VerifiMe® Data Processing Agreement
Greengate Fintech Holdings Pty Ltd (ABN 97 664 286 515)
Effective Date
01/02/2026
Date
25/05/2026
This Data Processing Agreement supplements the VerifiMe Terms of Agreement available at www.verifime.com/terms and governs the processing of personal data where the Customer engages VerifiMe as a data processor.
- DEFINITIONS AND SCOPE
1.1 Relationship Definition
- Controller: The Client organisation determining purposes and means of personal data processing
- Processor: GreenGate Fintech Holdings Pty Ltd (ABN 97 664 286 515) operating VerifiMe platform
- Processing: Identity verification, document validation, AML/CTF compliance checking, and related services
1.2 Data Categories Processed
- Identity verification data (names, addresses, dates of birth)
- Government-issued document data (passport, license numbers)
- Biometric data (facial recognition, document photos)
- Entity verification data (company/trust details)
- Compliance assessment results
2. PROCESSING INSTRUCTIONS AND RESTRICTIONS
2.1 Lawful Processing Instructions
The Processor shall only process personal data:
- For identity verification and compliance assessment purposes as specified in the main agreement
- According to documented instructions from the Controller
- In accordance with applicable privacy laws (Privacy Act 1988, AML/CTF Act)
- Using the technical and organisational measures outlined in Schedule A
2.2 Processing Restrictions
The Processor shall NOT:
- Process personal data for own commercial purposes beyond service delivery
- Transfer data outside Australia without Controller's written consent and adequate safeguards
- Retain personal data longer than necessary or beyond agreed retention periods
- Grant access to unauthorised personnel or third parties
3. CONTROLLER RIGHTS AND OVERSIGHT
3.1 Audit Rights
The Controller may:
- Request annual compliance reports and certifications
- Conduct security assessments with reasonable notice
- Access processing logs and incident reports upon request
- Engage third-party auditors (costs shared if no material issues found)
3.2 Data Subject Request Assistance
The Processor shall:
- Notify Controller of any direct data subject requests within 48 hours
- Provide technical assistance for data access, rectification, and deletion requests
- Implement Controller's instructions for data subject rights fulfillment
- Maintain records of all data subject requests and responses
3.3 Transparency Reporting
Monthly reports shall include:
- Number of verification transactions processed
- Any security incidents or system access issues
- Sub-processor changes or additions
- Data retention and deletion activities
4. SECURITY AND TECHNICAL MEASURES
4.1 Mandatory Security Controls (Reference: VerifiMe Security Whitepaper)
The Controller may:
- AWS infrastructure with encryption at rest and in transit (AES-256, TLS 1.3)
- Multi-factor authentication for all system access
- Role-based access controls with least privilege principles
- Regular vulnerability scanning and penetration testing
- 24/7 monitoring with intrusion detection systems
4.2 Additional Controller-Specific Requirements
- Notify Controller of any direct data subject requests within 48 hours
- Provide technical assistance for data access, rectification, and deletion requests
- Implement Controller's instructions for data subject rights fulfillment
- Maintain records of all data subject requests and responses
5. SUB-PROCESSOR MANAGEMENT
5.1 Authorised Sub-Processors (as of agreement date)
- Amazon Web Services - Hosting and infrastructure
- AWS Rekognition - Biometric facial comparison, liveness detection, deepfake detection
- AWS KMS - Encryption key management
- AWS CloudTrail - Infrastructure audit logging
- Australian Government DVS (AGD) - Document verification
5.2 Sub-Processor Changes
- 30 days advance notice of any new sub-processors
- Controller right to object with termination option if objection not resolved
- Same data protection standards required for all sub-processors
- Direct liability chain ensuring Controller can claim against any sub-processor
6. DATA BREACH AND INCIDENT MANAGEMENT
6.1 Breach Notification Timeline
- Initial notification to Controller: within 4 hours of discovery
- Detailed incident report: within 24 hours
- Regulatory notification assistance: as required by applicable law
- Post-incident review: within 7 days of resolution
6.2 Breach Response Responsibilities
The Processor shall:
- Implement immediate containment measures
- Preserve forensic evidence
- Assist with regulatory reporting and data subject notifications
- Provide detailed impact assessment and remediation plan
7. DATA RETENTION AND DELETION
7.1 Standard Retention Periods
- Identity verification data: 7 years (AML/CTF compliance requirement)
- Processing logs: 2 years
- Audit evidence: 7 years from last processing activity
- Controller may specify shorter periods where legally permissible
7.2 Data Return and Deletion
Upon agreement termination or Controller request:
- Return or secure deletion of all personal data within 30 days
- Certificate of destruction provided
- Exception: data required for legal compliance may be retained in secure offline storage
- No personal data retained for Processor's own purposes
8. LIABILITY AND INDEMNIFICATION
8.1 Liability Allocation
- Processor liable for damages caused by processing outside Controller instructions
- Processor liable for failure to implement adequate technical and organisational measures
- Joint liability for violations involving both parties' actions
- Liability caps as defined in main agreement apply unless excluded by law
8.2 Indemnification
The Processor shall indemnify Controller against:
- Claims arising from unauthorised data processing
- Breaches of this DPA by Processor or its sub-processors
- Regulatory fines resulting from Processor non-compliance
- Third-party claims related to data security failures
9. CROSS-BORDER TRANSFERS
9.1 Data Localisation
- All personal data stored within Australia unless Controller consent obtained
- Any offshore processing requires Controller approval and adequate safeguards
- Standard Contractual Clauses or equivalent mechanisms for international transfers
- Regular compliance monitoring for cross-border data flows
10. TERMINATION AND TRANSITION
10.1 Agreement Termination
Either party may terminate with 30 days notice for material breach (uncured after 14 days) Controller may terminate immediately if:
- All personal data stored within Australia unless Controller consent obtained
- Any offshore processing requires Controller approval and adequate safeguards
- Standard Contractual Clauses or equivalent mechanisms for international transfers
- Regular compliance monitoring for cross-border data flows
10.2 Transition Assistance
Upon termination, Processor shall:
- Provide data export in standard formats
- Assist with migration to new processor (fees may apply)
- Maintain confidentiality obligations for 3 years post-termination
SCHEDULE A: TECHNICAL AND ORGANISATIONAL MEASURES
Security Controls Matrix
Control Category
Measure
Standard
Access Control
MFA, RBAC, Least Privilege
AWS IAM Standards
Encryption
Data at rest/transit
AES-256, TLS 1.3
Network Security
Secure subnets, firewalls
AWS VPC Standards
Monitoring
24/7 SOC, SIEM
CloudTrail, New Relic
Testing
Annual penetration testing
Independent third party
Backup
Multi-AZ replication
99.99% availability SLA
Compliance Certifications
- ISO 9001 (Quality Management Systems)
- AWS security best practices compliance
- OAIC privacy compliance (Australian Privacy Principles)
SCHEDULE B: DATA PROCESSING DETAILS
Categories of Personal Data
- Identity Data: Names, addresses, DOB,
- Document Data: Passport/license numbers, photos, medicare cards
- Biometric Data: Facial images, document verification
- Entity Data: Company/trust registration details
- Compliance Data: Risk scores, verification status
This DPA is governed by the laws of New South Wales, Australia and takes precedence over conflicting terms in other agreements.
Data Subjects
- Individual customers requiring identity verification
- Beneficial owners and controllers of entities
- Authorised representatives and signatories
Processing Purposes
- Identity verification for AML/CTF compliance
- Document authenticity validation
- Risk assessment and scoring
- Audit trail creation and maintenance
- Regulatory reporting support
VerifiMe Australia Pty Ltd is a wholly-owned subsidiary of Greengate Fintech Holdings
ACN 664 286 515
ABN 97 664 286 515
VerifiMe Australia Copyright 2026
VerifiMe acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community.
We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.