Dieser Auftragsverarbeitungsvertrag ("AVV") ergänzt die Kryptos-Nutzungsbedingungen für Kunden, die personenbezogene Daten über den Dienst verarbeiten.
1. Definitionen
"Controller", "Processor", "Data Subject", "Personal Data" und "Processing" haben die in der DSGVO genannten Bedeutungen.
"Customer Personal Data" bedeutet personenbezogene Daten, die der Kunde (als Controller) Kryptos zur Verarbeitung unter den Nutzungsbedingungen bereitstellt.
2. Geltungsbereich und Rollen
Dieser AVV gilt, wenn Kryptos Customer Personal Data im Auftrag des Kunden verarbeitet. Der Kunde ist Controller. Kryptos ist Processor.
3. Categories of Personal Data and Data Subjects
The Controller authorizes permission to the Processor to process the Personal Data to the extent of which is determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.
3. Verarbeitungsanweisungen
Kryptos verarbeitet Customer Personal Data nur auf dokumentierte Anweisungen des Kunden, sofern nicht durch EU/EWR- oder Mitgliedstaatsrecht erforderlich. Gegenstand, Dauer, Art und Zweck der Verarbeitung, die Kategorien der Betroffenen und Arten der personenbezogenen Daten werden in Anhang 1 (auf Anfrage verfügbar) beschrieben.
9. Dauer und Beendigung
Dieser AVV bleibt in Kraft, solange Kryptos Customer Personal Data verarbeitet. Bei Beendigung der zugrundeliegenden Nutzungsbedingungen gibt Kryptos Customer Personal Data nach Anweisung des Kunden zurück oder löscht sie, vorbehaltlich gesetzlicher Aufbewahrungspflichten.
6. Data Controller's Obligations
The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services. To the extent required by Data Privacy Laws, Data Controller is responsible for ensuring that it provides such Personal Data to Data Processor based on an appropriate legal basis allowing lawful processing activities, including any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained.
The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.
7. Data Processor's Obligations
The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.
At the Data Controller's request, the Data Processor will provide reasonable assistance to the Data Controller in responding to requests by Data Subjects in exercising their rights or of the applicable regulatory authorities regarding Data Processor's Processing of Personal Data.
8. Data Secrecy
To Process the Personal Data, the Processor will use personnel who are informed of the confidential nature of the Personal Data and perform the Services in accordance with the Agreement. The Processor will regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all the Personal Data is kept strictly confidential.
9. Audit Rights
Upon Controller's reasonable request, the Processor will make available to the Controller information as is reasonably necessary to demonstrate Processor's compliance with its obligations under the EU GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct an audit at Processor's site, it shall provide at least fifteen (15) days' prior written notice. The Controller shall bear the expense of such an audit.
6. Internationale Übermittlungen
Bei Übermittlung von Customer Personal Data aus dem EWR, UK oder der Schweiz in ein Land ohne Angemessenheitsentscheidung stützen sich die Parteien auf Standardvertragsklauseln (Modul 2) der Europäischen Kommission, durch Verweis in diesen AVV einbezogen.
4. Sub-Auftragsverarbeiter
Der Kunde ermächtigt Kryptos, Sub-Auftragsverarbeiter zu beauftragen. Aktuelle Sub-Auftragsverarbeiter sind auf unserer Sicherheitsübersicht aufgelistet. Kryptos informiert den Kunden über neue Sub-Auftragsverarbeiter mindestens 14 Tage vor Beauftragung.
8. Sicherheitsvorfälle
Kryptos benachrichtigt den Kunden über jede Personal Data Breach betreffend Customer Personal Data unverzüglich nach Kenntnisnahme. Die Benachrichtigung enthält die Informationen, die der Kunde zur Erfüllung seiner DSGVO-Meldepflichten benötigt.
13. Return and Deletion of Personal Data
The Processor shall, at least thirty (30) days from the end of the Agreement or cessation of the Processor's Services under the Agreement, whichever occurs earlier, return to the Controller all the Personal Data, or if the Controller so instructs, the Processor shall have the Personal Data deleted. In any case, the Processor shall delete Personal Data including all the copies of it as soon as reasonably practicable following the end of the Agreement.
5. Sicherheit
Kryptos implementiert geeignete technische und organisatorische Maßnahmen zum Schutz von Customer Personal Data, einschließlich Verschlüsselung im Transit und im Ruhezustand, Zugriffskontrollen, Schwachstellenmanagement und Vorfallsreaktion. Kryptos ist SOC 2 Type II zertifiziert; der Auditbericht ist unter NDA verfügbar.
7. Rechte der Betroffenen
Kryptos unterstützt den Kunden bei der Beantwortung von Anfragen Betroffener zur Ausübung ihrer Rechte, einschließlich Auskunft, Berichtigung, Löschung, Einschränkung, Portabilität und Widerspruch.
10. Allgemein
Dieser AVV ist in die Nutzungsbedingungen einbezogen und Teil davon. Bei Konflikt zwischen AVV und Bedingungen geht dieser AVV bei Datenschutzfragen vor. Kryptos kann diesen AVV von Zeit zu Zeit aktualisieren; wesentliche Änderungen werden mindestens 30 Tage im Voraus mitgeteilt.
Schedule 1 — Annex I.A. List of parties
Data exporter(s): Customer (as set forth in the relevant Order Form). Role: Controller.
Data importer(s): Kryptoskatt AB. Address: A2-1101, Frida Hjertbergs Gata 12, Göteborg, Sweden 41281. Contact: Sukesh Kumar Tedla (CEO, sukeshtedla@kryptos.io), Akash Srivastava (CTO, akash.srivastava@kryptos.io), DPO: dpo@kryptos.io. Role: Processor.
Schedule 1 — Annex I.B. Description of transfer
Categories of data subjects: End users/customers of the application.
Categories of personal data: Email address; name (optional); person/user ID (optional).
Sensitive data: None intentionally collected.
Frequency: Continuous.
Nature of processing: SaaS platform and API service for crypto financial data processing, tax compliance, and portfolio management.
Retention: PITR 7 days; daily backups retained 15 days; deletion on user request, subject to backup cycle and legal retention.
Sub-processors: Google Cloud, SendGrid, Mixpanel.
Annex II — Security Management System
Kryptoskatt AB designates qualified security personnel. Management reviews and supports security policies, updated at least annually. Independent third-party risk assessments at least annually. Monthly penetration testing, weekly vulnerability scans, formal patch management. Vendor management program with sub-processor DPAs. Incident response time expectation: less than 5 minutes. SOC 2 Type II certified; ISO/IEC 27001:2022 in process.
Annex II — Personnel Security
Background checks on employees with access to client data, to the extent legally permissible. Confidentiality agreements executed at hire. Privacy and security training. Role-specific certifications where appropriate. Personnel do not process Customer Personal Data without authorization.
Annex II — Access Controls
Formal access management with periodic reviews. OAuth (Google SSO) or email + password authentication; MFA available. Internal data access policies enforce least-privilege and need-to-know. Unique user IDs, strong passwords, monitored access lists. Audit trail of all access changes and system access events.
Annex II — Data Center and Network Security
Primary platform: Google Cloud Platform. Primary region: europe-west3 (Paris); secondary: eu-central1 (Frankfurt). Multi-AZ for resiliency; regular backup restoration testing. RTO < 15 minutes; RPO 1-5 minutes. TLS 1.3 enforced in transit; AES-256-GCM at rest via Google KMS. Centralized logging; weekly vulnerability scans; incident response < 5 minutes. Daily backups, 15-day retention; PITR 7 days.
Annex III — List of Sub-processors
The Controller has authorized:
- Google Cloud Platform — Cloud infrastructure and hosting (database, storage, KMS).
- SendGrid (Twilio) — Transactional email delivery.
- Mixpanel — Product analytics.
The Processor will notify the Controller of any addition or replacement of Sub-processors at least 30 calendar days in advance.
AVV-Unterzeichnung
Enterprise-Kunden können einen unterzeichneten AVV von unserem Datenschutzbeauftragten anfordern.
dpo@kryptos.io