Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and the Operator ("Processor") and applies where the Processor processes personal data on the Controller's behalf.

1 · Roles & scope

The Controller determines the purposes and means of processing. The Processor processes personal data only on the Controller's documented instructions, including the API calls the Controller makes, for the duration of the Service.

2 · Nature & purpose of processing

• Subject matter: identity verification, authentication, consent recording, and audit logging.
• Categories of data subjects: the Controller's end-users / customers.
• Categories of personal data: identifiers, device and authentication data, consent records, transaction metadata.
• Duration: the term of the Service plus any statutory retention period.

3 · Processor obligations

• Process only on documented instructions; notify the Controller if an instruction appears to infringe RA 10173.
• Ensure persons authorized to process are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Clause 6).
• Assist the Controller in responding to data-subject rights requests and in meeting breach-notification and impact-assessment obligations.
• At the Controller's choice, delete or return personal data at the end of the Service, subject to legal retention.
• Make available information necessary to demonstrate compliance and allow for audits, subject to reasonable notice and confidentiality.

4 · Sub-processors

The Controller authorizes the Processor to engage sub-processors (cloud hosting, email delivery, payment processing, and — where enabled — licensed KYC/AML screening). The Processor maintains a current sub-processor list, imposes equivalent data-protection obligations on each, and remains liable for their performance. The Controller will be notified of intended changes and may object on reasonable grounds.

5 · Data-subject rights

The Processor will, to the extent legally permitted, promptly notify the Controller of any data-subject request it receives directly and assist the Controller in fulfilling such requests, including via the consent and audit endpoints that record and evidence consent.

6 · Security measures

• Encryption of personal data in transit; phishing-resistant authentication (WebAuthn / passkeys).
• Post-quantum (NIST FIPS 204) signed, hash-chained, tamper-evident audit ledger.
• Access on a least-privilege basis; secrets stored in a managed secret store.
• Ability to restore availability and access to personal data in a timely manner after an incident.
• Regular testing and evaluation of the effectiveness of these measures.

7 · Personal-data breach

The Processor will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data, with information sufficient to meet the Controller's NPC notification obligations under RA 10173 and NPC Circular 16-03.

8 · International transfers

Where processing occurs outside the Philippines, the Processor applies appropriate safeguards consistent with RA 10173 and NPC guidance.

9 · Liability & precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict on data-protection matters, this DPA prevails. [VERIFY with legal]

10 · Signatures

This DPA is effective upon acceptance of the Terms of Service or upon separate execution by the parties' authorized representatives. Electronic execution is valid under RA 8792.