Data Processing Agreement
Standard DPA template for Sentinel and Enterprise customers processing personal data through Allowance Guard.
Who Needs a DPA?
A Data Processing Agreement is available for Sentinel tier and Enterprise API customers who process personal data (e.g., monitoring wallets on behalf of third parties, compliance reporting for organizations).
If you are using Allowance Guard for your own wallets only, a DPA is typically not required. Contact us if you are unsure.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Customer"): The entity subscribing to Allowance Guard Sentinel or Enterprise tier
- Data Processor ("Allowance Guard"): The Allowance Guard platform and its operators
This DPA supplements and forms part of the Terms of Service.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
"Processing" means any operation performed on personal data, including collection, storage, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means the identified or identifiable person to whom the personal data relates.
"Sub-processor" means a third party engaged by the Processor to process personal data on behalf of the Controller.
3. Scope of Processing
| Subject matter | Provision of wallet security monitoring and token approval management services |
| Duration | For the term of the Customer's subscription, plus data retention periods specified in the Privacy Policy |
| Nature & purpose | Scanning blockchain networks for token approvals, calculating risk scores, sending alerts, generating compliance reports |
| Categories of data | Wallet addresses (public blockchain data), email addresses, team member names, monitoring preferences, approval/risk data |
| Categories of data subjects | Customer's team members, wallet owners monitored by the Customer |
4. Processor Obligations
Allowance Guard shall:
- a) Process personal data only on documented instructions from the Customer, including transfers to third countries
- b) Ensure that persons authorized to process personal data have committed to confidentiality
- c) Implement appropriate technical and organizational security measures (see Section 5)
- d) Engage sub-processors only with prior written consent and under a written contract imposing equivalent obligations
- e) Assist the Customer in responding to data subject requests (access, rectification, erasure, portability)
- f) Assist with Data Protection Impact Assessments where required
- g) Delete or return all personal data upon termination at the Customer's choice, unless retention is required by law
- h) Make available all information necessary to demonstrate compliance with GDPR Article 28
- i) Notify the Customer without undue delay (and within 72 hours) upon becoming aware of a personal data breach
5. Technical & Organizational Measures
Encryption
Data encrypted at rest (AES-256) and in transit (TLS 1.2+). API keys hashed before storage.
Access Control
Role-based access, session-based authentication, CSRF protection, rate limiting on all endpoints.
Audit Logging
All data access and modifications logged with actor, timestamp, and action. Logs retained for 90 days.
Infrastructure
Hosted on Vercel (SOC 2). Database on Neon (encrypted, isolated). Redis on Upstash (encrypted).
Incident Response
Automated error monitoring (Rollbar). Breach notification within 72 hours per GDPR Article 33.
Data Minimization
Only data necessary for service delivery is collected. Automated cleanup of expired data.
6. Sub-processors
The Customer consents to the use of the following sub-processors. Allowance Guard will notify the Customer at least 30 days before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting & CDN | US / Global Edge |
| Neon Inc. | PostgreSQL database hosting | US / EU |
| Upstash Inc. | Redis caching & rate limiting | US / EU |
| Stripe Inc. | Payment processing | US / EU |
| Postmark (ActiveCampaign) | Email delivery | US |
| Rollbar Inc. | Error monitoring (anonymized) | US |
7. International Data Transfers
Where personal data is transferred outside the EEA, Allowance Guard relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other valid transfer mechanisms under GDPR Chapter V. Copies of applicable SCCs are available upon request.
8. Data Subject Rights
Allowance Guard provides the following tools to help Customers fulfill data subject requests:
- Access & Portability: GET /api/user/export (full data export in JSON format)
- Erasure: DELETE /api/user/delete (complete account and data deletion)
- Rectification: Account settings page for profile updates
- Restriction: Wallet monitoring can be paused per-wallet
9. Term & Termination
This DPA is effective for the duration of the Customer's subscription. Upon termination, Allowance Guard will delete all Customer personal data within 30 days, unless retention is required by law. The Customer may request a data export before termination.
Provisions related to confidentiality, liability, and data protection survive termination.
Request a Signed DPA
To execute this DPA for your organization, contact us with your company details:
- Email: legal.support@allowanceguard.com
- Subject: "DPA Request — [Company Name]"
- Include: Company name, registered address, Allowance Guard account email, subscription tier
We aim to process DPA requests within 5 business days.
Last updated: April 2, 2026
This DPA template is part of our Terms of Service and Privacy Policy.
