Contents
- 1. Definitions
- 2. Subject matter and duration
- 3. Processing instructions
- 4. Categories of Personal Data and Data Subjects
- 5. Obligations of the Processor
- 6. Sub-processors
- 7. Data Subject requests
- 8. Personal Data Breach
- 9. DPIA and prior consultation
- 10. International data transfers
- 11. Audit rights
- 12. Return or deletion of data
- 13. Liability
- 14. Term and termination
- 15. Conflict
- 16. Governing law and jurisdiction
- DPA ANNEX 1 — Description of Processing
- DPA ANNEX 2 — Technical and Organisational Measures
- DPA ANNEX 3 — Sub-processors
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Witnium Technologies AB (“Witnium”, “Processor”) and the Customer (“Controller”) (each a “party” and together the “parties”) and applies where Witnium processes Personal Data on behalf of the Controller in connection with the Services.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given in the Terms of Service. The following additional terms apply:
“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, the Swedish Data Protection Act (lag (2018:218)), and equivalent or successor laws.
“Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Controller”, “Processor”, and “Sub-processor” have the meanings given in the GDPR.
“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Subject matter and duration
2.1 Subject matter
The subject matter of this DPA is the Processing of Personal Data by Witnium on behalf of the Controller in the course of providing the Services.
2.2 Duration
This DPA applies for as long as Witnium Processes Personal Data on behalf of the Controller under the Terms of Service.
2.3 Nature, purpose, types of data, and categories of data subjects
A description of the Processing, including the nature, purpose, types of Personal Data, and categories of Data Subjects, is set out in Annex 1.
3. Processing instructions
3.1 Controller responsibilities
The Controller represents and warrants that: (a) it has a lawful basis under Applicable Data Protection Laws for the Processing of Personal Data, including any disclosure to and Processing by Witnium; (b) where required, it has obtained and will maintain all necessary consents from Data Subjects; (c) its instructions to Witnium are lawful; and (d) the Personal Data has been collected and provided to Witnium in compliance with Applicable Data Protection Laws.
3.2 Processor obligations
Witnium will Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which Witnium is subject. In such a case, Witnium will inform the Controller of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest.
The Controller’s instructions are set out in the Terms of Service, this DPA, and the Documentation. Additional instructions outside the scope of the Services may be agreed in writing and may be subject to additional fees.
3.3 Architectural privacy
The parties acknowledge that, by the architectural design of the Platform, Witnium does not receive or have the technical means to access (i) the content of files, documents, model outputs, or other materials that the Controller submits to a Witness operation, or (ii) the Controller’s private keys. The Controller’s client computes a SHA-256 fingerprint of the content before transmission, and only the fingerprint, public keys, signatures, and operational metadata reach Witnium. This architecture materially reduces the categories and volume of Personal Data Processed by Witnium under this DPA.
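The data flow described in Section 3.3, shown as an added illustration; this is not part of the DPA and not Witnium's own client or platform code. The request structure, the function names, the choice to sign the raw fingerprint bytes, and the sample content are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// WitnessRequest is all the client sends: no field exists for content or private key (assumed shape).
type WitnessRequest struct {
	Fingerprint string            // hex-encoded SHA-256 of the content
	PublicKey   ed25519.PublicKey // owner public key, generated client-side
	Signature   []byte            // Ed25519 signature over the raw fingerprint bytes (assumption)
	Metadata    map[string]string // operational context chosen by the Controller
}

// ClientWitness runs on the Controller's side: hash locally, sign the hash, send only that.
func ClientWitness(priv ed25519.PrivateKey, content []byte, meta map[string]string) WitnessRequest {
	fp := sha256.Sum256(content) // the content bytes never leave this function
	return WitnessRequest{
		Fingerprint: hex.EncodeToString(fp[:]),
		PublicKey:   priv.Public().(ed25519.PublicKey),
		Signature:   ed25519.Sign(priv, fp[:]),
		Metadata:    meta,
	}
}

// ServerAccept is the only check the Processor can make: well-formed fingerprint, valid signature.
func ServerAccept(req WitnessRequest) error {
	fp, err := hex.DecodeString(req.Fingerprint)
	if err != nil || len(fp) != sha256.Size {
		return fmt.Errorf("malformed fingerprint")
	}
	if len(req.PublicKey) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad length
		return fmt.Errorf("malformed public key")
	}
	if !ed25519.Verify(req.PublicKey, fp, req.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// VerifyContent is for whoever later holds both the content and the sealed record.
func VerifyContent(req WitnessRequest, content []byte) bool {
	fp := sha256.Sum256(content)
	return hex.EncodeToString(fp[:]) == req.Fingerprint
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // keypair stays on the client
	req := ClientWitness(priv, []byte("constructed sample content"), map[string]string{"source": "demo"})
	fmt.Println(ServerAccept(req) == nil, VerifyContent(req, []byte("constructed sample content")))
}
```

The point for a Controller reviewing this DPA is that the Processor can validate and seal a record, and anyone with the original content can later check it against the record, while neither content nor private key is ever part of the transmitted structure.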
3.4 Instructions in conflict with law
If Witnium considers that an instruction from the Controller infringes Applicable Data Protection Laws, Witnium will inform the Controller without undue delay.
4. Categories of Personal Data and Data Subjects
The categories of Personal Data and Data Subjects are set out in Annex 1. No special categories of Personal Data within the meaning of Article 9 GDPR or data relating to criminal convictions and offences within the meaning of Article 10 GDPR are knowingly Processed under this DPA. If the Controller intends to instruct Witnium to Process such categories, the parties will first agree in writing on the additional safeguards required.
5. Obligations of the Processor
5.1 Confidentiality
Witnium ensures that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2 Security
Witnium implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of natural persons. The measures are described in Annex 2 and at witniumchain.com/security.
5.3 Assistance with Data Subject requests
Taking into account the nature of the Processing, Witnium will assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising Data Subjects’ rights under Chapter III of the GDPR. The Controller acknowledges the architectural limitations described in Section 3.3 and Section 8.3 of the Privacy Policy as they relate to the right of erasure of chain records.
5.4 Assistance with Articles 32 to 36 GDPR
Witnium will assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of the Processing and the information available to Witnium.
5.5 Records of processing
Witnium maintains a record of Processing activities carried out on behalf of the Controller in accordance with Article 30(2) GDPR.
5.6 Demonstration of compliance
Witnium makes available to the Controller all information necessary to demonstrate compliance with this DPA and Article 28 GDPR, in accordance with Section 11 of this DPA.
6. Sub-processors
6.1 General authorisation
The Controller provides general authorisation for Witnium to engage Sub-processors, subject to the conditions in this Section.
6.2 Current Sub-processors
The current list of Sub-processors is published at witniumchain.com/subprocessors and is incorporated into this DPA by reference. The Controller is responsible for monitoring that page or subscribing to the change notification mechanism described at that URL.
6.3 Changes
Witnium will give the Controller at least 30 days’ prior notice of the addition or replacement of a Sub-processor by updating the list at witniumchain.com/subprocessors and, for Customers who have subscribed to the notification mechanism, by email. The Controller may object on reasonable data-protection grounds within 14 days of the notice. If the parties cannot resolve the objection within a further 30 days, the Controller may terminate the affected Services by giving 30 days’ written notice, with refund of prepaid fees for the unused portion of the Subscription Term as the Controller’s sole remedy.
6.4 Sub-processor obligations
Witnium will impose on each Sub-processor data protection obligations no less protective than those in this DPA, by means of a written contract. Witnium remains liable to the Controller for the performance of each Sub-processor’s obligations.
7. Data Subject requests
If Witnium receives a request from a Data Subject in respect of Personal Data Processed under this DPA, Witnium will, without undue delay, forward the request to the Controller and not respond directly except to confirm receipt and to direct the Data Subject to the Controller, unless the Controller has instructed Witnium otherwise or applicable law requires direct response.
8. Personal Data Breach
8.1 Notification
Witnium will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Personal Data Processed under this DPA.
8.2 Information provided
The notification will include, to the extent then known and as may be updated as further information becomes available: (a) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of the Witnium contact for further information; (c) a description of the likely consequences; and (d) a description of the measures taken or proposed to address the breach.
8.3 Cooperation
Witnium will cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of the breach, and to assist the Controller’s compliance with its own notification obligations.
9. DPIA and prior consultation
Where the Controller is required under Articles 35 or 36 GDPR to conduct a data protection impact assessment or to consult with a supervisory authority, Witnium will provide, on reasonable request, the information necessary in respect of Witnium’s Processing under this DPA, taking into account the information available to Witnium.
10. International data transfers
10.1 Hosting
Witnium Processes Personal Data on infrastructure located within the European Union or the European Economic Area.
10.2 Transfers outside the EEA
Where transfers of Personal Data outside the EEA are necessary (in particular, in connection with Sub-processors established in third countries), Witnium ensures that an adequate level of protection is provided by one of the mechanisms set out in Chapter V GDPR. Where the SCCs apply, the parties are deemed to have entered into them on the following basis:
- Module Two applies to transfers from the Controller (as Controller) to Witnium (as Processor);
- Module Three applies where Witnium acts as Processor and a Sub-processor receives the data as Sub-processor;
- in Clause 7, the docking clause applies;
- in Clause 9, Option 2 (general written authorisation) applies, with the time period set out in Section 6.3 above;
- in Clause 11, the optional independent dispute resolution mechanism does not apply;
- in Clause 17, the parties select Option 1 (the law of an EU Member State), specifically Swedish law;
- in Clause 18, the parties select Sweden as the place of jurisdiction; and
- Annexes I, II, and III of the SCCs are populated by the corresponding Annexes to this DPA.
11. Audit rights
11.1 Information
Witnium will, on reasonable request and not more than once per calendar year (except following a Personal Data Breach), make available to the Controller a copy of Witnium’s most recent third-party audit reports (such as ISO 27001 or SOC 2, where available) and security questionnaires.
11.2 On-site audit
Where the information referred to in Section 11.1 is, in the Controller’s reasonable opinion, insufficient to demonstrate compliance with this DPA, the Controller may, on at least 30 days’ prior written notice and not more than once per calendar year (except following a Personal Data Breach), conduct or have conducted by an independent auditor (subject to a confidentiality undertaking acceptable to Witnium) an audit of Witnium’s facilities and operations relevant to the Processing under this DPA. The audit will be conducted during normal business hours, with minimum disruption to Witnium’s operations, and at the Controller’s expense, except where the audit reveals a material breach by Witnium, in which case Witnium will bear its own costs.
11.3 Confidentiality
Audit findings and reports are Confidential Information of both parties.
12. Return or deletion of data
On termination of the Services, Witnium will, at the choice of the Controller, delete or return all Personal Data Processed under this DPA and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The choice must be communicated within 30 days of termination; in the absence of a choice, Witnium will delete the Personal Data.
The parties acknowledge that records sealed on the chain cannot be deleted by Witnium. Such records contain only fingerprints, public keys, signatures, and operational metadata, and do not contain content. Where such records constitute Personal Data, the considerations in Section 8.3 of the Privacy Policy apply.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except that limitations on liability under the Terms of Service do not limit liability under the SCCs to Data Subjects acting as third-party beneficiaries.
14. Term and termination
This DPA terminates automatically on termination of the Terms of Service, except that obligations relating to deletion or return of Personal Data (Section 12), liability (Section 13), and confidentiality (in the Terms of Service) survive termination.
15. Conflict
In the event of conflict between this DPA and the Terms of Service in respect of the Processing of Personal Data, this DPA prevails. In the event of conflict between this DPA and the SCCs, the SCCs prevail.
16. Governing law and jurisdiction
This DPA is governed by the laws of Sweden and subject to the jurisdiction provisions of the Terms of Service, save that the SCCs are governed and construed as set out in Section 10.2.
DPA ANNEX 1 — Description of Processing
Subject matter: Processing of Personal Data in connection with the provision of the Services.
Duration: For the duration of the Terms of Service, plus any retention period required for billing, security audit, or legal compliance.
Nature and purpose: To enable the Controller to use the Services to record cryptographic fingerprints, operational metadata, and signatures of content the Controller chooses to witness; to provide associated authentication, billing, support, and platform operation services.
Categories of Data Subjects:
- The Controller’s employees, contractors, and other personnel who hold accounts with Witnium as Authorised Users;
- Where the Controller chooses to include identifiers in the operational context of a Witness, the natural persons identified by such identifiers (for example, end users of the Controller’s product whose AI interactions are witnessed);
- Individuals who contact Witnium support on behalf of the Controller.
Categories of Personal Data:
- Identity and contact data of Authorised Users (name, email, role);
- Authentication data of Authorised Users (hashed credentials, MFA enrolment status);
- Operational metadata of Witness operations attributable to identified natural persons;
- Public keys associated with Authorised Users;
- IP addresses, device identifiers, and usage logs;
- Communications between Authorised Users and Witnium support;
- Any additional identifiers the Controller chooses to include in the operational context of a Witness.
Special categories: None Processed by Witnium under this DPA, unless the Controller voluntarily includes such data in the operational context of a Witness, in which case the Controller is solely responsible for the lawfulness of such inclusion.
Frequency: Continuous, for the duration of the Services.
Retention: As set out in Section 7 of the Privacy Policy and Section 12 of this DPA.
DPA ANNEX 2 — Technical and Organisational Measures
A summary of Witnium’s technical and organisational measures is set out below. The full description is at witniumchain.com/security.
Architectural measures
- Client-side generation of owner keypairs (Ed25519); private keys never reach Witnium.
- Client-side hashing of witness content; only SHA-256 fingerprints reach Witnium.
- Cryptographic separation: Witnium has no technical means to access content witnessed by Customers or to alter records sealed on the chain.
- Tamper-evident chain records using Hyperledger Besu with QBFT consensus.
Access control
- Role-based access to internal systems with least-privilege principle.
- Multi-factor authentication required for all Witnium personnel with access to production systems.
- Hardware security keys required for sensitive operations.
- Periodic access reviews.
Encryption
- Encryption in transit using TLS 1.3 or higher.
- Encryption at rest using AES-256.
- Cryptographic key management via dedicated key management services with separation of duties.
Network security
- Production environments segregated from development and corporate networks.
- Web application firewalls.
- Distributed denial of service mitigation.
- Intrusion detection and continuous network monitoring.
Application security
- Secure development lifecycle including code review and dependency scanning.
- Regular penetration testing by independent third parties.
- Vulnerability management with defined remediation SLAs.
Operational security
- Continuous logging and monitoring with retention as set out in the Privacy Policy.
- Incident response procedures, including a 72-hour breach notification commitment.
- Documented backup and recovery procedures.
- Business continuity and disaster recovery testing.
Personnel security
- Background checks where permitted by law.
- Confidentiality undertakings from all personnel.
- Security awareness training on hire and annually.
- Defined offboarding procedures.
Vendor security
- Due diligence and contractual data protection commitments from all Sub-processors.
- Periodic review of Sub-processor security posture.
Compliance
- Compliance program covering GDPR, the EU AI Act, and other applicable regulations.
- Architectural privacy as the primary security control: the Platform is designed so that Witnium has no technical means to access customer content or hold customer private keys, materially reducing the categories and volume of Personal Data Witnium Processes and the impact of any incident.
- Witnium does not currently hold ISO 27001 or SOC 2 certification. Witnium’s security posture is documented in this Annex and at witniumchain.com/security, and is made available to Customers on request, including through completed security questionnaires.
DPA ANNEX 3 — Sub-processors
The current list of Sub-processors authorised under Section 6 of this DPA is published at witniumchain.com/subprocessors and is incorporated into this DPA by reference.