Skip to content

Data Processing Agreement

Last updated:

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Controller: the legal entity or individual that accepts this DPA in connection with their use of PocketNode platform services. "Controller" means the party that determines the purposes and means of processing personal data.
  • Processor: PocketNode, operated by its development team, reachable at [email protected]. "Processor" means the party that processes personal data on behalf of the Controller under this DPA.

This DPA supplements and is incorporated into the PocketNode Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data processing matters, this DPA shall prevail.

2. Subject Matter

The Processor agrees to process personal data on behalf of the Controller for the purpose of providing PocketNode platform services, including but not limited to: user account management, node operation and task routing, earnings calculation and distribution, referral program administration, push notification delivery, and security monitoring.

Processing shall be carried out only for the duration of the Controller's active use of PocketNode services and in accordance with the Controller's documented instructions as set out in this DPA and the Terms of Service.

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes on behalf of the Controller:

  • Service delivery: creating and maintaining user accounts, routing computational tasks to appropriate devices, calculating and distributing PNODE token earnings.
  • Analytics: anonymized usage analytics to measure feature adoption, session behavior, and platform performance.
  • Security monitoring: fraud detection, account integrity checks, AML pattern detection, and network abuse prevention.
  • Push notifications: delivering transactional and service-related notifications to end users via Firebase Cloud Messaging (FCM).
  • Regulatory compliance: retaining records as required by applicable law, including AML and KYC obligations.

4. Types of Personal Data

The following categories of personal data are processed under this DPA:

  • Email address: used for account authentication and transactional communications.
  • Device identifiers: anonymized hardware IDs used to measure computing capacity contributed to the network.
  • Usage analytics: anonymized app session data including screens visited and feature interaction frequency.
  • Wallet addresses: BSC blockchain wallet addresses provided voluntarily for PNODE token payouts.
  • Referral data: referral codes, referral chain links, and associated earning records.
  • KYC data (where applicable): identity documents, biometric data, and proof of address submitted under the KYC Policy.

5. Categories of Data Subjects

The personal data processed under this DPA relates to the Controller's end users of the PocketNode platform — individuals who have registered for a PocketNode account and use the platform's node operation, investment, referral, or other features. The Processor does not process data belonging to data subjects who have not consented to such processing through the platform's registration and onboarding flow.

6. Obligations of the Processor

PocketNode, acting as Processor, commits to the following obligations:

a. Processing on Instructions Only

The Processor shall process personal data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service, unless required to do so by applicable law.

b. Confidentiality

The Processor shall ensure that all personnel authorized to process personal data have committed to confidentiality obligations or are under an appropriate statutory duty of confidentiality.

c. Security Measures

The Processor shall implement appropriate technical and organizational security measures pursuant to GDPR Article 32, including encryption at rest and in transit, access controls, and regular security assessments.

d. Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling obligations to respond to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection) by providing relevant data or taking requested actions within the platform's technical capabilities.

e. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. Notification shall include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

f. Return or Deletion Upon Termination

Upon termination of this DPA, the Processor shall, at the Controller's election, either delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless applicable law requires continued retention.

7. Sub-Processors

The Controller grants the Processor general authorization to engage the following sub-processors. The Processor shall ensure each sub-processor is bound by data protection obligations at least equivalent to those in this DPA:

  • Cloudflare, Inc. — CDN, DDoS protection, and DNS services. Data processed: IP addresses, HTTP request metadata.
  • Google LLC (Firebase Cloud Messaging) — push notification delivery to Android devices. Data processed: FCM device tokens.
  • Google LLC (Google Cloud Platform) — server hosting infrastructure. Data processed: all platform data stored on GCP servers.
  • Binance Smart Chain (BSC) — public blockchain network. Data processed: wallet addresses and transaction records (inherently public by design of the blockchain).

The Processor shall notify the Controller of any intended additions or replacements of sub-processors by updating this DPA. The Controller has the right to object to changes within 14 days of notification.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that such transfers are subject to appropriate safeguards pursuant to GDPR Chapter V, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other lawful transfer mechanisms. Transfers to Google LLC and Cloudflare, Inc. are covered by SCCs incorporated into their respective data processing addenda.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA no more than once per calendar year, subject to providing at least 30 days' prior written notice to [email protected]. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations. The Processor may require the Controller to use an independent third-party auditor subject to confidentiality obligations.

10. Term and Termination

This DPA enters into force on the date the Controller first accesses or uses PocketNode services and remains in force for as long as the Controller uses PocketNode services. Upon termination of the Controller's account or the underlying Terms of Service, the Processor's obligations under this DPA continue until all personal data has been returned or deleted in accordance with Section 6(f).

11. Governing Law

This DPA is governed by the laws applicable to the PocketNode Terms of Service. In the event of any conflict or inconsistency between this DPA and the Terms of Service, the provisions of this DPA shall govern with respect to data processing matters.

12. Contact

For DPA-related inquiries, data subject rights requests, or breach notifications, contact the Processor at:
[email protected]

Last updated: