Dataspike
Last updated: February 2026
Effective date: February 2026

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Right and Data Ltd ("Dataspike", "Processor") and the Customer ("Controller"), and is incorporated into the Agreement by reference. This DPA is available at dataspike.io/data-processing-agreement. By accessing or using the Service, the Customer agrees to this DPA. For enterprise Customers, this DPA may be executed as a separate written agreement, in which case the executed version shall supersede this standard DPA.

1. Definitions

"Controller" means the Customer, who determines the purposes and means of processing Personal Data.
"Processor" means Dataspike, which processes Personal Data on behalf of the Controller.
"Data Subject" means the individual whose Personal Data is being processed (i.e. the Controller's end-users undergoing identity verification).
"Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA.
"Special Categories of Personal Data" means biometric data, identity document data, and other sensitive data as defined under Article 9 of the EU GDPR and UK GDPR.
"Processing" has the meaning given in Article 4(2) of the EU GDPR.
"Sub-processor" means any third party engaged by Dataspike to process Personal Data in connection with the Service.
"GDPR" means EU Regulation 2016/679 and, where applicable, the UK GDPR as implemented under the Data Protection Act 2018.

2. Scope and Purpose

This DPA applies to all processing of Personal Data carried out by Dataspike on behalf of the Controller in connection with the provision of identity verification (KYC), AML screening, document verification, and related compliance services (the "Service"). The nature, purpose, subject matter, duration of processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.

3. Controller's Obligations

The Controller shall:
  • ensure it has a valid legal basis for processing Personal Data under applicable law before submitting data to the Service;
  • obtain all necessary consents and provide all required notices to Data Subjects prior to initiating verification procedures;
  • ensure that instructions given to Dataspike comply with applicable data protection laws;
  • promptly inform Dataspike if any instruction given by the Controller would, in the Controller's reasonable opinion, breach applicable law.

4. Processor's Obligations

Dataspike shall:
  • process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law;
  • ensure that personnel authorised to process Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organisational security measures as set out in Annex 2;
  • assist the Controller in responding to Data Subject requests in accordance with Section 7;
  • notify the Controller without undue delay upon becoming aware of a Personal Data breach in accordance with Section 8;
  • delete or return Personal Data upon termination of the Agreement in accordance with Section 9;
  • make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Controller provides general authorisation for Dataspike to engage sub-processors for the provision of the Service. A current list of sub-processors is available at dataspike.io/subprocessor-policy. Dataspike shall:
  • impose data protection obligations on sub-processors equivalent to those set out in this DPA;
  • provide the Controller with at least thirty (30) days' advance written notice of any intended addition or replacement of a sub-processor;
  • remain fully liable to the Controller for the acts and omissions of its sub-processors.
The Controller may object to a new sub-processor within fourteen (14) days of notice. If the parties cannot resolve the objection in good faith, the Controller may terminate the relevant part of the Service without penalty.

6. International Data Transfers

Personal Data is stored on servers located within the EEA and/or UK by default. Certain sub-processors engaged by Dataspike to support the provision of the Service (such as those providing AML data analysis and enrichment) may process Personal Data outside the EEA or UK. Where any transfer of Personal Data outside the EEA or UK is required, whether directly by Dataspike or through a sub-processor, Dataspike shall ensure such transfer is made subject to appropriate safeguards, including:
  • an adequacy decision by the European Commission or UK Government; or
  • Standard Contractual Clauses (SCCs) as adopted by the European Commission or UK Addendum as applicable.
Upon request, Dataspike shall provide the Controller with copies of applicable SCCs or other transfer mechanisms in place with relevant sub-processors.

7. Data Subject Rights

Where a Data Subject exercises their rights under applicable law (including rights of access, rectification, erasure, restriction, portability, and objection), Dataspike shall:
  • promptly forward such requests to the Controller where received directly;
  • provide the Controller with reasonable assistance to respond to such requests within applicable timeframes.
The Controller remains responsible for responding to Data Subject requests. Dataspike shall not respond directly to Data Subjects on the Controller's behalf unless specifically instructed to do so.

8. Personal Data Breaches

In the event of a confirmed or suspected Personal Data breach, Dataspike shall:
  • notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware;
  • provide the Controller with sufficient information to enable it to meet its own notification obligations to supervisory authorities and Data Subjects;
  • cooperate with the Controller to investigate, mitigate, and remediate the breach.
Breach notifications shall be sent to the contact details provided by the Controller at registration or as otherwise agreed.

9. Retention and Deletion

Upon expiry or termination of the Agreement, or upon written instruction from the Controller, Dataspike shall, at the Controller's election:
  • securely delete all Personal Data processed on behalf of the Controller in its capacity as Processor; or
  • return Personal Data to the Controller in a commonly used format.
Deletion shall be completed within thirty (30) days of the relevant instruction or termination date. Dataspike may retain Personal Data where required by applicable law, for the duration of such legal obligation only. For the avoidance of doubt, this Section applies solely to Personal Data processed by Dataspike in its capacity as Processor on behalf of the Controller. Personal Data processed by Dataspike as a Data Controller in its own right (including for fraud detection, service development, and compliance record-keeping purposes) is governed by Dataspike's Privacy Policy, available at dataspike.io/privacy-policy.

10. Audit Rights

The Controller may, no more than once per calendar year and upon reasonable written notice of at least thirty (30) days, request:
  • copies of Dataspike's current security certifications (including ISO 27001, SOC 2 Type 2); or
  • completion of a reasonable security questionnaire.
Where an on-site audit is required, the parties shall agree the scope, timing, and cost in advance. Audits shall be conducted during business hours and shall not unreasonably disrupt Dataspike's operations. Dataspike may require the Controller or its appointed auditor to execute a confidentiality agreement prior to the audit.

11. Liability

Each party's liability under this DPA shall be subject to the limitations and caps set out in Section 15 of the Agreement, including the aggregate liability cap equal to the total fees paid by the Customer to Dataspike during the twelve (12) months preceding the event giving rise to the claim. Nothing in this DPA shall limit either party's liability to Data Subjects or supervisory authorities under applicable data protection law.

12. Governing Law

This DPA shall be governed by the laws of the Republic of Cyprus, consistent with the governing law of the Agreement, unless otherwise required by applicable data protection law.

13. Annex 1 — Details of Processing

Subject matter: Identity verification, AML screening, document verification, and related compliance services
Duration: For the term of the Agreement, unless otherwise instructed
Nature of processing: Collection, storage, analysis, comparison, transmission, deletion
Purpose: KYC/AML compliance on behalf of the Controller
Types of Personal Data: Full name, date of birth, nationality, identity document data, facial images, biometric data, contact details, IP address, device data
Special Categories: Biometric data (facial geometry); data revealing racial or ethnic origin (where contained in identity documents)
Categories of Data Subjects: Controller's end-users undergoing identity verification

14. Annex 2 — Technical and Organisational Security Measures

  • Access controls: role-based access controls, mandatory multi-factor authentication (2FA), single sign-on (SSO) support, and the principle of least privilege.
  • Encryption: Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Infrastructure security: data is stored in Tier 3+ data centres within the EEA; regular vulnerability assessments and penetration testing are performed.
  • Certifications: ISO/IEC 27001, SOC 2 Type 2.
  • Personnel: background checks where required by law; mandatory data protection training; confidentiality obligations for all staff with access to Personal Data.
  • Incident response: documented breach response procedures; a DPO is assigned and reachable at [email protected].
  • Deletion: secure deletion procedures rendering biometric and other Personal Data non-recoverable, including physical destruction of media where required.
  • Processing integrity: Dataspike implements controls to ensure that Personal Data is processed completely, accurately, and in a timely manner in accordance with the Controller's instructions. Processing errors and anomalies are logged, monitored, and resolved as part of Dataspike's operational procedures.
  • Monitoring and logging: Dataspike maintains continuous monitoring of its systems and infrastructure, including automated alerting for anomalous activity, detection of suspicious behaviour (such as logins from multiple devices, repeated authentication failures, and unauthorised API key usage), access logs, and audit trails.
  • Change management: Dataspike operates a formal change management process governing modifications to infrastructure, software, and configurations. Changes are assessed, approved, tested, and documented prior to deployment to production environments.
  • Business continuity: Dataspike maintains a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), reviewed and tested at least annually, to ensure continued availability of the Service and protection of Personal Data in the event of a significant disruption.

CYPRUS Office

Right and Data Ltd, Georgiou Seferi 7/1, Villa A, Parekklisia, Lemesos, 4520