Data Processing Agreement
Last updated: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the agreement between Xident Technologies Inc. ("Xident," "Processor," "we," or "us") and the entity agreeing to these terms ("Customer," "Controller," or "you") for the provision of age verification services (the "Services").
Need a signed DPA?
Enterprise customers can request a countersigned copy of this DPA by contacting legal@xident.io.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by Xident on behalf of Customer.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Xident to process Personal Data on behalf of Customer.
- "Data Protection Laws" means GDPR, UK GDPR, and other applicable data protection legislation.
- "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for international data transfers.
2. Scope and Roles
2.1 Scope
This DPA applies to the Processing of Personal Data by Xident on behalf of Customer in connection with the Services. The subject matter, duration, nature, purpose, and categories of data are described in Annex I.
2.2 Roles
For the purposes of this DPA, Customer is the Controller and Xident is the Processor of the Personal Data processed under the Agreement.
3. Processing Instructions
3.1 Customer Instructions
Xident shall only process Personal Data in accordance with Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
3.2 Compliance
Xident shall inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Customer is responsible for ensuring that its instructions comply with applicable laws.
4. Security Measures
4.1 Technical and Organizational Measures
Xident shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest and in transit
- Access controls and authentication mechanisms
- Regular security testing and vulnerability assessments
- Incident response and business continuity procedures
- Employee training and confidentiality obligations
4.2 Confidentiality
Xident shall ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Sub-processors
5.1 Authorization
Customer provides general authorization for Xident to engage Sub-processors to process Personal Data. Current Sub-processors are listed in Annex II.
5.2 Notification
Xident shall notify Customer of any intended changes to Sub-processors at least 30 days in advance. Customer may object to such changes on reasonable grounds.
5.3 Sub-processor Obligations
Xident shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. Data Subject Rights
Xident shall assist Customer in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws. Xident shall promptly notify Customer of any such requests received directly.
7. Data Breach Notification
7.1 Notification
Xident shall notify Customer without undue delay upon becoming aware of a Personal Data breach, and in any event within 48 hours.
7.2 Information
The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Audits and Assessments
8.1 Information
Xident shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
8.2 Audit Rights
Customer may conduct audits (or appoint an independent auditor) no more than once per year, with reasonable notice and during normal business hours. Customer shall bear the costs of any audit.
8.3 Certifications
Xident maintains SOC 2 Type II certification and can provide audit reports upon request under NDA.
9. International Transfers
9.1 Transfer Mechanisms
For transfers of Personal Data outside the EEA to countries not subject to an adequacy decision, Xident shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (Module 2: Controller to Processor)
- Supplementary measures where required by Schrems II
9.2 SCCs
The Standard Contractual Clauses are incorporated by reference into this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
10. Data Retention and Deletion
10.1 Retention
Xident shall not retain Personal Data longer than necessary for the purposes of Processing or as required by applicable law.
10.2 Deletion
Upon termination of the Agreement or upon Customer's request, Xident shall delete or return all Personal Data within 30 days, unless retention is required by law.
11. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that limitations shall not apply to liability arising from willful misconduct or gross negligence.
12. Term
This DPA shall remain in effect for as long as Xident processes Personal Data on behalf of Customer under the Agreement.
Annex I: Processing Details
Subject Matter
Provision of age and identity verification services.
Duration
For the term of the Agreement between Customer and Xident.
Nature and Purpose of Processing
Processing Personal Data to verify the age and/or identity of Customer's end users, including face recognition, document verification, and liveness detection.
Categories of Data Subjects
End users of Customer's services who undergo age or identity verification.
Categories of Personal Data
- Identity data: Name, date of birth, document numbers
- Biometric data: Facial images and face embeddings
- Document data: ID document images and extracted information
- Technical data: IP address, device information, session data
Special Categories of Data
Biometric data for the purpose of uniquely identifying a natural person.
Annex II: Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services | USA (with EU data residency option) | Cloud infrastructure and hosting |
| Neon | USA | Database services |
| Cloudflare | USA (global edge network) | CDN and security services |
| Stripe | USA | Payment processing |
This list is current as of the date of this DPA. Updates will be communicated to Customers with 30 days' notice.
Contact
For questions about this DPA or to request a signed copy, contact:
Xident Technologies Inc.
548 Market St, Suite 95234
San Francisco, CA 94104
Email: legal@xident.io