This DPA is required when you use the QCA API to process personal data on behalf of your organisation. Enterprise and Sovereign tier clients receive a signed physical copy. Pro tier clients are covered by this standard DPA.
Processor: QuantChainAnalysis UG (haftungsbeschränkt), Schorndorfer Straße 5, 70374 Stuttgart ("QCA")
Controller: The API client entity identified in the subscription agreement ("Client")
QCA processes blockchain wallet addresses, transaction data, and associated risk information submitted by the Client for the purpose of AML/CFT screening, sanctions checking, forensic analysis, and compliance report generation.
Processing is continuous for the duration of the subscription. Data submitted via API is processed in real time and not retained beyond the purposes described in the Privacy Policy, except where required by law.
The personal data processed comprises wallet addresses (pseudonymous identifiers), transaction hashes, IP addresses of API callers, and email addresses of account holders. No special category data (Art. 9 GDPR) is processed unless the Client submits it voluntarily.
QCA shall: (a) process data only on documented instructions from the Controller; (b) ensure all persons authorised to process data are bound by confidentiality; (c) implement appropriate technical and organisational security measures per GDPR Art. 32; (d) assist the Controller in responding to data subject rights requests; (e) delete or return all personal data at the end of services; (f) provide all information necessary to demonstrate compliance with Art. 28.
QCA uses the following approved sub-processors:
QCA will notify the Client of any intended changes to sub-processors with 30 days' notice.
QCA implements: SHA-256 / Keccak-256 hashing of all sensitive identifiers; HMAC-SHA256 signing of forensic reports; TLS 1.3 for all data in transit; API keys stored as SHA-256 hashes only; no persistent storage of raw wallet screening results; Netlify's SOC 2 Type II certified infrastructure.
Given that wallet addresses are pseudonymous and QCA does not link them to natural persons, most Art. 15–22 requests will be satisfied by confirming no identifiable personal data is held. For cases where personal data was submitted, QCA will respond within 72 hours of a written request.
The Client has the right to conduct audits or instruct an independent auditor, with 30 days' written notice and at the Client's cost. Audits are limited to data processing activities and security measures relevant to this DPA.
Data transfers to the USA (Netlify, Stripe) are made under Standard Contractual Clauses (Commission Decision 2021/914/EU). Copies are available on request.
This DPA is governed by German law. Any disputes arising from it shall be brought before the courts of Stuttgart. Enterprise and Sovereign tier clients requiring a countersigned physical DPA should contact: contact@quantchainanalysis.com