Privacy Policy

Last updated: 1 June 2026

This Data Privacy Policy describes how CHAIN TEC LAB - FZCO (operating as “Dawn Labs”; the “Company”, “we”, “us”) collects, uses, retains, and shares personal data in the course of operating its Solana validator services and managing its business.

Controller

• Legal entity: CHAIN TEC LAB - FZCO (operating as “Dawn Labs”)
• Registration number: DSO-FZCO-50681
• Registered office: IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates
• Registrar: Dubai Silicon Oasis
• Regulating authority: Dubai Integrated Economic Zones Authority (DIEZ)
• Contact email: info@dawnlabs.tech

Purpose

This policy is intended to:

• Provide transparency to data subjects regarding our processing of personal data
• Establish internal requirements consistent with SOC 2 Trust Services Criteria (Privacy and Confidentiality)
• Comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”) and its Executive Regulations, together with any applicable extraterritorial obligations under foreign data protection laws (notably the EU General Data Protection Regulation (“GDPR”) and Japan’s Act on the Protection of Personal Information (“APPI”)) where the relevant data subjects are located in those jurisdictions

Scope

This policy applies to:

• All personal data processed by the Company in connection with our services and business operations
• All Company personnel (officers, employees, contractors) and third parties acting on our behalf
• All systems, processes, and locations used to process personal data

The Company operates a business-to-business (B2B) Solana validator service. We do not market or provide services directly to end consumers. The personal data we process is therefore limited and is described in detail below.

Definitions

Terms used in this policy have the meanings given to them in the UAE PDPL, including in particular:

• Personal data — any data relating to an identified natural person, or one who can be identified, directly or indirectly, by reference to an identifier (UAE PDPL Art. 1).
• Processing — any operation performed on personal data, whether automated or manual (collection, recording, organisation, storage, alteration, retrieval, use, disclosure, transfer, restriction, erasure, destruction).
• Data subject — the natural person to whom personal data relates.
• Controller — the establishment that determines the means and purposes of processing.
• Processor — the establishment that processes personal data on behalf of the controller.
• Cross-border transfer — transfer of personal data outside the State (UAE).

For data subjects located in the EEA, equivalent definitions under the GDPR apply. For data subjects located in Japan, equivalent definitions under the APPI apply.

Categories of Personal Data We Process

1. Officer and personnel data

• Names, contact details (email, phone), residential address (where required for legal / tax purposes)
• Government-issued identification (only when required, e.g. for company registration, banking, residency / visa procedures)
• Compensation, tax, and benefits records
• Background screening results (where applicable)
• Performance evaluations and disciplinary records

Lawful basis (UAE PDPL Art. 4): contract performance; compliance with legal obligations; legitimate interests of the controller.

2. Customer business contact data

• Names and business contact details (work email, phone, role/title) of representatives at corporate clients delegating validators to the Company
• Records of business communications (email, chat) related to service delivery

Lawful basis: contract performance; legitimate interests in service delivery and account management.

3. Vendor and partner contact data

• Names and business contact details of representatives at suppliers (AWS, Latitude.sh, Cherry Servers, Allnodes, Vanta, Google, GitHub, etc.)
• Account credentials and identifiers tied to those individuals where required for vendor portals

Lawful basis: contract performance; legitimate interests in vendor management.

4. System and security logs

• Authentication events (Identity Center, GitHub, Google Workspace, Vanta, vendor portals)
• Access logs (AWS CloudTrail, SSM Session Manager, server logs) that may contain personnel identifiers tied to administrative activity
• Security event records (e.g. detection alerts referencing personnel actions)

Lawful basis: legitimate interests in operational security, monitoring, and incident response; compliance with legal obligations in connection with audit and regulatory requirements.

What we do not process

• We do not collect personal data from end users of our customers’ services. Validator delegation is a blockchain-level operation that does not transmit personal data to the Company.
• We do not knowingly collect data from children.
• We do not process sensitive personal data as defined under UAE PDPL Art. 1 (data revealing health, racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, biometric data uniquely identifying a natural person, genetic data, or data relating to an individual’s sex life or sexual orientation) except to the strict minimum required for employment / immigration / tax compliance.
• Solana on-chain data (block data, transaction signatures, public keys) is public information published on a public blockchain and is not personal data for the purposes of this policy.

How We Use Personal Data

• Service delivery — operating Solana validators on behalf of clients, communicating with client representatives, providing reports
• Account and access management — provisioning, reviewing, and revoking access to internal systems
• Security and incident response — detecting, investigating, and responding to security events
• Compliance and audit — meeting legal obligations and supporting SOC 2 / ISO 27001 audit activities
• Personnel administration — payroll, performance management, training, and other HR functions
• Internal business operations — accounting, finance, vendor management, and corporate governance

We do not use personal data for advertising, profiling, or sale to third parties, and we do not engage in solely automated decision-making producing legal effects on data subjects.

How We Share Personal Data

We share personal data only with the following categories of recipients, and only to the extent necessary:

• Subprocessors and service providers that support our operations, including:
  • AWS — cloud infrastructure, secrets management, monitoring
  • Latitude.sh, Cherry Servers, Allnodes — bare-metal hosting providers for validator nodes
  • Google Workspace — corporate email and document collaboration
  • GitHub — source code management and access control
  • Vanta — automated compliance monitoring and evidence management
  • Professional service providers — auditors, legal advisors, accountants, banking partners
• Clients and counterparties — limited to what is necessary for service delivery under the master service agreement
• Authorities — when required to comply with applicable law, legal process, or governmental requests (including the UAE Data Office and other competent authorities)

A list of subprocessors with their roles and processing locations is maintained internally and is available to clients on request. We do not sell personal data.

Where a third party processes personal data on our behalf, we require them — by contract — to apply protections at least equivalent to those required under UAE PDPL Art. 6 (security and integrity of processing) and to assist us in responding to data subject rights requests.

Cross-border Data Transfers (UAE PDPL Art. 22–23)

Most of our subprocessors are located outside the UAE, including in the United States, the European Union, Japan, and other regions. Cross-border transfers are conducted in accordance with UAE PDPL Articles 22 and 23:

• To countries determined to provide an adequate level of protection (UAE PDPL Art. 22) — once such adequacy decisions are issued by the UAE Data Office, transfers to listed jurisdictions proceed on that basis.
• To other countries (UAE PDPL Art. 23) — transfers proceed on the basis of one or more of the following:
  • Contractual safeguards binding the recipient (e.g. data protection terms in vendor agreements, Standard Contractual Clauses or equivalent)
  • The data subject’s explicit consent, where appropriate
  • Necessity for performance of a contract with the data subject
  • Necessity for the establishment, exercise, or defence of legal claims
  • Other lawful grounds permitted under UAE PDPL Art. 23

Where personal data of EEA-resident data subjects is transferred, we additionally rely on GDPR Chapter V transfer mechanisms (e.g. adequacy decisions, Standard Contractual Clauses). For Japan-resident data subjects, transfers are conducted in compliance with APPI Article 28.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:

• Customer business contact data — for the duration of the engagement and up to 90 days after contract termination, subject to legal retention obligations
• Personnel data — for the duration of employment plus statutory retention periods required under UAE labour and tax law and any home-jurisdiction obligations of the individual
• System and security logs — per our internal data retention schedule
• Audit and compliance records — for a minimum of 1 year following the end of the relevant audit period, or longer where required

Data Subject Rights (UAE PDPL Art. 13–19)

Subject to applicable law and the conditions in the UAE PDPL, data subjects have the following rights:

• Right to access (Art. 13) — to obtain confirmation of whether we process personal data about them and a copy of that data
• Right to data transfer (portability) (Art. 14) — to request transfer of personal data to another controller in a structured, machine-readable format, where processing is based on consent or contract and is carried out by automated means
• Right to correction or erasure (Art. 15) — to request correction of inaccurate data or erasure of data no longer needed for the purposes for which it was collected
• Right to restrict processing (Art. 16) — to request restriction of processing under specific circumstances
• Right to object to automated processing (Art. 17) — to demand that we stop processing producing legal effects or significantly affecting them on a solely automated basis
• Right to object (Art. 18) — to object to processing based on legitimate interests, marketing, or scientific / historical research
• Right to file a complaint (Art. 19) — with the UAE Data Office

For data subjects in the EEA, equivalent rights under the GDPR apply. For data subjects in Japan, equivalent rights under the APPI apply.

To exercise any of these rights, data subjects may contact us using the details in the Contact Us section. We will respond within the timelines required by the UAE PDPL Executive Regulations and any other applicable law.

Security Measures (UAE PDPL Art. 6)

The Company implements administrative, technical, and physical safeguards to protect personal data, including:

• Encryption of data at rest (AWS-managed encryption) and in transit (TLS)
• Centralized secrets management via AWS Secrets Manager and Parameter Store; no plaintext secrets are stored in source code repositories or on local devices
• Role-based access control with least-privilege principles, enforced via AWS IAM and Identity Center
• Multi-factor authentication for all access to administrative systems
• Continuous monitoring and logging via CloudWatch, CloudTrail, GuardDuty, and Vanta
• Annual security awareness training for all personnel
• Endpoint security controls (full-disk encryption, automatic screen lock) on devices used for company work
• Incident response procedures, including notification to the UAE Data Office and affected data subjects in accordance with UAE PDPL Art. 9 where required

Personal Data Breach Notification (UAE PDPL Art. 9)

Where a personal data breach is likely to result in a risk to the privacy, confidentiality, or security of data subjects, we will notify the UAE Data Office without undue delay after becoming aware of it, in accordance with the UAE PDPL and its Executive Regulations. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will also notify affected data subjects directly.

Children’s Privacy

The Company’s services are intended for businesses, not individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected such data, we will delete it promptly.

Cookies and Online Tracking

The Company does not operate a public consumer-facing web service that uses tracking cookies. Any corporate website operated by the Company uses only essential cookies necessary for site operation.

Data Protection Officer

UAE PDPL Art. 10 requires the appointment of a Data Protection Officer (DPO) where the controller’s or processor’s processing activities meet at least one of the following criteria:

• Processing that creates a high risk to the confidentiality and privacy of personal data, resulting from the adoption of new technologies or the volume of data;
• Processing that involves a systematic and comprehensive evaluation of sensitive personal data, including profiling and automated processing; or
• Processing of large amounts of sensitive personal data.

Based on the nature, scope, and purposes of our processing activities, the Company has assessed that none of the above criteria currently apply, and has therefore not designated a formal DPO. The Chief Executive Officer serves as the senior officer responsible for data protection matters and is the primary contact for data subject rights requests and regulatory authorities. This determination is reviewed at least annually, and additionally whenever there is a material change in processing activities. If any UAE PDPL Art. 10 criterion becomes applicable, a DPO will be designated and this policy updated accordingly.

Records of Processing (UAE PDPL Art. 7)

The Company maintains records of processing activities, including the categories of personal data processed, the purposes of processing, recipients, and any cross-border transfers. These records are kept up to date and made available to the UAE Data Office upon request.

Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated to data subjects through appropriate channels, and the updated policy will be made available at the same location as the current version.

Contact Us

For privacy questions, requests to exercise data subject rights, or to file a complaint, contact:

• CHAIN TEC LAB - FZCO (operating as Dawn Labs)
• Email: info@dawnlabs.tech
• Postal address: IFZA Business Park, DDP, PO Box 342001, Dubai, United Arab Emirates
• Senior responsible officer: Yutaro Nagumo, Chief Executive Officer

Please mark privacy-related correspondence with the subject line “Privacy Inquiry” so that it can be triaged appropriately.

If you are not satisfied with our response, you may also lodge a complaint with the UAE Data Office (the federal supervisory authority under the UAE PDPL), or with your local data protection authority where applicable (for example, the Personal Information Protection Commission of Japan, or the EU member state supervisory authority where you reside).