Data Processing Agreement
Template version: 1.0 — 1 May 2026
For Enterprise clients — EU data residency: Cloudflare EU region
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Data Controller: the Enterprise client entity that has executed a MiCAReady Enterprise service agreement (“Controller”); and
- Data Processor: MiCAReady (“Processor”), operating the MiCAReady platform as described in the applicable service agreement.
This DPA forms part of and is subject to the terms of the Enterprise service agreement between the parties. In the event of conflict, this DPA prevails with respect to data protection matters.
2. Subject Matter and Duration (Art. 28(3)(a) GDPR)
The Processor provides MiCA compliance gap-analysis services, including automated analysis of whitepapers and compliance documentation uploaded by the Controller. Processing occurs for the duration of the Enterprise service agreement and for such additional period as required for deletion under Section 11.
3. Nature and Purpose of Processing (Art. 28(3) GDPR)
Personal data is processed solely for the purpose of delivering MiCA compliance analysis services to the Controller, including:
- Storing and parsing uploaded compliance documents;
- Running automated gap-analysis against MiCA Regulation (EU) 2023/1114 requirements;
- Generating compliance reports and readiness dossiers;
- Authentication and access control for authorised users.
4. Categories of Personal Data Processed
- User account data: email address, Auth0 user identifier (`sub` claim). Authentication credentials (password/passkey) are managed exclusively by Auth0 and never transmitted to or stored by MiCAReady.
- Usage and audit metadata: audit run IDs, timestamps, MiCA gap counts, status transitions.
- Document data: content of whitepapers and compliance documents uploaded by the Controller's authorised users, which may contain personal data of natural persons named in such documents (e.g., Compliance Officers, responsible persons).
- Access logs: request timestamps, IP addresses, correlation IDs (retained for 12 months for security purposes).
5. Categories of Data Subjects
- Authorised users of the Controller who access the MiCAReady platform (employees, compliance officers, legal counsel);
- Natural persons whose personal data may appear incidentally in uploaded compliance documents.
6. EU Data Residency — Cloudflare EU Region (Art. 44–49 GDPR)
All personal data processed under this DPA is stored and processed exclusively within the European Union. The Processor's infrastructure runs on Cloudflare's EU region for all storage components (D1 database, KV, R2 object storage) and edge compute. No personal data is transferred outside the EEA without an appropriate legal basis (Standard Contractual Clauses or adequacy decision under Art. 46 GDPR).
Data residency: Cloudflare EU region — auditable on request.
7. Processor Obligations (Art. 28(3) GDPR)
The Processor shall:
- (a) Instructions: process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law; in such case, inform the Controller before processing, unless prohibited on grounds of public interest;
- (b) Confidentiality: ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR);
- (c) Security: implement appropriate technical and organisational measures as set out in Section 9 of this DPA (Art. 28(3)(c) GDPR);
- (d) Sub-processors: not engage another processor without prior specific or general written authorisation of the Controller; where general written authorisation is used, inform the Controller of intended changes (Art. 28(3)(d) GDPR);
- (e) Data subject rights: assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests for exercising data subject rights (Art. 28(3)(e) GDPR);
- (f) Assist Controller: assist the Controller in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIA, prior consultation) (Art. 28(3)(f) GDPR);
- (g) Deletion or return: at the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage (Art. 28(3)(g) GDPR);
- (h) Audit: make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (Art. 28(3)(h) GDPR).
8. Controller Obligations
The Controller warrants and undertakes that:
- It has a valid legal basis under Art. 6 GDPR (and Art. 9 GDPR where applicable) for all personal data submitted to the Processor;
- It has provided data subjects with the information required by Art. 13–14 GDPR regarding processing by the Processor;
- Instructions given to the Processor comply with applicable data protection law.
9. Technical and Organisational Security Measures (Art. 32 GDPR)
The Processor implements the following technical and organisational security measures:
- Encryption in transit: TLS 1.3 enforced on all connections.
- Encryption at rest: all stored data encrypted at rest by Cloudflare's infrastructure (AES-256).
- Authentication: Auth0 (OAuth 2.0 + OpenID Connect, PKCE); credentials managed by Auth0, not stored by MiCAReady.
- Access control: role-based access control; data isolated per Enterprise account; no cross-tenant access.
- Pseudonymisation: audit runs and documents identified by UUIDs; personally identifiable fields access-controlled.
- Monitoring: structured logging with correlation IDs; error tracking with PII scrubbing before transmission.
- Vulnerability management: automated dependency audit on every build; security patches applied within 72 hours of critical CVE disclosure.
- Rate limiting: Cloudflare WAF rate limiting on all authentication and API endpoints.
10. Sub-processors (Art. 28(4) GDPR)
The Controller provides general written authorisation for the Processor to engage the following sub-processors. The Processor shall notify the Controller of any intended changes (addition or replacement) at least 30 days in advance.
| Sub-processor | Location | Purpose | Safeguard |
|---|---|---|---|
| Cloudflare | EU region | Infrastructure, CDN, edge compute, D1 database, KV, R2 storage | Cloudflare DPA + SCCs (EU adequacy) |
| Stripe | EU (Ireland) | Payment processing — billing metadata only; no whitepaper content shared | Stripe DPA + SCCs; PCI-DSS Level 1 |
11. Data Retention and Deletion (Art. 28(3)(g) GDPR)
- Uploaded documents and gap-analysis outputs: retained for the duration of the service agreement plus 30 days, then permanently deleted from all systems including backups.
- Account data: deleted within 30 days of account closure.
- Access and security logs: 12 months, then deleted automatically.
- Billing records: 7 years (legal obligation under applicable tax and financial regulations).
- Upon written request by the Controller, the Processor will confirm deletion in writing within 30 days.
12. Personal Data Breach Notification (Art. 33–34 GDPR)
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification shall include:
- A description of the nature of the breach;
- The categories and approximate number of data subjects and personal data records concerned;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its effects.
Breach notifications must be sent to info@infinite-scape.com and the Controller's designated data protection contact.
13. Data Subject Rights Assistance (Art. 28(3)(e) GDPR)
Upon written request from the Controller, the Processor will assist within 5 business days with:
- Data subject access requests (Art. 15 GDPR);
- Rectification (Art. 16 GDPR);
- Erasure (Art. 17 GDPR);
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR);
- Objection (Art. 21 GDPR).
14. Audit Rights (Art. 28(3)(h) GDPR)
The Controller may, upon at least 30 days' written notice and no more than once per calendar year (except where a regulatory authority requires otherwise), conduct or commission an audit of the Processor's data processing facilities and practices relevant to this DPA. The Processor shall provide reasonable cooperation. Audit costs are borne by the Controller unless the audit reveals a material breach by the Processor.
15. Liability and Indemnification
Each party shall be liable to the other for any direct damages arising from its failure to comply with the applicable GDPR obligations under this DPA. Liability is subject to the limitations set out in the Enterprise service agreement. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.
16. Governing Law and Supervisory Authority
This DPA is governed by the laws of the European Union. The parties submit to the jurisdiction of the competent EU supervisory authorities. The Controller's lead supervisory authority under Art. 56 GDPR shall apply.
17. Contact and DPO
For data protection and DPA enquiries, contact:
- Data protection: info@infinite-scape.com
- Security incidents: info@infinite-scape.com
- Legal: info@infinite-scape.com
To execute a signed DPA for your Enterprise account, contact info@infinite-scape.com.