- 1. Parties and Purpose
- 2. Definitions
- 3. Subject Matter and Duration
- 4. Controller and Processor Roles
- 5. Security Measures
- 6. Sub-processors
- 7. International Transfers
- 8. Data Subject Rights
- 9. Personal Data Breach
- 10. Audits and Inspections
- 11. Return or Deletion of Data
- 12. Schedule of Processing: Technical Detail
- 13. General Provisions
1. Parties and Purpose
This Data Processing Agreement ("DPA") is concluded between Okanewatch LTD, a private limited company registered in England and Wales under company number 14728041 with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom ("Processor"), and the enterprise customer identified in the main services agreement ("Controller"). Collectively, the parties are referred to as the "Parties".
This DPA sets out the terms on which the Processor will process personal data on behalf of the Controller in connection with the provision of AMLRegister (the "Service"). It supplements and forms an integral part of the main services agreement between the Parties and applies to any processing of personal data within the scope of the UK GDPR, the EU GDPR, or other equivalent privacy legislation.
In the event of any conflict between this DPA and the main services agreement, this DPA shall prevail with respect to the subject matter it covers.
2. Definitions
Unless otherwise defined in this DPA, terms such as "personal data", "processing", "controller", "processor", "data subject", "personal data breach", and "supervisory authority" have the meanings set out in the UK GDPR (United Kingdom General Data Protection Regulation) and the EU GDPR (Regulation (EU) 2016/679). For the avoidance of doubt, references to "GDPR" mean both the UK GDPR and the EU GDPR, as applicable based on the Controller's location and the location of the data subjects.
"Services" means the AMLRegister services provided by the Processor to the Controller under the main services agreement. "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission or issued by the UK Information Commissioner's Office, as applicable. "International Data Transfer Agreement" or "IDTA" means the agreement issued by the UK Information Commissioner's Office.
3. Subject Matter and Duration
Subject matter: processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Services. Duration: for as long as the main services agreement is in force, plus any agreed transition period during which personal data is returned or deleted.
Nature and purpose of processing: to deliver the wallet-check functionality, user account management, support, and related features that the Controller requests as part of the Services. The Processor does not use personal data for its own marketing or profiling purposes.
Types of personal data: technical identifiers (IP address, browser data), usage data (wallet addresses submitted for screening, reports generated), account data (where accounts are used) including email address and hashed password, and any additional data the Controller submits through enterprise interfaces (for example, analyst notes).
Categories of data subjects: the Controller's personnel who use the Service; end users whose data is submitted by the Controller; and any individuals identified in wallet-attribution notes.
4. Controller and Processor Roles
The Controller is responsible for determining the purposes and means of processing, ensuring a valid legal basis for processing, and for providing appropriate information to data subjects as required by the GDPR. The Controller retains all obligations of a controller under the GDPR.
The Processor processes personal data only on documented instructions from the Controller — including those set out in the main services agreement and this DPA — unless required to do otherwise by Union or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Processor will promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law. The Processor is not obliged to carry out an instruction it reasonably believes to be unlawful.
5. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Measures include but are not limited to: encryption of personal data in transit and at rest for sensitive fields; access controls based on the principle of least privilege; multi-factor authentication for privileged access; audit logging; regular testing and evaluation of effectiveness; staff training; and documented business continuity and disaster recovery procedures.
A summary of the current technical and organisational measures is available to the Controller on request. Material changes to the security posture will be communicated to enterprise customers in a timely manner. Enterprise customers may reasonably request additional security information subject to reasonable confidentiality arrangements.
6. Sub-processors
The Controller provides a general authorisation for the Processor to use sub-processors to perform the Services. A list of sub-processors is available to the Controller on request and is updated to reflect changes. Current categories of sub-processor include: hosting and infrastructure, blockchain data providers, email and messaging, analytics, and identity verification vendors.
The Processor shall impose data-protection obligations on each sub-processor that are no less stringent than those set out in this DPA, by way of a written contract. The Processor remains liable to the Controller for the performance of any sub-processor.
The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days before the change takes effect. The Controller has the right to object to a proposed sub-processor on reasonable data-protection grounds; if the Parties cannot resolve the objection in good faith, the Controller may terminate the affected Service.
7. International Transfers
Where the Processor transfers personal data outside the United Kingdom or the European Economic Area to a jurisdiction not covered by an adequacy decision, the Parties enter into the applicable Standard Contractual Clauses or International Data Transfer Agreement, which are incorporated into this DPA by reference.
The Controller authorises the Processor to enter into such transfer mechanisms on its behalf with sub-processors in third countries, provided that the Processor ensures equivalent protection for the personal data.
Supplementary measures, such as encryption, access controls, and limits on government access requests, shall be assessed on a case-by-case basis in light of applicable Schrems II guidance. The Processor keeps transfer impact assessments on file and makes them available to the Controller on request.
8. Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures insofar as possible for the fulfilment of the Controller's obligation to respond to data subjects exercising their rights under Chapter III of the GDPR.
Where a data subject contacts the Processor directly with a request, the Processor will promptly forward the request to the Controller without responding on substance, except to acknowledge receipt.
The Processor may charge a reasonable fee for assistance with data-subject requests where the volume or complexity of the requests is materially outside the ordinary course of business. Any such fee will be agreed in advance.
9. Personal Data Breach
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The notification shall include (a) the nature of the breach, (b) the categories and approximate number of data subjects and records affected, (c) the likely consequences, (d) the measures taken or proposed, and (e) the contact point for further information.
The Processor shall cooperate with the Controller in the investigation, mitigation, and remediation of any personal data breach, and in preparing any required notification to supervisory authorities and affected data subjects.
The Parties recognise that notification of an incident does not admit fault or liability. Any allocation of liability for a breach shall be determined in accordance with the main services agreement and applicable law.
10. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be limited to once per calendar year, except where a material incident has occurred or a regulator requires more frequent review. The Controller shall give at least thirty (30) days' notice and conduct audits during normal business hours in a manner that does not unreasonably interfere with the Processor's operations. The costs of an audit are borne by the Controller unless the audit reveals a material non-compliance.
The Processor may fulfil audit obligations by providing independent third-party attestations (for example, ISO 27001, SOC 2) where relevant, in addition to or in lieu of on-site inspections.
11. Return or Deletion of Data
On termination of the main services agreement, or at any earlier time at the Controller's request, the Processor shall, at the Controller's choice, delete or return all personal data to the Controller and delete existing copies, unless applicable law requires storage of the personal data for a specified period, in which case the Processor will isolate the data and protect it from further processing until deletion becomes permissible.
Standard retention periods for wallet-check records (30 days) apply automatically and are not affected by this clause. The Controller is responsible for exporting any data it wishes to retain beyond the applicable retention period.
The Processor will provide a written confirmation of deletion on request after the termination-related deletion has completed.
12. Schedule of Processing: Technical Detail
This schedule supplements the description of subject matter and duration in Section 3. It sets out the technical details of processing undertaken by the Processor on behalf of the Controller in connection with the Services, and is intended to satisfy the requirements of Article 28(3) GDPR for a documented scope.
Processing operations performed include: collection of personal data submitted by authorised Controller users; storage in encrypted form on infrastructure operated by the Processor's hosting sub-processor; analysis and scoring against internal and third-party attribution datasets; generation of reports; transient caching for performance; backup and disaster-recovery copying; and deletion on expiry of retention periods.
Retention periods applied by the Processor are documented in the Privacy Policy and summarised here: wallet-check records thirty (30) days by default; rate-limit records twenty-four (24) hours; authentication session tokens thirty (30) days; internal audit logs seven (7) years; account data for the life of the account plus retention required for legal compliance. The Controller may request alternative retention periods for specific categories; changes are subject to agreement and to the constraints of applicable law.
Locations of processing: the primary data centre is located in the United Kingdom or the European Economic Area depending on the Controller's region. Disaster recovery replicas are held in a second EEA region. Access by the Processor's staff is restricted to persons located in jurisdictions approved under this DPA. A current list of processing locations is maintained and made available on request.
13. General Provisions
Liability under this DPA is governed by the main services agreement. In the event of any inconsistency, the allocations in the main services agreement control, provided they comply with applicable law.
This DPA shall be governed by the laws of England and Wales, without regard to its conflict-of-laws principles. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, subject to any alternative dispute resolution provisions in the main services agreement.
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The Parties agree to negotiate in good faith a replacement provision that, to the greatest extent possible, achieves the original intent.
Questions about this DPA can be directed to dpo@amlregister.com.
This DPA supersedes any earlier version agreed between the Parties and will prevail over any inconsistent terms in a purchase order, acceptance document, or other ancillary paperwork that has not been specifically negotiated and signed by an authorised representative of both Parties. Modifications or supplemental terms must be in writing and expressly reference this DPA. Notices under this DPA shall be in writing and delivered by email to the DPO contact specified above, with delivery deemed effective on the next business day.
Contact our compliance team at compliance@amlregister.com or our Data Protection Office at dpo@amlregister.com.