Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms an integral part of the IVQA Terms of Service ("Terms") and applies where IVQA processes Personal Data on behalf of a Customer in its capacity as a Data Processor.
This DPA is entered into between:
Customer / Organization ("Customer", "You")
and
IVQA – International Verification & Quality Academy ("IVQA", "We", "Us")
Together referred to as the "Parties".
1. Definitions
Terms not defined herein shall have the meaning given in the Terms.
1.1 “Data Protection Laws” means all applicable laws relating to data protection and privacy, including:
- Regulation (EU) 2016/679 (GDPR)
- UK GDPR, where applicable
- Moroccan Law No. 09-08 and guidance issued by the CNDP
- Any other applicable national data protection law
1.2 “Personal Data” means any information relating to an identified or identifiable natural person processed by IVQA on behalf of the Customer.
1.3 “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach” shall have the meanings set out in the GDPR.
1.4 “Service Data” means all data submitted, stored, transmitted, or otherwise processed through the IVQA Services by or on behalf of the Customer.
1.5 “Services” means IVQA’s digital verification services including QR verification, verification pages, dashboards, APIs, audit logs, and related tools.
2. Scope and Roles
2.1 This DPA applies to the Processing of Personal Data contained within Service Data.
2.2 Customer is the Data Controller and IVQA is the Data Processor for Personal Data processed on behalf of the Customer.
2.3 Each Party shall comply with its respective obligations under applicable Data Protection Laws.
3. Duration
3.1 This DPA becomes effective when the Customer accepts the Terms and remains in effect for as long as IVQA processes Personal Data on behalf of the Customer.
3.2 This DPA terminates automatically upon cessation of all Processing of Personal Data by IVQA.
4. Processing Instructions
4.1 IVQA shall Process Personal Data only on documented instructions from the Customer, including as set out in this DPA and the Terms.
4.2 The Parties agree that use of the Services in accordance with the Terms constitutes the Customer’s initial instructions.
4.3 IVQA shall inform the Customer without undue delay if it believes an instruction violates Data Protection Laws.
5. Confidentiality & Personnel
5.1 IVQA ensures that personnel authorized to Process Personal Data:
- are bound by confidentiality obligations, and
- receive appropriate data protection and security training.
5.2 Access to Personal Data is limited to personnel strictly necessary to provide the Services.
6. Data Subject Requests
6.1 IVQA shall not respond directly to Data Subject requests unless legally required.
6.2 IVQA shall promptly forward any Data Subject request to the Customer and provide reasonable assistance where required.
7. Security Measures (ISO 27001-Aligned)
7.1 IVQA implements appropriate technical and organizational measures (TOMs) to protect Personal Data, including:
- Access control and least-privilege policies
- Authentication and authorization mechanisms
- Encryption in transit (TLS)
- Logging and audit trails
- Secure development practices
- Incident response and recovery procedures
- Vendor and sub-processor risk management
7.2 IVQA maintains an information security program aligned with ISO/IEC 27001 principles.
8. Personal Data Breach
8.1 IVQA shall notify the Customer without undue delay after becoming aware of a Personal Data Breach.
8.2 IVQA shall provide reasonable assistance to enable the Customer to notify supervisory authorities (within 72 hours if required) and communicate with affected Data Subjects.
9. Sub-Processors
9.1 The Customer authorizes IVQA to engage sub-processors for the provision of the Services.
9.2 IVQA shall:
- ensure sub-processors are bound by data protection obligations equivalent to this DPA;
- remain fully liable for sub-processor compliance.
9.3 A list of sub-processors may be provided upon request.
10. International Data Transfers
10.1 Where Personal Data is transferred outside the Customer’s jurisdiction, IVQA shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.
10.2 IVQA shall comply with GDPR Chapter V and equivalent transfer requirements under applicable laws.
11. Deletion or Return of Data
11.1 Upon termination of the Services, IVQA shall delete or return Personal Data in accordance with the Terms, unless retention is required by law.
11.2 Any retained data shall be isolated and protected from further Processing.
12. Audit & Compliance
12.1 IVQA shall make available information reasonably necessary to demonstrate compliance with this DPA.
12.2 Audits may be conducted no more than once per year, upon reasonable notice, and subject to confidentiality and business continuity requirements.
13. Liability
13.1 Each Party’s liability under this DPA shall be subject to the limitations set out in the Terms.
14. Governing Law
14.1 This DPA shall be governed by the same law and jurisdiction as the Terms, unless otherwise required by mandatory Data Protection Laws.
15. Precedence
15.1 In case of conflict:
- This DPA prevails over the Terms with respect to data protection matters.
- Mandatory data protection clauses prevail over this DPA.
16. Final Provisions
16.1 Amendments must be in writing and agreed by both Parties.
16.2 Invalid provisions shall not affect the validity of the remainder.
16.3 This DPA forms part of the contractual framework between IVQA and the Customer.