Data Processing Agreement (DPA)

Last Updated: May 4, 2026

1.0 Introduction

This Data Processing Agreement (“DPA”) is published by Vezgo Inc. (“we,” “us,” or “the Company”), a corporation incorporated under the laws of Ontario, Canada.

This DPA applies to all clients (“you” or “Client”) who use our services (the “Services”) and, in doing so, cause personal data of their end-users or other individuals to be processed by us on their behalf. By accepting the applicable Terms of Service — whether by clicking “I agree,” creating an account, or otherwise using the Services — you agree to this DPA.

Where you act as a Data Controller and we act as a Data Processor on your behalf, this DPA governs that relationship. Where we process personal data for our own purposes (e.g., your account data), that processing is governed by our Privacy Policy.

This DPA is incorporated by reference into our Terms of Service, available at https://vezgo.com/terms-of-service/. In the event of any conflict between this DPA and the Terms of Service on data protection matters, this DPA prevails.

2.0 Definitions

Term | Meaning
Applicable Law | All applicable data protection legislation governing the processing of Personal Data under this DPA, including at minimum: (a) Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); and (b) where Personal Data relates to individuals in the European Union or European Economic Area, the EU General Data Protection Regulation (GDPR) to the extent that you, as Data Controller, are subject to it.
Anonymized Data | Data irreversibly de-identified so that no individual can reasonably be re-identified.
Data Controller | You — the Client who determines the purposes and means of processing Personal Data through the Services.
Data Processor | Us — which processes Personal Data on your behalf in connection with the Services.
Data Subject | An individual whose Personal Data is processed under this DPA (typically your end-users).
Exchange | Any third-party cryptocurrency exchange, wallet provider, or data provider from which Vezgo retrieves KYC Data pursuant to the Client’s instruction.
KYC Data | Identity information retrieved from exchanges or data providers on behalf of a Client who has enabled the KYC Data Retrieval feature, including but not limited to name, email address, and exchange-specific identity fields such as date of birth, address, citizenship, and account status.
Personal Data | Any information relating to an identified or identifiable natural person, retrieved from Exchanges or other data sources, including cryptocurrency holdings, digital asset data, NFT records, transaction histories, and associated metadata.
Processing | Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
Security Incident | Any confirmed breach of security leading to unauthorized access to, loss of, or alteration of Personal Data.
Services | The cryptocurrency and digital asset data API services provided by the Company, as described in our Terms of Service.
Sub-processor | Any third party we engage to assist in processing Personal Data on your behalf.

3.0 How This DPA Applies to You

This DPA applies when you use the Services provided by the Company and, in doing so, cause Personal Data of your end-users to be processed on your behalf. We act as Data Processor; you remain the Data Controller and are responsible for the lawfulness of your processing instructions.

This DPA is designed to satisfy the requirements of a data processing agreement under Canadian law (PIPEDA) and, where relevant, Article 28 of the EU General Data Protection Regulation (GDPR). If your end-users are located in the EU or EEA, this DPA governs our processing on your behalf in that capacity as well. This DPA is intended to satisfy Article 28 processor agreement requirements.

If you have questions about how this DPA applies to your GDPR obligations, please contact us as specified in Section 14.0.

4.0 Nature and Purpose of Processing

We process Personal Data only to deliver the Services. The table below describes our processing activities.

Service | Description
Purpose | Aggregation of cryptocurrency, digital asset, and NFT data via API to enable portfolio tracking, tax reporting, and analytics in your product.
Data Subjects | Your end-users; your authorized personnel.
Data Processed | Wallet addresses, Exchange account data, token balances, blockchain transaction records, NFT ownership data, and technical metadata (e.g. IP addresses, API Keys, session data), as retrieved from Exchanges on the Client’s behalf.
Source | Exchange-provided data returned via Exchange APIs pursuant to the Client’s instruction.
Legal Basis | Your instructions as Data Controller, pursuant to the Terms of Service and this DPA.
Frequency | Periodic, as configured by the Client or triggered by Client API calls.
Retention | For the duration of your subscription plus any legally required period. Upon termination, see Section 9.0.

We do not process special categories of personal data (e.g. health, biometric, or religious data) through the Services. You must not instruct us to process such data without a separate written agreement.

Clients may enable optional features that expand the scope of Personal Data processed. Where such features are enabled, the applicable section of this DPA governs that additional processing. Current optional features include KYC Data Retrieval (Section 11.0).

5.0 Our Obligations as Data Processor

5.1 Processing on your instructions only

We process Personal Data only as necessary to deliver the Services and in accordance with your instructions, including as set out in the Terms of Service and this DPA. If we are required by law to process beyond those instructions, we will inform you to the extent legally permitted.

5.2 Confidentiality

Our personnel who access Personal Data are subject to binding confidentiality obligations and receive regular data protection training. Access is limited to those who need it to deliver the Services.

5.3 Security

We implement and maintain appropriate technical and organizational security measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
  • Role-based access controls and the least-privilege principle; MFA for privileged access;
  • Annual penetration testing by qualified third-party specialists;
  • SOC 2 Type II audits by independent auditors; alignment with ISO/IEC 27001;
  • Documented incident response and business continuity procedures.

5.4 Sub-processors

We may engage Sub-processors to help deliver the Services. By accepting this DPA, you grant us general authorization to do so, subject to: (a) we maintain an up-to-date Sub-processor list at https://vezgo.com/sub-processors/; (b) we give at least 30 days’ advance notice of material changes; (c) all Sub-processors are bound by obligations no less protective than this DPA; and (d) we remain fully responsible for their compliance.

5.5 Data Subject Rights

We will assist you in responding to Data Subject rights requests (access, correction, deletion, portability). If we receive such a request directly from one of your end-users, we will not act on it unilaterally — we will redirect the individual to you as the Data Controller and notify you promptly, unless we are required by law to respond directly.

5.6 Audit Rights

We will demonstrate compliance with this DPA primarily through our current SOC 2 Type II report, which we will share upon written request. On-site or third-party audits are available only where you have reasonable documented grounds to believe the SOC 2 report is insufficient to demonstrate compliance with a specific obligation under this DPA, and are subject to our prior written approval, reasonable notice of no less than 60 days, a confidentiality agreement, and conducted at your expense. Audits may not be conducted more than once per calendar year absent a confirmed Security Incident.

6.0 Your Obligations as Data Controller

As Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for all processing instructions you give us;
  • Providing end-users with appropriate privacy notices and obtaining all required consents or otherwise establishing a lawful basis for processing;
  • Keeping access credentials, API keys, and authentication mechanisms secure;
  • Ensuring your end-users and personnel comply with our Terms of Service;
  • Notifying us promptly if you become aware of a Security Incident originating from your environment.

You represent and warrant that your instructions comply with Applicable Law. We are not responsible for your failure to meet data protection obligations that rest with you as Controller.

7.0 International Data Transfers

We primarily process Personal Data in Canada, in compliance with PIPEDA. Some Sub-processors are located outside Canada, including in the United States. Where Personal Data is transferred internationally, we ensure appropriate safeguards are in place — such as contractual clauses or recognized adequacy mechanisms — to maintain a level of protection equivalent to Canadian standards. Details are available in our Sub-processor list; refer to Section 5.4.

If your end-users are located in the European Union or European Economic Area, any transfer of their Personal Data to us is subject to GDPR Chapter V. We rely on Canada’s adequacy status under EU law and, where applicable, appropriate transfer mechanisms with our Sub-processors to ensure lawful international transfers. If you have specific questions about transfer mechanisms, please contact us as specified in Section 14.0.

8.0 Security Incident Notification

If we become aware of a Security Incident affecting Personal Data we process on your behalf, we will notify you without undue delay and, where feasible, within 72 hours. Our notification will include: the nature of the incident; the categories and estimated volume of affected Personal Data and Data Subjects; the likely consequences; and the measures taken or planned. We will cooperate with you on any notifications required to regulators or Data Subjects, and will not make public statements about an incident involving your data without your prior consent, which may be given by email, except as required by law.

9.0 Term and Data Return

This DPA remains in effect for as long as we process Personal Data on your behalf under the Terms of Service. Upon termination or expiration of your subscription, we will — at your written request made within 30 days of termination — return your Personal Data via the API or, where that is no longer available, in a commonly used electronic format upon request, or securely delete it within a reasonable period. We may retain Personal Data in secure backup systems for up to 3 months following termination, after which it will be permanently deleted. We may also retain Personal Data beyond that period only where required by law, and will continue to protect it in accordance with this DPA. Upon your request, we will confirm deletion in writing, which may be by email. Sections 1, 2, 8, 10, 12, and 13 survive termination.

10.0 Confidentiality and Data Use

We will not use Personal Data processed on your behalf for any purpose other than delivering the Services. We will not sell, rent, or otherwise make available for commercial gain your end-users’ Personal Data, and will not combine it with other clients’ data without your explicit consent. We may generate and use Anonymized Data for service improvement and performance monitoring. Both parties agree to keep confidential any non-public information exchanged in the course of using the Services.

11.0 KYC Data Retrieval (Optional Feature)

11.1 Applicability

This section applies only where the Client has explicitly enabled the KYC Data Retrieval feature through the Vezgo Portal or API configuration. By enabling this feature, the Client provides a documented instruction to Vezgo to retrieve and store KYC Data on its behalf. In the event of conflict between this section and any other provision of this DPA on KYC-specific matters, this section prevails.

11.2 Nature and Purpose of Processing

Purpose | Retrieval and storage of identity data from Exchanges on behalf of the Client, to support the Client’s KYC, AML, compliance, or identity verification workflows.
Data Subjects | The Client’s end-users who hold accounts at connected Exchanges.
Data Processed | KYC Data as defined in Section 2.0.
Source | Exchange-provided data returned via Exchange APIs at the time of retrieval.
Legal Basis | The Client’s instruction as Data Controller, pursuant to the Terms of Service and this DPA, as documented by the Client’s enablement of this feature through the Vezgo Portal or written agreement with Vezgo.
Frequency | Periodic, as configured by the Client or triggered by Client API calls.
Retention | As set out in Section 11.5 below.

11.3 Scope and Limitations

Vezgo retrieves KYC Data as a processor acting strictly on the Client’s instruction. Accordingly:

  1. Vezgo does not independently collect KYC Data directly from end-users;
  2. Vezgo does not verify, validate, or vouch for the accuracy, completeness, or lawfulness of KYC Data as provided by the Exchange;
  3. Vezgo processes KYC Data only to the extent necessary to deliver this feature and in accordance with the Client’s instructions;
  4. Vezgo will not use KYC Data for any purpose other than delivering the Services, consistent with Section 10.0.

11.4 Client Obligations

In addition to the obligations set out in Section 6.0, by enabling this feature the Client represents and warrants that:

  1. it has established a lawful basis under Applicable Law for the processing of KYC Data, including for the transfer of that data from the Exchange to Vezgo on the Client’s behalf;
  2. its end-users have been provided with appropriate notice that their identity data held at connected Exchanges may be retrieved and processed by the Client’s service provider;
  3. where required by Applicable Law, it has obtained the necessary consents from end-users prior to enabling this feature for their accounts;
  4. it acknowledges that KYC Data fields returned by each connected Exchange may vary and has taken appropriate steps to assess whether retrieving and storing such data is consistent with its privacy obligations and the purpose for which it was originally collected;
  5. it will not instruct Vezgo to retrieve KYC Data in circumstances where doing so would violate Applicable Law or the terms under which the end-user’s data is held at the Exchange.

Vezgo is not responsible for the Client’s failure to establish a lawful basis or provide adequate notice to end-users in connection with this feature.

11.5 Retention

KYC Data is retained for the duration of the Client’s subscription. Upon termination, the provisions of Section 9.0 apply. Where the Client is subject to regulatory retention obligations (e.g., AML/KYC record-keeping requirements under applicable law), the Client is responsible for ensuring that any required retention periods are met, whether by exporting KYC Data prior to termination or through other means. Vezgo’s standard deletion timelines under Section 9.0 are not modified to accommodate regulatory retention obligations unless separately agreed in writing.

11.6 Special Categories of Data

Certain identity fields returned by Exchanges, such as citizenship or nationality, may, depending on applicable jurisdiction, be considered sensitive or subject to heightened protections. The Client is responsible for identifying whether any KYC Data returned through this feature constitutes a special category of personal data under Applicable Law and for ensuring that processing of such data is lawfully conducted. The Client must not rely on Vezgo to make this determination.

11.7 Security

In addition to the measures described in Section 5.3, Vezgo applies the following controls specifically to KYC Data:

  1. field-level encryption or equivalent protection for sensitive identity fields at rest;
  2. access to KYC Data is restricted to personnel and systems that require it to deliver this feature;
  3. access to KYC Data is logged and subject to periodic review.

11.8 Activation and Deactivation

The KYC Data Retrieval feature may be enabled directly through the Vezgo Portal where it is available on the Client’s plan. Where the feature is not available on the Client’s current plan, the Client must contact their Vezgo sales representative to discuss eligibility. The Client may disable this feature at any time through the Vezgo Portal or API configuration. Upon deactivation, Vezgo will cease retrieving new KYC Data. Previously retrieved KYC Data will be retained and deleted in accordance with Section 11.5 and Section 9.0, unless the Client requests earlier deletion in writing.

12.0 Liability

Our liability under this DPA is subject to the limitation of liability provisions in the applicable Terms of Service. We are liable for direct losses arising from our material breach of this DPA. Neither party is liable for indirect, consequential, or punitive damages, except as required by Applicable Law. You are liable for losses arising from unlawful instructions, failure to obtain required consents, or unauthorized use of the Services by you or your end-users. Where both parties bear responsibility for a breach, liability is allocated in proportion to each party’s responsibility.

13.0 General

13.1 Governing Law

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada. Disputes shall be resolved before the courts of Ontario.

13.2 Updates to this DPA

We may update this DPA from time to time. We will post the updated version at https://vezgo.com/data-processing-agreement/ and notify you via email or in-product notice at least 30 days before material changes take effect. Continued use of the Services after the effective date constitutes acceptance.

13.3 Entire Agreement

Together with the applicable Terms of Service and Privacy Policy, this DPA constitutes the full agreement between the parties on data processing and supersedes any prior understandings on this subject.

13.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions continue in full force.

14.0 Contact

For questions about this DPA or data protection matters, please contact us at privacy@vezgo.com.
