Data Processing Addendum
This page is a plain-language summary of how Fidera processes personal data on behalf of its customers. It is provided for convenience and is not the contract itself — the binding, executable Data Processing Addendum is available on request from legal@fideralabs.com.
Scope and roles
This addendum governs how Fidera processes personal data on behalf of the customer when delivering identity verification and KYC/AML services. For most processing, the customer is the controller and Fidera is the processor acting on the customer's documented instructions.
- Customer is the controller and determines the purposes and means of the verifications it runs.
- Fidera acts as a processor and processes personal data only on the customer's documented instructions, including those set out in the order and this addendum.
- For some limited processing — such as fraud prevention, network-level abuse detection, and meeting Fidera's own legal and regulatory obligations — Fidera acts as an independent controller.
Subject-matter and duration of processing
The subject-matter of the processing is the identity verification and compliance screening services the customer configures and uses. Processing continues for the duration of the agreement and for any limited wind-down period needed to return or delete data, plus any retention required to meet legal and regulatory obligations.
Nature and purpose of processing
Fidera processes personal data to perform identity verification and KYC/AML checks on the customer's applicants. This includes document verification and OCR, biometric face match and liveness, and sanctions, PEP, and adverse-media screening, together with the workflow, decisioning, audit, and support functions that surround them.
- Verifying identity documents and extracting the data they carry.
- Comparing a live selfie against the document portrait and confirming liveness.
- Running sanctions, PEP, and adverse-media screening and recording decisions.
- Maintaining an audit trail and providing the service, support, and security operations.
Categories of data subjects and personal data
The data subjects are the customer's applicants and end-users who are submitted for verification. The categories of personal data processed depend on the checks the customer configures.
- Data subjects: applicants and end-users the customer submits for verification.
- Identity document data: images and parsed fields from passports, national IDs, driver's licenses, residence permits, and visas.
- Biometric data: selfie images and facial-comparison and liveness data used to confirm the holder is real and present.
- Contact and profile data: name, date of birth, address, and similar attributes provided for screening.
- Verification metadata: check results, scores, decisions, and audit records.
Sub-processors
Fidera engages a limited set of sub-processors to help deliver the service. The current list of sub-processors is available from Fidera on request, and Fidera gives notice of changes so the customer has an opportunity to review them.
- The current list of sub-processors is available from Fidera on request.
- Fidera provides notice before adding or replacing a sub-processor that processes personal data.
- Each sub-processor is bound by data-protection terms consistent with this addendum.
Security measures
Fidera maintains technical and organizational measures designed to protect personal data, including encryption in transit and at rest, least-privilege access control, and an immutable audit trail. Details of these measures, and of Fidera's broader compliance posture, are available from Fidera on request.
- Encryption in transit and at rest, with least-privilege, access-controlled production systems.
- Built to SOC 2 Type II and ISO 27001 controls; SOC 2 Type II audit in progress.
- Full detail of the program is available from Fidera on request.
Data-subject requests
Where a data subject exercises a right — such as access, correction, or deletion — Fidera assists the controller in responding. Fidera provides the tools and reasonable support the controller needs to honor these requests, taking into account the nature of the processing.
- Fidera promptly informs the controller of requests it receives directly that relate to the controller's data.
- Fidera assists the controller, by appropriate technical and organizational measures, in fulfilling data-subject rights.
International transfers
Where personal data is transferred across borders, Fidera relies on appropriate safeguards. Standard Contractual Clauses apply where applicable, alongside any additional measures required to give the data an equivalent level of protection.
Audits and compliance
Fidera makes available the information reasonably necessary to demonstrate compliance with this addendum and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates, on reasonable notice and subject to confidentiality.
Return and deletion of data on termination
On termination of the service, and at the controller's choice, Fidera returns or deletes the personal data it processes on the controller's behalf, unless retention is required by law. Existing copies are deleted once they are no longer required for that purpose.
Contact
For the binding, executable Data Processing Addendum, or any question about how Fidera handles personal data under it, contact legal@fideralabs.com.