1. Definitions
Capitalized terms not defined here have the meanings given in the EU General Data Protection Regulation 2016/679 (“GDPR”) or in the BchainPay Terms of Service.
2. Roles & subject matter
The Controller determines the purposes and means of processing personal data submitted to the Services. BchainPay processes such personal data only on the Controller's documented instructions (which include the Terms of Service, the documentation, and the Controller's configuration of the Services).
3. Categories of data & data subjects
- Categories of data subjects: the Controller's end-customers, employees, beneficial owners and authorized users.
- Categories of personal data: identifiers (email, name, IP), wallet addresses, payment metadata (amounts, memos), KYC documents (when production access is enabled), authentication and audit records.
4. Sub-processors
BchainPay engages the following sub-processors to deliver the Services. The Controller authorizes their use.
- Vercel Inc. (USA) — application hosting and edge delivery;
- Supabase, Inc. (USA, EU regions available) — managed Postgres database;
- Cloudflare, Inc. (USA) — DNS, WAF and DDoS protection;
- Resend, Inc. (USA) — transactional email delivery;
- Sentry / observability provider — error monitoring and performance traces (PII redacted);
- Persona / Sumsub (when KYC is enabled) — identity verification and sanctions screening.
We will give the Controller at least 30 days' advance notice before adding or replacing a sub-processor. Notice is given by email and on this page. The Controller may object on reasonable data-protection grounds; if we cannot accommodate the objection, the Controller may terminate the affected Services.
5. Security measures
BchainPay implements appropriate technical and organizational measures (Article 32 GDPR), including:
- TLS 1.2+ in transit; AES-256 at rest;
- Hardware-backed key custody for signing keys;
- HMAC-SHA256 signed webhooks with replay-resistant timestamps;
- Role-based access control with audit logging of every privileged action;
- Least-privilege production access; mandatory MFA for staff;
- Annual independent penetration testing;
- Documented incident-response and business-continuity procedures.
6. International transfers
Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, incorporated by reference.
7. Assistance & data-subject requests
BchainPay will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling its obligation to respond to data-subject requests and to comply with Articles 32–36 GDPR.
8. Personal-data breach notification
BchainPay will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a personal-data breach affecting Controller data, providing the information reasonably required for the Controller to meet its own notification obligations.
9. Audits
BchainPay will make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller — subject to reasonable confidentiality and security restrictions.
10. Return or deletion
Upon termination of the Services, BchainPay will, at the Controller's choice, delete or return all personal data processed on its behalf, unless retention is required by law (for example, AML record-keeping).
11. Order of precedence
In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.
12. Contact
Data-protection enquiries: privacy@bchainpay.com.
This document is provided as a template starting point and is not legal advice. Engage qualified counsel before relying on it for a live business.