Data Processing Addendum

Last updated: May 16, 2026 · Effective: May 16, 2026

For business customers (controllers). This Addendum forms part of the Terms of Service between UIP and your business and governs UIP's processing of personal data on your behalf. By integrating UIP into a customer-facing flow, you accept this Addendum.

Need a counter-signed copy on letterhead, or DPA terms adapted for a regulated industry? Email [email protected].

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Law. The following definitions apply:

  • Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach have the meanings given in Article 4 GDPR.
  • Customer Personal Data means Personal Data that UIP processes on behalf of Customer through the Service.
  • Data Protection Law means the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any other privacy law applicable to the Processing.
  • SCCs means the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.
  • UK Addendum means the UK International Data Transfer Addendum to the EU Commission SCCs issued by the UK ICO.

2. Roles & scope

For Customer Personal Data processed through the Service, Customer acts as the Controller and UIP acts as the Processor. Where required, this Addendum also applies to processing by UIP's authorized sub-processors.

UIP also acts as an independent Controller for certain data UIP collects directly from end users of the UIP app (for example, account creation, biometric template management). For that processing, UIP's Privacy Policy applies and this Addendum does not.

3. Processing details

  • Subject matter: provision of identity verification, signing, and audit services to Customer.
  • Duration: the term of the Terms of Service.
  • Nature and purpose: identity confirmation, signed-action production, audit-record generation, fraud prevention.
  • Categories of Data Subjects: Customer's end users (natural persons) who interact with Customer through UIP.
  • Categories of Personal Data: identifiers (UIP user ID, business identifier), KYC fields (where Customer requests them), audit records of actions taken, technical metadata. Biometric data is processed by UIP as Controller and not under this Addendum.

4. UIP's obligations

UIP will:

  • process Customer Personal Data only on Customer's documented instructions (the Terms, this Addendum, and configuration set through the API or dashboard), unless required by law;
  • ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations;
  • implement appropriate technical and organizational measures as described in Annex A (Security);
  • assist Customer, by appropriate technical and organizational measures, to respond to Data Subject requests under Articles 15–22 GDPR;
  • assist Customer with Personal Data Breach notification, Data Protection Impact Assessments, and prior consultation under Articles 32–36 GDPR;
  • at Customer's choice, delete or return Customer Personal Data at the end of the Service, subject to legal retention requirements;
  • make available all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits as described in Section 8 below.

5. Sub-processors

Customer authorizes UIP to engage sub-processors as listed at uip.digital/policies/sub-processors. UIP will:

  • impose data-protection obligations on each sub-processor that are no less protective than this Addendum;
  • remain liable to Customer for the acts and omissions of its sub-processors;
  • provide Customer with at least 30 days' notice of any new or replacement sub-processor (by updating the sub-processor list and notifying Customer's account contact). Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected Service for convenience and receive a pro-rata refund of pre-paid fees.

6. International transfers

Where UIP transfers Customer Personal Data originating in the EEA, UK, or Switzerland to a country not subject to an adequacy decision, the following apply automatically and form part of this Addendum:

  • EU SCCs (2021/914): Module Two (Controller-to-Processor) applies between Customer (as data exporter) and UIP (as data importer). Annexes I, II, and III are completed as set out in Annex B below.
  • UK Addendum: the UK International Data Transfer Addendum applies for UK data, modifying the EU SCCs as set out in the UK Addendum.
  • Swiss FADP: references to "GDPR" in the SCCs are read as also referring to the Swiss FADP, and the Swiss Federal Data Protection and Information Commissioner is recognized as the competent supervisory authority.

UIP has conducted Transfer Impact Assessments for its non-EEA sub-processors and will reassess periodically.

7. Personal Data Breaches

UIP will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will describe (so far as known): the nature of the breach, categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

8. Audits

UIP will make available to Customer, at Customer's request, summaries of its most recent third-party security assessments and policies sufficient to demonstrate compliance with this Addendum.

If those summaries are insufficient, Customer may, at its own expense, conduct an audit on reasonable prior written notice, during normal business hours, no more than once per calendar year (except in response to a material Personal Data Breach or regulator request), and subject to confidentiality. Customer will not access other customers' data or systems unrelated to the Service.

9. Return or deletion

On termination or expiry of the Terms, UIP will, at Customer's choice, delete or return Customer Personal Data within 60 days, except to the extent retention is required by law or to support the integrity of audit records of past actions. UIP will certify deletion on request.

10. CCPA / CPRA

For Personal Information of California residents, UIP acts as a "Service Provider" under the CCPA. UIP will not (a) sell or share such information, (b) retain, use, or disclose it outside the direct business relationship with Customer, or (c) combine it with information from other sources, except as expressly permitted by the CCPA.

11. Liability

Each party's liability under this Addendum is subject to the limitations of liability in the Terms of Service, except where Data Protection Law prohibits limitation.

12. Conflict & precedence

In the event of conflict between this Addendum and the Terms of Service, this Addendum prevails. In the event of conflict between this Addendum and the SCCs or UK Addendum, the SCCs or UK Addendum prevail.

Annex A — Security measures

UIP implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest for all stored data
  • Per-request hardware-attested device signatures (Apple App Attest) bound to a Secure Enclave key
  • Strictly monotonic signing counters to detect replay or device cloning
  • JWT key rotation and short-lived access tokens
  • IAM scoping of all biometric collection access to a dedicated role; no human access to raw face-template bytes
  • Network isolation, intrusion detection, vulnerability management
  • Secret rotation and per-environment credential separation
  • Role-based access control for personnel; least-privilege principle
  • Audit logging of administrative actions
  • Documented incident-response procedures
  • Background checks and confidentiality obligations for personnel with access to Customer Personal Data
  • Vendor security review for each sub-processor before engagement

Annex B — SCC details

Module: Module Two (Controller to Processor).

Data exporter: the Customer entity that has accepted the Terms.

Data importer: Universal Identity Protocol.

Annex I.B (description of transfer): as set out in Section 3 of this Addendum.

Annex I.C (competent supervisory authority): the supervisory authority of the EU Member State in which the data exporter is established, or — for data exporters not established in the EU — the Irish Data Protection Commission.

Annex II (technical and organizational measures): as set out in Annex A above.

Annex III (sub-processors): the sub-processors listed at uip.digital/policies/sub-processors.

Clause 7 (docking): permitted.

Clause 11(a) (independent dispute resolution): the optional language is not selected.

Clause 17 (governing law): the law of Ireland.

Clause 18 (forum and jurisdiction): the courts of Ireland.

Contact

Questions about this Addendum, or to request a counter-signed copy: [email protected].