Data Processing Addendum (GDPR Terms)

Effective Date: January 1, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Immut Inc. (“Processor,” “we,” “us,” or “our”) and you (the “Controller” or “Customer”) for the provision of our SaaS platform for intellectual property (IP) protection using XRPL blockchain technology (the “Services”). This DPA applies where we process personal data on your behalf as a processor under the EU General Data Protection Regulation (GDPR) and/or UK GDPR. It supplements our Privacy Policy and any main services agreement.

By using the Services, you agree to this DPA. Capitalized terms not defined here have the meanings given in the GDPR/UK GDPR.

1. Definitions

  • “Controller”: Your organization, responsible for determining the purposes and means of processing personal data.
  • “Processor”: Immut Inc., processing personal data on your behalf.
  • “Personal Data”: Any information relating to an identified or identifiable natural person processed via the Services (as described below).
  • “Processing”: Any operation performed on personal data, such as collection, storage, or disclosure.
  • “Subprocessor”: Any third party engaged by us to process personal data.

2. Processing Details

  • Subject Matter and Duration: Processing is for the provision of the Services, including IP uploads, encryption, hashing, and XRPL timestamping. Duration aligns with the Services term plus the retention period in our Privacy Policy (active subscription plus 12 months post-last payment).
  • Nature and Purpose: To enable account management, file storage/encryption, blockchain logging, user role access (e.g., sharing with viewers), audit logging, and compliance support.
  • Types of Personal Data: Names, email addresses, company names; any personal data incidentally included in uploaded IP files (e.g., within documents).
  • Categories of Data Subjects: Your employees, admins, contributors, viewers, and any individuals mentioned in uploaded content.
  • Special Categories: We do not intentionally process sensitive data, but if included in uploads, it is handled with the same security measures.

3. Obligations of the Processor

  • Instructions: We will process personal data only on your documented instructions (including this DPA and the Services agreement) unless required by law (in which case, we'll notify you unless prohibited).
  • Confidentiality: We ensure that all personnel authorized to process personal data are bound by confidentiality obligations.
  • Security: We implement appropriate technical and organizational measures, including AES-256 encryption, 2FA, role-based access, and audit logging. We comply with ISO 27001.
  • Subprocessors: We may engage subprocessors (e.g., AWS for storage, Google for analytics, Stripe for payments). Current list available upon request. We remain liable for subprocessors and will notify you of changes, allowing objection within 30 days.
  • Assistance: We will assist you with data subject requests, data protection impact assessments, prior consultations with authorities, and audits (at your expense, once annually).
  • Data Subject Requests: We'll forward requests to you and assist in fulfilling them (e.g., via data portability tools).
  • Breach Notification: We'll notify you without undue delay (within 24 hours of awareness) of any personal data breach, providing details to support your reporting obligations.
  • Data Transfers: For transfers outside the EU/UK (e.g., to US servers), we use Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or equivalent mechanisms.
  • Records: We maintain records of processing activities and make them available to you or authorities upon request.

4. Obligations of the Controller

  • You warrant that you have a lawful basis for processing and that instructions comply with data protection laws.
  • You are responsible for obtaining consents (if needed) and handling data subject requests directed to you.
  • You agree to our use of subprocessors as listed.

5. Audit Rights

You (or an independent auditor) may audit our compliance with this DPA once per year, with 30 days' notice, during business hours, and at your expense. Audits are limited to relevant documentation and facilities.

6. End of Processing

At the end of the Services or upon request, we'll delete or return all personal data (except where retention is required by law or for immutable XRPL blockchain hashes, which cannot be deleted). Deletion will occur within 30 days.

7. Liability

Our liability under this DPA is limited to direct damages, subject to the limitations in our main agreement. Each party's aggregate liability shall not exceed the fees paid in the 12 months preceding the claim.

8. Governing Law and Jurisdiction

This DPA is governed by Delaware law, without regard to conflict of laws principles. Disputes shall be resolved in the courts of Delaware.

9. Changes

We may update this DPA to reflect legal changes. We'll notify you of material updates via email or the Platform.

10. Contact

For questions, contact:

privacy@immut.io

Immut Inc.
56 Portland Street
London, UK
Back to Home