Data Processing Agreement 〔Summary terms〕

• Parties: Customer as Controller, BridgTime as Processor

  
  

• Purpose: preparation of RVA drafts, evidence standardization, issue flags, proof links, optional on chain hash of RVA, audit logging

  
  

• Data subjects and categories: customer staff contact data, transaction related evidence in uploads, technical logs necessary for security and support

  
  

• Security measures: encryption in transit and at rest, key management with KMS or HSM, access control with RBAC and ABAC, request signing and mTLS, audit logs with retention controls

  
  

• Subprocessors: BridgTime may engage cloud and logging providers and will maintain a public list and notify of changes; the same level of protection applies

  
  

• International transfers: where applicable apply EU standard contractual clauses and UK addendum with a transfer impact assessment

  
  

• Assistance: reasonable help with data subject requests, DPIA, incident handling

  
  

• Breach notice: without undue delay after becoming aware and with continuous updates

  
  

• Deletion and return: upon termination delete or return off chain data at customer choice; on chain records are public and immutable but contain only hash and minimal status

  
  

• Audit: documentary audits and security summaries first; site visits on reasonable notice and scope

• Contact: Info@bridgtime.com