Data Processing Agreement

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.

"Biometric Data"

Personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, including facial images and biometric templates.

"Processing"

Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.

"Sub-processor"

Any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Services.

"Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Bifense platform services.

The Processor shall process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law.

3. Data Processing Details

Subject matter and duration

The processing is carried out for the duration of the service agreement and concerns biometric verification, identity enrolment, facial recognition, and related identity operations as specified in the service agreement.

Nature and purpose of processing

The Processor processes Personal Data to provide biometric verification services, including facial image processing, biometric template generation and comparison, liveness detection, identity enrolment and management, and related operational analytics.

Types of Personal Data

• Facial images and biometric templates (special category data)
• Identity reference data (names, identifiers assigned by Controller)
• Verification transaction metadata (timestamps, confidence scores, device information)
• Audit trail data (operator actions, access logs)

Categories of data subjects

• Individuals undergoing biometric verification or enrolment
• Authorised operators and administrators of the Controller

4. Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption: AES-256 encryption at rest; TLS 1.3 for data in transit; per-tenant encryption keys for biometric templates
• Access controls: role-based access control; multi-factor authentication; least-privilege enforcement; comprehensive audit logging
• Infrastructure: network segmentation; DDoS mitigation; automated patching; intrusion detection systems
• Business continuity: automated backups; disaster recovery procedures; regular testing of recovery processes
• Personnel: background checks; security awareness training; confidentiality obligations; access revocation upon role change or departure

The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and shall notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware of such a breach.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors, subject to the following conditions:

• The Processor shall maintain a current list of sub-processors and make it available to the Controller upon request
• The Processor shall notify the Controller at least 30 days before engaging a new sub-processor or replacing an existing one
• The Controller may object to a new sub-processor within 14 days of notification. If a reasonable objection cannot be resolved, the Controller may terminate the affected services without penalty
• The Processor shall impose data protection obligations on sub-processors that are no less protective than those in this DPA
• The Processor remains fully liable for the acts and omissions of its sub-processors

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under applicable data protection law, including requests for:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure of Personal Data
• Restriction of processing
• Data portability
• Objection to processing

The Processor shall promptly notify the Controller if it receives a request directly from a data subject and shall not respond to such requests directly unless authorised by the Controller or required by law.

The Platform provides self-service tools for the Controller to manage data subject requests, including data export and deletion functionality. The Processor shall assist with requests that cannot be fulfilled through these tools.

7. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom unless:

• The destination country has been deemed to provide an adequate level of data protection by the relevant authority
• Appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission
• The Controller has provided specific written authorisation for the transfer

Where Standard Contractual Clauses are used, they are incorporated into this DPA by reference. The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary.

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection law.

The Controller (or its authorised auditor) may conduct audits of the Processor's processing activities, subject to the following conditions:

• Audits shall be conducted with at least 30 days prior written notice
• Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
• The Controller shall bear the costs of the audit unless the audit reveals material non-compliance
• The Processor may satisfy audit requests by providing relevant third-party audit reports or security certifications where available

9. Term and Termination

This DPA shall remain in effect for the duration of the service agreement and for as long as the Processor continues to process Personal Data on behalf of the Controller.

Upon termination of the service agreement or upon the Controller's written request, the Processor shall, at the Controller's election:

• Return all Personal Data to the Controller in a structured, commonly used, machine-readable format
• Securely delete all Personal Data, including copies, and provide written certification of destruction

The Processor shall complete the return or deletion within 30 days of the request, unless applicable law requires longer retention. Any data retained for legal compliance purposes shall continue to be protected under the terms of this DPA.

Contact

For questions about this Data Processing Agreement or to request a signed copy for your records, please contact us:

See also our Privacy Policy and Security Practices for additional information about how we protect your data.