Data Processing Addendum (1.1)

Last updated:

This Data Processing Addendum (“DPA”) forms part of the UniTrust Terms of Service and any applicable Order Form (collectively, the “Agreement”) between Impierce Technologies B.V. (“Processor”) and the customer entity executing an Order Form or accessing the Services (“Controller”). By executing an Order Form or utilizing the Services, the Controller agrees to be bound by the terms of this DPA.
1. SUBJECT MATTER AND SCOPE
1.1 Purpose
The Processor will process Personal Data on behalf of the Controller solely for the purpose of providing access to and support for the UniTrust Software-as-a-Service (SaaS) Platform.
1.2 Exclusions
This Data Processor Addendum does not apply to the UniMe Digital Identity Wallet or instances where the UniTrust Platform is Self-Hosted by the Controller, as the Processor does not have access to production data in those environments.
1.3 Precedence
In the event of a conflict between this Data Processor Addendum and a separately negotiated data processor agreement executed in writing by both parties, the negotiated terms shall prevail.
1.4 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable EU or Member State data protection laws.
1.5 Personnel
The Processor ensures that all personnel authorized to process Personal Data are under appropriate contractual confidentiality obligations.
2. NATURE AND PURPOSE OF PROCESSING
2.1 Nature of Processing
Processing activities include the collection, storage, and management of Service State Storage, Event Streams, and Customer Content necessary to facilitate secure identity and credential flow interactions and maintain platform integrity.
2.2 Purpose of Processing
Personal Data is processed for account administration, cryptographic verification, and ensuring PII-Off-Chain auditability and lifecycle management of verifiable credentials.
2.3 Data Sovereignty
The platform is designed so that the primary storage of portable personal data is shifted to a user's identity wallet, reducing centralized data aggregation and returning data autonomy to individuals.
3. CATEGORIES OF DATA AND DATA SUBJECTS
3.1 Data subjects:
  • Authorized Users:
    Employees or contractors of the Controller granted access to the UniTrust Platform.
  • Credential Subjects:
    Individuals (e.g., customers, employees, or partners) who receive, store, and manage their own attributes and credentials within their private identity wallets.
  • Key Contacts:
    Personnel designated for contractual, billing, or administrative communications.
3.2 Categories of personal data:
  • Administrative Data:
    Identification data (First and Last name, business email addresses), organizational data (Customer legal name, business addresses, and phone numbers), and platform roles and permissions assigned for access control.

  • Operational Data & Event Streams:
    Technical identifiers (UUIDs, Schema IDs) and system events generated by usage of the Service.

  • Customer Content:
    Identity attributes and personal data embedded for issuance to or provided for verification by a wallet holder.

  • Authentication Data:
    Cryptographic public keys and transient session tokens used for secure decentralized identity verification, which are purged upon session conclusion.
4. SECURITY MEASURES
4.1 Technical and Organizational Measures
The Processor shall maintain appropriate technical and organizational measures to protect Personal Data, including:
  • Access control and Multi-Factor Authentication (MFA)
  • Encryption and pseudonymization
  • Secure software development lifecycle
  • Resilience and data recovery
  • Monitoring and auditing
  • Staff confidentiality and training
5. AI COMPLIANCE & GOVERNANCE
5.1 AI Training Restrictions
The Processor utilizes AI-assisted tools solely for internal development and operational efficiency. The Processor explicitly guarantees that no Personal Data processed on behalf of the Controller will be used to train, tune, or improve AI models.
5.2 Processor AI Oversight
The Processor shall maintain human oversight of its own AI-assisted development and operational processes to ensure the integrity and security of the Services.
5.3 Controller AI Responsibility
If the Controller integrates the Services into an AI-driven process or application, the Controller is solely responsible for its usage and compliance with applicable laws (e.g., the EU AI Act). This includes, but is not limited to: ensuring human oversight of AI-driven decisions, monitoring for algorithmic bias or risks, and completing all required regulatory impact assessments.
6. SUB-PROCESSORS
6.1 Authorization
The Controller provides general authorization for Processor to engage sub-processors necessary for the delivery of the SaaS Service.
6.2 Notification & Objection
The Processor provides a 30-day advance notice of material updates to sub-processors via the email address(es) specified for such notices in an Order Form. The Controller may object within 30 days of the notice on reasonable data protection grounds.
6.3 Sub-processor Obligations
The Processor shall ensure that any sub-processor it engages is bound by a legally binding agreement that imposes data protection obligations at least as stringent as those set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor’s data protection obligations.
7. INTERNATIONAL TRANSFERS
7.1 Safeguards
Transfers outside the EEA shall only occur utilizing adequacy decisions or Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to the GDPR.
7.2 Transfer Transparency
Upon the Controller’s written request, the Processor shall provide summary evidence of the transfer mechanisms and associated Transfer Impact Assessments (TIAs) relied upon for sub-processors located outside the EEA. The Processor may redact commercially sensitive or confidential information from such documentation prior to disclosure.
8. DATA BREACH AND ASSISTANCE
8.1 Notification
The Processor shall notify the Controller via the email address(es) specified in the Order Form within twenty-four (24) hours after becoming aware of a personal data breach. Where it is not possible to provide all information at the same time, the information shall be provided in phases as it becomes available.
This notification shall, at a minimum and to the extent available:
  • Describe the nature of the breach, including the categories and approximate number of data subjects and records concerned;
  • Provide the name and contact details of the point of contact for the incident;
  • Describe the likely consequences of the breach;
  • Describe the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
8.2 Assistance
The Processor shall provide reasonable assistance to the Controller in responding to data subject requests and fulfilling compliance obligations, taking into account the nature of the processing and the information available to the Processor.
9. RETURN AND DELETION OF DATA
9.1 Data Deletion
Upon termination or expiry, the Processor shall delete or anonymize all personal data processed on behalf of the Controller within sixty (60) days, or earlier if requested or contractually agreed upon.
9.2 Statutory Retention
Notwithstanding Section 8.1, Relationship Management Data (contracts/billing) is retained for seven (7) years following the end of the fiscal year to comply with Dutch statutory fiscal obligations.
9.3 Export
Upon written request during the 60-day window, Processor will provide a copy of Customer Content in a machine-readable format within thirty (30) days.
10. AUDIT RIGHTS
10.1 Audit of the Processor
The Controller may conduct one (1) remote audit per calendar year, subject to thirty (30) days' notice, to verify compliance with this DPA. This includes the right to request documentation demonstrating the compliance of Sub-processors.
10.2 Audit Costs
The Controller shall bear all costs and expenses associated with the audit, including the fees of any third-party auditors. The Processor shall provide the first four (4) hours of internal staff time assisting with an audit at no cost. Any internal staff time exceeding four (4) hours shall be billed at the Processor’s then-current standard Professional Services rates.
10.3 Remediation
If an audit reveals that the Processor is failing to fulfill its obligations under this DPA, the Processor shall, at its own expense, take reasonable corrective measures to remediate non-compliance.
11. GOVERNING LAW
11.1 Jurisdiction
This Data Processor Addendum shall be governed by, and construed in accordance with, the laws of the Netherlands, without regard to its conflict of law principles.
12. ACKNOWLEDGMENT AND ACCEPTANCE
12.1 Binding Agreement
This Data Processor Addendum is incorporated into the Agreement by reference. By executing an applicable Order Form or utilizing the Services, the Controller agrees to be bound by these terms.
12.2 Amendments
The Processor may update this Data Processor Addendum to reflect changes in law or Service functionality. Material changes will be notified via email to the Controller’s designated Agreement Contact at least thirty (30) days in advance. If the Controller objects to a material change, it may terminate the affected Service(s) as its sole remedy, in which case we will provide a pro-rata refund of any prepaid fees for the remaining term.
12.3 No Signature Required
No further physical or electronic signature is required for this Data Processor Addendum to be legally binding as part of the Agreement.
