
Data Processing Agreement
Last updated:
This DPA forms part of the DepthSignal Terms of Service. DPA requests and legal correspondence use the published legal contact path.
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
Controller
The customer who has agreed to DepthSignal's Terms of Service (“Controller”, “you”). The Controller determines the purposes and means of processing personal data related to its use of the DepthSignal platform.
Processor
MarketDepth Analytics OÜ, registry code 17549629, Tedre tn 16, Kose alevik, Harju maakond 75101, Estonia (“Processor”, “DepthSignal”, “we”, “us”). Ravenna OÜ, registry code 14943751, provides the declared operational data-processing function under contract.
2. Scope and Purpose
Processing is carried out solely to provide the Services: authenticating access, enforcing rate limits, logging API usage for billing and abuse detection, sending transactional emails, maintaining billing-reference records, coordinating payment processing through an external provider only if a future provider is attached to the universal provider-agnostic payment runtime and a paid checkout path is then activated again, and providing optional AI-assisted interpretation features that summarize visible platform context (if enabled by the Controller).
The Processor provides order book analytics derived from publicly available market data across live cryptocurrency exchanges. This market data is not personal data. The legal basis for this DPA is Article 28 GDPR.
3. Types of Personal Data
The Processor processes the following categories of personal data:
| Category | Fields |
|---|---|
| Account data | Email, first name, last name, company name (optional), registration date |
| Authentication data | Password hash (plaintext is not retained after password processing), encrypted 2FA secrets, hashed recovery codes |
| API usage data | Endpoint called, symbol queried, timestamp, response code, response time |
| Billing references | Internal invoice and billing-reference IDs, billing interval, tier, and payment-provider customer/subscription IDs only when a future provider adapter is actively attached |
| Session data | IP address, user agent, session token hash, last active timestamp |
| Security events | Login attempts, key rotations, account changes (append-only audit log with integrity controls) |
| Communication preferences | Newsletter subscription status, consent records |
| Social linking (optional) | Discord ID and username (if customer links their account) |
| AI conversations (optional) | Messages sent for AI-assisted interpretation, AI responses |
The Processor does not process special categories of personal data as defined in Article 9 GDPR.
4. Categories of Data Subjects
- The Controller (individual or authorised representatives).
- The Controller's team members, if team API keys are issued.
5. Duration of Processing
Processing begins when the Controller creates an account and continues until the account is deleted. Upon deletion, data is removed per Section 13 and Annex 1.
6. Processor Obligations
The Processor agrees to the following obligations:
(a) Instructions
Process personal data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service. The Processor will promptly inform the Controller if an instruction is believed to violate applicable law. (Article 28(3)(a))
(b) Confidentiality
Ensure that all persons authorised to process personal data are bound by appropriate confidentiality obligations, whether by contract or statutory duty. (Article 28(3)(b))
(c) Security
Implement and maintain appropriate technical and organisational measures to protect personal data. Full details in Annex 2. (Article 28(3)(c), Article 32)
(d) Sub-processors
Provide 30 days written notice before adding or replacing any sub-processor. If the Controller objects in writing within the notice period, the Parties will work in good faith to resolve the objection.
If no resolution is reached, the Controller may terminate without penalty. (Article 28(2), 28(4))(e) Data subject rights
Assist the Controller in responding to data subject rights requests under Chapter III GDPR. Current self-service endpoints: GET /v1/customer/export for account/API/usage/security-event/AI-conversation export, DELETE /v1/customer/me (erasure), and PATCH /v1/customer/me (rectification). Newsletter subscriber export coverage remains an open support-layer gap tracked as AF-006 / NC-2026-006. (Article 28(3)(e), Articles 15-22)
(f) Security incidents
Notify the Controller within 72 hours of becoming aware of a confirmed personal data breach. See Section 11. (Article 28(3)(f), Article 33)
(g) Compliance assistance
Assist the Controller in meeting obligations under Articles 32-36 GDPR, including data protection impact assessments (DPIAs) and prior consultations with supervisory authorities. (Article 28(3)(f), Articles 32-36)
(h) Deletion and return
Delete or return live account, API, and usage data within 30 days of termination, while billing records and Article 16(m) consent evidence can remain on their own legal-retention basis. Backup rotation completes within 30 days. (Article 28(3)(g))
(i) Audit
Allow one audit per calendar year with 30 days written notice, at the Controller's expense. Where available, the Processor may satisfy the request with a current third-party audit report (such as SOC 2 Type II or ISO 27001 audit report, if obtained) in lieu of an on-site audit. (Article 28(3)(h))
7. Controller Obligations
- Ensure a lawful basis exists for all processing instructed under this DPA (GDPR Article 6).
- Provide documented instructions that comply with applicable law.
- Respond promptly to breach notifications from the Processor.
- Not instruct processing that would violate the GDPR or other applicable law.
8. Sub-processors
The Controller provides general written authorisation to engage the sub-processors listed below. The Processor will provide 30 days notice before adding or replacing any sub-processor. The Controller may object in writing within the notice period.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany (EU) | No transfer required |
| Payment-provider path (currently inactive; no active payment provider currently proved) | Subscription billing and payment processing only if a future provider is attached to the universal provider-agnostic payment runtime and a paid checkout path is then activated again. While there is no active payment provider currently proved, the only published fallback is a bounded direct/manual path for manual invoicing plus SEPA bank transfer. DepthSignal's own finance/tax system remains the central authority and system of record for payment references, invoice records, refund records, settlement tracking, and VAT/GST monitoring, and any future PSP or bank rail must attach to that internal system as an adapter. This does not by itself prove operational revalidation, self-serve checkout, a current payable path, live card processing, PSP webhooks, generic automated invoice delivery, or settlement execution. Any Article 28 role remains provider-dependent until the future provider is re-published in current legal materials. | Provider-dependent | Provider-dependent |
| Resend, Inc. | Transactional email delivery | USA | GDPR Chapter V safeguards (see Section 9) |
| Linear, Inc. | Internal issue tracking for automatic bug report ticket creation and follow-up | USA | GDPR Chapter V safeguards (see Section 9) |
| OpenAI OpCo LLC | AI-assisted interpretation feature: processing user queries and generating summaries of visible market-data context | USA | GDPR Chapter V safeguards (see Section 9) |
| Anthropic PBC (inactive provider-ready path; not enabled in current production allowlist) | AI model provider reference retained for legal traceability; not enabled for current production customer AI traffic | USA | Not active in the current production allowlist; revalidation required before any enablement |
| Cloudflare, Inc. | CDN, DDoS mitigation, TLS termination; bot protection | USA (EU edge nodes for EU traffic) | GDPR Chapter V safeguards (see Section 9); EU customers served from EU edge nodes |
| Beehiiv, Inc. | Newsletter distribution (confirmed opt-in subscribers only) | USA | GDPR Chapter V safeguards (see Section 9) |
| Discord, Inc. | OAuth 2.0 authentication (customers who use Discord login); operational alert delivery via webhooks | USA | GDPR Chapter V safeguards (see Section 9) |
| Google LLC | OAuth 2.0 authentication (customers who use Google login) | USA / EU (Google Ireland for EU customers) | GDPR Chapter V safeguards (see Section 9) |
| GitHub, Inc. | OAuth 2.0 authentication (customers who use GitHub login) | USA | GDPR Chapter V safeguards (see Section 9) |
| Twilio, Inc. | SMS delivery for optional SMS two-factor authentication (phone number transmitted only when SMS 2FA is enabled and a verification code is sent) | USA | GDPR Chapter V safeguards (see Section 9) |
9. International Data Transfers
Primary infrastructure is located in the EEA. Where processing requires non-EEA transfers, those transfers are covered by GDPR Chapter V safeguards, including adequacy mechanisms and/or Standard Contractual Clauses as applicable.
- UK-restricted transfers are supported with UK transfer addendum mechanisms where legally required.
- Swiss-restricted transfers are supported with Swiss transfer mechanisms where legally required.
10. Security Measures
Summary of key technical and organisational measures. Full details in Annex 2.
- Data in transit is protected with industry-standard transport encryption controls.
- Passwords are stored using strong one-way hashing controls.
- API keys stored as irreversible one-way hashes. Raw keys are not retained after issuance.
- Sensitive stored values protected with symmetric encryption.
- Services isolated into separate network zones by function.
- Tier-based rate limiting with automated anomaly detection.
- Append-only security event audit log with integrity controls.
- Automated data retention enforcement.
11. Data Breach Notification
The Processor will notify the Controller without undue delay, and within 72 hours of becoming aware of a confirmed personal data breach (GDPR Article 33(1)). Notification will include: nature of the breach, including categories and approximate number of data subjects and records affected; likely consequences of the breach; and measures taken or proposed to address the breach and mitigate its effects.
Where full information is not yet available, an initial notification will be sent and followed up as details become known.
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the DepthSignal Terms of Service. Neither party limits liability for: confidentiality breaches, deliberate or grossly negligent DPA breaches, or obligations under Article 82 GDPR.
Where a party has paid compensation to a data subject for damage caused by both parties, the other party shall reimburse the portion corresponding to its share of responsibility under Article 82 GDPR.
13. Term and Termination
Upon account deletion, the Processor will delete live account, API, and usage data within 30 days, while billing records and Article 16(m) consent evidence can remain on their own legal-retention basis. Backup rotation completes within 30 days. Billing records and related financial-significance documentation tied to the customer identity are retained for 7 years under Estonian Accounting Act § 12. The Controller may export their data before deletion via GET /v1/customer/export.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of Estonia. Disputes are subject to the exclusive jurisdiction of the Estonian courts, without prejudice to a data subject's right to bring proceedings under Article 79(2) GDPR in their member state of habitual residence or place of work.
15. Amendments
The Processor may amend this DPA by providing 30 days written notice. Continued use of the Services after the notice period constitutes acceptance. Material changes will be communicated by email to the Controller's registered address.
16. Severability
If any provision of this DPA is found to be invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.
Annex 1: Data Retention Schedule
| Data Category | Retention | Legal Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract |
| API usage logs | 90 days rolling | Legitimate interest (GDPR Article 6(1)(f)) |
| Usage summaries | 180 days | Legitimate interest |
| Billing records | 7 years under Estonian Accounting Act § 12 | Legal obligation (GDPR Article 6(1)(c)) |
| Security events | Retained for fraud prevention and legal integrity purposes | Legitimate interest (GDPR Article 6(1)(f)) |
| Newsletter subscribers | Until unsubscribe + 30 days | Consent (GDPR Article 6(1)(a)) |
| AI conversations | 90 days unless deleted earlier by the customer | Contract |
| Product analytics (PostHog) | 90 days raw; anonymised thereafter | Consent (GDPR Article 6(1)(a)) |
| Session data | 90 days (inactive) | Contract |
| Consent records | Duration + 3 years | Legal obligation |
| Application logs | 30 days | Legitimate interest |
Annex 2: Technical and Organisational Measures
Encryption
| Measure | Implementation |
|---|---|
| Data in transit | Industry-standard transport encryption controls on service connections |
| Passwords | Strong one-way password hashing controls |
| API keys | One-way cryptographic hash. Raw keys are not retained after creation |
| Secrets and tokens | Encryption controls for sensitive stored values |
| Session tokens | Cryptographically signed, short-lived (hours, not days) |
Access Control
| Measure | Implementation |
|---|---|
| API authentication | Cryptographic key validation with short-lived cache and conservative fallback on cache failure |
| Dashboard authentication | Signed session tokens, HttpOnly cookies, short expiry |
| Internal access | Access restricted to authorized personnel. Multi-factor authentication required. Role-based access control enforced. |
| Rate limiting | Tier-based request limits with burst control and automated anomaly detection |
| Brute-force protection | Progressive rate limiting and temporary lockout on authentication endpoints |
Infrastructure
| Measure | Implementation |
|---|---|
| Network isolation | Service components are logically segmented to reduce unauthorized lateral access |
| Hosting | Hetzner states its EU datacentre operations are covered by ISO 27001 audited controls |
| Backup | Automated hourly backups on Hetzner-managed infrastructure. Hetzner states its datacentre operations are covered by ISO 27001 audited controls; encrypted offsite backup expansion is in progress. |
| Monitoring | Centralised logging, metrics dashboards, automated alerting, and self-healing remediation |
Annex 3: Sub-processor List
Current as of June 2026. Sub-processor additions or replacements follow the 30-day notice workflow described above.
| Sub-processor | Location | Purpose | Data processed | Transfer basis |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting | Primary personal data at rest | No transfer required |
| Payment-provider path (currently inactive; no active payment provider currently proved) | No active provider currently proved | Subscription billing and payment processing only if a future provider is attached to the universal provider-agnostic payment runtime and a paid checkout path is then activated again. While there is no active payment provider currently proved, the only published fallback is a bounded direct/manual path for manual invoicing plus SEPA bank transfer. DepthSignal's own finance/tax system remains the central authority and system of record for payment references, invoice records, refund records, settlement tracking, and VAT/GST monitoring, and any future PSP or bank rail must attach to that internal system as an adapter. This does not by itself prove operational revalidation, self-serve checkout, a current payable path, live card processing, PSP webhooks, generic automated invoice delivery, or settlement execution. | Customer name, email, billing address; payment references | There is no active payment provider currently proved. The only published fallback while there is no active payment provider currently proved is a bounded direct/manual path for manual invoicing plus SEPA bank transfer. Any future provider identity, role, location, transfer basis, and safeguards must be re-published before activation. |
| Resend, Inc. | USA | Transactional email delivery | Email address, first name, email content | GDPR Chapter V safeguards (see Section 9) |
| Linear, Inc. | USA | Internal issue tracking for automatic bug report ticket creation and follow-up | Bug report content, browser metadata, and issue-triage metadata from voluntarily submitted reports | GDPR Chapter V safeguards (see Section 9) |
| OpenAI OpCo LLC | USA | AI-assisted interpretation feature: processing user queries and generating summaries of visible market-data context | AI conversation content submitted by the customer (no email, no API key, no billing data) | GDPR Chapter V safeguards (see Section 9) |
| Anthropic PBC (inactive provider-ready path; not enabled in current production allowlist) | USA | AI model provider reference retained for legal traceability; not enabled for current production customer AI traffic | No current production customer AI traffic while the provider remains outside the active allowlist | Not active in the current production allowlist; revalidation required before any enablement |
| Cloudflare, Inc. | USA (EU edge nodes for EU traffic) | CDN, DDoS mitigation, TLS termination; bot protection | TLS-terminated request metadata (IP address, headers, URL); no long-term storage of request bodies | GDPR Chapter V safeguards (see Section 9); EU customers served from EU edge nodes |
| Beehiiv, Inc. | USA | Newsletter distribution (confirmed opt-in subscribers only) | Subscriber email address | GDPR Chapter V safeguards (see Section 9) |
| Discord, Inc. | USA | OAuth 2.0 authentication (customers who use Discord login); operational alert delivery via webhooks | Discord user ID, username, email, avatar URL (OAuth customers only); service alert metadata (no PII) for webhook delivery | GDPR Chapter V safeguards (see Section 9) |
| Google LLC | USA / EU (Google Ireland for EU customers) | OAuth 2.0 authentication (customers who use Google login) | Google account ID, email address, name, profile picture URL | GDPR Chapter V safeguards (see Section 9) |
| GitHub, Inc. | USA | OAuth 2.0 authentication (customers who use GitHub login) | GitHub user ID, primary email address, login (username), name, profile picture URL | GDPR Chapter V safeguards (see Section 9) |
Execution
Self-serve (standard)
This DPA is automatically binding upon acceptance of the DepthSignal Terms of Service. No separate signature is required for standard accounts.
Enterprise signature requests
Email [email protected] with subject “DPA Request”. Include company name, registered address, and the name and title of the authorised signatory. No fixed turnaround or countersigned-document delivery is currently claimed.
Bring your own DPA
Send your DPA to [email protected]. Review timing follows the active legal intake and review workflow.
Contact
Data protection and legal: [email protected]
MarketDepth Analytics OÜ, registry code 17549629. Full legal details at /legal/imprint.
Authoritative Legal References
GDPR: Regulation (EU) 2016/679
Articles 6, 9, 15-22, 28, 32-36, 44-49, 79, 82
Standard Contractual Clauses
Commission Implementing Decision (EU) 2021/914
EU-US Data Privacy Framework
Commission Implementing Decision (EU) 2023/1795
Schrems II judgment
CJEU Case C-311/18: Data Protection Commissioner v Facebook Ireland

DEPTHSIGNAL | ESTONIA | MARKET CONTEXT PLATFORM | SECURITY | PRIVACY | MARKET DATA ONLY | NOT FINANCIAL ADVICE