VERIFIME DATA PROCESSING AGREEMENT

GreenGate Fintech Holdings Pty Ltd (ABN 97 664 286 515)

Effective Date: 01/06/2025
Last Updated: 29/08/2025

This Data Processing Agreement supplements the VerifiMe Terms of Agreement available at www.verifime.com/terms and governs the processing of personal data where the Customer engages VerifiMe as a data processor.

1. DEFINITIONS AND SCOPE

1.1 Relationship Definition

  • Controller: The Client organisation determining purposes and means of personal data processing

  • Processor: GreenGate Fintech Holdings Pty Ltd (ABN 97 664 286 515) operating VerifiMe platform

  • Processing: Identity verification, document validation, AML/CTF compliance checking, and related services

1.2 Data Categories Processed

  • Identity verification data (names, addresses, dates of birth)

  • Government-issued document data (passport, license numbers)

  • Biometric data (facial recognition, document photos)

  • Entity verification data (company/trust details)

  • Compliance assessment results

2. PROCESSING INSTRUCTIONS AND RESTRICTIONS

2.1 Lawful Processing Instructions

The Processor shall only process personal data:

  • For identity verification and compliance assessment purposes as specified in the main agreement

  • According to documented instructions from the Controller

  • In accordance with applicable privacy laws (Privacy Act 1988, AML/CTF Act)

  • Using the technical and organisational measures outlined in Schedule A

2.2 Processing Restrictions

The Processor shall NOT:

  • Process personal data for its own commercial purposes beyond service delivery

  • Transfer data outside Australia without Controller's written consent and adequate safeguards

  • Retain personal data longer than necessary or beyond agreed retention periods

  • Grant access to unauthorised personnel or third parties

3. CONTROLLER RIGHTS AND OVERSIGHT

3.1 Audit Rights

The Controller may:

  • Request annual compliance reports and certifications

  • Conduct security assessments with reasonable notice

  • Access processing logs and incident reports upon request

  • Engage third-party auditors (costs shared if no material issues found)

3.2 Data Subject Request Assistance

The Processor shall:

  • Notify Controller of any direct data subject requests within 48 hours

  • Provide technical assistance for data access, rectification, and deletion requests

  • Implement Controller's instructions for data subject rights fulfilment

  • Maintain records of all data subject requests and responses

3.3 Transparency Reporting

Monthly reports shall include:

  • Number of verification transactions processed

  • Any security incidents or system access issues

  • Sub-processor changes or additions

  • Data retention and deletion activities

4. SECURITY AND TECHNICAL MEASURES

4.1 Mandatory Security Controls (Reference: VerifiMe Security Whitepaper)

  • AWS infrastructure with encryption at rest and in transit (AES-256, TLS 1.3)

  • Multi-factor authentication for all system access

  • Role-based access controls with least privilege principles

  • Regular vulnerability scanning and penetration testing

  • 24/7 monitoring with intrusion detection systems

4.2 Additional Controller-Specific Requirements

  • Data segregation ensuring Controller's data is logically separated

  • Dedicated encryption keys for Controller's data processing

  • Real-time breach notification within 4 hours of discovery

  • Incident response plan with defined escalation procedures

5. SUB-PROCESSOR MANAGEMENT

5.1 Authorised Sub-Processors (as of agreement date)

  • Amazon Web Services (hosting and infrastructure)

  • Third-party identity verification services (as documented)

  • [List other current sub-processors]

5.2 Sub-Processor Changes

  • 30 days advance notice of any new sub-processors

  • Controller right to object with termination option if objection not resolved

  • Same data protection standards required for all sub-processors

  • Direct liability chain ensuring Controller can claim against any sub-processor

6. DATA BREACH AND INCIDENT MANAGEMENT

6.1 Breach Notification Timeline

  • Initial notification to Controller: within 4 hours of discovery

  • Detailed incident report: within 24 hours

  • Regulatory notification assistance: as required by applicable law

  • Post-incident review: within 7 days of resolution

6.2 Breach Response Responsibilities

The Processor shall:

  • Implement immediate containment measures

  • Preserve forensic evidence

  • Assist with regulatory reporting and data subject notifications

  • Provide detailed impact assessment and remediation plan

7. DATA RETENTION AND DELETION

7.1 Standard Retention Periods

  • Identity verification data: 7 years (AML/CTF compliance requirement)

  • Processing logs: 2 years

  • Audit evidence: 7 years from last processing activity

  • Controller may specify shorter periods where legally permissible

7.2 Data Return and Deletion

Upon agreement termination or Controller request:

  • Return or secure deletion of all personal data within 30 days

  • Certificate of destruction provided

  • Exception: data required for legal compliance may be retained in secure offline storage

  • No personal data retained for Processor's own purposes

8. LIABILITY AND INDEMNIFICATION

8.1 Liability Allocation

  • Processor liable for damages caused by processing outside Controller instructions

  • Processor liable for failure to implement adequate technical and organisational measures

  • Joint liability for violations involving both parties' actions

  • Liability caps as defined in main agreement apply unless excluded by law

8.2 Indemnification

The Processor shall indemnify Controller against:

  • Claims arising from unauthorised data processing

  • Breaches of this DPA by Processor or its sub-processors

  • Regulatory fines resulting from Processor non-compliance

  • Third-party claims related to data security failures

9. CROSS-BORDER TRANSFERS

9.1 Data Localisation

  • All personal data stored within Australia unless Controller consent obtained

  • Any offshore processing requires Controller approval and adequate safeguards

  • Standard Contractual Clauses or equivalent mechanisms for international transfers

  • Regular compliance monitoring for cross-border data flows

10. TERMINATION AND TRANSITION

10.1 Agreement Termination

Either party may terminate with 30 days' notice for material breach (uncured after 14 days). The Controller may terminate immediately if:

  • Processor suffers major security breach

  • Unauthorised cross-border transfer occurs

  • Regulatory investigation commenced against Processor

10.2 Transition Assistance

Upon termination, Processor shall:

  • Provide data export in standard formats

  • Assist with migration to new processor (fees may apply)

  • Maintain confidentiality obligations for 3 years post-termination

SCHEDULE A: TECHNICAL AND ORGANISATIONAL MEASURES

Security Controls Matrix

Compliance Certifications

  • ISO 9001 (Quality Management Systems)

  • AWS security best practices compliance

  • OAIC privacy compliance (Australian Privacy Principles)

SCHEDULE B: DATA PROCESSING DETAILS

Categories of Personal Data

  • Identity Data: Names, addresses, DOB

  • Document Data: Passport/license numbers, photos, Medicare cards

  • Biometric Data: Facial images, document verification

  • Entity Data: Company/trust registration details

  • Compliance Data: Risk scores, verification status

Data Subjects

  • Individual customers requiring identity verification

  • Beneficial owners and controllers of entities

  • Authorised representatives and signatories

Processing Purposes

  • Identity verification for AML/CTF compliance

  • Document authenticity validation

  • Risk assessment and scoring

  • Audit trail creation and maintenance

  • Regulatory reporting support

This DPA is governed by the laws of New South Wales, Australia and takes precedence over conflicting terms in other agreements.