Data Processing Addendum (DPA) — Template
DRAFT — TEMPLATE — FOR REVIEW BY INDEPENDENT LEGAL COUNSEL. Designed to satisfy GDPR Article 28, UK GDPR equivalents, CCPA service provider requirements, and the data-protection obligations EU/UK trade-finance banks impose on third-party processors. Customer-specific modifications likely required (e.g., DPF certification status, sub-processor lists, cross-border transfer mechanisms).
This Data Processing Addendum ("DPA") is incorporated by reference into the Master Services Agreement ("MSA") between OilFlow Network, Inc. ("Processor" or "OilFlow") and the Customer named in the MSA ("Controller" or "Customer").
1. Subject Matter and Roles
1.1 OilFlow processes Customer Data solely on Customer's documented instructions, as a Processor (GDPR) / Service Provider (CCPA). Customer is the Controller / Business.
1.2 The subject matter, nature, purpose, duration, and categories of Personal Data are described in Schedule 1.
2. Customer Instructions
2.1 The MSA, this DPA, and any Order Form constitute Customer's complete and final instructions to OilFlow for processing Personal Data.
2.2 OilFlow will not process Personal Data for any purpose other than performing the Services, except where required by law (in which case OilFlow will notify Customer unless prohibited).
3. Confidentiality
3.1 OilFlow ensures personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
4. Security Measures
4.1 OilFlow shall implement the technical and organizational measures described in Schedule 2, including encryption in transit (TLS 1.2+), encryption at rest (AES-256 via Supabase + Vercel KMS), role-based access control, audit logging (via apirequestlog, migration 118), and principle-of-least-privilege service-role separation.
4.2 OilFlow shall regularly review and update measures to account for state-of-the-art protections.
5. Sub-processors
5.1 Customer authorizes OilFlow to engage the sub-processors listed in Schedule 3 (the "Approved Sub-processors").
5.2 OilFlow will notify Customer of any new or replaced sub-processor at least 30 days in advance. Customer may object on reasonable data-protection grounds; if not resolved, Customer may terminate the affected Services.
5.3 OilFlow shall impose data-protection obligations on each sub-processor at least as protective as those in this DPA, and shall remain liable for sub-processor performance.
6. Data Subject Rights
6.1 OilFlow shall, taking into account the nature of processing, assist Customer (insofar as possible) in fulfilling Customer's obligation to respond to data-subject requests for access, rectification, erasure, restriction, portability, and objection.
6.2 If OilFlow receives a request directly from a data subject, OilFlow shall not respond directly except to confirm that the request must go through Customer, and shall forward the request to Customer promptly.
7. Personal Data Breach
7.1 OilFlow shall notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting Customer Data. The notice shall include the information required under Article 33(3) GDPR.
7.2 OilFlow shall cooperate with Customer's investigation and remediation.
8. International Data Transfers
8.1 Where OilFlow processes Personal Data in a third country that lacks an adequacy decision, the parties shall execute the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum, incorporated by reference.
8.2 Customer acknowledges OilFlow's primary processing infrastructure is operated by:
- Supabase (Singapore region for APAC customers; Frankfurt for EEA; US-East-1 for US)
- Vercel (edge globally; primary in US)
- Anthropic API (US-based)
9. Audit Rights
9.1 OilFlow shall make available all information necessary to demonstrate compliance with this DPA.
9.2 OilFlow shall, upon Customer's reasonable request and no more than once per twelve (12) months (or more frequently following a Personal Data breach), allow Customer or an independent auditor (subject to confidentiality) to audit OilFlow's compliance. The audit shall not unreasonably interfere with OilFlow's operations and shall be at Customer's cost (unless the audit identifies material non-compliance, in which case OilFlow bears reasonable costs).
9.3 OilFlow may satisfy this obligation by providing a current third-party attestation (SOC 2 Type II or equivalent) when available.
10. Deletion or Return on Termination
10.1 On termination of the MSA, OilFlow shall, at Customer's option, delete or return all Personal Data within 30 days, except where retention is required by law. Audit logs (apirequestlog) are retained for the period required to support Customer's regulatory obligations, typically 7 years for financial-services customers.
11. CCPA-Specific Terms (where applicable)
11.1 OilFlow shall not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services; (c) combine Personal Data received from Customer with data from any other source except as needed to perform the Services.
12. Liability
12.1 Liability under this DPA is governed by the limitation-of-liability provisions in the MSA, except where applicable law prohibits such limitation (e.g., direct GDPR Article 82 claims by data subjects).
Schedule 1 — Processing Description
| Item | Description |
|---|---|
| Subject matter | Compliance-screening services (sanctions, regulatory tradability, scam-cluster intelligence) for counterparty due diligence in physical commodity trade |
| Duration | The term of the MSA + any retention period required by law |
| Nature and purpose | Automated screening of counterparty data against sanctions lists, regulatory rule databases, and verified fraud-cluster intelligence; provision of structured results for Customer's compliance workflows |
| Types of Personal Data | Counterparty company names, director names, beneficial-owner names, addresses, identifiers; data submitted via /api/v1/kyc/screen and /api/v1/clusters/check |
| Categories of data subjects | Directors, officers, and beneficial owners of Customer's counterparties; individuals named in counterparty submissions |
Schedule 2 — Technical and Organizational Measures
| Control area | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ (HTTPS only) for all customer-facing endpoints |
| Encryption at rest | AES-256 via Supabase managed Postgres + Vercel KMS |
| Access control | Role-based (RBAC) via Supabase auth + service-role separation; MFA enforced for admin access |
| Audit logging | Append-only apirequestlog table; retention per Section 10 |
| Vulnerability management | Automated dependency scanning via Dependabot; Sentry instrumentation for runtime errors |
| Personnel security | Background checks for personnel with production access; confidentiality obligations |
| Sub-processor management | Documented in Schedule 3; 30-day notice for changes |
| Incident response | Defined runbook; 72-hour breach notification commitment |
| Business continuity | Daily Supabase point-in-time backups (7-day window standard, longer on request); Vercel global edge redundancy |
| Data minimization | Raw request body and raw response body NOT stored; only redacted summaries + cryptographic hashes |
Schedule 3 — Approved Sub-processors
| Sub-processor | Purpose | Location | DPA / SCCs |
|---|---|---|---|
| Supabase Inc. | Managed Postgres + auth + storage | Region-specific (per customer preference) | Supabase DPA + SCCs |
| Vercel Inc. | Application hosting + edge CDN | US primary, global edge | Vercel DPA + SCCs |
| Anthropic, PBC | AI inference (Claude API) — used internally for agent reasoning; NOT used for customer-screening output | US | Anthropic DPA + SCCs |
| Resend (Resend Inc.) | Transactional email (e.g., audit log export delivery) | US | Resend DPA + SCCs |
| Stripe, Inc. | Billing and invoicing | US | Stripe DPA + SCCs |
OilFlow will provide an updated list on request and in advance of any material change.
[Customer signature block] [OilFlow signature block]