Effective Date: 01.01.2026
Version: 1.0
This Data Processing Addendum ("DPA") forms part of the End User License Agreement ("EULA") entered into between Gateway.FM AS ("Processor"), a company incorporated under the laws of Norway under the registration number 926 882147, having its registered office at Løkkeveien 109, 4007 STAVANGER, Norway, and the customer identified in the applicable Order Form or EULA ("Customer" or "Controller").
This DPA is incorporated by reference into the EULA and becomes effective upon Customer's acceptance of the EULA. In the event of a conflict between this DPA and the EULA with respect to the processing of Personal Data, this DPA shall prevail solely to the extent required by applicable data protection law. Except as required by such law, the EULA shall prevail. Terms not defined in this DPA have the meanings given to them in the EULA or applicable Data Protection Law.
1. Scope and Roles
1.1 This DPA applies to the extent Processor processes Personal Data on behalf of Customer in connection with the Services.
1.2 For purposes of applicable data protection laws, including Regulation (EU) 2016/679 ("GDPR"), Customer acts as Controller and Processor acts as Processor.
2. Processing of Personal Data
Processor shall process Personal Data only on documented instructions from Customer and ensure persons authorized to process Personal Data are subject to confidentiality obligations. The Processor shall not use Personal Data for its own purposes.
3. Security Measures
3.1 General Obligation
Processor shall implement appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature of the Services, the state of the art, implementation costs, and the risks to data subjects.
3.2 Nature of Measures
Such measures may include, as appropriate, access controls and authentication mechanisms; encryption or equivalent protections for data in transit and/or at rest; logging and monitoring of system access; segregation of environments; incident detection and response procedures.
Processor does not warrant or guarantee the use of any specific technology, algorithm, or tool, and may implement functionally equivalent measures consistent with industry standards and its information security management system.
4. Sub-processors
4.1 Customer grants Processor general authorisation to engage sub-processors for the processing of Personal Data. A current list of authorised sub-processors is available on our Subprocessor List page. Processor shall update the sub-processor list to reflect any intended additions or replacements.
4.3 Processor shall remain fully responsible for the performance of each sub-processor in accordance with this DPA.
4.4 Customer may object to the engagement of a new sub-processor on reasonable data protection grounds by providing written notice within a reasonable period following the update. Where an objection cannot be resolved, Processor may, at its sole discretion, either refrain from engaging the sub-processor in question or terminate the affected Services in accordance with the EULA.
5. Data Subject Rights
5.1 Processor shall, to the extent legally required and commercially reasonable, assist Customer in responding to requests from data subjects to exercise their rights.
5.2 Processor shall, upon reasonable request, assist Customer with compliance relating to data protection impact assessments and consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.
6. Personal Data Breach
Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach and shall provide information reasonably available at the time to enable Customer to comply with its obligations under applicable Data Protection Law.
7. Audits and Compliance Information
7.1 Processor shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA.
7.2 Independent Audit Reports: In satisfaction of Customer's audit rights, Processor shall, upon written request and subject to confidentiality, provide Customer with a summary of its most recent independent third-party audit reports or certifications (e.g., SOC 2 Type II or ISO/IEC 27001 certificate).
7.3 Customer may request a direct audit of Processor's compliance, subject to the following:
- (a) Frequency: No more than once per calendar year, unless following a confirmed Personal Data Breach;
- (b) Notice: Subject to at least 30 days' prior written notice;
- (c) Cost: At Customer's sole expense;
- (d) Manner: Conducted during normal business hours and in a manner that does not unreasonably interfere with Processor's operations;
- (e) Confidentiality: Subject to the confidentiality terms of the EULA and a specific non-disclosure agreement (NDA) if required by the Processor.
7.4 Processor may object to or limit the scope of any audit that would compromise the security, confidentiality, or privacy of Processor's systems or other customers. In the event of such an objection, Processor shall work in good faith with Customer to provide alternative evidence or a redacted report that satisfies Customer's underlying compliance concern.
8. Return of Personal Data and Deletion
Upon termination of the EULA, Processor shall, at Customer's choice, delete or return Personal Data within a reasonable period, not exceeding ninety (90) days, following termination, unless retention is statutorily required.
9. Processing Details
The subject matter and details of processing are set out in Schedule 1 and form part of this DPA.
12. Liability and Order of Precedence
12.1 This DPA is subject to the limitations of liability and exclusions set forth in the EULA.
12.2 In the event of a conflict between this DPA and the EULA with respect to data protection obligations, this DPA shall prevail solely to the extent required by applicable Data Protection Law. Except as required by such law, the EULA shall prevail.
12.3 Nothing in this DPA limits a party's obligation to comply with applicable Data Protection Law.
13. Governing Law
This DPA is governed by the same law and jurisdiction as the EULA.
Schedule I: Subject Matter and Details of Processing
- Subject matter: Provision of blockchain infrastructure and related services.
- Duration: For the term of the EULA.
- Nature and purpose: Service delivery, security, support, compliance.
- Categories of data subjects: Customer personnel; end users.
- Types of personal data: Identifiers, technical metadata, logs.
- Special categories of data: Not intended to be processed.
