
Data Processing Agreement

Governing MYID Self Verify's role as data processor on behalf of enterprise Clients.

Effective Date: January 1, 2026
Version: 1.0
Operated By: Software Productivity Strategists, Inc.

This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service and any applicable Order Form or Master Services Agreement between the parties (collectively, the "Agreement"). In the event of a conflict between this DPA and the Agreement, this DPA governs with respect to the processing of personal data.

Contents

  1. Definitions
  2. Scope and Role of the Parties
  3. Controller Instructions
  4. Nature and Purpose of Processing
  5. Processor Obligations
  6. Security Incident Notification
  7. Sub-Processors
  8. Data Transfers
  9. Data Retention and Deletion
  10. Audit Rights
  11. Controller Obligations
  12. Limitation of Liability
  13. Term
  14. Governing Law
  Annex A — Security Measures
  Annex B — Authorized Sub-Processors

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller through the Services
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, or any automated decision-making
  • "Controller" means the enterprise Client that determines the purposes and means of processing Personal Data
  • "Processor" means Software Productivity Strategists, Inc., which processes Personal Data on behalf of the Controller
  • "Sub-Processor" means any third party engaged by Processor to process Personal Data in connection with delivering the Services
  • "Services" has the meaning given in the Terms of Service
  • "Security Incident" means any confirmed unauthorized access to, disclosure of, alteration of, or destruction of Personal Data
  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including where relevant: US state privacy laws (CCPA and equivalents), the UAE Federal Decree-Law No. 45 of 2021 (PDPL), and any other applicable jurisdiction-specific requirements

2. Scope and Role of the Parties

2.1 This DPA applies to all Personal Data processed by Processor on behalf of Controller through the MYID Self Verify platform.

2.2 Controller is the data controller. Controller determines what Personal Data is submitted to the Services, for what purposes, and under what legal basis.

2.3 Processor is the data processor. Processor processes Personal Data only on documented instructions from Controller, as set out in this DPA and the Agreement.

2.4 Each party will comply with its respective obligations under Applicable Data Protection Law.

3. Controller Instructions

3.1 Processor will process Personal Data only on Controller's documented instructions. The Agreement and this DPA constitute Controller's initial and primary instructions.

3.2 Controller may issue additional written instructions via support ticket or written notice to legal@ext.myidselfverify.com. Processor will acknowledge receipt within 5 business days.

3.3 If Processor believes any instruction violates Applicable Data Protection Law, Processor will promptly notify Controller. Processor may suspend processing of the affected data pending Controller's clarification, without liability.

3.4 Processor will not process Personal Data for its own purposes, for advertising, or for any purpose unrelated to delivering the Services.

4. Nature and Purpose of Processing

Element | Detail
Subject matter | Identity and access management security services
Duration | For the term of the Agreement, plus any post-termination retention period required by law
Nature of processing | Collection, storage, use, disclosure, deletion, automated analysis, and audit logging
Purpose | Delivery of MYID Manage, MYID Protect, MYID Learn, MYID Autopilot, and MYID Agent services
Types of Personal Data | Identity attributes, authentication events, session data, credential lifecycle events, security incident data, MFA responses, training records, audit logs
Categories of Data Subjects | Controller's employees, contractors, and authorized personnel

5. Processor Obligations

Processor will:

5.1 Confidentiality. Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.

5.2 Security. Implement and maintain the technical and organizational security measures described in Annex A of this DPA, appropriate to the risk presented by the processing.

5.3 Sub-Processors. Not engage new Sub-Processors without providing Controller with prior written notice and an opportunity to object (see Section 7).

5.4 Data Subject Rights. Assist Controller, using appropriate technical and organizational measures, to fulfill its obligations to respond to data subject rights requests (access, correction, deletion, portability, restriction, and objection) to the extent technically feasible.

5.5 Data Protection Impact Assessments. Provide reasonable assistance to Controller in conducting data protection impact assessments (DPIAs) where required by Applicable Data Protection Law, to the extent the processing by Processor is relevant.

5.6 Compliance Assistance. On reasonable written request and at Controller's cost, provide information necessary to demonstrate compliance with Processor's obligations under this DPA, subject to confidentiality protections.

5.7 No Sale or Sharing. Not sell, rent, disclose, or make available Personal Data to any third party except as necessary to deliver the Services or as required by law.

6. Security Incident Notification

6.1 Processor will notify Controller without undue delay, and in any event within 72 hours of Processor confirming a Security Incident affecting Controller's Personal Data.

6.2 Notification will be provided to the Controller's account email of record and will include, to the extent then known: the nature of the Security Incident and categories of Personal Data affected; approximate number of data subjects and records involved; likely consequences of the incident; and measures taken or proposed to address and mitigate the incident.

6.3 Notification under this Section does not constitute an admission of fault or liability.

6.4 Processor will cooperate with Controller's investigation and provide reasonable updates as additional information becomes available.

7. Sub-Processors

7.1 Controller provides general authorization for Processor to engage Sub-Processors for the provision of the Services, subject to the requirements of this Section.

7.2 Processor will maintain an up-to-date list of Sub-Processors used in the delivery of Services (Annex B). Processor will notify Controller at least 30 days in advance of adding or replacing a Sub-Processor.

7.3 Controller may object to a new Sub-Processor by written notice within 15 days of notification. If the parties cannot resolve the objection within 30 days, Controller may terminate the affected Services without penalty upon written notice.

7.4 Processor will impose data protection obligations on all Sub-Processors equivalent to those in this DPA, and remains fully liable to Controller for the acts and omissions of its Sub-Processors.

8. Data Transfers

8.1 Personal Data stored in the US-East region is processed within the United States.

8.2 Personal Data stored in the UAE-North region is processed within the United Arab Emirates and handled in accordance with UAE PDPL requirements.

8.3 Processor will not transfer Personal Data from one region to another without Controller's prior written consent, except as necessary to deliver support services or respond to a Security Incident, and subject to appropriate contractual protections.

8.4 Where a transfer of Personal Data to a country without an adequate level of data protection is required to deliver the Services, Processor will implement appropriate safeguards (including contractual clauses or equivalent mechanisms) and notify Controller.

9. Data Retention and Deletion

9.1 Processor will retain Personal Data only for as long as necessary to deliver the Services and as specified in the Agreement.

9.2 Audit logs are retained for a minimum of 12 months to support Client compliance obligations.

9.3 Upon expiration or termination of the Agreement, Processor will, at Controller's election: delete all Personal Data within 30 days of the termination date, or return all Personal Data to Controller in a machine-readable format within 30 days.

9.4 Upon completion of deletion, Processor will provide Controller with written confirmation.

9.5 Extended retention may apply where Processor is required to retain data under applicable law, in which case Processor will notify Controller and restrict processing of that data to the legally required purpose only.

10. Audit Rights

10.1 Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA.

10.2 Processor will permit audits of its data processing activities upon 30 days' written notice, no more than once per calendar year, conducted during normal business hours and subject to reasonable confidentiality restrictions. Audits may be conducted by Controller or a qualified third-party auditor that is not a competitor of Processor.

10.3 Controller will bear the cost of any audit unless the audit reveals a material non-compliance, in which case Processor will bear reasonable audit costs.

10.4 Processor may satisfy audit obligations by providing current third-party audit reports (e.g., security assessment reports, penetration test summaries) subject to appropriate NDA.

11. Controller Obligations

Controller represents and warrants that:

11.1 It has a valid legal basis under Applicable Data Protection Law for collecting and submitting Personal Data to the Services.

11.2 It has provided all required notices to and obtained all required consents from data subjects for the processing described in this DPA.

11.3 It will configure the Services appropriately for its regulatory environment and will not submit Special Category data (health, biometric, financial account data, or government-issued identifiers) to the Services unless expressly agreed in writing with Processor.

11.4 It will promptly notify Processor of any changes to its processing instructions or legal basis that may affect Processor's obligations.

12. Limitation of Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Limitation of Liability section of the Terms of Service. Nothing in this DPA limits either party's liability for fraud, willful misconduct, or obligations that cannot be limited under Applicable Data Protection Law.

13. Term

This DPA is effective as of the date the Agreement becomes effective and remains in force for the duration of the Agreement. Sections 5 (Processor Obligations), 6 (Security Incident Notification), 9 (Data Retention and Deletion), 10 (Audit Rights), and 12 (Limitation of Liability) survive termination.

14. Governing Law

This DPA is governed by the laws of the State of Maryland, consistent with the Agreement. Any disputes arising under this DPA are subject to the dispute resolution provisions of the Terms of Service.

Annex A — Technical and Organizational Security Measures

The following measures are maintained by Software Productivity Strategists, Inc. as of the effective date of this DPA:

Control Category | Measure
Encryption in Transit | TLS 1.2 minimum; TLS 1.3 preferred on all endpoints
Encryption at Rest | AES-256 for all stored Personal Data
Key Management | Azure Managed KMS; environment-scoped keys
Access Control | Role-based, least-privilege; MFA mandatory for all production access
Network Security | WAF, DDoS protection, network segmentation, environment isolation
Logging and Monitoring | Tamper-evident audit logging; 24/7 automated monitoring with alerting
Vulnerability Management | SAST/DAST in CI/CD; annual third-party penetration testing
Incident Response | Documented IR plan; 72-hour breach notification commitment
Business Continuity | RTO: 2 hours; RPO: 2 hours; annual DR testing
Personnel Security | Background checks; security training at onboarding and annually
Sub-Processor Controls | Contractual DPA obligations; annual security review
Physical Security | Managed by Microsoft Azure (SOC 2 Type II certified infrastructure)

Annex B — Authorized Sub-Processors

Sub-Processor | Location | Purpose
Microsoft Azure | United States, UAE | Cloud infrastructure, hosting, storage, networking
[Email / Support Platform] | [Location] | Customer support and communication
[Monitoring / Logging Tool] | [Location] | Platform monitoring and security alerting
[Analytics Tool] | [Location] | Website and product analytics

Note for your team: Complete Annex B with your actual sub-processor list before publishing. This is typically the first thing enterprise legal teams request. You'll need to name specific vendors across your support platform, monitoring stack, and analytics tools.

Execution

This DPA is incorporated into and subject to the Agreement between the parties. No separate signature is required where the Agreement has been executed and references this DPA. Where a separately signed DPA is required by Controller, the parties may execute below:

Software Productivity Strategists, Inc.

Name
Title
Date

Client (Controller)

Name
Title
Date

To request a countersigned copy of this DPA, contact legal@ext.myidselfverify.com.

Software Productivity Strategists, Inc. — Legal

Email: legal@ext.myidselfverify.com

Address: 2400 Research Blvd, Ste 115, Rockville, MD 20850
