Subprocessor List

1. Introduction

1.1 Purpose

Zoryxon publishes this List to provide transparency regarding the Subprocessors engaged to Process Personal Data on its behalf in connection with the provision of the Services. The List is intended to assist Customers in evaluating Zoryxon's data Processing arrangements and in fulfilling their own accountability obligations under applicable data protection law.

1.2 Statutory and Contractual Basis

This List is maintained in furtherance of Zoryxon's transparency commitments under Article 28(2) of Regulation (EU) 2016/679 (the General Data Protection Regulation), the analogous provisions of the United Kingdom GDPR, and Section 5 (Sub-processing) of the Data Processing Agreement.

1.3 Customer Notification Rights

Customers that have executed a Data Processing Agreement with Zoryxon are entitled to prior notification of, and an opportunity to object to, changes to this List in accordance with Sections 5.3 and 5.4 of the Data Processing Agreement.

1.4 Capitalized Terms

Capitalized terms used and not otherwise defined in this List have the meanings given to them in the Data Processing Agreement, the Privacy Policy, or the Terms of Service, as the context requires.

2. Definitions

• "Subprocessor" means any third party engaged by Zoryxon to Process Personal Data on behalf of a Customer in connection with the Services, as defined in Section 1 of the Data Processing Agreement.
• "Personal Data Processing" or "Processing" means any operation or set of operations performed on Personal Data, as defined in Section 1 of the Data Processing Agreement.
• "Data Controller" or "Controller" means the natural or legal person which determines the purposes and means of the Processing of Personal Data, as defined in Section 1 of the Data Processing Agreement.
• "Data Processor" or "Processor" means the natural or legal person which Processes Personal Data on behalf of the Controller. With respect to Personal Data Processed on behalf of Customers in connection with the Services, Zoryxon acts as Processor and the Subprocessors listed in Section 3 act as sub-processors.

3. Current Subprocessors

The following entities are currently engaged by Zoryxon as Subprocessors. For each Subprocessor, this List sets out the entity name, the purpose of the Processing, the categories of Personal Data Processed, the principal Processing location, and the entity's primary website. References to "Decentralized" locations indicate that the underlying network operates across globally distributed Nodes operated by independent third parties.

4. Subprocessor Change Notification

4.1 Publication on This Page

Changes to this List are published on this page, accompanied by an updated "Last Updated" date. Material changes, including the addition or replacement of a Subprocessor that Processes Personal Data, are also communicated in accordance with the procedures set forth in the Data Processing Agreement.

4.2 DPA Customer Notification

Customers that have executed a Data Processing Agreement with Zoryxon shall receive prior written notice of intended additions or replacements of Subprocessors not less than thirty (30) days in advance of the change, in accordance with Section 5.3 of the Data Processing Agreement. Notice may be provided by email to the account contact on file, by in-product notification, or by a combination thereof.

4.3 Right to Object

Customers may object in writing to a proposed Subprocessor change on reasonable and documented data protection grounds within the period and in accordance with the procedures set forth in Section 5.4 of the Data Processing Agreement.

4.4 Subscribing to Notifications

Customers and other interested parties may request to be added to the change-notification distribution for this List by emailing privacy@zoryxon.com with the subject line "Subprocessor List Notifications" and the email address to which notifications should be sent.

5. Due Diligence

Before engaging any Subprocessor that Processes Personal Data, and on a continuing basis thereafter, Zoryxon conducts due diligence appropriate to the nature, scope, and risk profile of the Processing. Such due diligence includes, where applicable: review of the Subprocessor's information security practices and certifications (such as SOC 2 Type II reports); review of the Subprocessor's data protection policies and incident-response capabilities; assessment of the Subprocessor's processing locations and applicable transfer mechanisms; and review of the Subprocessor's contractual commitments. Zoryxon enters into a written agreement with each Subprocessor that imposes data protection obligations substantially similar to, and no less protective than, those set forth in the Data Processing Agreement.

6. International Transfers

6.1 Transfer Locations

Several of the Subprocessors listed in Section 3 Process Personal Data outside the European Economic Area, the United Kingdom, and Switzerland, including in the United States. Decentralized blockchain networks operate across globally distributed Nodes, including Nodes located in jurisdictions that have not received an adequacy decision under the GDPR.

6.2 Transfer Mechanisms

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, Zoryxon relies on one or more of the following transfer mechanisms in accordance with Section 9 of the Data Processing Agreement: (a) the EU Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission; (b) the United Kingdom International Data Transfer Addendum or International Data Transfer Agreement, as applicable; (c) adequacy decisions where applicable; and (d) supplementary technical, contractual, and organizational measures, including encryption in transit and at rest and strict access controls.

6.3 Cross-References

Detailed information regarding international transfers is set forth in Annex I of the Data Processing Agreement and the corresponding section of the Privacy Policy.

6.4 Blockchain-Specific Note

On-chain records committed to decentralized blockchain networks are written to globally replicated ledgers and are not localized to any single jurisdiction. As described in the Data Processing Agreement and the Blockchain & Network Risk Disclosure, only cryptographic derivations and non-personal identifiers are written on-chain by the Services; such derivations are one-way and cannot be reversed to recover the underlying content.

7. Former Subprocessors

None. This is the initial publication of the Subprocessor List. This section is maintained for transparency and shall, in future revisions, identify Subprocessors that Zoryxon has discontinued engaging, together with the date of discontinuation.

8. Contact

Questions regarding this List, requests to be added to the change-notification distribution, or objections submitted under Section 5.4 of the Data Processing Agreement should be directed to: