Data Processing Agreement

Processor terms when you verify individuals through Digitrust

Last updated: 2026-06-04 · Version 1.0

DIGITRUST TECHNOLOGIES - FZCO

Free Zone Company (FZCO) · IFZA (Dubai Integrated Economic Zones)

IFZA Business Park, DDP, P.O. Box 342001, Dubai, United Arab Emirates

Trade license no. 61834

Contact: legal@digitrust.ae

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the agreement between DIGITRUST TECHNOLOGIES - FZCO ("Processor", "Digitrust") and the business entity using the Service ("Controller", "Customer").

It applies to Personal Data about verification Subjects that Digitrust processes on Customer's documented instructions via the Service. It does not apply to data for which Digitrust is an independent controller (see Privacy Policy).

2. Definitions

Terms in this DPA have the meanings in the UAE PDPL and, where applicable, GDPR. "Personal Data", "Processing", "Controller", "Processor", and "Data Subject" apply accordingly.

Capitalised terms not defined here have the meanings in the Terms of Service.

3. Processing instructions

Digitrust will process Personal Data only on documented instructions from Customer, including configuration of Verification Requests, retention settings within published limits, and use of platform features.

Customer instructs Digitrust to process Subject data to perform identity verification, channel verification (OTP), storage of results, and related support as described in Annex I.

If Digitrust believes an instruction infringes applicable law, we will inform Customer without undue delay.

4. Controller obligations

Customer will: (a) establish and document a lawful basis for processing; (b) provide required privacy notices to Subjects; (c) ensure instructions comply with law; (d) not request unlawful or excessive processing; (e) respond to Data Subject requests to the extent Customer is responsible.

5. Processor obligations

Digitrust will: process only on instructions; ensure personnel confidentiality; implement appropriate technical and organisational measures; assist with Data Subject requests and regulatory enquiries as described below; delete or return data per Section 9.

6. Sub-processors

Customer provides general authorisation for Digitrust to engage sub-processors listed in Annex II. Digitrust will impose data protection obligations on sub-processors substantially similar to this DPA.

We will notify Customer of intended additions or replacements via email or in-app notice with reasonable time to object on reasonable grounds relating to data protection.

7. Data Subject requests

Digitrust will promptly notify Customer if we receive a request from a Data Subject unless prohibited by law. Customer is responsible for responding. Digitrust will provide reasonable assistance at Customer's expense for complex requests.

8. Personal data breach

Digitrust will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data breach affecting Customer Personal Data, with information reasonably available to assist Customer's obligations.

9. DPIAs and consultations

Digitrust will provide reasonable assistance for data protection impact assessments and prior consultations where required, subject to reimbursement of material costs.

10. Deletion and return

On termination or written request, Customer may export data for thirty (30) days. Thereafter Digitrust will delete or anonymise Customer Personal Data within ninety (90) days unless law requires retention.

11. Audits

Digitrust will make available information reasonably necessary to demonstrate compliance and allow audits no more than once per twelve (12) months on thirty (30) days' notice, subject to confidentiality and reimbursement of reasonable costs, unless a supervisory authority requires otherwise.

12. International transfers

Where Personal Data is transferred outside the UAE or EEA/UK, Digitrust will ensure appropriate safeguards as described in Annex III.

13. Liability

Liability arising from this DPA is subject to the limitations and exclusions in the Terms of Service unless mandatory law provides otherwise.

14. Term

This DPA applies for the duration of Customer's use of the Service and survives termination until deletion obligations are fulfilled.

15. Governing law

This DPA is governed by the laws of the United Arab Emirates. Courts of Dubai, UAE have exclusive jurisdiction, subject to mandatory law.

Annex I — Description of processing

Subjects: individuals invited by Customer via verification link.

Categories: identification data, contact data, biometric/liveness data, document images, verification outcomes, AML signals, technical logs.

Purposes: verify identity and channel ownership for Customer's stated purpose.

Duration: typically 24 months after verification completion unless otherwise agreed or required by law.

Nature of processing: collection, storage, analysis via IDV Provider, display to authorised Customer users, deletion/anonymisation per retention.

Annex II — Sub-processors

Supabase, Inc. — Database, authentication, and private file storage (verification images). Location: United States / EU (project region as configured). Data: Account, request, verification, and document data.

Vercel Inc. — Application hosting and edge delivery. Location: United States / global edge. Data: Application logs and request metadata.

Didit (identity verification provider) — Document verification, liveness, NFC, face match, and AML screening. Location: As per Didit infrastructure. Data: Subject ID, biometric, and verification decision data.

Twilio Inc. — SMS OTP delivery (Twilio Verify). Location: United States / global. Data: Subject and user phone numbers.

Resend, Inc. — Transactional email delivery. Location: United States. Data: Email addresses and email content.

Stripe, Inc. — Payment processing and invoicing. Location: United States / Ireland (Stripe entities as applicable). Data: Billing contact, payment metadata (card data processed by Stripe only).

Seline Analytics — Product analytics (first-party proxied). Location: As per Seline infrastructure. Data: Usage events, device/browser metadata.

Annex III — International transfers

Transfers may occur to countries where sub-processors operate, including the United States and the European Union.

Safeguards may include: (a) adequacy decisions where recognised; (b) Standard Contractual Clauses (EU Commission 2021/914 or UK IDTA/addendum) where applicable; (c) contractual protections with sub-processors; (d) other mechanisms permitted under UAE PDPL and applicable law.

Customer may request further information about transfer safeguards via legal@digitrust.ae.
