Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between IPrio (“Processor”, “we”, “us”) and the User (“Controller”, “you”, “your”), collectively the “Parties”.

This DPA governs the processing of personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and ensures appropriate protection, transparency, and compliance.

By using the IPrio Platform, you agree to this DPA.

1. Definitions

  • “Personal Data”: Any information relating to an identified or identifiable natural person.
  • “Processing”: Any operation performed on personal data (collection, storage, use, etc.).
  • “Controller”: You, the User who determines the purpose and means of processing.
  • “Processor”: IPrio, processing data on your behalf.
  • “Sub-Processor”: Third parties engaged by IPrio to support the service.
  • “Applicable Law”: GDPR and relevant data protection laws.

2. Subject Matter & Purpose

IPrio processes Personal Data to provide:

  • Account creation and authentication
  • File upload, hashing, timestamping, and secure storage
  • Certificate generation and verification
  • Token purchases and invoicing
  • Platform communication and support
  • Security, logging, analytics, and service operations

Personal Data is processed solely for providing the Service and never for advertising, resale, profiling, or unrelated purposes.

3. Categories of Data Processed

3.1. Provided by the Controller

  • Name
  • Email address
  • Account credentials
  • Uploaded digital files (for hashing + timestamping only)
  • Support requests

3.2. Collected Automatically

  • Device information
  • IP address
  • Browser/OS details
  • Usage logs
  • Cookies

3.3. Payment Data

Processed by Lemon Squeezy (Merchant of Record), not by IPrio.
IPrio never stores or accesses credit card numbers.

4. Obligations of the Processor (IPrio)

We agree to:

4.1. Process Only Under Instructions

We process Personal Data only:

  • under your documented instructions, and
  • as required to deliver the IPrio Service.

4.2. Confidentiality

All personnel handling data are:

  • bound by confidentiality obligations
  • trained in data protection practices

4.3. Security Measures

We implement technical & organizational measures including:

  • Encryption in transit & at rest
  • Access control and audit logs
  • Secure hashing
  • Redundant backups
  • Infrastructure hardening
  • Continuous monitoring

Details appear in our Security & Compliance section.

4.4. No Access to File Content

Uploaded files are never opened, viewed, analyzed, or processed beyond:

  • hashing
  • timestamping
  • verification

4.5. Sub-Processors

We use GDPR-compliant Sub-Processors including:

  • Cloud hosting providers
  • Trusted timestamp authorities (TSPs)
  • Blockchain networks (hash only)
  • Email and operational tools
  • Lemon Squeezy (payments)

A full list is available upon request.

We remain fully responsible for Sub-Processors.

4.6. Data Breach Notification

If a Personal Data breach occurs, we will:

  • notify you without undue delay
  • provide known details
  • support remediation

5. Obligations of the Controller (User)

You agree to:

  • Ensure you have a lawful basis for uploading files containing personal data
  • Secure your account credentials
  • Comply with GDPR obligations as a Controller
  • Not upload illegal or prohibited content
  • Provide accurate and lawful instructions

6. International Data Transfers

Your data may be processed or stored outside the EU/EEA.
IPrio ensures that all transfers comply with:

  • GDPR Chapter V
  • Standard Contractual Clauses (SCCs), where required
  • Adequacy decisions
  • Equivalent safeguards

7. Data Subject Rights

IPrio assists the Controller in fulfilling GDPR rights requests:

  • Access
  • Rectification
  • Erasure (“Right to be forgotten”)
  • Restriction
  • Portability
  • Objection
  • Withdrawal of consent

Requests must be submitted via: support@iprio.io

8. Data Retention & Deletion

8.1. During the Subscription

We store Personal Data only as long as necessary to provide the Service.

8.2. Upon Account Closure

Upon request or account deletion:

  • Personal Data is deleted
  • Files are removed from storage
  • Backups purge data within the standard cycle

Blockchain timestamps cannot be deleted (immutable).
Only the hash — not the file nor personal data — is stored on-chain.

9. Audit Rights

The Controller may request information to verify compliance.
IPrio will provide:

  • security summaries
  • compliance documentation
  • answers to reasonable data protection inquiries

Formal audits require 30-day notice and may be subject to fees.

10. Sub-Processors

Current Sub-Processors include (but are not limited to):

  • Lemon Squeezy – Payments
  • Cloud infrastructure providers – File storage & servers
  • Email delivery services – Notifications
  • Trusted Timestamp Providers (TSPs)
  • Blockchain networks – Hash anchoring (no personal data)

We will notify you of material changes to Sub-Processors.

11. Liability

Liability is governed by the main Terms of Service.
Nothing in this DPA increases either party’s liability beyond what is stated in the Agreement.

12. Term & Termination

This DPA remains in effect while IPrio processes Personal Data on your behalf.

Upon termination:

  • All processing ceases
  • Data is deleted or anonymized per Section 8
  • Blockchain entries remain immutable (hash only)

13. Governing Law

This DPA is governed by the laws of the Republic of North Macedonia, unless overriding customer protection laws apply.

14. Contact

For privacy or data processing inquiries:

IPrio Data Protection Office
Email: support@iprio.io
Website: https://iprio.io

Last updated: 24 Dec 2025
