Data Processing Addendum

1. Definitions

• "Customer" means the customer entity under the Agreement.
• "Customer Personal Data" means personal data contained in Customer Data (as defined in the Agreement) that Eagle Virtual processes on Customer's behalf — for example, blockchain addresses, watchlist entries, labels, and notes Customer submits for screening, to the extent they relate to an identified or identifiable natural person.
• "Data Protection Laws" means all laws applicable to the processing of Customer Personal Data under the Agreement, including (as applicable) EU Regulation 2016/679 ("GDPR"), the GDPR as incorporated into UK law ("UK GDPR") and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), and Brazil's Lei Geral de Proteção de Dados, Law 13.709/2018 ("LGPD").
• "SCCs" means the standard contractual clauses for the transfer of personal data to third countries annexed to European Commission Implementing Decision (EU) 2021/914.
• "UK Addendum" means the UK Information Commissioner's International Data Transfer Addendum to the EU SCCs (version B1.0).
• "Controller," "processor," "data subject," "personal data," "personal data breach," and "processing" have the meanings given in the GDPR; "operador" and "controlador" have the meanings given in the LGPD and map to processor and controller respectively.

2. Roles and Scope

• Customer as controller; Eagle Virtual as processor. For Customer Personal Data, Customer is the controller (or a processor acting on behalf of its own controllers, in which case Customer warrants it is authorized to engage Eagle Virtual as a sub-processor) and Eagle Virtual is a processor (LGPD: operador), processing only as described in Annex A.
• Eagle Virtual as independent controller. Eagle Virtual acts as an independent controller — not as Customer's processor — for account, billing, support, usage, and security data, and for the public-source compliance data it compiles and publishes (see the Privacy Policy and Data We Publish). That processing is outside the scope of this DPA's processor obligations.
• Customer obligations. Customer is responsible for the lawfulness of the Customer Personal Data it submits, for having a valid lawful basis, for providing any required notices to its own data subjects, and for its instructions being lawful.

3. Processing Instructions

Eagle Virtual will process Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law to which Eagle Virtual is subject (in which case Eagle Virtual will inform Customer of that legal requirement before processing, unless the law prohibits it). The Agreement, this DPA, and Customer's configuration and use of the Service constitute Customer's complete documented instructions. Eagle Virtual will inform Customer without undue delay if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Eagle Virtual ensures that persons it authorizes to process Customer Personal Data are bound by appropriate confidentiality obligations (contractual or statutory) and process it only as needed to provide the Service.

5. Security

Eagle Virtual implements and maintains the technical and organizational measures described in Annex B, designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing (GDPR Art. 32). Eagle Virtual may update Annex B from time to time, provided the updates do not materially reduce the overall level of protection.

6. Subprocessors

• General authorization. Customer authorizes Eagle Virtual to engage the subprocessors listed at eaglevirtual.com/subprocessors, and other subprocessors as set out below.
• Notice of changes. Eagle Virtual will update the subprocessor page at least 30 days before a new subprocessor first processes Customer Personal Data (except for emergency replacements needed for security or continuity, in which case notice is given as soon as practicable). Customers may subscribe to change notifications as described on that page.
• Objection right. If Customer reasonably objects on data-protection grounds within 30 days of notice, the parties will discuss in good faith a resolution (for example, a configuration change). If none is reasonably available, Customer may terminate the affected Service and receive a pro-rata refund of prepaid fees for the unused remainder.
• Flow-down and liability. Eagle Virtual will impose data protection obligations on each subprocessor that are materially no less protective than this DPA, and remains liable to Customer for its subprocessors' performance.

7. Assistance: Data Subject Requests

Taking into account the nature of the processing, Eagle Virtual will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts Eagle Virtual directly about Customer Personal Data, Eagle Virtual will (where the data subject identifies Customer) promptly refer the request to Customer and will not respond substantively except as required by law. The Service's self-service tools (data viewing, editing, deletion, and export) are the primary assistance mechanism.

8. Assistance: Security, Breach, and Impact Assessments

Eagle Virtual will assist Customer in ensuring compliance with its obligations under GDPR Arts. 32–36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Eagle Virtual.

9. Personal Data Breach Notification

Eagle Virtual will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 72 hours of confirmation. The notification will describe, to the extent known, the nature of the breach, the categories and approximate volumes of data and data subjects concerned, the likely consequences, the measures taken or proposed, and a contact point. Eagle Virtual will provide timely updates as the investigation progresses. Notification is not an acknowledgment of fault or liability.

10. Deletion and Return

During the subscription, Customer can access, export, and delete Customer Data through the Service. Upon termination or expiry of the Agreement, Eagle Virtual will, at Customer's choice, delete or return Customer Personal Data, and will delete remaining copies within 30 days, except where storage is required by applicable law and except for issued Certified Report artifacts and their issuance records, which are retained as described in the Certified Report Terms to keep already-issued artifacts verifiable. Backup copies are deleted on the normal backup expiry cycle and remain protected until deletion.

11. Audits and Information

Eagle Virtual will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summaries of security practices (eaglevirtual.com/security) and responses to reasonable written security questionnaires (no more than once per 12-month period). Where Data Protection Laws grant Customer a mandatory audit right that cannot be satisfied by the above, Customer (or an independent auditor that is not a competitor of Eagle Virtual, bound by confidentiality) may conduct an audit limited in scope to Customer Personal Data processing, at Customer's expense, no more than once per 12-month period, on at least 30 days' written notice, during business hours, and without access to other customers' data or to information that would compromise security.

12. International Transfers

12.1 EEA transfers (SCCs)

To the extent Customer Personal Data protected by the GDPR is transferred to Eagle Virtual in a country without an EU adequacy decision, the SCCs are incorporated into this DPA by reference and apply as follows: Module Two (controller to processor) applies where Customer is a controller; Module Three (processor to processor) applies where Customer is a processor. Clause 7 (docking) is included; under Clause 9(a), Option 2 (general written authorization) applies with the 30-day notice period in Section 6; the optional language in Clause 11 is not used; under Clause 17 (Option 1) the SCCs are governed by the law of Ireland; under Clause 18 disputes are resolved by the courts of Ireland. Annex I and II of the SCCs are completed by Annexes A and B of this DPA, and Annex III by the subprocessor list. In case of conflict between the SCCs and this DPA or the Agreement, the SCCs prevail.

12.2 UK and Switzerland

For transfers subject to the UK GDPR, the UK Addendum is incorporated and amends the SCCs as set out there, with the tables deemed completed by the information in this DPA and its Annexes. For transfers subject to the Swiss FADP, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner (references to the GDPR read as references to the FADP; the competent authority is the FDPIC; Swiss data subjects may enforce their rights in Switzerland).

12.3 Brazil

To the extent Customer Personal Data protected by the LGPD is transferred internationally to Eagle Virtual, the parties rely on the transfer mechanisms recognized under LGPD Arts. 33–36 and the ANPD's international data transfer regulation (Resolução CD/ANPD nº 19/2024), including the standard contractual clauses approved by the ANPD. Because the ANPD clauses must be adopted in full, without alteration, in Portuguese, and through a signed contractual instrument, Eagle Virtual will execute the ANPD standard contractual clauses with Customer as a separate addendum upon request to legal@eaglevirtual.com, completed with the information in Annexes A and B. Eagle Virtual will reasonably cooperate with Customer on any additional documentation Brazilian law requires.

13. LGPD Provisions

Where the LGPD applies to Customer Personal Data:

• Eagle Virtual acts as operador and Customer as controlador (or as another operador, as applicable); Eagle Virtual will process Customer Personal Data only per Customer's lawful instructions and the LGPD;
• Eagle Virtual will assist Customer in responding to data subject requests under LGPD Art. 18 and in security-incident communications to the ANPD and data subjects under LGPD Art. 48, consistent with Sections 7–9;
• Eagle Virtual maintains records of its processing operations as operador and makes information available per Section 11.

14. Liability, Order of Precedence, and Term

The liability of each party under this DPA is subject to the exclusions and limitations of liability in the Agreement, except where Data Protection Laws or the SCCs do not permit such limitation. This DPA takes effect when the Agreement takes effect (or, for existing customers, on the Effective Date above) and remains in force as long as Eagle Virtual processes Customer Personal Data. If there is a conflict: the SCCs (and other incorporated transfer clauses) prevail over this DPA, and this DPA prevails over the Agreement, in each case with respect to the processing of Customer Personal Data.

Annex A — Description of Processing

• Subject matter: provision of the Eagle Virtual screening Service to Customer.
• Duration: the term of the Agreement, plus the deletion period in Section 10.
• Nature and purpose: hosting, storage, screening, monitoring, report generation, export, alerting, and related support, as configured by Customer.
• Categories of personal data: blockchain addresses and associated on-chain activity references; watchlist entries; Customer-assigned labels, names, and notes; identifiers of Customer personnel using the Service (name, email, role). No special categories of data are intended or required to be submitted; Customer agrees not to submit them.
• Categories of data subjects: natural persons associated with blockchain addresses Customer screens (for example, Customer's customers and counterparties), and Customer's authorized users.
• Frequency: continuous, as driven by Customer's use.
• Competent supervisory authority (SCC Annex I.C): determined per SCC Clause 13 based on Customer's establishment or representative.

Annex B — Technical and Organizational Measures

• Encryption in transit: TLS for all public endpoints; HSTS-capable edge.
• Access control: server-side authorization on all customer and admin APIs; least-privilege administrative access; hardware-key/SSO-protected operator accounts; no shared passwords (federated sign-in only).
• Session security: HttpOnly/Secure/SameSite session cookies, CSRF-guarded state changes, idle-session expiry.
• Infrastructure: production workloads on hardened, access-controlled infrastructure (Cloudflare edge; dedicated EU servers); separation of production and development; immutable, integrity-verified data publication (signed datasets with cryptographic verification).
• Application security: bot protection on unauthenticated entry points, WAF and rate limiting at the edge, dependency and configuration review, a published vulnerability-disclosure policy (/security).
• Logging and monitoring: centralized request and audit logging, alerting on anomalous failures, documented incident response with customer notification per Section 9.
• Resilience and backup: redundant storage, periodic verified backups, documented recovery procedures.
• Data minimization: hashed or aggregated usage accounting where feasible; screening submissions stored only as needed for the Service.
• Personnel: confidentiality obligations; access limited to personnel with an operational need.
• Vendor management: subprocessors under written data protection terms; see /subprocessors.

Annex C — Subprocessors

The current list of subprocessors, including purpose, processing locations, and links to each provider's privacy and data-processing documentation, is maintained at eaglevirtual.com/subprocessors and is incorporated into this DPA.

Contact

• DPA questions and signed copies: legal@eaglevirtual.com
• Privacy: privacy@eaglevirtual.com
• Address: Eagle Virtual LLC, 8586 Potter Park Dr., Sarasota, FL 34238, United States