Data Processing Addendum
Effective date: 2026-03-01
Company: Asteria Limited (HK)
This Data Processing Addendum describes general data processing terms that may apply when Asteria Limited (HK) processes personal data on behalf of a Customer through ASTERIA KYC services. It is intended to provide a public overview of ASTERIA KYC’s data processing commitments and should be read together with the Privacy Policy, Terms & Conditions, Security Statement, Data Retention Policy, and any written agreement between ASTERIA KYC and the Customer.
If a separately signed data processing agreement exists between ASTERIA KYC and a Customer, that signed agreement will govern to the extent of any conflict.
1. Roles of the Parties
Depending on the context and applicable law, the Customer may act as controller, business, data exporter, or another legally recognized role.
ASTERIA KYC may act as processor, service provider, data importer, or another legally recognized role when processing Customer-controlled personal data according to Customer instructions.
For certain operational, security, legal, fraud prevention, service improvement, and compliance purposes, ASTERIA KYC may act independently where permitted by law.
2. Scope of Processing
Processing may include:
- collection
- upload
- transmission
- storage
- organization
- extraction
- analysis
- comparison
- verification
- screening
- risk scoring
- review support
- logging
- reporting
- deletion
- return
- retention where required
3. Subject Matter of Processing
The subject matter of processing is the provision of ASTERIA KYC identity verification, document verification, liveness detection, biometric comparison, AML screening, fraud prevention, case management, dashboard, API, SDK, reporting, and compliance workflow services to Customers.
4. Duration of Processing
Processing continues for the duration of the Customer’s use of the Services and for any additional period required by agreement, Customer instruction, legal obligation, dispute resolution, security, audit, fraud prevention, or retention policy.
5. Categories of Data Subjects
Data subjects may include:
- End Users undergoing identity verification
- Customer representatives
- Customer administrators
- compliance reviewers
- developers and integration users
- business contacts
- support contacts
- website visitors where applicable
6. Categories of Personal Data
Processed personal data may include:
- identity data
- contact data
- document images and document metadata
- facial images, selfies, or video frames
- biometric-related signals where enabled
- liveness indicators
- AML screening data
- sanctions, PEP, adverse media, or watchlist indicators where enabled
- device and technical data
- IP address and session data
- case notes and review decisions
- audit logs
- API and dashboard usage data
- risk scores and workflow statuses
- support communications
7. Special Categories and Sensitive Data
Certain workflows may involve sensitive data, biometric-related data, identity documents, government identifiers, or other protected categories of information.
Customers are responsible for determining whether such processing is lawful, necessary, proportionate, and supported by appropriate notice, consent, legal basis, and safeguards.
8. Customer Instructions
ASTERIA KYC will process Customer-controlled personal data according to documented Customer instructions, including configuration settings, workflow rules, API requests, dashboard actions, contract terms, and applicable policies.
ASTERIA KYC may decline instructions that appear unlawful, technically infeasible, unsafe, abusive, or inconsistent with applicable agreements.
9. Confidentiality
ASTERIA KYC personnel with access to personal data are subject to confidentiality obligations or equivalent professional duties.
Access to personal data is limited to personnel and systems that require access for service delivery, support, security, compliance, maintenance, or authorized operational purposes.
10. Security Measures
ASTERIA KYC maintains administrative, technical, and organizational measures designed to protect personal data. Such measures may include:
- access control
- role-based permissions
- encryption in transit
- encryption or protected storage where appropriate
- logging and monitoring
- secure development practices
- vulnerability management
- incident response procedures
- backup and recovery controls
- staff confidentiality obligations
- internal security policies
- environment segregation where applicable
- least-privilege access principles
11. Subprocessors
ASTERIA KYC may use subprocessors to support hosting, storage, security, monitoring, communications, analytics, customer support, screening infrastructure, fraud prevention, backup, and operational administration.
Subprocessors are expected to process personal data only for authorized service purposes and subject to appropriate confidentiality and security obligations.
A public Subprocessor Notice may describe categories of subprocessors without listing vendor-specific confidential information.
12. International Transfers
Personal data may be processed in jurisdictions outside the Customer’s or End User’s location.
Where required, ASTERIA KYC and Customers should use appropriate transfer safeguards, contractual mechanisms, transfer assessments, or other legal mechanisms recognized under applicable data protection laws.
Customers are responsible for determining whether their use of ASTERIA KYC involves cross-border transfer requirements.
13. Assistance with Data Subject Requests
Where ASTERIA KYC acts as processor, it may assist Customers in responding to data subject requests to the extent required by applicable law and reasonably possible through the Services.
Such requests may include access, correction, deletion, restriction, objection, portability, or consent withdrawal, depending on applicable law.
End Users should generally contact the Customer that controls the verification relationship.
14. Assistance with Security and Compliance
ASTERIA KYC may provide reasonable information to support Customer security assessments, compliance reviews, data protection inquiries, or audit requests, subject to confidentiality, security restrictions, commercial reasonableness, and applicable agreements.
15. Security Incidents
If ASTERIA KYC becomes aware of a confirmed security incident affecting Customer-controlled personal data, it will take appropriate steps to investigate, contain, mitigate, and notify affected Customers as required by applicable law or agreement.
Customer notification obligations to regulators or data subjects remain the Customer’s responsibility unless otherwise required by law or written agreement.
16. Deletion and Return
Upon termination or expiration of services, ASTERIA KYC will delete, return, anonymize, or retain Customer-controlled personal data according to Customer instruction, applicable agreement, technical feasibility, legal obligations, dispute requirements, fraud prevention needs, security requirements, and the Data Retention Policy.
17. Audit and Information Rights
Where required by applicable law or agreement, ASTERIA KYC may provide information reasonably necessary to demonstrate compliance with applicable processing obligations.
Direct audits may be subject to reasonable notice, confidentiality, security controls, scope limitations, and avoidance of disruption to service operations.
18. Customer Responsibilities
Customers are responsible for:
- providing lawful instructions
- maintaining privacy notices
- obtaining required consents
- determining legal bases
- configuring workflows lawfully
- responding to End User rights requests
- setting retention requirements
- securing Customer systems
- limiting user access
- reviewing verification outputs
- maintaining compliance records
19. Conflict with Written Agreement
If a Customer has a signed agreement with ASTERIA KYC that includes specific data processing terms, the signed agreement governs over this public Data Processing Addendum to the extent of conflict.
20. Updates
ASTERIA KYC may update this Data Processing Addendum from time to time. Updated versions will be posted on the website with a revised effective date.
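Have questions about this policy?
If you have any questions about this policy, ASTERIA KYC services, data processing, compliance workflows, or documentation, please contact Asteria through the official contact channels on the website.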