Data Processing Agreement
This summary describes how Eniyan Trust, Inc. processes personal data on behalf of customers subject to the EU and UK GDPR. Under the GDPR, your organization is the data controller and Eniyan Trust is the data processor. This DPA forms part of our Terms of Service.
1. Definitions
“GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR. “Personal Data,” “Processing,” and “Data Subject” have the meanings given in the GDPR. “Sub-processor” means a third party engaged by Eniyan Trust to process personal data on your behalf. “SCCs” means the European Commission's 2021 Standard Contractual Clauses (2021/914).
2. Subject matter and duration
Eniyan Trust processes personal data on your behalf solely to provide the identity verification and agent registration Services described in the Terms of Service. This DPA remains in effect for the duration of your use of the Services and survives termination to the extent necessary to complete deletion obligations.
3. Nature and purpose of processing
The processing covers:
- Purpose — identity verification of your end users and AI-agent registration.
- Categories of personal data — external user identifiers, optional email addresses, verification status, trust level, risk scores, fraud signals, and biometric consent records.
- Special-category data — biometric verification is performed by identity-verification providers as sub-processors; Eniyan Trust does not store raw biometric source data.
- Data subjects — your end users whose identities are verified via the Services.
4. Your obligations as controller
You represent and warrant that you will:
- Maintain a valid legal basis under GDPR Article 6 (and Article 9 where applicable) for each processing activity;
- Obtain required explicit consent from end users for biometric data under Article 9(2)(a) and applicable member-state law;
- Provide end users with a privacy notice as required by Articles 13 and 14;
- Forward data-subject rights requests to Eniyan Trust in time for us to assist within the statutory window; and
- Notify Eniyan Trust promptly of any potential personal data breach involving the Services.
5. Our obligations as processor
Eniyan Trust will:
- Process personal data only on your documented instructions, and tell you if an instruction appears to infringe data-protection law;
- Ensure personnel authorized to process personal data are bound by confidentiality;
- Implement appropriate technical and organizational security measures under GDPR Article 32 (see Section 8);
- Engage sub-processors only in accordance with Section 6, and remain responsible for their processing under Article 28(4);
- Provide reasonable assistance with data-subject rights requests and with Data Protection Impact Assessments;
- Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a personal data breach affecting your data; and
- On termination, delete or return personal data at your choice and certify deletion, retaining only what the law requires.
6. Sub-processors
Eniyan Trust currently engages Stripe, Inc. (US) and Persona Identities Inc. (US) for biometric identity verification, and Amazon Web Services (US) for hosting — each under Standard Contractual Clauses. We will provide at least 30 days' notice before engaging a new sub-processor or materially changing an existing one's role, and you may object in writing. A current list of sub-processors is available on request.
7. International data transfers
Where personal data is transferred from the EU/EEA or UK to countries without an adequacy decision, the 2021 EU Standard Contractual Clauses (Modules 2 and 3, as applicable) govern transfers from the EU/EEA, and the UK International Data Transfer Agreement or Addendum applies to transfers from the UK. Eniyan Trust has conducted a Transfer Impact Assessment, available to customers on request.
8. Security measures (Article 32)
Our technical and organizational measures include:
- Encryption of all API communication in transit (TLS 1.2+);
- Role-based access controls applying the principle of least privilege;
- Strong one-way hashing of credentials and API keys;
- An immutable audit trail for security-sensitive operations;
- A documented security-incident response process;
- Managed database backups with point-in-time recovery; and
- Assessment of sub-processors for data-protection compliance before onboarding.
9. Data retention and deletion
Verification session and credential metadata are retained for up to 5 years and then anonymized. Biometric consent records, erasure-request records, and audit logs are retained for 7 years to meet legal-evidence and accountability obligations. Raw biometric source data is held by the identity-verification provider, not by Eniyan Trust.
10. Data-subject rights assistance
Eniyan Trust provides tooling to help you respond to data-subject requests — including access and portability, erasure, and retrieval of consent records. You remain the data controller responsible for responding to data subjects within the statutory 30-day window (extendable for complex requests). End users may also exercise their rights directly through our privacy portal.
11. Governing law
This DPA is governed by the law of the EU member state in which you are established, or by English law for UK customers, to the extent required to give effect to the SCCs.
12. Order of precedence
If this DPA conflicts with the Terms of Service, this DPA prevails with respect to the processing of personal data. If this DPA conflicts with the SCCs, the SCCs prevail. The full executed DPA — including the description of processing and the appended Standard Contractual Clauses — is provided to enterprise customers during onboarding; contact privacy@eniyantrust.com to request it.
Contact
Legal: legal@eniyantrust.com
Privacy & data rights: privacy@eniyantrust.com · Privacy portal
Security: security@eniyantrust.com
Eniyan Trust, Inc.