Data Processing Agreement
Last updated: [DATE]
[…] completed once the legal entity exists. It is designed to attach to the Terms of Service.
1. Scope & roles
This Data Processing Agreement (“DPA”) governs Cirvex’s processing of personal data on behalf of the Customer when the Customer uses the Cirvex platform. The Customer is the controller and Cirvex ([LEGAL ENTITY NAME]) is the processor for end-user verification data. It applies to processing subject to the EU GDPR and UK GDPR.
2. Definitions
“Personal data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings in the GDPR. “End-user” means an individual the Customer submits for verification. “Sub-processor” means a third party engaged by Cirvex to process personal data.
3. Processing on instructions
Cirvex processes personal data only on the Customer’s documented instructions (including via the platform and API), as set out in Annex A, and as required by law. Cirvex will tell the Customer if an instruction appears to infringe applicable law.
4. Customer obligations
The Customer warrants that it has a valid legal basis, and has given end-users any required notices, to submit their data for verification, and that its instructions comply with applicable law.
5. Confidentiality
Cirvex ensures persons authorised to process personal data are bound by confidentiality and process data only as needed.
6. Security
Cirvex implements appropriate technical and organisational measures to protect personal data (Annex B), including encryption in transit, access controls, hashed credentials and secrets, audit logging and rate limiting.
7. Sub-processors
The Customer authorises Cirvex to engage the sub-processors listed in Annex C. Cirvex imposes data-protection obligations on each sub-processor no less protective than this DPA, and remains responsible for their performance. Cirvex will give at least [30] days’ notice of new or replacement sub-processors, and the Customer may object on reasonable data-protection grounds.
8. Data subject requests
Taking account of the nature of processing, Cirvex assists the Customer with appropriate measures to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection), and forwards any request it receives directly to the Customer.
9. Personal data breaches
Cirvex notifies the Customer without undue delay (and in any case within [72] hours) after becoming aware of a personal data breach affecting Customer data, with the information the Customer reasonably needs to meet its own obligations.
10. Return & deletion
On termination, Cirvex will, at the Customer’s choice, delete or return Customer personal data, and delete existing copies unless retention is required by law.
11. Audits
Cirvex makes available information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and frequency limits.
12. International transfers
Where personal data is transferred outside the EEA/UK, Cirvex ensures an appropriate transfer mechanism (e.g. EU Standard Contractual Clauses and the UK Addendum) and supplementary measures as needed.
13. Aggregated & anonymised data; service improvement
Cirvex may create aggregated and/or anonymised data from processing (data that does not identify any data subject or the Customer) and may use such data to operate, secure, analyse, improve and develop its services, including training and improving models. Cirvex will not use a Customer’s end-user personal data to train models for the benefit of other customers except where the data has been irreversibly anonymised, or where the Customer has given a separate, specific consent or instruction. This Section survives termination.
14. Liability & precedence
This DPA forms part of the Terms of Service. In case of conflict on data protection, this DPA prevails. Liability is subject to the limitations in the Terms.
15. Governing law
This DPA is governed by the law stated in the Terms of Service ([JURISDICTION]).
Annex A — Processing details
- Subject matter: identity, business, age and AML verification services provided via the Cirvex platform.
- Duration: for the term of the Customer’s use of the Service.
- Nature & purpose: collecting and checking identity/age/AML data to return a verification decision and audit record.
- Data subjects: the Customer’s end-users (applicants, customers, players, account holders).
- Categories of data: identifiers (name, DOB), contact data, identity-document data and images, biometric/liveness data where applicable, AML/sanctions screening results, technical metadata. (Some categories may be special-category data — confirm and document.)
Annex B — Security measures (TOMs)
- Encryption of data in transit (TLS); secrets and credentials stored hashed.
- Role-based access control and least privilege; per-tenant data isolation.
- Audit logging of administrative actions; rate limiting and abuse controls.
- Reputable cloud infrastructure with managed security; backups.
- [Add: pen-testing, incident response, staff training, data-retention controls.]
Annex C — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Veriff | Identity / age verification provider | EU (Estonia) |
| Neon | Database hosting | EU region |
| Vercel | Application hosting | US / global edge |
| Resend | Transactional email | US |
| [+ crypto/AML analytics vendor when added] | Wallet / transaction screening | […] |