REGIUM.

Data Processing Agreement

Last updated: May 2026 — GDPR Article 28 compliant

Note

This DPA is incorporated by reference into all Regium subscription agreements. A countersigned copy is available on request at communication@regium.io.

1. Definitions

"Controller" means the Customer (the licensed EU CASP or other regulated entity) that determines the purposes and means of processing personal data using the Regium platform.

"Processor" means Regium Ltd, which processes personal data on behalf of the Controller as part of the platform service.

"Personal Data" has the meaning given in GDPR Article 4(1).

"Processing" has the meaning given in GDPR Article 4(2).

"Sub-processor" means any third party appointed by Regium to process Personal Data on behalf of the Controller.

2. Subject matter and nature of processing

Regium processes personal data solely to provide the compliance platform service described in the subscription agreement. Processing activities include: storage, retrieval, organisation, structuring, and export of compliance-related records, including customer due diligence data, transaction records, employee records, and vendor records.

Regium processes personal data only on documented instructions from the Controller (as set out in the subscription agreement and this DPA). Regium will inform the Controller if any instruction infringes applicable data protection law.

3. Types of personal data and data subjects

  • Customer / end-user data: names, tax identification numbers, jurisdiction, self-certification responses, KYC document metadata
  • Transaction data: wallet addresses, transaction identifiers, counterparty VASP data, Travel Rule message metadata
  • Employee data: MLRO and compliance officer names, roles, audit trail actions
  • Vendor data: ICT third-party contact details, contract references, risk classifications

4. Processor obligations

Regium shall:

  • Process personal data only on documented Controller instructions;
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organisational security measures (see Section 5);
  • Notify the Controller without undue delay after becoming aware of a personal data breach (target: within 24 hours; in all cases within 72 hours);
  • Assist the Controller in responding to data subject rights requests under GDPR Articles 15–22;
  • Delete or return all personal data to the Controller upon termination of the subscription agreement, and delete existing copies unless retention is required by law;
  • Make available all information necessary to demonstrate compliance with GDPR Article 28, and allow and contribute to audits conducted by the Controller or its mandated auditor.

5. Security measures

  • Encryption at rest: AES-256 (Google Cloud KMS). Customer-managed encryption keys available on Enterprise tier.
  • Encryption in transit: TLS 1.3 on all API and browser connections.
  • Access control: role-based access control; principle of least privilege; MFA enforced for all Regium staff.
  • Audit logging: immutable audit trail of all data access and administrative actions; 7-year retention.
  • Penetration testing: annual third-party penetration testing; results available under NDA.
  • Vulnerability management: continuous dependency scanning; critical vulnerabilities patched within 72 hours.
  • Data residency: all personal data stored in Google Cloud, Frankfurt region (europe-west3); no data transferred outside the EEA.

6. Sub-processors

The Controller grants general written authorisation to use the following sub-processors. Regium will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.

  • Google Cloud Platform (EU, Frankfurt region europe-west3): platform hosting, storage, and compute
  • Cal.com (EU instance, EU): booking and scheduling (website only; not platform data)

7. Data transfers

No personal data processed under this DPA is transferred outside the European Economic Area. All sub-processors operate within the EEA. Should a transfer become necessary, Regium will implement appropriate safeguards (Standard Contractual Clauses or equivalent) and notify the Controller in advance.

8. Governing law

This DPA is governed by the law of England and Wales for UK customers and by the law of the customer's EU member state for EU-domiciled customers. In case of conflict with the GDPR, the GDPR prevails.

To request a countersigned copy of this DPA, or to raise a sub-processor objection, contact communication@regium.io.