Data Processing Addendum
Last updated: April 2026 · Version 1.0
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Twinfin Ltd. ("TWINFIN™", "Processor") and applies to the processing of Personal Data by Twinfin on behalf of the Controller. It incorporates Article 28 of the GDPR (Regulation (EU) 2016/679) and, where applicable to payment-related processing, PSD2 (Directive (EU) 2015/2366) and the EU Standard Contractual Clauses.
1. Definitions
Terms used in this DPA have the meanings given to them in the GDPR, including "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Supervisory Authority".
2. Subject-matter, nature, and duration
Subject-matter: processing necessary for Twinfin to provide the services agreed in the main contract.
Nature and purpose: operation, monitoring, support, security, and compliance obligations of an EU-regulated payment and crypto settlement platform.
Duration: the term of the main contract, plus legally required retention periods.
3. Categories of data & data subjects
| Category | Examples |
|---|---|
| Identity | Name, DOB, nationality, ID document |
| Contact | Email, phone, address |
| Financial | IBAN, wallet addresses, transactions |
| KYC / KYB | UBO, source of funds, corporate registry extracts |
| Technical | IP, device, logs, API usage |
Data subjects: Controller's end customers and end users, Controller's authorised representatives, employees, and contractors.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure confidentiality obligations on persons authorised to process data.
- Implement appropriate technical and organisational security measures (see Annex).
- Assist the Controller in responding to data subject requests and regulatory inquiries.
- Notify the Controller of a Personal Data Breach without undue delay, and within 72 hours where feasible.
- On termination, delete or return all Personal Data, except where storage is required by law.
5. Sub-processors
Controller grants a general authorisation for Twinfin to engage Sub-processors subject to the list below and the same level of data protection obligations. Twinfin will maintain a current list and will notify Controller of planned changes, giving 30 days to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS (eu-central-1, eu-west-1) | Cloud infrastructure | EU |
| Sumsub | KYC / document verification | EU |
| Chainalysis | Blockchain analytics, travel rule | USA (SCCs + supplementary measures) |
| Twilio SendGrid | Transactional email | EU |
| PostHog Cloud EU | Product analytics (pseudonymised) | EU |
| Regulated EMI partner (to be named upon engagement; controllers will be notified prior to processing) | Fiat settlement (interim) | EU |
6. International transfers
Where transfers outside the EEA are required (e.g. certain analytics or blockchain services), Twinfin relies on an EU adequacy decision or executes the EU Standard Contractual Clauses (Controller-to-Processor or Processor-to-Sub-processor modules, as appropriate) with supplementary measures assessed via a Transfer Impact Assessment.
7. Security — technical & organisational measures (Annex)
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control, least-privilege, quarterly access reviews.
- MFA for administrative access; hardware-backed keys where practical.
- Centralised logging, SIEM, and 24/7 alerting.
- Isolation between environments; reproducible infrastructure.
- Regular vulnerability scanning and third-party penetration testing.
- Secure SDLC, code review, and dependency scanning.
- Documented incident response plan with regulator notification paths.
- Staff training on GDPR, AML, and secure coding.
8. Audit rights
Upon reasonable prior notice, and not more than once per year (except following a Personal Data Breach or regulatory request), Controller may audit Twinfin's compliance with this DPA. Audits are performed under confidentiality, during business hours, and without disrupting operations. Twinfin may satisfy audit requests by providing SOC 2 Type II or equivalent reports once issued.
9. Execution
This DPA is deemed executed upon the Controller's acceptance of Twinfin's main Terms of Service or a separate order form that references this DPA, without need for a separate signature.
10. Contact
Data Protection Officer: dpo@twinfin.tech. Privacy inquiries: privacy@twinfin.tech.
© 2026 Twinfin Ltd. All rights reserved.