Between: [CUSTOMER_LEGAL_NAME] ("Controller" or "Customer")
And: AssetShop LLC ("Processor" or "AssetShop")
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement ("MSA") between Customer and AssetShop. This DPA governs the Processing of Customer Personal Data by AssetShop as a Processor on behalf of Customer in connection with the Service.
In the event of conflict between this DPA and the MSA, this DPA controls with respect to the Processing of Personal Data.
1. Definitions
Terms not defined in this DPA have the meanings given in the MSA. The following terms have the meanings set forth below:
"Applicable Data Protection Law" - all laws and regulations applicable to the Processing of Personal Data under this DPA, including: (a) GDPR (Regulation (EU) 2016/679); (b) UK Data Protection Act 2018 and UK GDPR; (c) Swiss Federal Act on Data Protection (FADP); (d) California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by CPRA ("CCPA"); (e) any other applicable data protection or privacy law.
"Customer Personal Data" - any Personal Data that AssetShop Processes on behalf of Customer in connection with the Service.
"Data Subject" - an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" - information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.
"Process" / "Processing" - any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Sub-processor" - any third party engaged by AssetShop to Process Customer Personal Data.
"Supervisory Authority" - a competent data protection authority under Applicable Data Protection Law.
2. Roles and scope
2.1 Roles
Customer is the Controller. AssetShop is the Processor.
2.2 Subject matter
AssetShop will Process Customer Personal Data solely to provide the Service to Customer in accordance with the MSA and this DPA.
2.3 Nature and purpose of Processing
The nature and purpose of Processing is to: provide the Service; allow Authorized Users to use the Service; respond to Customer support requests; comply with legal obligations.
2.4 Duration of Processing
For the duration of the MSA, plus the retention/return period under Section 3.4 of the MSA (60 days for return/deletion plus 35 days for backups).
2.5 Types of Personal Data and categories of Data Subjects (Annex I)
See Annex I attached to this DPA. Categories typically include: employees, contractors, suppliers, customers, and other individuals appearing in Customer's operational data (e.g., supplier contacts in procurement records, buyer contacts in purchase orders, employee names in work order records).
3. Customer obligations
Customer represents and warrants that: (a) it has all necessary rights and lawful bases under Applicable Data Protection Law to provide Customer Personal Data to AssetShop for Processing; (b) any instructions Customer gives AssetShop regarding the Processing of Customer Personal Data comply with Applicable Data Protection Law; (c) Customer is responsible for obtaining and maintaining any consents, notices, or other legal bases required from Data Subjects for the Processing.
4. AssetShop obligations
4.1 Compliance with instructions
AssetShop will Process Customer Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required to do otherwise by Applicable Data Protection Law (in which case AssetShop will inform Customer of that legal requirement before Processing, unless prohibited by law). The MSA, including this DPA and the Order Form, constitutes Customer's complete documented instructions.
4.2 Confidentiality
AssetShop will ensure that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and have received appropriate data-protection training.
4.3 Security
AssetShop will implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons. See Annex II for AssetShop's current TOMs.
4.4 Assistance to Customer
Taking into account the nature of the Processing, AssetShop will assist Customer through appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection).
4.5 Data protection impact assessments (DPIAs)
AssetShop will provide reasonable assistance to Customer in conducting DPIAs and prior consultations with Supervisory Authorities under Articles 35-36 of the GDPR.
4.6 Records of processing
AssetShop will maintain records of Processing activities in accordance with Article 30(2) of the GDPR. AssetShop will make such records available to Customer's Supervisory Authority on request.
4.7 Cooperation with Supervisory Authorities
AssetShop will cooperate, on request, with Customer's Supervisory Authorities in the performance of their tasks.
5. Sub-processors
5.1 Authorization
Customer authorizes AssetShop to engage Sub-processors. AssetShop's current Sub-processors are listed at https://trust.enterprise.assetshop.eth.limo/#sub-processors.
5.2 Notice of new Sub-processors
AssetShop will provide at least 30 days' prior notice to Customer before engaging a new Sub-processor, by updating the published list and sending an email notice to Customer's designated privacy contact. Customer may object to the new Sub-processor in writing within 14 days of notice on reasonable data-protection grounds. The parties will work in good faith to resolve the objection. If no resolution is reached, Customer's exclusive remedy is to terminate the affected Order Form without penalty and receive a pro-rata refund of pre-paid fees.
5.3 Sub-processor obligations
AssetShop will enter into a written agreement with each Sub-processor containing data-protection obligations no less protective than those in this DPA, including the obligations regarding security, confidentiality, breach notification, and international transfers.
5.4 Liability
AssetShop remains liable to Customer for the performance of its Sub-processors' obligations under this DPA.
6. International transfers
6.1 Mechanism
For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a third country without an adequacy decision, the parties enter into the Standard Contractual Clauses ("SCCs") issued under European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor), incorporated by reference and supplemented as set forth in Annex III. For UK transfers, the UK International Data Transfer Addendum is incorporated. For Swiss transfers, the SCCs apply with adaptations for Swiss law.
6.2 Supplementary measures
AssetShop has assessed the laws and practices of the recipient country and implements supplementary measures including: encryption in transit (TLS 1.2+); encryption at rest; per-tenant cryptographic isolation; strict access controls; the right to challenge government access requests where legally permitted; and transparent disclosure of any compelled access in the Trust Center.
6.3 EU region option
Customer may elect EU-region deployment of the Service as part of the Order Form, in which case Customer Personal Data will be Processed only within the EEA.
7. Personal Data breach
7.1 Notification
AssetShop will notify Customer's designated privacy contact without undue delay, and in any event within 72 hours, after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data ("Breach Notification"). Confirmation means the security team has validated that an unauthorized access, disclosure, alteration, or destruction has actually occurred (not merely that a vulnerability or suspected event exists).
7.2 Content of notification
The Breach Notification will include, to the extent known at the time:
- The nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The likely consequences
- Measures taken or proposed to address the breach and mitigate adverse effects
- The contact details for further information
Where information is not available at the time of initial notification, AssetShop will provide it in subsequent updates without undue delay.
7.3 Status updates
AssetShop will provide status updates to Customer at least every 24 hours until the breach is contained.
7.4 Cooperation
AssetShop will cooperate with Customer's reasonable efforts to investigate and remediate the breach and to comply with Customer's notification obligations to Supervisory Authorities and Data Subjects under Applicable Data Protection Law.
7.5 No notification to third parties without Customer consent
AssetShop will not notify any third party (including Supervisory Authorities, Data Subjects, or media) of a breach affecting Customer Personal Data without Customer's prior written consent, unless required by Applicable Data Protection Law.
8. Audits
8.1 Audit rights
Customer may, at its own cost and no more than once per twelve-month period (unless required by Applicable Data Protection Law or following a Personal Data breach), audit AssetShop's compliance with this DPA. AssetShop's then-current SOC 2 Type II report (target Q1 2027) will satisfy this audit right; until SOC 2 Type II is available, AssetShop will provide its calibration ledger, control descriptions, and reasonable cooperation in response to Customer's reasonable audit request.
8.2 Audit conduct
Audits will be conducted: (a) on at least 30 days' prior written notice (except in case of a confirmed breach); (b) during normal business hours; (c) in a manner that does not interfere unreasonably with AssetShop's operations; (d) by Customer personnel or an independent auditor bound by confidentiality obligations.
8.3 Scope
Audit scope is limited to AssetShop's compliance with this DPA. AssetShop's confidential security details, other customers' data, and personnel records are out of scope.
8.4 Findings
AssetShop will work in good faith to address any material non-compliance findings within a reasonable time.
9. Return or deletion of Customer Personal Data
Upon termination or expiration of the MSA, AssetShop will, within 60 days, at Customer's election, return Customer Personal Data to Customer or delete it from AssetShop's production systems. Backups will be deleted within 35 additional days. Audit-chain anchor transactions on the public Base L2 blockchain will remain (as a property of immutable public ledgers), but contain only one-way SHA-256 hashes with no recoverable Personal Data.
If Customer does not specify a preference within 30 days of termination, AssetShop will delete the Customer Personal Data.
10. CCPA-specific terms
To the extent AssetShop Processes Customer Personal Data of California residents:
10.1 Service Provider status
AssetShop acts as a "Service Provider" or "Contractor" under CCPA. Customer transfers Personal Data to AssetShop for the limited and specified purposes set forth in this DPA and the MSA.
10.2 Restrictions
AssetShop will not:
- "Sell" Customer Personal Data (as "sell" is defined in CCPA)
- "Share" Customer Personal Data for cross-context behavioral advertising
- Retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer
- Combine Customer Personal Data with data received from any other source for any prohibited purpose
10.3 Notification of inability to comply
AssetShop will notify Customer if it determines it can no longer meet its CCPA obligations.
11. General
11.1 Term
This DPA is effective on the same date as the MSA and remains in effect for as long as AssetShop Processes Customer Personal Data.
11.2 Order of precedence
In the event of conflict: SCCs > this DPA > the MSA.
11.3 Governing law
This DPA is governed by the same law as the MSA, except where Applicable Data Protection Law requires otherwise (e.g., the SCCs are governed by the law of the EU Member State or Customer's location as required).
11.4 Severability
If any provision is held unenforceable, the remaining provisions remain in effect.
11.5 Counterparts and electronic signatures
This DPA may be signed in counterparts (including electronic), each an original.
Annex I - Description of Processing
Categories of Data Subjects
- Customer employees who are Authorized Users
- Customer suppliers' employees (appearing in purchase orders, contracts, supplier records)
- Customer customers' employees (appearing in sales orders, shipping records, where applicable)
- Other individuals whose Personal Data is included in operational data Customer chooses to submit to the Service
Categories of Personal Data
- Contact information: name, business email, business phone, job title
- Identifiers: user ID, employee ID
- Operational context: actions taken in the Service (e.g., purchase order approver), timestamps
- Authentication metadata: login times, IP addresses, session tokens
- Customer-submitted operational data (any Personal Data Customer chooses to include)
Special categories of data
None expected by default. Customer should not submit Special Categories of Personal Data (Article 9 GDPR) to the Service without prior written agreement with AssetShop.
Nature of Processing
Storage, organization, retrieval, consultation, use (for the Service), disclosure (to Authorized Users), transmission (to Sub-processors as listed), and erasure (per Section 9).
Purposes of Processing
Provision of the Service per the MSA.
Retention period
For the duration of the MSA plus 60 days post-termination (return/deletion) plus 35 days (backups). Audit-chain anchor hashes persist on the public blockchain but contain no recoverable Personal Data.
Annex II - Technical and Organizational Measures (TOMs)
Current measures (subject to update at AssetShop's discretion, provided that no update will materially reduce the level of protection):
Access control
- Multi-factor authentication for all production access
- Role-based access controls; least-privilege principle
- Quarterly access reviews
- Authentication via customer-side OAuth 2.0 / SAML / OIDC where the Customer has SSO
Encryption
- TLS 1.2+ for all data in transit (TLS 1.3 preferred)
- AES-256 encryption at rest for all stored Customer Personal Data
- Per-tenant cryptographic isolation (each Customer's data encrypted with a Customer-specific KMS key)
Network security
- Production network segmented from corporate network
- Firewall and WAF in place
- DDoS protection
- Network and application monitoring
Application security
- Read-only architecture: AssetShop adapters cannot modify Customer's enterprise systems
- Input validation on all API endpoints
- Output encoding to prevent injection
- CSRF protection
- Dependency scanning + vulnerability management
Personnel security
- Background checks (where legally permitted) for personnel with access to Customer Personal Data
- Confidentiality obligations in employment contracts
- Security and privacy training upon hire and annually
- Documented offboarding to revoke access promptly
Physical security
- Production infrastructure hosted in SOC 2 / ISO 27001 certified cloud facilities
- Physical access controls, surveillance, environmental controls at provider facilities
Operations
- Change management with peer review
- Logging and monitoring of access to Customer Personal Data
- Incident response runbook published in the Trust Center
- Annual third-party penetration test (commencing 2026)
- SOC 2 Type I bridge letter Q4 2026; Type II report Q1 2027
Vendor risk
- Sub-processor DPAs with equivalent or stronger protections
- Sub-processor list maintained in the Trust Center
- 30-day notice of new Sub-processors
Audit and accountability
- Public audit chain (Base L2) for verifiable provenance of outputs
- Open-source verify-cli for independent verification
- Calibration ledger for transparent claim/control status
- Status page for transparency on operational health
Annex III - SCCs (where applicable)
The parties incorporate the EU Standard Contractual Clauses (Module Two: Controller to Processor, Implementing Decision (EU) 2021/914) as follows:
- Clause 7 (Docking Clause): Optional; not used unless additional parties join.
- Clause 9(a) (Use of Sub-processors): OPTION 2 (general written authorization) applies; AssetShop will inform Customer of any intended changes to Sub-processors at least 30 days in advance, providing Customer the opportunity to object.
- Clause 11(a) (Redress): Independent dispute resolution body option is not selected.
- Clause 17 (Governing law): The law of [EU MEMBER STATE - typically the location of the data exporter or, if not in EU, Ireland].
- Clause 18(b) (Choice of forum and jurisdiction): Courts of [same EU Member State].
For UK transfers, the parties incorporate the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office. For Swiss transfers, the parties adapt the SCCs to Swiss law per Swiss FADP guidance.
Annexes I.A, I.B, I.C, II, and III of the SCCs are populated from Annexes I and II of this DPA.
Signatures:
For Customer (Controller):
Name: __________________________
Title: ___________________________
Date: ___________________________
Signature: ______________________
For AssetShop LLC (Processor):
Name: __________________________
Title: ___________________________
Date: ___________________________
Signature: ______________________
This Data Processing Agreement is provided as a counsel-ready draft. Please review with privacy counsel before execution.