Data Protection

Data Processing Agreement

Effective date: March 31, 2026 · Version 1.0

Summary for non-legal readers: This DPA establishes the legally binding terms for how CurrencyBlazer handles your FX transaction data. Key commitments: your data is anonymised before analysis, deleted within 30 days, never shared with providers, and processed under GDPR and CCPA standards. This document is designed to satisfy enterprise procurement and compliance requirements.

This Data Processing Agreement ("DPA") is entered into between the client submitting data ("Data Controller" or "Client") and CurrencyBlazer ("Data Processor" or "Processor") and supplements our Terms of Service and Privacy Policy.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person within the transaction data, including email addresses and names.
"Transaction Data" means the FX transaction records submitted by the Client in CSV format for benchmarking analysis.
"Processing" means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Client.

2. Scope and Purpose of Processing

The Processor shall process Transaction Data solely for the purpose of:

Parsing and validating CSV transaction records
Anonymising any Personal Data contained within transaction records
Benchmarking executed FX rates against independent mid-market rate data from Fixer.io
Calculating per-transaction and aggregate variance metrics
Generating and delivering the Client's benchmark audit report

3. Data Anonymisation

The Processor commits to the following anonymisation protocol:

All personally identifiable information (names, email addresses, account numbers) within Transaction Data is automatically stripped upon ingestion, before any analytical processing begins
Transaction records are assigned randomised internal identifiers that cannot be reverse-mapped to the original data
Only anonymised, aggregated data is used in the benchmarking engine
The Client's business contact details (email, company name) are stored separately from Transaction Data and are used solely for communication and report delivery

4. Data Retention and Deletion

Data Category	Retention Period	Deletion Method
Raw Transaction Data (CSV)	30 calendar days from upload	Permanent deletion from all systems, including backups
Anonymised analytical results	Duration of engagement + 12 months	Permanent deletion upon request or expiry
Client contact information	Duration of engagement + 24 months	Permanent deletion upon request or expiry
Audit reports (delivered copy)	Retained by Client; Processor copy deleted after 90 days	Permanent deletion

The Client may request early deletion of all data at any time by emailing client-inquiry@currencyblazer.com. Early deletion will be completed within 5 business days and confirmed in writing.

5. Security Measures

The Processor implements the following technical and organisational measures:

Encryption in transit: TLS 1.3 for all data transmission
Encryption at rest: AES-256 for all stored data
Access control: Role-based access limited to authorised personnel; principle of least privilege enforced
Environment isolation: Each Client's data is processed in a logically isolated environment
Audit logging: All access to Client data is logged with timestamps and user identifiers
Automated deletion: Automated workflows enforce retention periods; no manual intervention required for scheduled deletion
Incident response: Documented breach notification procedures (see Section 7)

6. Sub-processors

The Processor currently uses the following sub-processors:

Sub-processor	Purpose	Data Access	Location
Fixer.io (Apilayer)	Mid-market FX rate data	Currency pairs and dates only — no Client data transmitted	EU (Austria)
Netlify	Website and form hosting	Form submissions (email, company name, CSV file)	US
Google Workspace	Email communication	Client email correspondence	US / Global

The Processor will provide 30 days' written notice before engaging any new sub-processor. The Client may object to a new sub-processor within 14 days of notification.

7. Data Breach Notification

In the event of a data breach affecting Client data, the Processor will:

Notify the Client within 72 hours of becoming aware of the breach
Provide a written incident report including: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to address and mitigate the breach
Cooperate with the Client in meeting any regulatory notification obligations
Take immediate remedial action to contain and resolve the breach

8. Data Subject Rights

The Processor will assist the Client in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law. Given that Transaction Data is anonymised upon ingestion, most data subject rights will apply only to Client contact information.

9. International Transfers

Where Client data is transferred outside the European Economic Area or the United Kingdom, the Processor ensures adequate safeguards through EU Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer mechanisms recognised under applicable law.

10. Audit Rights

The Client has the right to audit the Processor's compliance with this DPA. Audits may be conducted:

Once per calendar year, with 30 days' prior written notice
By the Client or a qualified third-party auditor bound by confidentiality obligations
During normal business hours, with reasonable scope limitations to protect other clients' confidentiality

The Processor will also make available relevant compliance documentation, certifications, and security assessment summaries upon reasonable request.

11. Term and Termination

This DPA remains in effect for the duration of the Client's engagement with CurrencyBlazer. Upon termination, the Processor will delete all Client data in accordance with the retention schedules in Section 4 and provide written confirmation of deletion within 10 business days.

12. Governing Law

This DPA is governed by the same law that governs the Terms of Service. For EU/UK data subjects, the provisions of the GDPR and UK GDPR shall apply to the extent they provide additional protections.

13. Contact

For data protection inquiries, deletion requests, or to request a signed copy of this DPA:

CurrencyBlazer — Data Protection
Email: client-inquiry@currencyblazer.com
Web: currencyblazer.com

To request a signed, countersigned PDF copy of this DPA for your compliance records, email client-inquiry@currencyblazer.com with the subject line "DPA Request — [Company Name]."