Data Processing Addendum

Effective 5 April 2024

This Data Processing Addendum (“DPA”) forms part of the AutoKYC Terms of Service or other written agreement between AutoKYC Limited (“AutoKYC”) and the Customer identified in that agreement. It governs AutoKYC’s processing of personal data on behalf of the Customer when delivering the AutoKYC SaaS Platform, SDKs, APIs, and Managed KYC/KYB Services.

Capitalised terms have the meanings set out in the Agreement. Terms such as “controller,” “processor,” “data subject,” and “personal data” follow the definitions in the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”). Where regional laws impose higher requirements (including UK GDPR, CCPA, and other privacy regimes), AutoKYC will apply the stricter standard.

1. Subject matter, duration, and nature of processing

AutoKYC processes personal data solely to provide the Services, including identity verification, sanctions screening, liveness checks, case management, rules-based decisioning, and audit logging. Processing lasts for the duration of the Agreement plus any post-termination retention period specified in Section 7 of this DPA.

The processing includes automated and analyst-assisted review of applicant information, document capture, biometrics, ownership structures, and regulator-mandated watchlists sourced from multiple AML providers. AutoKYC performs no profiling beyond what is necessary to carry out the Customer’s explicit instructions.

2. Roles of the parties

The Customer acts as the controller (or as a processor where acting on behalf of another controller). AutoKYC acts as a processor and, where its Managed Services rely on downstream specialists, as an additional subprocessor. Each party will comply with GDPR and all applicable data protection laws in its performance of the Agreement.

3. Customer instructions

AutoKYC processes personal data only on documented instructions from the Customer. The Agreement, this DPA, and Customer configuration within the console constitute the Customer’s instructions. AutoKYC will notify the Customer if it cannot follow an instruction due to legal or technical restrictions. Where required by law, AutoKYC may process data independently, but will inform the Customer unless prohibited.

4. Personnel and confidentiality

  • AutoKYC ensures that personnel accessing personal data are bound by confidentiality obligations.
  • Access to production systems follows least-privilege principles, multi-factor authentication, and quarterly access reviews.
  • Case analysts handling managed operations receive jurisdiction-specific AML and data protection training.

5. Security measures

AutoKYC implements technical and organisational measures proportionate to the risk of processing identity and due diligence data. Core measures include:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+) with managed key rotation.
  • Network segmentation, intrusion detection, and continuous vulnerability scanning.
  • Immutable audit logs recording workflow actions, analyst votes, and decision overrides.
  • Automated consent enforcement ensuring SDKs load analytics only after opt-in.
  • Secure development lifecycle with peer review, dependency scanning, and regular penetration testing.
  • Business continuity and disaster recovery plans with data replication across EU and UK availability zones as configured by the Customer.

A summary of security controls is available in the AutoKYC Trust Center and may be updated from time to time without lowering the overall protection level.

6. Subprocessors

AutoKYC may engage subprocessors to deliver components of the Services, including AML data providers, document verification vendors, communication tools, and cloud infrastructure. AutoKYC ensures that subprocessors are bound by written agreements imposing data protection obligations no less protective than this DPA.

AutoKYC will maintain an up-to-date list of subprocessors at autokyc.com/security and will notify the Customer of material changes at least 30 days in advance. Within that period, the Customer may object on reasonable grounds. If the objection cannot be resolved, either party may terminate the affected Services with a prorated refund of prepaid fees.

7. Data retention and deletion

AutoKYC retains personal data for the duration the Customer defines in the console or in its statement of work. Default retention is 12 months for standard onboarding records and 6 years for case audit logs required for compliance reviews. Upon termination or Customer request, AutoKYC will delete or return personal data within 30 days unless applicable law requires longer retention.

8. Data subject rights

Taking into account the nature of the processing, AutoKYC will assist the Customer in responding to data subject requests, including rights of access, rectification, erasure, restriction, portability, and objection. The AutoKYC console provides tooling to search case history, redact data, and export machine-readable evidence. The Customer is responsible for verifying the authenticity of each request.

9. Personal data breach notification

AutoKYC will notify the Customer without undue delay after becoming aware of a personal data breach. The notice will include the nature of the breach, likely consequences, mitigation steps, and a point of contact. AutoKYC will cooperate in good faith to support regulatory notifications and communication to affected individuals.

10. Assistance with DPIAs

AutoKYC will provide reasonable information to facilitate Customer Data Protection Impact Assessments and consultations with supervisory authorities regarding processing activities that involve AutoKYC. This includes security documentation, supplier registers, and details of jurisdictions in which data is stored or accessed.

11. Audit rights

Upon written request and not more than once per calendar year, the Customer may audit AutoKYC’s compliance with this DPA. AutoKYC will make available summaries of independent audits (including ISO 27001 certification reports) and, where necessary, allow on-site inspections subject to reasonable scheduling, confidentiality, and the Customer covering associated costs.

12. International data transfers

AutoKYC stores and processes personal data in regions selected by the Customer (EU, UK, or US). Transfers outside the EU/EEA, United Kingdom, or Switzerland will comply with applicable transfer mechanisms, including the European Commission’s Standard Contractual Clauses (Module 2) and the UK International Data Transfer Addendum. AutoKYC monitors legal developments and will modify transfer safeguards as required.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits a party’s liability arising from breaches of data protection law to the extent such limitation is prohibited.

14. Miscellaneous

  • If provisions of this DPA conflict with the Agreement, this DPA prevails with respect to data processing.
  • This DPA automatically terminates upon termination of the Agreement, except for obligations that survive as stated herein.
  • Amendments require mutual written consent, except where AutoKYC updates the DPA to reflect changes in law with reasonable prior notice.

Annex I – Processing details

Categories of data subjects: Applicants, beneficial owners, directors, authorised signatories, compliance reviewers, and internal case analysts as configured by the Customer.

Categories of personal data: Identification data (name, date of birth, addresses), biometrics and liveness captures, government identifiers, business registration data, beneficial ownership structures, sanctions watchlist indicators, device metadata, decisioning logs, and consent records.

Sensitive data: Processing may include special categories of data (biometric identifiers) solely for authentication and fraud prevention, subject to explicit consent or other lawful bases determined by the Customer.

Processing operations: Collection, recording, structuring, storage, retrieval, consultation, cross-matching, decisioning, and deletion as required for onboarding, ongoing due diligence, and enhanced due diligence.

Annex II – Technical and organisational measures

AutoKYC documents detailed controls in its security whitepaper available under NDA. Key measures include:

  • Rules engine with layered approval ensuring sensitive actions require dual analyst review.
  • Segregated environments for development, staging, and production with independent credentials.
  • Comprehensive logging with tamper-evident storage and seven-year retention for escalated cases.
  • Regular red-teaming and tabletop exercises simulating AML regulator requests and incident response.
  • Privacy impact assessments for new integrations and compliance packs for each supported jurisdiction.

Contact

Data protection queries should be directed to dpo@autokyc.com or by mail to AutoKYC Limited, Attn: Data Protection Officer, 12 Finsbury Square, London EC2A 1AN, United Kingdom. We respond to verified requests within 48 hours on business days.