Standard DPA between Arcap Partners (Processor) and Client (Controller)
Last updated: 1 January 2025 · Version 1.0
In this DPA, unless the context requires otherwise:
Terms not otherwise defined in this DPA shall have the meanings given to them in the Arcap Terms and Conditions or Applicable Data Protection Law.
Arcap processes Personal Data as a Processor on behalf of the Controller solely for the purpose of providing the services described in the Arcap Terms and Conditions and as further detailed in Schedule A to this DPA. Arcap shall not process Personal Data for any other purpose without the prior written consent of the Controller, unless required by law.
The subject matter, duration, nature and purpose of processing, type of Personal Data, and categories of Data Subjects are as set out in Schedule A.
Arcap acknowledges that, in its capacity as Processor, it does not determine the purposes for which Personal Data is processed, and it processes Personal Data only in accordance with the documented instructions of the Controller (as set out in this DPA, the Terms and Conditions, and any further written instructions issued by the Controller).
Arcap shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. Where Arcap is required by law to process Personal Data, it shall notify the Controller prior to such processing unless prohibited from doing so by law.
Arcap shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who need it for the provision of the services.
Arcap shall assist the Controller, taking into account the nature of the processing and the information available to Arcap, by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligations to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law.
Arcap shall assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, including obligations relating to security of processing, notification and communication of Security Incidents, data protection impact assessments, and prior consultation with supervisory authorities.
Arcap shall maintain a record of all categories of processing activities carried out on behalf of the Controller as required by Article 30(2) of the UK GDPR, and shall make this record available to supervisory authorities on request.
The Controller represents, warrants, and undertakes that:
The Controller provides general written authorisation for Arcap to engage Sub-Processors. Arcap's current approved Sub-Processors are set out in Schedule B to this DPA.
Arcap shall provide the Controller with at least 14 days' prior written notice (which may be by email or by update to Schedule B on the Arcap website) before engaging any new Sub-Processor. If the Controller objects to a new Sub-Processor on reasonable data protection grounds within 14 days of receiving notice, the parties shall negotiate in good faith to resolve the objection. If unresolved within 30 days, either party may terminate the relevant services on 30 days' notice.
Where Arcap engages a Sub-Processor, it shall impose data protection obligations on that Sub-Processor that are no less protective than those contained in this DPA, including appropriate TOMs. Arcap remains liable to the Controller for the performance of Sub-Processors to the same extent as if it were performing the processing itself.
Arcap shall not transfer Personal Data to a country or territory outside the United Kingdom except where:
Where transfers are made on the basis of SCCs or IDTAs, copies of the relevant executed agreements shall be made available to the Controller on request.
Arcap shall implement and maintain the Technical and Organisational Measures set out in Schedule C to this DPA. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of Data Subjects.
Arcap may update or modify the TOMs from time to time, provided that any such modifications do not materially decrease the overall level of security afforded to the Personal Data.
Arcap shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller. Such notification shall include, to the extent then known:
Arcap shall co-operate with the Controller and provide reasonable assistance to enable the Controller to comply with its own notification obligations under Applicable Data Protection Law. The Controller is responsible for notifying the relevant supervisory authority and, where required, affected Data Subjects.
Where Arcap receives a request from a Data Subject to exercise any of their rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection), Arcap shall promptly notify the Controller and shall not respond to such request without the Controller's prior written authorisation, unless required by law to do so. Arcap shall provide reasonable assistance to the Controller in responding to any such request, taking into account the nature of the processing and the information available to Arcap.
Arcap shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor appointed by the Controller. Any audit:
Arcap may require the Controller's auditors to execute appropriate confidentiality undertakings before providing access to any systems or information. As an alternative to a direct audit, Arcap may provide the Controller with the results of a relevant third-party audit or certification (such as ISO 27001 or SOC 2 Type II), which the Controller shall accept as satisfying audit requirements for that period in the absence of specific evidence of a material breach.
Upon termination of the services or upon the Controller's written request, Arcap shall, at the Controller's option, securely delete or return all Personal Data and delete existing copies thereof unless Applicable Data Protection Law requires retention of the Personal Data. Arcap shall certify in writing to the Controller that all Personal Data has been deleted or returned as applicable, within 30 days of the termination date or receipt of the written request.
Each party's liability under this DPA (including in respect of any indemnity) shall be subject to the limitations of liability set out in the Arcap Terms and Conditions. Notwithstanding the foregoing, the limitations of liability shall not apply to the extent prohibited by Applicable Data Protection Law, including in relation to any statutory liability to Data Subjects.
This DPA constitutes the entire agreement between the parties relating to the processing of Personal Data by Arcap on behalf of the Controller, and supersedes any prior data processing agreement between the parties on the same subject matter.
Arcap may update this DPA from time to time to reflect changes in Applicable Data Protection Law or its processing activities, provided that it gives the Controller at least 14 days' notice of material changes. The Controller's continued use of the services following the effective date of any amendment constitutes acceptance.
This DPA is governed by the laws of England and Wales. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Arcap Terms and Conditions.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.
In the event of any conflict between this DPA and the Arcap Terms and Conditions, the provisions of this DPA shall prevail in respect of the processing of Personal Data.

| Item | Details |
|---|---|
| Subject matter | Processing of personal data in connection with the provision of Arcap's OTC dealing, payment infrastructure, hosted fiat account, and related platform services |
| Duration | For the duration of the agreement between the parties, and thereafter for such period as required by applicable law or as agreed in writing |
| Nature of processing | Collection, storage, retrieval, use, disclosure, alignment, structuring, erasure, and other processing operations necessary to provide the services |
| Purposes of processing | Client onboarding and KYB verification; transaction processing and settlement; compliance monitoring; account management; reporting and audit; platform security |
| Types of Personal Data | Identity data (name, date of birth, nationality, government ID); contact data (email, phone, address); financial data (account details, transaction records); technical data (IP addresses, access logs); compliance data (KYB/AML screening results, PEP status) |
| Categories of Data Subjects | Directors and officers of corporate clients; beneficial owners; authorised users and signatories; compliance contacts; counterparties to transactions (where personal) |

| Sub-Processor | Location | Processing Activity |
|---|---|---|
| Amazon Web Services (AWS) | EU / UK / US | Cloud infrastructure hosting and storage |
| Identity Verification Provider (TBC) | EU / UK | KYB and identity document verification |
| AML Screening Provider (TBC) | UK | Sanctions and PEP screening |
| Email Service Provider (TBC) | EU / US | Transactional email delivery |
| Licensed Banking Partners | Multiple | Account holding, payment processing, fiat settlement |

This schedule will be updated as new sub-processors are engaged. Current version available at arcappartners.com/dpa
For DPA-related enquiries or to receive an executed copy of this DPA, contact: [email protected]