Data Processing Agreement

Effective Date: March 25, 2026Last Updated: March 25, 2026Version: 1.2
This Data Processing Agreement is available for execution as part of an Infrastructure Agreement. Contact legal@cairl.app to request a signed copy.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service or Infrastructure Agreement (the "Agreement") between reAPPlicate Incorporated, operating as CAIRL ("Processor," "we," "us"), and the Business User entering into the Agreement ("Controller," "you").

This DPA applies when CAIRL processes personal data on behalf of a Business User in connection with the delivery of identity verification services. It supplements and is incorporated into the Agreement.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual, as defined by applicable data protection law (including GDPR, CCPA, and other applicable privacy regulations).
  • Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • Controller: The Business User that determines the purposes and means of processing personal data.
  • Processor: CAIRL, which processes personal data on behalf of the Controller.
  • Subprocessor: A third party engaged by CAIRL to process personal data on behalf of the Controller.
  • Data Subject: The individual whose personal data is processed.

3. Scope of Processing

3.1 Nature and Purpose

CAIRL processes personal data solely to provide identity verification services as described in the Agreement. This includes processing verification requests initiated by users who have consented to share verification results (claims) with the Controller.

3.2 Types of Personal Data Processed

  • Verification results (claims such as "age verified," "identity verified," "unique per partner")
  • Pairwise identifiers (unique, non-correlatable identifiers for each Controller-user relationship)
  • Verification timestamps and status

3.3 What CAIRL Does NOT Share with Controllers

  • Raw identity documents (driver's license images, passport images)
  • Biometric data (facial geometry, embeddings, liveness data)
  • Full personal details (address, document numbers, date of birth) unless explicitly authorized by the user through a comparison claim
  • Any data beyond what the user has explicitly consented to share

3.4 Categories of Data Subjects

  • Individuals who have CAIRL accounts and have initiated a verification event with the Controller's connected service

3.5 Controller Instructions

The Controller instructs CAIRL to process personal data solely as necessary to provide the identity verification services described in the Agreement, including processing verification requests initiated by Data Subjects, generating and returning verification results (claims), and maintaining system integrity, fraud prevention, and security controls.

The Controller's use of the CAIRL platform and APIs constitutes its complete and documented instructions to CAIRL. These instructions do not permit the Controller to request or access raw identity documents or biometric data.

3.6 Biometric Data Boundary

Biometric data is never shared with Controllers under any circumstance. Controllers receive only verification claims and pairwise identifiers. No biometric data, facial geometry, embeddings, or liveness data is transmitted, accessible, or derivable through CAIRL's APIs or OAuth flows.

4. Controller Obligations

The Controller agrees to:

  • Process verification results only for the purposes authorized by the Data Subject
  • Maintain a lawful basis for processing under applicable data protection law
  • Honor Data Subject consent revocations promptly — when a user revokes consent through CAIRL, the Controller must cease using their claims
  • Not re-sell, sublicense, or redistribute verification results
  • Not use verification results to build profiles, dossiers, or behavioral tracking systems
  • Not use verification results to train machine learning models or AI systems without explicit written consent from CAIRL
  • Provide appropriate privacy notices to Data Subjects regarding the Controller's use of CAIRL verification results
  • Notify CAIRL promptly of any Data Subject requests relating to CAIRL-processed data that the Controller cannot fulfill independently

CAIRL reserves the right to suspend or terminate access to the Service if the Controller violates these obligations.

5. Processor Obligations

CAIRL agrees to:

  • Process personal data only on documented instructions from the Controller, except as required by applicable law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in our Security Overview
  • Engage subprocessors only in accordance with Section 7 of this DPA
  • Assist the Controller in responding to Data Subject requests, to the extent technically feasible
  • Assist the Controller in meeting obligations related to data protection impact assessments and prior consultation with supervisory authorities, where applicable
  • Delete or return personal data at the Controller's request upon termination of the Agreement, subject to legal retention requirements described in our Privacy Policy
  • Make available information necessary to demonstrate compliance with this DPA

6. Security Measures

CAIRL maintains the following security measures for all personal data processing:

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 encryption in transit for all connections
  • Role-based access controls with multi-factor authentication
  • Pairwise HMAC-SHA256 identifiers to prevent cross-platform user correlation
  • Rate limiting on all integration endpoints
  • Audit logging of all data access by CAIRL personnel
  • Environment isolation (development, staging, production fully separated)

For full details, see our Security Overview.

7. Subprocessors

7.1 Current Subprocessors

CAIRL uses the following subprocessors for data processing activities:

SubprocessorPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure, identity verification processing (Rekognition, Textract), document storage (S3), serverless compute (Lambda)United States
StripePayment processing and billingUnited States
VercelWebsite hosting and content deliveryUnited States (global edge)
MailgunEmail delivery and proxy relayUnited States
CloudflareBot protection (Turnstile)United States (global edge)
UpstashRate limiting and session cachingUnited States
TwilioPhone verification (OTP delivery)United States
PlaidBank account verificationUnited States

7.2 Subprocessor Changes

We may update our subprocessors from time to time. We will notify Controllers of material changes to subprocessors at least 30 days before the change takes effect. Controllers who object to a new subprocessor may terminate the affected services by providing written notice within 30 days of notification.

7.3 Subprocessor Obligations

All subprocessors are bound by written agreements that impose data protection obligations no less protective than those in this DPA. CAIRL remains fully liable for the performance of its subprocessors' obligations.

8. International Data Transfers

Personal data is processed and stored in the United States. For Controllers located in the European Economic Area (EEA), United Kingdom, or Switzerland, CAIRL relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, including the UK Addendum and Swiss adaptations where applicable, to provide appropriate safeguards for international data transfers.

Upon request, CAIRL will execute SCCs with the Controller where required by applicable law.

9. Data Subject Rights

9.1 CAIRL's Role

CAIRL facilitates Data Subject rights directly through the CAIRL platform. Users can access, correct, delete, and export their data through their account settings or by contacting privacy@cairl.app.

9.2 Controller Cooperation

If a Data Subject directs a rights request to the Controller regarding CAIRL-processed data, the Controller should direct the Data Subject to exercise their rights through CAIRL directly, or notify CAIRL at privacy@cairl.app so we can assist.

10. Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, CAIRL will:

  • Notify the affected Controller without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide the Controller with sufficient information to meet its own breach notification obligations, including the nature of the breach, categories of data affected, approximate number of Data Subjects affected, and measures taken or proposed to address the breach
  • Cooperate with the Controller's investigation and mitigation efforts

11. Audits

Upon reasonable request and subject to appropriate confidentiality obligations, CAIRL will make available information necessary to demonstrate compliance with this DPA. This may include summaries of independent audit reports, security certifications, or responses to standardized security questionnaires.

On-site audits may be made available under appropriate agreements and subject to advance scheduling, scope limitations, and reasonable confidentiality obligations.

12. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination, CAIRL will delete or return Controller-specific data in accordance with the Agreement and our Privacy Policy. Verification records may be retained for up to 7 years where required for regulatory, audit, or fraud prevention purposes as described in our Privacy Policy.

13. Limitation of Liability

Liability under this DPA is subject to the limitation of liability provisions in the Agreement.

14. Contact

For DPA-related inquiries: