This Data Processing Addendum (“DPA”) shall automatically become an essential part of any contractual arrangement or agreement that is concluded between Crystal and Customer (each a “Party” and together the “Parties”), but only in case processing of personal data is part of or essential to the aforementioned contractual arrangement or agreement. In the event of a conflict between this DPA and any contractual arrangement or agreement that is concluded between Crystal and Customer, this DPA will prevail.
Whereas:
- Crystal is a blockchain analytics company that builds solutions to streamline crypto compliance operations and aid investigations into financial crime. Crystal’s all-in-one blockchain analytics tool provides blockchain analytics and compliance tools to streamline Know Your Transaction (KYT) and Anti-Money Laundering (AML) processes to detect financial crime and streamline operations.
- Crystal, through Crystal Expert or Crystal Public Explorer (as applicable), provides access to personnel of its Customer (by obtaining said persons’ personal data to provide access) to perform checks of crypto wallet addresses (which may include personal data) against data in Crystal’s database (which data may include personal data).
- In order for Crystal to perform the aforementioned services and for Customer to make use of these services, personal data is processed, which is part of or essential to these services; and
- This DPA serves to outline the various flows of personal data between Crystal and Customer and explains the various roles, rights, obligations and more for Crystal and Customer.
1. Definitions
The following definitions apply to this DPA.
– The terms “data processor”, “data controller”, “processing” and “supervisory authority” shall each have the meaning ascribed to it in the GDPR from time to time.
– “Crystal” means Crystal Blockchain B.V., a limited liability company, with registered address at Strawinskylaan 3051, 1077ZX Amsterdam, the Netherlands, Chamber of Commerce registration number 60269618 and all its subsidiaries as defined in article 24a of Book 2 of the Dutch Civil Code.
– “Crystal Expert” or “Crystal Public Explorer” means the Crystal Expert and/or Crystal Public Explorer web application operating on the Internet and accessible for use by means of web browsing software (such as Google Chrome®, Microsoft Internet Explorer®, Microsoft Edge®, Mozilla Firefox® or other compatible software (hereinafter “Browser”)) and, if applicable, the Crystal API.
– “Customer” means the party (other than Crystal) who has executed Crystal’s order form and/or accepted Crystal’s EULA and/or Crystal’s master service agreement and/or schedule(s).
– “Customer Data” means any data that is inputted by Customer in using Crystal Expert or Crystal Public Explorer (as applicable).
– “Cryptocurrency Personal Data” means any personal data that is comprised in Customer Data.
– “Crystal Data” means any data, media, information or other content that is accessible via Crystal Expert or Crystal Public Explorer (as applicable) but excludes any Cryptocurrency Personal Data.
– “Customer Personal Data” means any personally identifiable information of authorized users and other employees, agents and independent contractors of the Customer or clients of the Customer.
– “Data Breach” means (i) loss or theft of Customer Personal Data; or (ii) unauthorized use, disclosure, acquisition of, access to or other unauthorized processing of Customer Personal Data that materially compromises the privacy or confidentiality of Customer Personal Data.
– “Data Protection Legislation” means (i) the EU General Data Protection Regulation 2016/679 (the “GDPR”), together with any applicable implementing legislation, and references to “Articles” or “Chapters” of the GDPR in this DPA shall be construed accordingly; and (ii) to the extent applicable, the data protection or privacy laws of any other country or territory.
– “EULA” means Crystal’s End User License Agreement.
– “Personal Data” includes Cryptocurrency Personal Data, Crystal Data and Customer Personal Data and has the meaning as defined in Art. 4 no. 1 GDPR.
– “Restricted Country” means a country or territory outside the European Economic Area that has not been deemed to provide an adequate level of protection for Personal Data by the European Commission.
– “Restricted Transfer” means (i) a transfer of Personal Data from Customer to Crystal in a Restricted Country; or (ii) an onward transfer of Personal Data from Crystal to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by GDPR without an appropriate safeguard in place.
– “SCC” means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
– “Subject Request” means a written request made in accordance with applicable Data Protection Legislation from a data subject for any of the following:
(i) requesting information concerning the processing of, or copies of, his or her personal data;
(ii) requiring the rectification of any inaccurate or incomplete personal data;
(iii) requiring the erasure of personal data;
(iv) restricting the processing of personal data;
(v) exercising his or her right to obtain and reuse their personal data for their own purposes across different services; or
(vi) objecting to the processing of his or her personal data.
– “Subprocessor” means any third party appointed by or on behalf of Crystal to process Personal Data.
– “Relevant Data Subject” means an identifiable natural person whose personal data is processed.
2. Customer Compliance
Customer warrants and represents (on an ongoing basis) that it has complied, and undertakes that it shall comply, with all applicable Data Protection Legislation in respect of its collection, use, processing, disclosure, protection, retention and/or transfer of Personal Data in connection with the order form executed between the Customer and Crystal, including the provision of all relevant Personal Data to Crystal for processing hereunder.
3. Crystal Compliance
Crystal warrants and represents (on an ongoing basis) that it has complied, and undertakes that it shall comply, with all applicable Data Protection Legislation in respect of its services and operations.
4. Non-Disclosure
Crystal will not retain, use, or disclose Personal Data other than: (i) to provide the services to Customer, (ii) to improve the services generally, or (iii) as otherwise directed by Customer (provided always that such directions are consistent with the order form executed between the Customer and Crystal).
5. Protection
Crystal will implement and maintain reasonable and appropriate technical and organizational security measures with the aim of protecting Personal Data from security incidents in accordance with the measures listed in Appendix 2 (“Security Measures”). Customer acknowledges that the Security Measures are subject to technical progress and development and that Crystal may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the services.
6. Confidentiality
Crystal and its employees shall hold confidential all Personal Data. Crystal shall limit access to Personal Data to its employees that have a need to know the Personal Data as a condition to Crystal’s performance of services for or on behalf of Customer.
7. Safeguards
Except with respect to disclosures anticipated or required by this DPA or by law, prior to providing access to Personal Data to any third-party subcontractor or vendor, Crystal shall take reasonable steps to verify that such third party is capable of maintaining the privacy, confidentiality and security of Personal Data; and contractually require the third party to maintain reasonable safeguards for Personal Data.
8. Data Breach
If Crystal becomes aware of a Data Breach involving Customer Personal Data processed on behalf of Customer, Crystal will (a) notify Customer of the Data Breach without undue delay and, where feasible, not later than twenty-four (24) hours after having become aware of it; and (b) take reasonable steps to identify the cause of such Data Breach, minimize harm, and prevent a recurrence. Customer shall be responsible for providing any required notices under data breach notification laws. Crystal’s notification of or response to a Data Breach shall not be construed as an acknowledgement by Crystal of any fault or liability with respect to the Data Breach.
9. Conflict
In the event of a conflict between these General Data Protection Provisions and the remaining provisions of this DPA, the latter shall prevail.
10. Personal Data
The Parties acknowledge and agree that Crystal is expressly authorized to process the Cryptocurrency Personal Data and the Customer Personal Data, as described below, in connection with the performance of the order form, which is composed of the following categories of personal data, the specified categories of data subject and the description of processing activities.
| Categories of Data | Categories of Data Subject | Description of processing activities |
|---|---|---|
| Cryptocurrency Personal Data: Cryptocurrency addresses and Cryptocurrency transaction information. | Cryptocurrency users, including users of Cryptocurrency exchange services, Cryptocurrency payment processing services, Cryptocurrency wallet services and other Cryptocurrency services. | To process such personal data through Crystal Expert or Crystal Public Explorer and to perform the obligations outlined in the order form. |
| Customer Personal Data: First and last name; title; position; employer; contact information (company, email, phone, physical business address); logged logins and authorization. | Authorized users and other employees, agents and independent contractors of the Customer and/or clients of the Customer. | To process such personal data to provide Customer or a client of Customer with access to Crystal Expert. To manage the relationship between the Parties. |
| Crystal Data: First and last name; inclusion on sanctions lists or enforcement actions. | Persons who have been marked as such by Crystal. | To allow Customers to perform checks on Cryptocurrency Data against Crystal Data. |
11. GDPR roles
With respect to the Parties’ rights and obligations under the Agreement relating to the processing, collection or storage of Customer Personal Data, the Parties acknowledge and agree that in respect of:
– Customer Personal Data, the Customer is a data controller and Crystal is the data processor; and
– Cryptocurrency Personal Data, the Customer is a data controller and Crystal is a data processor; and
– Crystal Data, the Customer is a data processor and Crystal is a data controller.
12. Crystal’s obligations
In respect of the Customer Data, Crystal shall in accordance with Art. 28 (3) GDPR:
– act only on documented instructions from Customer in relation to the processing of Cryptocurrency Personal Data;
– comply with its obligations as a data processor of the Cryptocurrency Personal Data under the GDPR;
– take reasonable steps to ensure the reliability of any Crystal personnel who process Cryptocurrency Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
– implement and maintain, at its cost and expense, the Security Measures;
– prior to engaging any Subprocessor to carry out any processing activities in respect of the Cryptocurrency Personal Data, appoint the Subprocessor under a written contract including terms which offer at least an equivalent level of protection for Cryptocurrency Personal Data as those set out in this Clause 12. For the avoidance of doubt, Crystal confirms that any Subprocessors already engaged by Crystal as at the date of the execution of the order form shall already have a written contract affording at least an equivalent level of protection for Cryptocurrency Personal Data as those set out in this Clause 12. Crystal shall inform the Customer of any intended changes concerning the addition or replacement of its Subprocessors, thereby giving the Customer the opportunity to object to such changes;
– taking into account the nature of the processing and the information available to it, provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Subject Requests. Crystal shall promptly notify the Customer if it receives a Subject Request relating to the Cryptocurrency Personal Data;
– provide reasonable assistance to the Customer, at the Customer’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities taking into account the nature of the processing by, and information available to, Crystal;
– notify Customer of a Data Breach according to Clause 8; and
– subject to any requirement for Crystal to retain Customer Personal Data and Cryptocurrency Personal Data by applicable law, at the Customer’s written request, either delete or return all the Customer Personal Data and Cryptocurrency Personal Data to the Customer within a reasonable time after the expiry or termination of the order form. Crystal shall ensure that its Subprocessors shall also either delete or return such data in its possession;
– make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to data protection audits, including data protection inspections, conducted by the Customer or another auditor mandated by the Customer; and
– immediately inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.
13. Customer’s obligations
In respect of the Crystal Data, Customer shall in accordance with Art. 28 (3) GDPR:
– act only on documented instructions from Crystal in relation to the processing of Crystal Data;
– comply with its obligations as a data processor of the Crystal Data under the GDPR;
– take reasonable steps to ensure the reliability of any Customer personnel who process Crystal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
– implement and maintain, at its cost and expense, the Security Measures;
– prior to engaging any Subprocessor to carry out any processing activities in respect of the Crystal Data, appoint the Subprocessor under a written contract including terms which offer at least an equivalent level of protection for Crystal Data as those set out in this Clause 13. For the avoidance of doubt, Customer confirms that any Subprocessors already engaged by Customer as at the date of the execution of the order form shall already have a written contract affording at least an equivalent level of protection for Crystal Data as those set out in this Clause 13;
– taking into account the nature of the processing and the information available to it, provide Crystal with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Crystal in fulfilling its obligation to respond to Subject Requests. Customer shall promptly notify Crystal if it receives a Subject Request relating to the Crystal Data;
– provide reasonable assistance to Crystal, at Crystal’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities taking into account the nature of the processing by, and information available to, Customer;
– notify Crystal without undue delay, where feasible, not later than twenty-four (24) hours upon Customer becoming aware of a Data Breach affecting any Crystal Data, providing Crystal with sufficient information (insofar as such information is, at such time, within Customer’s possession) to allow Crystal to meet any obligations under the GDPR;
– subject to any requirement for Customer to retain Crystal Data by applicable law, at Crystal’s written request, either delete or return all the Crystal Data to Crystal within a reasonable time after the expiry or termination of the order form. Customer shall ensure that its Subprocessors shall also either delete or return such Crystal Data in its possession; and
– make available to Crystal all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to data protection audits, including data protection inspections, conducted by Crystal or another auditor mandated by Crystal.
14. Data controller compliance
In respect of the Cryptocurrency Personal Data, the Customer warrants and represents on an ongoing basis that it has complied, and undertakes that it shall comply, with its obligations as a data controller of the Cryptocurrency Personal Data under the GDPR (including ensuring Crystal has a valid legal basis(es) for its processing of Cryptocurrency Personal Data).
In respect of the Crystal Data, Crystal warrants and represents on an ongoing basis that it has complied, and undertakes that it shall comply, with its obligations as a data controller of the Crystal Data under the GDPR (including ensuring Customer has a valid legal basis(es) for its processing of Crystal Data).
15. Relevant Data Subject’s rights
As between Crystal and Customer, Customer shall be responsible for complying with any Relevant Data Subject’s exercise of their rights under Data Protection Legislation (including Chapter III of the GDPR) in connection with the processing covered by Clause 13, provided that Crystal shall provide Customer with reasonably necessary and available information and assistance to enable Customer to comply with its obligations under this Clause 15 and its obligations under Data Protection Legislation with respect to any such data subject request.
16. Transparency obligations
Customer undertakes that it shall comply with its own, and shall assist Crystal in discharging Crystal’s, transparency obligations under Data Protection Legislation (including Articles 13/14 of the GDPR), including by:
– informing Relevant Data Subjects of the transfer of Customer Personal Data to Crystal;
– informing Relevant Data Subjects of the nature and consequences of the Parties’ processing activities covered by Clause 15; and
– providing Relevant Data Subjects with a prominent link to Crystal’s privacy policy from time-to-time.
17. Restricted Transfers of Personal Data
Where relevant, e.g. where the Customer is based outside of the EEA, the Parties agree that they shall only perform Restricted Transfers of any Personal Data between them in reliance on an adequacy decision or with an appropriate safeguard in place to ensure the continued treatment of Personal Data in accordance with the GDPR, or otherwise as permitted by Chapter V of the GDPR. In that regard and as applicable, the Parties shall be deemed to have entered into the SCC, under which Customer shall be the “data importer” and Crystal shall be the “data exporter”.
For the purposes of the SCC, the relevant annexes, appendices or tables shall be deemed populated with the relevant information set out in Appendix 1 and Appendix 2. If any provision of this DPA contradicts, directly or indirectly, the SCCs, the SCC shall prevail.
18. General Indemnity
A Party will indemnify, defend and hold the other Party and its officers, directors, employees and agents harmless from and against any and all losses arising from or in connection with any failure by the Party, its employees, consultants or agents to comply with any of its obligations under this DPA or the Data Protection Legislation.
As stated in Art. 82 (2) 2 GDPR, Crystal shall be liable for the damage caused by processing only where it has not complied with obligations of the Data Protection Legislation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Customer.
19. Governing Law
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in Crystal’s EULA, unless required otherwise by Data Protection Legislation or the SCC.
APPENDIX 1
COMPETENT SUPERVISORY AUTHORITY
The supervisory authority for Crystal is:
Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8
2514 EL Den Haag
The Netherlands
LIST OF CRYSTAL BLOCKCHAIN’S SUB-PROCESSORS
| Sub-Processor | Purpose | Location | More Information |
|---|---|---|---|
| Hetzner | Data hosting | Industriestrasse 25, 91710 Gunzenhausen, Germany | https://www.hetzner.com/ |
| Refinitiv | KYC verification | Five Canada Square, Canary Wharf, London E14 5AQ, United Kingdom | https://www.refinitiv.com/en |
| DocuSign | Document processing | 5 Hanover Quay, Grand Canal Dock, Dublin 2, Ireland, D02 VY79 | https://www.docusign.com/ |
| Hubspot | Relation management | HubSpot House, One Sir John Rogerson’s Quay, Dublin 2, Ireland | https://www.hubspot.com |
APPENDIX 2 – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The technical and organizational security measures described herein define the controls implemented by Crystal for the development, acquisition, maintenance and operation of Crystal services supplied in a Software-as-a-Service model. This Appendix 2 also constitutes an Annex under the applicable Standard Contractual Clauses.
A. Quality Assurance and Customer Service Policy
Data importer maintains a rigorous Quality Management System (QMS) that aligns with ISO 9001:2015 standards. This QMS covers all aspects of data importer’s operations, including the development and delivery of forensic software and support services. By adhering to these internationally recognised standards, consistent quality and reliability of its services can be ensured.
B. Contingency and Business Continuity Planning
Data importer has developed robust contingency and business continuity plans that conform to ISO 22301:2012 standards. These plans are designed to minimize disruption and ensure the continuity of its services. Certain key elements are:
- Risk assessment and mitigation: Regular risk assessments to identify potential threats to its operations, such as natural disasters, cyber-attacks, or equipment failure. Based on the identified risks, mitigation strategies are implemented to reduce the likelihood and impact of such events.
- Redundant infrastructure: To ensure uninterrupted service, no redundant infrastructure is maintained across multiple geographic locations. This includes data centres, servers, and network components, which enable a quick switch to backup systems in case of a failure or disruption.
- Data backup and recovery: Comprehensive data backup procedures are implemented to safeguard information. Data is regularly backed up to secure off-site locations, and recovery processes have been established to restore lost or damaged data quickly and efficiently.
- Emergency response and communication: In the event of an incident, a clearly defined emergency response plan is available to manage the situation effectively. This plan includes designated roles and responsibilities for team members, as well as communication protocols to ensure that relevant parties are informed and updated throughout the incident.
- Regular testing and updating: Through continuous review and updating, the contingency and business continuity plans reflect changes in data importer’s operations and the evolving threat landscape. This includes conducting regular tests and simulations to validate the effectiveness of the plans and identify areas for improvement.
- Employee training and awareness: Employees play a critical role in maintaining business continuity. Ongoing training and resources are provided to ensure that all team members understand their roles and responsibilities during an incident and are prepared to respond effectively.
By implementing these comprehensive contingency and business continuity measures, data importer is well-equipped to address potential disruptions and maintain its high level of service.
C. Security, Availability, Integrity, and Confidentiality of Personal Data
Data importer employs state-of-the-art technical and organizational measures to secure personal data:
- Encryption: All personal data is encrypted both at rest and in transit using advanced cryptographic algorithms. Secure key management practices are utilized to ensure the confidentiality of the encryption keys.
- Access Control: Role-based access controls are implemented, ensuring that only authorized personnel can access personal data. Access is granted based on the principle of least privilege, and all accesses are monitored and logged.
- Data Backup and Redundancy: Regular backups of personal data are created and stored in a secure data centre to maintain data availability and integrity. The data is stored in a data centre which is ISO 27001 certified. It is stored on dedicated servers on a separate rack. In this way, the data is logically and physically isolated and kept separate from other data in the data centre.
- Intrusion Detection and Prevention: Data importer’s systems employ advanced intrusion detection and prevention mechanisms to protect against external and internal threats. This includes regular vulnerability assessments and penetration testing.
- Security Training and Awareness: All data importer employees receive comprehensive training on data security and privacy.
- Compliance Documentation: Data importer maintains detailed records of its data processing activities.