Data Processing Agreement¶
Last Updated: December 2024
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Circuit KYC Network ("Processor," "we," "us") and you ("Controller," "Partner").
1. Definitions¶
- "Data Protection Laws": GDPR, CCPA, and other applicable privacy regulations
- "Personal Data": Information relating to an identified or identifiable individual
- "Processing": Any operation performed on Personal Data
- "Sub-processor": Third party engaged by Processor to process data
2. Scope and Roles¶
2.1 Controller¶
You (the Partner) are the Controller for End User data you submit to our API.
2.2 Processor¶
Circuit is the Processor, processing data on your behalf per your instructions.
2.3 Processing Details¶
| Category | Details |
|---|---|
| Subject Matter | Identity verification services |
| Duration | Term of service agreement |
| Nature | Automated processing, matching, storage |
| Purpose | KYC verification, fraud prevention |
| Data Types | Name, email, phone, DOB, ID data |
| Data Subjects | Your customers (End Users) |
3. Processor Obligations¶
We shall:
3.1 Process Only on Instructions¶
- Process Personal Data only on your documented instructions
- Inform you if an instruction violates Data Protection Laws
- Not process data for our own purposes
3.2 Confidentiality¶
- Ensure personnel are bound by confidentiality obligations
- Limit access to authorized personnel only
3.3 Security Measures¶
Implement appropriate technical and organizational measures:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Blind indexing of PII (HMAC-SHA256)
- Access controls and authentication
- Regular security testing
- Incident response procedures
- Business continuity plans
3.4 Sub-processors¶
- Engage only Sub-processors you have authorized; the current list is in Annex A (general authorization, see Annex C, Clause 9)
- Ensure Sub-processors are bound by data protection obligations equivalent to those in this DPA
- Notify you of any intended addition or replacement of a Sub-processor at least 30 days in advance so that you may object
- Remain liable for Sub-processor compliance
3.5 Data Subject Rights¶
- Assist you in responding to data subject requests
- Provide API endpoints for data access and deletion
- Notify you of direct requests we receive
3.6 Data Breach Notification¶
- Notify you without undue delay after becoming aware of a Personal Data breach, and in any event within 72 hours, so that you can meet your own notification deadline under Article 33 GDPR
- Provide details of the breach and affected data
- Assist with breach notification to authorities/subjects
3.7 Audits¶
- Make available information to demonstrate compliance
- Allow for audits by you or your auditor
- Contribute to audits as reasonably required
3.8 Deletion¶
- Delete or return data upon termination
- Certify deletion upon request
- Retain only as required by law
4. Controller Obligations¶
You shall:
- Ensure lawful basis for processing
- Obtain appropriate consent from End Users
- Provide accurate data subject information
- Comply with data protection principles
- Respond to data subject requests
5. International Transfers¶
5.1 Standard Contractual Clauses¶
For transfers of Personal Data from the EEA or UK to countries without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor).
5.2 Additional Safeguards¶
- Data encrypted in transit and at rest
- Access limited to authorized personnel
- Sub-processors vetted for compliance
6. Liability¶
Liability is governed by the Terms of Service. Each party is liable for damages caused by non-compliance with this DPA.
7. Term¶
This DPA remains in effect for the duration of the service agreement and until all Personal Data is deleted.
Annex A: Authorized Sub-processors¶
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | US (us-east-1) |
| Supabase | Database hosting | US |
| Stripe | Payment processing | US |
| SendGrid / Postmark | Email delivery | US |
Updates to this list will be communicated with 30 days' notice.
Annex B: Technical and Organizational Measures¶
Security Measures¶
| Category | Measures |
|---|---|
| Access Control | API key authentication, JWT tokens, 2FA, role-based access |
| Encryption | TLS 1.3 in transit, AES-256 at rest, Ed25519 signatures |
| Data Minimization | Blind indexing (HMAC-SHA256) for lookups, no plaintext PII at rest, automatic expiry |
| Monitoring | Audit logs, intrusion detection, anomaly alerts |
| Incident Response | 24/7 on-call, documented procedures, 72-hour notification to Controller |
| Business Continuity | Multi-AZ deployment, automated backups, disaster recovery |
| Personnel | Background checks, security training, confidentiality agreements |
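Blind indexing, named in Section 3.3 and in the Data Minimization row above, lets a record be looked up by e-mail or phone number without the database holding that value in plaintext. The following is an added illustration of the technique, not Circuit's own code; the key material, the normalization rules, the 16-byte truncation and the sample records are all assumptions made for the example. In production the blind-index key would live in a KMS/HSM and would be distinct from the at-rest encryption key.

```python
import hashlib
import hmac
import unicodedata

# Assumption for this example: a dedicated 256-bit blind-index key, held in a
# KMS/HSM in production and distinct from the at-rest encryption key, so that a
# database dump alone does not let an attacker confirm guesses about PII.
BLIND_INDEX_KEY = bytes(range(32))  # placeholder key, constructed for the example


def normalize(field: str, value: str) -> str:
    """Canonicalize a PII value so equivalent inputs yield one index."""
    value = unicodedata.normalize("NFKC", value).strip()
    if field == "email":
        return value.lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    raise ValueError(f"unsupported field: {field}")


def blind_index(field: str, value: str, key: bytes = BLIND_INDEX_KEY,
                length: int = 16) -> str:
    """HMAC-SHA256 over the domain-separated, normalized value.

    The field name is prefixed so an e-mail and a phone number that happen to
    share bytes never collide; the tag is truncated to `length` bytes, which
    keeps the index short and limits what it reveals about the plaintext.
    """
    msg = field.encode("utf-8") + b"\x00" + normalize(field, value).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()[:length].hex()


class BlindIndexedStore:
    """Toy table holding only blind indexes plus an opaque blob standing in for
    the encrypted record; no plaintext PII is kept in the rows."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._rows: list[dict[str, object]] = []

    def insert(self, email: str, phone: str, encrypted_record: bytes) -> None:
        self._rows.append({
            "email_idx": blind_index("email", email, self._key),
            "phone_idx": blind_index("phone", phone, self._key),
            "blob": encrypted_record,
        })

    def find(self, field: str, value: str) -> list[bytes]:
        probe = blind_index(field, value, self._key)
        col = f"{field}_idx"
        # compare_digest avoids leaking, via timing, how much of an index matched
        return [r["blob"] for r in self._rows
                if hmac.compare_digest(r[col], probe)]


def demo() -> dict[str, object]:
    """Populate the store and run lookups; returns results for inspection."""
    store = BlindIndexedStore(BLIND_INDEX_KEY)
    # Constructed sample records; the blobs stand in for ciphertext.
    store.insert("Alice@Example.com", "+1 (555) 123-4567", b"ciphertext-alice")
    store.insert("bob@example.com", "+44 20 7946 0958", b"ciphertext-bob")
    other_tenant = BlindIndexedStore(bytes(32))  # different key, different index space
    return {
        "email_variants_match": store.find("email", "  alice@example.com ") == [b"ciphertext-alice"],
        "phone_variants_match": store.find("phone", "15551234567") == [b"ciphertext-alice"],
        "unknown_is_empty": store.find("email", "carol@example.com") == [],
        "domain_separated": blind_index("email", "123") != blind_index("phone", "123"),
        "index_len_hex": len(blind_index("email", "bob@example.com")),
        "other_key_no_match": other_tenant.find("email", "alice@example.com") == [],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner should keep in mind. First, a keyed HMAC only stops offline guessing by someone who has the database but not the key; anyone who holds the key can still test candidate values, so low-entropy fields such as date of birth remain enumerable and the key deserves the same protection as the encryption key. Second, normalization is part of the security boundary: if two code paths canonicalize differently, the same person gets two indexes and deletion requests (Section 3.5) can miss a row.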
Certifications¶
- SOC 2 Type I (in progress)
- GDPR compliant
- PCI DSS compliant (via Stripe)
Annex C: Standard Contractual Clauses¶
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference:
- Module: Module 2 (Controller to Processor)
- Clause 7 (docking clause): Not applicable
- Clause 9 (sub-processors): Option 2 (general authorization)
- Clause 11 (redress): Not applicable
- Clause 17 (governing law): Ireland
- Clause 18 (forum): Courts of Ireland
For questions about this DPA, contact privacy@circuitkyc.com