Solidgate logo in black and white.
Log inGet a demo
Get a demo

DPA

Version 1.1, June 2026
This Data Processing Agreement (the “DPA”), presented below is the part of the Agreement between Customer and Solidgate that has the reference to this DPA and form an integral part of the Agreement.

1. DEFINITIONS

The following definitions shall apply in this DPA in addition to other defined in the Agreement; and, for the avoidance of doubt, in the event of any inconsistency or conflict, the applicable special definitions below shall supersede and/or amend the definitions in the Agreement.
Data Breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
Data Controllermeans the Party that has authority over the processing of Personal Data, determining the purpose for its use and the manner that it is processed.
Data Exporterthe Party disclosing the Personal Data.
Data Importerthe Party receiving the Personal Data.
Data Protection Authoritymeans the official body that ensures compliance with the Data Protection Laws within its applicable jurisdiction.
Data Subjectmeans the directly or indirectly identified or identifiable person to whom the Personal Data relates.
Employeesmeans employees, officers, consultants, suppliers, freelancers and individual subcontractors.
Personal Datameans any information regulated by Data Protection Laws, including information concerning an identified or identifiable individual, such as, name, address, age, gender, email address, etc., that is processed in connection with the Agreement.
Processing, processes and processmean either any activity that involves the use of Personal Data or as the Data Protection Laws may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
Representativesmeans the beneficial owners, principals, officers, authorized users, and employees.
Standard Contractual Clauses (“SCC”)means contractual clauses established by the European Commission concerning the international transfer of Personal Data, as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 04 June 2021.

2. GENERAL PROVISIONS

2.1. With regard to Personal Data processed in connection with this Agreement, the Parties will each be independent Data Controllers. 
2.2. This Schedule sets out the framework for the sharing of Personal Data when one Data Controller (the Data Exporter) discloses Personal Data to another Data Controller (the Data Importer). This Schedule defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other in respect of the disclosure of the Personal Data in this context.
2.3. Each Party shall comply with the requirements of the Data Protection Laws applicable to Data Controllers and otherwise in connection with this Agreement. For the avoidance of doubt, each Party shall, inter alia, have their own, independently determined privacy policy, notices and procedures for the Personal Data they hold and shall bear responsibility for its own compliance obligations under applicable Data Protection Laws in relation to the processing of Personal Data. 
2.4. The Parties shall provide one another with reasonable assistance, on request, for the purposes of achieving and demonstrating compliance with applicable Data Protection Laws in relation to such Processing.
2.5. Each Party shall ensure that it processes all Personal Data fairly and lawfully during the term of the Agreement. Each Party shall ensure that it has legitimate grounds under the Data Protection Laws for the Processing of Personal Data.
2.6. The Parties shall, in respect of Personal Data, ensure that, in advance of the disclosure of any Personal Data, the Data Subjects are provided with clear and sufficient information to the affected Data Subjects, in accordance with the requirements of applicable Data Protection Laws, of the purposes for which their Personal Data will be processed, the legal basis for such purposes, and such other information as is required by applicable Data Protection Laws.
2.7. Customer undertakes to inform the Data Subjects, in accordance with the Data Protection Laws, of the purposes for which their Personal Data will be processed by Customer and Solidgate under this Agreement, the legal basis for such purposes and such other information as is required by applicable Data Protection Laws. 
2.8. Customer shall ensure that all Data Subjects, whose Personal Data is processed under the terms of this Agreement, are duly apprised of Soligate's Privacy Policy, available at 
https://solidgate.com/privacy-policy-3/
.

3. TECHNICAL AND ORGANISATIONAL MEASURES

3.1. Each Party shall implement and maintain at all times all appropriate technical, security, and organizational measures in relation to the processing of Personal Data in order to:
3.1.1. Prevent unauthorised or unlawful processing of Personal Data, the accidental loss or destruction of, or damage to Personal Data.
3.1.2. Ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and the nature of Personal Data.
3.2. In assessing the appropriate level of security, the Parties shall take into account the risks that are presented by the Processing, in particular risks arising from a Data Breach.
3.3. The Parties undertake to ensure the security of Personal Data entrusted for Personal Data processing in accordance with the Data Protection Laws and industry practices, in particular, to formulate and apply appropriate documentation and procedures for Personal Data processing, as well as technical, informational and legal security measures, as required by the Data Protection Laws.
3.4. Each Party shall maintain records of all processing activities carried out under this Agreement. 
3.5. The Parties shall not knowingly do anything or permit anything to be done which might lead to a Data Breach or to a breach by the other Party of the Data Protection Laws.

4. EMPLOYEES

4.1. The Parties shall ensure that all Employees with access to the Personal Data are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment and/or other contractual arrangements with the Party.
4.2. The Parties shall provide access to Personal Data to its Employees on a need-to-know basis only and shall make sure that the Employees are aware and compliant with the DPA and the Data Protection Laws.
4.3. The Parties shall keep records of persons authorised for Personal Data processing.
4.4. The Parties shall train their Employees involved in the processing of Personal Data to comply with the Data Protection Laws and with the requirements established in this DPA.
4.5. Solidgate shall process Personal Data of the Customer’s Representatives to fulfil its legal and contractual obligations under this Agreement, to comply with its legal obligations as a financial institution, such as the applicable European Union and/or EU member states’ legislation to combat money laundering and terrorist financing, for fraud security, risk management, analytics and assessing credit and information security risks. Customer shall ensure that all Representatives and Authorized Users whose Personal Data is processed under the terms of this Agreement, are duly apprised of Soligate's Privacy Policy, available at 
https://solidgate.com/privacy-policy-3/
.

5. DATA BREACHES

5.1. Each Party shall comply with its obligation to report a Data Breach to the appropriate Data Protection Authority and (where applicable) Data Subjects under applicable Data Protection Laws and shall, to the extent permitted by Applicable Law, each inform the other Party of any material Data Breach relevant to Personal Data irrespective of whether there is a requirement to notify any Data Protection Authority or Data Subject(s).
5.2. Where a Data Breach is related to the Processing under this Agreement the affected Party shall also notify the other Party to this Agreement. The notification should inter alia include:
(a) Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;
(b) Likely consequences of the Data Breach;
(c) Measures taken or proposed to address and/or mitigate the effects of the Data Breach.
5.3. Each Party shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Data Protection Laws, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.
5.4. Each Party needs the prior approval of the other Party to include and identify the other Party in the breach notifications. The other Party should not delay or withhold the approval without a reasonable cause.

6. COOPERATION

6.1. Upon request, the Parties shall assist each other to comply with its obligations under the Data Protection Laws when related to the processing of the Personal Data, including but not limited to:
(a) Data Breaches;
(b) data protection impact assessments (DPIA);
(c) consultations with the Data Protection Authority; and
(d) enquiries, complaints, audits, claims or requests from any individual, Data Subject, court, government official, or Data Protection Authority.
6.2. Taking into account the nature of the processing, the Parties shall assist each other by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of their obligation, including but not limited to, to respond to requests for exercising the Data Subject's rights laid down in the Data Protection Laws.
6.3. Each Party shall promptly transfer each other any request received from Data Subjects according to their responsibilities defined in the Agreement. Where the required information can be retrieved by Customer itself from the website of Solidgate, the Customer may retrieve such information itself.
6.4. In the event of a dispute or claim brought by a Data Subject or a competent Data Protection Authority concerning the processing of Personal Data against either or both Parties, the Parties shall, to the extent permitted by applicable law: (i) inform each other about any such disputes or claims, and (ii) cooperate with a view to settling them amicably in a timely fashion.
6.5. Customer shall not share with Solidgate any Personal Data which is not necessary or relevant for receiving the Services under this Agreement.

7. SUBPROCESSING

7.1. Each Party may engage sub-processors in connection with the processing of Personal Data under this Agreement, provided that:
7.1.1. The sub-processors are bound by written agreements imposing data protection obligations that ensure a level of protection equivalent to this Agreement and Applicable Law;
7.1.2. Each Party remains responsible for ensuring the compliance of its sub-processors with such obligations.

8. CALIFORNIA CONSUMERS PRIVACY RIGHTS

8.1. This Clause 7 is applicable to processing of Personal Information of Consumers. The terms “Personal Information” and “Consumer” shall have the meanings stipulated in the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).
8.2. The Parties should not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement.
8.3. The Parties should not retain, use, or disclose Personal Information for a commercial purpose other than providing the services specified in the Agreement.
8.4. The Parties should not retain, use, or disclose Personal Information outside of the direct business relationship between each other.
8.5. The Parties should refrain from selling Personal Information, as the term “sell” is defined in the CCPA.
8.6. The Parties certify that they understand the restrictions in Clauses 8.2 – 8.5 hereof and will comply with them.

9. TERMINATION

9.1. This DPA will come into effect on the same date as the acceptance of the Agreement by Customer and shall remain in force until the termination of it except for those clauses which, by their nature, are intended to remain valid and enforceable.
9.2. Termination of this DPA shall not affect Parties’ accrued rights and obligations before or at the date of termination.
9.3. The Parties may retain Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by Data Protection Laws and always provided that each Party shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Data Protection Laws requiring its storage and for no other purpose.

10. MISCELLANEOUS

10.1. In the case of conflict or ambiguity between any provision of the DPA and any other provision of the Agreement, the provisions of the DPA shall prevail.
 

ANNEX A TO DATA PROCESSING AGREEMENT

DETAILS OF PERSONAL DATA PROCESSING BY SOLIDGATE
The nature of the processing of Personal Data:The scope of Personal Data processing shall include the following operations performed on the Personal Data: collecting, recording, storing, transferring, preparing, amending, making the data available, profiling with the use of personal data, deleting personal data both in paper form, as well as in the IT systems required for the provision of Services and for other purposes as may be required from time to time under the Agreement and Applicable Law.
Purpose of the data transfer and further processing:
Personal Data may be transferred and processed for the following purposes:
  1. To provide Data Subjects with services, necessary for the performance of the Agreement (account opening and maintaining, transaction processing, support, other ancillary services).
  2. To comply with applicable anti-money laundering (AML), counter-terrorism financing (CTF), and other relevant financial regulations.
  3. To detect, analyse, and report suspicious transactions in accordance with regulatory requirements.
  4. To verify the identities of individuals involved in transactions.
  5. To provide customer support and address customer-related inquiries.
Each purpose of data transfer and processing will be in accordance with the Agreement and Applicable Law, ensuring compliance with all relevant data protection obligations.
The frequency and duration of the processing of Personal Data:The Personal Data shall be processed on a continuous basis until no further processing is required by the Agreement or Applicable Law. The applicable retention period is set as required under Applicable Law and in any case not less than five (5) years in light of our obligations under anti-money laundering laws or six (6) years because of other Applicable Laws, including fiscal, corporate and other statutory obligations, or to protect our legal rights.
The categories of Data Subjects and Personal Data: 
  1. Personal Data of Customer:
    1. Transactional and Financial Data, including but not limited to:
      - Date, time, and amount of transactions;
      - The payment amount and currency;
      - Transaction history;
      - Beneficiary details (name, BIC, bank name, address and payment reference);
      - Intermediary banks details (if applicable);
      - Any other information required for KYC, AML, and compliance purposes;
      - Beneficiary's IBAN (or account number when no IBAN is available.
       
    2. Authentication and Access Control Data of Authorized Users of Customer, including but not limited to:
      - User logins and credentials (Login ID, Password, Digipass);
      - Role-based access permissions;
      - Device identifiers and login timestamps.
       
    3. Card details, including, but not limited to:
      - Cardholder name;
      - Card number (16-digit card account number (Primary Account Number/ PAN).
  2. Personal Data required for the onboarding of Customer (regarding Customers’ UBOs, directors/other Authorized Users):
    1. UBO:
      - Full legal name and Residence address;
      - Contact information (email, phone number);
      - ID / passport details;
      - Residence permit and Utility bill;
      - Tax number;
      - Bank details, personal income and source of wealth;
      - Ownership and directorship in onboarding company and/or other companies;
      - Adverse media and law enforcement information;
      - Presence in PEP, sanction, and watch lists;
      - Our correspondence;
      - Information related to fraud detection and risk assessments;
      - Publicly available Data. 
       
    2. Authorized User:
      - Full legal name and Residence address; 
      - Contact information (email, phone number);
      - ID / passport details;
      - Tax number;
      - Bank details (if confirming residence address with bank statement).
Authorized disclosures of Personal Data:
Personal Data may be accessed or disclosed only on a need-to-know basis and in accordance with the purposes defined in the Agreement or as required by Applicable Law. Disclosure of Personal Data may occur only to the following categories of recipients:
  1. Authorised personnel of either Party, where access is required for the performance of the Agreement;
  2. Approved vendors and partners acting on behalf of the Data Controller, who may process Personal Data in accordance with the terms of the Agreement and are considered sub-processors under GDPR;
  3. Beneficiaries, where required for the fulfilment of transactions or compliance with legal obligations;
  4. Regulatory authorities, competent bodies, and external auditors, as required under Applicable Law or upon lawful request.
Data Protection Authority:Office of the Commissioner for Personal Data Protection in Cyprus.