Data Processing Addendum

Last updated: 24 May 2026 · KYCer Technologies LLC · Dubai, UAE

This Data Processing Addendum ("DPA") forms part of the agreement between KYCer Technologies LLC ("Processor") and the Customer ("Controller") and governs the processing of personal data through the KYCer Platform.

1. Roles

The Customer is the data controller determining the purposes and means of processing. KYCer acts as the data processor, processing data solely on the Customer's documented instructions.

2. Processing Details

• Subject matter: AML/KYC screening of natural persons and legal entities
• Duration: For the term of the Customer's subscription
• Nature: Screening, matching, risk classification, report generation
• Categories of data: Names, DOB, nationality, ID numbers, business details
• Data subjects: Individuals and entities submitted by Customer for screening

3. Processor Obligations

KYCer shall: (i) process data only on Customer's written instructions; (ii) ensure personnel are bound by confidentiality; (iii) implement appropriate technical and organizational security measures; (iv) assist Customer in responding to data subject requests; (v) delete or return data upon termination; (vi) provide audit cooperation upon reasonable request with 30 days notice.

4. Sub-Processors

KYCer uses the following sub-processors: Hostinger (infrastructure), Cloudflare (CDN/security), Sentry (error monitoring). KYCer will notify Customer of any new sub-processors with 14 days advance notice. Customer may object within 7 days.

5. International Transfers

Where personal data is transferred outside the UAE or EEA, KYCer ensures appropriate safeguards including Standard Contractual Clauses or equivalent protections required under UAE PDPL.

6. Security

KYCer implements: AES-256 encryption at rest, TLS 1.3 in transit, RBAC, MFA, audit logging, vulnerability scanning, and incident response procedures.

7. Security Incident Notification

KYCer will notify the Customer without undue delay (and within 72 hours where feasible) upon becoming aware of a Security Incident affecting Customer Data. Notification will include: nature of incident, categories of data affected, likely consequences, and measures taken.

8. Retention & Deletion

Upon termination, KYCer will retain Customer Data for 30 days then securely delete unless a longer retention period is required by UAE AML regulations (minimum 7 years for screening records).

9. Audit Rights

Customer may request an audit of KYCer's data processing activities with 30 days written notice, no more than once per year, and at Customer's cost unless a breach is identified.

10. Governing Law

This DPA is governed by DIFC law and forms part of the main Terms of Service agreement.

Request a Signed DPA

Enterprise customers may request a countersigned DPA by contacting: legal@kycertechnologies.com or via WhatsApp.