ARTICLE 28 GDPR — DATA PROCESSING AGREEMENT

Data Processing Agreement

Between VerifyFlow (Processor) and Customer (Controller)

Last updated: January 2026  |  UK GDPR Compliant

UK Data Residency

All personal data processed and stored within United Kingdom infrastructure

Article 28 Compliant

Full processor obligations under UK GDPR Article 28(3) are met

Sub-processor Transparency

Complete list of sub-processors disclosed with safeguard details

Data Subject Rights

72-hour breach notification and full rights assistance guaranteed

01

Definitions & Interpretation

1.1. In this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below unless the context otherwise requires:

  • “Applicable Data Protection Law” means the UK General Data Protection Regulation (UK GDPR) as retained by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018, together with any subordinate legislation made under that Act, as amended from time to time.
  • “Controller” means the Customer, being the natural or legal person which determines the purposes and means of the Processing of Personal Data.
  • “Processor” means VerifyFlow Ltd, a company registered in England and Wales, which Processes Personal Data on behalf of the Controller.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed under this DPA.
  • “Personal Data” means any information relating to a Data Subject that is Processed by the Processor on behalf of the Controller in connection with the Services.
  • “Special Category Data” means Personal Data revealing racial or ethnic origin, biometric data processed for the purpose of uniquely identifying a natural person, and any other data falling within Article 9(1) of the UK GDPR.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • “Sub-processor” means any third party appointed by the Processor to Process Personal Data on behalf of the Controller.
  • “Services” means the identity verification, screening, risk assessment, and compliance services provided by VerifyFlow under the principal agreement between the parties.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

1.2. The terms “Commissioner”, “Data Protection Impact Assessment”, and “International Transfer” shall have the meanings given to them in the Applicable Data Protection Law.

1.3. This DPA is incorporated into and forms part of the principal agreement between the Controller and the Processor for the provision of the Services (“Principal Agreement”). In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.


02

Scope & Duration of Processing

2.1. This DPA applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Services.

2.2. The Processor shall Process Personal Data for the duration of the Principal Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Law.

2.3. Upon termination or expiry of the Principal Agreement, the Processor shall, at the Controller’s election, either return or delete all Personal Data in its possession, except to the extent that retention is required by Applicable Data Protection Law or for the establishment, exercise, or defence of legal claims. The Processor shall confirm deletion in writing upon request.

2.4. The obligations and rights of the Controller and the Processor set out in this DPA shall survive the termination or expiry of the Principal Agreement to the extent necessary to give effect to the provisions of this DPA.


03

Nature & Purpose of Processing

3.1. The Processor shall Process Personal Data solely for the purpose of providing the Services to the Controller, which include:

  • Identity document verification — optical character recognition (OCR), document classification, machine-readable zone (MRZ) parsing, and fraud detection analysis of identity documents including passports, driving licences, and national identity cards.
  • Biometric verification — facial comparison between a selfie photograph and the photograph contained in the identity document, together with passive liveness detection, for the purpose of uniquely identifying the Data Subject.
  • PEP and sanctions screening — screening Data Subjects against politically exposed persons lists, HM Treasury sanctions lists, United Nations sanctions lists, and OFAC sanctions lists.
  • Risk assessment — automated risk scoring and customer due diligence (CDD) level determination based on verification results and screening outcomes.
  • Compliance evidence generation — creation and storage of evidence packs containing verification results, audit trails, and integrity hashes for regulatory record-keeping.
  • Ongoing monitoring — daily re-screening against updated sanctions lists and document expiry monitoring.

3.2. The Processor shall not Process Personal Data for any purpose other than as set out in this DPA or as otherwise instructed by the Controller in writing.


04

Categories of Data Subjects

4.1. The categories of Data Subjects whose Personal Data may be Processed under this DPA include:

  • Company directors and officers of the Controller’s clients
  • Persons with significant control (PSCs) and beneficial owners
  • Shareholders and ultimate beneficial owners (UBOs)
  • Designated members and partners of limited liability partnerships
  • Authorised representatives and signatories
  • The Controller’s employees, agents, and consultants who access the Services

4.2. The Controller warrants that it has a lawful basis for providing the Personal Data of Data Subjects to the Processor and that all necessary consents have been obtained or other lawful bases established prior to initiating any Processing.


05

Types of Personal Data

5.1. The following types of Personal Data may be Processed:

  • Identity information — full name, date of birth, nationality, place of birth, gender as extracted from identity documents
  • Contact information — email address, telephone number, correspondence address
  • Identity documents — images of passports, driving licences, national identity cards, and residence permits
  • Biometric data — facial photographs and facial feature descriptors used for biometric comparison (Special Category Data under Article 9 UK GDPR)
  • Address information — registered address, service address, and residential address as held at Companies House or extracted from proof-of-address documents
  • Screening results — PEP match data, sanctions match data, adverse media references, and associated confidence scores
  • Verification outcomes — pass/fail results, risk scores, CDD levels, fraud indicators, and human review decisions
  • Audit data — timestamps, IP addresses, user agent strings, and consent records

5.2. The Processor acknowledges that biometric data constitutes Special Category Data and shall apply enhanced safeguards as set out in this DPA, including obtaining explicit consent from the Data Subject prior to biometric Processing.


06

Controller Obligations

6.1. The Controller shall:

  • Ensure that it has a lawful basis under Applicable Data Protection Law for the Processing of Personal Data by the Processor, including, where applicable, obtaining the explicit consent of Data Subjects for the Processing of Special Category Data (biometric data) under Article 9(2)(a) UK GDPR.
  • Provide documented instructions to the Processor regarding the Processing of Personal Data. The Controller acknowledges that the use of the Services in accordance with the documentation constitutes its complete and final instructions to the Processor, unless supplemented in writing.
  • Ensure that all Personal Data provided to the Processor is accurate, complete, and up to date, and that it has been collected in accordance with Applicable Data Protection Law.
  • Fulfil its obligations to Data Subjects, including responding to data subject access requests, and shall notify the Processor promptly of any such requests that require the Processor’s assistance.
  • Conduct and maintain a Data Protection Impact Assessment (“DPIA”) where required by Applicable Data Protection Law, particularly in relation to the biometric Processing carried out under this DPA.
  • Comply with all notification and registration obligations imposed by Applicable Data Protection Law, including registration with the Information Commissioner’s Office (“ICO”).

07

Processor Obligations (Article 28(3))

7.1. The Processor shall, in accordance with Article 28(3) of the UK GDPR:

  • Processing on instructions: Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Data Protection Law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • Confidentiality: Ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All personnel with access to Personal Data shall receive appropriate data protection training.
  • Security measures: Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  • Sub-processor engagement: Not engage another Processor (Sub-processor) without prior specific or general written authorisation of the Controller. Where general written authorisation has been given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. Details of current Sub-processors are set out in Section 8.
  • Assistance with rights: Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III of the UK GDPR.
  • Assistance with compliance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of Processing and the information available to the Processor.
  • Deletion or return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data.
  • Audit and inspection: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

7.2. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other Applicable Data Protection Law.


08

Sub-processors

8.1. The Controller provides general written authorisation for the Processor to engage the Sub-processors listed below. The Processor shall impose data protection obligations no less protective than those set out in this DPA on each Sub-processor by way of a written contract.

8.2. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.

8.3. Current authorised Sub-processors:

Sub-processor             | Purpose                               | Location       | Transfer Safeguard
--------------------------|---------------------------------------|----------------|-------------------
Vercel Inc.               | Application hosting and edge delivery | United States  | SCCs
AWS (Amazon Web Services) | Object storage and data backups       | United Kingdom | Domestic
Resend Inc.               | Transactional email delivery          | United States  | SCCs
Hetzner Online GmbH       | Virtual private server infrastructure | Germany        | Adequacy

8.4. The Processor shall notify the Controller in writing at least 30 days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The Controller may object to such changes within 14 days of receipt of notice. If the Controller objects on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the Principal Agreement without penalty.


09

International Transfers

9.1. The Processor shall not transfer Personal Data to a country or territory outside the United Kingdom unless:

  • The Secretary of State has made regulations specifying that the country or territory ensures an adequate level of protection for Personal Data (an “adequacy decision”) pursuant to Section 17A of the Data Protection Act 2018; or
  • Appropriate safeguards are in place in accordance with Article 46 of the UK GDPR, including the International Data Transfer Agreement (“IDTA”) or the UK Addendum to the EU Standard Contractual Clauses (“SCCs”), as approved by the Information Commissioner; or
  • A derogation under Article 49 of the UK GDPR applies.

9.2. Where Personal Data is transferred to Sub-processors located in the United States (Vercel, Resend), such transfers are made subject to the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

9.3. Where Personal Data is transferred to Sub-processors located in the European Economic Area (Hetzner, Germany), such transfers benefit from the UK adequacy decision for the EEA.

9.4. The Processor shall conduct and document a transfer risk assessment for each international transfer, evaluating the laws and practices of the destination country, and shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection.


10

Security Measures

10.1. The Processor implements the following technical and organisational measures pursuant to Article 32 of the UK GDPR:

Encryption at Rest

AES-256 encryption for all stored Personal Data, including identity documents and biometric data, with keys managed via hardware security modules.

Encryption in Transit

TLS 1.3 enforced on all connections. HSTS headers with minimum 12-month max-age. Certificate transparency monitoring enabled.

Access Controls

Role-based access control (RBAC) with least-privilege principle. Multi-factor authentication required for all administrative access. Organisation-level data isolation enforced at application layer.

Audit Logging

Immutable, append-only audit trail capturing all data access, modifications, and verification events with SHA-256 integrity hashes. Logs retained for 6 years.

Penetration Testing

Annual third-party penetration testing conducted by CREST-accredited providers. Vulnerability remediation within 30 days (critical) or 90 days (high severity).

Incident Response

24/7 automated monitoring with alerting. Documented incident response plan with defined roles, escalation paths, and communication procedures. Regular tabletop exercises conducted.

Data Minimisation

Biometric face descriptors deleted immediately after comparison. Identity document images deleted after 30 days. Only verification outcomes retained long-term.

Backup & Recovery

Automated daily encrypted backups with geographic redundancy. Recovery point objective (RPO) of 24 hours. Recovery time objective (RTO) of 4 hours. Regular restoration testing.

10.2. The Processor shall regularly test, assess, and evaluate the effectiveness of its technical and organisational measures for ensuring the security of Processing, and shall update such measures as necessary to address evolving threats and vulnerabilities.


11

Data Subject Rights Assistance

11.1. The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures to fulfil the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of Processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making and profiling (Article 22)

11.2. Where the Processor receives a request from a Data Subject directly, it shall promptly redirect the Data Subject to the Controller and notify the Controller of the request within 24 hours.

11.3. The Processor shall respond to the Controller’s requests for assistance in relation to Data Subject rights within 72 hours, providing all relevant information and technical support necessary for the Controller to fulfil its obligations within the statutory timeframes.

11.4. The Processor shall maintain technical capability to export, rectify, or delete Personal Data relating to individual Data Subjects without affecting the Personal Data of other Data Subjects.


12

Breach Notification

12.1. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller.

12.2. Such notification shall include, to the extent available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor’s data protection contact point
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

12.3. Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay.

12.4. The Processor shall cooperate with the Controller and take such reasonable steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

12.5. The Processor shall document all Personal Data Breaches, comprising the facts relating to the breach, its effects, and the remedial action taken, and shall make such documentation available to the Controller and the Commissioner upon request.


13

Data Retention & Deletion

13.1. The Processor shall retain and delete Personal Data in accordance with the following schedule, unless the Controller provides alternative written instructions or Applicable Data Protection Law requires otherwise:

Data Category              | Retention Period   | Justification
---------------------------|--------------------|-----------------------------------------------
Identity document images   | 30 days            | Verification complete; evidence pack generated
Biometric face descriptors | Immediate          | Deleted upon completion of facial comparison
Evidence packs & audit logs| 6 years            | MLR 2017 record-keeping obligations
Screening results          | 6 years            | MLR 2017 / Proceeds of Crime Act 2002
Account and contact data   | Duration + 30 days | Deleted 30 days after account termination

13.2. The Processor employs automated retention enforcement through scheduled processes that identify and securely delete Personal Data upon expiry of the applicable retention period.

13.3. Deletion shall be carried out using industry-standard secure deletion methods that render the Personal Data irrecoverable. The Processor shall provide written confirmation of deletion upon the Controller’s request.

13.4. Notwithstanding the above, the Processor may retain Personal Data to the extent required by Applicable Data Protection Law, provided that the Processor shall ensure the confidentiality of such Personal Data and shall Process it only for the purpose required by law.


14

Audit Rights

14.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the UK GDPR.

14.2. The Processor shall allow for and contribute to audits, including on-site inspections, conducted by the Controller or an independent third-party auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide the Processor with at least 30 days’ prior written notice of any proposed audit, specifying the scope and duration.
  • Audits shall be conducted during normal business hours (Monday to Friday, 09:00 to 17:00 GMT/BST) and shall not unreasonably interfere with the Processor’s business operations.
  • The Controller and any third-party auditor shall be required to enter into a non-disclosure agreement prior to accessing the Processor’s premises or systems.
  • The Controller shall bear its own costs of any audit, unless the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear the reasonable costs of the audit.
  • Audits shall be limited to no more than one per calendar year, unless a Personal Data Breach has occurred or the Commissioner requires an audit.

14.3. The Processor may satisfy audit requests by providing the Controller with a summary of the results of any independent third-party audit or certification (such as SOC 2 Type II or ISO 27001) conducted within the preceding 12 months, provided that such report adequately addresses the Controller’s concerns.


15

Governing Law

15.1. This DPA shall be governed by and construed in accordance with the laws of England and Wales.

15.2. The parties submit to the exclusive jurisdiction of the courts of England and Wales for the resolution of any disputes arising out of or in connection with this DPA.

15.3. Nothing in this DPA shall limit or exclude the rights of Data Subjects or the powers of the Information Commissioner’s Office under Applicable Data Protection Law.

15.4. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The parties shall negotiate in good faith a replacement provision that achieves the same purpose as the original provision to the greatest extent permitted by law.

15.5. This DPA, together with the Principal Agreement and any schedules or annexes hereto, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral.

Signature Block

On behalf of the Controller

On behalf of the Processor

VerifyFlow Ltd

For a pre-signed copy of this DPA, contact legal@verifyflow.uk