Data Processing Agreement
Last updated: March 3, 2026
1. Introduction and Scope
This Data Processing Agreement (DPA) forms part of the agreement between Fyntra Tech (“Processor”) and the organization subscribing to the Fyntra platform (“Controller”). It governs the processing of personal data that the Controller submits to the Fyntra platform in connection with the services provided. This DPA applies to the extent that Fyntra processes personal data on behalf of the Controller and such processing is subject to applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other relevant legislation.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person processed by Fyntra on behalf of the Controller through the platform. “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion. “Sub-processor” means any third party engaged by Fyntra to process Personal Data on behalf of the Controller. All other terms used in this DPA have the meanings given to them in applicable data protection legislation.
3. Roles and Responsibilities
The Controller determines the purposes and means of processing Personal Data submitted to the Fyntra platform. Fyntra acts as a Processor, processing Personal Data only on documented instructions from the Controller, except where required by applicable law. The Controller is responsible for ensuring a lawful basis for processing, obtaining necessary consents from data subjects, and complying with data subject rights requests.
4. Types of Data Processed
The Personal Data processed through the Fyntra platform typically includes: trader names, email addresses, and contact details; identification documents submitted for KYC verification; financial data such as trading account balances, transaction history, and payout records; device and access log data including IP addresses and browser information; and any other data the Controller chooses to upload or configure within the platform.
5. Processing Instructions
Fyntra will process Personal Data only in accordance with the Controller’s documented instructions, which are defined by the Controller’s use and configuration of the platform. If Fyntra believes an instruction infringes applicable data protection law, it will promptly inform the Controller. Additional or special processing instructions may be agreed upon in writing between the parties.
6. Security Measures
Fyntra implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include: encryption of data in transit (TLS 1.2+) and at rest (AES-256); strict role-based access controls; regular security assessments and vulnerability scanning; secure infrastructure hosted on Google Cloud Platform with SOC 2 certified data centers; automated audit logging of all administrative actions; and incident detection and response procedures.
7. Sub-processors
The Controller authorizes Fyntra to engage Sub-processors to assist in providing the services. Current Sub-processors include cloud infrastructure providers (Google Cloud Platform), payment processors (Stripe), email delivery services (Resend), and KYC verification providers (SumSub). Fyntra will maintain an up-to-date list of Sub-processors and will notify the Controller of any intended changes, giving the Controller the opportunity to object. Fyntra ensures that Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Fyntra ensures that appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or transfers to countries with an adequacy decision. The Controller may request information about the specific transfer mechanisms in use at any time.
9. Data Subject Rights
Fyntra will assist the Controller in fulfilling data subject rights requests, including requests for access, rectification, erasure, data portability, restriction of processing, and objection to processing. If Fyntra receives a request directly from a data subject, it will promptly redirect the request to the Controller unless legally required to respond directly. The platform provides self-service tools that enable the Controller to respond to many data subject requests without requiring Fyntra’s intervention.
10. Data Breach Notification
In the event of a Personal Data breach, Fyntra will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach and the categories and approximate number of data subjects affected; the likely consequences of the breach; the measures taken or proposed to mitigate the breach; and the contact details of Fyntra’s designated point of contact. Fyntra will cooperate with the Controller in investigating and remediating the breach.
11. Audits and Compliance
Fyntra will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. Upon reasonable notice, the Controller or its authorized auditor may conduct audits of Fyntra’s processing activities, subject to appropriate confidentiality obligations. Fyntra may also provide compliance documentation, certifications, or third-party audit reports as an alternative to on-site audits where appropriate.
12. Data Retention and Deletion
Upon termination of the services or upon the Controller’s written request, Fyntra will delete or return all Personal Data processed on behalf of the Controller, unless retention is required by applicable law. The Controller may export its data through the platform’s built-in export features at any time during the subscription period. Fyntra will certify deletion upon request.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the underlying service agreement between the parties. Nothing in this DPA limits either party’s liability for breaches of applicable data protection laws to the extent that such liability cannot be limited by contract.
14. Contact
For questions about this Data Processing Agreement or to exercise any rights under it, please contact Fyntra’s data protection team at privacy@fyntratech.io.