Data Processing Addendum
Last updated: May 2026 · Version 2.0
Scope notice. This DPA applies only when a business customer ("Controller") is onboarded to the live Twinfin payments platform under a separately executed Order Form or B2B subscription. It does not apply to use of the twinfin.tech marketing website, the waitlist, the contact form, or scheduled calls — those interactions are governed solely by our Privacy Policy.
This Data Processing Addendum ("DPA") forms part of the agreement between the Controller and Twinfin Ltd. ("TWINFIN™", "Processor") and applies to Twinfin's processing of Personal Data on behalf of the Controller as part of the live platform engagement. It incorporates Article 28 of the GDPR (Regulation (EU) 2016/679) and, where applicable to payment-related processing, PSD2 (Directive (EU) 2015/2366) and the EU Standard Contractual Clauses.
1. Definitions
Terms used in this DPA have the meanings given to them in the GDPR, including "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", and "Supervisory Authority".
2. Subject-matter, nature, and duration
Subject-matter: processing necessary for Twinfin to provide the platform services agreed in the Order Form.
Nature and purpose: operation, monitoring, support, security, and compliance obligations of a payment and crypto settlement platform built to operate under MiCA CASP and EMI authorisations once granted.
Duration: the term of the Order Form, plus legally required retention periods.
3. Categories of data & data subjects
| Category | Examples |
|---|---|
| Identity | Name, DOB, nationality, ID document |
| Contact | Email, phone, address |
| Financial | IBAN, wallet addresses, transactions |
| KYC / KYB | UBO, source of funds, corporate registry extracts |
| Technical | IP, device, logs, API usage |
Data subjects: Controller's end customers and end users, Controller's authorised representatives, employees, and contractors.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure confidentiality obligations on persons authorised to process data.
- Implement appropriate technical and organisational security measures (see Annex).
- Assist the Controller in responding to data subject requests and regulatory inquiries.
- Notify the Controller of a Personal Data Breach without undue delay, and within 72 hours where feasible.
- On termination, delete or return all Personal Data, except where storage is required by law.
5. Sub-processors
Controller grants a general authorisation for Twinfin to engage Sub-processors subject to the list below and to the same level of data-protection obligations. Twinfin maintains a current list and will notify Controller of planned changes, giving 30 days to object.
5.1 Sub-processors engaged for the marketing website today (in scope of the Privacy Policy, not this DPA): Vercel (hosting), Cloudflare (DNS), Plausible (analytics), Formspree (forms), Calendly (scheduling), Google Workspace (mail/calendar). Listed for transparency only — these processors do not handle Controller end-user data and are not Sub-processors under this DPA unless and until they are used for live platform processing.
5.2 Sub-processors that will be engaged for the live platform (from Controller onboarding):
| Sub-processor | Purpose | Location · Transfer basis |
|---|---|---|
| Vercel Inc. | Application hosting, edge logs | USA · EU SCCs + DPF |
| Cloudflare, Inc. | DNS, edge security | USA · EU SCCs + DPF |
| Sumsub | KYC / KYB / document verification | EU |
| Chainalysis | Blockchain analytics, Travel Rule | USA · EU SCCs + DPF |
| Google Workspace | Operational mail / calendar / docs | USA · EU SCCs + DPF |
| Regulated EMI partner | Interim fiat settlement until Twinfin's own EMI authorisation is granted (named to Controller in the Order Form prior to processing) | EU/EEA |
Additional sub-processors engaged for transactional email, secrets management, observability and pen-testing will be listed in the active Sub-processor register accompanying the Order Form. The Sub-processor list is updated and Controllers notified of changes per §5 above.
6. International transfers
Where transfers outside the EEA are required, Twinfin relies on an EU adequacy decision (including the EU-US Data Privacy Framework where the recipient is certified) or executes the EU Standard Contractual Clauses (Controller-to-Processor or Processor-to-Sub-processor modules, as appropriate) with supplementary measures assessed via a Transfer Impact Assessment.
7. Security — technical & organisational measures (Annex)
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control, least-privilege, periodic access reviews.
- MFA for administrative access; hardware-backed keys where practical.
- Centralised logging and alerting; SIEM at platform launch.
- Isolation between environments; reproducible infrastructure.
- Vulnerability scanning and third-party penetration testing scheduled prior to platform launch and recurring thereafter.
- Secure SDLC, code review, and dependency scanning.
- Documented incident-response plan with regulator-notification paths.
- Staff training on GDPR, AML, and secure coding.
8. Audit rights
Upon reasonable prior notice, and not more than once per year (except following a Personal Data Breach or regulatory request), Controller may audit Twinfin's compliance with this DPA. Audits are performed under confidentiality, during business hours, and without disrupting operations. Twinfin may satisfy audit requests by providing SOC 2 Type II or equivalent reports once issued.
9. Execution and scope
This DPA is deemed executed upon (a) the Controller's signature of an Order Form that references this DPA, or (b) the Controller's acceptance of a B2B onboarding flow that incorporates this DPA by reference, in each case where the Controller is a business engaging Twinfin to process Personal Data of its end users on the live platform. This DPA does not apply to consumer/retail use of the website or waitlist, and is not auto-attached to general use of the marketing site.
10. Contact
Data Protection Officer: dpo@twinfin.tech (Sergey Semeniuk). Privacy inquiries: privacy@twinfin.tech.
© 2026 Twinfin Ltd. All rights reserved.