Data Processing Agreement
Effective Date: March 11, 2025
This Data Processing Agreement, including its Annexes and the Standard Contractual Clauses (“DPA”), forms an integral part of the Main Agreement (“Main Agreement”) between Fireblocks and/or its subsidiaries and the counterparty agreeing to these terms (“Customer”); each a “Party” and together the “Parties”, and applies to the extent that Company processes Personal Data on behalf of the Customer in the course of performing its obligations.
Capitalized terms in this DPA shall have the meanings set out below or if not defined herein, the meanings set forth in the relevant Data Protection Laws or the Main Agreement.
a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes solely of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
b. “Authorized Affiliate” means any of Controller’s Affiliate(s) which (a) is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Main Agreement between Controller and Processor, but (c) has not signed its own Main Agreement or DPA with Processor and thus is not a “Customer” as defined under the Main Agreement.
c. “Business Day” means, if the deadline applies to the Controller, Monday to Friday except statutory holidays at the place of business of the Controller, and, if the deadline applies to the Processor, Monday to Friday except statutory holidays at the place of business of the Processor. With respect to Fireblocks Ltd. in Israel, Business Days mean the days Sunday to Thursday.
d. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
e. “Controller” means the entity or Business which solely or jointly with other entities determines the purposes and means of the Processing of Personal Data.
f. “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
g. “Data Subject” means the identified or identifiable person to whom the Personal Data relates, as may be defined in applicable Data Protection Laws.
h. “EU Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced.
i. “Fireblocks” means the Fireblocks entity which has entered into the Main Agreement with the Customer to which this DPA is attached. The address and place of business of that Fireblocks entity can be found in the Main Agreement, and all communication or declarations, including notices, shall be sent to the address indicated in the Main Agreement for that Fireblocks entity.
j. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
k. “Member State” means a country that belongs to the European Union and/or the European Economic Area.
l. “Personal Data” means (i) any data or information relating to an identified or identifiable living individual, including information that can be linked, directly or indirectly, with a particular Data Subject, or (ii) any data or information that is otherwise “personal information”, “personally identifiable information” or similarly defined information under the applicable Data Protection Laws.
m. “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Customer data, including Personal Data, whether or not by automated means, according to the definitions given to such terms in the GDPR.
n. “Processor” means the entity or Service Provider which Processes Personal Data on behalf of the Controller or on the instruction of another Processor acting on behalf of a Controller.
o. “Service(s)” means the services provided by Processor to Controller as set forth in the Main Agreement between the Parties.
p. “Sub-processor” means any Processor Affiliate and any sub-contractor engaged in the Processing of Personal Data in connection with the Services.
q. “Supervisory Authority” means any regulatory, supervisory, governmental, or other competent authority with jurisdiction or oversight over compliance with the Data Protection Laws.
a. Applicability. This DPA, which may be revised or updated periodically, will apply only to the extent that Fireblocks processes, on behalf of Customer, Personal Data to which applicable Data Protection Laws apply.
b. Scope. The duration of the Processing, the nature and specific purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Annex I (Details of Processing) to this DPA and, on a more general level, in the Main Agreement.
a. General. The parties acknowledge and agree that regarding the processing of Personal Data, Customer may act either as a Controller or Processor and Fireblocks is a Processor. Fireblocks will process Personal Data in accordance with Customer’s instructions and shall be the Customer’s “Service Provider,” as such term is defined under applicable Data Protection Laws.
b. Controller’s Obligations. Controller shall, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirements to provide notice to Data Subjects of the use of Processor. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data. Controller specifically acknowledges that its use of the Service will not violate the rights of any Data Subject that has opted out from sales, or other disclosures of Personal Data, to the extent applicable under the CCPA or other Data Protection Laws and Regulations. Controller is responsible for obtaining all of the necessary consents, authorizations and approvals to enter, use, provide, store, and Process Personal Data to enable Processor to provide the Services. Controller shall defend, hold harmless and indemnify the Processor and its Sub-processors authorized under this DPA (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by the Controller and/or its authorized users under applicable Data Protection Laws and/or this DPA and/or this Section.
c. Processor’s Obligations.
Processor shall process Personal Data only in accordance with the Customer’s documented, lawful business instructions as set forth in the Main Agreement and this DPA, as necessary to comply with applicable Data Protection Laws, or as otherwise agreed in writing.
If the Processor or its Sub-processors determine that a request from the Controller or its authorized users regarding the Processing of Personal Data (including, but not limited to, any instruction, direction, code of conduct, certification, or change issued by the Controller) falls outside the scope of this DPA or is unlawful, the Processor shall:
i. promptly inform the Controller, providing relevant details outlining the issue or the reasons for considering the request unlawful (without offering legal advice); and
ii. temporarily suspend the Processing of the affected Personal Data (except for securely storing such data) without incurring liability under this DPA, until the Controller provides further instructions on how to proceed.
d. If the Controller directs the Processor to continue the Processing as originally instructed, the Controller shall bear full responsibility for any resulting damages or liabilities. The Controller agrees to defend, indemnify, and hold harmless the Processor and its authorized Sub-processors (including their directors, officers, agents, subcontractors, and employees) against any claims, damages, fines, or liabilities arising from such Processing or from breaches, violations, or infringements caused by the Controller’s decision.
If the Processor has reasonable grounds to believe that, despite the Controller’s assumption of liability, it may still face accountability (including regulatory fines imposed by competent data protection authorities), the Processor reserves the right to terminate the Main Agreement and this DPA for the affected Processing. Upon such termination, the Controller shall pay all outstanding amounts owed to the Processor as of the termination date. The Controller shall not be entitled to make any further claims against the Processor, including claims for refunds of Services, except as required by termination-related obligations expressly set forth in this DPA.
e. Processor acknowledges that it shall act as Controller’s “Service Provider” with respect to Personal Data that Processor Processes for the performance of the Main Agreement and this DPA. Processor shall not: (i) sell this Personal Data; (ii) collect, retain, use, or disclose this Personal Data (a) for any purpose other than providing the Services specified in the Main Agreement and this DPA or (b) outside of the direct business relationship between Controller and Processor; or (iii) combine this Personal Data with Personal Data that Processor obtains from other sources except for any permitted purposes under the applicable Data Protection Laws. Processor certifies that it understands the prohibitions outlined in this Section 3.3.2 and will comply with them.
f. Processor will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of the Processor, to the extent that such act or omission is a result of the Controller’s instructions.
If Processor receives a request from Controller’s Data Subject to exercise one or more of its rights under applicable Data Protection Laws in connection with the Services governed by the Main Agreement, Processor will redirect the Data Subject to make its request directly to Controller. Controller will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Upon Controller’s request, Processor shall, taking into account the nature of the processing, provide reasonable assistance to Controller where possible and at Controller’s cost and expense, to enable Controller to respond to requests from a Data Subject.
Processor shall, to the extent required by applicable Data Protection Law, provide Controller with reasonable assistance (at Controller’s cost and expense) with data protection impact assessments or prior consultations with data protection authorities that Controller is required to carry out under such legislation.
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Main Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
a. General Authorization. By entering into this DPA, Controller acknowledges and agrees that Processor may engage third-party Sub-processors in connection with the provision of the Services, to fulfil its contractual obligations under this DPA, or to provide certain services on its behalf, such as providing support services to Processor. Processor must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Personal Data to the standard required by applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to Controller if such Sub-processor fails to fulfil its data protection obligations with regard to the relevant Processing activities under the Main Agreement.
Processor currently utilizes the Sub-processors set forth here and Annex III, which will be updated from time to time.
b. Notice of New Sub-processors. Processor shall notify the Controller of intended changes concerning the addition or replacement of Sub-processors by updating its webpage. Processor will notify Controller if it intends to add or replace Sub-processors at least 30 days prior to any such changes. To receive such notification, Customers can email [email protected] to join Processor’s distribution list.
c. Objection to New Sub-processors. Controller may reasonably object to Processor’s use of a new Sub-processor by notifying the Processor without undue delay in writing no later than three (3) Business Days after receipt of the Processor’s notice in accordance with the mechanism set out in Section 7.2 of the DPA, and such written objection shall include the applicable reasons for objecting to Processor’s use of such new Sub-processor. Failure to object to a new Sub-processor in writing within the three (3) Business Day period shall be deemed acceptance of the new Sub-processor. In the event Controller reasonably objects to a new Sub-processor, as permitted above, the Processor will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Controller. Such change may include a change in the remuneration to be paid under the Main Agreement in order to cover higher costs of an alternative Sub-processor agreeable to the Controller. If the Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) Business Days, Controller may, as a sole remedy, terminate the applicable Main Agreement and this DPA with respect only to those Services which cannot be provided by the Processor without the use of the objected-to new Sub-processor by providing written notice to the Processor, provided that all amounts due under the Main Agreement before the termination date with respect to the Processing at issue shall be duly paid to the Processor. Until a decision is made regarding the new Sub-processor, the Processor may temporarily suspend the Processing of the affected Personal Data.
The Controller will have no further claims against the Processor due to the termination of the Main Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, Processor shall maintain appropriate organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, customer data), confidentiality, and integrity of Customer data.
b. Controller acknowledges that the security measures are subject to technical progress and development and that Processor may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the data.
c. Notwithstanding the above, the Controller agrees that except as provided in this DPA, the Controller is responsible for its secure use of the Services, including securing its account authentication credentials and any API credentials (if applicable), protecting the security of customer data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any customer data uploaded to the Services.
a. Processor Assistance. Processor will provide to the Controller and its duly authorized designees, during the term of this DPA, the information necessary to demonstrate the adequacy of Processor’s information security measures and compliance with each applicable Data Protection Law.
b. Third-Party Certifications and Audit Results. Upon the Controller’s written request, at no cost, and subject to the confidentiality obligations set forth in the Main Agreement, Processor shall make available to the Controller a copy of Processor’s most recent third-party audits or certifications, as applicable.
c. On-site Audits. Only to the extent Controller cannot reasonably satisfy Processor’s compliance with this DPA through the exercise of its rights under Section 9.2 above, or where required by a regulatory authority, Controller, or its authorized representatives, may, at Controller’s sole expense, conduct audits (including inspections) during the term of the Main Agreement to assess Processor’s compliance with the terms of this DPA. Any audit must (i) be conducted during Processor’s regular business hours, with reasonable advance written notice of at least ninety (90) calendar days; (ii) be conducted according to a methodology and timetable to be agreed upon between the Parties (acting reasonably and in good faith), (iii) be subject to reasonable confidentiality controls obligating Controller (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iv) occur no more than once every twelve (12) months; and (v) restrict its findings to only information relevant to Controller.
a. Notification. Processor shall notify Controller without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Processor or its Sub-processors (a “Personal Data Incident”).
b. Material Personal Data Incidents. The requirements in section 10.1 shall apply to material Personal Data Incidents, defined as a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that:
(i) Is likely to result in a risk to the rights and freedoms of data subjects;
(ii) Requires notification to a supervisory authority or data subjects under applicable data protection laws.
A Personal Data Incident shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Personal Data, including incidents that have been successfully blocked, mitigated, or contained before causing harm.
c. Remedial Measures. Processor shall make commercially reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Processor deems necessary, possible and reasonable in light of the circumstances and severity of the Personal Data Incident in order to remediate and mitigate the cause of such Personal Data Incident, to the extent the remediation and/or mitigation is within the Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Controller and/or Controller’s users. In any event, Controller will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws).
d. Processor’s notification of or response to a Personal Data Incident shall not be construed as an acknowledgement by Processor of any fault or liability with respect to the Personal Data Incident.
e. Controller is solely responsible for its use of the Service, including (a) making appropriate use of the Service to ensure a level of security appropriate to the risk in respect of Personal Data; (b) securing the account authentication credentials, systems and devices Controller uses to access the Service; and (c) backing up Personal Data.
Subject to the Main Agreement, the Processor shall, at the choice of the Controller, delete or return the Personal Data to the Controller after the end of the provision of the Services relating to the Processing, and shall delete existing copies unless the applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Fireblocks may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations.
a. Transfers to countries that offer adequate level of data protection. Personal Data may be transferred to locations outside the originating country. For countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the originating countries (“Adequacy Decisions”), no further safeguards are necessary.
b. Transfers to countries without Adequacy Decisions. If the Processing of Personal Data includes transfers to other countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Third Countries”), the Parties shall abide by the applicable Standard Contractual Clauses (SCCs) issued or approved by the European Commission, or similar clauses required by the jurisdiction of transfer, to ensure compliance with data protection standards. The Standard Contractual Clauses are incorporated by reference and form an integral part of this DPA.
c. Transfers from the EEA/EU. Where Personal Data may be transferred from the EU Member States and the three EEA member countries, Norway, Liechtenstein and Iceland (collectively, “EEA”), the EU SCCs shall apply as follows:
i. Module Two (Controller to Processor) will apply.
ii. in Clause 7, the optional docking clause will apply.
iii. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be thirty (30) days.
iv. in Clause 11, the optional language will not apply.
v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.
vi. in Clause 18(b), disputes shall be resolved before the courts of Ireland.
vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA; and
viii. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA.
d. Transfers from the United Kingdom and Switzerland. In relation to transfers of Personal Data protected by the UK General Data Protection Regulation (GDPR) or Swiss Federal Act on Data Protection (FADP), the EU SCCs as implemented under section 11.2 above will apply with the following modifications:
i. references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK or Swiss Privacy Laws (as applicable).
ii. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of UK Privacy Laws or the Swiss FADP (as applicable).
iii. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “UK” or “Switzerland”, or “UK law” or “Swiss law” (as applicable).
iv. the term “Member State” shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland).
v. The “competent Supervisory Authority” is the UK Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable).
vi. references to the “competent Supervisory Authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable).
vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
viii. with respect to transfers to which UK Privacy Laws apply, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
e. Transfers from Abu Dhabi. Where the transfer of Personal Data involves a transfer from the Abu Dhabi Global Market (ADGM), in a manner that would trigger obligations under the ADGM Data Protection Regulations 2021 (DPR), the parties agree that such transfers shall be governed by the EU SCCs and the ADGM SCCs as issued or recognized by the ADGM Office of Data Protection, where applicable. For purposes of transfers under this section, the SCCs shall be deemed to be modified to incorporate relevant references and definitions in a manner that would render such SCCs an adequate tool for such transfers under the DPR.
f. Annexes. The parties hereby agree that data processing details set out in Annex A of this DPA shall apply for the purposes of Annex 1 of the EU Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this DPA shall apply for the purpose of Annex 2 to the EU Standard Contractual Clauses. Fireblocks shall be deemed the “data importer” and Customer the “data exporter” under the EU Standard Contractual Clauses, and the parties will comply with their respective obligations under the EU Standard Contractual Clauses. Customer grants Fireblocks a mandate to execute the EU Standard Contractual Clauses (Module 3) with any relevant Sub-processor (including Fireblocks Affiliates). Unless Fireblocks notifies Customer to the contrary, if the European Commission subsequently amends the EU Standard Contractual Clauses at a later date, such amended terms will supersede and replace any EU Standard Contractual Clauses executed between the parties.
g. In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
h. Alternative Data Export Solution. The parties agree that the data export solutions identified in Section 12 will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized under the Data Protection Laws), in which event, Customer shall reasonably cooperate with Processor to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which Personal Data is transferred under this DPA).
i. For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws shall rest with Customer and not with Fireblocks. Fireblocks may, at Customer’s cost, provide reasonable assistance to Customer with regards to such obligations.
a. Processor may disclose Customer data to the extent such data is required to be disclosed by law, by any government or regulatory authority, or by a valid and binding order of a law enforcement agency (such as a subpoena or court order), or other authority of competent jurisdiction.
b. If any law enforcement agency, government or regulatory authority sends Processor a demand for disclosure of the Customer data, then Processor will attempt to redirect the law enforcement agency, government or regulatory authority to request that data directly from the Customer, and Processor is entitled to provide the Customer’s basic contact information to such law enforcement agency, government or regulatory authority.
c. If compelled to disclose Customer data pursuant to Section 13.1, then Processor will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy.
Each Party’s and all of its Affiliates’ liability, taken together and in the aggregate, arising out of or related to this DPA shall, in all cases, be limited to the extent that the same shall have been caused by such Party’s actions, and shall be further subject to the exclusions and limitations of liability set forth in the Main Agreement, to the extent permitted by applicable Data Protection Laws.
a. Permitted Affiliates. You enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates.
b. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
c. Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Main Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Main Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
This DPA shall automatically terminate upon the termination or expiration of the Main Agreement under which the Services are provided. Sections 3.2, 3.3 and 17 of this DPA shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Main Agreement, except where the Processing ends before the termination of the Main Agreement, in which case, this DPA shall automatically terminate.
In the event of any conflict between the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Main Agreement. Each Party’s liability for damages under this DPA is governed by the Main Agreement.
This DPA has been pre-signed by Fireblocks and shall be deemed fully executed and effective (including the Standard Contractual Clauses and annexes) upon the date of the Customer’s signature.
The parties’ authorized signatories have duly executed this Agreement as of the date of the last signature (the ‘Effective Date’).
a. List of Parties
Data Exporter(s): Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
| Name of Data Exporter: | The party identified as the “Customer” in the Main Agreement and this DPA |
| Address: | As set forth in the Main Agreement |
| Contact person’s name, position, and contact details: | As set forth in the Main Agreement |
| Activities relevant to the data transferred under these Clauses: | See Annex I(B) below |
| Signature and date: | This Annex I shall automatically be deemed executed when the Main Agreement is executed by Customer |
| Role (controller/processor): | Controller or Processor |
Data Importer(s): Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection
| Name of Data Importer: | Fireblocks |
| Address: | As set forth in the Main Agreement |
| Contact person’s name, position, and contact details: | [email protected] |
| Activities relevant to the data transferred under these Clauses: | See Annex I(B) below |
| Signature and date: | This Annex I shall automatically be deemed executed when the Main Agreement is executed by Customer |
| Role (controller/processor): | Processor |
b. Description of Transfer
Categories of data subjects whose personal data is transferred are:
- Customer personnel
- Personnel of Customer’s customers and partners
- Other
The categories of Personal Data transferred are determined and controlled by the Customer and may include:
- First and last name
- Contact details (email address)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data will be transferred from the data exporter to the data importer.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The frequency of the transfer will be on a continuous basis.
Nature of the processing.
The nature of the Processing of Personal Data is to provide the Services in accordance with the Main Agreement.
Purpose(s) of the data transfer and further processing.
Processor will process Personal Data as necessary to perform the Services pursuant to the Main Agreement, as further specified in the DPA, and as further instructed by Customer in its use of the Services.
The subject matter, nature and duration of the processing by sub-processors are as set forth in this DPA.
This Annex II sets forth the security measures that Processor shall maintain in connection with the Personal Data submitted by Controller to Processor to enable it to provide the Services under the Main Agreement.
| Controls | Description |
| Measures of pseudonymisation and encryption of personal data: | Customer data including website traffic and platform data are encrypted while at rest and in transit. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: | Processor applies a combination of: (i) application layer security controls, including authentication schemas such as Multi-Factor Authentication (MFA), logical security, data encryption and IP address source restriction; and (ii) network and infrastructure layer security controls, including network architecture, risk management and cloud operation security. Processor relies on a number of cloud service providers (Amazon Web Services, Microsoft Azure and Google Cloud Services) for its global infrastructure, including the facilities, network, hardware and operational software that support the provisioning and use of basic computing resources and storage. This infrastructure is designed and managed according to security best practices and a variety of security compliance standards, including but not limited to FedRAMP, ISO/IEC 27001:2022, AICPA SOC 1 and SOC 2. |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: | Processor maintains an in-house 24x7 Security Operations Centre (SOC) and dedicated procedures to respond to security incidents promptly and minimise the impact of any incidents. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: | Processor conducts regular security audits to identify potential vulnerabilities and ensure that our systems remain secure. |
| Measures for user identification and authorisation | Processor maintains various authentication schemas, such as Multi-Factor Authentication (MFA), logical security, data encryption, IP address source restriction and conditional access. |
| Measures for the protection of data during transmission | Customer data is encrypted while in transit, using recognised industry standards. |
| Measures for the protection of data during storage | Data stored in AWS is encrypted at the storage level using AES-256. |
| Measures for ensuring physical security of locations at which personal data are processed | Physical access methods, procedures and controls have been implemented by cloud providers to help prevent unauthorized access to data, assets, and restricted areas. Policies, procedures, and supporting business processes are in place to maintain a safe and secure working environment in Processor’s offices and control physical access, including appropriate alarms, access provisioning, CCTV cameras, and escorting visitors. Physical access is restricted to authorized personnel using personal electronic identification cards. Processor operates under the framework of the Cloud shared responsibility model. |
| Measures for ensuring events logging | Critical system components generate logs and are monitored by a set of dedicated tools for identifying trends that may have a potential impact on the Processor’s ability to achieve its system and security objectives. Operations and security personnel follow defined protocols for resolving and escalating reported events. This includes root cause analysis that is escalated to management as required. |
| Measures for ensuring system configuration, including default configuration | Access Control Policy and Procedures; Change Management Procedures |
| Measures for internal IT and IT security governance and management | Processor has implemented information security management procedures in accordance with the ISO 27001 standard. These policies include, but are not limited to, the Information Security and Incident Response Policy, Secure Development Policy, Network and Communication Security Policy, Access Control Policy, Change Management Policy and Patch Management Policy. |
| Measures for certification/assurance of processes and products | Processor is certified for the following International Standards: ISO 27001 (Information Security), ISO 27017 (Information Security for Cloud Service Providers), ISO 27018 (Privacy in Cloud Computing) and ISO 22301 (Business Continuity Management). |
| Measures for ensuring data minimisation | Data collection is limited to the purposes of processing (or the data that the customer chooses to provide). Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions. |
| Measures for ensuring data quality | Customer is responsible for the data entered into the platform, however, Processor has a process that allows data subjects to exercise their privacy rights (including a right to amend and update their Personal Data), as described in Processor’s Privacy Policy. |
| Measures for ensuring limited data retention | Upon termination or expiry of this Agreement, Processor will delete or return Personal Data when no longer required pursuant to the Main Agreement, save that this requirement will not apply to the extent that Processor is required by applicable law to retain some or all of the Personal Data. |
| Measures for ensuring accountability | Processor has implemented and will maintain a comprehensive set of formal policies, controls, and practices for proper auditing and accountability purposes. |
Processor has implemented and maintains policies and procedures to engage third-party suppliers and to regularly monitor, review, and audit its suppliers’ service delivery. Processor third-party suppliers’ involvement in processing Personal Data is subject to the conditions established in this DPA.
This annex is available, as amended from time to time in accordance with Section 7, at: Fireblocks.com/sub-processors.
Part 1: Tables
Table 1: Parties
| Start date | ||
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| Key Contacts | See Annex I(A) – List of Parties | See Annex I(A) – List of Parties |
Table 2: Selected SCCs, Modules and Selected Clauses
| “Addendum EU SCCs” | The version of the approved EU SCCs agreed to in the DPA which this Addendum is appended to, detailed below, including the Appendix Information |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
| Annex 1A: List of Parties: See Annex I(A) – List of Parties |
| Annex 1B: Description of Transfer: Annex I(B) – Description of Transfer |
| Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II |
| Annex III: List of Sub processors: Addressed in Section 7 of the DPA and Annex III |
Table 4: Ending this Addendum when the Approved Addendum Changes
| Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19 of the UK Addendum: ☐ Importer ☐ Exporter ☒ Neither Party |
Part 2: Mandatory Clauses
| “Mandatory Clauses” | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |