Data Processing Agreement
Last updated: [Effective Date]
This Data Processing Agreement (the "DPA") is entered into by and between Zoryxon LLC, an Ohio limited liability company with its principal place of business in the State of Ohio, United States ("Zoryxon," "Processor," "we," "us," or "our"), and the customer identified in the applicable order form, subscription agreement, or terms of service (the "Customer" or "Controller"). This DPA forms part of, and is incorporated by reference into, the agreement between Customer and Zoryxon governing Customer's use of the Zoryxon platform and related services (the "Services Agreement").
This DPA reflects the parties' agreement with respect to the Processing of Personal Data in connection with the Services and is intended to comply with Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR"), the United Kingdom Data Protection Act 2018 and UK GDPR, and other applicable data protection laws. This DPA is also aligned with Zoryxon's compliance positioning under Regulation (EU) 2024/1689 (the EU AI Act), including obligations applicable to providers and deployers of AI systems where such obligations are relevant to the Services.
In the event of any conflict between this DPA and the Services Agreement with respect to the Processing of Personal Data, this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses incorporated herein, the Standard Contractual Clauses shall prevail.
1. Definitions
Capitalized terms used in this DPA and not otherwise defined shall have the meanings set forth below. Terms defined in the GDPR but not defined in this DPA shall have the meanings given in the GDPR.
1.1 General Definitions
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller with respect to Personal Data Processed by Zoryxon on its behalf in connection with the Services.
- "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller. For purposes of this DPA, Zoryxon is the Processor with respect to Personal Data Processed on behalf of Customer.
- "Sub-processor" means any third party engaged by Zoryxon to Process Personal Data on behalf of Customer in connection with the Services, including cloud infrastructure providers, managed database providers, and blockchain remote procedure call (RPC) providers.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to a Data Subject that is Processed by Zoryxon on behalf of Customer in connection with the Services, as further described in Annex I.
- "Processing" (and its cognates, including "Process" and "Processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Services" means the Zoryxon platform and related services made available to Customer under the Services Agreement, including IP registration, client-side-encrypted Vault storage references, licensing, marketplace, proof generation, and identity trust features.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or superseded from time to time.
- "Supervisory Authority" means an independent public authority established by a Member State pursuant to Article 51 GDPR, or a functionally equivalent authority under other applicable data protection law.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other comparable laws.
1.2 Zoryxon-Specific Definitions
- "Vault" means a client-side encrypted container created by a user through the Services to store or reference intellectual property and associated metadata. Vault contents are encrypted on the user's device using AES-256-GCM prior to transmission; Zoryxon does not hold the decryption keys and cannot access Vault ciphertext in plaintext form.
- "Trust Attestation" means a cryptographically signed statement issued under the Zoryxon attestation framework, including EIP-712 typed structured data signatures and ML-DSA-65 post-quantum signature hash anchoring, attesting to identity, authenticity, or provenance properties of a wallet, asset, or content hash. Trust Attestations reference identity hashes (one-way derivations) rather than raw identity documents.
- "Verification Record" means a record generated by the Services evidencing the outcome of a verification or screening event, including humanity verification tier, OFAC sanctions screening result, and the tamper-evident hash-chained audit entry associated with such event.
- "Content Hash" means a SHA-256 or perceptual hash derived from user content for the purpose of blockchain anchoring, integrity verification, or duplicate detection. Content Hashes are one-way cryptographic derivations and cannot be reversed to reconstruct the underlying content.
- "On-Chain Record" means a transaction, event, or state entry recorded to a public blockchain network (including Arbitrum One, Ethereum, and Hedera) by or through the Services. On-Chain Records are, by design, immutable and globally replicated.
2. Scope and Applicability
2.1 Scope
This DPA applies to the Processing of Personal Data by Zoryxon on behalf of Customer in connection with Customer's use of the Services. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.
2.2 Roles of the Parties
The parties acknowledge and agree that, with respect to the Processing of Personal Data under this DPA:
- Customer acts as the Controller, and Zoryxon acts as the Processor, with respect to Personal Data submitted to the Services by Customer or its authorized users, including Vault metadata, licensing records, content metadata, Verification Records associated with Customer users, and other data Processed at Customer's direction in connection with the Services.
- Zoryxon acts as an independent Controller with respect to Personal Data it collects and Processes for its own business purposes, including account registration data, billing and payment records, support communications, product analytics of Zoryxon's own service usage, security logging, and records required for Zoryxon's compliance with legal obligations (including sanctions screening, anti-money-laundering controls, and tax reporting). The Processing of such data is governed by Zoryxon's Privacy Policy, not this DPA.
2.3 Order of Precedence
In the event of any conflict or inconsistency between the provisions of this DPA and the Services Agreement with respect to the Processing of Personal Data, the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses incorporated by reference in Section 14, the Standard Contractual Clauses shall prevail.
3. Customer Obligations
3.1 Lawful Basis and Accuracy
Customer represents and warrants that (a) it has a valid and lawful basis under Applicable Data Protection Law for the Processing of Personal Data by Zoryxon on its behalf in connection with the Services; (b) any Personal Data Customer provides or causes to be provided to the Services is accurate, complete, and kept up to date; and (c) Customer has provided all required notices to, and obtained all required consents from, Data Subjects necessary for the Processing contemplated by the Services Agreement and this DPA.
3.2 Controller Compliance
Customer is responsible for its own compliance with Applicable Data Protection Law, including Articles 12 through 22 GDPR (rights of the Data Subject), Articles 24 and 25 GDPR (responsibility of the Controller and data protection by design and by default), Article 30 GDPR (records of processing activities), and Articles 35 and 36 GDPR (data protection impact assessments and prior consultation) where applicable.
3.3 Instructions
Customer shall provide documented instructions for the Processing of Personal Data by Zoryxon. The Services Agreement (including Customer's configuration of the Services) and this DPA constitute Customer's initial and complete documented instructions to Zoryxon with respect to the Processing of Personal Data. Additional or alternative instructions must be agreed between the parties in writing.
3.4 Prohibited Data
Customer shall not submit, or cause to be submitted, to the Services any special categories of Personal Data under Article 9 GDPR (including data concerning health, biometric data for the purpose of uniquely identifying a natural person, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or data concerning a natural person's sex life or sexual orientation) or Personal Data relating to criminal convictions and offences under Article 10 GDPR, except where such Processing has been expressly agreed in writing and appropriate safeguards have been implemented.
4. Zoryxon's Processing Obligations
4.1 Processing on Instructions
Zoryxon shall Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Zoryxon is subject; in such a case, Zoryxon shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2 Notification of Unlawful Instruction
Zoryxon shall immediately inform Customer if, in its opinion, an instruction issued by Customer infringes the GDPR or other Applicable Data Protection Law.
4.3 Confidentiality of Personnel
Zoryxon shall ensure that persons authorized to Process Personal Data (including employees, contractors, and subcontractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel whose role requires such access in order to perform the Services and is enforced through role-based access controls.
4.4 Technical and Organizational Measures
Zoryxon shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. A description of the measures implemented by Zoryxon is set forth in Annex II and referenced in Section 7 below. These measures include, without limitation:
- AES-256-GCM encryption of Vault contents at rest, performed client-side on the user's device prior to transmission, with key material that never leaves the user's possession;
- TLS 1.3 encryption in transit for all traffic between clients, the Services, and Sub-processor endpoints;
- ML-DSA-65 (FIPS 204) post-quantum signature hash anchoring for critical Trust Attestation records;
- A non-custodial architecture under which Zoryxon does not generate, hold, or have access to user private keys or wallet seed phrases;
- Role-based access control, least-privilege provisioning, and periodic access reviews;
- Automated, tamper-evident audit logging using a SHA-256 hash-chained, append-only log structure; and
- Rate limiting, input validation, and application-layer security controls consistent with OWASP recommendations.
4.5 Assistance to Controller
Zoryxon shall, taking into account the nature of the Processing and the information available to Zoryxon, assist Customer in ensuring compliance with Customer's obligations under Articles 32 through 36 GDPR, including obligations relating to security of Processing, notification of a Personal Data Breach to the Supervisory Authority and to Data Subjects, data protection impact assessments, and prior consultation.
5. Sub-processing
5.1 General Authorization
Customer grants Zoryxon a general authorization to engage Sub-processors to Process Personal Data on its behalf in connection with the Services, subject to the conditions set forth in this Section 5 and the requirements of Article 28 GDPR.
5.2 Current Sub-processors
Zoryxon maintains a current list of Sub-processors engaged in the Processing of Personal Data in connection with the Services at /subprocessors. By entering into this DPA, Customer is deemed to have authorized the engagement of the Sub-processors listed on such page as of the Effective Date.
5.3 Changes to Sub-processors
Zoryxon shall provide Customer with prior written notice of any intended additions to or replacements of Sub-processors not less than thirty (30) days in advance of the change (or, in the case of urgent replacements required for security, continuity, or legal reasons, as promptly as reasonably practicable). Notice may be given by updating the Sub-processor list, by email to the account contact on file, or through in-product notification.
5.4 Right to Object
Customer may object in writing to the engagement of a new Sub-processor on reasonable and documented data protection grounds within fourteen (14) days of receiving notice under Section 5.3. The parties shall work together in good faith to resolve the objection. If the parties cannot reach a mutually acceptable resolution, Customer may, as its sole and exclusive remedy, terminate the affected Services without penalty, subject to any prepaid fees being refunded on a pro rata basis for the unused portion of the subscription term.
5.5 Sub-processor Obligations
Zoryxon shall enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to, and no less protective than, those set forth in this DPA. Zoryxon shall remain liable to Customer for the performance of each Sub-processor's obligations under such agreement.
6. Data Subject Rights
6.1 Assistance
Zoryxon shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects for the exercise of their rights under Articles 15 through 22 GDPR, including rights of access, rectification, erasure, restriction of Processing, data portability, objection, and rights related to automated decision-making and profiling.
6.2 Direct Requests
If Zoryxon receives a request from a Data Subject in relation to Personal Data Processed by Zoryxon on behalf of Customer, Zoryxon shall, without undue delay, forward such request to Customer and shall not respond to the request itself except on Customer's documented instructions or as required by Applicable Data Protection Law.
6.3 Response Timeframe
Zoryxon shall respond to Customer's reasonable requests for assistance in responding to Data Subject requests within ten (10) business days of receipt of a complete request, subject to any verification steps reasonably required to authenticate the request.
6.4 Blockchain-Anchored Hashes
The parties acknowledge the following properties of the Services, which are directly relevant to the exercise of Data Subject rights:
- Content Hashes, identity hashes, and similar cryptographic derivations written to On-Chain Records are the output of one-way cryptographic functions and cannot, by computational means, be reversed to recover the underlying content or identity information to which they relate. Such hashes therefore do not, on their own, constitute Personal Data within the meaning of Article 4(1) GDPR, except to the extent they can be linked to an identifiable natural person through data held or controlled by Customer or Zoryxon off-chain.
- Personal Data stored off-chain in Zoryxon's managed PostgreSQL database and associated application stores (including Vault metadata references, profile data, and Verification Records) can be rectified, restricted, or deleted by Zoryxon upon valid and authenticated request from Customer, subject to legal retention obligations.
- On-Chain Records are, by design, immutable and cannot be modified or deleted once confirmed on the underlying blockchain network. Where a Data Subject requests erasure of information that has been committed to an On-Chain Record, Zoryxon will, as an appropriate technical measure, delete or anonymize associated off-chain identifiers such that the On-Chain Record can no longer be linked to the Data Subject through data held or controlled by Zoryxon.
7. Security Measures
7.1 General Standard
Zoryxon shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in accordance with Article 32 GDPR. A description of the measures is set forth in Annex II and summarized below.
7.2 Encryption
- Data at Rest. Vault contents are encrypted on the user's device using AES-256-GCM prior to upload. Managed database storage is encrypted at the storage layer using industry-standard AES-256 encryption.
- Data in Transit. All network communications between clients, the Services, and Sub-processor endpoints are protected using TLS 1.3 with modern cipher suites. Certificates are issued and rotated through automated public certificate authorities.
- Post-Quantum Signatures. Selected Trust Attestation records are anchored using ML-DSA-65 (FIPS 204) post-quantum digital signatures, with signature hashes committed on-chain, to provide defense against future quantum-capable adversaries.
7.3 Infrastructure and Sub-processors
- Managed PostgreSQL (Neon). Primary Personal Data store, operated by a provider maintaining a SOC 2 Type II compliance program and industry-standard key management.
- API Hosting (Railway). Backend services are deployed on a managed cloud platform with infrastructure-level isolation, automated patching, and operational monitoring.
- Frontend Hosting (Vercel). Static and server-rendered front-end assets are delivered via a managed edge network with TLS termination and DDoS protection.
- Blockchain RPC (Alchemy). Read and write traffic to supported blockchain networks is routed through managed RPC providers.
7.4 Access Controls
- Role-based access control (RBAC) enforced at the application layer and at the smart contract layer, with privileged roles assigned only to identified personnel or multisignature accounts;
- JSON Web Token (JWT) session authentication, with signed, short-lived tokens and server-side session revocation;
- Sign-In With Ethereum (SIWE, EIP-4361) wallet-based authentication as the primary authentication mechanism for end users; and
- Administrative access gated by multi-factor authentication and restricted to a defined allowlist of personnel.
7.5 Monitoring and Logging
- Automated application and infrastructure logging with centralized retention and access controls;
- Tamper-evident compliance audit logging using a SHA-256 hash-chained, append-only log structure, covering administrative actions, screening decisions, and security-relevant events;
- Rate limiting, anomaly detection, and request validation at the application boundary; and
- OFAC sanctions screening on wallet authentication events, configured in a fail-closed mode such that screening failures do not result in unscreened authorization.
7.6 Non-Custodial Architecture
Zoryxon does not generate, hold, or have access to user private keys, wallet seed phrases, or the decryption keys for Vault contents. This architectural property materially reduces the categories of Personal Data that Zoryxon is capable of accessing or disclosing, whether inadvertently or in response to legal process.
7.7 Incident Response
Zoryxon maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Security contacts are reachable at security@zoryxon.com. Personal Data Breach notification obligations are addressed in Section 8.
8. Data Breach Notification
8.1 Notification Obligation
Zoryxon shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of Customer.
8.2 Content of Notification
To the extent the information is available at the time of notification, Zoryxon's notification shall include:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- The name and contact details of the Zoryxon security contact (or data protection officer, where applicable) from whom further information can be obtained;
- A description of the likely consequences of the Personal Data Breach; and
- A description of the measures taken or proposed to be taken by Zoryxon to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.3 Ongoing Cooperation
Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Zoryxon shall cooperate with Customer and provide such information and assistance as Customer may reasonably request to enable Customer to comply with its obligations under Articles 33 and 34 GDPR (notification to the Supervisory Authority and communication to Data Subjects).
8.4 No Admission of Liability
Zoryxon's notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by Zoryxon of any fault or liability with respect to the Personal Data Breach.
9. Data Transfers
9.1 Transfer Mechanisms
Where Personal Data originating in the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of data protection by the European Commission (or the relevant UK or Swiss authority), Zoryxon shall rely on one or more of the following transfer mechanisms:
- The Standard Contractual Clauses, incorporated by reference in Section 14 below, in Module Two (Controller to Processor) form;
- An adequacy decision issued by the European Commission or the relevant UK or Swiss authority for the destination country, where applicable;
- The UK International Data Transfer Addendum or the UK International Data Transfer Agreement, as applicable to transfers originating in the United Kingdom; and
- Supplementary technical, contractual, and organizational measures, including encryption in transit and at rest, strict access controls, and contractual obligations on Sub-processors to notify Zoryxon of any governmental access requests to the extent legally permitted.
9.2 Blockchain-Specific Considerations
The parties acknowledge that On-Chain Records written to Arbitrum One, Ethereum, Hedera, and other supported blockchain networks are, by design, globally replicated across nodes operated by independent third parties in multiple jurisdictions. Only cryptographic derivations (such as Content Hashes and identity hashes) and public transaction metadata are written on-chain; no plaintext Personal Data is committed to any On-Chain Record by the Services. For the reasons set forth in Section 6.4, the cryptographic derivations written to On-Chain Records do not, on their own, constitute Personal Data.
9.3 Transfer Impact Assessment
Zoryxon shall, upon reasonable written request, make available to Customer information reasonably necessary for Customer to conduct a transfer impact assessment, including information regarding the jurisdictions in which Sub-processors Process Personal Data and any government-access requests received by Zoryxon during the preceding twelve (12) months (to the extent Zoryxon is legally permitted to disclose such information).
10. Data Retention and Deletion
10.1 Retention During the Term
Zoryxon shall retain Personal Data Processed on behalf of Customer only for so long as is necessary to provide the Services and to comply with its obligations under the Services Agreement, this DPA, and Applicable Data Protection Law.
10.2 Deletion or Return Upon Termination
Upon termination or expiration of the Services Agreement, or upon earlier written request by Customer, Zoryxon shall, at Customer's election, delete or return to Customer all Personal Data Processed on Customer's behalf, and shall delete existing copies, within thirty (30) days of such termination, expiration, or request, except to the extent that retention is required by applicable law, in which case Zoryxon shall continue to protect the retained Personal Data in accordance with this DPA.
10.3 Immutability of On-Chain Records
The parties acknowledge that On-Chain Records, including Content Hashes and identity hashes committed to supported blockchain networks, are immutable by design and cannot be modified or deleted by Zoryxon. As described in Section 6.4 and Section 9.2, such cryptographic derivations do not, on their own, constitute Personal Data. Where Customer requests deletion of information anchored on-chain, Zoryxon shall delete or anonymize the associated off-chain identifiers such that the On-Chain Record cannot be linked to the relevant Data Subject through data held or controlled by Zoryxon.
10.4 Backups
Personal Data residing in backups shall be deleted in accordance with Zoryxon's documented backup rotation schedule. During the period between primary deletion and backup expiry, Personal Data remains subject to the protections of this DPA.
11. Audit Rights
11.1 Scope
Upon Customer's reasonable written request, and subject to the conditions set forth in this Section 11, Zoryxon shall make available to Customer such information as is reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
11.2 Frequency and Notice
Customer may exercise its audit rights under this Section 11 no more than once in any twelve (12) month period, except where required by a Supervisory Authority or where Customer reasonably believes, based on credible evidence, that Zoryxon has materially breached this DPA. Customer shall provide not less than thirty (30) days' prior written notice of any audit, and any audit shall be conducted during regular business hours, at Customer's expense.
11.3 Audit Alternatives
Zoryxon may satisfy Customer's audit rights by providing, at Customer's reasonable request, one or more of the following: (a) summary reports or attestations prepared by independent third-party auditors, including SOC 2 Type II reports covering Zoryxon or its Sub-processors; (b) redacted summaries of penetration tests or vulnerability assessments; or (c) written responses to reasonable data-protection questionnaires. On-site audits shall be permitted only where the information provided under (a) through (c) is insufficient to demonstrate compliance with respect to the matter under review.
11.4 Confidentiality
Information obtained by Customer or its auditors pursuant to this Section 11 is Zoryxon's confidential information and may be used solely for the purpose of verifying compliance with this DPA. Customer shall ensure that its auditors are bound by written confidentiality obligations no less protective than those of the Services Agreement.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set forth in the Services Agreement. In no event shall either party's aggregate liability arising out of or relating to this DPA exceed the aggregate amounts paid by Customer to Zoryxon for the Services during the twelve (12) months preceding the event giving rise to the claim. Nothing in this DPA limits any liability that cannot be limited or excluded under Applicable Data Protection Law, including liability of Zoryxon or Customer to a Data Subject under Article 82 GDPR.
13. Term and Termination
This DPA shall remain in effect for so long as Zoryxon Processes Personal Data on behalf of Customer under the Services Agreement and shall terminate automatically upon expiration or termination of the Services Agreement, subject to the obligations of the parties that, by their nature, are intended to survive such termination, including obligations relating to the confidentiality, return, or deletion of Personal Data, liability, audit, and governing law.
14. Standard Contractual Clauses
14.1 Incorporation
Where the Processing of Personal Data involves a "transfer" within the meaning of Chapter V GDPR from the EEA to a third country that has not been deemed adequate, the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 are hereby incorporated into this DPA by reference and shall apply to such transfers, with Module Two (Controller to Processor) applying to transfers between Customer (as data exporter) and Zoryxon (as data importer).
14.2 Selections and Options
- Clause 7 (Docking Clause) shall apply.
- Clause 9(a) — Option 2 (General written authorization) shall apply, with a notice period of thirty (30) days as set forth in Section 5.3.
- Clause 11(a) — the optional independent dispute resolution language shall not apply.
- Clause 17 — the parties elect Option 1; the governing law of the Standard Contractual Clauses shall be the law of Ireland.
- Clause 18(b) — the parties elect the courts of Ireland as the competent courts.
14.3 United Kingdom Transfers
For transfers from the United Kingdom, the parties agree that the UK International Data Transfer Addendum to the Standard Contractual Clauses, issued by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018, is incorporated by reference and shall apply to such transfers, with the Standard Contractual Clauses as modified by the UK Addendum governing the relevant Processing activities.
14.4 Precedence
In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses (as supplemented by any applicable UK Addendum), the Standard Contractual Clauses shall prevail.
15. Governing Law
Except as expressly set forth in Section 14 with respect to the Standard Contractual Clauses, this DPA is governed by, and shall be construed in accordance with, the laws of the State of Ohio, United States, without regard to its conflict-of-laws provisions. Any disputes arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions of the Services Agreement, except where Applicable Data Protection Law requires that particular disputes be resolved in a specified forum, in which case such requirement shall control.
Annex I — List of Parties, Description of Transfer, and Competent Supervisory Authority
A. List of Parties
Data Exporter (Controller): The Customer identified in the Services Agreement. Customer's full legal name, registered address, contact person name, position, and contact details are those set forth in the Services Agreement or associated order form. Activities relevant to the data transferred under the Standard Contractual Clauses: Customer's use of the Services to Process Personal Data in connection with Customer's own business purposes.
Data Importer (Processor): Zoryxon LLC, an Ohio limited liability company. Registered address: State of Ohio, United States. Contact person: Privacy Office. Contact details: privacy@zoryxon.com. Activities relevant to the data transferred under the Standard Contractual Clauses: provision of the Zoryxon Services, including IP registration, Vault storage references, licensing, marketplace functionality, proof generation, and identity trust features.
B. Description of Transfer
| Item | Description |
| --- | --- |
| Categories of Data Subjects | Customer's authorized users of the Services, including creators, licensees, and Customer personnel. |
| Categories of Personal Data | Wallet addresses; account identifiers; display names, email addresses, and other voluntarily provided profile data; Vault metadata and associated decentralized storage identifiers; licensing records; Verification Records (including humanity verification tier and OFAC screening outcome); session, audit, and security log entries; communications with Zoryxon support. |
| Special Categories of Data | None Processed by default. Customer shall not submit special categories of Personal Data except as expressly agreed in writing pursuant to Section 3.4. |
| Frequency of Transfer | Continuous, for the duration of the Services Agreement. |
| Nature of Processing | Hosting, storage, retrieval, organization, transmission, cryptographic hashing, anchoring to supported blockchain networks, audit logging, and other operations necessary to provide the Services. |
| Purpose(s) of Processing | Provision, operation, security, and improvement of the Services; compliance with legal obligations; and performance of the Services Agreement. |
| Retention Period | For the duration of the Services Agreement and thereafter as set forth in Section 10, subject to legal retention obligations. |
| Transfers to Sub-processors | Categories, subject matter, and duration as set forth in Section 5 and the Sub-processor list maintained at /subprocessors. |
C. Competent Supervisory Authority
The competent Supervisory Authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses, based on the data exporter's establishment and the Data Subjects concerned. Where the data exporter is not established in the EEA but has appointed a representative pursuant to Article 27 GDPR, the competent Supervisory Authority shall be that of the Member State in which the representative is established.
Annex II — Technical and Organisational Measures
This Annex describes the technical and organizational measures implemented by Zoryxon, as the data importer, to ensure an appropriate level of security for the Personal Data transferred. These measures supplement, and do not limit, the security-related obligations set forth in Sections 4 and 7 of this DPA.
1. Measures of Pseudonymization and Encryption of Personal Data
- Client-side AES-256-GCM encryption of Vault contents prior to transmission, with keys held exclusively by the user;
- Server-side AES-256 encryption at rest for managed database and object storage;
- TLS 1.3 encryption in transit on all network paths;
- Pseudonymization of identity information through cryptographic hashing for on-chain references;
- ML-DSA-65 (FIPS 204) post-quantum signature hash anchoring for selected Trust Attestations.
2. Measures for Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience
- Role-based access control and least-privilege provisioning at the application and infrastructure layers;
- Tamper-evident, append-only audit logging with SHA-256 hash chaining;
- Automated integrity checks on anchored Content Hashes and Verification Records;
- Managed infrastructure with automated failover, health checks, and redundancy at the cloud provider layer;
- Rate limiting, input validation, and boundary hardening in accordance with OWASP guidance.
3. Measures for Regular Testing, Assessing, and Evaluating the Effectiveness of Security Measures
- Periodic security reviews and, as the Services mature, independent third-party penetration testing and audit engagements;
- Continuous monitoring of application and infrastructure logs for anomalous activity;
- Dependency vulnerability scanning and remediation workflows integrated into the software delivery pipeline;
- Smart contract security reviews and professional audits prior to mainnet deployment of material contract upgrades.
4. Measures for User Identification and Authorization
- Sign-In With Ethereum (SIWE, EIP-4361) wallet-based authentication;
- JWT session authentication with short-lived tokens and server-side revocation;
- Multi-factor authentication for administrative access;
- OFAC sanctions screening on wallet authentication, configured to fail closed.
5. Measures for the Protection of Data During Transmission and Storage
- TLS 1.3 with modern cipher suites on all external network connections;
- Encrypted inter-service communication where supported by the managed infrastructure provider;
- Server-side encryption at rest for all managed data stores, including database storage and object storage.
6. Measures for Ensuring Physical Security of Processing Locations
- Physical security of processing locations is provided by Zoryxon's cloud infrastructure Sub-processors, which maintain industry-standard data center physical security programs (including 24/7 physical access controls, video surveillance, and biometric or multi-factor access controls).
7. Measures for Ensuring Events Logging
- Structured application and infrastructure logging with centralized collection and restricted access;
- Compliance audit logging of administrative actions and screening decisions, with SHA-256 hash-chained tamper-evidence;
- Retention of audit logs in accordance with Zoryxon's retention policy and applicable legal obligations.
8. Measures for Ensuring System Configuration, Including Default Configuration
- Infrastructure-as-code for reproducible environment configuration;
- Secure defaults for application and smart contract configurations, including pausable emergency stops on all upgradeable contracts;
- Change management procedures for production configuration modifications.
9. Measures for Internal IT and IT Security Governance and Management
- Documented information security policies and acceptable use requirements for personnel;
- Onboarding and offboarding procedures for personnel with access to Personal Data;
- Designated security contact reachable at security@zoryxon.com.
10. Measures for Certification/Assurance of Processes and Products
- Engagement of Sub-processors that maintain recognized third-party security assurance programs (including SOC 2 Type II) where available;
- Planned professional security audits of smart contracts and application components, with summaries available to Customer on request.
11. Measures for Ensuring Data Minimisation
- Collection limited to data necessary to provide the Services;
- Client-side encryption architecture that prevents Zoryxon from accessing Vault content;
- Use of cryptographic hashes in place of raw identifiers where feasible.
12. Measures for Ensuring Data Quality
- Self-service tools enabling Customer and authorized users to review, correct, and update their Personal Data;
- Input validation and schema enforcement at the application boundary.
13. Measures for Ensuring Limited Data Retention
- Retention aligned to the period necessary to provide the Services and to comply with legal obligations, as described in Section 10;
- Deletion or anonymization upon termination of the Services Agreement or on valid instruction from Customer.
14. Measures for Ensuring Accountability
- Maintenance of records of Processing activities reasonably necessary to demonstrate compliance with this DPA;
- Internal governance processes for reviewing and approving material changes to Processing activities or Sub-processors.
15. Measures for Allowing Data Portability and Ensuring Erasure
- Support for Customer-initiated export of Personal Data in commonly used, machine-readable formats, subject to reasonable authentication;
- Support for Customer-initiated deletion of off-chain Personal Data, with the on-chain considerations described in Sections 6.4 and 10.3.
16. Measures for Sub-processors
- Contractual flow-down of data protection obligations substantially similar to, and no less protective than, this DPA;
- Ongoing monitoring of Sub-processor security posture and incident notifications;
- Publication of the current Sub-processor list at /subprocessors.
Contact
Questions about this DPA or requests relating to Personal Data Processed under it should be directed to:
© 2026 Zoryxon LLC. All rights reserved. | Patents Pending