This Data Processing Addendum (“DPA”) supplements the Master Subscription Agreement or any other agreement (the “Agreement”) between the Chainalysis entity identified in the Agreement and the Customer identified in the Agreement (each a “Party” and together the “Parties”).
This DPA sets out the terms and conditions under which Chainalysis Processes Personal Data on behalf of the Customer in connection with the Services. The Processing is limited to data that is publicly available, aggregated, or pseudonymized and to minimal technical metadata necessary for Service operation and security.
The Parties acknowledge and agree that, for the purposes of applicable Data Protection Laws, the Customer acts as the Controller and Chainalysis acts as the Processor.
This DPA ensures that such Processing is performed in accordance with Article 28 of the General Data Protection Regulation (“GDPR”) and corresponding provisions of the UK GDPR and other applicable Data Protection Laws.
Capitalized terms not defined herein have the same meaning as in the Agreement.
Chainalysis shall Process Personal Data solely on the documented instructions of the Customer, unless Processing is required by law to which Chainalysis is subject; in such cases, Chainalysis shall inform the Customer of that legal requirement before Processing, unless prohibited by law.
Chainalysis shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Chainalysis shall implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Chainalysis shall assist the Customer, insofar as reasonably possible, in ensuring compliance with the Customer’s obligations relating to security of Processing, data-breach notifications, data-protection impact assessments, and consultations with supervisory authorities.
Upon termination of the Services, Chainalysis shall delete or anonymize all Personal Data and certify such deletion in writing, unless retention is required by law.
Chainalysis maintains a comprehensive information security program that includes administrative, technical, and organizational safeguards appropriate to the risk of Processing. Such measures include, without limitation:
Current security practices can be reviewed in our Trust Center. Chainalysis reviews and updates its TOMs periodically to maintain their effectiveness and appropriateness, provided that such updates do not materially decrease the overall security of Chainalysis Services.
Customer authorizes Chainalysis to engage Subprocessors to support the delivery of the Services, including providers of cloud infrastructure, data hosting, or analytics services.
Chainalysis shall enter into a written agreement with each Subprocessor imposing obligations equivalent to those in this DPA and shall remain fully liable to the Customer for the performance of the Subprocessor’s obligations.
A current list of authorized Subprocessors is available here. Chainalysis shall provide reasonable advance notice of any material changes to Subprocessors and permit the Customer to object on reasonable privacy grounds.
Where the Processing of Personal Data involves a transfer outside the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, to a country not deemed to provide an adequate level of protection under applicable Data Protection Laws, the Parties acknowledge and agree that such transfers shall be conducted in accordance with a lawful transfer mechanism.
Chainalysis Inc. participates in and complies with the Data Privacy Framework (“DPF”), the UK Extension to the DPF, and the Swiss–U.S. Data Privacy Framework, as administered by the U.S. Department of Commerce, for the transfer of Personal Data from the EEA, UK, and Switzerland to the United States. Chainalysis maintains its certification under these frameworks and commits to adhere to the DPF Principles for all Personal Data received from such jurisdictions in reliance on the DPF. Chainalysis will maintain its certification for the term of this DPA and promptly notify the Customer if its certification lapses or is withdrawn.
Where the DPF does not apply or is deemed insufficient to cover a particular transfer or category of Personal Data, the Parties shall rely on the EU Standard Contractual Clauses (SCCs), together with the UK International Data Transfer Addendum and/or the Swiss SCC Modifications, as applicable.
To the extent reasonably possible, and taking into account the nature of the Processing, Chainalysis shall assist the Customer in fulfilling its obligation to respond to requests from Data Subjects under Chapter 3 of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
Upon termination or expiration of the Agreement, Chainalysis shall delete or anonymize all Customer Personal Data unless retention is required under applicable law or in accordance with its standard backup or records retention policies. Where deletion is impossible or impracticable, Chainalysis shall continue to protect the data in accordance with this DPA and limit further Processing to the extent necessary to comply with retention obligations.
Chainalysis maintains third-party certifications and audit reports (SOC 2, SOC 3, or equivalent), which are listed in the Trust Center. Upon written request, Chainalysis shall make available to the Customer a summary copy of the relevant reports and certifications so that the Customer can verify compliance with the applicable audit standards and with this DPA.
If such documentation does not reasonably demonstrate compliance, the Customer may request additional information. The Customer shall bear any reasonable costs associated with its request for additional information or audits.
Chainalysis shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include such information as Chainalysis is reasonably able to provide at the time, including the nature of the breach and measures taken or proposed to address the breach.
Chainalysis shall reasonably cooperate with the Customer and provide such further information as the Customer may require to comply with its legal obligations under applicable Data Protection Laws in connection with the Personal Data Breach. Such cooperation shall be limited to information and actions within Chainalysis’s control and shall not require Chainalysis to (a) disclose any confidential, proprietary, or security-sensitive information, (b) take any action that would compromise the security or integrity of its systems or those of its other customers, or (c) incur costs or efforts beyond what is reasonably necessary to comply with its own legal obligations.
The liability of each Party under this DPA shall be subject to, and limited in accordance with, the limitations and exclusions of liability set forth in the Agreement.
Each Party’s and its Affiliates’ total aggregate liability arising out of or in connection with this DPA (including all data processing addenda entered into between either Party and any of its Affiliates), whether in contract, tort (including negligence), or under any other theory of liability, shall not exceed the limitations of liability applicable to that Party under the Agreement.
For the avoidance of doubt, any reference to a Party’s liability in the “Limitation of Liability” section of the Agreement shall be deemed to include the aggregate liability of that Party and all of its Affiliates under both the Agreement and all associated DPAs. References to “this DPA” shall include its Appendices and any incorporated terms.
This DPA shall be governed by and construed in accordance with the laws governing the Agreement. Any dispute arising from or relating to this DPA shall be subject to the exclusive jurisdiction set forth therein.