Data Processing Addendum

Last Updated:

This Data Processing Addendum ("Addendum") forms part of the agreement for services ("Principal Agreement") between the entity identified in the Principal Agreement (the "Customer") and Recap Technologies Limited ("Recap") (together referred to as the "Parties").

This Addendum applies where Recap processes Personal Data on behalf of the Customer in connection with the provision of the Recap platform and services.

1. Definitions and Interpretation

1.1 In this Addendum, unless the context requires otherwise:

"Advisor" means any individual or entity that uses the Platform to provide professional services to clients, including but not limited to accountants, tax advisors, bookkeepers, financial planners, and other professional service providers, regardless of their legal structure (whether sole trader, partnership, limited company, LLP, or otherwise).

"Advisor-Controlled Portfolio" means a portfolio created and controlled by an Advisor on behalf of an End Client.

"Authorised User" means any individual granted access to the Platform by the Customer, including the Customer's employees, contractors, and End Clients.

"Customer" means the Advisor or other entity identified in the Principal Agreement that engages Recap to process Personal Data on its behalf.

"Customer Personal Data" means any Personal Data processed by Recap on behalf of the Customer pursuant to or in connection with the Principal Agreement.

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

"End Client" means a client or prospective client of an Advisor who is granted access to the Platform to input, view, or manage their own data within a portfolio, or on whose behalf an Advisor manages a portfolio or performs due diligence.

"Platform" means the Recap cryptoasset portfolio tracking and tax reporting platform.

"Self-Service Portfolio" means a portfolio created by an individual or business who subscribes to the Platform directly and controls their own data.

"Subprocessor" means any third party engaged by Recap to process Customer Personal Data.

1.2 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" shall have the meanings given to them in the UK GDPR.

2. Platform Access Model and Controller Roles

2.1 The Platform supports multiple access models, and the identity of the Controller depends on how the Platform is used:

(a) Advisor-Controlled Portfolios (Customer as Controller)

Where the Customer (an Advisor such as an accountant, tax advisor, bookkeeper, or financial planner) creates a portfolio on behalf of an End Client, the Customer acts as Controller and Recap processes Personal Data on the Customer's behalf as Processor under this Addendum. In this model:

(i) The Customer may invite the End Client to access the Platform to input their own data (such as wallet addresses, transaction records, and supporting documentation).
(ii) The Customer's authorised personnel may access, reconcile, and process the End Client's data to provide professional services (such as tax calculations, report generation, and filing assistance).
(iii) The Customer remains responsible for establishing the legal basis for processing, providing appropriate privacy notices to the End Client, and responding to Data Subject requests.
(iv) Recap processes all such data solely on the Customer's documented instructions.
(v) The portfolio licence may be paid for by either the Customer or the End Client; the payment arrangement does not affect which party acts as Controller.

(b) Self-Service Portfolios (End Client as Controller)

Where an individual or business subscribes to the Platform directly and creates their own portfolio, that individual or business acts as Controller of their own Personal Data. Recap processes their data under Recap's standard Terms of Service. In this model:

(i) The End Client may grant access to a third party (such as their accountant or tax advisor) to view and work with their portfolio.
(ii) The third party accesses the data as the End Client's authorised representative or agent, not as Controller.
(iii) This Addendum does not apply to Self-Service Portfolios; instead, Recap's standard Data Processing Addendum (available at https://recap.io/legal/dpa) applies directly between Recap and the End Client.
(iv) The portfolio licence may be paid for by either the End Client or a third party (such as their accountant); the payment arrangement does not affect which party acts as Controller.

(c) Recap's Role

For the avoidance of doubt, Recap acts as Processor in all scenarios described above. Recap does not determine the purposes or means of processing Customer Personal Data and processes such data only in accordance with the Controller's documented instructions (subject to applicable law).

3. Scope of Processing

3.1 Recap shall process Customer Personal Data only:

(a) to provide the Platform and services described in the Principal Agreement;
(b) in accordance with the Customer's documented instructions; and
(c) as required by applicable law (in which case Recap shall notify the Customer of such legal requirement before processing, unless prohibited by law).

3.2 The subject matter, nature, purpose, and duration of processing, the categories of Personal Data, and the categories of Data Subjects are described in Annex I.

3.3 Recap shall immediately inform the Customer if, in Recap's opinion, an instruction infringes Data Protection Laws. Recap shall not be required to assess independently whether the Customer's instructions comply with Data Protection Laws.

3.4 Authorised User Data. For the avoidance of doubt, personal data relating to the Customer's own employees, contractors, or other Authorised Users (such as their names, email addresses, and login credentials) is processed by Recap as Controller in accordance with Recap's Privacy Policy, not as Processor under this Addendum. This Addendum applies to End Client and prospective client personal data processed by Recap on the Customer's behalf.

4. Customer Obligations

4.1 The Customer warrants and represents that:

(a) it has the legal authority to engage Recap as a Processor and to provide documented instructions regarding the processing of Customer Personal Data;
(b) it has established a valid legal basis for the processing of all Customer Personal Data, including any data input by End Clients;
(c) it has provided (or will provide) all necessary privacy notices to Data Subjects, including End Clients invited to use the Platform; and
(d) its instructions to Recap comply with Data Protection Laws.

4.2 Where the Customer invites End Clients to access the Platform, the Customer is responsible for ensuring that such End Clients understand how their data will be processed and by whom.

5. Recap Obligations

5.1 Recap shall:

(a) process Customer Personal Data only as necessary to provide the Services and as described in this Addendum, unless required by law to process for another purpose;
(b) ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations;
(c) implement and maintain appropriate technical and organisational measures as described in Annex II;
(d) comply with the conditions for engaging Subprocessors set out in clause 6;
(e) taking into account the nature of the processing, assist the Customer (at the Customer's cost) in responding to Data Subject requests;
(f) assist the Customer (at the Customer's cost) in ensuring compliance with the Customer's obligations regarding security, breach notification, data protection impact assessments, and prior consultation;
(g) at the Customer's choice, delete or return all Customer Personal Data upon termination of the services, unless retention is required by law; and
(h) make available to the Customer information necessary to demonstrate compliance with this Addendum and allow for audits as described in clause 10.

6. Subprocessors

6.1 The Customer provides general authorisation for Recap to engage Subprocessors to process Customer Personal Data. The current list of Subprocessors is set out in Annex III.

6.2 Recap shall:

(a) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this Addendum;
(b) remain liable for the acts and omissions of its Subprocessors; and
(c) notify the Customer of any intended changes to Subprocessors, giving the Customer reasonable opportunity to object.

6.3 If the Customer objects to a new Subprocessor on reasonable data protection grounds, the Parties shall discuss the concerns in good faith. If no resolution is reached, the Customer may terminate the affected services without penalty.

7. International Transfers

7.1 Recap shall not transfer Customer Personal Data outside the UK or EEA unless:

(a) the transfer is to a country recognised as providing adequate protection under UK data protection law;
(b) appropriate safeguards are in place, such as the UK Addendum to the EU Standard Contractual Clauses; or
(c) the transfer falls within a derogation under Data Protection Laws.

7.2 Details of Recap's international transfers and the safeguards in place are set out in Annex III.

8. Security

8.1 Recap shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure.

8.2 The security measures implemented by Recap are described in Annex II. Recap may update these measures from time to time, provided that such updates do not materially reduce the overall level of protection.

9. Personal Data Breach

9.1 Recap shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 Such notification shall include (to the extent known):

(a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
(b) the likely consequences of the breach; and
(c) the measures taken or proposed to address the breach and mitigate its effects.

9.3 Recap shall co-operate with the Customer and take reasonable steps to assist in the investigation and mitigation of any breach.

10. Audits and Compliance

10.1 Recap shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Addendum.

10.2 Recap shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor appointed by the Customer, subject to:

(a) reasonable advance notice (at least 30 days, unless a shorter period is required by a Supervisory Authority);
(b) the auditor entering into appropriate confidentiality undertakings; and
(c) the audit being conducted during normal business hours and in a manner that minimises disruption to Recap's operations.

10.3 Recap is registered with the Information Commissioner's Office (ICO). Registration number: ZB735084.

11. Data Subject Rights

11.1 Recap shall promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under Data Protection Laws in relation to Customer Personal Data.

11.2 Recap shall not respond directly to any Data Subject request without the Customer's prior written authorisation, unless required by law.

11.3 Recap shall provide reasonable assistance to enable the Customer to respond to Data Subject requests, taking into account the nature of the processing and the information available to Recap.

12. Data Retention and Deletion

12.1 Upon termination or expiry of the Principal Agreement, or upon the Customer's earlier written request, Recap shall (at the Customer's election):

(a) return all Customer Personal Data to the Customer in a commonly used format; and/or
(b) securely delete all Customer Personal Data in Recap's possession or control.

12.2 Recap may retain Customer Personal Data to the extent required by applicable law, subject to maintaining the confidentiality and security of such data.

13. Liability

13.1 Each Party's liability under or in connection with this Addendum shall be subject to the limitations and exclusions of liability set out in the Principal Agreement.

13.2 Notwithstanding the above, Recap's total aggregate liability for any claims arising under this Addendum shall not exceed £50,000.

14. Term and Termination

14.1 This Addendum shall come into effect on the date of the Principal Agreement and shall continue until the Principal Agreement is terminated or expires.

14.2 Any provisions of this Addendum that by their nature should survive termination (including clauses relating to confidentiality, data deletion, and liability) shall survive.

15. Governing Law and Jurisdiction

This Addendum shall be governed by and construed in accordance with the laws of England and Wales. The Parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.

Annex I: Processing Details

A. Subject Matter and Purpose

Subject Matter: The provision of cryptoasset portfolio tracking and tax reporting services via the Recap platform.

Nature of Processing: Recap operates a zero-knowledge architecture where portfolio data is encrypted client-side before transmission to Recap's servers. The processing activities differ depending on whether data is encrypted or unencrypted:

Processing performed client-side (in the user's browser):

  • Aggregating transaction data from exchanges, wallets, and manual uploads
  • Categorising and reconciling transactions
  • Calculating capital gains/losses and income tax positions
  • Generating reports for tax filing
  • Encrypting data using keys derived from the user's secret phrase

Recap's servers store only the resulting ciphertext and cannot decrypt or otherwise process this data without the user's secret phrase.

Processing performed server-side by Recap (including data that is unencrypted while on Recap's systems):

  • Storing and transmitting encrypted portfolio data (ciphertext only)
  • Processing user account data (email addresses, authentication credentials)
  • Processing wallet addresses when syncing blockchain data or performing wallet screening
  • Processing transaction data and portfolio balances retrieved from cryptoasset exchanges and CASPs via Recap's proxy infrastructure (this data passes through Recap's servers before being encrypted client-side)
  • Processing authentication tokens during API connections to third-party exchanges
  • Processing billing and payment information
  • Processing customer support communications (where the user initiates contact)
  • Processing limited portfolio metadata shared with support tools (transaction counts, account counts)
  • Error logging and platform monitoring (technical data, email addresses, and in some cases wallet addresses or transaction data included in error traces)

Purpose of Processing: To enable the Customer (and, where applicable, End Clients) to track cryptoasset portfolios, calculate UK tax liabilities, and generate reports suitable for HMRC submissions.

Duration of Processing: For the term of the Principal Agreement, plus any retention period required by law or as set out in clause 12.

B. Categories of Data Subjects

The Personal Data processed under this Addendum relates to the following categories of Data Subjects:

  • End Clients of the Customer (individuals and representatives of businesses)
  • Prospective clients of the Customer (where the Customer uses the Platform for pre-engagement due diligence such as wallet screening or source of wealth checks)
  • Any other individuals whose personal data is uploaded to the Platform by the Customer or its Authorised Users

Note: Personal data of the Customer's own employees and Authorised Users (such as names, emails, and login credentials) is processed by Recap as Controller under Recap's Privacy Policy, not under this Addendum. See clause 3.4.

C. Categories of Personal Data

The following categories of Personal Data may be processed:

Identifying Information: Name, email address, user account credentials
Cryptoasset Data: Wallet addresses, transaction hashes, transaction history, exchange account identifiers
Financial Data: Cryptoasset holdings, transaction amounts, cost basis information, gain/loss calculations
Technical Data: IP addresses, browser information, device identifiers, usage logs
Communications: Support inquiries, in-app messages, notes added to portfolios

Special Category Data: The processing does not involve special category data (as defined in Article 9 of the UK GDPR) unless inadvertently included by the Customer or an End Client in free-text fields or uploaded documents.

D. Data Flows in the Platform

Advisor-Controlled Portfolio Model:

  1. Customer (Advisor) creates a portfolio for an End Client
  2. Customer invites End Client to access the Platform (optional)
  3. End Client inputs data, or Customer enters data on End Client's behalf
  4. Platform syncs blockchain data and calculates tax positions
  5. Customer's personnel access, reconcile, and review the data
  6. Customer generates reports and files returns on End Client's behalf

Self-Service Portfolio Model:

  1. Individual/business subscribes directly to the Platform
  2. User inputs their own data
  3. User grants access to their accountant/advisor (optional)
  4. Accountant accesses data as authorised representative

Annex II: Technical and Organisational Measures

Recap implements and maintains the following technical and organisational measures to protect Personal Data:

1. Encryption and Zero-Knowledge Architecture

  • All sensitive accounting data is encrypted client-side before transmission to Recap's servers
  • Client-side encryption: portfolio data is encrypted on the user's device before upload
  • Encryption keys are derived from the user's secret phrase, which Recap does not store or have access to
  • Data in transit protected by TLS 1.2 or higher
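The client-side encryption model described in Annex I (Nature of Processing) and in section 1 of this Annex, shown as an added Python illustration. This is not Recap's code and makes no claim about Recap's actual key derivation, cipher or storage format: it derives two keys from the user's secret phrase with scrypt, encrypts-then-MACs with an HMAC-SHA256 counter-mode keystream (standing in for a standard AEAD such as AES-GCM, which the Python standard library does not provide), and shows that whoever holds the stored envelope (the server, a storage subprocessor, a backup) gets only a salt, a nonce, ciphertext and an authentication tag. The function names, the toy portfolio record and the secret phrases are all constructed for this example.

```python
import hashlib
import hmac
import json
import os

# Toy portfolio record constructed for this example; not real user data.
SAMPLE_RECORD = {
    "wallet": "0x0000000000000000000000000000000000000001",
    "txs": [{"hash": "0xabc", "asset": "ETH", "amount": "1.5", "cost_gbp": "2000"}],
}

# scrypt work factors (assumed for illustration; tune for the target device).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(secret_phrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the secret phrase into a 32-byte encryption key and a 32-byte MAC key.
    The salt is public and travels with the ciphertext; the phrase itself never leaves the client."""
    okm = hashlib.scrypt(secret_phrase.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (illustrative stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(secret_phrase: str, record: dict) -> dict:
    """Runs on the user's device: returns the only thing the server ever receives for this record."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(secret_phrase, salt)
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the server stores, so tampering with any field is detected.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def client_decrypt(secret_phrase: str, envelope: dict) -> dict:
    """Runs on the user's device: verifies the tag before touching the ciphertext."""
    salt, nonce = bytes.fromhex(envelope["salt"]), bytes.fromhex(envelope["nonce"])
    ciphertext, tag = bytes.fromhex(envelope["ciphertext"]), bytes.fromhex(envelope["tag"])
    enc_key, mac_key = derive_keys(secret_phrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong secret phrase or tampered envelope")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def decrypts_with(secret_phrase: str, envelope: dict) -> bool:
    """True if the phrase opens the envelope; a wrong phrase or a modified blob returns False."""
    try:
        client_decrypt(secret_phrase, envelope)
        return True
    except ValueError:
        return False


def server_sees_plaintext(envelope: dict, needle: str) -> bool:
    """What a party holding only the stored blob can learn: check whether a field value is visible."""
    return needle.encode("utf-8") in bytes.fromhex(envelope["ciphertext"])


if __name__ == "__main__":
    env = client_encrypt("correct horse battery staple", SAMPLE_RECORD)
    print("server stores:", sorted(env))
    print("wallet visible to server:", server_sees_plaintext(env, SAMPLE_RECORD["wallet"]))
    print("correct phrase opens it:", decrypts_with("correct horse battery staple", env))
    print("wrong phrase opens it:", decrypts_with("wrong phrase", env))
```

The useful boundary to keep in mind is what Annex I already records: data retrieved from exchanges through Recap's proxy, wallet addresses sent to blockchain indexing services, and anything captured in an error trace exist in plaintext on Recap's side before or outside this envelope, so the confidentiality guarantee of the stored blob does not extend to those flows.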

2. Authentication and Access Control

  • Industry-standard authentication via Auth0
  • Multi-factor authentication available
  • Role-based access control (RBAC)
  • Strong password policies enforced
  • Brute force protection and suspicious IP throttling

3. Infrastructure Security

  • Serverless architecture on AWS (UK and US regions) minimising attack surface
  • Web Application Firewall (WAF) protection
  • Network segmentation
  • Regular OWASP penetration testing
  • Continuous security monitoring

4. Patch and Vulnerability Management

  • Regular security patching
  • Automated patch deployment where possible
  • Testing in non-production environments before deployment

5. Anti-Malware

  • Endpoint protection on all systems
  • Network-level malware scanning
  • Automated malware scans

6. Data Minimisation

  • Collection limited to data necessary for service provision
  • Logging limited to essential operational data
  • Logs retained only as long as necessary

7. Physical Security

  • AWS data centres with 24/7 security, biometric access, video surveillance
  • Primary hosting in UK (London) region

8. Personnel Security

  • Regular staff training on data protection
  • Confidentiality obligations for all personnel
  • Access limited to personnel who require it

9. Incident Response and Business Continuity

  • Documented incident response plan, tested annually
  • Defined escalation procedures
  • Regular backups
  • Disaster recovery procedures tested periodically

10. Secure Disposal

  • Secure deletion procedures for all client data
  • Automated and manual verification of deletion
  • Deletion from all systems and third-party services

11. Public Blockchain Data Queries

  • Recap queries public blockchain data via third-party indexing services (such as blockchain explorers and node providers) to retrieve transaction history. Only wallet addresses (public blockchain identifiers) are used in these queries; no identifying information is shared with these services. Wallet addresses are pseudonymous public data and do not constitute Personal Data when processed in isolation.

12. Certifications

  • Recap maintains Cyber Essentials Plus certification, audited annually

13. Use of Artificial Intelligence

  • Recap does not use AI for core tax calculation, portfolio management, or cryptoasset processing services
  • Some Subprocessors (Intercom, Sentry) include AI features for customer support automation and error analysis
  • AI features process only limited data (identifying information, portfolio metadata, technical logs) and do not have access to encrypted portfolio data
  • No AI is used for automated decision-making with legal or significant effects on individuals

Annex III: Subprocessors

Note on Data Sharing: The categories of Personal Data shared with each Subprocessor are limited to the minimum necessary for that Subprocessor to perform its specific function. Due to Recap's zero-knowledge architecture, most Subprocessors receive only encrypted ciphertext (which they cannot decrypt) or limited unencrypted data such as email addresses. Sentry (error tracking) may additionally receive wallet addresses or transaction data where these appear in error traces or are shared by the user for debugging purposes.

Amazon Web Services, Inc.
410 Terry Avenue North, Seattle, WA 98109-5210, USA

Categories of Personal Data: All categories (encrypted): identifying information, cryptoasset data, financial data, technical data
Purpose: Cloud infrastructure and data storage
Location: UK (London), US (Virginia)
Transfer Mechanism: UK Addendum to EU SCCs

Auth0 (Okta)
415 Mission Street, Suite 300, San Francisco, CA 94105, USA

Categories of Personal Data: Identifying information only: name, email, authentication credentials
Purpose: User authentication and authorisation
Location: Germany (Frankfurt)
Transfer Mechanism: EU adequacy (data stored in EU)

Chargebee
340 S Lemon Ave #1537, Walnut, CA 91789, USA

Categories of Personal Data: Identifying and payment information: name, email, billing address, payment details
Purpose: Subscription billing and payment processing
Location: USA (North Virginia)
Transfer Mechanism: UK Addendum to EU SCCs

Intercom
55 2nd Street, 4th Floor, San Francisco, CA 94105, USA

Categories of Personal Data: Identifying information and limited portfolio metadata: name, email, support conversation content, portfolio statistics (transaction counts, connected account counts). Note: Intercom's Fin AI feature may process this data for automated support responses.
Purpose: Customer support and communication
Location: USA
Transfer Mechanism: UK Addendum to EU SCCs

Sentry
1804 Embarcadero Road, Palo Alto, CA 94303, USA

Categories of Personal Data: Technical data, user identifiers, and error context: IP address, browser information, error logs, user email address (for error correlation), and where included in error traces, wallet addresses or transaction data. Note: Sentry's AI features may process this data for error analysis.
Purpose: Application error tracking and monitoring
Location: USA (Iowa)
Transfer Mechanism: UK Addendum to EU SCCs

Postmark (ActiveCampaign)
1 N Dearborn St, 5th Floor, Chicago, IL 60602, USA

Categories of Personal Data: Identifying information only: name, email address
Purpose: Transactional email delivery
Location: USA (Chicago, North Virginia)
Transfer Mechanism: UK Addendum to EU SCCs

Stripe UK
7th Floor, The Bower Warehouse, 211 Old Street, London EC1V 9NR, UK

Categories of Personal Data: Identifying and payment information: name, email, billing address, payment card details
Purpose: Payment processing
Location: UK
Transfer Mechanism: N/A (UK entity)

PayPal
Whittaker House, Whittaker Avenue, Richmond-Upon-Thames, Surrey, TW9 1EH, UK

Categories of Personal Data: Identifying and payment information: name, email, payment details
Purpose: Payment processing
Location: UK
Transfer Mechanism: N/A (UK entity)

PostHog
2261 Market Street #4008, San Francisco, CA 94114, USA

Categories of Personal Data: Technical/behavioural data only: usage analytics, feature interactions
Purpose: Product analytics
Location: EU (Frankfurt)
Transfer Mechanism: EU adequacy (data stored in EU)

This Addendum is effective as of the date of the Principal Agreement or, if later, the date on which the Customer begins using the Platform to process Personal Data on behalf of End Clients.