Data Processing Agreement
Version 2026-05-19 · Effective May 19, 2026
This DPA forms part of the Terms of Service and governs the processing of personal data by Smartbull ("Processor") on behalf of the Customer ("Controller") under GDPR Art. 28.
1. Subject matter & duration
The Processor shall process personal data on behalf of the Controller for the duration of the Customer's active Smartbull subscription, plus any retention period required by law.
2. Nature and purpose of processing
3. Categories of data subjects & personal data
| Data subjects | Personal data processed |
|---|---|
| End users (traders) | Wallet address, email, IP, user-agent, Telegram chat_id, exchange balances, order history, PnL, encrypted API keys |
| Admin/billing contacts | Email, name (if provided), payment tx hashes |
No special categories of personal data (Art. 9 GDPR) are processed.
4. Standard Contractual Clauses
EU SCCs incorporated
For international transfers from the EU/UK/Switzerland to third countries, the EU Commission's Standard Contractual Clauses (Module 2: Controller to Processor), Implementing Decision (EU) 2021/914, are incorporated by reference in full, together with the UK International Data Transfer Addendum where applicable.
5. Sub-processors
The following sub-processors are authorised. The Controller is notified of any new sub-processor at least 30 days before that sub-processor begins processing personal data.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, CDN, DDoS protection | Global |
| Supabase Inc. | Primary database, auth, file storage | EU (Frankfurt) |
| Upstash, Inc. | Redis cache | EU (Ireland) |
| ClickHouse, Inc. | Analytics warehouse | EU |
| Fly.io, Inc. | Research compute | EU (Frankfurt) |
| Synadia Communications | NATS event streaming | EU |
6. Annex II — Technical & organisational security measures
| Measure | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM for stored exchange API keys; database-level encryption; Cloudflare R2 server-side encryption |
| Encryption in transit | TLS 1.2+ enforced; HSTS; mutual TLS for internal Worker traffic |
| Access controls | SSO with hardware-key 2FA; role-based access control; quarterly access reviews |
| Secrets management | Centralised secret store; no secrets in source code; quarterly secret rotation |
| Logging & monitoring | Structured logs (14 days hot retention, 1 year cold retention); SLO-driven alerting; kill-switch |
| Backups | Daily encrypted backups; point-in-time recovery; weekly DR drill (RTO < 15 min / RPO < 5 min) |
| Vulnerability management | Dependency scanning; security review for every migration; quarterly penetration test |
| Incident response | Documented runbooks; on-call rotation; notification to the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach (Art. 33(2) GDPR) |
7. Data subject rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) without undue delay.
End-users may self-serve at /privacy or contact privacy@smartbull.ai.
8. Audit rights
The Processor shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice and at the Controller's cost.
SOC 2 Type II attestation in progress. On-site audits are available to Institutional-tier customers.
9. Return or deletion of data
On termination, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days, unless retention is required by Union or Member State law.
Anonymized aggregate telemetry and legally-required audit logs are retained per the Privacy Policy retention schedule.
10. How to execute this DPA
This DPA is pre-signed by Smartbull and incorporated by reference for all paid subscribers. No separate signature is required.
Need a counter-signed copy?
Email legal@smartbull.ai with subject "DPA request" — we return a counter-signed DPA via DocuSign within 5 business days.