Data Processing Agreement
Version 1.0 — DRAFT for review · Effective date: [EFFECTIVE DATE]
⚠ DRAFT — NOT LEGAL ADVICE. This DPA concerns special‑category biometric data and is high‑risk. It must be reviewed by a qualified solicitor before use. Complete all [bracketed placeholders].
This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Pariah Ltd] ("Processor", "Pariah") and the customer ("Controller", "you"). It governs Pariah's processing of personal data on your behalf under UK GDPR Article 28. Where it conflicts with the Terms, this DPA prevails for data‑protection matters.
1. Roles
You are the controller of the personal data processed through the Platform (including facial images and biometric templates of individuals at your premises). Pariah is your processor. Where Pariah determines the purposes and means of processing for its own account and billing data, it acts as a separate controller under its Privacy Policy.
2. Processing details (UK GDPR Art. 28(3))
- Subject matter: provision of the Pariah facial‑recognition security Platform.
- Duration: the term of the Terms, plus the retention periods below.
- Nature & purpose: capture, detection, template generation, matching, storage, alerting, and incident logging for premises security, on your documented instructions.
- Types of personal data: facial images; biometric templates / face embeddings (special‑category data, Art. 9); profile/watchlist records; incident metadata; Authorised User account data.
- Categories of data subjects: individuals captured by your cameras (which may include staff, visitors, customers, and persons of interest/banned individuals).
3. Your instructions and warranties
3.1 Pariah processes personal data only on your documented instructions (the Terms, this DPA, and your configuration/use of the Platform), unless required by law (in which case it will inform you unless legally prohibited).
3.2 You warrant that: (a) you have a valid lawful basis under Article 6 and a condition under Article 9 for processing biometric data; (b) you have completed a DPIA (see /legal/dpia) and will keep it current; (c) you provide compliant notices/signage to data subjects; (d) your instructions and Customer Data do not breach applicable law; and (e) you will not enrol or process individuals unlawfully. You are responsible for the lawfulness of the data and instructions you provide.
4. Pariah's obligations
Pariah will:
- (a) Confidentiality — ensure personnel authorised to process the data are bound by confidentiality.
- (b) Security — implement the technical and organisational measures in Annex B (Art. 32).
- (c) Sub‑processors — engage only the sub‑processors in Annex A, impose equivalent data‑protection obligations on them, and remain liable for them. Pariah will give at least 30 days' notice of intended additions/changes, during which you may object on reasonable data‑protection grounds.
- (d) Assistance — taking into account the nature of processing, assist you (so far as possible) to respond to data‑subject rights requests and to meet your obligations on security, breach notification, DPIAs, and prior consultation.
- (e) Breach notification — notify you without undue delay after becoming aware of a personal data breach, with the information reasonably available to help you meet your reporting duties.
- (f) Deletion/return — at the end of the service, delete or return Customer Data at your choice, save where law requires retention. Following subscription suspension, data is retained for 90 days then deleted unless you export it first.
- (g) Audits — make available information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and frequency limits.
5. International transfers
Pariah will not transfer personal data outside the UK except via the sub‑processors and safeguards in Annex A (UK adequacy, UK IDTA/Addendum, or SCCs). Continuous on‑premises detection runs locally; cloud facial search (AWS Rekognition) is limited to manual mobile lookups.
6. Liability
Liability under this DPA is subject to the limitations in the Terms, except as those limitations cannot lawfully be applied to data‑protection liabilities.
Annex A — Sub‑processors
| Sub‑processor | Service | Data processed | Location / transfer safeguard |
|---|---|---|---|
| Amazon Web Services | Cloud facial search (Rekognition) — manual mobile searches only | Facial images / templates for ad‑hoc lookups | [REGION] — UK/EEA region preferred; SCCs/UK Addendum if outside UK |
| Cloudflare | CDN, tunnels, object storage (R2) | Stored media, encrypted assets | Global edge; UK Addendum/SCCs |
| Hetzner | Server hosting | Application data at rest | [EU/Germany] — UK adequacy/EEA |
| Stripe | Payment processing | Billing/account data (not biometric) | SCCs/UK Addendum as applicable |
| Postmark | Transactional email | Email address, message content | SCCs/UK Addendum as applicable |
Maintain this table as the authoritative sub‑processor list and update on change with notice per clause 4(c).
Annex B — Technical and organisational measures (Art. 32)
- Encryption — TLS in transit; encryption at rest for stored media/assets.
- On‑premises biometric processing — continuous detection and template matching run locally on the NVR client (InsightFace), minimising cloud exposure of biometric templates.
- Access control — role‑based access (owner / security operations / admin / frontline); least‑privilege; authentication on all endpoints.
- Tenant isolation — logical separation of each Controller's data.
- Audit logging — security‑relevant events are logged.
- Retention controls — configurable retention for detections, search logs, notifications, audit logs, and incidents.
- Resilience — backups and recovery procedures.
- Vendor management — sub‑processors bound by equivalent obligations.
DPA queries: [email protected]. A signed counterpart is available for Enterprise customers on request.