Data Processing Agreement
How JIL Sovereign processes personal data on behalf of institutional clients and enterprise partners.
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or equivalent engagement agreement (“Principal Agreement”) between JIL Sovereign Technologies, Inc. (“Processor” or “JIL Sovereign”) and the institutional client identified in the Principal Agreement (“Controller”). This DPA governs the processing of Personal Data by JIL Sovereign on behalf of the Controller in connection with the provision of settlement, custody, compliance, and related blockchain infrastructure services (“Services”).
Where the terms of this DPA conflict with the terms of the Principal Agreement with respect to the processing of Personal Data, the terms of this DPA shall prevail. This DPA is effective as of the date the Controller executes the Principal Agreement or otherwise begins using the Services, whichever occurs first.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Any capitalized terms not defined in this DPA shall have the meanings assigned in the Principal Agreement or in Applicable Data Protection Law.
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act (“CCPA”), the Swiss Federal Act on Data Protection (“FADP”), and the Singapore Personal Data Protection Act (“PDPA”), each as amended from time to time.
- “Controller” means the institutional client that determines the purposes and means of the processing of Personal Data and on whose behalf JIL Sovereign processes such data pursuant to the Services.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, including authorized users, beneficial owners, signatories, and other individuals whose data is submitted to the Services.
- “Personal Data” means any information relating to a Data Subject that is processed by JIL Sovereign in the course of providing the Services, as further described in Section 3 of this DPA.
- “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- “Processor” means JIL Sovereign Technologies, Inc., which processes Personal Data on behalf of the Controller in accordance with this DPA and the Principal Agreement.
- “Sub-processor” means any third party engaged by JIL Sovereign to process Personal Data on behalf of the Controller in connection with the Services, as described in Section 5 of this DPA.
- “Supervisory Authority” means an independent public authority established by a member state of the European Union pursuant to Article 51 of the GDPR, or any equivalent regulatory body under Applicable Data Protection Law in any jurisdiction where the processing of Personal Data takes place.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by JIL Sovereign in connection with the Services.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by JIL Sovereign in its capacity as a Processor acting on behalf of the Controller. The processing is carried out for the following purposes, each as necessary for the performance of the Services under the Principal Agreement:
- Settlement and Transaction Processing - executing, validating, and recording digital asset transactions on the JIL Sovereign Layer 1 blockchain and associated cross-chain bridges.
- Identity Verification - performing Know Your Customer (KYC) and Know Your Business (KYB) procedures as required by the Controller and Applicable Data Protection Law.
- Compliance and Regulatory Screening - conducting Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and sanctions screening in connection with the Controller's regulatory obligations.
- Audit Trail Maintenance - generating and retaining immutable audit records of transactions, approvals, and compliance events for the Controller's regulatory reporting and internal governance requirements.
- Custody and Key Management - facilitating multi-party computation (MPC) threshold signing and secure key shard management in support of the Controller's self-custody operations.
- Platform Administration - managing account credentials, access controls, role-based permissions, and session management for authorized users of the Controller.
JIL Sovereign shall not process Personal Data for any purpose other than those set out in this DPA or as otherwise instructed by the Controller in writing, unless required to do so by applicable law. In such a case, JIL Sovereign shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
3. Data Processing Details
3.1 Types of Personal Data
The following categories of Personal Data may be processed by JIL Sovereign in the course of providing the Services:
- Identity Information - full legal name, date of birth, nationality, government-issued identification numbers, and copies of identity documents (passport, national ID, driver's license).
- Biometric Data - facial recognition data and liveness detection artifacts collected during identity verification procedures, processed solely for KYC authentication purposes.
- Contact Information - email address, telephone number, physical address, and business correspondence details.
- Financial and Transaction Records - wallet addresses, public keys, transaction hashes, settlement amounts, fee records, bridge transfer details, and on-chain activity logs.
- KYC/AML Screening Data - sanctions screening results, politically exposed person (PEP) status, adverse media findings, risk scores, and compliance decision records.
- Authentication Credentials - MPC key shard metadata (not the key material itself), WebAuthn credential identifiers, session tokens, and multi-factor authentication records.
- Technical Data - IP addresses, device identifiers, browser type, operating system, access timestamps, and API request logs.
- Corporate Entity Data - entity registration documents, articles of incorporation, beneficial ownership structures, authorized signatory lists, and corporate governance records.
3.2 Categories of Data Subjects
Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Institutional Clients - officers, directors, and authorized representatives of the Controller entity.
- Authorized Users - individuals granted access to the JIL Sovereign platform by the Controller, including portfolio managers, compliance officers, treasury operators, and technical administrators.
- Beneficial Owners - ultimate beneficial owners of the Controller entity as required by applicable KYC/AML regulations.
- Counterparties and Beneficiaries - recipients of transactions initiated by the Controller, including settlement counterparties and bridge transfer recipients, to the extent their Personal Data is provided to JIL Sovereign.
- Authorized Signatories - individuals designated to approve transactions, policy changes, and governance decisions on behalf of the Controller.
3.3 Processing Activities
JIL Sovereign performs the following processing activities on behalf of the Controller:
- Identity Verification - collection, validation, and storage of KYC/KYB documentation; biometric matching and liveness detection; verification against government databases and third-party identity providers.
- Compliance Screening - real-time and periodic screening of Data Subjects against global sanctions lists, PEP databases, and adverse media sources; generation of risk scores and compliance determinations.
- Settlement Processing - recording transaction instructions, executing on-chain transfers, computing settlement finality, and generating cryptographic proofs of settlement.
- Audit Trail Maintenance - creating tamper-evident logs of all processing operations, compliance decisions, and access events; maintaining chain-of-custody records for regulatory audit purposes.
- Access Management - provisioning and deprovisioning user accounts, enforcing role-based access controls, and maintaining authentication event logs.
- Data Storage and Retrieval - encrypted storage of Personal Data across geographically distributed infrastructure, with retrieval capabilities for the Controller's reporting and regulatory obligations.
4. Obligations of the Processor
4.1 Processing on Documented Instructions
JIL Sovereign shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law. The Principal Agreement, this DPA, and any written instructions provided by the Controller constitute the Controller's complete processing instructions. JIL Sovereign shall promptly inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
4.2 Confidentiality
JIL Sovereign shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Data shall be limited to those personnel who require access for the performance of the Services, and all such personnel shall receive appropriate training on data protection requirements.
4.3 Security of Processing
JIL Sovereign shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures include, but are not limited to:
- Encryption at Rest - all Personal Data stored by JIL Sovereign is encrypted using AES-256-GCM. Validator key material is encrypted with per-node master keys and stored in hardware-backed secure enclaves where available.
- Encryption in Transit - all data transmitted between services, validator nodes, and client applications is protected by TLS 1.3. Inter-validator communication is additionally authenticated using HMAC signatures.
- MPC Key Management - cryptographic key material used for custody operations is split using 2-of-3 multi-party computation threshold signing. The user retains one shard at all times, ensuring that JIL Sovereign alone cannot access or reconstruct private keys.
- Post-Quantum Cryptography - JIL Sovereign deploys Dilithium digital signatures and Kyber key encapsulation as supplementary cryptographic layers, providing defense against future quantum computing threats.
- Zone-Based Isolation - validator infrastructure is distributed across 13 jurisdictions. Data processed by validators in a given jurisdiction can be isolated to that jurisdiction where required by applicable law or the Controller's instructions.
- Access Controls - role-based access control (RBAC) with mandatory multi-factor authentication for all administrative access. Privileged operations require multi-party approval.
- Network Segmentation - production systems are isolated from development and testing environments. Internal services communicate over private networks with mutual TLS authentication.
4.4 Assistance with Data Subject Requests
JIL Sovereign shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law. JIL Sovereign shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request without the Controller's prior written authorization, unless required by applicable law.
4.5 Deletion and Return of Data
Upon termination of the Services or upon the Controller's written request, JIL Sovereign shall, at the Controller's election, either return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or securely delete all Personal Data in its possession, including all copies, backups, and replicas, except to the extent that retention is required by applicable law or regulation. JIL Sovereign shall certify in writing that such deletion has been completed. Where retention is required by law, JIL Sovereign shall isolate the retained data and restrict processing to only that which is necessary to comply with the legal obligation.
4.6 Accountability and Records
JIL Sovereign shall maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR or equivalent provisions under Applicable Data Protection Law. Such records shall include the name and contact details of the Processor, the categories of processing carried out, details of any transfers to third countries, and a general description of the technical and organizational security measures in place.
5. Sub-processors
5.1 Authorization
The Controller provides general written authorization for JIL Sovereign to engage Sub-processors for the performance of specific processing activities on behalf of the Controller. JIL Sovereign shall impose data protection obligations on each Sub-processor by way of a written agreement that provides at least the same level of protection for Personal Data as set out in this DPA.
5.2 Notification of Changes
JIL Sovereign shall notify the Controller in writing at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall identify the Sub-processor, describe the processing activities to be performed, and specify the jurisdiction in which the processing will take place. The Controller shall have the right to object to the engagement of a new Sub-processor on reasonable grounds related to data protection. If the Controller objects, JIL Sovereign shall use commercially reasonable efforts to make available an alternative arrangement that does not involve the objected-to Sub-processor. If no such alternative is reasonably available, either party may terminate the affected Services upon thirty (30) days written notice.
5.3 List of Sub-processors
A current list of Sub-processors, including their names, processing activities, and jurisdictions, is available upon written request from the Controller. JIL Sovereign shall keep this list current and make updates available to the Controller in accordance with the notification procedures described in Section 5.2.
5.4 Liability for Sub-processors
JIL Sovereign shall remain fully liable to the Controller for the performance of each Sub-processor's obligations under the sub-processing agreement. Where a Sub-processor fails to fulfill its data protection obligations, JIL Sovereign shall be liable to the Controller for the acts and omissions of the Sub-processor as if they were the acts and omissions of JIL Sovereign itself.
6. International Data Transfers
6.1 Transfer Mechanisms
JIL Sovereign operates validator infrastructure across 13 jurisdictions, including the United States, Germany, the European Union, Singapore, Switzerland, Japan, the United Kingdom, the United Arab Emirates, and Brazil. Personal Data may be processed in any jurisdiction where JIL Sovereign maintains validator nodes or infrastructure, as required for the performance of the Services.
Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a jurisdiction that has not been recognized as providing an adequate level of data protection, JIL Sovereign shall ensure that such transfers are subject to appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) - JIL Sovereign shall enter into the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) with the Controller, or the UK International Data Transfer Agreement / Addendum where applicable.
- Supplementary Measures - in addition to the SCCs, JIL Sovereign implements technical supplementary measures including end-to-end encryption, pseudonymization, and zone-based data isolation to protect Personal Data in transit and at rest.
- Transfer Impact Assessments - JIL Sovereign shall conduct and document a transfer impact assessment for each jurisdiction in which Personal Data is processed, evaluating the legal framework and any risks to Data Subject rights, and shall make such assessments available to the Controller upon request.
6.2 Jurisdictional Data Residency
Where the Controller requires that certain categories of Personal Data remain within a specific jurisdiction or set of jurisdictions, JIL Sovereign shall accommodate such requirements through its zone-based validator architecture. Data residency configurations shall be documented in writing as part of the Principal Agreement or a supplementary data residency addendum. JIL Sovereign shall not transfer Personal Data subject to a data residency restriction outside the designated jurisdiction without the Controller's prior written consent.
6.3 Government Access Requests
JIL Sovereign shall promptly notify the Controller of any legally binding request from a government authority or law enforcement agency for access to Personal Data processed on behalf of the Controller, unless such notification is prohibited by applicable law. JIL Sovereign shall not voluntarily disclose Personal Data to any government authority and shall challenge any request that it reasonably believes to be unlawful or excessive, seeking to limit the scope of disclosure to the minimum required by law.
7. Security Measures
7.1 Technical Measures
JIL Sovereign maintains the following technical security measures for the protection of Personal Data:
- Encryption - AES-256-GCM encryption at rest for all stored Personal Data. TLS 1.3 encryption in transit for all network communications. Per-validator master key encryption for sensitive key material.
- MPC Threshold Signing - 2-of-3 multi-party computation for all custody-related cryptographic operations. No single party, including JIL Sovereign, can reconstruct a complete private key.
- Post-Quantum Cryptography - Dilithium (NIST FIPS 204) digital signatures and Kyber (NIST FIPS 203) key encapsulation deployed as supplementary security layers for long-term data protection against quantum computing threats.
- Network Isolation - validator nodes operate on private networks with firewall rules restricting inbound and outbound traffic to authorized endpoints. Public-facing services are isolated behind reverse proxies and load balancers.
- Access Controls - role-based access control with principle of least privilege. All administrative access requires multi-factor authentication. Privileged actions are logged and subject to automated anomaly detection.
- Intrusion Detection - real-time monitoring of all validator nodes and infrastructure using the SentinelAI Fleet Inspector, which performs continuous threat scoring, behavioral analysis, and automated response to anomalous activity.
- Secure Boot and Attestation - validator nodes follow a 7-gate startup sequence with cryptographic attestation at each stage, including configuration digest verification, key integrity checks, and image signature validation.
- Key Rotation - time-limited consensus authorization tokens (24-hour expiry) and periodic rotation of all cryptographic key material in accordance with industry best practices.
7.2 Organizational Measures
JIL Sovereign maintains the following organizational security measures:
- Personnel Screening - background checks and security clearances for all personnel with access to Personal Data or production infrastructure.
- Training - mandatory data protection and information security training for all personnel upon hiring and at least annually thereafter, with additional specialized training for personnel handling sensitive data categories.
- Incident Response - documented incident response procedures with defined roles, escalation paths, and communication protocols. Incident response plans are tested at least annually through tabletop exercises and simulated breach scenarios.
- Business Continuity - redundant infrastructure across multiple geographic zones with automated failover. The 14-of-20 validator consensus model ensures continuity of operations even if multiple validator nodes become unavailable.
- Vendor Management - due diligence and ongoing monitoring of all Sub-processors, including periodic assessments of their data protection and security practices.
- Regular Audits - periodic internal audits of data protection practices, security controls, and compliance with this DPA, supplemented by independent third-party assessments where appropriate.
8. Data Breach Notification
8.1 Notification to Controller
JIL Sovereign shall notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Security Incident that affects Personal Data processed on behalf of the Controller. The notification shall be provided to the Controller's designated data protection contact by email and, where available, through the JIL Sovereign platform notification system.
8.2 Content of Notification
The Security Incident notification shall include, to the extent known at the time of notification:
- A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The name and contact details of JIL Sovereign's data protection officer or other designated contact from whom additional information may be obtained.
- A description of the likely consequences of the Security Incident for affected Data Subjects.
- A description of the measures taken or proposed to be taken by JIL Sovereign to address the Security Incident, including measures to mitigate its possible adverse effects.
Where it is not possible to provide all required information simultaneously, JIL Sovereign shall provide the information in phases without further undue delay as it becomes available.
8.3 Cooperation
JIL Sovereign shall cooperate with the Controller and take all reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the Security Incident. JIL Sovereign shall also cooperate with any Supervisory Authority or other competent authority investigating the Security Incident, to the extent required by applicable law and as directed by the Controller.
8.4 Documentation
JIL Sovereign shall maintain a record of all Security Incidents, including the facts relating to each incident, its effects, and the remedial actions taken. This record shall be made available to the Controller and, upon request, to any competent Supervisory Authority.
9. Data Subject Rights
9.1 Assistance with Requests
JIL Sovereign shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law. This includes requests for:
- Access - providing Data Subjects with a copy of their Personal Data being processed, together with information about the purposes, categories, and recipients of processing.
- Rectification - correcting inaccurate Personal Data or completing incomplete Personal Data upon instruction from the Controller.
- Erasure - deleting Personal Data where the Controller instructs such deletion and no legal obligation requires continued retention. Where erasure of on-chain data is technically infeasible, JIL Sovereign shall implement effective pseudonymization or anonymization measures as an alternative.
- Restriction of Processing - marking stored Personal Data with the aim of limiting its processing in the future, upon instruction from the Controller.
- Data Portability - providing Personal Data in a structured, commonly used, and machine-readable format, and transmitting such data to another controller where technically feasible and instructed by the Controller.
- Objection - ceasing processing of Personal Data where the Controller instructs such cessation in response to a Data Subject's objection.
9.2 Response Timelines
JIL Sovereign shall respond to the Controller's data subject request assistance inquiries without undue delay and in any event within ten (10) business days. Where the technical complexity of a request requires additional time, JIL Sovereign shall notify the Controller within the initial ten-day period and provide a reasonable estimated completion date.
9.3 On-Chain Data Considerations
The parties acknowledge that certain data recorded on the JIL Sovereign Layer 1 blockchain may be immutable by design. Where a Data Subject request relates to data that has been recorded on-chain, JIL Sovereign shall work with the Controller to implement the most effective available measures, which may include encryption of the associated off-chain data, revocation of access keys, or pseudonymization, to give practical effect to the Data Subject's rights to the greatest extent technically feasible.
10. Data Protection Impact Assessments
JIL Sovereign shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (“DPIAs”) as required under Article 35 of the GDPR or equivalent provisions of Applicable Data Protection Law. Such assistance shall include:
- Providing the Controller with detailed information about the processing operations performed by JIL Sovereign, including the technical architecture, data flows, and security measures in place.
- Assisting the Controller in assessing the necessity and proportionality of the processing in relation to its purposes.
- Assisting the Controller in identifying and evaluating the risks to the rights and freedoms of Data Subjects arising from the processing.
- Providing information about the measures implemented by JIL Sovereign to address identified risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data.
Where required by Applicable Data Protection Law, JIL Sovereign shall also assist the Controller with any prior consultation with a Supervisory Authority in connection with processing activities that present a high risk to the rights and freedoms of Data Subjects.
11. Audit Rights
11.1 Right to Audit
JIL Sovereign shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Applicable Data Protection Law. The Controller, or an independent third-party auditor appointed by the Controller and bound by appropriate confidentiality obligations, shall have the right to conduct audits and inspections of JIL Sovereign's processing activities, systems, and facilities to verify compliance with this DPA.
11.2 Audit Procedures
Audits shall be conducted subject to the following conditions:
- The Controller shall provide JIL Sovereign with at least thirty (30) days prior written notice of any planned audit, specifying the scope, duration, and start date of the audit.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with JIL Sovereign's operations or the security of its systems.
- The Controller shall bear its own costs associated with the audit, except where the audit reveals a material breach of this DPA by JIL Sovereign, in which case JIL Sovereign shall bear the reasonable costs of the audit.
- The Controller shall be entitled to conduct no more than one (1) audit per calendar year, unless a Security Incident has occurred or a Supervisory Authority requests or requires an additional audit.
- Auditors shall comply with JIL Sovereign's security policies and shall not access or copy any data belonging to other clients of JIL Sovereign.
11.3 Audit Reports and Certifications
In lieu of or in addition to on-site audits, JIL Sovereign may provide the Controller with relevant third-party audit reports, certifications, or compliance attestations (such as SOC 2 Type II, ISO 27001, or equivalent standards) that are reasonably sufficient to demonstrate compliance with this DPA. The Controller shall consider such reports in good faith when assessing the need for additional audits.
12. Term and Termination
12.1 Duration
This DPA shall remain in effect for the duration of the Principal Agreement and for as long as JIL Sovereign processes Personal Data on behalf of the Controller. Upon termination or expiration of the Principal Agreement, the provisions of this DPA shall continue to apply to any Personal Data retained by JIL Sovereign until such data is deleted or returned in accordance with Section 4.5.
12.2 Termination for Cause
Either party may terminate this DPA immediately upon written notice if the other party materially breaches its obligations under this DPA and fails to cure such breach within thirty (30) days after receiving written notice of the breach. A material breach of this DPA shall be deemed a material breach of the Principal Agreement.
12.3 Post-Termination Obligations
Upon termination of this DPA or the Principal Agreement, JIL Sovereign shall:
- Cease all processing of Personal Data on behalf of the Controller, except as necessary to comply with applicable legal obligations.
- At the Controller's election, return all Personal Data in a structured, commonly used, and machine-readable format within thirty (30) days, or securely delete all Personal Data and provide written certification of deletion within sixty (60) days.
- Delete all copies of Personal Data from its systems, including backup and disaster recovery systems, within ninety (90) days, except where retention is required by applicable law.
- Ensure that all Sub-processors comply with the same post-termination obligations with respect to any Personal Data they have processed under this DPA.
13. Liability
13.1 Allocation of Liability
Each party shall be liable for any damage caused by processing that infringes Applicable Data Protection Law. The Controller shall be liable for the lawfulness of its instructions and for ensuring that a legal basis exists for the processing. JIL Sovereign shall be liable for any damage caused by processing where it has acted outside of or contrary to the Controller's lawful instructions, or where it has failed to comply with obligations under Applicable Data Protection Law that are specifically directed at processors.
13.2 Limitation of Liability
The total aggregate liability of each party arising out of or in connection with this DPA shall be subject to the limitation of liability provisions set forth in the Principal Agreement. Nothing in this DPA shall be construed to limit or exclude either party's liability for: (a) fraud or willful misconduct; (b) death or personal injury caused by negligence; or (c) any liability that cannot be limited or excluded under applicable law.
13.3 Indemnification
JIL Sovereign shall indemnify and hold harmless the Controller from and against any fines, penalties, damages, costs, and expenses (including reasonable legal fees) arising from JIL Sovereign's breach of this DPA or Applicable Data Protection Law, except to the extent that such fines, penalties, damages, costs, or expenses result from the Controller's instructions, the Controller's breach of its own obligations, or circumstances beyond JIL Sovereign's reasonable control.
14. Governing Law
14.1 Applicable Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles. Any dispute arising out of or in connection with this DPA that is not resolved by negotiation between the parties within thirty (30) days shall be submitted to the exclusive jurisdiction of the federal and state courts located in the State of Delaware.
14.2 Regulatory Primacy
Notwithstanding Section 14.1, to the extent that Applicable Data Protection Law in the Controller's jurisdiction imposes mandatory data protection requirements that cannot be contractually overridden, such requirements shall apply in addition to the terms of this DPA. In the event of a conflict between this DPA and mandatory provisions of Applicable Data Protection Law, the mandatory provisions shall prevail.
14.3 Entire Agreement
This DPA, together with the Principal Agreement and any annexes or schedules incorporated by reference, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous oral or written agreements, representations, and understandings relating to such subject matter.
14.4 Amendments
This DPA may only be amended by a written instrument signed by authorized representatives of both parties. Notwithstanding the foregoing, JIL Sovereign may update the technical and organizational security measures described in this DPA from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Personal Data. JIL Sovereign shall notify the Controller of any material updates to the security measures.
14.5 Severability
If any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace any invalid or unenforceable provision with a valid and enforceable provision that achieves, to the greatest extent possible, the economic, legal, and commercial objectives of the original provision.
14.6 Contact
For questions or requests regarding this Data Processing Agreement, please contact:
JIL Sovereign Technologies, Inc.
Data Protection Office
Wilmington, Delaware, United States
Email: contact@jilsovereign.com
Web: https://jilsovereign.com