Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Veros Inc. (doing business as "VeryAI"), acting as Processor, and the customer ("Customer"), acting as Controller, for the provision of biometric verification services (the "Agreement").
This DPA sets forth the terms and conditions under which VeryAI processes Personal Data on behalf of the Customer in connection with the Service.
1. Definitions
- "Biometric Data" means personal data resulting from specific technical processing relating to the physical characteristics of a natural person, including palm models, palm feature vectors, and any data derived from palm images that allows or confirms the unique identification of that natural person.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by VeryAI on behalf of the Customer in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by VeryAI to process Personal Data on behalf of the Customer in connection with the Service.
2. Roles and Responsibilities
For the purposes of this DPA and applicable Data Protection Laws:
- The Customer acts as the Controller and determines the purposes and means of processing Personal Data.
- VeryAI acts as the Processor and processes Personal Data solely on behalf of and in accordance with the documented instructions of the Customer.
3. Details of Processing
Subject Matter
The processing concerns biometric verification services provided by VeryAI to the Customer, enabling the Customer's end users to authenticate their identity through palm recognition technology.
Processing Activities
VeryAI performs the following processing activities on behalf of the Customer:
- Palm feature extraction: Processing palm images to derive non-reversible palm models.
- Encryption: Encrypting palm models for secure storage and transmission.
- Verification: Comparing palm models against enrolled templates to authenticate end user identity.
- Storage: Securely storing encrypted palm models in isolated biometric databases.
- Fraud prevention: Monitoring for and investigating suspected fraudulent or unauthorized use.
Duration
Processing shall continue for the term of the Agreement plus any applicable data retention period as described in Section 11 of this DPA.
Categories of Data
| Category | Description |
|---|---|
| Biometric Data | Palm models (encrypted, non-reversible mathematical representations) |
| Palm Images | Processed transiently; not stored after model generation |
| Account Identifiers | Pseudonymous, randomly generated account IDs |
| Authentication Logs | Timestamps and metadata of verification events |
| Email Addresses | Optional; provided by end users for account recovery |
Data Subjects
The data subjects are the Customer's end users who enroll in and use the biometric verification service.
4. Processor Obligations
VeryAI shall:
- Process on instructions: Process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law, in which case VeryAI shall inform the Customer of such legal requirement before processing (unless prohibited from doing so by law).
- Confidentiality: Ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
- Security: Implement and maintain appropriate technical and organizational measures to ensure the security of Biometric Data, as described in Section 5 of this DPA.
- No sale or monetization: Not sell, rent, lease, or otherwise commercially exploit Personal Data or Biometric Data for any purpose other than providing the Service.
- No AI training: Not use Personal Data or Biometric Data to train artificial intelligence models, machine learning systems, or any other automated decision-making systems, except as strictly necessary to provide the Service and as authorized by the Customer.
- Assistance: Assist the Customer in fulfilling its obligations to respond to data subject rights requests and to conduct data protection impact assessments (DPIAs), where required by applicable Data Protection Laws.
5. Security Measures
VeryAI implements and maintains the following technical and organizational security measures for the protection of Biometric Data:
- Encryption in transit: TLS 1.2 or higher for all data transmitted between systems.
- Encryption at rest: AES-256 or equivalent encryption for all stored Biometric Data.
- Non-reversible templates: Palm models are generated using one-way transformations that prevent reconstruction of the original palm image.
- Data segregation: Biometric Data is stored in isolated, dedicated databases separate from other account and application data.
- Role-based access control (RBAC): Access to Biometric Data is restricted to authorized personnel based on the principle of least privilege.
- Multi-factor authentication (MFA): Required for all internal access to systems containing Biometric Data.
- Monitoring and logging: Continuous monitoring and logging of access to Biometric Data systems for audit and incident detection.
- Penetration testing: Regular third-party penetration testing and vulnerability assessments.
VeryAI maintains SOC 2 Type II certification, evidencing the effectiveness of its security controls.
6. Sub-processors
The Customer provides VeryAI with general authorization to engage Sub-processors for the processing of Personal Data in connection with the Service, subject to the following conditions:
- VeryAI shall ensure that each Sub-processor is bound by data protection obligations equivalent to those set out in this DPA.
- VeryAI shall notify the Customer of any intended changes to Sub-processors, providing the Customer with the opportunity to object.
- VeryAI remains fully responsible for the acts and omissions of its Sub-processors as if they were VeryAI's own acts and omissions.
7. Data Subject Rights
VeryAI shall assist the Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws, including but not limited to rights of:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure of Personal Data
- Restriction of processing
- Data portability
- Objection to processing
VeryAI shall promptly notify the Customer if it receives a data subject rights request directly, and shall not respond to such request without the Customer's prior written authorization, unless required by applicable law.
8. Breach Notification
In the event of a personal data breach affecting Personal Data processed under this DPA, VeryAI shall notify the Customer within 24 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of VeryAI's data protection contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its potential adverse effects.
9. Audit
VeryAI shall make available to the Customer, on an annual basis, all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. This includes:
- Provision of current SOC 2 Type II audit reports.
- Responses to reasonable written audit questionnaires.
- Cooperation with audits or inspections conducted by the Customer or an independent third-party auditor appointed by the Customer, subject to reasonable advance notice and scope limitations.
10. Data Retention and Deletion
Upon termination or expiration of the Agreement, VeryAI shall delete or return all Personal Data processed under this DPA within 90 days, unless retention is required by applicable law. VeryAI shall provide written certification of deletion upon the Customer's request.
11. International Transfers
Where the processing of Personal Data involves transfers outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions, VeryAI shall ensure that appropriate transfer mechanisms are in place, including:
- EU Standard Contractual Clauses (SCCs): As approved by the European Commission under Decision 2021/914.
- UK International Data Transfer Addendum: As issued by the UK Information Commissioner's Office.
- Adequacy decisions: Where the European Commission or other competent authority has determined that the receiving country provides an adequate level of data protection.
12. CCPA/CPRA Compliance
To the extent that the CCPA/CPRA applies to the processing of Personal Data under this DPA:
- VeryAI acts as a Service Provider (as defined under the CCPA/CPRA) with respect to Personal Data received from the Customer.
- VeryAI shall not sell or share Personal Data as those terms are defined under the CCPA/CPRA.
- VeryAI shall not retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Agreement, or as otherwise permitted by the CCPA/CPRA.
- VeryAI shall not combine Personal Data received from the Customer with personal information received from other sources, except as permitted by the CCPA/CPRA.
13. Contact
For any questions or requests related to this Data Processing Agreement, please contact:
Veros Inc.
Email: legal@veros.org
