Data Processing Agreements
Meld Data Processing Addendum
This Data Processing Agreement (“DPA”) amends and forms part of the Meld Software as a Service Agreement or the Meld Universal Inc. Clickthrough Terms of Service Agreement between Meld and Customer (the “Agreement”). This DPA supersedes any existing data protection terms concluded in relation to the Services and prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
a) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meaning given to them in Data Protection Law. “Data Subject” includes “Consumer” as that term is defined under U.S. Privacy Laws;
b) “Customer Personal Data” means Personal Data Processed by Meld as a Processor on behalf of Customer or Third-Party Controller;
c) “Data Protection Law” means U.S. Privacy Laws, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;
d) “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
e) “International Data Transfer” means any disclosure of Customer Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
f) “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in Data Protection Law;
g) “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws;
h) “Services” means the services provided by Meld to Customer under the Agreement;
i) “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
j) “Subprocessor” means a Processor engaged by Meld to Process Customer Personal Data;
k) “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
l) “Third-Party Controller” means a Controller for which Customer is a Processor;
m) “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022); and
n) “U.S. Privacy Laws” means, collectively, all United States federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), or specific demographics (e.g., children). U.S. Privacy Laws include, but are not limited to, the following:
1.1.n.1. Alabama Personal Data Protection Act;
1.1.n.2. California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
1.1.n.3. Colorado Privacy Act;
1.1.n.4. Connecticut Personal Data Privacy and Online Monitoring Act;
1.1.n.5. Delaware Personal Data Privacy Act;
1.1.n.6. Indiana Consumer Data Protection Act;
1.1.n.7. Iowa Consumer Data Protection Act;
1.1.n.8. Kentucky Consumer Data Protection Act;
1.1.n.9. Maryland Online Data Privacy Act;
1.1.n.10. Minnesota Consumer Data Privacy Act;
1.1.n.11. Montana Consumer Data Privacy Act;
1.1.n.12. Nebraska Data Privacy Act;
1.1.n.13. New Hampshire Act Relative to the Expectation of Privacy;
1.1.n.14. New Jersey Act Concerning Online Services, Consumers, and Personal Data;
1.1.n.15. Oklahoma Data Privacy Act;
1.1.n.16. Oregon Consumer Privacy Act;
1.1.n.17. Rhode Island Data Transparency and Privacy Protection Act;
1.1.n.18. Tennessee Information Privacy Act;
1.1.n.19. Texas Data Privacy and Security Act;
1.1.n.20. Utah Consumer Privacy Act; and
1.1.n.21. Virginia Consumer Data Protection Act.
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
1.3. In the event of a conflict in the meanings of defined terms in Data Protection Law, the meaning from the Data Protection Law applicable to the relevant jurisdiction of the Data Subject applies.
2. Scope
2.1. This DPA applies to the Processing of Customer Personal Data by Meld subject to Data Protection Law to provide the Services.
2.2. The subject matter, limited and specific nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3. Customer appoints Meld as a Processor on behalf of Customer. Unless Customer is a Processor on behalf of a Third-Party Controller, Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4. If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Meld; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2.5. Customer acknowledges that Meld may Process Personal Data, including Personal Data of End Users, relating to the operation, support, or use of the Services for Meld’s own business purposes, such as: (i) to Process End User Verification Data to enable broader identity-verification data sharing across platforms that provide services to purchase, transfer, and sell cryptocurrencies and digital assets; (ii) to prevent, detect, protect against, investigate, or otherwise respond to data security incidents, theft, harassment, or malicious, deceptive, fraudulent or illegal activity; (iii) for benchmarking, (iv) for product development and product improvement, and (v) for compliance with law. Meld is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
2.6. Meld shall comply with the obligations of, and provide the level of privacy protection required by, Data Protection Law.
3. Instructions
3.1. Meld will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
3.2. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work or order form.
3.3. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Meld may charge a reasonable fee to comply with any additional instructions.
3.4. Except as set forth in section 2.5 of this DPA and as expressly permitted under applicable Data Protection Law, Meld is prohibited from (i) Selling or Sharing Customer Personal Data, (ii) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose documented in the Customer instructions, (iii) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between Customer and Meld, and (iv) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer.
3.5. Meld certifies that it understands the Processing restrictions set forth in this DPA and will comply with them.
3.6. Unless prohibited by applicable law, Meld will inform Customer if Meld is subject to a legal obligation that requires Meld to Process Customer Personal Data in contravention of Customer’s documented instructions.
3.7. Meld shall provide any required privacy notices to Data Subjects and obtain Data Subjects’ consent where required for Meld’s processing of Customer Personal Data as set forth in this DPA.
4. Personnel
4.1. Meld will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Meld will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
5.2. Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Meld prior to any intended Processing for which Meld’s security measures may not be appropriate.
5.3. Meld will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Meld’s notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
6.1. Customer hereby authorizes Meld to engage Subprocessors. A list of Meld’s current Subprocessors is included in Annex III.
6.2. Meld will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law, including the same duty of confidentiality with respect to Customer Personal Data.
6.3. Meld will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Meld’s notification of the intended change. Customer and Meld will work together in good faith to address Customer’s objection. If Meld chooses to retain the Subprocessor, Meld will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
7.1. Taking into account the nature of the Processing, and the information available to Meld, Meld will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2. Meld may charge a reasonable fee for assistance under this Section 7. If Meld is at fault, Meld and Customer shall each bear their own costs related to assistance.
7.3. Upon receiving notice from Meld that it is unable to comply with Data Protection Law or this DPA, Customer may direct Meld to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Personal Data.
7.4. Meld shall not be required to delete any Customer Personal Data to comply with a Consumer’s request directed by Customer if retaining such information is specifically permitted by applicable Data Protection Laws; provided, however, that in such case, Meld will promptly inform Customer of the exceptions relied upon under applicable Data Protection Laws and Meld shall not use Customer Personal Data retained for any purpose other than provided for by that exception.
8. Audit
8.1. Upon reasonable request, Meld must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once every 12 months by Customer, and performed by an independent auditor as agreed upon by Customer and Meld. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8.2. Meld will inform Customer if Meld believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Meld may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
8.3. Meld and Customer each bear their own costs related to an audit.
9. International Data Transfers
9.1. Customer hereby authorizes Meld to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 9.2 and 9.3.
9.2. By signing this DPA, Meld and Customer conclude Module 2 (controller-to-processor) of the SCCs, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, and to the extent the parties are independent Controllers Module 1 (Controller-to-Controller) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Meld; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to Modules 1, 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3. By signing this DPA, Meld and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Meld, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
9.4. If Meld’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Meld’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Meld will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Meld reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
10. Notifications
10.1. Customer will send all notifications, requests and instructions under this DPA to Meld’s Legal Department via email to legal@meld.io.
10.2. Meld will send all notifications under this DPA to Customer’s contact set forth in the Agreement.
11. Liability
11.1. Where Meld has paid compensation, damages or fines, Meld is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the compensation, damages or fines.
12. Termination and return or deletion
12.1. This DPA is terminated upon the termination of the Agreement.
12.2. Customer may request either return of Customer Personal Data up to ninety (90) days after termination of the Agreement or deletion of Customer Personal Data at Customer’s expense. Unless required or permitted by applicable law, Meld will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
13. Sale of Data
13.1. The Parties acknowledge and agree that the disclosure or making available of Customer Personal Data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.
14. Applicable law and jurisdiction
14.1. This DPA is governed by the laws set forth in the Agreement. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts set forth in the Agreement.
14.2. Notwithstanding any provision to the contrary in the Agreement or this DPA, the terms of this DPA shall not apply to Meld’s Processing of Customer Personal Data that is exempt from applicable Data Protection Laws.
15. Modification of this DPA
15.1. This DPA may only be modified by a written amendment signed by both Meld and Customer.
16. Invalidity and severability
16.1. If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
Name: Customer (as defined in the Agreement)
Address: on file with Meld.
Contact person’s name, position and contact details: on file with Meld.
Activities relevant to the data transferred under these Clauses: Customer receives Meld’s services as described in the Agreement and Customer provides Personal Data to Meld in that context.
Signature and date: on file with Meld.
Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
Name: Meld (as defined in the Agreement)
Address: on file with Meld.
Contact person’s name, position and contact details: on file with Meld.
Activities relevant to the data transferred under these Clauses: Meld provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context, or as a separate controller in limited cases.
Signature and date: on file with Meld.
Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller, or separate Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
| # | Category of Data Subjects |
|---|---|
| 1. | Customer’s End Users |
| 2. | Customer’s personnel, staff and contractors |
Categories of Personal Data transferred:
| # | Category of Personal Data |
|---|---|
| 1. | (professional) contact details – Name, email address, and phone number of the Customer’s representative will be shared directly with Meld and stored in Meld systems. |
| 2. | Identification information – Name, email address, and phone number of End Users. Other identifiers include End User Verification Data. In certain instances, Meld may collect a pseudonymous Verification Token pertaining to an End User from Customer. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
| # | Category of Sensitive Data | Applied restrictions or safeguards |
|---|---|---|
| | Verification Token | Sensitive data is stored in secure databases and transmitted in an encrypted manner. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement, including but not limited to processing information through an API, such as identification information that Customer shares with Meld and Meld stores on Meld’s systems.
This does not apply to the processing of information End Users supply directly to Meld to enable Meld’s collection, use, and disclosure of an End User’s Verification Data or Verification Token, as described in the Agreement.
Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement. Meld will provide the Services described in the Agreement, including finding applicable digital asset and cryptocurrency exchanges to support End Users’ requests and to integrate various network partners.
This does not apply to the processing of information End Users supply directly to Meld to enable Meld’s collection, use, and disclosure of an End User’s Reusable Identity Data or Verification Token, as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Customer’s country of establishment, or, where not applicable, b) of the country where Customer’s EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Meld will, at a minimum, implement the following security measures in Meld Security Practices to Customer’s Data and Customer’s Personal Data. To see the full list of Meld’s security measures in place, please visit https://www.meld.io/policy/security-policy.
ANNEX III
LIST OF SUBPROCESSORS
Customer authorizes Meld to engage the Subprocessors identified at https://www.meld.io/policy/data-processing-subprocessors