Data Processing Addendum

Effective date: April 24, 2026

1. About this document

This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you ("Controller") and abi group GmbH, Am Ring 7A, 84051 Essenbach, Germany ("Processor", "we", "us").

It applies whenever you use the evmquery service (the "Service") to process personal data in the sense of Article 4(1) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") for which you are the controller. The DPA is incorporated automatically; you do not need to sign it separately. If you require a counter-signed copy for your internal records, email support@evmquery.com.

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA prevails. All other provisions of the Terms of Service, including limitations of liability, apply to processing under this DPA and are not duplicated here.

2. Subject matter and duration

Subject matter and purpose. Processor processes personal data on behalf of Controller in order to provide the Service, i.e. to execute Expressions against public EVM blockchain data and to return decoded Results, together with related account management, billing, and support.

Nature of processing. Collection, storage, organisation, structuring, retrieval, consultation, use, alignment or combination, restriction, erasure, and destruction of the personal data, as necessary to provide the Service.

Duration. The DPA takes effect on the effective date shown above and continues for the duration of the Controller's subscription or use of the Service, plus any period during which Processor is still lawfully processing personal data on Controller's behalf (for example during export or deletion windows).

3. Types of personal data and categories of data subjects

Categories of personal data

  • Account identifiers: email address, hashed password or OIDC subject, API Keys (stored hashed), plan tier.
  • Billing data: name, billing address, VAT ID, tax status, Stripe customer and subscription identifiers.
  • Connection data: IP address, user agent, timestamps, rough geolocation derived from IP.
  • Content provided through the Service: Expressions you submit, wallet addresses and other on-chain identifiers referenced in them, webhook URLs, free-text fields, and the associated query metadata (timestamp, chain, contract address, Expression hash, result status, Credit cost).
  • Support data: correspondence and attachments you send to our support channels.

Categories of data subjects

  • Controller's employees, contractors, and administrators using the Service.
  • Controller's end users whose personal data (for example wallet addresses tied to identity) Controller routes through the Service.
  • Counterparties or other natural persons referenced in Expressions.

4. Controller and Processor roles

Controller determines the purposes and means of the processing of personal data submitted to the Service. Processor processes personal data only on Controller's documented instructions, which are set out in (i) the Terms of Service, (ii) this DPA, and (iii) the product configuration settings Controller applies in its Account. Ad-hoc instructions are possible in writing (email to support@evmquery.com); we may charge a reasonable fee if implementing them requires material effort.

Controller is responsible for ensuring that it has a valid legal basis for the processing, that appropriate information has been provided to data subjects, and that consent, where required, has been obtained.

Processor will inform Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection law. Processor may suspend the relevant processing pending clarification.

5. Confidentiality and staff

Processor will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access is granted on a need-to-know basis and is regularly reviewed.

6. Technical and organisational measures

Processor implements the technical and organisational measures ("TOMs") required by Article 32 GDPR, in particular:

  • Encryption of personal data in transit (TLS) and at rest for credentials and sensitive records.
  • Access controls with role-based permissions, least privilege, and periodic access reviews.
  • Separate environments for development, staging, and production, with production data access restricted to authorised personnel.
  • Logging of administrative actions and of access to sensitive systems.
  • Regular backups and tested restore procedures.
  • Patch management, vulnerability scanning, and incident-response procedures.
  • Secure software-development practices, including code review and dependency updates.

A more detailed description of the current TOMs is available on request. Processor may update its TOMs from time to time, provided the overall level of protection is not reduced.

7. Sub-processors

Controller gives general authorisation to Processor to engage sub-processors to deliver the Service. Processor imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.

The current sub-processors are:

Sub-processor | Role | Location | Transfer basis
Stripe Payments Europe, Ltd. | Payments and billing (Stripe Tax, Stripe Billing) | Ireland; US (onward transfer for card networks) | Standard Contractual Clauses; EU-US Data Privacy Framework where applicable
Hosting provider (as listed in the product documentation) | Application hosting, databases, object storage | EU | Not applicable (EU hosting)
Public RPC providers and ABI explorers | Execution of eth_call requests and ABI retrieval | Varies by provider and chain | Standard Contractual Clauses where applicable
Google Ireland Limited | Website analytics and advertising (see Privacy Policy) | Ireland; US | Standard Contractual Clauses; EU-US Data Privacy Framework

Processor will announce new sub-processors or changes that materially affect the processing of personal data at least 30 days before the change takes effect, either by email to the Controller contact on file or through a visible notice in the dashboard. Controller may object on reasonable data-protection grounds within that notice period; if the objection cannot be resolved, Controller may terminate the affected parts of the Service for the remaining paid period.

8. Assistance to Controller

Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as possible, with the fulfilment of Controller's obligations to respond to requests by data subjects under Chapter III GDPR (Articles 15 to 22). If we receive such a request addressed directly to us, we will forward it to Controller without undue delay and will not respond ourselves except to confirm the forwarding.

Processor will also assist Controller, to the extent reasonably required, in complying with its obligations under Articles 32 to 36 GDPR, including data-breach notifications, data-protection impact assessments, and prior consultation with supervisory authorities.

9. Personal data breaches

Processor will notify Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting personal data processed on Controller's behalf. The notification will include the information required by Article 33(3) GDPR to the extent it is available at the time.

Controller is responsible for notifying the competent supervisory authority and, where applicable, affected data subjects.

10. International transfers

Where personal data is transferred outside the European Economic Area, Processor ensures an appropriate level of protection, for example through the European Commission's Standard Contractual Clauses, an adequacy decision, or certification under the EU-US Data Privacy Framework. The legal basis for each current sub-processor is listed in Section 7.

11. Audit rights

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and with Article 28 GDPR. On reasonable written request and no more than once per calendar year (except in the event of a documented security incident or supervisory-authority request), Controller may conduct an audit.

Audits are conducted first by review of written information and relevant certifications. On-site audits are available only where this is demonstrably insufficient, are subject to reasonable notice (at least 30 days), occur during business hours without disrupting normal operations, and are carried out at Controller's cost. A confidentiality agreement may be required. If the auditor is a competitor of Processor, Processor may request the appointment of an independent third-party auditor bound by confidentiality.

12. Return and deletion of personal data

On expiry or termination of the Controller's subscription, Processor will, at Controller's choice and on reasonable request within 30 days, return the personal data to Controller in a commonly used format or delete it, unless Union or Member State law requires retention of the personal data (for example invoicing records retained for the statutory period under the German Fiscal Code and the German Commercial Code).

Absent a specific request, Processor will delete personal data in accordance with the retention periods described in the Privacy Policy.

13. Governing law

This DPA is governed by German law, excluding its conflict-of-laws rules.

14. Contact

For data-protection matters under this DPA, contact support@evmquery.com. We will forward enquiries to the relevant internal contact without undue delay.