Data Processing Agreement
A Data Processing Agreement (DPA) under GDPR Article 28 governs the relationship between you (the Controller, processing your customers' personal data) and ChainMore (the Processor, processing that data on your behalf). Every paying merchant signs one before production data starts flowing.
What's in the DPA
Standard GDPR Article 28 structure, written for an Estonian-incorporated processor working with EU-resident merchants:
- Subject matter, duration, and purpose of processing
- Processor obligations (process only on documented instructions, confidentiality, security, sub-processors, data-subject-rights assistance, breach notification, return/deletion at end of processing, audit cooperation)
- Controller obligations (lawful basis, accuracy, instructions)
- International data transfers, with the EU SCCs (Module 2) incorporated by reference for any non-EEA sub-processor
- Liability allocation (proportional to fault, subject to the master agreement's caps)
- Annex 1: Description of processing
- Annex 2: Technical and Organisational Measures (TOMs)
- Annex 3: Approved sub-processors
What we commit to in the TOMs
The Technical and Organisational Measures annex is grounded in the actual security work shipped in our codebase. Every measure is traceable to a specific file, ADR, or test, and the underlying evidence pack is shared with controllers and partner-bank diligence teams on request. Highlights:
- HTTPS / TLS 1.2+ on every customer-facing surface, with HSTS, CSP, X-Frame-Options, Permissions-Policy, Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Resource-Policy (CORP) all enforced
- Cookie hardening with explicit per-cookie HttpOnly / SameSite / Secure attributes and the __Host- prefix on session cookies
- OIDC-based authentication (Keycloak), role-based authorisation, audience-separated tokens (the gateway accepts only access tokens with aud=chainmore-gateway)
- Hash-chained audit log for all administrative actions
- 72-hour personal-data-breach notification commitment to controllers, with regulatory notification windows aligned to DORA Article 19 and GDPR Article 33
- Disaster Recovery plan with documented RTO/RPO per component
- Incident-response runbook covering severity classification, communication, and blameless postmortems within 5 business days
- Automated regression test matrix covering frontend security headers, cookie hardening, accessibility (axe-core), and backend security middleware, run on every CI build
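As an illustration of the kind of regression check the last two bullets describe, the following is an added example, not ChainMore's own test suite: it audits one HTTP response for the security headers and cookie attributes listed above, including the RFC 6265bis rules that a __Host- cookie must be Secure, have Path=/ and carry no Domain attribute. The header values and cookie names are constructed for the example, and the one-year HSTS minimum is an assumption of this check rather than a figure from the TOMs.

```python
"""Added example (not ChainMore's code): regression check for the header and
cookie hardening claims above. Sample responses at the bottom are constructed."""
import re

ONE_YEAR = 31_536_000  # assumed HSTS minimum (seconds), also the preload threshold


def _hsts_ok(value: str) -> bool:
    """HSTS must carry a max-age of at least ONE_YEAR."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


# Header name -> predicate over its value. Names are matched case-insensitively.
# COOP is Cross-Origin-Opener-Policy; CORP is Cross-Origin-Resource-Policy.
REQUIRED_HEADERS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "permissions-policy": lambda v: bool(v.strip()),
    "cross-origin-opener-policy": lambda v: v.strip().lower() == "same-origin",
    "cross-origin-resource-policy": lambda v: v.strip().lower() in ("same-origin", "same-site"),
}


def check_security_headers(headers: dict) -> list:
    """One finding per missing or weak header; an empty list means pass."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header {name}")
        elif not ok(lower[name]):
            findings.append(f"weak value for {name}: {lower[name]!r}")
    return findings


def parse_set_cookie(value: str):
    """Split a Set-Cookie header into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def check_set_cookie(value: str) -> list:
    """Per-cookie checks: Secure, HttpOnly, explicit SameSite, and __Host- prefix rules."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        # Browsers default to Lax, but the policy promises an explicit value;
        # SameSite=None is treated as a finding as well.
        findings.append(f"{name}: SameSite must be explicitly Strict or Lax")
    if name.startswith("__Host-"):
        # RFC 6265bis: __Host- requires Secure, Path=/, and no Domain attribute.
        if attrs.get("path") != "/":
            findings.append(f"{name}: __Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append(f"{name}: __Host- prefix forbids a Domain attribute")
    return findings


def audit_response(headers: dict, set_cookies: list) -> list:
    """Combine header and cookie findings for a single HTTP response."""
    findings = check_security_headers(headers)
    for sc in set_cookies:
        findings.extend(check_set_cookie(sc))
    return findings


# Constructed sample responses (hypothetical values, not captured from any system).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
HARDENED_COOKIES = ["__Host-session=opaque-id; Path=/; Secure; HttpOnly; SameSite=Strict"]

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",           # far below one year
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",  # obsolete form, ignored by browsers
    "Permissions-Policy": "camera=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    # Cross-Origin-Resource-Policy deliberately absent
}
WEAK_COOKIES = ["__Host-session=opaque-id; Secure; HttpOnly; Domain=chainmore.io"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("hardened", HARDENED_HEADERS, HARDENED_COOKIES),
                                 ("weak", WEAK_HEADERS, WEAK_COOKIES)):
        print(label, audit_response(hdrs, cookies) or "PASS")
```

Run as a script it prints PASS for the hardened response and six findings for the weak one (short HSTS max-age, an obsolete X-Frame-Options value, missing CORP, and three cookie violations). In a CI matrix the same functions would be fed real responses captured from each customer-facing surface, and the assertion would be that the findings list is empty.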
The full TOMs document is provided as Annex 2 of every signed DPA. A reviewer-friendly summary is available on request to controllers, prospects, and partner-bank diligence teams at support@chainmore.io with subject "TOMs request".
Sub-processors
The current list of sub-processors that may process personal data on your behalf is published at /legal/sub-processors.html. We give 14 calendar days' written notice before any new sub-processor begins processing your data, with a right to object on reasonable data-protection grounds.
Status of this template
This DPA template was drafted by Chainmore OÜ in-house. It has not yet been reviewed by external legal counsel. We commit to engaging Estonian fintech-specialist counsel for a review before the first signed execution and notifying merchants of any material change resulting from that review.
Both parties are encouraged to have their own legal counsel review the DPA before execution. The template is a defensible starting point, not an immovable take-it-or-leave-it document; material concerns raised by a merchant's counsel are negotiated in good faith.
Questions
For DPA-specific questions: support@chainmore.io with subject "DPA question". For data-protection-officer escalations: same address with subject "DPO escalation".
Last updated: April 2026. Canonical version is held by Chainmore OÜ and provided on request.