Data Processing Agreement (DPA)

Last Updated: March 16, 2026

1.0 Introduction

This Data Processing Agreement (“DPA”) is published by Vezgo Inc. (“we,” “us,” or “the Company”), a corporation incorporated under the laws of Ontario, Canada.

This DPA applies to all clients (“you” or “Client”) who use our services (the “Services”) and, in doing so, cause personal data of their end-users or other individuals to be processed by us on their behalf. By accepting the applicable Terms of Service — whether by clicking “I agree,” creating an account, or otherwise using the Services — you agree to this DPA.

Where you act as a Data Controller and we act as a Data Processor on your behalf, this DPA governs that relationship. Where we process personal data for our own purposes (e.g., your account data), that processing is governed by our Privacy Policy.

This DPA is incorporated by reference into our Terms of Service, available at https://vezgo.com/terms-of-service/. In the event of any conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

2.0 Definitions

Term: Meaning
Personal Data: Any information relating to an identified or identifiable natural person, including cryptocurrency holdings, digital asset data, NFT records, transaction histories, and associated metadata.
Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
Data Controller: You — the Client who determines the purposes and means of processing Personal Data through the Services.
Data Processor: Us — which processes Personal Data on your behalf in connection with the Services.
Sub-processor: Any third party we engage to assist in processing Personal Data on your behalf.
Data Subject: An individual whose Personal Data is processed under this DPA (typically your end-users).
Services: The cryptocurrency and digital asset data API services provided by the Company, as described in our Terms of Service.
Applicable Law: All applicable data protection legislation governing the processing of Personal Data under this DPA, including at minimum: (a) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); and (b) where Personal Data relates to individuals in the European Union or European Economic Area, the EU General Data Protection Regulation (GDPR) to the extent that you, as Data Controller, are subject to it.
Security Incident: Any confirmed breach of security leading to unauthorized access to, loss of, or alteration of Personal Data.
Anonymized Data: Data irreversibly de-identified so that no individual can reasonably be re-identified.

3.0 How This DPA Applies to You

This DPA applies when you use the Services provided by the Company and, in doing so, cause Personal Data of your end-users to be processed on your behalf. We act as Data Processor; you remain the Data Controller and are responsible for the lawfulness of your processing instructions.

This DPA is designed to satisfy the requirements of a data processing agreement under Canadian law (PIPEDA) and, where relevant, Article 28 of the EU General Data Protection Regulation (GDPR). If your end-users are located in the EU or EEA, this DPA governs our processing on your behalf in that capacity as well. This DPA is intended to satisfy Article 28 processor agreement requirements.

If you have questions about how this DPA applies to your GDPR obligations, please contact us as specified in Section 13.0.

4.0 What Data We Process and Why

We process Personal Data only to deliver the Services. The table below describes our processing activities.

Service Description
Purpose: Aggregation of cryptocurrency, digital asset, and NFT data via API to enable portfolio tracking, tax reporting, and analytics in your product.
Data Subjects: Your end-users; your authorized personnel.
Data Processed: Wallet addresses, exchange account data, token balances, blockchain transaction records, NFT ownership data, and technical metadata (e.g. IP addresses, API Keys, session data).
Legal Basis: Your instructions as Data Controller, pursuant to the Terms of Service and this DPA.
Retention: For the duration of your subscription plus any legally required period. Upon termination, see Section 9.0.

We do not process special categories of personal data (e.g. health, biometric, or religious data) through the Services. You must not instruct us to process such data without a separate written agreement.

5.0 Our Obligations as Data Processor

5.1 Processing on your instructions only

We process Personal Data only as necessary to deliver the Services and in accordance with your instructions, including as set out in the Terms of Service and this DPA. If we are required by law to process beyond those instructions, we will inform you to the extent legally permitted.

5.2 Confidentiality

Our personnel who access Personal Data are subject to binding confidentiality obligations and receive regular data protection training. Access is limited to those who need it to deliver the Services.

5.3 Security

We implement and maintain appropriate technical and organizational security measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
  • Role-based access controls and the least-privilege principle; MFA for privileged access;
  • Annual penetration testing by qualified third-party specialists;
  • SOC 2 Type II audits by independent auditors; alignment with ISO/IEC 27001;
  • Documented incident response and business continuity procedures.

5.4 Sub-processors

We may engage Sub-processors to help deliver the Services. By accepting this DPA, you grant us general authorization to do so, subject to: (a) we maintain an up-to-date Sub-processor list at https://vezgo.com/sub-processors; (b) we give at least 30 days’ advance notice of material changes; (c) all Sub-processors are bound by obligations no less protective than this DPA; and (d) we remain fully responsible for their compliance.

5.5 Data Subject Rights

We will assist you in responding to Data Subject rights requests (access, correction, deletion, portability). If we receive such a request directly from one of your end-users, we will not act on it unilaterally — we will redirect the individual to you as the Data Controller and notify you promptly, unless we are required by law to respond directly.

5.6 Audit Rights

We will demonstrate compliance with this DPA primarily through our current SOC 2 Type II report, which we will share upon written request. On-site or third-party audits are available only where you have reasonable documented grounds to believe the SOC 2 report is insufficient to demonstrate compliance with a specific obligation under this DPA, and are subject to our prior written approval, reasonable notice of no less than 60 days, a confidentiality agreement, and conducted at your expense. Audits may not be conducted more than once per calendar year absent a confirmed Security Incident.

6.0 Your Obligations as Data Controller

As Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for all processing instructions you give us;
  • Providing end-users with appropriate privacy notices and obtaining all required consents or otherwise establishing a lawful basis for processing;
  • Keeping access credentials, API keys, and authentication mechanisms secure;
  • Ensuring your end-users and personnel comply with our Terms of Service;
  • Notifying us promptly if you become aware of a Security Incident originating from your environment.

You represent and warrant that your instructions comply with Applicable Law. We are not responsible for your failure to meet data protection obligations that rest with you as Controller.

7.0 International Data Transfers

We primarily process Personal Data in Canada, in compliance with PIPEDA. Some Sub-processors are located outside Canada, including in the United States. Where Personal Data is transferred internationally, we ensure appropriate safeguards are in place — such as contractual clauses or recognized adequacy mechanisms — to maintain a level of protection equivalent to Canadian standards. Details are available in our Sub-processor list; refer to Section 5.4.

If your end-users are located in the European Union or European Economic Area, any transfer of their Personal Data to us is subject to GDPR Chapter V. We rely on Canada’s adequacy status under EU law and, where applicable, appropriate transfer mechanisms with our Sub-processors to ensure lawful international transfers. If you have specific questions about transfer mechanisms, please contact us as specified in Section 13.0.

8.0 Security Incident Notification

If we become aware of a Security Incident affecting Personal Data we process on your behalf, we will notify you without undue delay and, where feasible, within 72 hours. Our notification will include: the nature of the incident; the categories and estimated volume of affected Personal Data and Data Subjects; the likely consequences; and the measures taken or planned. We will cooperate with you on any notifications required to regulators or Data Subjects, and will not make public statements about an incident involving your data without your prior consent, which may be given by email, except as required by law.

9.0 Term and Data Return

This DPA remains in effect for as long as we process Personal Data on your behalf under the Terms of Service. Upon termination or expiration of your subscription, we will — at your written request made within 30 days of termination — return your Personal Data via the API or, where that is no longer available, in a commonly used electronic format upon request, or securely delete it within a reasonable period. We may retain Personal Data in secure backup systems for up to 3 months following termination, after which it will be permanently deleted. We may also retain Personal Data beyond that period only where required by law, and will continue to protect it in accordance with this DPA. Upon your request, we will confirm deletion in writing, which may be by email. Sections 1, 2, 8, 10, 11, and 12 survive termination.

10.0 Confidentiality and Data Use

We will not use Personal Data processed on your behalf for any purpose other than delivering the Services. We will not sell, rent, or otherwise make available for commercial gain your end-users’ Personal Data, and will not combine it with other clients’ data without your explicit consent. We may generate and use Anonymized Data for service improvement and performance monitoring. Both parties agree to keep confidential any non-public information exchanged in the course of using the Services.

11.0 Liability

Our liability under this DPA is subject to the limitation of liability provisions in the applicable Terms of Service. We are liable for direct losses arising from our material breach of this DPA. Neither party is liable for indirect, consequential, or punitive damages, except as required by Applicable Law. You are liable for losses arising from unlawful instructions, failure to obtain required consents, or unauthorized use of the Services by you or your end-users. Where both parties bear responsibility for a breach, liability is allocated in proportion to each party’s responsibility.

12.0 General

12.1 Governing Law

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada. Disputes shall be resolved before the courts of Ontario.

12.2 Updates to this DPA

We may update this DPA from time to time. We will post the updated version at https://vezgo.com/data-processing-agreement and notify you via email or in-product notice at least 30 days before material changes take effect. Continued use of the Services after the effective date constitutes acceptance.

12.3 Entire Agreement

Together with the applicable Terms of Service and Privacy Policy, this DPA constitutes the full agreement between the parties on data processing and supersedes any prior understandings on this subject.

12.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions continue in full force.

13.0 Contact

For questions about this DPA or data protection matters, please contact us at privacy@vezgo.com.
