Data Processing Agreement
Template version 1.0 · 2026-05-16
This Data Processing Agreement (the “DPA”) supplements the master services agreement between Okto ([TODO: legal entity + address], the “Processor”) and the contracting party (the “Controller”) and governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Okto identity-verification service.
1. Definitions
Capitalised terms not defined herein have the meaning given to them in Regulation (EU) 2016/679 (“GDPR”).
2. Subject matter, duration, nature and purpose
- Subject matter — verification of natural-person identity for hospitality check-in and AML compliance.
- Duration — for the term of the underlying master agreement.
- Nature — collection, OCR, biometric matching, sanctions screening, secure storage, deletion.
- Purpose — fulfilling the Controller's legal / contractual obligations toward the data subject (the verified guest).
3. Categories of data subjects and personal data
Data subjects: natural persons completing a verification.
Categories of data:
- Identity document images and extracted fields (see Privacy Policy §2).
- Selfie and biometric similarity scores.
- Technical metadata (IP, user agent, timestamps).
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller (this DPA + the API requests the Controller sends);
- Ensure that persons authorised to process the data are subject to confidentiality;
- Implement the technical and organisational measures listed in Annex A;
- Not engage sub-processors without the Controller's prior written authorisation (a list of pre-approved sub-processors is in Annex B);
- Assist the Controller in responding to data-subject rights requests within five (5) business days;
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and submit to audits with reasonable notice;
- Notify the Controller without undue delay (and in any event within 48 hours) of any personal-data breach;
- At the choice of the Controller, delete or return all personal data after the end of the provision of services.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in Annex B. The Processor will notify the Controller in writing at least 30 days before any change to the sub-processor list; the Controller may object on reasonable grounds.
6. International transfers
Where personal data is transferred outside the EU/EEA, the parties rely on the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (Module 2: controller to processor). The clauses are deemed incorporated into this DPA by reference.
7. Term and termination
This DPA enters into force on signature and remains in effect for the duration of the master agreement. On termination, the Processor will return or delete all personal data within 30 days, unless retention is required by Union or Member-State law.
8. Liability
Liability under this DPA is governed by the master agreement, except that liability for breaches of GDPR is allocated under Art. 82.
9. Governing law
This DPA is governed by [TODO: legal review — typically the law of the Controller's establishment or French/Luxembourg law].
Annex A — Technical and organisational measures
The Processor implements at minimum:
- TLS 1.2+ for all transport; HSTS enabled.
- AES-256 encryption at rest for stored files (AWS S3 SSE).
- Row-level security in the application database isolating Controllers' data.
- Multi-factor authentication for all administrator accounts.
- Audit logging for every state change with retention of [TODO] years.
- 30-day default retention for photo media with automated purge cron.
- Webhook delivery signed with HMAC-SHA256 + retry queue.
- Per-step attempt caps + per-host rate limiting (anti-abuse).
- Quarterly penetration test reports available to the Controller on request.
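The webhook measure in Annex A (HMAC-SHA256 signing + retry queue) is only as strong as the Controller's verification of the signature on receipt. The following is an added illustration, not Okto's code and not a description of its actual API: it shows one way a Processor can sign a webhook body over a timestamp and how the Controller's endpoint should verify it with a constant-time comparison and a replay window. The header names, the "<timestamp>.<body>" message format, the "v1=" prefix, the tolerance window and the sample secret and event are all assumptions constructed for the example.

```python
"""Added example: HMAC-SHA256 webhook signing and verification.

Not Okto's code. Header names, message format, version prefix, replay
tolerance, secret and sample event are assumptions made for illustration.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample secret; a real deployment issues one secret per Controller
# and rotates it out of band.
WEBHOOK_SECRET = b"example-shared-secret-do-not-use"

# Assumed header names and replay window (five minutes).
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
TOLERANCE_SECONDS = 300


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<body>" (assumed message format).

    Binding the timestamp into the MAC means an attacker who captures a
    delivery cannot replay it later with a fresh timestamp header.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_headers(body: bytes, timestamp: int,
                  secret: bytes = WEBHOOK_SECRET) -> Dict[str, str]:
    """Processor side: headers attached to an outgoing (or retried) delivery."""
    return {
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: "v1=" + sign(body, timestamp, secret),
    }


def verify(body: bytes, headers: Dict[str, str],
           secret: bytes = WEBHOOK_SECRET,
           now: Optional[int] = None) -> bool:
    """Controller side: accept the delivery only if the signature is valid
    for the raw body and the timestamp is inside the replay window.

    Verify on the raw bytes before any JSON parsing; re-serialised JSON
    may not match byte-for-byte what was signed.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        presented = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: reject
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as replay
    if not presented.startswith("v1="):
        return False  # unknown signature scheme
    expected = sign(body, timestamp, secret)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, presented[3:])


if __name__ == "__main__":
    # Constructed sample event; field names are illustrative only.
    event = b'{"verification_id":"ver_example","status":"approved"}'
    sent_at = 1_700_000_000
    hdrs = build_headers(event, sent_at)
    print("fresh, intact delivery accepted:", verify(event, hdrs, now=sent_at + 10))
    print("tampered body rejected:        ", verify(event + b" ", hdrs, now=sent_at + 10))
    print("replay after window rejected:  ", verify(event, hdrs, now=sent_at + 1000))
```

The retry queue in Annex A interacts with the replay window: a delivery that is retried minutes later must be re-signed with a fresh timestamp (as build_headers does) or the Controller's verifier will correctly reject it as stale.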
Annex B — Authorised sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Storage (S3), OCR (Textract), biometric matching (Rekognition) | EU (eu-west-1, Ireland) |
| Supabase Inc. | Application database + auth | EU [TODO: confirm region] |
| Vercel Inc. | Application hosting + cron | [TODO: confirm region pinning] |
| (self-hosted) moov-io/Watchman | OFAC + EU + UN + BIS sanctions screening | Same region as Okto core (no third-party transfer) |
Signed copies and any amendments are retained for the duration of the master agreement + 5 years.