Data Processing Agreement

GDPR Article 28 Data Processing Agreement for SatsRail merchants

Effective Date: March 27, 2026

Version: 1.0

GDPR Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the SatsRail Terms of Service and governs the processing of personal data by SatsRail on behalf of merchants who are subject to the European Union General Data Protection Regulation (GDPR) or the UK GDPR.

1. Definitions

  • "Controller" means the Merchant, who determines the purposes and means of processing personal data.
  • "Processor" means SatsRail LLC, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
  • "Sub-processor" means a third party engaged by SatsRail to process Personal Data on behalf of the Controller.

2. Scope of Processing

2.1 Data Processed

SatsRail processes the following categories of personal data on behalf of merchants:

| Data Category | Examples | Purpose |
| --- | --- | --- |
| Merchant account data | Email address, business name, phone number | Account management, service delivery |
| Transaction data | Lightning invoices, payment amounts, payment status, order records | Payment processing, reporting |
| Technical data | IP addresses, API usage logs, device information | Security, service operation |

2.2 Data NOT Processed

SatsRail does not process:

  • End-customer personal data (buyer names, emails, or identity information)
  • Content data (what is being sold)
  • Wallet private keys or seed phrases

3. Obligations of the Processor

SatsRail shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure security of processing, including encryption in transit (TLS) and at rest, access controls, and regular security reviews
  • Not engage a Sub-processor without prior written authorization from the Controller
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
  • Delete or return all Personal Data upon termination of the Agreement, at the Controller's choice, subject to legal retention requirements
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations

4. Sub-processors

SatsRail currently uses the following sub-processors:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Stripe, Inc. | Subscription billing | United States |
| Amazon Web Services | Infrastructure hosting | United States |
| Google LLC (Analytics) | Website analytics | United States |

SatsRail will notify the Controller before adding or replacing a sub-processor. The Controller may object within 15 days. If an objection cannot be resolved, the Controller may terminate the Agreement.

5. International Transfers

Personal Data is stored and processed in the United States. For transfers of Personal Data from the EEA to the United States, SatsRail relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards as required by GDPR Chapter V.

6. Data Breach Notification

In the event of a Personal Data breach, SatsRail shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

7. Data Retention

SatsRail retains Personal Data as described in the Privacy Policy. Transaction data is retained for a minimum of 7 years for legal and tax compliance. Upon termination, Personal Data is deleted or returned within 90 days, except where legal retention obligations apply.

8. Audit Rights

The Controller may audit SatsRail's compliance with this DPA once per year, with at least 30 days' written notice, during normal business hours, and at the Controller's expense. SatsRail may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.

9. Contact

For questions about this DPA or to exercise rights under it, contact:

  • Compliance: compliance@satsrail.com
