Data Processing Agreement (DPA)
Why is Verifai not required to acquire a Data Processing Agreement?
Verifai is developed in such a way that it never processes or stores personal data, neither locally nor on our servers. Pictures and/or scans taken of identity documents will never be sent to Verifai’s servers, since scanning, classifying, extracting and processing data all happen on the device itself. Moreover, scanned and/or photographed identity documents on the phone’s storage or cache will be directly removed or overwritten with random data. This implies that Verifai never gets access to personal data and therefore only facilitates data transmission from the client to the controller. This means that data can be processed on the servers of our clients.
If Verifai’s SDK has been integrated in an application that processes personal data as a third party, then a DPA is required between the controller and processor of that application. Coming to such a formal agreement is the responsibility of the controller. Verifai B.V. cannot be held responsible for arranging this agreement.
What’s a Data Processing Agreement?
A Data Processing Agreement (DPA) governs the responsibilities that apply when one firm asks a third-party firm to process personal data.
The responsible party (controller) is the firm that determines the goal and the resources needed for processing sensitive personal data. For example, this could be an employer which needs to administer employee data to pay out salaries (name, address, bank account, etc.). The controller is responsible for carefully handling and managing the data.
The processor is the one who processes data on behalf of the controller without being under the direct authority of the controller. For example, a third-party administrative firm could be hired to ensure salary payments to employees of the controller, which would in this case be a processor.
When is a DPA required?
If a controller lets a processor process data, a formal DPA is required. This also holds when the processor is a subsidiary of the focal firm or if the firm is stationed abroad. Each time a controller outsources the processing of sensitive personal data, a formal DPA is required by law.