Data Processing Agreement

Last updated: [DATE]

Template — review required. This DPA must be reviewed and finalised by a qualified data-protection lawyer before it is offered to customers, and bracketed placeholders […] completed once the legal entity exists. It is designed to attach to the Terms of Service.

1. Scope & roles

This Data Processing Agreement (“DPA”) governs Cirvex’s processing of personal data on behalf of the Customer when the Customer uses the Cirvex platform. The Customer is the controller and Cirvex ([LEGAL ENTITY NAME]) is the processor for end-user verification data. It applies to processing subject to the EU GDPR and UK GDPR.

2. Definitions

“Personal data”, “processing”, “controller”, “processor”, “data subject” and “personal data breach” have the meanings in the GDPR. “End-user” means an individual the Customer submits for verification. “Sub-processor” means a third party engaged by Cirvex to process personal data.

3. Processing on instructions

Cirvex processes personal data only on the Customer’s documented instructions (including via the platform and API), as set out in Annex A, and as required by law. Cirvex will tell the Customer if an instruction appears to infringe applicable law.

4. Customer obligations

The Customer warrants that it has a valid legal basis for submitting end-user data for verification, that it has given end-users any required notices, and that its instructions comply with applicable law.

5. Confidentiality

Cirvex ensures persons authorised to process personal data are bound by confidentiality and process data only as needed.

6. Security

Cirvex implements appropriate technical and organisational measures to protect personal data (Annex B), including encryption in transit, access controls, hashed credentials and secrets, audit logging and rate limiting.

7. Sub-processors

The Customer authorises Cirvex to engage the sub-processors listed in Annex C. Cirvex imposes data-protection obligations on each sub-processor no less protective than this DPA, and remains responsible for their performance. Cirvex will give at least [30] days’ notice of new or replacement sub-processors, and the Customer may object on reasonable data-protection grounds.

8. Data subject requests

Taking account of the nature of processing, Cirvex assists the Customer with appropriate measures to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). Where a data subject sends a request to Cirvex directly, Cirvex forwards it to the Customer without responding on the merits.

9. Personal data breaches

Cirvex notifies the Customer without undue delay (and in any case within [72] hours) after becoming aware of a personal data breach affecting Customer data, with the information the Customer reasonably needs to meet its own obligations. [Drafting note: the Customer, as controller, must itself notify its supervisory authority within 72 hours of becoming aware under Art. 33 GDPR, so a processor deadline of 72 hours leaves it no margin; customers commonly negotiate a shorter period, e.g. 24 or 48 hours.]

10. Return & deletion

On termination, Cirvex will, at the Customer’s choice, delete or return Customer personal data, and delete existing copies unless retention is required by law.

11. Audits

Cirvex makes available information necessary to demonstrate compliance and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable confidentiality and frequency limits.

12. International transfers

Where personal data is transferred outside the EEA/UK, Cirvex ensures an appropriate transfer mechanism (e.g. EU Standard Contractual Clauses and the UK Addendum) and supplementary measures as needed.

13. Aggregated & anonymised data; service improvement

Cirvex may create aggregated and/or anonymised data from processing (data that does not identify any data subject or the Customer) and may use such data to operate, secure, analyse, improve and develop its services, including training and improving models. Cirvex will not use a Customer’s end-user personal data to train models for the benefit of other customers except where the data has been irreversibly anonymised, or where the Customer has given a separate, specific consent or instruction. This Section survives termination.

14. Liability & precedence

This DPA forms part of the Terms of Service. In case of conflict on data protection, this DPA prevails. Liability is subject to the limitations in the Terms.

15. Governing law

This DPA is governed by the law stated in the Terms of Service ([JURISDICTION]).

Annex A — Processing details

Annex B — Security measures (TOMs)

Annex C — Sub-processors

Sub-processor | Purpose | Location
Veriff | Identity / age verification provider | EU (Estonia)
Neon | Database hosting | EU region
Vercel | Application hosting | US / global edge
Resend | Transactional email | US
[+ crypto/AML analytics vendor when added] | Wallet / transaction screening | […]