Data Processing Addendum — GeraCash

Last updated: 2026-05-10 · Version 2026.05.09

This Data Processing Addendum ("DPA") supplements the GeraCash Terms of Service between Gera Systems Ltd ("Processor") and the customer ("Controller") who agrees to it. It applies where the Controller submits personal data to GeraCash for processing on its behalf.

1. Subject matter and duration

Processor processes personal data described below for the duration of the Controller's subscription or until the data is deleted in accordance with the Terms.

2. Nature and purpose of processing

GeraCash is a multi-currency wallet supporting transfers across 30+ currencies. KYC verification is required above stated thresholds; transaction monitoring is performed for AML compliance.

3. Categories of data subjects and personal data

  • Data subjects: the Controller's customers, end users, employees, contractors, suppliers, and prospects, as applicable to the use case.
  • Categories of data: identification, contact, authentication, usage, payment metadata; plus any further categories the Controller chooses to submit.

4. Controller and Processor obligations

  • Processor will process personal data only on documented instructions from the Controller, except where required by Union or Member State law.
  • Processor ensures persons authorised to process the data are bound by confidentiality.
  • Processor implements appropriate technical and organisational measures (Annex A).
  • Processor will assist the Controller with data-subject requests and DPIA / Article 36 prior consultation where reasonably required.
  • On termination Processor will, at Controller's choice, delete or return all personal data and delete copies, save where applicable law requires retention.

5. Sub-processors

Controller authorises Processor to engage sub-processors. The current list is published at /legal/sub-processors. Processor will give Controller at least 14 days' notice of new sub-processors; Controller may object on reasonable grounds within that period.

6. International transfers

For transfers from the UK / EEA to third countries lacking an adequacy decision, Processor relies on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses 2021/914 (Module 2 or 3 as applicable), incorporated by reference into this DPA. Where a sub-processor participates in the EU-US Data Privacy Framework, that adequacy mechanism applies.

7. Security incident notification

Processor will notify Controller without undue delay (and no later than 72 hours) after becoming aware of a personal data breach, with the information required by GDPR Article 33(3).

8. Audits

Processor makes available the information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by Controller or another auditor mandated by Controller. Audits may be satisfied by independent third-party reports (e.g. ISO 27001, SOC 2 — when available).

Annex A — Technical and organisational measures

  • TLS 1.2+ in transit, AES-256 at rest for sensitive data stores.
  • Role-based access control with least-privilege defaults; multi-factor authentication for admin accounts.
  • Comprehensive audit logging on admin and tenant-isolating endpoints (M3 controls in `core-compliance`).
  • Quarterly vulnerability scanning; annual external pen-testing once budget permits.
  • Backup and restore procedures with documented RTO/RPO (see /legal/dr).
  • Sub-processor onboarding requires DPA and security review.
  • Data minimisation by design; user data export and deletion endpoints exposed (see /account/export and /account/delete).

To execute this DPA contact legal@gera.services. A countersigned PDF will be returned within 5 business days.