SBC Lab AG – Blockchain Applied (BCA)
Version: 1.0 Effective Date: 2026-05-24
Parties
This Data Processing Agreement (the “DPA”) is entered into between:
(1) SBC Lab AG, a stock corporation (Aktiengesellschaft) incorporated under the laws of Switzerland with its registered office at Winkel, Switzerland, operating the service “BCA – Blockchain Applied” (the “Processor”); and
(2) the Customer as identified in the Principal Agreement (as defined below) (the “Controller”),
each a “Party” and together the “Parties”.
Recitals
(A) The Parties have entered into a Terms of Service agreement, an Order Form and/or other written agreement governing the provision of the Services (together the “Principal Agreement”), under which the Processor processes Personal Data on behalf of the Controller.
(B) The Controller acts as a controller of Personal Data within the meaning of Article 4(7) of the GDPR and Article 5(j) of the Swiss FADP. The Processor acts as a processor on behalf of the Controller within the meaning of Article 4(8) of the GDPR and Article 5(k) of the FADP.
(C) This DPA is required by Article 28(3) of the GDPR, Article 9 of the FADP and, where applicable, the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
(D) This DPA forms an integral part of the Principal Agreement. In the event of conflict in matters relating to the protection of Personal Data, this DPA prevails over the Principal Agreement and over any other arrangement between the Parties, except where the other arrangement explicitly references and overrides a specific provision of this DPA.
Now, therefore, the Parties agree as follows:
1. Definitions and Interpretation
1.1 Unless otherwise defined in this DPA, capitalised terms have the meaning given to them in the Principal Agreement. The following definitions also apply:
"Applicable Data Protection Laws" means all data-protection laws applicable to the processing of Personal Data under this DPA, including (i) the GDPR; (ii) Member State laws supplementing the GDPR; (iii) the FADP and the Swiss Ordinance on Data Protection (DSV); (iv) the UK GDPR and the UK Data Protection Act 2018; and (v) any other applicable national law.
"Controller Personal Data" means the Personal Data described in Annex 1, processed by the Processor on behalf of the Controller in connection with the Principal Agreement.
"Data Subject" means an identified or identifiable natural person to whom Controller Personal Data relates.
"EEA" means the European Economic Area.
"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
"FDPIC" means the Swiss Federal Data Protection and Information Commissioner.
"GDPR" means Regulation (EU) 2016/679.
"Personal Data" means personal data as defined in Article 4(1) of the GDPR and Article 5(a) of the FADP.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data.
"Processing" means any operation or set of operations performed on Personal Data within the meaning of Article 4(2) of the GDPR; “Process” and “Processed” shall be construed accordingly.
"Restricted Transfer" means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country not benefiting from an adequacy decision under Article 45 of the GDPR; (ii) where the FADP applies, a disclosure of Personal Data from Switzerland to a country not recognised as having adequate data protection by the Swiss Federal Council; and (iii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to a third country.
"Services" means the data services provided by the Processor under the Principal Agreement, in particular the indexing of public On-Chain Data and the related APIs, dashboards and analytics.
"Subprocessor" means any third party engaged by the Processor or by any Affiliate of the Processor to Process Controller Personal Data on the Controller’s behalf in connection with the Principal Agreement.
"Swiss Addendum" means the Swiss-specific addendum to the EU SCCs published by the FDPIC, as amended from time to time, recognising the EU SCCs as a valid transfer mechanism for transfers from Switzerland.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (ICO) under section 119A of the Data Protection Act 2018, version B1.0 in force 21 March 2022, as amended.
1.2 Other capitalised terms used in this DPA, including “Controller”, “Processor”, “Data Subject”, “Member State”, “Supervisory Authority” and “Special Categories of Data”, have the meaning given to them in the GDPR or, where applicable, in the FADP.
2. Subject Matter, Duration, Nature, Purpose and Categories
2.1 Subject matter and duration. The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and the categories of Data Subjects are described in Annex 1 (Details of Processing). Processing under this DPA continues for the duration of the Principal Agreement and any post-termination retention period set out in this DPA.
2.2 Roles. The Parties acknowledge that, with respect to Controller Personal Data, the Controller is the controller and the Processor is the processor. Where the Processor processes personal data for its own purposes (e.g. account management, billing, security monitoring, statutory record-keeping), it does so as an independent controller and outside the scope of this DPA; such processing is described in the Processor’s Privacy Notice.
3. Compliance and Processing Instructions
3.1 Compliance. Each Party shall comply with the Applicable Data Protection Laws applicable to it in respect of the Processing under this DPA.
3.2 Documented instructions. The Processor shall Process Controller Personal Data only on documented instructions from the Controller, including with regard to Restricted Transfers, unless required to do otherwise by Union, Member State, Swiss or other applicable law to which the Processor is subject; in such a case, the Processor shall, to the extent legally permitted, inform the Controller of that legal requirement before Processing.
3.3 Initial instructions. The Controller’s initial documented instructions are: (a) to Process Controller Personal Data as set out in this DPA, the Principal Agreement, the configuration choices made by the Controller within the Service, and the Documentation; and (b) to provide the Services in accordance therewith. Any additional instructions must be agreed between the Parties; the Processor may charge for the implementation of additional instructions to the extent reasonable.
3.4 Unlawful instructions. The Processor shall promptly inform the Controller if, in its reasonable opinion, an instruction infringes the Applicable Data Protection Laws. The Processor is not obliged to monitor the Controller’s compliance with the Applicable Data Protection Laws.
4. Confidentiality of Personnel
4.1 The Processor shall ensure that any natural person acting under its authority who has access to Controller Personal Data (a) Processes such data only on instructions from the Controller and (b) is bound by an appropriate obligation of confidentiality, whether by contract, professional duty or statute.
4.2 Access shall be granted on a strict need-to-know basis and only to such persons as need access for the performance of the Services.
5. Security – Technical and Organisational Measures
5.1 TOMs. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and Article 8 of the FADP and Articles 1 to 6 of the DSV.
5.2 Measures. The current technical and organisational measures are described in Annex 2. The Processor may update such measures from time to time, provided that the level of protection is not materially diminished.
6. Subprocessing
6.1 General authorisation. The Controller hereby grants the Processor a general written authorisation to engage Subprocessors in accordance with Article 28(2) sentence 2 of the GDPR. The current Subprocessors are listed in Annex 3.
6.2 Notification of changes. The Processor shall notify the Controller in advance of any intended addition or replacement of Subprocessors. Such notice will be given at least thirty (30) days before the new Subprocessor begins Processing Controller Personal Data, by posting an updated list at https://www.blockchain-applied.com/dpa, by email to the Controller, or by in-product notification.
6.3 Right to object. The Controller may object to the addition or replacement of a Subprocessor on reasonable data-protection grounds within fifteen (15) days of receipt of the notice. The Parties shall discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the affected portion of the Principal Agreement on written notice, with no liability for either Party other than for amounts accrued before termination.
6.4 Subprocessor obligations. The Processor shall conclude a written agreement with each Subprocessor that imposes, in substance, data-protection obligations no less protective than those set out in this DPA, in particular obligations equivalent to those required under Article 28(3) of the GDPR. The Processor remains fully liable to the Controller for the performance of each Subprocessor’s obligations.
7. International Data Transfers
7.1 General rule. The Processor shall not transfer Controller Personal Data outside Switzerland or the EEA, or onward-transfer such data, unless the transfer is to a country (a) recognised as providing an adequate level of data protection under Article 45 of the GDPR or by the Swiss Federal Council, or (b) safeguarded by an appropriate transfer mechanism in accordance with Article 46 of the GDPR (or the equivalent provision of the FADP or UK GDPR).
7.2 EU SCCs. Where the Processor or any Subprocessor carries out a Restricted Transfer of Personal Data subject to the GDPR, the EU SCCs are hereby deemed to be incorporated into this DPA, with the following selections: (a) Module Two (controller-to-processor) for transfers from the Controller to the Processor; (b) Module Three (processor-to-processor) for transfers between the Processor and a Subprocessor; (c) Clause 7 (docking clause) is included; (d) Clause 9(a), Option 2 (general written authorisation) applies, with thirty (30) days’ notice; (e) Clause 11(a) optional language is excluded; (f) Clause 17, Option 1 (governing law of an EU Member State) applies, with the law of Ireland; (g) Clause 18(b), the supervisory authority of Ireland is competent.
7.3 Swiss transfers. Where the Processor or any Subprocessor carries out a Restricted Transfer of Personal Data subject to the FADP, the EU SCCs apply with the modifications set out in the Swiss Addendum, including: (i) references to the GDPR are deemed to refer also to the FADP to the extent applicable; (ii) the term “Member State” is interpreted not to exclude data subjects in Switzerland from exercising their rights at their place of habitual residence; (iii) the FDPIC is the competent supervisory authority for transfers from Switzerland; and (iv) the EU SCCs are governed by the laws of Switzerland for transfers from Switzerland.
7.4 UK transfers. Where the Processor or any Subprocessor carries out a Restricted Transfer of Personal Data subject to the UK GDPR, the EU SCCs apply as amended by the UK Addendum, the parts of which are deemed completed as set out in this DPA.
7.5 Transfer impact assessment. The Processor shall, on the Controller’s reasonable request, provide information necessary to enable the Controller to carry out a transfer impact assessment in accordance with the EU SCCs and the Schrems II principles.
7.6 Onward transfers to the United States. The Controller acknowledges and authorises the transfer of limited customer identifiers to Google in the United States for the purposes set out in Annex 3. This transfer is safeguarded by Google’s certification under the EU–US Data Privacy Framework (and its UK Extension and Swiss–US Data Privacy Framework) and, additionally and as a back-up mechanism, by the EU SCCs (as supplemented by the Swiss Addendum and, where applicable, the UK Addendum).
8. Assistance with Data Subject Rights
8.1 Assistance. Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Articles 15 to 22 of the GDPR, the corresponding rights under the FADP (in particular Articles 25 to 32) and any equivalent rights under the UK GDPR or other Applicable Data Protection Laws.
8.2 Forwarding requests. If the Processor receives a request directly from a Data Subject in respect of Controller Personal Data, it shall (a) without undue delay forward the request to the Controller, and (b) not respond to the request other than as instructed by the Controller or as required by applicable law.
9. Personal Data Breach
9.1 Notification. The Processor shall notify the Controller of any Personal Data Breach affecting Controller Personal Data without undue delay and in any event within seventy-two (72) hours after becoming aware of it. The notification shall include, to the extent known, the information set out in Article 33(3) of the GDPR.
9.2 Mitigation. The Processor shall take reasonable steps to contain and remediate the Personal Data Breach and, on request, provide information and assistance to the Controller in connection with notification to Supervisory Authorities and to Data Subjects under Articles 33 and 34 of the GDPR or under equivalent provisions of the FADP or UK GDPR.
9.3 Records. The Processor shall maintain a record of all Personal Data Breaches involving Controller Personal Data sufficient to enable the Controller to demonstrate compliance with Article 33 of the GDPR and to make such record available to the Controller on reasonable request.
10. Data Protection Impact Assessment and Prior Consultation
10.1 DPIA. The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments under Article 35 of the GDPR (and the corresponding provisions of the FADP and the UK GDPR), and in any prior consultation with Supervisory Authorities under Article 36, in each case in relation to Processing by the Processor and taking into account the nature of the Processing and the information available to the Processor.
11. Records, Information and Audits
11.1 Records. The Processor shall maintain a record of Processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR (and Article 12 FADP).
11.2 Information. The Processor shall make available to the Controller, on reasonable request, all information necessary to demonstrate compliance with Article 28 of the GDPR and this DPA, including the latest available certifications, audit reports and security summaries (the “Compliance Materials”).
11.3 Audits. The Controller, or a qualified third-party auditor mandated by the Controller and accepted by the Processor (such acceptance not to be unreasonably withheld), may audit the Processor’s compliance with this DPA, subject to the following conditions: (a) the Controller shall give at least thirty (30) days’ prior written notice, except in the case of a Personal Data Breach or as required by a Supervisory Authority; (b) audits shall take place during normal business hours, no more than once per calendar year unless required by Applicable Data Protection Laws or in response to a substantiated incident; (c) the auditor must be bound by confidentiality obligations; (d) the audit shall not unreasonably interfere with the Processor’s business operations and shall not require disclosure of information confidential to other customers or to the Processor’s personnel; (e) the Controller shall bear the costs of the audit, except where the audit identifies a material breach by the Processor, in which case the Processor shall bear the reasonable cost; and (f) the Processor may satisfy its obligations under this Section 11.3 in whole or in part by providing the Compliance Materials.
12. Deletion or Return of Controller Personal Data
12.1 Retention period. Subject to Section 12.3, the Processor shall retain Controller Personal Data for thirty (30) days following the date of cessation of Services involving the Processing of Controller Personal Data (the “Cessation Date”), during which the Controller may request export of the data through standard tools or, where reasonably necessary, by written request to the Processor.
12.2 Deletion. After the retention period set out in Section 12.1, the Processor shall delete, and procure the deletion by each Subprocessor of, all copies of Controller Personal Data, save where retention is required by Union, Member State, Swiss, UK or other applicable law to which the Processor or the relevant Subprocessor is subject.
12.3 Permitted retention. Where the Processor retains Controller Personal Data under Section 12.2, the Processor shall (a) restrict access to such data to what is strictly necessary, (b) continue to protect such data in accordance with this DPA, and (c) delete such data once the legal retention obligation has expired.
12.4 Certification. The Processor shall, on the Controller’s written request, provide written certification of compliance with Section 12 within ten (10) business days of completing the deletion.
13. Liability
13.1 The liability of each Party under or in connection with this DPA is governed by the limitations and exclusions of liability set out in the Principal Agreement, except (a) for liability that cannot, by mandatory law, be limited or excluded, including under Article 82 of the GDPR, the FADP or the UK GDPR; and (b) where this DPA expressly provides otherwise.
14. Term and Termination
14.1 Term. This DPA takes effect on the Effective Date and continues for as long as the Processor Processes Controller Personal Data on behalf of the Controller, regardless of any termination of the Principal Agreement.
14.2 Survival. Sections 5, 6.4, 7, 9, 11, 12, 13, 15, 16 and 17 survive termination of this DPA.
15. General Provisions
15.1 Order of precedence. In the event of conflict, this DPA prevails over the Principal Agreement in matters relating to the Processing of Controller Personal Data; the EU SCCs (as supplemented by the Swiss Addendum or the UK Addendum, as applicable) prevail over this DPA in respect of Restricted Transfers.
15.2 Notices. Notices under this DPA shall be given in accordance with the notices clause of the Principal Agreement.
15.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and the invalid provision shall be replaced by an enforceable provision that most closely reflects the Parties’ original intent.
15.4 Form. Amendments to this DPA must be in writing (including in electronic form within the meaning of Article 14 of the Swiss Code of Obligations and Regulation (EU) No 910/2014 (“eIDAS”)) and signed or expressly accepted by both Parties.
15.5 Language. The English version of this DPA is the binding version. Any translation is provided for convenience only.
16. Governing Law and Jurisdiction
16.1 Governing law. This DPA is governed by the substantive laws of Switzerland, excluding its conflict-of-laws rules under the Swiss Federal Act on Private International Law (IPRG), without prejudice to (a) the law applicable to the EU SCCs, the Swiss Addendum or the UK Addendum where these apply, and (b) any mandatory protections of Data Subjects under the GDPR, the FADP or the UK GDPR.
16.2 Jurisdiction. The ordinary courts of the city of Zurich, Switzerland, have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the rights of Data Subjects to bring proceedings against the Processor or the Controller before the courts of the Member State or country of their habitual residence as provided by Applicable Data Protection Laws.
17. Acceptance
This DPA becomes effective upon the Customer’s acceptance of the Principal Agreement, or upon execution of a separate signature page below, whichever is earlier.
For SBC Lab AG
Name: _________________________________________
Title: _________________________________________
Date: _________________________________________
For the Customer (Controller)
Customer: _________________________________________
(legal name)
Name: _________________________________________
Title: _________________________________________
Date: _________________________________________
Annex 1 – Details of Processing
A.1. Categories of Data Subjects
Personal Data of the following categories of Data Subjects is Processed:
(a) Authorised Users (i.e. employees, contractors and agents of the Controller and of its Affiliates who use the Service);
(b) natural-person customers of the Controller, where the Controller submits or causes the submission of their personal identifiers to the Service;
(c) any other Data Subjects whose Personal Data is contained in Customer Data uploaded or otherwise transmitted by the Controller through the Service.
A.2. Categories of Personal Data
The Personal Data Processed under this DPA includes the following categories:
(a) identification and contact data: name, email address, employer/company name, job title;
(b) account and authentication data: username, hashed passwords, API keys, multi-factor authentication tokens;
(c) billing and commercial data: billing address, VAT/UID number, transaction identifiers, subscription tier and usage data;
(d) technical and usage data: IP address, device and browser identifiers, log files, request metadata, query history, error logs;
(e) communications data: support tickets, in-product messages, email correspondence;
(f) any other Personal Data contained in Customer Data submitted by the Controller through the Service.
Special Categories of Data within the meaning of Article 9 of the GDPR or sensitive personal data within the meaning of Article 5(c) of the FADP are not knowingly Processed under this DPA. The Controller shall not submit such data to the Service unless it has expressly agreed in writing with the Processor on additional safeguards.
A.3. Nature and Purpose of Processing
The nature of Processing comprises the collection, storage, organisation, structuring, adaptation, retrieval, consultation, transmission, restriction, erasure and destruction of Personal Data, as well as related security and back-up operations. The purpose of Processing is the provision of the Services to the Controller, including: (a) account creation, authentication and access management; (b) provision of access to indexed On-Chain Data via APIs and dashboards; (c) usage metering, billing and rate-limit enforcement; (d) operational and security monitoring; (e) customer support; and (f) fulfilment of the Processor’s contractual obligations under the Principal Agreement and this DPA.
A.4. Duration of Processing
Processing continues for the term of the Principal Agreement plus the post-termination retention period set out in Section 12.1, and any further period required by mandatory law.
A.5. Frequency of Transfers
Transfers of Personal Data take place on a continuous basis throughout the term of the Principal Agreement, in connection with the use of the Services.
Annex 2 – Technical and Organisational Measures
This Annex describes the technical and organisational measures (“TOMs”) that the Processor implements to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, Article 8 of the FADP and Articles 1 to 6 of the DSV. The measures are reviewed and updated periodically; the most current version is available on request. The Processor may modify the measures provided that the level of protection is not materially diminished.
B.1. Pseudonymisation and Encryption
(a) encryption of Personal Data in transit using TLS 1.2 or higher;
(b) encryption of Personal Data at rest in primary storage and in back-ups using industry-standard algorithms (e.g. AES-256);
(c) use of cryptographic key-management procedures with restricted access and regular rotation;
(d) pseudonymisation of identifiers in development, testing and analytics environments where reasonably possible.
B.2. Confidentiality
(a) physical access controls at hosting locations operated by certified data-centre providers (Hetzner Online GmbH – Germany/Finland; SBC Lab self-hosted infrastructure in Switzerland);
(b) logical access controls based on the principle of least privilege, role-based access, multi-factor authentication for administrative access, and unique user accounts;
(c) separation between production, staging and development environments;
(d) confidentiality undertakings binding all personnel and contractors who Process Personal Data;
(e) background checks on personnel with access to production systems, where permitted by law.
B.3. Integrity
(a) input controls and audit logging of administrative actions on Personal Data, with logs retained for a defined period in tamper-resistant storage;
(b) data validation on input boundaries (APIs, web interfaces);
(c) use of source-code management with code review and change-control processes for changes to systems Processing Personal Data.
B.4. Availability and Resilience
(a) regular back-ups of production data, with periodic restoration testing;
(b) redundant infrastructure for critical components, including multi-zone deployment for production services where commercially reasonable;
(c) documented business-continuity and disaster-recovery plans, reviewed at least annually;
(d) monitoring of systems for availability, performance and security events, with on-call response.
B.5. Process for Regular Testing and Evaluation
(a) vulnerability scanning of production systems and dependencies on a recurring basis;
(b) periodic penetration testing by qualified personnel or third parties;
(c) security awareness training for personnel;
(d) internal review of TOMs at least annually and after material changes to systems or processes.
B.6. Data Minimisation, Retention and Deletion
(a) data-minimisation by design: collection limited to data necessary for the Services;
(b) configurable retention controls for log and telemetry data;
(c) secure deletion procedures for Personal Data at end of retention or on Controller request, including in back-ups, in accordance with documented retention schedules.
B.7. Subprocessor Management
(a) due diligence on Subprocessors prior to engagement, including security and data-protection assessments;
(b) written contracts imposing data-protection obligations equivalent to those of this DPA;
(c) ongoing monitoring of Subprocessor compliance, including review of certifications and audit reports where available.
B.8. Incident Management
(a) documented incident-response procedures, including roles, escalation paths and communication templates;
(b) post-incident reviews to identify root causes and remediation steps;
(c) notification of the Controller in accordance with Section 9 of the DPA.
Annex 3 – Authorised Subprocessors
The Controller authorises the engagement of the following Subprocessors as of the Effective Date. The Processor shall maintain an up-to-date list at https://www.blockchain-applied.com/dpa and shall notify the Controller of changes in accordance with Section 6.2 of the DPA.
Subprocessor | Purpose | Data Categories | Location | Transfer Mechanism
SBC Lab AG (self-hosted infrastructure) | Primary data storage, processing and back-up infrastructure for the Service | All Controller Personal Data | Switzerland | Domestic Processing (no transfer)
Hetzner Online GmbH | Cloud and dedicated server hosting for API services and data processing | Controller Personal Data in transit and at rest | Germany, Finland (EU/EEA) | Intra-EEA Processing
Google LLC | Provisioning and managing access to blockchain data via Google BigQuery | User ID, email address | United States | EU–US Data Privacy Framework certification + EU SCCs (Module Two/Three) with Swiss Addendum / UK Addendum as applicable
Brevo (Sendinblue SAS) | Email delivery for newsletters, product updates and informational communications | Email address, name, company name, subscribed product/tier | France (EU/EEA) | Intra-EEA Processing
Infomaniak Network SA | Email hosting for the Processor’s outbound and support communications | Email address, name, message content | Switzerland | Domestic Processing (no transfer)
Notes:
• Affiliates of the Processor that Process Controller Personal Data on behalf of the Processor, where any, are deemed Subprocessors and are subject to written agreements consistent with this DPA.
• The Controller acknowledges that On-Chain Data is, by its nature, public; the Processor’s indexing of such data does not constitute the disclosure or transfer of Controller Personal Data.