Data Processing Agreement
For accountancy firms processing client data via CryptoLens
Template last updated: 2 May 2026
1. Parties
This Data Processing Agreement (the "DPA") is entered into between:
2. Subject matter
CryptoLens processes personal data on behalf of the Firm in order to:
- Read public blockchain data for wallet addresses supplied by the Firm
- Store wallet addresses and tax classifications associated with the Firm's end-clients
- Generate HMRC-compatible Self Assessment reports (SA108 capital gains, SA103 trading income)
- Maintain an append-only audit trail of materially significant actions
3. Categories of data
The following categories of personal data are processed:
- Wallet addresses (public on-chain identifiers)
- Email addresses (Firm staff and, where supplied, end-clients)
- Names and optional client reference codes (e.g. UTR, NINO, internal reference)
- Tax classifications, notes and computed tax figures
CryptoLens explicitly does NOT process or request the following — and the Firm warrants it will never submit them through the platform:
- Private keys
- Seed phrases or mnemonics
- Financial account credentials, exchange passwords or 2FA secrets
4. Categories of data subjects
The end-clients of the Firm whose tax position is being computed, and the Firm's own staff to the extent their email addresses and account activity are processed (see clause 3).
5. Sub-processors
CryptoLens uses the following sub-processors. The Firm consents to their engagement on the terms below.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Application database + auth | EU / UK |
| Vercel | Application hosting + edge functions | EU edge |
| Stripe | Subscription + one-off billing | UK |
| Resend | Transactional email delivery | EU |
| CoinGecko | Market price data (no PII transferred) | Global |
6. Security measures
- Postgres row-level security (RLS) isolates every Firm's data from every other Firm's data for all requests made with end-user credentials; the service role, which bypasses RLS, is restricted and audit-logged as described below
- API keys and OAuth refresh tokens are encrypted at rest with AES-256
- All in-flight traffic is protected by TLS 1.2 or higher
- ICO registration: not yet applied for. CryptoLens is currently operated as a personal project and will register with the UK Information Commissioner's Office before commercial processing begins (that is, before the first paying client is onboarded). Once issued, the registration number will be published here.
- Production access is restricted to the service-role admin and is itself audit-logged
7. Data retention
- Wallets and transactions: retained until the Firm or end-user deletes them
- Filed-report snapshots: retained until the Firm requests deletion
- Audit log entries: retained immutably for 7 years to cover the HMRC enquiry window
- On account closure, all non-audit data is purged within 30 days
8. Sub-processor changes
CryptoLens will give the Firm at least 30 days' notice before engaging a new sub-processor or replacing an existing one. The Firm may object to the change in writing within that period; if the parties cannot agree on safeguards, the Firm may terminate this agreement and receive a pro-rata refund of any prepaid fees.
9. Term and termination
This DPA takes effect on the date of signature and continues for the life of the Firm's CryptoLens subscription. On termination, CryptoLens will, at the Firm's option, return or delete all personal data within 30 days, except where retention is required by law (audit log — clause 7).