This Data Processing Agreement ("DPA") forms part of the Terms of Service between NoxVerify Ltd. ("Processor" or "NoxVerify") and the Tenant ("Controller") and governs the processing of personal data by NoxVerify on behalf of the Controller in connection with the provision of identity verification services.
1. Definitions
The following definitions apply to this DPA:
- "Controller" means the Tenant that determines the purposes and means of the processing of personal data and on whose behalf NoxVerify processes personal data.
- "Processor" means NoxVerify Ltd., which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by NoxVerify to process personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by NoxVerify on behalf of the Controller under this DPA.
- "Data Subject" means the individual to whom the personal data relates, including Applicants whose identity is being verified.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of personal data under this DPA, including GDPR, KVKK, CCPA, and any other relevant legislation.
2. Scope & Purpose
NoxVerify processes personal data on behalf of the Controller solely for the purpose of providing identity verification services as described in the Terms of Service. The scope of processing includes:
- Know Your Customer (KYC) individual identity verification, including document processing, OCR extraction, biometric matching, and liveness detection.
- Know Your Business (KYB) business verification, including registry lookups, corporate document analysis, and ultimate beneficial owner identification.
- Know Your Merchant (KYM) merchant monitoring, including website scanning, risk signal detection, and compliance checks.
- Anti-money laundering (AML) screening against sanctions lists, PEP databases, and adverse media sources.
- Ongoing monitoring and periodic rescreening of previously verified subjects.
Categories of data subjects include: individuals undergoing KYC verification, directors and beneficial owners of businesses undergoing KYB verification, merchants undergoing KYM onboarding, and representatives of the Controller who access the platform.
3. Processor Obligations
NoxVerify, as Processor, shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. Where processing is required by law, NoxVerify will inform the Controller of the legal requirement before processing (unless prohibited by law).
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organizational security measures as set out in Section 5.
- Respect the conditions for engaging sub-processors as set out in Section 4.
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data subject requests as set out in Section 7.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in Section 9.
4. Sub-processors
The Controller provides general written authorization for NoxVerify to engage sub-processors to assist in the provision of services. NoxVerify maintains a current list of sub-processors and shall notify the Controller of any intended changes to the list at least thirty (30) days in advance.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, Workers, R2 storage, D1 database | Global (edge network) |
| [Biometric Provider TBD] | Liveness detection and facial matching | TBD |
| [OCR Provider TBD] | Document OCR extraction and classification | TBD |
If the Controller objects to a new sub-processor on reasonable grounds related to data protection, NoxVerify will use commercially reasonable efforts to provide an alternative or allow the Controller to terminate the affected services without penalty.
NoxVerify shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. NoxVerify remains fully liable to the Controller for the performance of its sub-processors' obligations.
5. Security Measures
NoxVerify implements the following technical and organizational security measures:
- Encryption at rest: AES-256 encryption for all stored personal data, including evidence files, database records, and backups.
- Encryption in transit: TLS 1.3 for all data transmitted between clients, services, and sub-processors.
- Access controls: role-based access control (RBAC) with principle of least privilege. Multi-factor authentication for all administrative access.
- Audit logging: comprehensive logging of all access to and processing of personal data, with tamper-resistant storage and 10-year retention.
- Incident response: documented incident response plan with defined severity levels, escalation procedures, and communication templates.
- Vulnerability management: regular automated vulnerability scanning and annual penetration testing by qualified independent assessors.
- Business continuity: redundant infrastructure across multiple availability zones with defined recovery time and recovery point objectives.
- Personnel security: background checks for employees with access to personal data. Mandatory security awareness training.
6. Data Breach Notification
NoxVerify shall notify the Controller of any Data Breach without undue delay and in any event no later than seventy-two (72) hours after becoming aware of the breach. The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects and personal data records concerned.
- The name and contact details of NoxVerify's data protection officer or other contact point for further information.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
NoxVerify shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach. NoxVerify shall document all Data Breaches, including the facts, effects, and remedial actions taken, and shall make that documentation available to the Controller on request.
7. Data Subject Rights
NoxVerify shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
If NoxVerify receives a request directly from a Data Subject, NoxVerify shall promptly forward the request to the Controller and shall not respond directly to the Data Subject unless authorized by the Controller or required by law.
NoxVerify shall provide the Controller with the technical capability to export, correct, or delete personal data in response to Data Subject requests. Reasonable assistance will be provided at no additional charge; requests requiring significant custom effort may be subject to fees agreed in advance.
8. Data Deletion
Upon termination of the service agreement, NoxVerify shall, at the Controller's election:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format; or
- Delete all personal data and certify such deletion in writing.
Data export or deletion will be completed within thirty (30) days of termination. NoxVerify may retain personal data beyond this period only where required by Applicable Data Protection Law (for example, AML/CTF record retention obligations). Any data retained will continue to be protected in accordance with this DPA.
9. Audit Rights
The Controller may audit NoxVerify's compliance with this DPA. Audits shall be conducted subject to the following conditions:
- The Controller may conduct or commission one audit per year, with at least thirty (30) days prior written notice.
- Audits shall be conducted during normal business hours and in a manner that minimizes disruption to NoxVerify's operations.
- The Controller shall bear the cost of the audit unless the audit reveals a material non-compliance by NoxVerify.
- Auditors must execute appropriate confidentiality agreements before accessing NoxVerify's systems or facilities.
- NoxVerify may satisfy audit requests by providing the Controller with relevant third-party audit reports (e.g., SOC 2 Type II) or certification documentation.
10. International Transfers
Where personal data is transferred outside the jurisdiction of the Controller, NoxVerify shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA for transfers from the EEA.
- Adequacy decisions: where the European Commission or other relevant authority has issued an adequacy decision for the destination country, that decision serves as the transfer mechanism.
- Supplementary measures: where required by the results of a transfer impact assessment, NoxVerify implements additional technical and organizational measures to ensure the effectiveness of the transfer mechanism.
- Data residency: Enterprise Tenants may configure jurisdiction-locked storage to restrict specific categories of personal data to designated geographic regions.
11. Duration
This DPA takes effect on the date the Controller first accesses the NoxVerify platform and remains in effect for the duration of the service agreement between the parties. Provisions of this DPA that by their nature should survive termination (including Sections 6, 8, 9, 10, and 12) shall continue to apply after termination.
12. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service. Each party's aggregate liability under this DPA shall not exceed the liability cap established in the Terms of Service.
For questions about this DPA, contact us:
Sht. Ecvet Yusuf Caddesi, Lefkosa (Nicosia), TRNC, Mersin 10, Turkey
DPO: dpo@noxverify.com
Legal: legal@noxverify.com