Data Processing Agreement
Version 1.0 — March 2026
Need a countersigned DPA?
Enterprise customers can request a countersigned copy by contacting legal@xident.io. This DPA is automatically accepted via the Xident Dashboard for all customers.
Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679
Between the Customer (“Data Controller”) and Xident (“Data Processor”)
Table of Contents
- Definitions and Interpretation
- Scope, Roles, and Purpose of Processing
- Special Provisions for Biometric and Special Category Data
- Processor Obligations
- Sub-Processors
- International Data Transfers
- Personal Data Breach Notification
- Audit and Inspection Rights
- Data Subject Rights
- Digital Services Act Compliance
- Liability and Indemnification
- Term and Termination
- General Provisions
- Annexes
1. DEFINITIONS AND INTERPRETATION
1.1 In this Data Processing Agreement (“DPA”), the following terms shall have the meanings set out below:
| Term | Definition |
|---|---|
| “Agreement” | The master service agreement, terms of service, or other agreement between the Customer and Xident governing the provision of the Services. |
| “Applicable Data Protection Law” | The General Data Protection Regulation (EU) 2016/679 (“GDPR”), the ePrivacy Directive 2002/58/EC, the Digital Services Act (EU) 2022/2065 (“DSA”), and any applicable national implementing legislation, including but not limited to Member State laws transposing or supplementing the GDPR. |
| “Controller” | The Customer, who determines the purposes and means of the Processing of Personal Data. |
| “Data Subject” | An identified or identifiable natural person whose Personal Data is Processed under this DPA, including End Users undergoing age or identity verification. |
| “End User” | A natural person who interacts with the Xident verification widget or SDK as deployed by the Customer on their platform. |
| “Personal Data” | Any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR, processed by Xident on behalf of the Customer under this DPA. |
| “Personal Data Breach” | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Article 4(12) GDPR. |
| “Processing” | Any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR. |
| “Processor” | Xident, which Processes Personal Data on behalf of the Controller. |
| “Services” | The age and identity verification services provided by Xident to the Customer, as described in the Agreement and Annex 1. |
| “Special Category Data” | Personal Data revealing racial or ethnic origin, or biometric data for the purpose of uniquely identifying a natural person, as defined in Article 9(1) GDPR. |
| “Sub-Processor” | Any third party engaged by Xident to Process Personal Data on behalf of the Customer. |
| “Supervisory Authority” | An independent public authority established by an EU Member State pursuant to Article 51 GDPR. |
| “Technical and Organisational Measures” (“TOMs”) | The security measures described in Annex 2, implemented to protect Personal Data against unauthorised or unlawful Processing and accidental loss, destruction, or damage. |
1.2 This DPA forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
1.3 References to Articles are to Articles of the GDPR unless otherwise stated.
2. SCOPE, ROLES, AND PURPOSE OF PROCESSING
2.1 Scope. This DPA applies to the Processing of Personal Data by Xident (Processor) on behalf of the Customer (Controller) in connection with the provision of the Services as described in Annex 1.
2.2 Roles. The Customer acts as the Controller within the meaning of Article 4(7) GDPR, determining the purposes and means of Processing. Xident acts as the Processor within the meaning of Article 4(8) GDPR, Processing Personal Data solely on behalf of and under the documented instructions of the Controller.
2.3 Purpose Limitation. Xident shall Process Personal Data only for the specific purposes set out in Annex 1 and only in accordance with the Controller’s documented instructions, unless required to do so by Union or Member State law to which Xident is subject. In such case, Xident shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).
2.4 Prohibited Processing. Xident shall not:
- (a) Process Personal Data for its own purposes or for the purposes of any third party;
- (b) sell, rent, or otherwise commercialise Personal Data;
- (c) combine Personal Data received from or on behalf of the Controller with Personal Data from other sources except as necessary to provide the Services; or
- (d) retain Personal Data beyond the periods specified in Annex 1.
2.5 Controller Obligations. The Controller warrants that:
- (a) it has a valid legal basis under Article 6 GDPR for the Processing of Personal Data;
- (b) where Special Category Data is Processed, it has identified a valid condition under Article 9(2) GDPR;
- (c) it has provided adequate notice to Data Subjects in accordance with Articles 13 and 14 GDPR; and
- (d) it has conducted, or will conduct, a Data Protection Impact Assessment (DPIA) where required under Article 35 GDPR, particularly in relation to the use of biometric and age verification technologies.
3. SPECIAL PROVISIONS FOR BIOMETRIC AND SPECIAL CATEGORY DATA
3.1 Acknowledgment. The parties acknowledge that the Services may involve the Processing of biometric data and other Special Category Data as defined in Article 9(1) GDPR. Both parties recognise the heightened obligations and risks associated with such Processing.
3.2 Privacy by Design — Client-Side Processing. Xident’s verification architecture is designed to minimise the Processing of biometric data on server infrastructure:
- ML Fast Path (Path A): Liveness detection and age bracket recognition are performed entirely within the End User’s browser using on-device ONNX Runtime (WebAssembly). No facial images are transmitted to Xident’s servers. The binary age threshold result (pass/fail) is transmitted — not the facial image or biometric template.
- Document Fallback Path (Path B): Where client-side verification is insufficient, identity documents may be uploaded to Xident’s servers for OCR processing. Document images are deleted immediately upon completion of OCR extraction. Only DOB-derived age bracket data is retained.
- Xident Token Path (Path D): Returning verified users are authenticated via token lookup. No biometric processing occurs.
3.3 Data Minimisation for Biometric Data. In accordance with the EDPB Statement 1/2025 on Age Assurance:
- Xident employs binary age bracket classifiers (e.g., is this person above 18?), not age estimation, minimising the granularity of biometric inference.
- Raw biometric data (facial images) processed client-side are never stored, transmitted, or logged by Xident.
- Where facial embeddings are generated for face-match verification (Path B), only 512-dimensional vector representations are stored. These embeddings are mathematically non-reversible and cannot reconstruct the original facial image.
- Document images submitted for OCR are processed in-memory and deleted immediately upon extraction completion. No copies are retained.
3.4 Enhanced Security. Xident shall apply the enhanced Technical and Organisational Measures specified in Annex 2, Section B (Special Category Data Protections), including AES-256-GCM encryption at rest for all biometric embeddings and OCR-derived data.
3.5 DPIA Support. Xident shall provide the Controller with all information reasonably necessary to support the Controller’s obligation to conduct a Data Protection Impact Assessment under Article 35 GDPR in relation to the Services.
4. PROCESSOR OBLIGATIONS
4.1 Documented Instructions. Xident shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation (Article 28(3)(a) GDPR). The instructions as of the effective date of this DPA are set out in Annex 4.
4.2 Confidentiality. Xident shall ensure that all persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) GDPR). This obligation shall survive the termination of this DPA.
4.3 Security of Processing. Xident shall implement and maintain the Technical and Organisational Measures set out in Annex 2, appropriate to the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons (Article 32 GDPR). These measures include, at minimum:
- Pseudonymisation and encryption of Personal Data (Article 32(1)(a));
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (Article 32(1)(b));
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident (Article 32(1)(c));
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures (Article 32(1)(d)).
4.4 Assistance with Data Subject Rights. Taking into account the nature of the Processing, Xident shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III GDPR (Articles 15–22), including the right of access, rectification, erasure, restriction, data portability, and objection (Article 28(3)(e) GDPR).
4.5 Assistance with Controller Obligations. Xident shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of Processing and the information available to Xident (Article 28(3)(f) GDPR). This includes assistance with:
- Security of Processing (Article 32);
- Notification of a Personal Data Breach to the Supervisory Authority (Article 33);
- Communication of a Personal Data Breach to the Data Subject (Article 34);
- Data Protection Impact Assessments (Article 35);
- Prior consultation with the Supervisory Authority (Article 36).
4.6 Deletion and Return. At the choice of the Controller, Xident shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless Union or Member State law requires storage of the Personal Data (Article 28(3)(g) GDPR). The specific data retention and deletion schedule is set out in Annex 1, Section 5.
4.7 Demonstration of Compliance. Xident shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) GDPR). Xident shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions.
5. SUB-PROCESSORS
5.1 General Authorisation. The Controller provides general written authorisation to Xident to engage Sub-Processors for the provision of the Services, subject to the conditions set out in this Section 5 (Article 28(2) GDPR).
5.2 Current Sub-Processors. The list of Sub-Processors engaged by Xident as of the effective date of this DPA is set out in Annex 3. The Controller has reviewed and approved this list by entering into this DPA.
5.3 Notification of Changes. Xident shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes (Article 28(2) GDPR). Xident shall provide at least thirty (30) calendar days’ prior written notice before engaging a new Sub-Processor or replacing an existing one.
5.4 Objection Right. If the Controller objects to the engagement of a new Sub-Processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If the parties cannot reach a resolution within thirty (30) calendar days, the Controller may terminate the affected Services without penalty. Xident shall not engage the objected-to Sub-Processor for the Controller’s data until the objection is resolved.
5.5 Sub-Processor Obligations. Where Xident engages a Sub-Processor, Xident shall:
- (a) impose data protection obligations on the Sub-Processor by way of a written contract that are no less protective than those set out in this DPA (Article 28(4) GDPR);
- (b) remain fully liable to the Controller for the performance of the Sub-Processor’s obligations; and
- (c) ensure that the Sub-Processor provides sufficient guarantees to implement appropriate technical and organisational measures.
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfer Restriction. Xident shall not transfer Personal Data to any country outside the European Economic Area (EEA) unless:
- (a) the European Commission has decided that the third country ensures an adequate level of protection (Article 45 GDPR);
- (b) appropriate safeguards have been provided in accordance with Article 46 GDPR, including the EU Standard Contractual Clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914; or
- (c) a derogation under Article 49 GDPR applies.
6.2 EU-Based Infrastructure. As of the effective date of this DPA, Xident’s primary data processing infrastructure, including database servers, application servers, and cache/queue systems, is located within the European Union. Xident shall notify the Controller prior to any change in the location of processing infrastructure that would result in Personal Data being processed outside the EEA.
6.3 Sub-Processor Transfers. Where a Sub-Processor is located outside the EEA or processes Personal Data outside the EEA, Xident shall ensure that the transfer is subject to appropriate safeguards as described in Section 6.1, and shall make the relevant transfer mechanism available to the Controller upon request.
6.4 Transfer Impact Assessment. Where transfers are made pursuant to Standard Contractual Clauses, Xident shall conduct a transfer impact assessment in accordance with the CJEU’s Schrems II judgment (Case C-311/18) and the EDPB Recommendations 01/2020, and shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
7. PERSONAL DATA BREACH NOTIFICATION
7.1 Notification to Controller. Xident shall notify the Controller without undue delay, and in any event within twenty-four (24) hours, after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller (Article 33(2) GDPR).
7.2 Content of Notification. The notification shall include, at minimum:
- A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- The name and contact details of the Processor’s data protection contact point;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.3 Cooperation. Xident shall cooperate with and assist the Controller in investigating, mitigating, and remediating any Personal Data Breach, and shall provide such additional information as becomes available. Xident shall not notify any Supervisory Authority or Data Subject on behalf of the Controller without the Controller’s prior written consent, unless required by Applicable Data Protection Law.
7.4 Documentation. Xident shall document any Personal Data Breach, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with Article 33(5) GDPR.
8. AUDIT AND INSPECTION RIGHTS
8.1 Information Access. Xident shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
8.2 Audit Right. The Controller (or its authorised independent auditor) shall have the right to conduct audits of Xident’s Processing activities, including inspections of Xident’s premises, equipment, and records, to verify compliance with this DPA. Audits shall be conducted:
- (a) with at least thirty (30) calendar days’ prior written notice;
- (b) during normal business hours;
- (c) subject to reasonable confidentiality obligations; and
- (d) in a manner that minimises disruption to Xident’s operations.
8.3 Frequency. The Controller may conduct one (1) audit per calendar year under this Section 8, unless:
- (a) a Personal Data Breach has occurred;
- (b) the Controller is required to conduct an additional audit by a Supervisory Authority; or
- (c) the Controller has reasonable grounds to believe that Xident is not complying with this DPA.
8.4 Third-Party Certifications. Xident may satisfy audit requests by providing the Controller with:
- (a) copies of relevant third-party certifications (e.g., ISO 27001, SOC 2 Type II);
- (b) summary audit reports prepared by qualified independent auditors; or
- (c) completed security questionnaires.
The Controller may still exercise its audit right under Section 8.2 if such documentation is insufficient to verify compliance.
8.5 Costs. Each party shall bear its own costs in relation to audits. If an audit reveals material non-compliance by Xident with this DPA, Xident shall bear the reasonable costs of the audit.
9. DATA SUBJECT RIGHTS
9.1 Assistance. Xident shall promptly notify the Controller if it receives a request from a Data Subject to exercise rights under Chapter III GDPR (including access, rectification, erasure, restriction, portability, and objection). Xident shall not respond to such requests directly unless authorised by the Controller.
9.2 Technical Measures. Xident shall implement appropriate technical measures to enable the Controller to fulfil Data Subject requests, including the ability to:
- (a) search for and retrieve Personal Data relating to a specific Data Subject;
- (b) export Personal Data in a structured, commonly used, machine-readable format;
- (c) delete Personal Data relating to a specific Data Subject; and
- (d) restrict further Processing of specific Personal Data.
9.3 GDPR Erasure — Hard Delete. In accordance with Article 17 GDPR and the principle of storage limitation, deletion of Personal Data under this DPA means permanent, irrecoverable deletion (hard delete). Soft deletion, anonymisation-in-place, or logical deletion shall not satisfy erasure obligations. Database cascading delete mechanisms shall be employed to ensure deletion of all related records across associated tables.
10. DIGITAL SERVICES ACT COMPLIANCE
10.1 DSA Obligations. The parties acknowledge that the Customer may be subject to obligations under the Digital Services Act (EU) 2022/2065 (“DSA”), including Article 28 DSA (protection of minors). Xident’s Services are designed to support the Customer’s compliance with these obligations.
10.2 Proportionality. In accordance with the European Commission’s guidelines on the protection of minors (July 2025) and the EDPB Statement 1/2025 on Age Assurance, Xident’s verification methods are designed to be accurate, reliable, robust, non-discriminatory, and as non-invasive as possible.
10.3 Binary Threshold Confirmation. In line with the EDPB’s recommendation for tokenised approaches, Xident transmits only binary age threshold confirmations (pass/fail) to the Controller. The Controller receives no actual age, date of birth, or biometric data.
10.4 No Additional Profiling. In compliance with Article 28(2) DSA, Xident shall not use Personal Data collected for age verification purposes for profiling, targeted advertising, or any purpose other than the provision of the verification Services.
11. LIABILITY AND INDEMNIFICATION
11.1 Liability. Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except that neither party’s liability for breaches of Applicable Data Protection Law shall be limited below the minimum required by such law.
11.2 Processor Liability. Xident shall be liable for damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to Processors, or where it has acted outside or contrary to the Controller’s lawful instructions (Article 82(2) GDPR).
11.3 Indemnification. Xident shall indemnify, defend, and hold harmless the Controller from and against any losses, damages, costs, and expenses (including reasonable legal fees) arising from:
- (a) any breach by Xident of this DPA;
- (b) any breach by Xident or its Sub-Processors of Applicable Data Protection Law; or
- (c) any claim by a Data Subject or Supervisory Authority arising from Xident’s failure to comply with its obligations under this DPA.
12. TERM AND TERMINATION
12.1 Term. This DPA shall commence on the effective date and shall continue in force for as long as Xident Processes Personal Data on behalf of the Controller, including any period after termination of the Agreement during which Xident retains Personal Data.
12.2 Termination for Breach. Either party may terminate this DPA with immediate effect by written notice if the other party:
- (a) materially breaches this DPA and fails to remedy such breach within thirty (30) days of written notice; or
- (b) is in persistent breach of this DPA.
12.3 Effect of Termination. Upon termination of this DPA or the Agreement:
- (a) Xident shall cease all Processing of Personal Data;
- (b) at the Controller’s election, Xident shall return or delete all Personal Data within thirty (30) calendar days, and shall certify such deletion in writing;
- (c) Xident may retain Personal Data only where required by Union or Member State law, and only for the period and purposes required by such law; and
- (d) Sections 4.2 (Confidentiality), 7 (Data Breach), 8 (Audit), 11 (Liability), and 13 (General) shall survive termination.
13. GENERAL PROVISIONS
13.1 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the European Union and, to the extent applicable, the laws of the Member State in which the Controller is established.
13.2 Entire Agreement. This DPA, together with its Annexes and the Agreement, constitutes the entire agreement between the parties with respect to the Processing of Personal Data and supersedes all prior agreements, understandings, and representations.
13.3 Amendments. This DPA may only be amended by a written instrument signed by both parties. Xident may update the Technical and Organisational Measures in Annex 2 from time to time, provided that such updates do not materially diminish the level of protection afforded to Personal Data.
13.4 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
13.5 Notices. All notices under this DPA shall be in writing and sent to:
- Controller: The address specified in the Agreement.
- Processor: privacy@xident.io
13.6 No Waiver. A failure or delay by either party to exercise any right or remedy under this DPA shall not be construed as a waiver of that right or remedy.
SIGNATURES
IN WITNESS WHEREOF, the parties have caused this Data Processing Agreement to be executed by their duly authorised representatives.
| | DATA CONTROLLER (Customer) | DATA PROCESSOR (Xident) |
|---|---|---|
| Company | ________________________________ | Xident |
| Name | ________________________________ | ________________________________ |
| Title | ________________________________ | ________________________________ |
| Date | ________________________________ | ________________________________ |
| Signature | ________________________________ | ________________________________ |
Annexes
ANNEX 1: DETAILS OF PROCESSING
A1.1 Subject Matter and Duration
| Field | Description |
|---|---|
| Subject Matter | Provision of age and identity verification services via the Xident platform, SDK, and verification widget. |
| Duration | The duration of the Agreement plus any post-termination retention period specified in this Annex. |
| Nature of Processing | Collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Personal Data as necessary to perform age and identity verification. |
A1.2 Purposes of Processing
| # | Purpose |
|---|---|
| 1 | Performing liveness detection to confirm the End User is a real person present at the time of verification |
| 2 | Performing client-side age bracket recognition (binary threshold: above/below specified age) using on-device ML models |
| 3 | Processing identity documents via OCR to extract date of birth when client-side verification is insufficient or when required by applicable regulation |
| 4 | Face matching between liveness image and document photo for identity confirmation during document verification |
| 5 | Generating, storing, and verifying Xident verification tokens for returning verified users |
| 6 | Maintaining verification session records for audit and compliance purposes |
| 7 | Providing verification status and results to the Controller via API |
| 8 | Performing blacklist checks as requested by the Controller |
A1.3 Categories of Data Subjects
- End Users of the Controller’s platform who are subject to age or identity verification
- Individuals who create a Xident account for cross-platform verification
A1.4 Types of Personal Data
| Category | Data Elements | Retention |
|---|---|---|
| Session Data | Session ID, API key identifier, IP address (hashed), User-Agent, timestamp, verification status, age threshold requested | 90 days after session completion, then hard deleted |
| Liveness Data | Liveness challenge ID, challenge actions performed, liveness score, HMAC-signed challenge token | Deleted upon session completion (not retained) |
| Age Bracket Result | Binary pass/fail result per age threshold (e.g., is_above_18: true), confidence score | Retained with session data (90 days) |
| Document Data (Path B only) | Document type, document image (temporary), OCR-extracted fields: date of birth, document number (encrypted), face region crop (temporary) | Document images: deleted immediately after OCR. Extracted DOB: hashed, retained 90 days. Document number: encrypted at rest, retained 90 days |
| Facial Embeddings (Path B only) | 512-dimensional vector representation derived from facial image for face-match verification | Encrypted at rest (AES-256-GCM). Retained for the duration of the Xident account or 90 days if no account created |
| Xident Account Data (if applicable) | Email address, hashed password (bcrypt), verified age brackets, passkey credentials, account creation date | Duration of account plus 30 days after account deletion |
| Verification Tokens | Token ID (hashed), associated age brackets, issuing tenant, issuance timestamp, expiry timestamp | Until token expiry or revocation, then hard deleted within 30 days |
A1.5 Data Deletion Schedule
Upon termination of the Agreement or upon Controller’s request:
- All session data, liveness data, age bracket results: deleted within 30 days
- All facial embeddings associated with the Controller: deleted within 30 days
- All document-derived data associated with the Controller: deleted within 30 days
- Xident account data: retained only where the End User has an independent relationship with Xident (cross-platform account). Controller-specific token associations are severed within 30 days
- Audit logs: retained for the minimum period required by applicable law, then deleted
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
A2.1 Section A — General Security Measures
Encryption in Transit: All data in transit is protected using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on all endpoints.
Encryption at Rest: All databases and storage systems employ encryption at rest. PostgreSQL instances use AES-256 encryption. S3-compatible storage uses server-side encryption (SSE).
Access Control: Role-based access control (RBAC) is enforced across all systems. Administrative access requires multi-factor authentication (MFA). Access follows the principle of least privilege.
Authentication Security: Passwords are hashed using bcrypt with cost factor 12. Verification tokens are 32 bytes of cryptographically random data, stored hashed (SHA-256). API keys use constant-time comparison to prevent timing attacks. Session cookies are HTTP-only and Secure-flagged.
Network Security: Firewalls restrict access to production systems. SSRF protections cover both IPv4 and IPv6 (including IPv4-mapped IPv6 bypass via ::ffff:0:0/96). Rate limiting is applied to all public-facing endpoints.
Infrastructure Security: Production infrastructure is hosted within the EU. Infrastructure-as-code practices ensure reproducible, auditable deployments. Production configuration is validated at startup, rejecting default secrets or insecure settings (e.g., sslmode=disable).
Monitoring and Logging: Structured logging captures security-relevant events without logging sensitive Personal Data. Audit logs record all administrative actions, authentication events, and data access patterns. Anomaly detection monitors for unusual access patterns.
Employee Measures: All personnel with access to Personal Data are subject to confidentiality agreements. Regular security awareness training is provided. Background checks are conducted where permitted by applicable law.
Incident Response: A documented incident response plan exists, including defined roles, communication procedures, and escalation paths. The plan is tested regularly. Post-incident reviews are conducted to identify and implement improvements.
Business Continuity: Database backups are performed regularly with encryption. Recovery procedures are tested periodically. Redundancy measures ensure service availability.
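The Network Security measure above names the IPv4-mapped IPv6 bypass (::ffff:0:0/96) as something an SSRF check must cover. The following is an added illustration, not Xident's code: it unwraps the IPv4 address embedded in mapped, IPv4-compatible, 6to4 and Teredo forms before classifying it, so a literal such as `[::ffff:127.0.0.1]` is treated exactly like `127.0.0.1`. Function names and sample URLs are constructed.

```python
"""Outbound-destination check that sees through IPv4 addresses embedded in
IPv6 literals. Added example (not Xident's code); helper names and the
sample destinations are constructed for illustration."""
import ipaddress
from typing import Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried inside an IPv6 address, if any.

    Covers the IPv4-mapped form ::ffff:0:0/96 named in the annex, 6to4
    (2002::/16), Teredo (2001::/32, client address) and the deprecated
    IPv4-compatible form ::a.b.c.d."""
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr.teredo is not None:
        return addr.teredo[1]
    packed = addr.packed
    if packed[:12] == bytes(12) and not (addr.is_unspecified or addr.is_loopback):
        return ipaddress.IPv4Address(packed[12:])
    return None


def is_blocked_ip(ip: IPAddress) -> bool:
    """True if the address must not be contacted from the server side.

    Anything that is not globally routable (loopback, RFC 1918, link-local,
    CGNAT, documentation, unspecified, reserved) plus multicast is refused.
    An IPv6 address that wraps an IPv4 address is judged by that IPv4 address,
    which is what defeats the ::ffff: bypass regardless of how the local
    Python version classifies ::ffff:0:0/96 itself."""
    if isinstance(ip, ipaddress.IPv6Address):
        inner = _embedded_ipv4(ip)
        if inner is not None:
            return is_blocked_ip(inner)
    return ip.is_multicast or not ip.is_global


def url_is_blocked(url: str) -> bool:
    """Reject a URL whose host is a literal IP that fails is_blocked_ip().

    urlsplit() strips the brackets from IPv6 literals and discards any
    userinfo, so "http://8.8.8.8@10.0.0.1/" is judged by 10.0.0.1.
    A DNS name returns False here: the caller must resolve it, run every
    resolved address through is_blocked_ip(), and then connect to the
    address it checked (not re-resolve), so a rebinding answer cannot swap
    the destination after the check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return True
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # hostname: decide after resolution, not here
    return is_blocked_ip(ip)
```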
A2.2 Section B — Special Category Data Protections
The following enhanced measures apply to the Processing of biometric data and other Special Category Data:
Biometric Data Encryption: Facial embeddings (512-dimensional vectors) are encrypted at rest using AES-256-GCM with per-record encryption keys derived from a hardware-protected master key.
Document Data Handling: Identity document images are processed in volatile memory only. No document images are written to persistent storage. OCR results containing PII (date of birth, document number) are encrypted immediately upon extraction using AES-256-GCM.
Client-Side Processing: Age bracket recognition and liveness detection are performed entirely within the End User’s browser via ONNX Runtime WebAssembly. No facial images are transmitted to Xident servers on the ML fast path. This architecture is verified through code review and network traffic analysis.
Data Isolation: Multi-tenant data isolation ensures that each Controller’s data is logically separated. Database queries are scoped to the authenticated tenant. Cross-tenant data access is architecturally prevented.
Embedding Non-Reversibility: Facial embeddings stored as pgvector vector(512) with HNSW indexing (cosine distance) are mathematically non-reversible. The embedding extraction process is a lossy dimensionality reduction that cannot reconstruct the original facial image.
SQL Injection Prevention: All database queries use parameterised queries. SQL LIKE operations escape wildcard characters (%, _, \) to prevent injection via search parameters.
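The LIKE-escaping measure above, as an added example that is not Xident's code (Node.js is assumed, and the `accounts` table and column names are invented for the illustration). Parameterisation stops a search term from changing the query's shape, but it does not stop an unescaped `%` or `_` from changing what the pattern matches; the block builds the parameterised query with an explicit `ESCAPE` clause and includes a small LIKE evaluator, constructed only for the demo, to show the difference on sample rows without a database.

```javascript
'use strict';

const LIKE_ESCAPE = '\\';

// Escape the three characters that are special inside a SQL LIKE pattern so a
// user-supplied search term is matched literally.
function escapeLike(term) {
  return term.replace(/[\\%_]/g, (c) => LIKE_ESCAPE + c);
}

// Parameterised query in the { text, values } shape used by node-postgres.
// The tenant scope is always the first predicate (table/column names assumed).
function buildAccountSearch(tenantId, term) {
  return {
    text: 'SELECT id, email FROM accounts WHERE tenant_id = $1 AND email LIKE $2 ESCAPE \'\\\'',
    values: [tenantId, `%${escapeLike(term)}%`],
  };
}

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Minimal SQL LIKE evaluator (constructed for this demo, not a database) that
// honours the escape character, so the effect of escaping can be shown offline.
function likeMatches(value, pattern, escapeChar = LIKE_ESCAPE) {
  let re = '^';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === escapeChar && i + 1 < pattern.length) re += escapeRegExp(pattern[++i]);
    else if (c === '%') re += '[\\s\\S]*';
    else if (c === '_') re += '[\\s\\S]';
    else re += escapeRegExp(c);
  }
  return new RegExp(re + '$').test(value);
}

// Constructed sample rows for one tenant.
const SAMPLE_EMAILS = ['ops_team@example.com', 'ops-team@example.com', 'alice@example.com'];

// "Contains" search over the sample rows, with or without escaping the term.
function searchEmails(term, { escape = true } = {}) {
  const pattern = `%${escape ? escapeLike(term) : term}%`;
  return SAMPLE_EMAILS.filter((email) => likeMatches(email, pattern));
}
```

With escaping off, the term `ops_` also returns `ops-team@example.com` and a bare `%` returns every row in the tenant; with escaping on, each term matches only rows that contain it literally, which is what a search box should do.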
Challenge Security: Liveness challenges are HMAC-SHA256 signed with a 5-minute expiry to prevent replay attacks. Challenge tokens are single-use and invalidated upon verification.
ANNEX 3: AUTHORISED SUB-PROCESSORS
The following Sub-Processors are authorised as of the effective date of this DPA:
| Sub-Processor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Neon (Neon Inc.) | Managed PostgreSQL database hosting | All persistent data (session records, encrypted embeddings, account data, tokens) | EU (Frankfurt, DE) | DPA, encryption at rest, SOC 2 |
| [Cloud Provider] | Application hosting and compute infrastructure | All data in transit and during processing | EU | DPA, ISO 27001, SOC 2 |
| [Object Storage Provider] | Temporary document upload storage (presigned URLs) | Identity document images (temporary, deleted after OCR) | EU | DPA, SSE, access logging |
| [Redis Provider] | In-memory cache and job queue | Session state, job metadata (no PII in cache values) | EU | DPA, encryption in transit |
| [Email Provider] | Transactional email delivery | Email addresses (Xident account holders only) | EU/US | DPA, SCCs (if US) |
| Lago (Self-hosted) | Usage-based billing and metering | Tenant identifiers, verification event counts (no End User PII) | EU (self-hosted) | Self-hosted, no external transfer |
Note: Sub-Processors marked with [brackets] shall be specified with exact entity names prior to execution of this DPA. The Controller shall be notified of any changes in accordance with Section 5 of this DPA.
Sub-Processor Notification Channel: Updates to this list will be communicated to the Controller’s designated contact via email at least 30 days prior to engagement. The current Sub-Processor list is also maintained at: https://xident.io/legal/sub-processors
ANNEX 4: CONTROLLER’S DOCUMENTED INSTRUCTIONS
The following constitutes the Controller’s documented instructions to Xident as of the effective date of this DPA:
- Process Personal Data only for the purposes described in Annex 1 and only to the extent necessary to provide the Services.
- Apply the verification methods determined by the Controller’s rule configuration (regime: low, medium, or strict) and any country-specific overrides.
- For ML Fast Path (Path A) verification: perform liveness detection and age bracket recognition entirely client-side; transmit only binary pass/fail results to the server.
- For Document Fallback Path (Path B): accept document uploads, perform OCR, extract date of birth, perform face matching, and delete document images immediately upon OCR completion.
- For Xident Token Path (Path D): verify existing tokens and return pass/fail result without additional biometric processing.
- Store facial embeddings encrypted at rest using AES-256-GCM. Do not store raw facial images.
- Apply data retention periods as specified in Annex 1, Section A1.4. Hard delete data upon expiry.
- Notify the Controller within 24 hours of any Personal Data Breach.
- Maintain an up-to-date list of Sub-Processors and provide 30 days’ notice of changes.
- Do not transfer Personal Data outside the EEA without prior notification and appropriate safeguards.
- Support the Controller in responding to Data Subject requests within the timeframes required by GDPR.
- Provide verification status and results to the Controller via API. The Controller receives only pass/fail verification status and associated metadata — never raw biometric data, facial images, or actual date of birth.
Additional or modified instructions may be provided by the Controller in writing to privacy@xident.io. Xident shall confirm receipt and feasibility within five (5) business days.