Ce DPA complète les Conditions d'utilisation de Kryptos pour les clients qui traitent des données personnelles via le Service.
1. Définitions
"Controller", "Processor", "Data Subject", "Personal Data" et "Processing" ont les significations données dans le RGPD.
"Customer Personal Data" désigne les données personnelles que le Client (en qualité de Controller) fournit à Kryptos pour traitement sous les Conditions d'utilisation.
2. Champ et rôles
Ce DPA s'applique quand Kryptos traite des Customer Personal Data pour le compte du Client. Le Client est Controller. Kryptos est Processor.
3. Categories of Personal Data and Data Subjects
The Controller authorizes permission to the Processor to process the Personal Data to the extent of which is determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.
3. Instructions de traitement
Kryptos traite les Customer Personal Data uniquement sur instructions documentées du Client, sauf si le droit UE/EEE ou national l'exige autrement. L'objet, la durée, la nature et la finalité du traitement, les catégories de Personnes concernées et les types de données personnelles sont décrits en Annexe 1 (disponible sur demande).
9. Durée et résiliation
Ce DPA reste en vigueur tant que Kryptos traite des Customer Personal Data. À la fin des Conditions d'utilisation sous-jacentes, Kryptos restitue ou supprime les Customer Personal Data selon instructions du Client, sous réserve de toute obligation légale de conservation.
6. Data Controller's Obligations
The Data Controller shall warrant that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the agreed services. To the extent required by Data Privacy Laws, Data Controller is responsible for ensuring that it provides such Personal Data to Data Processor based on an appropriate legal basis allowing lawful processing activities, including any necessary Data Subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained.
The Data Controller shall provide all natural persons from whom it collects Personal Data with the relevant privacy notice.
7. Data Processor's Obligations
The Processor will follow written and documented instructions received, including email, from the Controller, its affiliate, agents, or personnel, with respect to the Processing of Personal Data. The Processing described in the Agreement and the relating documentation shall be considered as Instruction from the Controller.
At the Data Controller's request, the Data Processor will provide reasonable assistance to the Data Controller in responding to requests by Data Subjects in exercising their rights or of the applicable regulatory authorities regarding Data Processor's Processing of Personal Data.
8. Data Secrecy
To Process the Personal Data, the Processor will use personnel who are informed of the confidential nature of the Personal Data and perform the Services in accordance with the Agreement. The Processor will regularly train individuals having access to Personal Data in data security and data privacy in accordance with accepted industry practice and shall ensure that all the Personal Data is kept strictly confidential.
9. Audit Rights
Upon Controller's reasonable request, the Processor will make available to the Controller information as is reasonably necessary to demonstrate Processor's compliance with its obligations under the EU GDPR or other applicable laws in respect of its Processing of the Personal Data. When the Controller wishes to conduct an audit at Processor's site, it shall provide at least fifteen (15) days' prior written notice. The Controller shall bear the expense of such an audit.
6. Transferts internationaux
En cas de transfert de Customer Personal Data depuis l'EEE, le UK ou la Suisse vers un pays sans décision d'adéquation, les parties s'appuient sur les Clauses Contractuelles Types (Module 2) adoptées par la Commission européenne, incorporées par référence.
4. Sous-traitants ultérieurs
Le Client autorise Kryptos à engager des Sous-traitants. Les sous-traitants actuels sont listés sur notre page sécurité. Kryptos notifiera le Client des nouveaux sous-traitants au moins 14 jours avant engagement.
8. Incidents de sécurité
Kryptos notifie le Client de toute violation de Customer Personal Data sans délai indu après en avoir eu connaissance. La notification contient les informations nécessaires au Client pour remplir ses propres obligations RGPD.
13. Return and Deletion of Personal Data
The Processor shall, at least thirty (30) days from the end of the Agreement or cessation of the Processor's Services under the Agreement, whichever occurs earlier, return to the Controller all the Personal Data, or if the Controller so instructs, the Processor shall have the Personal Data deleted. In any case, the Processor shall delete Personal Data including all the copies of it as soon as reasonably practicable following the end of the Agreement.
5. Sécurité
Kryptos met en œuvre des mesures techniques et organisationnelles appropriées pour protéger les Customer Personal Data, dont chiffrement en transit et au repos, contrôles d'accès, gestion des vulnérabilités et réponse à incident. Certifié SOC 2 Type II ; rapport disponible sous NDA.
7. Droits des personnes concernées
Kryptos assiste le Client pour répondre aux demandes des Personnes concernées exerçant leurs droits, dont accès, rectification, effacement, limitation, portabilité et opposition.
10. Général
Ce DPA est incorporé aux Conditions d'utilisation et en fait partie. En cas de conflit, ce DPA prévaut pour les questions de protection des données. Kryptos peut le mettre à jour ; les changements matériels sont notifiés au moins 30 jours à l'avance.
Schedule 1 — Annex I.A. List of parties
Data exporter(s): Customer (as set forth in the relevant Order Form). Role: Controller.
Data importer(s): Kryptoskatt AB. Address: A2-1101, Frida Hjertbergs Gata 12, Göteborg, Sweden 41281. Contact: Sukesh Kumar Tedla (CEO, sukeshtedla@kryptos.io), Akash Srivastava (CTO, akash.srivastava@kryptos.io), DPO: dpo@kryptos.io. Role: Processor.
Schedule 1 — Annex I.B. Description of transfer
Categories of data subjects: End users/customers of the application.
Categories of personal data: Email address; name (optional); person/user ID (optional).
Sensitive data: None intentionally collected.
Frequency: Continuous.
Nature of processing: SaaS platform and API service for crypto financial data processing, tax compliance, and portfolio management.
Retention: PITR 7 days; daily backups retained 15 days; deletion on user request, subject to backup cycle and legal retention.
Sub-processors: Google Cloud, SendGrid, Mixpanel.
Annex II — Security Management System
Kryptoskatt AB designates qualified security personnel. Management reviews and supports security policies, updated at least annually. Independent third-party risk assessments at least annually. Monthly penetration testing, weekly vulnerability scans, formal patch management. Vendor management program with sub-processor DPAs. Incident response time expectation: less than 5 minutes. SOC 2 Type II certified; ISO/IEC 27001:2022 in process.
Annex II — Personnel Security
Background checks on employees with access to client data, to the extent legally permissible. Confidentiality agreements executed at hire. Privacy and security training. Role-specific certifications where appropriate. Personnel do not process Customer Personal Data without authorization.
Annex II — Access Controls
Formal access management with periodic reviews. OAuth (Google SSO) or email + password authentication; MFA available. Internal data access policies enforce least-privilege and need-to-know. Unique user IDs, strong passwords, monitored access lists. Audit trail of all access changes and system access events.
Annex II — Data Center and Network Security
Primary platform: Google Cloud Platform. Primary region: europe-west3 (Paris); secondary: eu-central1 (Frankfurt). Multi-AZ for resiliency; regular backup restoration testing. RTO < 15 minutes; RPO 1-5 minutes. TLS 1.3 enforced in transit; AES-256-GCM at rest via Google KMS. Centralized logging; weekly vulnerability scans; incident response < 5 minutes. Daily backups, 15-day retention; PITR 7 days.
Annex III — List of Sub-processors
The Controller has authorized:
- Google Cloud Platform — Cloud infrastructure and hosting (database, storage, KMS).
- SendGrid (Twilio) — Transactional email delivery.
- Mixpanel — Product analytics.
The Processor will notify the Controller of any addition or replacement of Sub-processors at least 30 calendar days in advance.
Signature du DPA
Les clients Enterprise peuvent demander un DPA signé à notre DPO.
dpo@kryptos.io