
DPA — Sumsub

Data Processing Agreement — Sumsub

Between:

  • Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
  • Data Processor: Sumsub Limited ("Processor")

Effective Date: [DATE]
Product: Drop payment services — KYC/Identity Verification


This DPA supplements the generic DPA template (dpa-template.md) with Sumsub-specific processing details. All general terms from the template apply unless overridden below.


Appendix 1 — Processing Details

Field | Description
Purpose | Identity verification (KYC/CDD) for Drop users, including document verification, liveness checks, PEP screening, and sanctions list checks in accordance with Norwegian AML legislation (hvitvaskingsloven)
Nature | Collection, verification, storage, and analysis of identity documents and biometric data
Duration | Duration of service agreement between Controller and Sumsub
Data subjects | Drop end users (natural persons in Norway applying for or holding Drop accounts)
Data types | Full name, date of birth, national ID number (encrypted), nationality, identity document images (passport/ID card), selfie/liveness capture, PEP screening results, sanctions check results, risk score, verification status
Special categories | Biometric data for identity verification (GDPR Art. 9(2)(g) — substantial public interest: AML obligations)

Appendix 2 — Security Measures (Sumsub)

  1. Encryption: TLS 1.3 in transit; AES-256 at rest for all stored documents and data
  2. Access Control: Role-based access, MFA for all staff, principle of least privilege
  3. Data Residency: EU data centers (primary processing within EEA)
  4. Logging: Comprehensive audit trail for all verification events and data access
  5. Data Retention: Verification data retained for the period specified by Controller (aligned with hvitvaskingsloven 5-year requirement), then securely deleted
  6. Incident Response: 24/7 security operations, breach notification within 24 hours
  7. Certifications: SOC 2 Type II, ISO 27001, PCI DSS compliant
  8. Sub-processors: List maintained and available at Sumsub's sub-processor page; 30-day advance notice of changes

Additional Sumsub-Specific Terms

Biometric Data

  • Biometric data (liveness/selfie) processed solely for identity verification purposes
  • Not used for surveillance, profiling, or any purpose beyond KYC verification
  • Deleted upon completion of verification cycle (not retained beyond verification outcome)

Data Subject Rights

  • Sumsub shall assist Controller in responding to data subject access, erasure, and portability requests within 10 business days
  • Verification results and risk scores can be exported in machine-readable format

Transfer Impact Assessment

  • Primary processing: EU/EEA data centers
  • Any processing outside EEA covered by EU SCCs (Decision 2021/914)
  • TIA documentation available upon request

Signatures

Data Controller — ALAI Holding AS

Name: ___________________________ Title: ___________________________ Date: ___________________________

Data Processor — Sumsub Limited

Name: ___________________________ Title: ___________________________ Date: ___________________________