Data Processing Agreement

GDPR Article 28 Data Processing Agreement template. Last updated: February 2026.

1. Definitions

  • "Controller" means the entity that determines the purposes and means of processing personal data (the Customer).
  • "Processor" means Common Identity, which processes personal data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to a Data Subject as defined in GDPR Article 4(1).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Services" means the image watermarking and ownership verification services provided by the Processor.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only to the extent necessary to provide the Services, specifically:

  • Processing images for watermark embedding and detection (transient, in-memory only)
  • Generating and verifying Watermark IDs (deterministic hash derivation)
  • Facilitating blockchain registration of ownership records (at the Controller's direction)
  • User authentication and account management

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Not engage another processor without prior specific or general written authorization of the Controller.
  • Assist the Controller in responding to Data Subject requests.
  • Delete or return all Personal Data upon termination of the Services, at the Controller's choice.

4. Processing Instructions

The Controller instructs the Processor to process Personal Data as follows:

| Data Category | Processing Activity | Retention |
|---|---|---|
| Images | Watermark embedding/detection | In-memory only (seconds) |
| Email address | Authentication | Until account deletion |
| Wallet address | Blockchain registration | On-chain: permanent |
| Watermark IDs | Ownership verification | On-chain: permanent |

5. Confidentiality

The Processor shall ensure that all personnel processing Personal Data are subject to contractual or statutory confidentiality obligations. Access to Personal Data shall be limited to those personnel who require it to perform the Services.

6. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in transit (HTTPS/TLS 1.2+)
  • API key authentication between services
  • Image data cleared from memory after processing
  • No persistent storage of image data
  • Rate limiting to prevent abuse
  • Structured logging with PII sanitization
  • Server-side secrets never exposed to client code

7. Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is maintained at: Sub-Processor List.

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. The Processor shall impose equivalent data protection obligations on sub-processors via written contract.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

Note on blockchain records: On-chain data (wallet address, Watermark ID, timestamp) cannot be modified or deleted due to the immutable nature of blockchain technology. This limitation is disclosed to Data Subjects before registration.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include:

  • The nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted with reasonable notice (minimum 30 days) and during normal business hours, subject to confidentiality obligations.

11. Data Return and Deletion

Upon termination of the Services, the Processor shall, at the Controller's choice:

  • Return all Personal Data to the Controller in a structured, commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

Exception: Blockchain records cannot be deleted or returned as they are stored on a public, immutable ledger. This exception is documented and disclosed to Data Subjects prior to on-chain registration.

12. Term and Termination

This DPA shall remain in effect for the duration of the Services agreement. The Processor's obligations regarding confidentiality and data deletion shall survive termination.

13. International Data Transfers

Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission, the parties agree to execute the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the legal mechanism for such transfers.

Applicable Module: Module 2 (Controller to Processor) applies to transfers under this DPA.

Supplementary Measures (per Schrems II):

  • Encryption in transit (TLS 1.2+) for all data transfers
  • No persistent storage of image data; images are processed in memory only
  • Access to Personal Data limited to authorized personnel on a need-to-know basis

Current Transfer Destinations:

| Destination | Sub-processor | Data Transferred |
|---|---|---|
| United States | WAM GPU Service | Image bytes (transient, in-memory) |
| United States | Privy (Authentication) | Email, wallet address |
| United States | Upstash (Rate Limiting) | IP address hash (ephemeral, not linked to identity) |
| United States | CDP Paymaster (Gas Sponsorship) | Wallet address, transaction data |
| Decentralized | Base Blockchain | Wallet address, Watermark ID (permanent, public) |
| Decentralized | IPFS | Encrypted credentials (if user opts in) |

For the current sub-processor list, see Sub-Processor List.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the main Services agreement. Where the processing of Personal Data is subject to GDPR, the provisions of GDPR shall prevail in the event of conflict.

To request an executed copy of this DPA or discuss data processing terms, contact [email protected].