Data Processing Addendum (template)

Where we process personal data on behalf of a customer (the controller), we act as processor under GDPR Art. 28.

Subject matter & duration

Age and identity verification for the duration of the customer's subscription.

Nature & purpose

One-time biometric comparison and document validation to produce an over-threshold age decision.

Categories of data

Special-category biometric data (transient, not stored).
Document-derived date of birth (used to compute the result, not stored as raw DOB by default).
Pseudonymous identifiers: customer-supplied subject reference, salted IP hash.

Sub-processors

Hosting / database provider.
Stripe (billing only — never receives verification data).
Optional, off by default: wavespeed.ai for advisory age estimation (requires opt-in and updated consent copy).

Security measures

In-memory-only biometric processing; data minimisation by design.
Encryption in transit; hashed API keys and IPs; tamper-evident audit log.
Documented retention and automated erasure.

This template is provided as engineering scaffolding and is not legal advice. Have your DPO / counsel review before going live, and complete a DPIA.