Data Processing Agreement
Last updated: March 30, 2026
Processor: CryptaCount, Inc., 131 Continental Dr, Suite 305, Newark DE 19713, USA (File Number 10054523 (Delaware Division of Corporations)), trading as “CryptaTax” (the “Processor”).
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and CryptaCount, Inc. (“Processor”) and governs the processing of personal data by the Processor on behalf of the Controller.
This DPA applies to Tax Adviser accounts that manage data on behalf of their clients. By accepting this DPA during account registration, you confirm that you are authorised to enter into this agreement on behalf of the Controller organisation.
1. Definitions
1.1. “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service. For the avoidance of doubt, public blockchain wallet addresses alone do not constitute Personal Data; however, data derived from centralised exchange (“CEX”) API integrations (trade history, balances, account-level transaction data) does constitute Personal Data.
1.2. “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, computation, transmission, and deletion.
1.3. “Applicable Data Protection Law” means all applicable data protection and privacy laws, including but not limited to the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and any other applicable US state privacy laws.
2. Subject Matter and Duration
2.1. Subject matter. The Processor processes Personal Data on behalf of the Controller for the purpose of providing crypto-asset tax compliance and personal tax filing services through the CryptaTax platform.
2.2. Duration. This DPA applies for the duration of the Controller’s use of the Service and terminates upon deletion of all Personal Data following account termination.
3. Nature and Purpose of Processing
3.1. The Processor processes Personal Data to:
- Fetch and store transaction data from blockchain networks and centralised exchanges via API integrations configured by the Controller;
- Compute cost basis, capital gains and losses, and tax calculations using methods selected by the Controller (FIFO, LIFO, HIFO, WAVG, and others);
- Generate tax reports, tax form outputs, and tax-relevant summaries;
- Store and manage wallet, transaction, and portfolio data within the Controller’s workspace.
4. Types of Personal Data Processed
- CEX API-derived data: trade history, account balances, deposit and withdrawal records, order history;
- Platform user data: IP addresses, email addresses, names of authorised users;
- Derived data: cost basis records, tax calculations, tax form outputs, capital gains/losses data linked to the above.
4.2. Not Personal Data: Public blockchain data (wallet addresses, transaction hashes, block data) fetched from public networks is not Personal Data. The Processor fetches this data from public blockchain infrastructure without knowledge of the identity of address owners.
5. Categories of Data Subjects
Data subjects are the Tax Adviser’s individual clients and any other natural persons whose wallet data, exchange data, and tax-related financial data is connected to the Service by the Tax Adviser.
6. Obligations of the Processor
6.1. Documented instructions. The Processor shall process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data outside the EEA, unless required by law.
6.2. Confidentiality. The Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Security measures. The Processor implements appropriate technical and organisational measures as described in Annex A, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Role-based access controls and multi-tenant data isolation;
- Audit logging of data access and modifications;
- Regular security assessments of infrastructure.
6.4. Assistance with data subject rights. The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, objection).
6.5. Data breach notification. The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data.
6.6. Data Protection Impact Assessments. The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities where required.
6.7. Deletion or return. Upon termination of the Service, the Processor shall, at the Controller’s choice:
- Provide a complete data export in machine-readable format (CSV, JSON); and/or
- Delete all Personal Data within 30 days of the Controller’s confirmed deletion request.
The Controller must download their data export before confirming deletion.
6.8. Audit. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.
7. Sub-processors
7.1. The Controller grants the Processor general authorisation to engage sub-processors, subject to the Processor:
- Maintaining an up-to-date list of sub-processors;
- Notifying the Controller of any intended changes to sub-processors;
- Ensuring each sub-processor is bound by data protection obligations no less protective than this DPA.
7.2. Current sub-processors:
- Google Cloud Platform — Infrastructure hosting and data storage.
7.3. Not sub-processors: Blockchain data providers receive only public blockchain wallet addresses — not Personal Data — and are therefore not sub-processors. Centralised exchange (CEX) API providers already hold the relevant data independently; the Processor’s API calls to CEX providers are made on the Controller’s instructions using the Controller’s own API credentials.
8. International Data Transfers
8.1. Personal Data may be stored in the United States and/or the European Union depending on infrastructure configuration.
8.2. Where Personal Data originating from the EEA, UK, or Switzerland is processed, the Processor relies on the EU-US Data Privacy Framework, the UK extension thereto, or Standard Contractual Clauses, as applicable.
9. United States Supplemental Terms (CCPA/CPRA)
9.1. Service Provider status. For purposes of the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.140), CryptaCount, Inc. acts as a “Service Provider” processing Personal Information solely for the “Business Purpose” of providing the contracted services.
9.2. No sale of Personal Information. CryptaCount, Inc. does not sell, share, or use Personal Information for any purpose other than providing the contracted services. CryptaCount, Inc. does not sell Personal Information as defined by CCPA §1798.140(ad) or share Personal Information for cross-context behavioural advertising.
9.3. Cooperation with consumer rights. CryptaCount, Inc. will cooperate with the Controller’s obligations to honour consumer opt-out, deletion, and access requests under applicable US state privacy laws.
10. Governing Law
This DPA is governed by the laws of the State of Delaware, United States. Disputes shall be submitted to the state and federal courts located in the State of Delaware.
11. Contact
CryptaCount, Inc.
131 Continental Dr, Suite 305, Newark DE 19713, USA
File Number 10054523 (Delaware Division of Corporations)
Email: info@cryptacount.com
Annex A — Technical and Organisational Measures
The Processor implements the following measures to protect Personal Data:
- Encryption: TLS 1.2+ for data in transit; AES-256 encryption at rest via provider-managed encryption keys.
- Access control: Role-based access control (RBAC) with hierarchical permissions. Multi-tenant data isolation at the workspace level.
- Authentication: OAuth 2.0 / OpenID Connect via trusted identity providers. Bot protection on authentication endpoints. Session management with short-lived access tokens and refresh token rotation.
- Audit logging: All data access and modification events are logged with timestamps, user identifiers, and action types.
- Infrastructure: Cloud infrastructure provider with automated backups, monitoring, and incident alerting.
- Development practices: Automated CI/CD pipelines, dependency scanning, and code review requirements.