Register

Legal

Data Processing Addendum

Last Updated: 3 June 2026

This Data Processing Addendum ("DPA") forms part of the legal terms governing the use of the Services provided by Vaultody Ltd. ("Vaultody", "Provider", "we", "our", or "us") and applies only to the extent Vaultody processes personal data on behalf of a Client as a processor under Applicable Data Protection Laws.

This DPA should be read together with the Digital Wallet as a Service (DWaaS) Software as a Service Agreement (Non-Custodial), the Privacy Policy, the Data Security Policy, the Terms & Conditions, and other legal documents published by Vaultody.

Capitalized terms not defined in this DPA have the meanings given to them in the DWaaS Software as a Service Agreement.

1. Purpose and Scope

This DPA applies where and to the extent that:

(a) Client uses the Services to process personal data;

(b) such personal data is processed by Vaultody on behalf of Client; and

(c) Vaultody acts as a processor or sub-processor under Applicable Data Protection Laws.

This DPA does not apply to personal data that Vaultody processes as an independent controller, including personal data processed for account registration, onboarding, subscription management, billing, legal acceptance records, website operation, marketing, security, fraud prevention, legal compliance, business administration, and communications. Such processing is governed by Vaultody's Privacy Policy.

2. Definitions

For purposes of this DPA:

2.1 "Applicable Data Protection Laws"

means all data protection, privacy, and electronic communications laws applicable to the processing of personal data under this DPA, including, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), applicable EU Member State data protection laws, the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable privacy or data protection laws.

2.2 "Client Personal Data"

means personal data processed by Vaultody on behalf of Client in connection with the Services, where Client determines the purposes and means of processing.

2.3 "Controller", "Processor", "Processing", "Personal Data", "Personal Data Breach", and "Data Subject"

have the meanings given to them under Applicable Data Protection Laws.

2.4 "Sub-processor"

means any third party engaged by Vaultody to process Client Personal Data on behalf of Client in connection with the Services.

2.5 "Standard Contractual Clauses" or "SCCs"

means the standard contractual clauses adopted or approved by the European Commission or other competent authority for the lawful transfer of personal data to countries not recognized as providing an adequate level of data protection.

3. Roles of the Parties

For Client Personal Data processed under this DPA:

(a) Client acts as controller and Vaultody acts as processor; or

(b) where Client acts as processor on behalf of a third-party controller, Vaultody acts as sub-processor.

Client is responsible for determining whether it acts as controller or processor in relation to Client Personal Data and for ensuring that it has all necessary rights, consents, notices, legal bases, and authority to provide Client Personal Data to Vaultody for processing through the Services.

4. Details of Processing

The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex 1 of this DPA.

The technical and organizational measures are described in Annex 2 of this DPA and in Vaultody's Data Security Policy.

5. Processing Instructions

Vaultody shall process Client Personal Data only on documented instructions from Client, unless required to do otherwise by Applicable Law.

Client's documented instructions include:

(a) this DPA;

(b) the DWaaS Software as a Service Agreement;

(c) Client's configuration and use of the Services;

(d) instructions submitted through the Services;

(e) support requests and written instructions provided by authorized representatives of Client; and

(f) any other written instructions accepted by Vaultody.

Vaultody may refuse to process instructions that it reasonably believes violate Applicable Law, the DWaaS Software as a Service Agreement, this DPA, security requirements, or the rights of third parties.

If Vaultody is required by Applicable Law to process Client Personal Data other than on Client's instructions, Vaultody will inform Client of that legal requirement before processing, unless legally prohibited from doing so.

6. Client Responsibilities

Client represents and warrants that:

(a) Client has provided all required privacy notices to Data Subjects;

(b) Client has established a valid legal basis for processing Client Personal Data;

(c) Client has obtained all consents required by Applicable Data Protection Laws;

(d) Client's instructions comply with Applicable Data Protection Laws;

(e) Client has the right to provide Client Personal Data to Vaultody for processing;

(f) Client will not use the Services to process prohibited or unlawful personal data;

(g) Client will not provide special categories of personal data unless expressly agreed by Vaultody in writing; and

(h) Client will not provide private keys, seed phrases, recovery phrases, recovery material, Client-controlled signing components, government identification documents, biometric data, payment card numbers, or other highly sensitive data unless expressly requested and agreed by Vaultody in writing.

Client is responsible for the accuracy, quality, legality, and lawfulness of Client Personal Data and the means by which Client acquired such data.

7. Vaultody Responsibilities

Vaultody shall:

(a) process Client Personal Data only in accordance with Client's documented instructions;

(b) ensure that persons authorized to process Client Personal Data are subject to confidentiality obligations;

(c) implement appropriate technical and organizational measures designed to protect Client Personal Data;

(d) assist Client with Data Subject requests where required and reasonably possible;

(e) assist Client with security, breach notification, data protection impact assessment, and supervisory authority consultation obligations where required and reasonably possible;

(f) comply with the sub-processor requirements set out in this DPA;

(g) make available information reasonably necessary to demonstrate compliance with this DPA; and

(h) delete or return Client Personal Data in accordance with this DPA.

8. Confidentiality

Vaultody shall ensure that personnel authorized to process Client Personal Data are subject to confidentiality obligations or appropriate statutory obligations of confidentiality.

Vaultody shall use Client Personal Data only for purposes of providing, maintaining, securing, supporting, improving, and administering the Services, complying with Client's documented instructions, complying with Applicable Law, and performing obligations under the applicable legal documents.

9. Security Measures

Vaultody shall implement and maintain commercially reasonable technical, administrative, organizational, and security measures designed to protect Client Personal Data against unauthorized access, disclosure, alteration, loss, destruction, or misuse.

Such measures may include access controls, authentication mechanisms, encryption technologies where appropriate, logging, monitoring, vulnerability management, incident response procedures, vendor management, and other measures described in Vaultody's Data Security Policy.

Client acknowledges that no system, software, infrastructure, blockchain, network, method of transmission, or security control can be guaranteed to be completely secure.

This DPA does not create any service level agreement, uptime commitment, recovery commitment, recovery point objective, recovery time objective, or service credit obligation.

10. Sub-processors

Client grants Vaultody general written authorization to engage Sub-processors to process Client Personal Data in connection with the Services.

Vaultody shall ensure that each Sub-processor is subject to written contractual obligations that are substantially similar to the data protection obligations imposed on Vaultody under this DPA, to the extent applicable to the nature of the services provided by the Sub-processor.

Vaultody remains responsible for the performance of its Sub-processors' data protection obligations to the extent required by Applicable Data Protection Laws.

Vaultody may engage Sub-processors for services such as cloud hosting, infrastructure, data storage, security, monitoring, logging, analytics, communications, support, billing, payment processing, professional services, and business administration.

Vaultody may make information regarding Sub-processors available upon reasonable request or through a published Sub-processor list.

Vaultody will use commercially reasonable efforts to provide notice of material changes to Sub-processors where required by Applicable Data Protection Laws.

Client may object to a new Sub-processor on reasonable data protection grounds by notifying Vaultody in writing within ten (10) business days after receiving notice. If the Parties cannot resolve the objection in good faith, Vaultody may, where commercially reasonable, offer an alternative solution. If no commercially reasonable alternative is available, the Parties' rights and obligations shall be governed by the DWaaS Software as a Service Agreement and Applicable Law.

11. International Transfers

Client acknowledges that Vaultody and its Sub-processors may process Client Personal Data in countries where Vaultody, its affiliates, personnel, service providers, or Sub-processors operate.

Where Client Personal Data is transferred outside the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that restricts international transfers, Vaultody shall use appropriate transfer mechanisms where required by Applicable Data Protection Laws.

Such mechanisms may include:

(a) an adequacy decision;

(b) Standard Contractual Clauses;

(c) contractual safeguards;

(d) technical and organizational safeguards; or

(e) another lawful transfer mechanism.

Where required, the applicable Standard Contractual Clauses are incorporated by reference into this DPA.

For transfers from the European Economic Area:

(a) Module Two applies where Client is a controller and Vaultody is a processor;

(b) Module Three applies where Client is a processor and Vaultody is a sub-processor;

(c) Annex 1 of this DPA shall serve as Annex I to the Standard Contractual Clauses;

(d) Annex 2 of this DPA shall serve as Annex II to the Standard Contractual Clauses; and

(e) Sub-processor information made available by Vaultody shall serve as Annex III, where required.

In the event of a conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses shall prevail solely with respect to the restricted transfer of personal data.

12. Data Subject Requests

If Vaultody receives a request from a Data Subject relating to Client Personal Data, Vaultody may refer the Data Subject to Client unless Vaultody is legally required to respond directly.

Taking into account the nature of the processing, Vaultody shall provide reasonable assistance to Client, where required by Applicable Data Protection Laws and reasonably possible, to help Client respond to Data Subject requests.

Client is responsible for responding to Data Subject requests relating to Client Personal Data.

Vaultody shall not be required to delete, modify, disclose, restrict, or export Client Personal Data except upon Client's documented instruction or as required by Applicable Law.

13. Assistance with Compliance

Taking into account the nature of the processing and the information available to Vaultody, Vaultody shall provide reasonable assistance to Client, where required by Applicable Data Protection Laws, in relation to:

(a) security obligations;

(b) Personal Data Breach notifications;

(c) data protection impact assessments;

(d) prior consultations with supervisory authorities; and

(e) other obligations required under Applicable Data Protection Laws.

Vaultody may charge reasonable fees for assistance that is outside the ordinary operation of the Services, unless such assistance is required due to Vaultody's breach of this DPA.

14. Personal Data Breach

Vaultody shall notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data.

Where available and appropriate, Vaultody's notification may include:

(a) a description of the nature of the Personal Data Breach;

(b) categories of Client Personal Data affected;

(c) categories of Data Subjects affected;

(d) likely consequences of the Personal Data Breach;

(e) measures taken or proposed to address the Personal Data Breach;

(f) measures recommended to Client; and

(g) contact information for follow-up.

Vaultody may provide such information in phases as it becomes available.

Vaultody's notification of or response to a Personal Data Breach shall not constitute an admission of fault, liability, wrongdoing, or breach.

Client is responsible for determining whether it must notify Data Subjects, supervisory authorities, customers, regulators, or other third parties.

15. Deletion or Return of Client Personal Data

Upon termination or expiration of the Services, or upon Client's written request, Vaultody shall delete or return Client Personal Data in Provider-controlled systems within a reasonable period, unless retention is required or permitted by Applicable Law.

Vaultody may retain Client Personal Data where necessary to:

(a) comply with legal, tax, accounting, audit, or regulatory obligations;

(b) maintain security, fraud prevention, abuse prevention, and incident records;

(c) resolve disputes;

(d) enforce legal rights;

(e) maintain backup or archival copies in accordance with ordinary retention practices; or

(f) protect Vaultody, Clients, users, or third parties.

Vaultody may delete backup, archived, cached, or logged copies in accordance with its ordinary retention and deletion cycles.

This Section does not require Vaultody to delete information that is anonymized, aggregated, de-identified, or no longer personal data.

Vaultody cannot delete, reverse, modify, or remove information recorded on public blockchain networks or third-party systems outside Vaultody's control.

16. Audit and Compliance Information

Vaultody shall make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, legal, and operational restrictions.

Vaultody may satisfy audit obligations by providing security documentation, summaries, questionnaires, third-party reports, certifications, attestations, or other appropriate information, where available.

Client may request an audit only where required by Applicable Data Protection Laws and only where the information made available by Vaultody is insufficient to demonstrate compliance.

Any audit must:

(a) be conducted on reasonable written notice;

(b) occur during normal business hours;

(c) be limited to once per calendar year unless required due to a confirmed Personal Data Breach affecting Client Personal Data;

(d) be conducted by an independent auditor subject to confidentiality obligations;

(e) avoid disruption to Vaultody's business, systems, security, and other customers;

(f) not compromise the confidentiality, security, or availability of Vaultody systems; and

(g) be at Client's expense unless otherwise required by Applicable Law.

Vaultody is not required to disclose information that would compromise security, reveal trade secrets, expose confidential information of other customers, violate legal obligations, or create unreasonable operational risk.

17. Client-Controlled Systems and Security

Client is responsible for securing its own systems, devices, networks, applications, credentials, API keys, access tokens, authentication devices, configurations, workflows, user permissions, Client Applications, and operational environment.

Client is responsible for ensuring that any personal data submitted to or processed through the Services is appropriate, lawful, accurate, and limited to what is necessary.

Vaultody shall not be responsible for Personal Data Breaches, unauthorized access, data loss, or security incidents caused by Client-controlled systems, credentials, devices, integrations, misconfigurations, Client Applications, third-party systems, or Client's failure to comply with the applicable legal documents.

18. Non-Custodial Clarification

Vaultody is a technology-only, non-custodial software-as-a-service provider.

This DPA does not create any custody, possession, control, fiduciary, trustee, escrow, agency, bailment, financial institution, payment service provider, or similar relationship with respect to Digital Assets.

Vaultody does not hold, custody, possess, control, administer, or manage Client Digital Assets.

Vaultody does not store or control Client private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components.

Vaultody does not have the ability to independently access, reconstruct, combine, or use Client signing authority or transfer Client Digital Assets.

19. Prohibited and Restricted Data

Client shall not submit, upload, transmit, or otherwise process through the Services any personal data that is not necessary for the use of the Services.

Unless expressly agreed by Vaultody in writing, Client shall not use the Services to process:

(a) special categories of personal data;

(b) criminal conviction or offense data;

(c) children's personal data;

(d) biometric data;

(e) health data;

(f) government identification documents;

(g) full payment card numbers;

(h) sensitive financial account credentials;

(i) private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components; or

(j) any data requiring heightened legal, regulatory, or security controls not expressly agreed by Vaultody.

Vaultody may suspend, restrict, delete, or reject processing of data that violates this Section, the DWaaS Software as a Service Agreement, Applicable Law, or Vaultody's security requirements.

20. Records and Documentation

Vaultody may maintain records relating to processing activities where required by Applicable Data Protection Laws.

Client is responsible for maintaining its own records of processing activities, privacy notices, legal bases, consents, Data Subject requests, and compliance documentation.

21. Government and Law Enforcement Requests

If Vaultody receives a legally binding request from a public authority, court, law enforcement agency, regulator, or governmental body relating to Client Personal Data, Vaultody may disclose Client Personal Data where required by Applicable Law.

Where legally permitted, Vaultody will use commercially reasonable efforts to notify Client of such request.

Vaultody may challenge or limit requests where legally permissible and commercially reasonable.

22. Term and Termination

This DPA becomes effective when Client accepts the DWaaS Software as a Service Agreement or otherwise uses the Services in a manner that causes Vaultody to process Client Personal Data on behalf of Client.

This DPA remains in effect for as long as Vaultody processes Client Personal Data on behalf of Client.

Termination or expiration of the DWaaS Software as a Service Agreement shall terminate this DPA, except for provisions that by their nature should survive, including confidentiality, deletion, audit, liability, international transfer, and legal compliance provisions.

23. Relationship with Other Legal Documents

In the event of a conflict between this DPA and the DWaaS Software as a Service Agreement, this DPA shall prevail solely with respect to the processing of Client Personal Data by Vaultody as processor or sub-processor.

The DWaaS Software as a Service Agreement shall prevail with respect to commercial terms, fees, subscription obligations, payment, suspension, termination, liability, non-custodial status, intellectual property, service use, and other contractual matters.

The Privacy Policy shall govern personal data processed by Vaultody as controller.

The Data Security Policy shall govern the operational security measures described therein to the extent not inconsistent with this DPA.

The Standard Contractual Clauses shall prevail solely with respect to restricted transfers of personal data to the extent required by Applicable Data Protection Laws.

24. Liability

The liability of each Party under this DPA shall be governed by the DWaaS Software as a Service Agreement.

Nothing in this DPA expands, increases, or modifies the liability limitations, exclusions, disclaimers, or remedies set forth in the DWaaS Software as a Service Agreement, except to the extent such limitation is prohibited by Applicable Law.

25. Contact Information

Questions regarding this DPA may be directed to:

Vaultody Ltd.
Sofia, Studentski grad, Doctor Yordan Yosifov str., 1A
Republic of Bulgaria

Email: [email protected]

 

 

Annex 1 — Details of Processing

A. Subject Matter

The subject matter of processing is Vaultody's provision of non-custodial digital wallet infrastructure software-as-a-service, dashboards, APIs, operational tools, support, security, maintenance, and related services to Client.

B. Duration

The duration of processing is the term of the DWaaS Software as a Service Agreement and any additional period during which Vaultody processes Client Personal Data in accordance with the Agreement, this DPA, the Privacy Policy, retention obligations, or Applicable Law.

C. Nature of Processing

The nature of processing may include collection, receipt, recording, organization, structuring, hosting, storage, access, retrieval, consultation, use, transmission, disclosure, alignment, combination, restriction, deletion, logging, monitoring, troubleshooting, support, security review, and other processing necessary to provide, secure, maintain, support, improve, and administer the Services.

D. Purpose of Processing

The purposes of processing include:

(a) providing the Services;

(b) enabling Client to configure, operate, monitor, and manage wallet infrastructure;

(c) enabling authorized users to access dashboards, APIs, and account functionality;

(d) providing support and troubleshooting;

(e) maintaining operational logs and technical records;

(f) securing the Services;

(g) preventing fraud, abuse, unauthorized access, and security incidents;

(h) maintaining account and system integrity;

(i) complying with Client's documented instructions;

(j) complying with Applicable Law; and

(k) performing obligations under applicable legal documents.

E. Categories of Data Subjects

Client Personal Data may relate to:

(a) Client personnel;

(b) Client administrators;

(c) authorized users;

(d) employees;

(e) contractors;

(f) consultants;

(g) representatives;

(h) support contacts;

(i) business contacts;

(j) customers or end users of Client, where Client chooses to process such data through the Services; and

(k) other individuals whose personal data Client submits to or processes through the Services.

F. Categories of Personal Data

Client Personal Data may include:

(a) names;

(b) business email addresses;

(c) account identifiers;

(d) user IDs;

(e) roles and permissions;

(f) authentication events;

(g) IP addresses;

(h) device and browser information;

(i) API activity;

(j) operational logs;

(k) support communications;

(l) wallet infrastructure metadata;

(m) blockchain addresses, transaction identifiers, and related operational metadata, where such information constitutes personal data under Applicable Data Protection Laws;

(n) workflow and policy configuration metadata;

(o) technical identifiers;

(p) usage information; and

(q) other personal data submitted by Client through the Services.

G. Special Categories of Personal Data

The Services are not intended for processing special categories of personal data.

Client shall not submit special categories of personal data unless expressly agreed by Vaultody in writing.

H. Frequency of Processing

Processing may occur on a continuous basis during Client's use of the Services.

I. Transfers

Client Personal Data may be transferred to or accessed from countries where Vaultody, its personnel, service providers, or Sub-processors operate, subject to the international transfer provisions of this DPA.

 

 

Annex 2 — Technical and Organizational Measures

Vaultody maintains commercially reasonable technical, administrative, organizational, and security measures designed to protect Client Personal Data processed through Provider-controlled systems.

Such measures may include, as appropriate:

1. Access Control

(a) role-based access controls;

(b) access approval processes;

(c) least-privilege access practices;

(d) authentication mechanisms;

(e) access review, modification, suspension, or revocation; and

(f) restrictions on access to Provider-controlled systems based on legitimate business need.

2. Confidentiality Measures

(a) personnel confidentiality obligations;

(b) contractor confidentiality obligations;

(c) internal policies and procedures; and

(d) restrictions on disclosure of Client Confidential Information and Client Personal Data.

3. Encryption and Transmission Security

(a) commercially reasonable measures designed to protect data transmitted to and from the Services;

(b) secure communication protocols where appropriate;

(c) encryption technologies where appropriate; and

(d) access restrictions and network security controls.

4. Logging and Monitoring

(a) authentication logs;

(b) API activity logs;

(c) system event logs;

(d) operational telemetry;

(e) security event monitoring;

(f) error logs; and

(g) investigation and incident response support.

5. Vulnerability Management

(a) vulnerability identification;

(b) risk assessment;

(c) patch management;

(d) remediation prioritization;

(e) security testing where appropriate;

(f) secure development practices; and

(g) remediation tracking.

6. Incident Response

(a) incident identification;

(b) investigation;

(c) containment;

(d) mitigation;

(e) remediation;

(f) communication;

(g) recovery; and

(h) post-incident review where appropriate.

7. Backup and Recovery

(a) backup, redundancy, recovery, or continuity measures where appropriate;

(b) recovery processes for Provider-controlled systems; and

(c) periodic review of selected resilience measures.

This does not create an SLA, uptime guarantee, recovery time guarantee, recovery point guarantee, or service credit obligation.

8. Vendor and Sub-processor Controls

(a) service provider review processes;

(b) contractual safeguards where appropriate;

(c) vendor security considerations;

(d) data protection obligations for Sub-processors; and

(e) monitoring or review of selected provider practices where appropriate.

9. Change Management

(a) review of material system changes;

(b) testing where appropriate;

(c) deployment controls;

(d) monitoring; and

(e) emergency change procedures where necessary to address security, legal, availability, or operational risks.

10. Shared Security Responsibility

Client remains responsible for securing its own Account, users, credentials, authentication devices, API keys, access tokens, devices, systems, networks, Client Applications, integrations, private keys, key shares, recovery material, configurations, workflows, and operational environment.

Vaultody's technical and organizational measures apply to Provider-controlled systems and do not extend to Client-controlled systems, third-party systems, blockchain networks, protocols, smart contracts, bridges, validators, wallets, or Client Applications.

 

 

Annex 3 — Authorized Sub-processor Categories

Client authorizes Vaultody to use Sub-processors in the following categories:

(a) cloud hosting and infrastructure providers;

(b) database and storage providers;

(c) monitoring and logging providers;

(d) security tooling providers;

(e) communication and email providers;

(f) customer support and ticketing providers;

(g) payment processing and billing providers;

(h) analytics providers;

(i) fraud prevention and abuse prevention providers;

(j) professional service providers;

(k) business administration tools; and

(l) other vendors reasonably necessary to provide, secure, support, maintain, improve, or administer the Services.

Vaultody may maintain additional Sub-processor information internally or make it available upon reasonable request, subject to confidentiality, security, and operational limitations.