is registered with the Information Commissioner’s Office (ICO) in the UK. ICO registration number: ZB735084
    2. Regular security audits and assessments are conducted to ensure the effectiveness of security measures.
  13. Secure Data Disposal
    1. Recap employs a comprehensive secure disposal process for digital assets containing client data.
    2. An in-house secure disposal script is used to remove data from all systems and third-party services.
    3. Manual verification is performed after script execution to ensure all data has been successfully removed.
  14. Ongoing Improvement
    1. Security measures are regularly reviewed and updated to ensure they remain effective and aligned with the latest data protection regulations and best practices.
    2. Recap stays informed about changes in data protection laws and regulations and adjusts its practices accordingly.

Annex III: Subprocessors

Amazon Web Services, Inc.

410 Terry Avenue North, Seattle, WA 98109-5210, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Duration of the agreement

Geographical location of the processing

UK (East London), US (Virginia)

Subject matter of the processing

Provides cloud infrastructure and storage for Recap’s services.

Nature and purpose of the processing

Provides cloud infrastructure and storage for Personal Data, including customer information stored in a Postgres database. Data is securely stored and processed within a serverless architecture.

Auth0 (Okta).

415 Mission Street, Suite 300, San Francisco, CA 94105, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Duration of the agreement

Geographical location of the processing

Germany (Frankfurt)

Subject matter of the processing

Authentication and authorisation

Nature and purpose of the processing

Provides user authentication and authorisation services to allow secure access to Recap services.

Chargebee.

340 S Lemon Ave #1537, Walnut, CA 91789, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Financial data related to payments processed through Chargebee, will be retained for the duration of the agreement or as required to comply with legal, tax, anti-fraud, or regulatory obligations. This may include indefinite retention of certain payment data as mandated by applicable law.

Geographical location of the processing

USA (North Virginia)

Subject matter of the processing

Payment processing and Billing

Nature and purpose of the processing

Manages billing and subscription payments, including processing payment details and managing customer accounts.

Intercom.

55 2nd Street, 4th Floor, San Francisco, CA 94105, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Duration of the agreement

Geographical location of the processing

Ireland (Dubin)

Subject matter of the processing

Customer communication and support

Nature and purpose of the processing

Facilitates customer communication and support, including managing user inquiries and service interactions.

Sentry.

1804 Embarcadero Road, Palo Alto, CA 94303, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Duration of the agreement

Geographical location of the processing

USA (Iowa)

Subject matter of the processing

Error reporting

Nature and purpose of the processing

Tracks and reports errors within Recap’s application to ensure system stability and quick resolution of technical issues.

Postmark (ActiveCampaign).

1 N Dearborn St, 5th Floor, Chicago, IL 60602, USA

Categories of data subject

Clients and employees of the Company

Duration of the processing

Duration of the agreement

Geographical location of the processing

USA (Chicago, North Virginia)

Subject matter of the processing

Transactional email delivery

Nature and purpose of the processing

Delivers transactional and notification emails related to service updates, account management, and other user communications.

Stripe UK.

7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, United Kingdom

Categories of data subject

Clients and employees of the Company

Duration of the processing

Financial data related to payments processed through Stripe, will be retained for the duration of the agreement or as required to comply with legal, tax, anti-fraud, or regulatory obligations. This may include indefinite retention of certain payment data as mandated by applicable law.

Geographical location of the processing

UK

Subject matter of the processing

Payment processing and Billing

Nature and purpose of the processing

Manages billing, subscription payments and payment processing including the processing payment details and managing customer accounts.

Paypal.

Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, United Kingdom, TW9 1EH

Categories of data subject

Clients and employees of the Company

Duration of the processing

Financial data related to payments processed through Paypal, will be retained for the duration of the agreement or as required to comply with legal, tax, anti-fraud, or regulatory obligations. This may include indefinite retention of certain payment data as mandated by applicable law.

Geographical location of the processing

UK

Subject matter of the processing

Payment processing and Billing

Nature and purpose of the processing

Manages billing, subscription payments and payment processing including the processing payment details and managing customer accounts.

Allora Labs (formally known as Upshot).

10 Williams Street, Suite 41, Boston, MA 02119, USA

Categories of data subject

Clients of the Company

Duration of the processing

Inflight requests to sync blockchain data only.

Geographical location of the processing

USA

Subject matter of the processing

Portfolio tracking and syncing transactions

Nature and purpose of the processing

Index blockchain addresses to automatically retrieve transaction activity for reporting and analysis purposes.

Moralis Web3 Technology AB.

Box 30, 116 74 Stockholm, Sweden

Categories of data subject

Clients of the Company

Duration of the processing

Inflight requests to sync blockchain data only.

Geographical location of the processing

Sweden

Subject matter of the processing

Portfolio tracking and syncing transactions

Nature and purpose of the processing

Index blockchain addresses to automatically retrieve transaction activity for reporting and analysis purposes.

QuickNode.

QuickNode, Inc. 1010 S. Federal Highway, Suite 1102 Hallandale Beach, FL, USA

Categories of data subject

Clients of the Company

Duration of the processing

Inflight requests to sync blockchain data only.

Geographical location of the processing

US

Subject matter of the processing

Portfolio tracking and syncing transactions

Nature and purpose of the processing

Index blockchain addresses to automatically retrieve transaction activity for reporting and analysis purposes.

EtherScan.

Kuala Lumpur, Malaysia

Categories of data subject

Clients of the Company

Duration of the processing

Inflight requests to sync blockchain data only.

Geographical location of the processing

US

Subject matter of the processing

Portfolio tracking and syncing transactions

Nature and purpose of the processing

Index blockchain addresses to automatically retrieve transaction activity for reporting and analysis purposes.

PostHog.

2261 Market Street #4008, San Francisco, CA 94114, USA

Categories of data subject

Clients of the Company

Duration of the processing

Stored for the duration of the service provided to the client.

Geographical location of the processing

EU, Frankfurt.

Subject matter of the processing

Product analytics and tracking user behaviour

Nature and purpose of the processing

Collect and analyse user interaction data for improving the functionality and user experience of the service.