1. About this DPA template
This Data Processing Agreement ("DPA") template is provided for B2B partners that engage ScanToProve as a data processor — typically:
- DNA laboratories using DNA Rails to authenticate samples;
- OPCLS Gateway partner registries;
- White-label deployment customers under whose brand the Platform operates.
A signed copy of this DPA forms part of the Master Services Agreement (or equivalent commercial contract) between you (the "Controller") and ⚠TODO: Legal entity name (the "Processor").
To execute, email a signed copy to legal@scantoprove.com or request a DocuSign link.
2. Definitions
- Terms not defined here have the meaning given in the Data Protection (Jersey) Law 2018, the UK GDPR and the EU GDPR.
- Personal Data, Processing, Controller, Processor, and Data Subject have the meanings given in those laws.
- Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope and purpose
The Processor will Process Personal Data on behalf of the Controller solely to provide the ScanToProve services described in the underlying contract — including sample authentication, chip lookup federation, blockchain anchoring, scan event recording, and related platform functions.
Details of the Processing (categories of data, categories of data subject, duration) are set out in Annex 1.
4. Obligations of the Processor
4.1. Detailed obligations
The Processor shall:
- Process Personal Data only on documented written instructions from the Controller, including with regard to international transfers;
- Ensure that personnel authorised to Process Personal Data are subject to confidentiality obligations;
- Implement appropriate technical and organisational measures, including those listed in Annex 2;
- Engage Sub-processors only with the Controller's prior general or specific authorisation (see Annex 3);
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection);
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach;
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits (subject to reasonable confidentiality and notice requirements);
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of the services, subject to the blockchain caveat in Section 7.
5. Sub-processors
The Controller authorises the Processor to use the Sub-processors listed in Annex 3 (which mirrors Section 7 of our Privacy Policy). The Processor will give the Controller at least 30 days' notice before adding or replacing a Sub-processor. The Controller may object to the change on reasonable data-protection grounds.
6. International transfers
Transfers of Personal Data outside Jersey, the UK or the EEA are permitted only where an adequacy decision applies, the parties have entered into the relevant Standard Contractual Clauses with appropriate supplementary measures, or another lawful transfer mechanism applies.
7. Blockchain anchoring — important caveat
The Controller acknowledges that the Platform anchors cryptographic hashes derived from selected events to the Polygon public blockchain (see Section 9 of the Terms of Service and Section 6 of the Privacy Policy).
The Processor will, on request, delete off-chain Personal Data such that the on-chain hash is no longer practically linkable to a Data Subject. The Processor cannot delete the on-chain hash itself, which is an immutable feature of public blockchains.
The Controller agrees to disclose this caveat to its own Data Subjects in its public-facing privacy notice.
8. Liability
The liability provisions of the underlying commercial contract apply to this DPA. Nothing in this DPA limits a Data Subject's rights against either party under applicable data-protection laws.
9. Governing law
This DPA is governed by the laws of Jersey, Channel Islands, with the Royal Court of Jersey having exclusive jurisdiction, save where mandatory data-protection laws require otherwise.
Annex 1 — Details of Processing
- Subject matter: Provision of the ScanToProve services to the Controller.
- Duration: The term of the underlying commercial contract, plus any retention period required by law.
- Nature & purpose: Authentication of samples or assets, federated chip lookup, scan event logging, blockchain anchoring, white-label hosting.
- Categories of Data Subject: Pet owners, vets, finders, vehicle owners, lab technicians, asset custodians, end customers of white-label deployments.
- Categories of Personal Data: Name, contact details, organisation, role, microchip number, sample identifiers, scan event metadata, IP-derived location.
- Special categories: Limited veterinary clinical notes where the Controller chooses to record them.
Annex 2 — Technical and organisational measures
- TLS 1.2+ in transit, at-rest encryption in MongoDB Atlas and Cloudflare R2;
- Bcrypt-hashed passwords; JWT-based session control with short-lived tokens;
- Role-based access control with organisation- and vertical-scoped queries;
- NTAG 424 SUN AES-128 cryptographic verification with rolling-counter clone detection;
- Cloudflare DDoS protection and Turnstile bot captcha on authentication and public endpoints;
- Real-time error monitoring (Sentry) and audit logging of mutations;
- Restricted production access (4-eyes principle), background-screened personnel;
- Documented incident-response runbook with 72-hour breach-notification SLA.
Annex 3 — Authorised Sub-processors
- MongoDB Atlas — primary database (region: ⚠TODO: e.g. eu-west-1).
- Cloudflare — CDN, R2 object storage, Turnstile bot protection.
- Resend — transactional email (alerts@scantoprove.com).
- Sentry — application error monitoring.
- Emergent — LLM infrastructure (GPT-4o-mini and equivalents) for in-app assistants.
- Polygon — public blockchain network for event anchoring.
- Paddle — payment processing (where applicable).