Este DPA complementa los Términos de servicio para clientes que tratan datos personales vía el Servicio.
1. Definiciones
"Controller", "Processor", "Data Subject", "Personal Data" y "Processing" tienen el significado del GDPR.
"Customer Personal Data" significa los datos personales que el Cliente (como Controller) entrega a Kryptos para tratamiento bajo los Términos.
2. Alcance y roles
Este DPA aplica cuando Kryptos trata Customer Personal Data por cuenta del Cliente. El Cliente es Controller. Kryptos es Processor.
3. Categories of Personal Data and Data Subjects
The Controller authorizes permission to the Processor to process the Personal Data to the extent of which is determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.
3. Instrucciones de tratamiento
Kryptos trata Customer Personal Data solo bajo instrucciones documentadas del Cliente, salvo cuando la ley UE/EEE o de Estado miembro exija otra cosa. El objeto, duración, naturaleza y finalidad del tratamiento, las categorías de Interesados y tipos de datos se describen en el Anexo 1 (disponible a petición).
9. Duración y terminación
Este DPA está vigente mientras Kryptos trate Customer Personal Data. Al terminar los Términos subyacentes, Kryptos devuelve o elimina los Customer Personal Data según instrucciones del Cliente, sujeto a obligaciones legales de retención.
6. Data Controller's Obligations
The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services. To the extent required by Data Privacy Laws, Data Controller is responsible for ensuring that it provides such Personal Data to Data Processor based on an appropriate legal basis allowing lawful processing activities, including any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained.
The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.
7. Data Processor's Obligations
The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.
At the Data Controller's request, the Data Processor will provide reasonable assistance to the Data Controller in responding to requests by Data Subjects in exercising their rights or of the applicable regulatory authorities regarding Data Processor's Processing of Personal Data.
8. Data Secrecy
To Process the Personal Data, the Processor will use personnel who are informed of the confidential nature of the Personal Data and perform the Services in accordance with the Agreement. The Processor will regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all the Personal Data is kept strictly confidential.
9. Audit Rights
Upon Controller's reasonable request, the Processor will make available to the Controller information as is reasonably necessary to demonstrate Processor's compliance with its obligations under the EU GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct an audit at Processor's site, it shall provide at least fifteen (15) days' prior written notice. The Controller shall bear the expense of such an audit.
6. Transferencias internacionales
Cuando Customer Personal Data se transfiere desde el EEE, UK o Suiza a un país sin decisión de adecuación, las partes se apoyan en Cláusulas Contractuales Tipo (Módulo 2) de la Comisión Europea, incorporadas por referencia.
4. Sub-procesadores
El Cliente autoriza a Kryptos a contratar sub-procesadores. Los actuales se listan en nuestra página de seguridad. Kryptos notificará al Cliente de nuevos sub-procesadores al menos 14 días antes de contratarlos.
8. Incidentes de seguridad
Kryptos notifica al Cliente sobre cualquier brecha que afecte a Customer Personal Data sin demora indebida tras tener conocimiento. La notificación contiene la información necesaria para que el Cliente cumpla sus propias obligaciones GDPR.
13. Return and Deletion of Personal Data
The Processor shall, at least thirty (30) days from the end of the Agreement or cessation of the Processor's Services under the Agreement, whichever occurs earlier, return to the Controller all the Personal Data, or if the Controller so instructs, the Processor shall have the Personal Data deleted. In any case, the Processor shall delete Personal Data including all the copies of it as soon as reasonably practicable following the end of the Agreement.
5. Seguridad
Kryptos implementa medidas técnicas y organizativas apropiadas para proteger Customer Personal Data, incluyendo cifrado en tránsito y en reposo, controles de acceso, gestión de vulnerabilidades y respuesta a incidentes. Certificado SOC 2 Type II; informe disponible bajo NDA.
7. Derechos de los interesados
Kryptos asiste al Cliente para responder a solicitudes de Interesados ejerciendo sus derechos, incluido acceso, rectificación, supresión, limitación, portabilidad y oposición.
10. General
Este DPA se incorpora a los Términos y forma parte de ellos. En caso de conflicto, este DPA prevalece para protección de datos. Kryptos puede actualizarlo; los cambios materiales se notifican al menos 30 días antes.
Schedule 1 — Annex I.A. List of parties
Data exporter(s): Customer (as set forth in the relevant Order Form). Role: Controller.
Data importer(s): Kryptoskatt AB. Address: A2-1101, Frida Hjertbergs Gata 12, Göteborg, Sweden 41281. Contact: Sukesh Kumar Tedla (CEO, sukeshtedla@kryptos.io), Akash Srivastava (CTO, akash.srivastava@kryptos.io), DPO: dpo@kryptos.io. Role: Processor.
Schedule 1 — Annex I.B. Description of transfer
Categories of data subjects: End users/customers of the application.
Categories of personal data: Email address; name (optional); person/user ID (optional).
Sensitive data: None intentionally collected.
Frequency: Continuous.
Nature of processing: SaaS platform and API service for crypto financial data processing, tax compliance, and portfolio management.
Retention: PITR 7 days; daily backups retained 15 days; deletion on user request, subject to backup cycle and legal retention.
Sub-processors: Google Cloud, SendGrid, Mixpanel.
Annex II — Security Management System
Kryptoskatt AB designates qualified security personnel. Management reviews and supports security policies, updated at least annually. Independent third-party risk assessments at least annually. Monthly penetration testing, weekly vulnerability scans, formal patch management. Vendor management program with sub-processor DPAs. Incident response time expectation: less than 5 minutes. SOC 2 Type II certified; ISO/IEC 27001:2022 in process.
Annex II — Personnel Security
Background checks on employees with access to client data, to the extent legally permissible. Confidentiality agreements executed at hire. Privacy and security training. Role-specific certifications where appropriate. Personnel do not process Customer Personal Data without authorization.
Annex II — Access Controls
Formal access management with periodic reviews. OAuth (Google SSO) or email + password authentication; MFA available. Internal data access policies enforce least-privilege and need-to-know. Unique user IDs, strong passwords, monitored access lists. Audit trail of all access changes and system access events.
Annex II — Data Center and Network Security
Primary platform: Google Cloud Platform. Primary region: europe-west3 (Paris); secondary: eu-central1 (Frankfurt). Multi-AZ for resiliency; regular backup restoration testing. RTO < 15 minutes; RPO 1-5 minutes. TLS 1.3 enforced in transit; AES-256-GCM at rest via Google KMS. Centralized logging; weekly vulnerability scans; incident response < 5 minutes. Daily backups, 15-day retention; PITR 7 days.
Annex III — List of Sub-processors
The Controller has authorized:
- Google Cloud Platform — Cloud infrastructure and hosting (database, storage, KMS).
- SendGrid (Twilio) — Transactional email delivery.
- Mixpanel — Product analytics.
The Processor will notify the Controller of any addition or replacement of Sub-processors at least 30 calendar days in advance.
Firma del DPA
Los clientes Enterprise pueden solicitar un DPA firmado a nuestro DPO.
dpo@kryptos.io