
Data Processing Addendum

Last Updated: March 7, 2026


This Data Processing Addendum (“DPA”) is made part of the Master Services Agreement (“Agreement”), entered into by and between Customer and IDScan.net. By accepting the Agreement or accessing or using the Services, Customer agrees to be bound by this DPA. In the event of any conflict between this DPA and the Agreement, the provision of this DPA will control. Any capitalized terms used but not otherwise defined herein shall have the meaning set forth in the Agreement.

Section 1 : Definitions

  1. “Data Protection Law” means any laws, rules, or regulations relating to privacy, security, or data protection applicable to a party in the performance of its obligations under this DPA, including, as applicable (i) those of the United States, including the California Consumer Protection Act, as amended (“CCPA”); (ii) those of the European Union, the European Economic Area, their member states, and the United Kingdom, including Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), the UK Data Protection Act 2018 as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), and the Swiss Federal Data Protection Act; (iii) those of any other relevant jurisdictions; and (iv) any replacements, additions, successors, implementing requirements or legislation, or amendments to any of the foregoing.
  2. “Data Subject” means a data subject, consumer, or identified or identifiable natural person.
  3. “Personal Data” means any Customer Data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject or household, or that is personal data, personal information, or similarly protected data as ascribed under Data Protection Law.
  4. “Subprocessor” means any subcontractor engaged by IDScan.net to help provide the Services and that processes Personal Data on behalf of IDScan.net in connection with Customer’s use of the Services. Where applicable, the terms “controller,” “business,” “processor,” “service provider,” “data subject,” “consumer,” “process,” “personal data,” “personal information,” “sell,” “share,” “business purpose,” “commercial purpose,” “supervisory authority,” “third party,” “deidentified,” “aggregate consumer information” (or any equivalent terms) shall have the meaning ascribed to them under Data Protection Law.

Section 2 : Data Processing

  1. This DPA applies to the processing of Personal Data by IDScan.net on behalf of Customer. In this context, with respect to Personal Data (i) IDScan.net acts as processor or service provider for Customer; and (ii) Customer acts as controller or as processor to another person. 
  2. Customer hereby instructs IDScan.net to process Personal Data in accordance with (i) the Agreement and this DPA (including the details of data processing set out in Schedule 1); and (ii) any other documented written instructions by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and this DPA (collectively, “Documented Instructions”). If IDScan.net must process Personal Data as otherwise required by applicable law, IDScan.net shall inform Customer of that legal requirement before processing Personal Data, unless that law prohibits such disclosure on important grounds of public interest. 
  3. The obligations in this subsection apply only to Personal Data that is personal information subject to the CCPA. Customer makes Personal Data available to IDScan.net for the business purposes specified in Schedule 1 below. IDScan.net agrees that: (1) IDScan.net will use the Personal Data only for those limited specified purposes; (2) IDScan.net will provide the same level of privacy protection to the Personal Data as is required of businesses by CCPA; (3) Customer has the right to take reasonable and appropriate steps as outlined in Section 8 of this DPA to help ensure that IDScan.net uses the Personal Data in a manner consistent with Customer’s obligations under CCPA; (4) IDScan.net will notify Customer if it makes a determination that it can no longer meet its obligations under CCPA with respect to the Personal Data; (5) Customer has the right, upon notice and in accordance with the applicable sections of this DPA, to take reasonable and appropriate steps to stop and remediate unauthorized use of the Personal Data; (6) IDScan.net will not sell or share the Personal Data; (7) IDScan.net will not retain, use, or disclose the Personal Data for any purpose, including a commercial purpose, other than the business purposes specified herein; (8) IDScan.net will not retain, use, or disclose the Personal Data outside of the direct business relationship between IDScan.net and Customer other than for the business purposes specified herein; and (9) IDScan.net will not combine the Personal Data with personal information that IDScan.net receives from or on behalf of another customer, or collects from its own interaction with the consumer, unless otherwise permitted of a service provider by the CCPA. 
  4. As between the parties, Customer is solely responsible for the accuracy, quality, and legality of Personal Data. Customer agrees that: (i) Customer has provided all necessary notice and choice, and secured all necessary rights, consents, privileges, and a lawful basis for the processing of Personal Data as contemplated under the Agreement (including by IDScan.net and its Subprocessors); (ii) Customer has complied (and will continue to comply) with all Data Protection Laws and applicable third party terms; (iii) Customer will not provide to IDScan.net or cause IDScan.net to process any sensitive category of Personal Data (such as data concerning health, finances, sex life or sexual orientation, children or teens, or other data defined as sensitive or a special category of data under Data Protection Law) unless expressly set out in Schedule 1 below; (iv) to the extent Customer uses the Services in a manner that involves the collection, use, storage, or other processing of biometric identifiers or biometric information (as defined under applicable law), Customer has provided all legally required notices and disclosures, obtained all required express or written consents, and complied with all applicable biometric privacy laws, including any applicable requirements relating to data retention and destruction; and (v) IDScan.net’s processing of Personal Data in accordance with Customer’s instructions will not violate or cause IDScan.net to violate any Data Protection Laws or applicable third party terms. Notwithstanding anything to the contrary, to the extent permitted by Data Protection Law, IDScan.net may use and retain any deidentified or aggregate consumer information related to the Services for any purpose in accordance with Data Protection Law, including but not limited to developing analytics and improving the Services.

Section 3 : Security

IDScan.net shall implement and maintain security procedures and practices appropriate to the nature of the Personal Data designed to protect the Personal Data from a Security Incident. The minimum technical and organizational measures to be implemented by IDScan.net are set forth in Schedule 2. IDScan.net shall regularly monitor compliance with these measures, and shall not materially decrease the overall security of the Services with respect to Personal Data during its provision of the Services. IDScan.net shall ensure that persons authorized to carry out processing have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality.

Section 4 : Security Incidents

IDScan.net shall notify Customer without undue delay after becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in possession or control of IDScan.net (a “Security Incident”). IDScan.net shall make reasonable efforts to identify the cause of such Security Incident and take steps as IDScan.net deems necessary and reasonable in order to remediate the cause of such Security Incident to the extent the remediation is within IDScan.net’s reasonable control and required by law.

Section 5 : Subprocessors

Customer provides general written authorization for IDScan.net to engage Subprocessors to process Personal Data in connection with the Services. A current list of IDScan.net’s Subprocessors is available in our Trust Center (the “Subprocessor List”). IDScan.net will enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this DPA with respect to the protection of Personal Data. IDScan.net shall make available notice of any intended addition or replacement of a Subprocessor by updating the Subprocessor List.

IDScan.net will provide Customer with a reasonable opportunity to object to any new Subprocessor by providing written notice to IDScan.net within ten (10) days following the posting of the updated Subprocessor List. In the event Customer reasonably objects to the new Subprocessor, IDScan.net will use commercially reasonable efforts to make available to Customer a change in the Services to avoid processing of Personal Data by the objected-to Subprocessor. If IDScan.net is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services which cannot be provided by IDScan.net without the use of the objected-to new Subprocessor by providing written notice to IDScan.net. IDScan.net shall be liable for the acts and omissions of its Subprocessors to the same extent IDScan.net would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

Section 6 : Requests & Assistance

To the extent legally permitted, IDScan.net shall: (a) promptly notify Customer if IDScan.net receives a request from a Data Subject to exercise their rights under Data Protection Law or receives a request or complaint from a supervisory authority, regulator, or other third party (“Request”); and (b) not respond to the Request without written approval from Customer. Taking into account the nature of the processing, IDScan.net shall reasonably assist Customer in the fulfilment of Customer’s obligation to respond to the Request. Upon request by Customer, IDScan.net shall reasonably assist Customer as necessary to carry out data protection impact assessments related to Customer’s use of the Services, and in the cooperation or prior consultation with supervisory authorities or regulators in the performance of IDScan.net’s tasks relating to the data protection impact assessments. To the extent legally permitted, Customer shall be responsible for any costs arising from IDScan.net’s provision of assistance hereunder. Customer acknowledges that IDScan.net may not be able to fulfill Requests where doing so would interfere with IDScan.net’s ability to comply with applicable law or legal obligation, or protect its rights or those of a third party. Each party shall provide reasonable assistance to the other party as necessary for the other party to fulfill its obligations under Data Protection Law.

Section 7 : Return & Deletion

IDScan.net shall return or delete (at Customer’s discretion) all Personal Data when such Personal Data is no longer needed to perform the Services, or sixty (60) days following termination of the Agreement. IDScan.net may retain Personal Data where necessary for Customer to comply with applicable law or legal obligation, or protect its rights or those of a third party.

Section 8 : Audit

IDScan.net shall allow for and contribute to reasonable audits conducted by Customer or a third party auditor designated by Customer to ascertain IDScan.net’s compliance with this DPA to the extent required by Data Protection Law, provided that such audits shall be conducted upon request of Customer at reasonable intervals (no greater than once per year), be limited to any IDScan.net facilities where it processes Personal Data, require at least thirty (30) days prior notice, take place during normal business hours, and not require IDScan.net to provide access to systems or information relating to its other customers. Any third party auditor must be agreed upon by IDScan.net (not to be unreasonably withheld) and submit to a duty of confidentiality with respect to the audit. As an alternative to the foregoing at IDScan.net’s discretion, to the extent permitted by Data Protection Law, at least annually IDScan.net may arrange for a qualified and independent third party to conduct a comprehensive audit of IDScan.net’s policies and technical and organizational measures in support of its obligations under this DPA using an appropriate and accepted control standard or framework and audit procedure for such audits, and provide the results of such audit to Customer upon request of Customer. To the extent permitted by Data Protection Law, Customer is responsible for and shall reimburse IDScan.net for any expenses associated with this Section 8. Any information associated with this audit right shall be IDScan.net’s confidential information and subject to obligations of confidentiality. The parties agree that, to the extent permitted by Data Protection Law, any audits described in the Standard Contractual Clauses shall be carried out in accordance with this Section 8.

Section 9 : Data Transfer

Customer acknowledges that Personal Data will be stored and processed in the United States and other countries in which IDScan.net or its Subprocessors maintain facilities. By using the Services, Customer agrees to the transfer of Personal Data outside of the country in which it was provided. For any transfers of Personal Data subject to GDPR to countries (or territories or sectors within a country) or international organizations which do not benefit from an adequacy decision under GDPR, the parties hereby agree to transfer the Personal Data pursuant to the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (“Standard Contractual Clauses”), which are incorporated herein as follows:

  1. When Customer is acting as a controller, Module Two will apply. When Customer is acting as a processor, Module Three will apply. 
  2. In Clause 7 (Docking clause), the optional docking clause will apply.
  3. In Clause 9 (Use of sub-processors), Option 2 will apply and the time period for prior notice of Subprocessor change shall be set out in Section 5 of this DPA. 
  4. In Clause 11 (Redress), the optional language shall not apply.
  5. In Clause 17 (Governing Law), Option 1 will apply, and the member state will be Ireland.
  6. In Clause 18 (Choice of Forum and Jurisdiction), the member state will be Ireland.
  7. Annex I is completed as follows:
    1. List of Parties: Customer is the data exporter and IDScan.net is the data importer. The address, contact details and activities relevant to the transfer for the data exporter and data importer are set out in the Agreement and this DPA. By signing this DPA, the data exporter and data importer will be deemed to have signed Annex I. 
    2. Description of Transfer: The required information is set out in Schedule 1. 
    3. Competent Supervisory Authority: The data exporter’s competent supervisory authority will be determined in accordance with GDPR.
  8. Annex II is completed as follows: The required information is set out in Schedule 2.
  9. Annex III is completed as follows: The required information is set out in our Trust Center. 

For any transfers of Personal Data subject to UK GDPR to countries (or territories or sectors within a country) or international organizations which do not benefit from an adequacy decision under UK GDPR, the parties hereby agree to transfer the Personal Data pursuant to the same Standard Contractual Clauses, subject to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (“UK Addendum”). With respect to the UK Addendum, Table 1 is completed using the information set out in “List of Parties” above. Table 2 is completed using the version of the Standard Contractual Clauses listed above. Table 3 is completed using the information set out in “List of Parties” and “Description of Transfer” above, and in Schedule 2 and at [URL]. Table 4 is completed so that either the data importer or data exporter may end the UK Addendum when the approved Addendum changes.

Section 10 : Liability

To the maximum extent permitted by applicable law, and notwithstanding anything to the contrary, each party’s liability under this DPA is subject to the disclaimers and limitations of liability in the MSA.

Section 11 : Modification

IDScan.net may modify this DPA from time to time by providing notice to Customer, which may be given by posting the modified DPA in its online portal or by email to the email address associated with Customer’s account. Unless otherwise stated by IDScan.net, modifications will become effective upon Customer’s continued access to or use of the Services after the effective date of the modified DPA. Customer may not modify this DPA.

Schedule 1

Details of Processing Activities
  • Subject Matter: The subject matter of the processing is Personal Data.
  • Duration: The duration of the processing is until the earlier of (i) request by Customer to stop further processing; (ii) expiration/termination of the DPA; or (iii) when processing is no longer necessary for purposes of IDScan.net performing its obligations pursuant to the DPA.
  • Categories of Data Subjects: The categories of Data Subjects whose Personal Data is processed include: (i) end users of Customer; (ii) personnel and agents of Customer; (iii) personnel and agents of Customer’s customers, business partners, and vendors; and (iv) any other natural persons authorized by Customer.
  • Categories of Personal Data. The categories of Personal Data processed include:
    • First and last name
    • Mailing address
    • Age/date of birth
    • Gender
    • Height/weight
    • Veteran status
    • Government identification number such as drivers license number, passport number, etc.
    • IP address
    • Information about the device being used (operating system, make/model of device)
    • IP-address based location information
    • Phone number
    • Web analytics
    • Face image or videos (selfies)
    • Identifying information such as communication via email, text, phone, etc.
  • Sensitive Data. The sensitive Personal Data processed include any data identified above that is considered sensitive under Data Protection Law.
  • Frequency of Transfers: The frequency of the transfer of Personal Data from Customer to IDScan.net will be on a continuous basis.
  • Nature of Processing: The nature of the processing is the Services as described in the Agreement.
  • Purpose: The purpose of the processing is for IDScan.net to provide the Services to Customer as set out in the Agreement. 
  • Business Purpose: The business purpose as defined by CCPA is performing services on behalf of Customer, including fraud prevention, access management, and age verification. 
  • Location. The Services are intended to be global. 
  • Retention: IDScan.net may retain Personal Data through the duration as described above, and after the duration where applicable law requires retention of the Personal Data, and subject to the obligations in the DPA.
  • Subprocessors: Any transfer of Personal Data from IDScan.net to Subprocessors will be in accordance with the obligations set out in the DPA. The subject matter, nature, and duration of the processing by Subprocessors are as described above.

Schedule 2

Technical & Organizational Measures to Ensure the Security of Personal Data

This Schedule 2 describes the technical and organizational measures implemented by IDScan.net to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Minimum Technical and Organizational Measures
  1. IDScan.net shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, and procedures and internal controls set forth in this Schedule 2.
  2. More specifically, IDScan.net’s security program shall include, at a minimum:

Access Control of Processing Areas 

IDScan.net shall implement and maintain appropriate measures to prevent unauthorized access to the data processing equipment (namely telephones, database and application servers and related hardware) where Personal Data is processed or used, including:

  • establishing security areas and physical controls;
  • protection and restriction of access paths;
  • establishing access authorizations for employees and third parties, including the respective documentation;
  • access to the data center where Personal Data is hosted is logged, monitored, and tracked; and
  • the data center where Personal Data is hosted is secured by a security alarm system, and other appropriate security measures.

Access Control to Data Processing Systems 

IDScan.net shall implement and maintain appropriate measures to prevent data processing systems where Personal Data is processed and used from being used by unauthorized persons, including:

  • use of industry standard encryption technologies; 
  • automatic temporary lock-out of user terminal if left idle, identification and password required to reopen;
  • automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and
  • access to data content is logged, monitored, and tracked.

Access Control to Use Specific Areas of Data Processing Systems

IDScan.net shall implement and maintain appropriate measures to help ensure that the persons entitled to use data processing system where Personal Data is processed and used are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by various measures including:

  • employee policies and training in respect of each employee’s access rights to the Personal Data;
  • allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions;
  • monitoring capability in respect of individuals who delete, add or modify the Personal Data;
  • release of data only to authorized persons, including allocation of differentiated access rights and roles; 
  • use of industry standard encryption technologies; and
  • control of files, controlled and documented destruction of data.

Availability Control 

IDScan.net shall implement and maintain appropriate measures to ensure that Personal Data is protected from accidental destruction or loss, including:

  • infrastructure redundancy; and
  • backup is stored at an alternative site and available for restore in case of failure of the primary system.

Transmission Control 

IDScan.net shall implement and maintain appropriate measures to help prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including:

  • use of industry standard firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels; 
  • providing user alert upon incomplete transfer of data (end to end check); and
  • data transmissions are logged, monitored and tracked.

Input Control 

IDScan.net shall implement and maintain appropriate input control measures, including:

  • an authorization policy for the input, reading, alteration and deletion of data; 
  • authentication of the authorized personnel;
  • protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
  • utilization of unique authentication credentials or codes (passwords);
  • providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked;
  • automatic log-off of user IDs that have not been used for a substantial period of time;
  • proof established within IDScan.net’s organization of the input authorization; and
  • electronic recording of entries.

Separation of Processing for different Purposes  

IDScan.net shall implement and maintain appropriate measures to ensure that data collected for different purposes can be processed separately, including:

  • access to data is separated through application security for the appropriate users;
  • modules within IDScan.net’s database separate which data is used for which purpose, i.e. by functionality and function;
  • at the database level, data is stored in different normalized tables, separated per module, or function they support; and
  • interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

Documentation

IDScan.net will keep documentation of technical and organizational measures in case of audits and for the conservation of evidence. IDScan.net will ensure that persons employed by it, and other persons at the place of work concerned, are aware of and comply with the technical and organizational measures set forth in this Schedule 2.

Monitoring

IDScan.net shall implement and maintain appropriate measures to monitor access restrictions to IDScan.net’s system administrators and to help ensure that they act in accordance with instructions received. This is accomplished by various measures including:

  • individual appointment of system administrators;
  • adoption of measures to register system administrators’ access logs to the infrastructure and keep them secure;
  • audits of system administrators’ activity to assess compliance with assigned tasks and applicable laws; and
  • keeping an updated list with system administrators’ identification details (e.g. name, surname, function or organizational area) and tasks assigned.

Limits on Retention/Destruction

IDScan.net shall implement and maintain appropriate measures to securely destroy Personal Data. Methods of performing these actions may include the use of a third party disk scrubbing utility or destruction of the drive, such as by degaussing, shredding, or other means of physically destroying data through specialized equipment and services.