Data Processing Addendum
INTRODUCTION
Last Updated on October 2025
This Data Processing Addendum (“DPA”) is an addendum to the Master Service Agreement between the entities operating under the Liminal brand (the “Processor”) and its clients (each a “Controller”) and governs the processing of Personal Data under the Principal Agreement.
This DPA is publicly available and incorporated by reference into all agreements for which you (the Controller) engage the Processor to process Personal Data on your behalf.
Definitions
- "Controller": The entity that determines the purposes and means of the processing of Personal Data. For the purpose of this DPA, "Controller" refers to our clients.
- "Processor": The entity that processes Personal Data on behalf of the Controller. For the purpose of this DPA, "Processor" refers to entities operating under the Liminal brand.
- "Personal Data": Any information that relates to an identified or identifiable natural person and that the Processor processes on behalf of the Controller.
- "Sub-processor": Any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
- "Services": The wallet infrastructure solutions and related services provided by the Processor to the Controller as described in the Principal Agreement.
Details of the Data Processing
The parties acknowledge that the Processor processes Personal Data in the course of providing the Services to the Controller. The general details of this processing are as follows:
USE OF THE SERVICE
- Subject Matter of Processing: The provision of the Services to the Controller.
- Nature and Purpose of Processing: The Processor processes Personal Data as necessary to provide the functionality of the Services as described in the Master Service Agreement.
- Categories of Data Subjects: Controller and its End-users and customers.
- Categories of Personal Data: This may include, but is not limited to, contact information (e.g., name, email), identification data, technical usage data, and any other information the Controller chooses to collect through the Services.
- Duration of Processing: The duration of the Principal Agreement, unless otherwise instructed by the Controller.
Processor’s Obligations
The Processor agrees to the following obligations:
- Processing on Instructions: The Processor will process Personal Data only on the documented instructions of the Controller.
- Confidentiality: The Processor ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.
- Security Measures: The Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  - The Processor maintains an Information Security and Privacy Management System certified to ISO/IEC 27001 and ISO/IEC 27701, and compliant with SOC 2 Type II controls.
  - Measures include encryption in transit and at rest, access controls, monitoring, incident management, and vulnerability management.
- Sub-Processors: The Processor may engage Sub-processors to provide the Services.
  - The list of sub-processors is maintained internally and can be provided upon request by contacting our Data Protection Officer at [email protected].
  - The Processor will impose the same data protection obligations on its Sub-processors as set out in this DPA.
  - The Controller will be notified of changes to the Sub-processor list and may object where justified.
- Data Subject Rights: The Processor will assist the Controller, where possible and relevant to the nature of the Services, in fulfilling its obligations to respond to requests from Data Subjects.
- Personal Data Breach Notification: The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach, including details necessary for the Controller to meet its obligations.
- Assistance with Compliance: The Processor will provide reasonable assistance to the Controller in conducting data protection impact assessments or prior consultations with regulators, where relevant.
- Return or Deletion: Upon termination of the Services, the Processor will, at the Controller's request, return or securely delete all Personal Data, unless required by law to retain it.
Controller’s Obligations
The Controller is responsible for the following:
- Compliance with Law: The Controller must comply with all applicable data protection laws in its processing of Personal Data. This includes providing a privacy policy to its end-users and obtaining a valid legal basis for processing.
- Lawful Instructions: The Controller ensures that its instructions to the Processor comply with all relevant laws.
Audits and Compliance
- The Processor will maintain records of its processing activities and make information available to the Controller upon request to demonstrate compliance with this DPA.
- As primary evidence, the Processor will provide certifications and reports (e.g., ISO 27001, ISO 27701, SOC 2 Type II).
- Where additional audits are requested, these may be conducted subject to reasonable notice, scope, and cost arrangements agreed between the Parties.
International Data Transfers
- Where Personal Data is transferred across jurisdictions, the Processor ensures equivalent safeguards consistent with ISO/IEC 27701 privacy principles, ISO/IEC 27001 security standards, and contractual commitments with Sub-processors.
General Provisions
- This DPA forms an integral part of the Master Services Agreement (“MSA”) and supplements it with respect to the processing of personal data. In the event of any conflict between this DPA and the MSA, the terms of this DPA shall prevail solely with respect to data protection and processing obligations.
- This DPA and the MSA are interdependent. Termination or expiration of the MSA shall automatically terminate this DPA. Neither this DPA nor the MSA may be terminated separately while the other remains in effect.
- This DPA is subject to the governing law and dispute resolution provisions of the MSA, except to the extent overridden by mandatory data protection laws.
- If you have any questions or concerns about our data collection and use of your Personal Data, please contact the data protection officer at [email protected]