# DPA — Sumsub # Data Processing Agreement — Sumsub **Between:** - **Data Controller:** ALAI Holding AS, Org. No. 932 516 136 ("Controller") - **Data Processor:** Sumsub Limited ("Processor") **Effective Date:** [DATE] **Product:** Drop payment services — KYC/Identity Verification --- This DPA supplements the generic DPA template (`dpa-template.md`) with Sumsub-specific processing details. All general terms from the template apply unless overridden below. --- ## Appendix 1 — Processing Details | Field | Description | |-------|-------------| | **Purpose** | Identity verification (KYC/CDD) for Drop users, including document verification, liveness checks, PEP screening, and sanctions list checks in accordance with Norwegian AML legislation (hvitvaskingsloven) | | **Nature** | Collection, verification, storage, and analysis of identity documents and biometric data | | **Duration** | Duration of service agreement between Controller and Sumsub | | **Data subjects** | Drop end users (natural persons in Norway applying for or holding Drop accounts) | | **Data types** | Full name, date of birth, national ID number (encrypted), nationality, identity document images (passport/ID card), selfie/liveness capture, PEP screening results, sanctions check results, risk score, verification status | | **Special categories** | Biometric data for identity verification (GDPR Art. 9(2)(g) — substantial public interest: AML obligations) | --- ## Appendix 2 — Security Measures (Sumsub) 1. **Encryption:** TLS 1.3 in transit; AES-256 at rest for all stored documents and data 2. **Access Control:** Role-based access, MFA for all staff, principle of least privilege 3. **Data Residency:** EU data centers (primary processing within EEA) 4. **Logging:** Comprehensive audit trail for all verification events and data access 5. **Data Retention:** Verification data retained for the period specified by Controller (aligned with hvitvaskingsloven 5-year requirement), then securely deleted 6. **Incident Response:** 24/7 security operations, breach notification within 24 hours 7. **Certifications:** SOC 2 Type II, ISO 27001, PCI DSS compliant 8. **Sub-processors:** List maintained and available at Sumsub's sub-processor page; 30-day advance notice of changes --- ## Additional Sumsub-Specific Terms ### Biometric Data - Biometric data (liveness/selfie) processed solely for identity verification purposes - Not used for surveillance, profiling, or any purpose beyond KYC verification - Deleted upon completion of verification cycle (not retained beyond verification outcome) ### Data Subject Rights - Sumsub shall assist Controller in responding to data subject access, erasure, and portability requests within 10 business days - Verification results and risk scores can be exported in machine-readable format ### Transfer Impact Assessment - Primary processing: EU/EEA data centers - Any processing outside EEA covered by EU SCCs (Decision 2021/914) - TIA documentation available upon request --- ## Signatures **Data Controller — ALAI Holding AS** Name: ___________________________ Title: ___________________________ Date: ___________________________ **Data Processor — Sumsub Limited** Name: ___________________________ Title: ___________________________ Date: ___________________________