Effective Date: Upon execution of Main Services Agreement

Parties: Nomyx Technology Labs Inc. ("Processor") and Customer ("Controller")

1. Scope and Roles

This DPA governs how we handle personal data in our blockchain infrastructure and securities tokenization services:

You (Controller): Determine what data to process and why

We (Processor): Process data on your behalf per your instructions

Automatic application: This DPA applies automatically to all customers

Securities-specific: Enhanced requirements for tokenized securities data

2. Our Processing Commitments

2.1 We Will:

• Process data only per your instructions

• Maintain confidentiality (all staff under NDAs)

• Implement appropriate security measures

• Assist with data subject requests

• Delete data per our deletion policy, barring any blockchain transaction records or data stored in accordance with compliance requirements

• Maintain processing records

• Coordinate with approved sub-processors

• Ensure securities compliance data integrity

2.2 We Won't:

• Use your data for our own purposes

• Transfer data without legal basis

• Process data after termination (except legal requirements)

• Modify data without instruction

• Share investor data outside approved channels

3. Security Measures

We implement industry-standard protections:

Access controls: Role-based, MFA required

Monitoring: 24/7 security operations

Incident response: 48-hour breach notification

Securities-specific: Enhanced controls for investor data

Third-party security: Verified sub-processor compliance

4. Sub-processors

4.1 Authorized Sub-processors

Current list at www.nomyx.io/legal/documents.

4.2 Changes

  • 30-day advance notice for new processors
  • Right to object within 14 days
  • Alternative arrangements where possible
  • Securities processors require additional vetting

5. International Transfers

We transfer data internationally using:

  • EU/UK → US: Standard Contractual Clauses
  • Other regions: Appropriate safeguards per local law
  • Blockchain exception: On-chain data is globally distributed
  • Securities data: Additional controls for investor information

6. Your Rights and Obligations

6.1 You Must:

  • Have legal basis for processing
  • Provide lawful instructions
  • Handle data subject requests
  • Ensure accuracy of data
  • Comply with securities regulations
  • Maintain investor consents

6.2 You Can:

  • Audit our compliance (annually)
  • Export your data anytime
  • Object to sub-processors
  • Request deletion (off-chain only)
  • Review sub-processor security
  • Access compliance reports

7. Blockchain-Specific Provisions

7.1 Immutability Acknowledgment

On-chain personal data cannot be deleted. You acknowledge:

  • Blockchain transactions are permanent
  • We cannot comply with erasure requests for on-chain data
  • You must design privacy into your implementation
  • Securities transactions create permanent records

7.2 Recommended Practices:

  • Store only hashes on-chain
  • Keep personal data off-chain (via Persona integration)
  • Implement proxy patterns for upgradability
  • Separate PII storage from blockchain transactions
  • Maintain audit trail in secure off-chain database

7.3 Securities-Specific Data Handling

  • Investor accreditation documentation: Stored off-chain with Persona
  • SEC filings: Public links on-chain, documents off-chain
  • Trading restrictions: Embedded in smart contracts
  • Audit reports: Stored off-chain with controlled access
  • KYC/KYB data: Managed with appropriate retention
  • Transaction history: Permanent on-chain record
  • Communications: Stored off-chain per regulations

8. Data Subject Requests

10. Audit Rights

10.1 Self-Service

  • Security documentation in dashboard
  • Compliance certificates on request
  • Sub-processor audit reports (summary)

10.2 On-Site Audits

  • Once annually with 30 days notice
  • Reasonable costs reimbursed
  • NDA required
  • Business hours only
  • Securities compliance focus permitted

11. Liability

11.1 Our Liability

Subject to MSA limitations except:

  • Direct damages from our data protection breach
  • Regulatory fines from our non-compliance
  • Maximum: $1000.00

11.2 Indemnification

You indemnify us for:

  • Your unlawful instructions
  • On-chain personal data issues
  • Your security failures
  • Securities law violations
  • Investor data misuse

12. Term and Termination

  • Duration: Same as Main Services Agreement
  • Survival: Obligations survive for retained data
  • Post-termination: 30-day export window
  • Securities data: Retained per regulatory requirements

13. Region-Specific Terms

13.1 European Union (GDPR)

  • Article 28 compliance
  • EU Standard Contractual Clauses apply
  • DPO contact: privacy@nomyx.io
  • Special categories data processing

13.2 California (CCPA)

  • Service provider obligations apply
  • No sale of personal information
  • Consumer rights support provided
  • Financial data exemptions

13.3 Other Regions

  • UK: UK SCCs and adequacy
  • Switzerland: Swiss requirements
  • Brazil: LGPD compliance
  • Singapore: PDPA compliance

13.4 US Securities Regulations

  • SEC Rule 17a-4 compliance
  • FINRA recordkeeping requirements
  • State blue sky law compliance
  • Transfer agent regulations

14. Definitions

Personal Data: Information relating to identified/identifiable individuals
Processing: Any operation on personal data
Blockchain Data: Data written to distributed ledger
Off-chain Data: Data in our traditional databases
Securities Data: Information related to tokenized securities offerings
Investor Data: KYC/KYB and accreditation information

15. Contact Information

Privacy Officer: privacy@nomyx.io
Security Team: security@nomyx.io
Legal/Compliance: legal@nomyx.io
Support: support@nomyx.io

Schedule 1: Processing Details

Nature and Purpose

  • Providing blockchain infrastructure services
  • Smart contract deployment and management
  • Transaction processing and monitoring
  • Analytics and reporting
  • Securities tokenization services
  • Investor onboarding and compliance
  • Fund administration support
  • Regulatory reporting assistance

Categories of Data Subjects

  • Your employees (users)
  • Your customers (end users)
  • Transaction counterparties
  • Smart contract interactors
  • Accredited investors
  • Fund managers
  • Compliance officers
  • Auditors and service providers

Types of Personal Data

  • Account information (name, email)
  • Wallet addresses (pseudonymous)
  • Transaction history
  • IP addresses and usage logs
  • Government IDs (via Persona)
  • Accreditation documentation
  • Banking information (via Bridge.xyz)
  • Investment history

Retention Periods

  • See Service Data Deletion Policy at www.nomyx.io/legal/documents
  • On-chain: Permanent
  • Off-chain: Per service type
  • Securities compliance data: 7 years minimum
  • KYC/KYB data: 5 years post-relationship

Schedule 2: Technical and Organizational Measures

See Security Measures Summary at www.nomyx.io/legal/documents for detailed security measures including:

  • Encryption standards
  • Access controls
  • Network security
  • Physical security
  • Incident response
  • Business continuity
  • Securities-specific controls
  • Third-party integration security

Schedule 3: Securities Data Processing

Specific Requirements

  • Investor identity verification via approved providers only
  • Segregation of investor data by fund
  • Enhanced access controls for financial data
  • Audit trail for all data access
  • Compliance with SEC cybersecurity rules
  • Coordination with transfer agents

Data Flows

  1. Investor → Bridge.xyz → Bank verification
  2. Nomyx → 1Transfer → Cap table management

This DPA supplements and is incorporated into the Main Services Agreement. No separate signature required.

Version: 2.0 | Effective: July 1, 2025 | Latest: www.nomyx.io/legal/documents
