Data Processing Agreement

Version 1.0 · Last updated: March 16, 2026

This Data Processing Agreement (“DPA”) forms part of the Cavos Terms of Service between Cavos Labs (“Processor”) and the developer or company registering an account (“Controller”). It governs the processing of personal data by Cavos on behalf of the Controller in accordance with GDPR Art. 28.

By creating a Cavos account, the Controller agrees to the terms of this DPA.

1. Definitions

1.1 “Personal Data” means any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).

1.2 “Controller” means the developer or company that determines the purposes and means of processing Personal Data of their End Users.

1.3 “Processor” means Cavos Labs, which processes Personal Data on behalf of the Controller.

1.4 “End Users” means the natural persons who use the Controller’s application and whose data is processed through Cavos infrastructure.

1.5 “Services” means the embedded wallet infrastructure, SDK, and dashboard provided by Cavos Labs at cavos.xyz.

2. Subject matter and duration

2.1 Cavos processes Personal Data submitted through the Services for the purpose of providing the embedded wallet infrastructure to the Controller’s application.

2.2 This DPA is effective for the duration of the Controller’s active account and terminates automatically upon account deletion. Retention obligations in Section 8 survive termination.

3. Nature and purpose of processing

3.1 The Processor provides the following processing activities on behalf of the Controller:

  • Storing pseudonymous wallet addresses (Starknet account addresses) to compute Monthly Active Users for billing
  • Recording transaction counts (without transaction hashes) per wallet per application
  • Sending transactional emails (verification, password reset) to End Users on behalf of the Controller, using email addresses provided by the Controller
  • Verifying identity via OAuth providers (Google, Apple) and email/password (Firebase) as configured by the Controller

3.2 The Processor shall not process Personal Data for any purpose other than those specified in this DPA, unless required by applicable law.

4. Types of personal data and categories of data subjects

4.1 Data subjects: End Users of the Controller’s application.

4.2 Types of data processed:

  • Pseudonymous blockchain wallet addresses
  • Transaction counts (no hashes, no amounts)
  • Email addresses (only when Controller enables email/password authentication)
  • OAuth identifiers (opaque sub claim from Google/Apple)

4.3 No special categories of personal data (Art. 9 GDPR) are processed.

5. Obligations of the Controller

5.1 The Controller shall ensure that it has a lawful basis for processing End Users’ personal data and that it has provided appropriate privacy notices to its End Users.

5.2 The Controller shall only instruct the Processor to process Personal Data in accordance with applicable data protection law.

5.3 The Controller shall inform the Processor without undue delay if it becomes aware that any processing instruction infringes applicable law.

6. Obligations of the Processor (Cavos)

In accordance with GDPR Art. 28(3), Cavos shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., use of the Services).
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures per GDPR Art. 32.
  • Respect the conditions for engaging sub-processors set out in Section 7.
  • Assist the Controller in responding to Data Subject requests (Art. 15–22) to the extent technically feasible.
  • Notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a personal data breach affecting Controller’s data.
  • Delete or return all Personal Data upon termination of the Services, at the Controller’s choice, and delete existing copies unless storage is required by law.
  • Make available all information necessary to demonstrate compliance with Art. 28, and allow for and contribute to audits conducted by the Controller or a mandated auditor.

7. Sub-processors

7.1 The Controller grants Cavos general authorisation to engage the following sub-processors:

| Sub-processor | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase | Database & auth | Account data, wallet addresses, tx counts | EU (AWS eu-west-1) |
| Google Firebase | Email/password auth | Email address, password hash | US (SCCs) |
| Stripe | Billing | Controller billing data only | US (SCCs) |
| Vercel | Hosting | Request logs (IP anonymised) | US (SCCs) |
| Resend | Transactional email | End user email address | US (SCCs) |

7.2 Cavos shall inform the Controller of any intended changes to this list at least 14 days in advance via email or in-dashboard notice, giving the Controller the opportunity to object. If the Controller objects and no reasonable solution can be found, either party may terminate the Services with 30 days’ notice.

7.3 Cavos shall impose data protection obligations on sub-processors equivalent to those in this DPA and shall remain liable to the Controller for the performance of sub-processors’ obligations.

8. Data deletion and return

8.1 Upon termination of the Services or upon written request, Cavos shall delete all Personal Data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.

8.2 Aggregated, anonymised usage statistics that cannot be linked to any individual or Controller may be retained by Cavos for product improvement purposes.

9. International transfers

9.1 Where sub-processors are located outside the EEA (see Section 7), Cavos relies on the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism, ensuring an adequate level of protection for Personal Data.

10. Security measures

10.1 Cavos implements and maintains appropriate technical and organisational measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Row-level security policies in the database
  • Access controls limiting production access to authorised personnel only
  • Regular dependency updates and security patching
  • Pseudonymisation of analytics data (wallet addresses without linked identifiers)

11. Governing law and supervisory authority

11.1 This DPA is governed by the laws of the European Union where applicable, and otherwise by the laws of the jurisdiction of the Controller’s place of establishment.

11.2 Each party retains the right to lodge a complaint with its competent data protection supervisory authority.

12. Contact

For any questions regarding this DPA or to exercise audit rights, contact: hello@cavos.xyz

This DPA is accepted electronically when you create a Cavos account. The acceptance timestamp and DPA version are recorded and stored with your account for compliance purposes.