GDPR Readiness - Comprehensive Proof Document

Version: 1.0.0
Last Updated: 18-11-2025
Status: GDPR Compliant - Production Ready
Legal Entity: Chain-Fi Limited (England & Wales)
Data Protection Officer: privacy@chain-fi.io

Overview

This document provides comprehensive evidence of Chain-Fi's GDPR compliance across all technical and organizational measures. It maps GDPR articles to specific technical implementations, organizational procedures, and architectural evidence.

Chain-Fi (operated by Chain-Fi Limited, registered in England & Wales) is a non-custodial Web3 security and identity infrastructure platform that has implemented comprehensive technical and organizational measures to ensure full GDPR compliance.

Key Compliance Highlights

✅ Data Controller Status: Chain-Fi acts as a controller for initial onboarding, account creation, and KYC/AML checks
✅ Data Minimization: Only collects data strictly necessary for service delivery, security, and legal compliance
✅ Purpose Limitation: Clear privacy policy, consent management, and scope-based data access
✅ Storage Limitation: Automated retention policies with defined retention periods
✅ Data Subject Rights: Full implementation of all GDPR rights (access, rectification, erasure, portability, restriction, objection)
✅ Security by Design: AES-256 encryption at rest, TLS 1.3+ in transit, RBAC, network segmentation
✅ Article 30 Records: Comprehensive compliance logging of all data processing activities
✅ Data Protection Impact Assessments: Privacy impact assessments for new features
✅ Breach Notification: 72-hour notification procedures in place
✅ Sub-Processor Management: Risk assessment and contractual safeguards for all vendors

Legal Basis for Processing

Processing Activity	Legal Basis (GDPR Art. 6)	Evidence
Account Creation & Authentication	Contract Performance (6(1)(b))	User agreement, Terms of Service
KYC/AML Checks	Legal Obligation (6(1)(c))	AML directives, regulatory requirements
Security Logging	Legitimate Interest (6(1)(f))	Security policy, fraud prevention
Billing & Tax Records	Legal Obligation (6(1)(c))	UK/EU tax law, VAT requirements
Marketing Communications	Consent (6(1)(a))	Opt-in consent, unsubscribe mechanism
Service Improvement Analytics	Legitimate Interest (6(1)(f))	Privacy policy, anonymization

For detailed information on legal basis, see our Data Protection & Privacy page.

Data Subject Rights Implementation

Chain-Fi provides comprehensive mechanisms for users to exercise their GDPR rights:

Right to Access (Article 15)

User data export via OAuth Portal
Response within one month
Portable data formats (JSON/CSV)
Complete data package including profile, wallets, transactions, consent history

Right to Rectification (Article 16)

Profile update capabilities in OAuth Portal
Self-service portal for correctable data
Email update with verification
All changes logged in compliance_events

Right to Erasure (Article 17)

Account deletion procedures
Automated deletion of non-essential data
Retention of legally required records (tax, AML)
Subject to legal retention requirements (6-7 years for tax, 5 years for AML)

Right to Portability (Article 20)

Data export in machine-readable format (JSON/CSV)
Complete user data package
Secure download link

Right to Restriction (Article 18)

Account suspension capabilities
Data restriction procedures
Processing limited to legal obligations only

Right to Object (Article 21)

Marketing opt-out mechanism
Legitimate interest processing can be objected to
Clear objection procedures

Request Channel: privacy@chain-fi.io

For detailed information on data subject rights, see our Data Protection & Privacy page.

Data Protection by Design & by Default

Technical Measures

Encryption:

At Rest: AES-256 for databases, file storage, key management
In Transit: TLS 1.3+ for all HTTP/HTTPS, mTLS for service-to-service
Key Management: Hashicorp Vault with rotation policies

Access Controls:

Multi-factor authentication (password + wallet-based 2FA)
Role-based access control (RBAC)
OAuth scope-based access
Principle of least privilege
Annual access reviews

Pseudonymization:

User IDs, emails, wallet addresses hashed in logs
Device fingerprints hashed
Transaction data pseudonymized where possible

Network Security:

Network segmentation (5 security zones)
Firewall rules and DDoS protection
WAF (Web Application Firewall)
Intrusion detection and prevention

Organizational Measures

Privacy Impact Assessments:

Mandatory for all new features processing personal data
Risk assessment and mitigation measures
Documentation and approval process

Staff Training:

Regular GDPR compliance training
Data protection awareness
Security best practices

Audit Trails:

Comprehensive logging of all data access and processing
Immutable log storage
Access controls on log data
7-year retention

Incident Response:

Detailed breach response plan
72-hour notification procedures
Roles and responsibilities defined
Communication procedures

For detailed technical architecture, see our System Architecture Overview documentation.

Data Processing Records (Article 30)

Chain-Fi maintains comprehensive records of all data processing activities:

Compliance Logger Service:

Tracks all data processing activities
Storage: PostgreSQL compliance_events table
7-year retention
Immutable log storage

Event Categories:

Authentication events (login, logout, registration)
OAuth events (authorization grants, token issuance)
Data modification events (profile updates, wallet linking)
Security events (failed logins, suspicious activity)
2FA events (setup, verification, resets)
Access control events (permission changes, role assignments)

Log Format:

Structured JSON with standardized fields
Timestamp, user ID, event type, IP address, user agent, metadata
Access controls on log data

For detailed information on compliance logging, see our System Architecture Overview documentation.

Data Retention Policies

Data Category	Retention Period	Legal Justification
Billing & Tax Records	6-7 years	UK/EU tax law
AML Logs	5 years	AML directives
General Logs	6-36 months	Security & debugging
KYC Data	Based on provider	Sumsub retention policy
Wallet & Device Binding	As long as account exists	Service delivery
Compliance Events	7 years	ISO 27001, GDPR

Automated retention policies ensure data is deleted after the retention period (subject to legal requirements).

For detailed information on data retention, see our Data Protection & Privacy and Governance & Record-Keeping pages.

Security of Processing

Encryption

At Rest:

PostgreSQL: AES-256 encryption (cloud provider managed)
File Storage: AES-256 encryption
Key Management: Hashicorp Vault with encrypted key storage

In Transit:

TLS 1.3+ for all HTTP/HTTPS communications
mTLS for service-to-service authentication
Certificate management with automated rotation

Access Controls

Multi-factor authentication (password + wallet-based 2FA)
Role-based access control (RBAC)
OAuth scope-based access
Principle of least privilege
Annual access reviews

Network Security

Network segmentation (5 security zones)
Firewall rules and DDoS protection
WAF (Web Application Firewall)
Intrusion detection and prevention

For detailed security architecture, see our System Architecture Overview documentation.

Data Breach Notification

Article 33 - Notification to Supervisory Authority

Procedure:

Detection via automated monitoring, security event detection, or user reports
Assessment by security team (severity and impact)
Notification coordinated by DPO to supervisory authority within 72 hours
Documentation of breach details, affected data, and mitigation measures

Roles:

Security Engineering Lead: Incident commander, breach assessment
Data Protection Officer: Coordinates notification to supervisory authority
Backend Engineering Team: Technical investigation and remediation

Article 34 - Communication to Data Subject

Procedure:

High-risk breaches: notification to affected users
Communication via email to registered email address
Clear explanation of breach, risks, mitigation measures, and contact information

For detailed incident response procedures, see our System Architecture Overview documentation.

Data Transfers & Third Countries

Transfer Locations

UK: Primary data storage (Chain-Fi Limited registered in England & Wales)
EU: Data replication for EU users
US: Cloud infrastructure (with appropriate safeguards)

Transfer Safeguards

EU → US Transfers:

Standard Contractual Clauses (SCCs)
DPA with cloud providers and sub-processors

UK → US Transfers:

UK International Data Transfer Agreement (IDTA) or Addendum to EU SCCs
DPA with cloud providers and sub-processors

Other Regions:

Equivalent safeguards as required by local law (PDPA, UAE DP Law, APPI, PIPA)

For detailed information on data transfers, see our Data Protection & Privacy page.

Sub-Processors & Vendor Management

Sub-Processor Inventory

Sub-Processor	Purpose	Location	Safeguards
Stripe	Payment processing	US, EU	DPA, SOC 2 Type II
Sumsub	KYC/AML (optional)	EU, US	DPA, ISO 27001, SOC 2
Cloud Provider	Infrastructure	UK, EU, US	DPA, SCCs, ISO 27001
Logging/Monitoring	Operational logs	EU, US	DPA, SCCs

Vendor Management Process

Onboarding:

Security questionnaire
Compliance certification review (ISO 27001, SOC 2, GDPR)
Contract negotiation (DPA, liability clauses)
Risk assessment
Approval process

Ongoing Management:

Annual security assessments
Regular contract reviews
Incident notification procedures
Performance monitoring
Compliance verification

For detailed information on sub-processors, see our Data Protection & Privacy page.

GDPR Article Mapping

This document provides comprehensive mapping of GDPR articles to technical implementations. Key articles covered:

Chapter I - General Provisions

Article 1: Subject Matter and Objectives ✅
Article 2: Material Scope ✅
Article 3: Territorial Scope ✅

Chapter II - Principles

Article 5(1)(a): Lawfulness, Fairness, and Transparency ✅
Article 5(1)(b): Purpose Limitation ✅
Article 5(1)(c): Data Minimization ✅
Article 5(1)(d): Accuracy ✅
Article 5(1)(e): Storage Limitation ✅
Article 5(1)(f): Integrity and Confidentiality ✅

Chapter III - Rights of the Data Subject

Article 12: Transparent Information ✅
Article 13: Information to be Provided (Direct) ✅
Article 14: Information to be Provided (Indirect) ✅
Article 15: Right of Access ✅
Article 16: Right to Rectification ✅
Article 17: Right to Erasure ✅
Article 18: Right to Restriction ✅
Article 20: Right to Portability ✅
Article 21: Right to Object ✅

Chapter IV - Controller and Processor

Article 24: Responsibility of the Controller ✅
Article 25: Data Protection by Design and by Default ✅
Article 28: Processor ✅
Article 30: Records of Processing Activities ✅
Article 32: Security of Processing ✅
Article 33: Notification of Breach to Supervisory Authority ✅
Article 34: Communication of Breach to Data Subject ✅
Article 35: Data Protection Impact Assessment ✅

Chapter V - Transfers

Article 44: General Principle for Transfers ✅

Architecture Evidence

System Architecture Documentation

Primary Reference: System Architecture Overview

Key Sections:

Data Protection Architecture (GDPR Alignment)
Encryption Architecture
Security Architecture
Audit Logging Architecture
Access Control Matrix
ISO 27001 Compliance Architecture

Component Architecture Documents:

Backend Server Architecture - Authentication, OAuth, compliance logging
OAuth Portal Architecture - User management, consent screens, data export
Frontend DApp Architecture - Privacy policy, compliance center
Mobile App Architecture - 2FA, secure storage
Forwarder Server Architecture - Transaction processing, security
Blockchain Listener Architecture - Transaction monitoring
Payment Service Architecture - Payment processing, Stripe integration
Vault Architecture - Non-custodial vault operations

Compliance Documentation

Primary References:

Data Protection & Privacy - Privacy policy, data collection, user rights
Governance & Record-Keeping - Roles, responsibilities, retention policies
VAT & AML - Legal obligations, tax compliance
KYC & Account Lifecycle - Identity verification, screening, account actions
Compliance Center pages (EU, UK, USA, etc.) - Jurisdiction-specific compliance

Compliance Monitoring & Auditing

Internal Auditing

Compliance Monitoring:

Regular review of compliance logs
Access control audits
Data retention policy compliance
Sub-processor monitoring
Security event analysis

Audit Frequency:

Access Reviews: Annual
Compliance Log Review: Quarterly
Security Audits: Annual
Vendor Assessments: Annual
DPIA Reviews: As needed (new features)

External Auditing

Certifications & Assessments:

ISO 27001: Architecture ready for certification
SOC 2: Sub-processors (Stripe, Sumsub) certified
GDPR Compliance: Self-assessment and comprehensive documentation

Audit Readiness:

Comprehensive documentation
Evidence trail for all processing activities
Compliance logging (7-year retention)
Access controls and audit trails

Full Documentation

This page provides the complete GDPR Readiness Proof Document with detailed article-by-article mapping, technical implementations, and evidence trail.

This comprehensive document includes:

Complete GDPR article mapping (50+ articles)
Technical implementation evidence
Organizational measures documentation
Architecture references
Compliance monitoring procedures
Full evidence trail

Contact

Data Protection Officer (DPO)
Email: privacy@chain-fi.io

Privacy Inquiries
Email: privacy@chain-fi.io

Legal Entity
Chain-Fi Limited
Registered in England & Wales

Document Version: 1.0.0
Last Updated: 18-11-2025
Status: GDPR Compliant - Production Ready