
Data Processing Agreement

1. Objective and Application

1.1 Agreement Scope

TrustPath (Commercial Register No. 17209075; registered seat: Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia; “BytePath OÜ”) has entered into a SaaS agreement or any other agreement (the “Agreement”) with its customer (“Customer” or “Controller”) under which TrustPath provides specific Services to Customer. Within the scope of the Agreement, TrustPath will process Customer Data for which Customer is the data controller and TrustPath is the data processor in accordance with applicable Data Protection Legislation.

1.2 DPA Integration

This DPA forms part of and complements the Agreement provisions, regulating the processing and transfer of Customer Data as specified in Appendix 1. Any issues not regulated by this DPA shall be governed by the Agreement provisions. By signing this Agreement, clicking through the click-through mechanism at trustpath.io, or expressing agreement otherwise, Customer agrees to this DPA and it becomes binding between Customer and TrustPath.

1.3 The objective of this DPA is to comply with the requirements in the Data Protection Legislation for a written agreement between data controllers and data processors.

1.4 Parties state that the Standard Contractual Clauses specified in Appendix 3 shall apply to the transfer from TrustPath to Customer of any Customer Data (including the processing thereof) if Customer is outside the EEA and its processing does not fall within the scope of the Data Protection Legislation, whereas Clauses 14 and 15 of the Standard Contractual Clauses specified in Appendix 3 shall apply to such transfer provided additionally that TrustPath combines Customer Data received from Customer with Customer Data collected by TrustPath in the EEA. Parties agree that when Standard Contractual Clauses specified in Appendix 3 apply to the processing and transfer of Customer Data, the other provisions of this DPA complement the provisions of Standard Contractual Clauses specified in Appendix 3 to the fullest extent permitted by law and by the provisions of the Standard Contractual Clauses specified in Appendix 3. Where the other provisions of the DPA contradict the provisions of the Standard Contractual Clauses specified in Appendix 3, the Standard Contractual Clauses specified in Appendix 3 shall prevail.

1.5 This DPA is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

1.6 Any Annexes to this DPA form a part of this DPA and will have effect as if set out in full in this DPA. Any reference to this DPA includes Annexes. The DPA includes the following Annexes: Appendix 1: Details of the processing of personal data; Appendix 2: List of Subprocessors; Appendix 3: Standard Contractual Clauses; Appendix 4:

2. Personal Data Processing

2.1 Roles and Responsibilities

Controller and Processor Roles

The Customer and TrustPath acknowledge that for the purposes of Data Protection Legislation:

  • TrustPath processes Personal Data as a processor
  • The Customer is the controller, determining processing purposes and scope
  • The Customer provides processing instructions to TrustPath
  • TrustPath implements appropriate technical and organizational measures

Processing Activities

TrustPath is responsible for:

  • Storing Applicant information with corresponding risk levels
  • Assigning risk scores when fraud is suspected
  • Processing data according to the Customer’s instructions

2.2 Where applicable, TrustPath is responsible for storing Applicant information, including any Personal Data, tagged with the corresponding risk level assigned by the Customer. In cases where there is a reasonably high suspicion or indication of fraud, the Customer, for its fraud prevention or avoidance purposes, authorizes TrustPath to assign a relevant risk score to the applicant’s information. Where TrustPath acts as a processor on the Customer’s behalf, the Parties shall also comply with the processor-related obligations set out in this DPA.

2.3 In some circumstances, TrustPath may process and aggregate certain Personal Data provided by the Customer with data obtained from other sources (including data providers and other customers) as an independent controller, for the purposes of developing and improving the Services. This may include using artificial intelligence (e.g., machine-learning techniques), identifying potentially fraudulent patterns that could indicate illicit activity, providing customers with calculated risk scores or alerts regarding elevated fraud risk, and maintaining appropriate audit logs. Such processing is permissible only if TrustPath’s processing objectives are compatible with the Customer’s. TrustPath warrants that this processing is undertaken to prevent and detect fraud and other illicit activities in the substantial public interest, and the Customer hereby authorizes such use, including profiling of Personal Data for these purposes.

2.4 Even after the Customer’s relationship with TrustPath ends, TrustPath may continue to retain the Personal Data and any related inferences where it has a lawful basis for doing so. Such lawful bases include TrustPath’s legitimate interests in providing services to all of its customers, fulfilling its legal obligations, resolving disputes, enforcing agreements, or otherwise serving the substantial public interest. Where TrustPath acts as an independent controller, each Party remains individually responsible for its own processing of the Personal Data and for compliance with the applicable Data Protection Legislation, unless otherwise stated herein.

3. Definitions

The following terms have specific meanings in this DPA:

| Term | Definition |
|---|---|
| Applicant’s Information | Any information of Applicant, including Personal Data, tags of approval/rejection/resubmission, and log information |
| Business Purposes | Execution of the Agreement or purposes defined in Appendix 1 |
| Controller’s Email Address | Email address for administrator accounts at trustpath.io |
| Documentation | Service documentation available at docs.trustpath.io |
| DPA | This data processing agreement together with its Appendices, and other documents explicitly referenced herein |
| data controller | means anyone who alone or jointly with others determines the purposes and means of the processing of personal data |
| data processor | means anyone who processes personal data on behalf of the data controller |
| Data Protection Legislation | means the applicable data protection legislation, including (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; the “GDPR”); (ii) if applicable, national legislation implementing the GDPR; (iii) the US Data Protection Legislation; and (iv) the UK General Data Protection Regulation (‘UK GDPR’). |
| data subject | means identified or identifiable natural person |
| European Economic Area or “EEA” | means the economic area consisting of the territory of the EU Member States and the member states of the European Free Trade Association (Iceland, Liechtenstein and Norway), excluding Switzerland. |
| EU Member States | means then-current member states of the European Union. |
| personal data | means any information that, directly or indirectly, can identify a living natural person |
| Customer Data | means personal data that is processed by TrustPath on behalf of Customer |
| Personal Data Breach | means breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as defined by GDPR |
| processing | means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, restriction, erasure or destruction |
| Services | mean TrustPath’s fraud prevention services as provided from time to time |
| Standard Contractual Clauses | means the standard agreement for Customer Data transfers (as defined in Data Protection Legislation) concluded between a data exporter and a data importer that fulfils the requirements of Article 46 GDPR, in particular the standard agreement as adopted by the European Commission by any of the following instruments: |
| UK Transfer Addendum | means the standard agreement for Customer Data transfers (as defined in Data Protection Legislation) concluded between a data exporter and a data importer that fulfils the requirements of Article 46 of the UK Data Privacy Act (2018), in particular the standard agreement as adopted by the UK Information Commissioner’s Office (“UK ICO”), as applicable to the situation at hand, provided that the referenced standard agreement may be deemed to provide appropriate safeguards within the meaning of Article 46(1) of UK Data Privacy Act (2018). |
| sub-processor | means a processor that is engaged by TrustPath. The sub-processor processes Customer Data on behalf of Controller in accordance with the sub-processor’s obligation to provide its services to TrustPath |
| US Data Protection Legislation | means those laws, rules, and regulations of the United States of America relating to privacy, security, or data protection, including, as applicable, the California Consumer Privacy Act (‘CCPA’) and its replacement, the California Privacy Rights Act (‘CPRA’), the Virginia Consumer Data Protection Act (‘VCDPA’), the Colorado Privacy Act (‘CPA’), the Utah Consumer Privacy Act (‘UCPA’), the Illinois Biometric Information Privacy Act (‘BIPA’), the Washington’s Biometric Identifiers Law (‘H.B. 1493’), Texas Capture or Use of Biometric Identifier Act (‘CUBI’) and other laws that may apply to the processing of |

4. Undertaking and Instruction

4.1 TrustPath undertakes:

  • to process and transfer Customer Data in accordance with the Data Protection Legislation, the Agreement and as further documented in any other written instructions given by Controller and acknowledged by TrustPath as constituting instructions for purposes of this DPA;
  • to inform Controller prior to processing that TrustPath is required by laws of the European Union or EU Member States, to which TrustPath is subject, to process Customer Data, provided that TrustPath is not prohibited to give such information on important grounds of public interest;
  • to immediately inform Controller if, in its opinion, an instruction of Controller infringes applicable Data Protection Legislation. TrustPath will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties;
  • to keep Customer Data confidential and ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • to implement all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to the Data Protection Legislation, and necessary in order for TrustPath to comply with the security requirements set out in Appendix 1 of the DPA. TrustPath shall notify Controller about changes in the applied technical and organizational security measures that significantly affect the security of the processing of Customer Data;
  • to assist Controller in the fulfilment of Controller’s obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in the Data Protection Legislation taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible. TrustPath shall notify Controller in case of receiving a request to exercise the data subjects’ rights under the Data Protection Legislation without undue delay after receiving such request, and TrustPath should reasonably cooperate with Controller in addressing such request. Unless Controller otherwise instructs TrustPath, the notification of such request shall be sent to Controller’s Email Address. If Controller provided more than one Controller’s Email Address, notification sent to at least one of Controller’s Email Address shall be sufficient to comply with this section. TrustPath is not responsible or liable for responding to the data subject;
  • to assist Controller in the implementation of appropriate technical and organisational measures, the notification of a Personal Data Breach to data protection supervisory authorities and affected data subjects, preparation of data protection impact assessments and prior consultation with data protection supervisory authorities. TrustPath shall make available to Controller all information necessary to demonstrate compliance with applicable Data Protection Legislation, to the extent Controller does not otherwise have access to the relevant information, and that such information is available to TrustPath. Except for negligible costs, TrustPath reserves the right to claim the reimbursement of costs and expenses incurred by TrustPath in connection with the provision of assistance to Controller under this DPA;
  • to inform and consult with Controller without undue delay in the event that a data protection supervisory authority initiates or takes any action in relation to TrustPath with regard to the processing of Customer Data; and
  • to process Customer Data only until the purposes of the processing for which the data was collected have been fulfilled, but in any case, at the latest until 1 year starting from the completion of the query to which Customer Data relate. Upon the expiration of this period, TrustPath shall delete or anonymize Customer Data, unless it follows from the requirements of European Union law or EU Member State law that TrustPath is required to store Customer Data for a longer period or unless Controller has instructed TrustPath otherwise.

5. Audit

5.1 TrustPath shall facilitate and participate in audits, including inspections, carried out by Controller or by a third party authorised by Controller. If Controller uses a third party to carry out the audit that third party shall be a well-regarded international service provider that is not a competitor of TrustPath. Controller and third party authorised by Controller shall undertake confidentiality in relation to TrustPath’s confidential information prior to the audit. The details of the audits are subject to the prior approval of TrustPath. Controller shall carry out the audits at its own costs.

5.2 TrustPath may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by third party auditors.

6. Engaging Sub-Processors

6.1 Controller provides a general authorization to TrustPath to engage or replace a sub-processor for the performance of its duties and responsibilities under this DPA in accordance with the provisions of this section.

6.2 The list of current sub-processors is attached as Appendix 2 to this DPA. Controller hereby provides written authorization to use sub-processors listed in Appendix 2.

6.3 TrustPath will update Appendix 2 regularly. Controller may object to any new sub-processors within 14 days starting from the then-current update of Appendix 2. Any objection made by Controller regarding the use of any sub-processors has to be reasonable. TrustPath will within its discretion make all reasonable efforts necessary to accommodate the requests of Controller. If it is commercially reasonable, TrustPath will review the possibility of finding another equivalent sub-processor.

6.4 TrustPath and the sub-processor shall enter into a written data processing agreement that imposes substantively equivalent obligations on the sub-processor as those specified in this DPA and TrustPath shall ensure that the sub-processor provides an appropriate level of protection for Customer Data as required by the Data Protection Legislation.

6.5 Controller authorizes TrustPath to engage sub-processors which process Customer Data in a country outside the European Economic Area. Provided that the European Commission has not determined, in accordance with the Data Protection Legislation, that such country ensures an adequate level of protection to the processing of Customer Data, TrustPath undertakes to provide appropriate safeguards when transferring Customer Data to such sub-processors, in particular, to conclude Standard Contractual Clauses and to take all necessary steps to ensure that the transfer is lawful under the Data Protection Legislation.

8. Deletion of Personal Data

8.1 At the Customer’s written request, TrustPath shall promptly provide the Customer with a copy of, or access to, all or any portion of the Customer’s Personal Data in TrustPath’s possession or control, in the format and on the media reasonably specified by the Customer.

8.2 TrustPath shall, upon the Customer’s written instruction, cease processing and promptly delete and/or return all or any Personal Data subject to this DPA, including (i) upon the Customer’s instruction in connection with the Services, or (ii) upon the written request of the Customer in connection with the termination or expiry of the Master Agreement for any reason. This clause does not apply to any processing of Personal Data carried out in accordance with Clause 2.1(b) of this DPA.

8.3 If TrustPath is required by any applicable law, regulation, or governmental or regulatory authority to retain any documents or materials that it would otherwise be required to return or destroy under this DPA, TrustPath shall promptly notify the Customer in writing. Such notice shall specify the legal basis for the retention requirement, identify the particular documents or materials to be retained, and set out a timeline for destruction once the retention requirement ceases to apply.

8.4 Where the Customer instructs TrustPath to delete any Personal Data, TrustPath shall, within thirty (30) days of completing the deletion, provide the Customer with a written certification confirming that the relevant Personal Data has been destroyed.

9. Reporting Personal Data Breach

9.1 If TrustPath becomes aware of any Personal Data Breach, TrustPath shall notify Controller without undue delay and shall fully cooperate in order to reasonably remedy the issue. The notification shall include all available significant information on the circumstances of the Personal Data Breach.

9.2 The notification on Personal Data Breach shall be sent to Controller’s Email Address. If Controller provided more than one Controller’s Email Address, notification sent to at least one of Controller’s Email Address shall be sufficient to comply with this section.

10. Responsibilities of Controller

10.1 Controller shall have sole responsibility for the accuracy, quality, and legality of Customer Data, the means by which Controller acquired Customer Data and for all other obligations imposed on Controller by Data Protection Legislation.

10.2 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Data Protection Legislation. Those measures shall be reviewed and updated where necessary. Where proportionate in relation to the processing, the above measures shall include the implementation of appropriate data protection policies by Controller.

10.3 Controller shall inform the data subjects in accordance with Articles 13-14 of the GDPR.

10.4 Controller shall secure all necessary permissions, authorizations and consents for processing Customer Data and ensure that the processing of Customer Data is based on a valid legal basis provided in the Data Protection Legislation.

10.5 Where the processing of biometric data or similarly regulated categories of personal data is contemplated, the Controller shall ensure that Data Subjects are adequately informed of, and have provided (where required) valid, explicit, and informed consent to the processing of such data. Specifically, the Controller shall incorporate, or otherwise make available to the Data Subjects, the notice and consent language set out in the Consent and Privacy Notice Wording (Appendix 4) prior to initiating any relevant processing activities.

10.6 In particular, the Controller shall:

  1. Ensure all required data protection notices and consents are consistent with the guidelines in the Consent and Privacy Notice Wording,
  2. Provide Data Subjects with direct access (via hyperlink or otherwise) to TrustPath’s privacy notice, and
  3. Implement the relevant technical or API-based mechanisms to capture and document that Data Subjects have been presented with, and agreed to, the foregoing.

Failure to comply with these requirements may result in a breach of Data Protection Legislation, for which the Controller shall remain solely liable.

11. Limitation of Liability

11.1 Subject to Sections 11.2 and 11.3, neither party shall be responsible or liable under this DPA to the other party:

  • for any indirect, exemplary, incidental, punitive, special or consequential damages; or
  • for any amounts that exceed the fees actually paid or payable by Controller to TrustPath under the Agreement in the twelve (12) months prior to the act that gave rise to the relevant claim.

11.2 The limitation of liability provisions of the Agreement shall prevail over Section 11.1, and shall be applied mutatis mutandis in the context of this DPA.

11.3 For the avoidance of doubt, the Parties agree that the limitation of liability set out in section 11.1 shall be interpreted in accordance with the applicable laws,

12. Contact Information

12.1 TrustPath and the Customer agree to designate a point of contact for urgent security issues (“Designated POC”). The Designated POCs for both parties are:

TrustPath Designated POC: legal@trustpath.io

13. Term, Termination

13.1 The DPA is effective from the date TrustPath starts processing Customer Data and for as long as TrustPath processes Customer Data.

13.2 Parties may terminate this DPA anytime for any reason by providing thirty (30) days’ notice to the other party. Controller acknowledges that TrustPath will be under no obligation to provide the Services, until a Data Protection Legislation compliant data processing agreement is concluded between the parties.

13.3 Within thirty (30) days from the expiration of the Agreement or the receipt of the notice of termination, TrustPath shall delete (or anonymize) or, based on Controller’s instruction, return to Controller all Customer Data, and delete (or anonymize) existing copies unless the storage of Customer Data is required pursuant to European Union law or EU Member State’s law.

13.4 All provisions of this DPA that are expressly or consequently intended to be fulfilled or remain in force following the termination of this DPA shall fully remain in force following the termination of this DPA, in particular, Section 3 (Definitions), Section 10 (Responsibilities of Controller), Section 11 (Limitation of Liability),

14. Miscellaneous

14.1 Governing Law and Dispute Resolution. This DPA shall be governed by and construed in accordance with the laws of Estonia and the courts of Estonia shall have jurisdiction over any dispute, or claim arising out of, or in connection with this DPA, including its formation. Disputes regarding interpretation and application of this DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution.

14.2 Amendments. This DPA shall be amended in accordance with the Agreement’s provisions on amendments.

14.3 Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

14.4 Entire Agreement. This DPA, together with its Appendixes, supersedes and repeals all current or prior oral or written undertakings, covenants, agreements or communications, in particular all current or prior data processing agreements between Controller and TrustPath with respect to the subject matter of this DPA. In the case of conflict between any provision contained in this DPA and any provision contained in any Annex hereto, the provision in this DPA will prevail. In the case of conflict

Appendix 1

Details of the processing of personal data

1. The subject matter of the processing

Providing the Services of TrustPath.

2. The nature and purpose of the processing

2.1 Fraud Prevention Service (if applicable): Carrying out data-driven fraud detection measures for the Customer (Controller), which entails executing the processing procedures outlined in TrustPath’s documentation (available at https://docs.trustpath.io/), including IT support and debugging (e.g., during beta testing or integration assistance). Such processing may involve the Controller collecting user or transaction-related data (e.g., IP address, email address, phone number, device/browser fingerprints) in its own systems and transmitting such data to TrustPath’s APIs for real-time or near real-time risk analysis. The purpose of this processing is to generate a fraud risk score and relevant insights, which are then returned to the Customer (Controller) for review and further action. By identifying potentially fraudulent or high-risk activities, TrustPath’s services enable the Customer (Controller) to make informed decisions, enhance security measures, and reduce fraudulent behavior.

3. Categories of data subjects

The users and customers of the services of Controller.

4. Categories of personal data

This is a non-exhaustive summary of the categories of personal data that may be processed by TrustPath in connection with its Services. The exact categories of personal data depend on (i) the specific services used, (ii) the Customer (Controller)’s configuration and customization choices, and (iii) the data provided by the Customer to TrustPath in order to enable the services. The complete list of categories of personal data is available in TrustPath’s documentation (available at https://docs.trustpath.io/).

4.1 Fraud Prevention Service (if applicable):

Contact and Identification Data

  • Email address
  • Phone number

Online and Technical Data

  • IP address
  • Device information (including device/browser fingerprints, operating system, browser version, unique device identifiers)
  • Session information (e.g., session IDs, timestamps)
  • Metadata related to the method and context of accessing the Customer’s system or site (e.g., referral URL)

Behavioral and Transactional Data

  • Transaction details (e.g., time of transaction, amount, payment method)
  • User behavior patterns on the Customer’s platform (e.g., frequency or timing of transactions or account logins)

Location Data

  • Geolocation information

Derived or Machine-Generated Data

  • Risk scores and analytical insights generated by TrustPath’s systems (e.g., fraud risk assessment or flags)

5. Duration of processing

TrustPath will continue to process Customer Data related to any queries for a period of one (1) year from the completion of the relevant query, unless the Customer (Controller) instructs TrustPath otherwise by configuring a custom data retention period as set out below (“Data Retention Period”).

The Customer (Controller) has the right to configure different Data Retention Periods for each TrustPath domain or product, as applicable within the TrustPath platform. The Customer is responsible for ensuring that the configured Data Retention Periods comply with applicable Data Protection Legislation and for updating the retention settings as necessary.

If TrustPath processes Customer Data related to testing the Service by Customer, TrustPath will delete all Customer Data processed during testing within thirty (30) days after completion of the testing period.

Appendix 2

List of Sub-Processors

| Subcontractor’s company & business name | Nature of the Subcontractor’s work | Server location | Data Processing Agreement |
|---|---|---|---|
| Google Cloud Platform | Hosting and cloud computing | Frankfurt, DE | DPA |

Appendix 3

Processor to Controller Standard Contractual Clauses

The Parties agree that the EU Standard Contractual Clauses and the UK Transfer Addendum are incorporated by reference and that by executing the Agreement, each party is deemed to have executed the EU Standard Contractual Clauses and the UK Transfer Addendum.

SCC Clause GDPR UK Data Protection Law
Module in operation: module two (controller to processor) and module three (processor to processor)    
Clause 7- Docking Clause An entity that is not a party to these Standard Contractual Clauses may, with the agreement of the parties, accede to these Standard Contractual Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex 1.A of the Standard Contractual Clauses.  

Annex I.

to Appendix 3 Processor to Controller Standard Contractual Clauses

A. LIST OF PARTIES

Data exporter(s):

Controller, as defined by the DPA.

Contact person’s name, position and contact details: Controller’s Email Address as defined by the DPA.

Activities relevant to the data transferred under these Clauses: As defined by Appendix 1 of the DPA

Signature and date: Pursuant to Section 1.2 of the DPA.

Role (controller/processor): Controller.

Data importer(s):

Name: TrustPath

Address: Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia

Contact person’s name, position and contact details: legal@trustpath.io.

Activities relevant to the data transferred under these Clauses: As defined by Appendix 1 of the DPA.

Signature and date: Pursuant to Section 1.2 of the DPA.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

   
Categories of data subjects whose personal data is transferred: As specified under Section 3 of Appendix 1 of the DPA.

Categories of personal data transferred: As specified under Section 4 of Appendix 1 of the DPA.

Sensitive Personal Data transferred: Not applicable.

Frequency of the transfer: Data is transferred on a continuous basis.

Nature and purpose of the data transfer and further processing: As specified under Section 2 of Appendix 1 of the DPA.

Period for which the personal data will be retained or criteria used to determine that period: As specified under Section 5 of Appendix 1 of the DPA.

Sub-processor transfers – subject matter, nature, and duration of processing: See as described in the Agreement, Appendix 2, EU SCCs and the UK

Appendix 4

Consent and Privacy Notice Wording

The Customer must secure valid, explicit, and informed consent from Data Subjects for processing Biometric Personal Data when required by Data Protection Legislation.

2. Required Notice Language

The following notice must be shown before onboarding:

“I understand and voluntarily agree that my Personal Data may be processed by:

  • The organization verifying my identity (the “Company”)
  • TrustPath (the “Service Provider”)

Both parties act in accordance with applicable privacy and data protection laws.

The Customer must ensure that the notice and consent includes direct hyperlinks to TrustPath’s Privacy Notice, available at: https://trustpath.io/legal/privacy.

4. Additional Requirements in Customer Documentation

In addition to incorporating the above notice and consent wording, the Customer must ensure its own policies, notices, and agreements with Data Subjects contain any further requisite terms to meet applicable Data Protection Legislation. These terms should address, among other matters:

  • Processing of Personal Data at the point of facial capture,
  • The specific purposes for which personal data is processed,
  • The Customer’s use of third-party service providers (such as TrustPath) to perform identity verification and any related services,
  • Storage, retention periods, international transfers (if applicable), and any other legally mandated disclosures.

5. Legitimate Interest for Fraud Prevention

TrustPath processes Customer Data, including IP addresses and email addresses, for fraud detection and prevention under Article 6(1)(f) of the GDPR (Legitimate Interests). This processing is necessary to protect Customers and Data Subjects from fraudulent activities and ensure service integrity.

Customers must inform Data Subjects that their data may be processed for fraud prevention based on legitimate interest and provide a mechanism to exercise their rights under Article 21 GDPR (right to object). TrustPath will assess objections and cease processing unless overriding legitimate grounds exist.

TrustPath applies strict security measures to protect processed data and ensures compliance with applicable Data Protection Laws.