This Data Processing Addendum ("DPA") forms part of the agreement between CipherJudge Forensic Engine ("Processor") and the customer ("Controller") for use of 5CIP. It applies whenever the Controller is subject to GDPR, UK GDPR, CCPA, or comparable privacy regimes (PIPL, APPI, PDPA, PDPB).
1. Roles & scope
Controller determines the purposes of processing personal data ingested into the Service (e.g., investigation subject details, contact addresses). Processor processes Personal Data only on documented instructions from Controller.
2. Processing details
- Subject matter: court-grade crypto forensic investigation services.
- Duration: the term of the Service agreement plus the retention window in the Privacy Policy.
- Nature & purpose: hosting, analysis, evidence packaging, report generation.
- Categories of data subjects: Controller's end-users (where applicable), suspects under investigation, victims, witnesses identified in case narratives.
- Categories of data: name, email, organization, wallet addresses, transaction history (publicly observable on chain), narrative descriptions, uploaded documents.
3. Security of processing
Processor maintains a documented Information Security Management program including: TLS 1.3 transport encryption; AES-256 at-rest encryption; Argon2id credential hashing; MFA on privileged accounts; WORM (MinIO Object Lock GOVERNANCE, 90-day) evidence storage; least-privilege RBAC; audit logging; signed PDF reports (GPG); independent code review; quarterly penetration testing; incident response runbook with 24h notification target for confirmed personal-data breaches.
4. Subprocessors
Controller authorizes the subprocessors listed at /subprocessors. Processor will notify Controller at least 30 days before adding a new subprocessor. Controller may object within 14 days; Processor will work in good faith to resolve the objection or suspend the affected processing.
5. International transfers
Where Personal Data of EU/EEA, UK, or Swiss data subjects is transferred outside the EEA, the Standard Contractual Clauses (Module 2 — Controller to Processor) approved by EU Commission Implementing Decision 2021/914 apply. For data subjects in the US, Processor relies on the EU-US Data Privacy Framework where applicable to its U.S. subprocessors.
6. Assistance with data-subject rights
Processor will provide reasonable assistance for Controller to respond to data-subject access, correction, deletion, and portability requests. Requests should be directed first to the Controller's own DPO; Processor responds to requests forwarded by Controller within 15 business days.
7. Breach notification
Processor will notify Controller without undue delay, and in any event within 48 hours, of becoming aware of a confirmed Personal Data breach affecting Controller data. Notification will include the nature of the breach, categories and approximate volume of data, likely consequences, and measures taken or proposed.
8. Audits
Controller may request a summary of the most recent independent security assessment ("attestation pack") annually. On-site audits may be requested with 30 days' notice and are limited to one per 12-month period.
9. Deletion or return of data
On termination, Controller may export Personal Data and evidence artifacts for 60 days. After that window, Processor deletes Personal Data within 30 days, except where retention is required by law (e.g., AML record-keeping).
10. Contact for DPA matters
Email [email protected] with subject "DPA execution" to receive a counter-signed PDF copy of this DPA with Controller-specific schedules. We can sign through DocuSign, HelloSign, or via wet ink upon request.