DATA-PROCESSING ADDENDUM ("DPA")
Last updated on 25 June, 2025
This DPA explains how Cadmos LTD ("Cadmos") processes Personal Data on behalf of any customer ("Customer") who uses the Cadmos Wallet and Cadmos Tokenization Platform (the "Services"). By accessing or using the Services, the Customer accepts this DPA.
1 DEFINITIONS
- Applicable Data-Protection Laws - all privacy laws that apply to the Processing (including Regulation (EU) 2016/679 "GDPR", the UK GDPR and national implementations).
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Supervisory Authority, Processing, International Transfer - as defined in Applicable Data-Protection Laws.
- Standard Contractual Clauses ("SCCs") - Commission Implementing Decision (EU) 2021/914 (modules 2 & 3) and, where the UK GDPR applies, the UK addendum.
- Sub-processor - a third party engaged by Cadmos to Process Personal Data.
2 ROLES OF THE PARTIES
2.1 Customer acts as Controller (or as a Processor acting for a third-party Controller).
2.2 Cadmos acts as Processor for the Personal Data handled through the Services.
2.3 Each party complies with the obligations that apply to it under Applicable Data-Protection Laws.
2.4 Customer is responsible for:
- obtaining any required consents;
- providing all notices to Data Subjects; and
- ensuring a lawful basis for Cadmos to Process Personal Data.
3 DURATION & PURPOSE
Cadmos Processes Personal Data only:
- while the Customer uses the Services, and
- for the purposes listed in Annex I.
Afterwards Cadmos deletes or returns the data as described in Section 11.
4 DOCUMENTED INSTRUCTIONS
Cadmos Processes Personal Data solely on Customer's documented instructions (this DPA and any later written instructions), unless EU or Member-State law requires otherwise. If an instruction appears to breach Applicable Data-Protection Laws, Cadmos will inform Customer.
5 CONFIDENTIALITY & SECURITY
5.1 Cadmos ensures that all personnel authorised to Process Personal Data are bound by confidentiality obligations.
5.2 Cadmos applies the technical and organisational measures in Annex II and any additional measures required by Article 32 GDPR.
6 SUB-PROCESSORS
6.1 Authorised Sub-processors are listed in Annex III.
6.2 Cadmos relies on the standard, publicly available Data-Processing Agreements (or equivalent terms) provided by each Sub-processor. Those online DPAs already incorporate the EU Standard Contractual Clauses or reference the Sub-processor's certification under the EU-US Data-Privacy Framework (DPF) where applicable. Cadmos keeps a registry of these DPAs and makes them available to Customers on request.
6.3 Cadmos will notify Customer at least 10 days before appointing or replacing a Sub-processor; Customer may object on reasonable data-protection grounds.
7 INTERNATIONAL TRANSFERS
Cadmos or a Sub-processor will not make an International Transfer unless:
a) the destination benefits from an adequacy decision, or
b) appropriate safeguards such as SCCs are in place (with supplementary measures where required).
Cadmos will provide copies of the relevant transfer mechanism on request (redacted where necessary).
8 CUSTOMER ASSISTANCE
- Data-Subject requests - Cadmos assists Customer, as far as practicable, to respond to verified requests to exercise rights under Applicable Data-Protection Laws.
- Data-Protection Impact Assessments - Cadmos gives reasonable help with DPIAs and prior consultations.
- Information - Cadmos makes available information demonstrating compliance with this DPA.
9 PERSONAL DATA BREACH
Cadmos notifies Customer without undue delay after becoming aware of a Personal Data Breach and cooperates with Customer's efforts to meet any notification duties.
10 AUDIT RIGHTS
On reasonable written notice, Cadmos will allow and contribute to audits (including inspections) carried out by Customer or an independent auditor mandated by Customer, provided that audits:
- occur no more than once per year (unless required by law or following a material incident);
- take place during normal business hours; and
- are subject to customary confidentiality undertakings.
11 DELETION OR RETURN
Upon termination of the Customer's use of the Services (or earlier on written request), Cadmos will delete or return all Personal Data, unless EU, Member-State or UK law requires retention. Cadmos will confirm deletion in writing if requested.
12 CO-OPERATION WITH SUPERVISORY AUTHORITIES
Cadmos will cooperate, on request, with any competent Supervisory Authority in the performance of its tasks.
13 LIABILITY
Any liability arising under or in connection with this DPA shall be limited and excluded to the same extent (and subject to the same caps) as in Cadmos's publicly posted Service Terms.
14 GOVERNING LAW & JURISDICTION
Unless the SCCs specify otherwise, this DPA is governed by the laws of Cyprus and disputes are subject to the exclusive jurisdiction of the courts of Cyprus.
15 ORDER OF PRECEDENCE
If there is a conflict between this DPA and any other Cadmos terms:
- the SCCs (if applicable) take precedence;
- then this DPA;
- then the other terms of service.
ANNEX I - DETAILS OF PROCESSING
Subject-matter and purpose
Operation of the Cadmos Wallet (self-custody, on-/off-ramp, DeFi integrations) and Cadmos Tokenization Platform (issuance, subscription, custody and transfer of tokenised securities), plus related support and compliance operations.
Nature of Processing
Collection, recording, structuring, storage, retrieval, transmission, analysis, identity verification (KYC/AML), communication, electronic signature workflows and deletion.
Data-Subject categories
- End-users (investors, wallet holders)
- Authorised representatives and signatories
- Prospective users
- Customer-support contacts
Personal-data types
Identification data (name, date of birth, nationality, ID numbers, facial images); contact data (email, phone, address, WhatsApp handle); financial data (IBAN, wallet address, transaction records); KYC documents; e-signature artefacts; support logs; IP address and device data.
Special-category data
None intentionally collected; biometric data may be incidentally processed in ID-verification images.
Duration
While Customer uses the Services plus up to 90 days for orderly deletion or longer where legally required.
ANNEX II - TECHNICAL & ORGANISATIONAL SECURITY MEASURES
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Role-based access control; multi-factor authentication for privileged accounts; quarterly access reviews.
- Segmented VPCs, firewall rules, and DDoS mitigation via Cloudflare.
- Secure-development lifecycle with code reviews, SAST/DAST and penetration tests.
- Centralised, tamper-resistant logging with automated alerting; 24 × 7 incident response.
- Encrypted backups replicated across multiple AWS regions and restore tests.
- Logical segregation of customer data in multi-tenant systems.
- Personnel screening (where legal) and mandatory privacy/security training.
ANNEX III - AUTHORISED SUB-PROCESSORS
Sub-processor | Service | Hosting Region(s)* | International-transfer safeguard |
---|---|---|---|
Amazon Web Services (AWS) | Hosting & infra | EU / USA | AWS online DPA with SCCs; AWS is DPF-certified (aws.amazon.com, dataprivacyframework.gov) |
Cloudflare, Inc. | CDN, WAF, DDoS | EU / USA | Cloudflare online DPA with SCCs; DPF-certified (dataprivacyframework.gov, cloudflare.com) |
Vonage (Nexmo) | SMS / voice | EU / USA | Vonage online DPA incl. SCCs; DPF-certified (vonage.com) |
Meta Platforms (WhatsApp Business API) | WhatsApp messaging | USA | Meta Data-Transfer Addendum with SCCs; DPF-certified (dataprivacyframework.gov, facebook.com) |
Postmark (ActiveCampaign) | Transactional email | USA | ActiveCampaign online DPA with SCCs; DPF-certified (activecampaign.com, help.activecampaign.com) |
Sumsub Ltd. | KYC / AML | UK (primary) / EU | Sumsub online DPA with SCCs (UK → EEA transfer is adequate) (sumsub.com) |
Didit Technologies Ltd. | KYC / AML | EEA | No international transfer (EEA-hosted) |
Assentify Ltd. | KYC / AML | Cyprus | No international transfer (EEA-hosted) |
DocuSign, Inc. | E-signature | USA | DocuSign online DPA with SCCs; DPF-certified (docusign.com) |
Docuseal Inc. | E-signature & document automation | EU / USA | Docuseal GDPR DPA incl. SCCs (docuseal.com) |
Cadmos will give at least 10 days' prior notice before adding or replacing a Sub-processor and will honour any reasonable objection as set out in Section 6.
Data-Protection Officer
Cadmos LTD
Tzon Kennenty 8, IRIS HOUSE, 3rd floor
3106 Limassol, Cyprus
privacy@cadmos.finance
How can you contact us about this notice?
If you have any questions or concerns, contact us.