Data Processing Agreement

In this Data Processing Agreement ("DPA"):

• "Controller" means the merchant who determines the purposes and means of processing personal data.
• "Processor" means λ.digital, which processes personal data on behalf of the Controller.
• "Data Subject" means any individual whose personal data is processed (e.g. the merchant's end customers).
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, use, and transmission.
• "GDPR" means the EU General Data Protection Regulation 2016/679.

This DPA governs the processing of personal data by λ.digital as Processor on behalf of the merchant as Controller, in connection with the provision of cryptocurrency payment infrastructure services ("the Service").

This DPA is effective from the date the merchant accepts the Terms of Service and remains in force for the duration of the service relationship.

λ.digital processes personal data solely to provide the Service, which includes:

• Detecting on-chain cryptocurrency transfers to merchant wallet addresses
• Delivering webhook notifications to the merchant about confirmed payments
• Storing transaction records (blockchain address, amount, timestamp) for audit and reconciliation purposes
• Authenticating API requests using API key hashes
• Rate limiting and abuse prevention

The personal data processed under this DPA may include:

• Blockchain addresses: Cryptocurrency wallet addresses of the merchant's customers (sender addresses visible on-chain)
• Transaction metadata: Transaction hashes, amounts, timestamps derived from public blockchain records
• IP addresses: Collected for rate limiting and security purposes
• Payment metadata: Any metadata the merchant associates with a PaymentIntent (e.g. order IDs, customer references)

Note: blockchain addresses may or may not constitute personal data depending on whether they can be linked to an identified individual. λ.digital treats them as personal data as a precautionary measure.

The Controller (merchant) agrees to:

• Have a lawful basis for processing personal data before instructing λ.digital to process it
• Inform data subjects about the processing in accordance with applicable law
• Ensure that personal data submitted to the Service is accurate and collected lawfully
• Comply with all applicable data protection laws regarding the personal data of their own customers

λ.digital as Processor agrees to:

• Process personal data only on documented instructions from the Controller (i.e. through use of the Service), except where required by law
• Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations
• Implement and maintain appropriate technical and organisational security measures as described in Section 8
• Not engage sub-processors without informing the Controller and obtaining appropriate authorisation
• Assist the Controller with data subject rights requests, security breach notifications, and DPIAs to the extent possible given the nature of the processing
• Delete or return all personal data at the end of the service relationship, unless legal obligations require retention
• Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits

The Controller grants general authorisation for λ.digital to engage sub-processors. Current sub-processors include:

• Cloud infrastructure provider — for hosting, database, and compute services
• Alchemy — Ethereum and BSC RPC node provider (wallet addresses shared to monitor transactions)
• TronGrid — Tron network RPC provider
• TonCenter — TON network API provider

λ.digital will inform the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object. Sub-processors are bound by data protection obligations equivalent to those in this DPA.

λ.digital implements the following technical and organisational measures:

• Encryption of data in transit (TLS 1.2+)
• Encryption of data at rest
• API key hashing (bcrypt) — plain keys are never stored
• Webhook payload signing (HMAC-SHA256) to ensure integrity
• Access controls — database accessible only from internal services
• Rate limiting and anomaly detection to prevent abuse
• Regular security updates to infrastructure and dependencies

Personal data may be transferred to countries outside the EEA in connection with sub-processors listed in Section 7. Where such transfers occur, λ.digital ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.

If λ.digital receives a data subject request directly, it will promptly forward it to the Controller. The Controller is responsible for responding to data subject rights requests. λ.digital will provide reasonable assistance to the Controller in fulfilling such requests.

λ.digital will notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed under this DPA. The notification will include:

• Nature of the breach and categories of data affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact details for obtaining further information

The Controller may request, no more than once per year, information demonstrating λ.digital's compliance with this DPA. λ.digital may satisfy such requests through provision of relevant certifications, security documentation, or written attestations.

Upon termination of the service relationship, λ.digital will, at the Controller's choice, delete or return all personal data processed under this DPA, and delete existing copies, unless applicable law requires continued storage.

This DPA is governed by the same law as the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

For questions about this DPA or data protection matters:

admin@λ.digital