1 Definitions
For the purposes of this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below. Where a term is not defined herein, it shall have the meaning ascribed to it in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- "Controller" means the Trading Integrity Bureau, operating IsYourTraderReal.com, which determines the purposes and means of the processing of Personal Data in connection with the Platform's trader verification, investigation, and consumer protection activities.
- "Processor" means any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, including sub-processors engaged for specific processing activities.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including traders under investigation, evidence submitters, website visitors, and reporters.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.
- "Platform" means the website IsYourTraderReal.com, including all pages, APIs, databases, investigation tools, and related services.
- "Sub-processor" means any Processor engaged by the Controller or by another Processor to carry out specific processing activities on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2 Subject Matter and Duration
2.1 Subject Matter
This DPA governs the processing of Personal Data carried out in connection with the operation of the Platform. The Controller engages in trader verification, evidence review, investigation, and publication of consumer protection reports. This DPA sets out the rights and obligations of the Controller and any Processors with respect to the Personal Data processed in the course of these activities.
2.2 Duration
This DPA shall remain in effect for as long as the Controller processes Personal Data in connection with the Platform. Upon termination of processing activities, the provisions of this DPA relating to data retention, deletion, and return of data shall continue to apply until all Personal Data has been returned or deleted in accordance with Section 13 of this DPA.
Duration Summary
This DPA is effective from the date of publication and applies continuously for the duration of all data processing activities. It survives termination of any underlying service agreement with respect to data already processed.
3 Nature and Purpose of Processing
The Controller processes Personal Data for the following specific purposes in connection with the Platform's mission of consumer protection and trader verification:
| Processing Activity | Purpose |
| --- | --- |
| Trader Verification | Verification of the identity, claims, and trading performance of individuals and entities offering financial services, education, or signals to consumers. |
| Evidence Review | Collection, storage, review, and assessment of evidence submitted by users and gathered from publicly available sources for the purposes of investigation and editorial reporting. |
| User Reports | Processing of reports, testimonials, complaints, and information submitted by users regarding traders and trading groups. |
| Investigation & Publication | Conducting investigations and publishing editorial reports, ratings, and assessments for consumer protection. |
| Platform Operations | Security monitoring, abuse prevention, analytics, and technical operation of the Platform. |
| Communication | Responding to user inquiries, data subject access requests, and legal correspondence. |
4 Types of Personal Data Processed
The following categories of Personal Data are processed in connection with the Platform's operations:
4.1 Trader / Subject Data
- Identity information: Names, aliases, trading usernames, photographs, and other public identifiers used in commercial trading activities.
- Trading performance data: Trading results, profit/loss records, account statements, and performance metrics voluntarily shared or publicly available.
- Public business information: Company registrations, regulatory filings, domain WHOIS data, social media profiles, and public marketing materials.
- Country and location: Country of residence or operation as publicly disclosed or reasonably inferable.
4.2 Evidence Submitter / Reporter Data
- Contact information: Names (or pseudonyms), email addresses provided voluntarily during submission.
- Submission content: Text descriptions, evidence files, screenshots, and other materials submitted through Platform forms.
- Technical identifiers: IP addresses (partially anonymized for public display), browser fingerprint data, country of origin derived from IP geolocation.
4.3 Website Visitor Data
- Technical data: IP addresses, browser type and version, operating system, screen resolution, language preferences, and referring URLs.
- Cookie data: Session identifiers, preference cookies, and analytics data (subject to consent).
- reCAPTCHA data: Hardware and software information collected by Google reCAPTCHA for bot prevention.
5 Data Subject Categories
This DPA applies to the processing of Personal Data relating to the following categories of data subjects:
| Category | Description | Legal Basis |
| --- | --- | --- |
| Traders & Mentors | Individuals and entities who publicly offer trading services, signals, education, or mentorship and are the subject of Platform investigations. | Journalistic Exemption / Legitimate Interest |
| Evidence Submitters | Users who submit reports, evidence, testimonials, or complaints about traders or trading groups through the Platform. | Contract / Legitimate Interest |
| Website Visitors | All individuals who access or browse the Platform, including users who interact with search, verification tools, or read published reports. | Consent / Legitimate Interest |
6 Controller Obligations
The Controller shall:
- Process Personal Data in accordance with the GDPR and applicable data protection legislation, including Act No. 110/2019 Coll. (Czech Act on the Processing of Personal Data).
- Ensure that Personal Data is processed lawfully, fairly, and in a transparent manner in relation to data subjects.
- Collect Personal Data only for the specified, explicit, and legitimate purposes set out in this DPA and not further process it in a manner incompatible with those purposes.
- Ensure that Personal Data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (data minimization).
- Take reasonable steps to ensure that Personal Data is accurate and, where necessary, kept up to date.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
- Conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Cooperate with the supervisory authority (UOOU) and data subjects in the exercise of their rights.
- Maintain a record of processing activities in accordance with Article 30 of the GDPR.
7 Processor Obligations
Any Processor engaged by the Controller to process Personal Data on the Controller's behalf shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.
- Assist the Controller in responding to data subject access requests and in ensuring compliance with obligations under Articles 32 to 36 of the GDPR.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
8 Sub-processors
The Controller engages the following sub-processors for specific processing activities. Each sub-processor has been assessed for GDPR compliance and appropriate safeguards:
| Sub-processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| ip-api.com | IP geolocation service for determining the country of origin of website visitors and evidence submitters. | IP addresses | EU / International |
| Google reCAPTCHA | Bot prevention and anti-abuse protection for Platform submission forms. | Device information, cookies, usage data, IP addresses | United States (Google LLC) |
| DigitalOcean, LLC | Cloud hosting infrastructure for the Platform's servers, databases, and application services. | All data stored on Platform servers | EU (Frankfurt / Amsterdam data centers) |
The Controller shall notify data subjects of any intended changes to the list of sub-processors by updating this DPA. Data subjects who object to the engagement of a new sub-processor may contact the Controller at the address provided in Section 15.
9 Data Transfers
The Platform's primary infrastructure is hosted on DigitalOcean servers located within the European Union (Frankfurt and Amsterdam data centers). Personal Data is primarily stored and processed within the EU/EEA.
Where Personal Data is transferred to sub-processors located outside the EU/EEA (specifically, Google LLC for reCAPTCHA services), such transfers are made in compliance with Chapter V of the GDPR and are subject to the following safeguards:
- Standard Contractual Clauses (SCCs): Transfers to Google LLC are governed by the European Commission's Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries.
- Adequacy decisions: Where applicable, transfers are made to countries that have received an adequacy decision from the European Commission under Article 45 of the GDPR.
- Supplementary measures: The Controller implements additional technical and organizational measures, including encryption in transit, data minimization, and pseudonymization, to ensure an essentially equivalent level of protection for transferred data.
Transfer Impact Assessment
The Controller has conducted a Transfer Impact Assessment for all international data transfers and has determined that the safeguards in place provide an essentially equivalent level of protection to that guaranteed by the GDPR.
10 Data Retention
Personal Data is retained only for as long as necessary for the purposes for which it was collected, subject to the following retention periods:
| Data Category | Retention Period | Justification |
| --- | --- | --- |
| Evidence & submissions | Investigation duration + 2 years | Legal defense, regulatory compliance, and continuation of consumer protection mission. |
| Investigation reports | Indefinite (editorial archive) | Journalistic exemption: published reports serve the ongoing public interest in consumer protection. |
| Submitter contact data | Investigation duration + 2 years | Communication regarding submissions and legal defense. |
| IP addresses & logs | 12 months | Security monitoring, abuse prevention, and legal compliance. |
| Analytics data | 26 months | Platform improvement and usage analysis (anonymized/aggregated where possible). |
Upon expiration of the applicable retention period, Personal Data shall be securely deleted or anonymized in a manner that prevents re-identification. The Controller reviews retention periods annually to ensure compliance with the data minimization principle.
11 Security Measures
The Controller implements the following technical and organizational measures to ensure the security and integrity of Personal Data, in accordance with Article 32 of the GDPR:
11.1 Technical Measures
- Encryption in transit: All data transmitted between users' browsers and the Platform is encrypted using TLS 1.2+ (HTTPS). All internal server-to-server communications are encrypted.
- Encryption at rest: Database volumes are encrypted using AES-256 encryption provided by the hosting infrastructure.
- Access controls: Server access is restricted to authorized personnel using SSH key-based authentication with strong passphrases. Database access is restricted by IP whitelist and requires authenticated connections over encrypted channels.
- Firewall protection: Network-level firewalls restrict access to only necessary ports and services. Intrusion detection and prevention systems are active.
- Automated security monitoring: Fail2ban and similar systems automatically block suspicious activity, including brute-force login attempts.
- Regular patching: Server operating systems, software dependencies, and application frameworks are regularly updated with security patches.
11.2 Organizational Measures
- Need-to-know access: Access to Personal Data is restricted to personnel who require it for their role, following the principle of least privilege.
- Confidentiality obligations: All personnel with access to Personal Data are bound by contractual confidentiality obligations.
- Incident response: The Controller maintains documented incident response procedures for detecting, reporting, and responding to data breaches.
- Regular review: Security measures and access permissions are reviewed at least annually.
- Data protection training: Personnel involved in data processing activities receive appropriate data protection training.
12 Data Breach Notification
In the event of a Data Breach, the Controller shall:
- Notify the supervisory authority: Without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, the Controller shall notify the competent supervisory authority (UOOU — Office for Personal Data Protection, Czech Republic) in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Notify affected data subjects: Where the Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the breach to the affected data subjects without undue delay, in accordance with Article 34 of the GDPR.
- Document the breach: The Controller shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, regardless of whether notification to the supervisory authority is required.
Processor Notification Obligation
Any Processor engaged by the Controller who becomes aware of a Data Breach shall notify the Controller without undue delay and no later than 24 hours after becoming aware of the breach. The notification shall include all information necessary for the Controller to fulfill its own notification obligations under Articles 33 and 34 of the GDPR.
13 Return and Deletion of Data
Upon termination of processing activities or upon request of the Controller:
- The Processor shall, at the Controller's choice, return all Personal Data to the Controller or securely delete all Personal Data and certify such deletion in writing.
- Deletion shall be carried out using industry-standard secure deletion methods that prevent recovery or reconstruction of the deleted data.
- The Processor may retain Personal Data only to the extent required by applicable law (e.g., tax retention requirements, regulatory obligations), and only for the duration required by such law. During this retention period, the Processor shall ensure that such data is processed only for the purpose of complying with the applicable legal obligation.
- The Processor shall provide written confirmation of deletion within 30 days of the deletion request.
14 Audits
The Controller shall have the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits may be conducted by the Controller directly or by an independent third-party auditor appointed by the Controller, subject to the following terms:
- The Controller shall provide the Processor with reasonable advance notice of any planned audit (not less than 30 days, except in cases of suspected Data Breach or non-compliance).
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations.
- The Processor shall cooperate fully with the audit and provide all information, access, and assistance reasonably required.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs.
- Audit results and any information obtained during the audit shall be treated as confidential by both parties.
15 Contact Information
For any questions, requests, or concerns regarding this Data Processing Agreement or the processing of Personal Data, please contact:
Legal Department
Email: legal@isyourtraderreal.com
Signal Core s.r.o.
Rybna 716/24, Stare Mesto, 110 00 Praha 1, Czech Republic
ICO: 24460354
This Data Processing Agreement was last updated on March 22, 2026. The Controller reserves the right to modify this DPA at any time to reflect changes in data processing practices or applicable law. Material changes will be indicated by updating the "Last Updated" date above.