Data Processing Agreement

Last Updated: January 15, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Veros Inc, doing business as VeryAI (“VeryAI”, “Processor”, “we”, “us”) and the customer or entity that has agreed to VeryAI’s Terms of Service (“Customer”, “Controller”). This DPA governs the Processing of Personal Data, including biometric data, in connection with the Services.

This DPA is incorporated by reference into the applicable Terms of Service, Master Services Agreement, or other written agreement between the parties (“Agreement”).

1. DEFINITIONS

  • “Biometric Data” means personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, including palm images, palm vein patterns, or biometric templates.

  • “Data Protection Laws” means all applicable privacy and data protection laws, including Regulation (EU) 2016/679 (“GDPR”), UK GDPR, the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), and similar laws.

  • “Personal Data” means any information relating to an identified or identifiable natural person.

  • “Processing” has the meaning given in Article 4 of the GDPR.

  • “Sub-processor” means any third party engaged by VeryAI to Process Personal Data.

2. ROLES OF THE PARTIES

  • Customer acts as the Data Controller (or “Business” under CCPA/CPRA).

  • VeryAI acts as a Data Processor (or “Service Provider”).

Customer determines:

  • The lawful basis for processing Biometric Data

  • Whether explicit consent or another Article 9 exemption applies

  • The purposes for which biometric processing occurs

VeryAI Processes Personal Data solely on documented instructions from Customer and does not determine the purposes or means of Processing.

3. DETAILS OF PROCESSING

3.1 Subject Matter

The Processing of Personal Data in connection with the provision of biometric identity verification and authentication services, including palm-based biometric technology, software, APIs, hardware integrations, and related services.

Processing activities may include:

  • Extraction and collection of palm features images from the palm scan data initiated by Customer

  • Conversion of palm features into secure, encrypted biometric templates

  • Matching, verification, and authentication operations

  • Storage, transmission, and retrieval of encrypted biometric templates and associated metadata

  • Security monitoring, fraud prevention, and misuse detection

  • Customer support, troubleshooting, and system optimization

VeryAI does not use Biometric Data for profiling, marketing, advertising, or model training unrelated to Customer instructions.

3.2 Duration

For the term of the Agreement, plus any retention period required by applicable law or expressly instructed by Customer.

3.3 Nature and Purpose of Processing

  • Identity verification and authentication

  • Fraud prevention and security

  • Operation, maintenance, and support of biometric systems

  • Compliance with legal and regulatory obligations

3.4 Categories of Personal Data

As determined by Customer, which may include:

  • Biometric Data (encrypted palm biometric templates)

  • Names, identifiers, and user IDs

  • Account and device metadata

  • Usage logs and security event data

3.5 Categories of Data Subjects

  • Customer employees

  • End users or individuals enrolled in Customer’s biometric systems

  • Authorized users and contractors

4. PROCESSOR OBLIGATIONS

VeryAI shall:

  1. Process Personal Data only on documented instructions from Customer

  2. Ensure personnel are bound by confidentiality obligations

  3. Implement heightened security controls appropriate for Biometric Data

  4. Not sell, share, or monetize Personal Data or Biometric Data

  5. Not use Biometric Data for training generalized AI or biometric models

  6. Assist Customer with:

      • Data subject rights requests

      • Data protection impact assessments (DPIAs)

      • Regulatory or supervisory authority inquiries

  7. Notify Customer if an instruction violates Data Protection Laws

5. SECURITY MEASURES (BIOMETRIC-ENHANCED)

VeryAI maintains enhanced security measures appropriate to the sensitivity of biometric data.

Technical Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or stronger)

  • One-way or non-reversible biometric template generation where feasible

  • Segregation of biometric data from identifying information

  • Strict role-based access control and least-privilege access

  • Multi-factor authentication for privileged access

  • Continuous logging, monitoring, and anomaly detection

  • Regular penetration testing and vulnerability management

Organizational Measures

  • Mandatory biometric data handling training

  • Restricted access approvals for biometric systems

  • Documented incident response and breach escalation procedures

  • Vendor and sub-processor risk assessments

VeryAI maintains a SOC 2 Type II or equivalent security program and makes compliance materials available upon reasonable request.

6. SUB-PROCESSORS

6.1 Authorization

Customer grants VeryAI general authorization to engage Sub-processors strictly necessary to provide the Services.

6.2 Safeguards

VeryAI ensures Sub-processors:

  • Are contractually bound to equivalent biometric data protections

  • Are prohibited from independent use of Biometric Data

  • Process data only on VeryAI’s instructions

6.3 Responsibility

VeryAI remains fully responsible for Sub-processor compliance.

7. DATA SUBJECT RIGHTS

VeryAI shall assist Customer, where legally required and technically feasible, with requests relating to:

  • Access

  • Rectification

  • Erasure

  • Restriction

  • Objection

VeryAI will not respond directly to data subjects unless legally required.

8. PERSONAL DATA BREACH

VeryAI will notify Customer without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data or Biometric Data breach.

Notification will include:

  • Nature and scope of the breach

  • Categories of data affected

  • Mitigation actions taken or proposed

9. AUDIT AND COMPLIANCE

Customer may audit VeryAI’s compliance:

  • No more than once annually

  • With reasonable advance notice

  • Via documentation, certifications, or third-party audit reports

On-site audits require mutual agreement and confidentiality safeguards.

10. DATA RETURN AND DELETION

Upon termination of the Services, VeryAI shall, at Customer’s instruction:

  • Securely delete Biometric Data using industry-standard methods, or

  • Return data in a structured format

Deletion will occur within 90 days, unless retention is legally required.

11. INTERNATIONAL DATA TRANSFERS

Where Personal Data is transferred outside the EEA, UK, or Switzerland, VeryAI relies on:

  • EU Standard Contractual Clauses

  • UK International Data Transfer Addendum

  • Adequacy decisions or other lawful mechanisms

Supplementary measures will be applied where required.

12. CCPA / CPRA TERMS

For purposes of CCPA/CPRA, VeryAI:

  • Acts as a Service Provider

  • Does not sell or share Personal Data or Biometric Information

  • Processes data solely to provide the Services

  • Certifies compliance with CPRA requirements

13. LIABILITY

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement, except where prohibited by applicable law.

14. TERM AND TERMINATION

This DPA remains effective for the duration of the Agreement and survives termination only with respect to obligations that by nature should survive.

15. GOVERNING LAW

This DPA is governed by the law specified in the Agreement.

16. ORDER OF PRECEDENCE

In the event of a conflict, this DPA controls with respect to data protection obligations.

CONTACT

For privacy or legal inquiries: [email protected]
