Data Processing Addendum
Controller–processor terms (GDPR Art. 28) for personal data IdentiQube processes on your behalf.
IdentiQube · Effective 9 July 2026
1. Scope and roles
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", the controller) and IdentiQube LLC (QFC No. 04577) ("Provenant", the processor), and applies where Provenant processes personal data on the Customer's behalf in providing the hosted Service. Where the Customer is itself a processor for its own customers, Provenant is a sub-processor and the same obligations apply.
In case of conflict on data-protection matters, this DPA prevails over the Terms of Service.
2. Definitions
"Applicable Data Protection Law" means the EU GDPR, the UK GDPR and Data Protection Act 2018, the CCPA/CPRA, and other privacy laws applicable to the processing. "Controller", "processor", "personal data", "processing", "data subject", and "personal data breach" have the meanings in the GDPR. "SCCs" means the European Commission's Standard Contractual Clauses (Decision 2021/914) and, for UK transfers, the UK International Data Transfer Addendum. "Sub-processor" means a third party engaged by Provenant to process personal data.
3. Processing of personal data
- Provenant will process personal data only on the Customer's documented instructions — including this DPA, the Terms, and the Customer's configuration and use of the Service — unless required by law, in which case Provenant will inform the Customer unless legally prohibited.
- The Customer is responsible for the lawfulness of the personal data and instructions, and for having any required notices and consents.
- Provenant will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
- The details of processing (subject matter, duration, nature, purpose, data categories, and data subjects) are set out in Annex I.
4. Confidentiality and personnel
Provenant ensures that personnel authorized to process personal data are bound by confidentiality and are trained on their obligations, and it limits access to those who need it to provide and support the Service.
5. Security
Provenant implements and maintains appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs, and the risk. Those measures are described in Annex II. Provenant may update them provided the level of protection is not materially reduced.
6. Sub-processors
The Customer authorizes Provenant to engage the sub-processors listed in Annex III, and further sub-processors under this general authorization. Provenant imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance.
Provenant will give the Customer at least 30 days' prior notice (by email or in-product) before a new or replacement sub-processor begins processing the Customer's personal data. The Customer may object on reasonable data-protection grounds within that notice period, and the parties will work in good faith to resolve the objection. If they cannot resolve it, the Customer may, as its sole remedy, terminate the affected part of the Service (or the Service) on written notice and receive a pro-rata refund of any prepaid, unused fees for the terminated portion; until termination or resolution, Provenant will not use the objected-to sub-processor to process that Customer's personal data.
7. Data subject requests
Taking into account the nature of the processing, Provenant will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests to exercise their rights. If Provenant receives such a request directly, it will, unless legally required to act, promptly forward it to the Customer and not respond except on the Customer's instructions. The Service also provides self-service data export and deletion tooling the Customer can use.
8. Personal data breach
Provenant will notify the Customer without undue delay after confirming a personal data breach affecting the Customer's personal data. The notification will include the information reasonably available to Provenant to help the Customer meet its own notification obligations (including any regulator deadlines that apply to the Customer), and Provenant will cooperate and take reasonable steps to mitigate and remediate the breach.
9. Assistance with compliance
Taking into account the nature of processing and the information available to it, Provenant will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations (GDPR Arts. 35–36) and with the Customer's obligations regarding security and breach notification (Arts. 32–34).
10. Return and deletion
On termination of the Service, and at the Customer's choice, Provenant will delete or return the personal data it processes on the Customer's behalf, and delete existing copies, within a reasonable period (typically 30 days), unless law requires retention. Customer-initiated exports and deletions are available in-product before termination. Backups are deleted on their normal expiry cycle. On request, Provenant will certify deletion.
11. Audits and information
Provenant will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates — no more than once a year absent a specific concern or a regulator's or law's requirement. Provenant may satisfy audit requests by providing relevant third-party reports or certifications where available.
12. International transfers
Where processing under this DPA involves a transfer of personal data to a country without an adequacy decision, the parties agree that the SCCs (and the UK Addendum, where applicable) are incorporated into this DPA and apply to that transfer, with the Customer as data exporter and Provenant (or the relevant sub-processor) as data importer. The modules and options are completed in Annex I(D), and Annexes I–III of this DPA populate the corresponding SCC annexes. Where the Customer is a controller, Module Two applies; where the Customer is itself a processor, Module Three applies.
13. California (CCPA/CPRA)
To the extent the CCPA/CPRA applies, Provenant acts as a service provider and processes personal information only to provide the Service under the Terms. Provenant will not sell or share personal information, will not retain, use, or disclose it for any purpose other than the business purposes specified, and will not combine it with data from other sources except as permitted. Provenant certifies it understands and will comply with these restrictions.
14. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law. In the event of conflict, the order of precedence is: the SCCs, then this DPA, then the Terms.
Annex I — Details of processing
A. Parties
Data exporter / controller: the Customer (as identified in its account). Data importer / processor: IdentiQube LLC (QFC No. 04577), Qatar Financial Centre, Doha, State of Qatar, contact [email protected].
B. Description of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Provenant hosted control-plane and audit-ledger Service. |
| Duration | For the term of the Service and the return/deletion period after termination. |
| Nature and purpose | Hosting, storing, transmitting, evaluating, and recording data to govern and audit the Customer’s Agents, and to secure and support the Service. |
| Categories of personal data | Identity and contact data of the Customer’s members (name, work email, role); authentication data (MFA status, passkey public keys, token/recovery-code hashes); and any personal data the Customer or its Agents include in configuration, action metadata, or content routed through the Service. |
| Special categories | None intended; the Customer must not submit special-category data without a separate written agreement. |
| Data subjects | The Customer’s members and administrators, and individuals whose data the Customer’s Agents process through the Service. |
| Frequency | Continuous, for the duration of the Service. |
| Retention | Per the Customer’s Plan retention window and Section 10 of this DPA. |
C. Competent supervisory authority
the QFC Data Protection Office; EU/UK data subjects may also contact their local authority (or the authority determined under the SCCs).
D. Standard Contractual Clauses — selected options
- Module: Module Two (controller-to-processor) where the Customer is a controller; Module Three (processor-to-processor) where the Customer is a processor.
- Clause 7 (docking): included — other entities may accede by agreement.
- Clause 9 (sub-processors): Option 2, general written authorization, with the 30-day prior-notice period in Section 6 of this DPA.
- Clause 11 (independent dispute resolution): the optional redress-body language is not used.
- Clause 17 (governing law): the law of the Qatar Financial Centre, State of Qatar (or, where that is not an EU Member State law, the law of the Republic of Ireland for EU transfers).
- Clause 18 (forum): the Civil and Commercial Court of the Qatar Financial Centre (or, for EU transfers, the courts of the Member State whose law governs under Clause 17).
- UK Addendum: for UK transfers, the UK International Data Transfer Addendum applies to these SCCs; the "Approved Addendum" tables are populated from Annexes I–III and this Section D.
Annex II — Technical and organizational measures
- Encryption — TLS in transit; stored secrets and credentials (connector credentials, webhook and TOTP secrets, SSO client secrets, notification and egress configuration) encrypted at rest with AES-256-GCM under per-organization derived keys, and never returned by the API. Data at rest is stored on managed hosting and database infrastructure that provides disk-level encryption.
- Authentication — password hashing with scrypt; multi-factor authentication (TOTP) and WebAuthn passkeys; single-use recovery codes; short-lived, signed session and step tokens.
- Access control — role-based access (admin / operator / viewer); per-agent approval ownership; least-privilege internal access; and per-query tenant scoping on every request so that each organization can reach only its own data, with database row-level security available as an additional enforced backstop.
- Network — egress protections against SSRF and DNS-rebinding on outbound calls; in the hosted Service the API is reachable only through the front proxy, not directly from the public internet.
- Integrity & auditability — append-only, hash-chained, tamper-evident audit ledger with independent offline verification and external anchoring options.
- Resilience — managed, backed-up datastore; retention controls with pre-pruning warnings; horizontal scaling with a single background-job runner.
- Governance — least-privilege personnel access under confidentiality; secure development practices; logging and monitoring; incident response and breach notification; vendor due diligence for sub-processors.
Annex III — Authorized sub-processors
Provenant uses a small set of vetted sub-processors to run the hosted Service (payment processing, transactional email, cloud hosting and managed database, and operational monitoring). The current sub-processor list — identifying each sub-processor, its purpose, and its processing location — is available on request at [email protected] and is provided to the Customer on execution of this DPA, at which point it is incorporated as this Annex III.
Changes to the list are notified, and may be objected to, as described in Section 6.