Data Processing Addendum (1.0)

Last updated:

This Data Processing Addendum (“DPA”) forms part of the UniTrust Terms of Service and any applicable Order Form (collectively, the “Agreement”) between Impierce Technologies B.V. (“Processor”) and the customer entity executing an Order Form or accessing the Services (“Controller”). By executing an Order Form or utilizing the Services, the Controller agrees to be bound by the terms of this DPA.
1. SUBJECT MATTER AND SCOPE
1.1 Purpose
The Processor will process Personal Data on behalf of the Controller solely for the purpose of providing access to and support for the UniTrust Software-as-a-Service (SaaS) Platform.
1.2 Exclusions
This Data Processor Addendum does not apply to the UniMe Digital Identity Wallet or instances where the UniTrust Platform is Self-Hosted by the Controller, as the Processor does not have access to production data in those environments.
1.3 Precedence
In the event of a conflict between this Data Processor Addendum and a separately negotiated data processor agreement executed in writing by both parties, the negotiated terms shall prevail.
1.4 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable EU or Member State data protection laws.
1.5 Personnel
The Processor ensures that all personnel authorized to process Personal Data are under appropriate contractual confidentiality obligations.
2. NATURE AND PURPOSE OF PROCESSING
2.1 Nature of Processing
Processing activities include the collection, storage, and management of Service State Storage, Event Streams, and Customer Content necessary to facilitate secure identity and credential flow interactions and maintain platform integrity.
2.2 Purpose of Processing
Personal Data is processed for account administration, cryptographic verification, and ensuring PII-Off-Chain auditability and lifecycle management of verifiable credentials.
2.3 Data Sovereignty
The platform is designed so that the primary storage of portable personal data is shifted to a user's identity wallet, reducing centralized data aggregation and returning data autonomy to individuals.
3. CATEGORIES OF DATA AND DATA SUBJECTS
3.1 Data subjects:
  • Authorized Users:
    Employees or contractors of the Controller granted access to the UniTrust Platform.
  • Credential Subjects:
    Individuals (e.g., customers, employees, or partners) who receive, store, and manage their own attributes and credentials within their private identity wallets.
  • Key Contacts:
    Personnel designated for contractual, billing, or administrative communications.
3.2 Categories of personal data:
  • Administrative Data:
    Identification data (First and Last name, business email addresses), organizational data (Customer legal name, business addresses, and phone numbers), and platform roles and permissions assigned for access control.

  • Operational Data & Event Streams:
    Technical identifiers (UUIDs, Schema IDs) and system events generated by usage of the Service.

  • Customer Content:
    Identity attributes and personal data embedded for issuance to or provided for verification by a wallet holder.

  • Authentication Data:
    Cryptographic public keys and transient session tokens used for secure decentralized identity verification, which are purged upon session conclusion.
4. SECURITY MEASURES
4.1 Technical and Organizational Measures
The Processor shall maintain appropriate technical and organizational measures to protect Personal Data, including:
  • Access control and Multi-Factor Authentication (MFA)
  • Encryption and pseudonymization
  • Secure software development lifecycle
  • Resilience and data recovery
  • Monitoring and auditing
  • Staff confidentiality and training
5. AI COMPLIANCE & GOVERNANCE
5.1 Processor AI Oversight
The Processor shall maintain human oversight of its own AI-assisted development and operational processes to ensure the integrity and security of the Services.
5.2 Controller AI Responsibility
If the Controller integrates the Services into an AI-driven process or application, the Controller is solely responsible for its usage and compliance with applicable laws, such as the EU AI Act. This includes ensuring human oversight of AI-driven decisions, monitoring for risks, and completing any required assessments.
6. SUB-PROCESSORS
6.1 Authorization
The Controller provides general authorization for Processor to engage sub-processors necessary for the delivery of the SaaS Service.
6.2 Notification & Objection
The Processor provides a 30-day advance notice of material updates to the sub-processor list (available at impierce.com/legal/sub-processors) via email. The Controller may object within 30 days of the notice on reasonable data protection grounds.
7. INTERNATIONAL TRANSFERS
7.1 Safeguards
Transfers outside the EEA shall only occur utilizing adequacy decisions or Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to the GDPR.
8. DATA BREACH AND ASSISTANCE
8.1 Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
8.2 Support
The Processor shall assist the Controller in responding to data subject requests and fulfilling compliance obligations (e.g., impact assessments).
9. RETURN AND DELETION OF DATA
9.1 Data Deletion
Upon termination or expiry, the Processor shall delete or anonymize all personal data processed on behalf of the Controller within sixty (60) days, or earlier if requested or contractually agreed upon.
9.2 Statutory Retention
Notwithstanding Section 8.1, Relationship Management Data (contracts/billing) is retained for seven (7) years following the end of the fiscal year to comply with Dutch statutory fiscal obligations.
9.3 Export
Upon written request during the 60-day window, Processor will provide a copy of Customer Content in a machine-readable format within thirty (30) days.
10. AUDIT RIGHTS
10.1 Process
The Controller may conduct one (1) remote audit per calendar year, subject to thirty (30) days' notice.
10.2 Costs
The Controller shall bear all costs and expenses associated with the audit, including the fees of any third-party auditors. The Processor shall provide the first four (4) hours of internal staff time assisting with the audit at no cost. Any internal staff time exceeding four (4) hours shall be billed at the Processor’s then-current standard Professional Services rates.
11. GOVERNING LAW
11.1 Jurisdiction
This Data Processor Addendum shall be governed by, and construed in accordance with, the laws of the Netherlands, without regard to its conflict of law principles.
12. ACKNOWLEDGMENT AND ACCEPTANCE
12.1 Binding Agreement
This Data Processor Addendum is incorporated into the Agreement by reference. By executing an applicable Order Form or utilizing the Services, the Controller agrees to be bound by these terms.
12.2 Amendments
The Processor may update this Data Processor Addendum to reflect changes in law or Service functionality. Material changes will be notified via email to the Controller’s designated Agreement Contact at least thirty (30) days in advance. If the Controller objects to a material change, it may terminate the affected Service(s) as its sole remedy, in which case we will provide a pro-rata refund of any prepaid fees for the remaining term.
12.3 No Signature Required
No further physical or electronic signature is required for this Data Processor Addendum to be legally binding as part of the Agreement.
