SMB Data Processing Addendum
Version: April 28th, 2025
This Data Processing Addendum and its Schedules (“Addendum” or “DPA”) apply to
a Customer that has accepted the terms of the Master Services Agreement
(“Agreement”) for the provision of Services by the Provider identified in the
applicable invoice referencing this Agreement and reflect the parties’ agreement with
respect to the Processing of Personal Data.
This DPA is supplemental to, and forms an integral part of, the Agreement and is
effective upon its incorporation into the Agreement per its reference. In the event of a
conflict between the terms and conditions of this Addendum and the Agreement, the
terms and conditions of this Addendum shall supersede and control, except as
expressly stated in the applicable Agreement. The term of this DPA will follow the term
of the Agreement. Terms not otherwise defined in this DPA will have the meaning as
set forth in the Agreement.
1. Definitions.
“Applicable Data Protection Law” means all worldwide data protection and
privacy laws and regulations applicable to the Personal Data in question, including,
where applicable, but not limited to the California Consumer Privacy Act, the
European Union General Data Protection Regulation, the Brazil Lei Geral de Proteção
de Dados, the Nigerian Data Protection Act of 2023, the Federal Law for the Protection
of Personal Data Held by Private Parties applicable in Mexico, the Argentine Data
Protection Regulations, the Illinois Biometric Information Privacy Act, Washington
Biometric Privacy Protection Act, the Texas Capture or Use of Biometric Identifiers Act,
and the Washington My Health My Data Act.
“Biometric Information” means data generated by automatic measurements of an
individual’s biological characteristics, such as a faceprint, fingerprint, voiceprint, eye
retinas, irises, or other unique biological patterns or characteristics that is used to
identify a specific individual.
“Data Processor”, “Data Controller”, “Data Subject”, “Processing”,
“Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance
with the European Union General Data Protection Regulation.
“Data Subject Request” as used in this Addendum means a request for access,
erasure, rectification, or portability of an individual’s Personal Data.
“Provider API” means the application programming interface offered by Provider to
Customer pursuant to the Agreement.
“Personal Data” means any information which is protected as “personal data”,
“personal information” or “personally identifiable information” under Applicable Data
Protection Law (including Biometric Information and Sensitive Personal Data).
“Sensitive Personal Data” means any Personal Data that relates to the most
intimate sphere of its owner, or whose improper use may give rise to discrimination or
entail a serious risk for the owner.
2. Data Protection Requirements.
2.1 Under the Agreement, Provider will process Personal Data relating to Customer’s
End Users. Specific details about the Personal Data that will be processed are described
in Exhibit A to this Addendum.
2.2 Provider will process this Personal Data as a Data Controller and will use this
Personal Data solely to provide and improve the Platform and Services.
2.3 When Provider processes the Personal Data under the Agreement it will:
2.3.1 Notify Customer if, in Provider’s opinion, Customer’s instruction for the
Processing of Personal Data infringes Applicable Data Protection Law;
2.3.2 Notify Customer promptly, to the extent permitted by law, upon receiving
an inquiry or complaint from a Supervisory Authority relating to the Processing
of Customer’s End Users’ Personal Data;
2.3.3 Implement reasonable technical and organizational measures enabling
Customer to execute Data Subject Requests that Customer is obligated to
fulfill;
2.3.4 Upon request, provide reasonable information to help Customer
complete Customer’s data protection impact assessments;
2.3.5 Upon request, provide Customer with up-to-date attestations, reports or
extracts thereof where available from Provider’s security and data protection
auditors, to enable Customer to assess Provider’s data protection practices;
2.3.6 Ensure that its personnel who access the Personal Data are subject to
confidentiality obligations that restrict their ability to disclose the Personal
Data to third parties.
2.4 In the course of providing the Services, Customer acknowledges and agrees that
Provider may use Subprocessors to process Customer’s End Users’ Personal Data.
Provider’s use of any specific Subprocessor to process Customer’s End Users’ Personal
Data must be in compliance with Applicable Data Protection Law and must be
governed by a contract between Provider and Subprocessor imposing data protection
terms on the Subprocessors that are consistent with the level of protection provided
under this DPA, to the extent applicable to the nature of the services provided by such
Subprocessors. A current list of Subprocessors may be provided upon request. All
Subprocessors engaged by Provider on the Effective Date of the Agreement are deemed
authorized by Customer. A list of Authorized Subprocessors will be provided on
request. If Customer objects to the appointment of a Subprocessor, the parties will
discuss Customer’s concerns in good faith with a view to achieving a commercially
reasonable resolution. If no such resolution can be reached, Customer will have the
right to suspend or terminate the affected Service in accordance with the termination
provisions of the Agreement without liability to either party. Any amount paid will not
be reimbursed.
2.5 In the course of providing the Services, Customer acknowledges and agrees that
Provider may transfer the Personal Data to third countries such as the United States
and European Union. Such transfers will be conducted in compliance with Applicable
Data Protection Law.
3. Security Requirements.
3.1 Provider will implement and maintain appropriate technical and organizational
measures to protect the Personal Data against unauthorized or unlawful processing
and against accidental loss, destruction, damage, theft, alteration or disclosure.
3.2 These measures shall be appropriate to the harm which might result from any
unauthorized or unlawful processing, accidental loss, destruction, damage or theft of
Personal Data and appropriate to the nature of the Personal Data which is to be
protected.
3.3 In the event that Provider becomes aware of and confirms any accidental,
unauthorized, or unlawful processing of, disclosure of, or access to the Customer’s
End User Personal Data (a “Security Breach”):
3.3.1 Provider will notify the affected Customer within 72 business hours of
becoming aware of and confirming the Security Breach;
3.3.2 In such notification, Provider will provide the following information, to the
extent it has sufficient information to do so: (i) a detailed summary of the
Security Breach; (ii) the Personal Data elements and number of records
exposed and/or misused; and (iii) the corrective measures to be implemented
by Provider;
3.3.3 Provider will advise Customer if Provider believes it is legally required to
provide Customers or any other party with a notification of the Security Breach,
and will provide Customer with an advance copy of any such notification;
3.3.4 Provider will cooperate with the Customer and any competent authority
and shall provide reasonable additional information or documents requested
for such purpose in connection with such Security Breach, to the extent it is
legally and contractually allowed to do so.
4. Consent in respect of End Users.
To the extent that Customer uses the Provider API, Customer agrees to display the consent language
included in this section for the duration of the Agreement on its website and/or
application to End Users receiving the Services. Such consent language shall be displayed clearly, conspicuously and before
the collection of the End User Personal Data via the Provider Services, and Customer
shall keep a record of written consent (in a manner that constitutes an enforceable e-
signature or express and written consent under Applicable Data Protection Law)
thereto as a precondition to collection of such data. Customer shall only allow End
User to submit Personal Data to the Provider API once the End User has consented to
the language set forth in section 4.1 (“Consent Language”) of this Addendum. In case
Customer disables the consent or unilaterally changes the content of the Consent
Language set forth in section 4.1 of this Addendum, Provider will be entitled to
suspend the Services. Simultaneously with Customer, the Parties agree that Provider
and its Affiliates shall be entitled to process End User’s Personal Data, including
Biometric Information and Sensitive Personal Data (“Provider Data”) to improve
Provider’s, and its Affiliates’, products and services (including its algorithms), which
may benefit the Services, through the same Consent Language. Where Provider acts
as Processor (as defined in Applicable Data Protection Law) in the Agreement,
Customer agrees and acknowledges that the processing of End User’s Personal Data,
to improve Provider’s, and its Affiliates’, products and services is aligned with the
purposes for which such Personal Data was collected by Customer, and that such
processing will in no case constitute processing that goes beyond the instructions of
Customer.
4.1 Consent Language. Customer will integrate via Incode SDK using the consent
language that follows:
By clicking “Next” I consent to [Company Name] and its service provider, [Provider],
obtaining and disclosing a scan of my face geometry and barcode of my ID for the purpose of
verifying my identity pursuant to [Company Name] and [Provider’s] Privacy Policies and for
improving and updating [Provider] products or services (including its algorithm). [Company
Name] and [Provider] shall store the biometric data for no longer than 3 years (or as
determined by your local regulation).
I can exercise my privacy rights, including withdrawal of my consent, by contacting
dataprotection@incode.com.
I have read and agree to Provider’s Privacy Policy.
4.2 If the consent wording above needs to be amended for a specific territory, it is
Customer’s obligation to determine this; however, the Parties will work together in
implementing such adjustments, with the understanding that the Services are
conditioned on Customer ensuring that any required adjustments are made to comply
with Applicable Data Protection Law in such territories. Customer is solely responsible
for determining whether the Consent Language and consent implementation are sufficient to
comply with Applicable Data Protection Law, and any failure to request necessary
modifications (which Provider shall not unreasonably deny) shall be a material breach
of the Agreement.
4.3 Consent Collection. For the collection of the applicable consent as detailed
above, Customer agrees as follows:
4.3.1 If Customer uses the Provider API, Customer acknowledges, agrees and
commits to include within its flow a screen with the applicable consent wording
above, prior to the collection of its End Users’ Personal Data, and to maintain a
record of the applicable consent provided by the End User and include such
consent record together with the Personal Data sent to Provider for processing.
4.3.2 In case any End User does not provide consent to Customer to verify their
identity through the Services, Customer shall not allow such End User to access
the Services, and doing otherwise shall be a material breach of this Agreement
by Customer, in which case Customer shall be solely responsible and liable for
any claims and/or damages asserted by such End Users.
4.3.3 Prior to incorporating the Consent Language into the End User sign-up
flow, Customer shall complete highlighted fields in the Consent Language set
forth in this Addendum.
5. Miscellaneous.
5.1 For avoidance of doubt and to the extent allowed by applicable law, any and all
liability under this Addendum, including limitations thereof, will be governed by the
relevant provisions of the Agreement.
5.2 The terms of this Addendum shall be subject to any choice of law and venue
provisions in the Agreement.
Exhibit A
Description of Processing
1. SCOPE.
Name: Customer and its Authorized Affiliates as identified in the applicable invoice.
Contact person’s name, position and contact details: As identified in the applicable
documentation or information provided by the Customer.
Activities relevant to the data transferred under these clauses: Performance of the
Services pursuant to the Agreement.
Data Importer: Provider identified in the applicable invoice.
2. CATEGORIES OF DATA SUBJECTS.
Customer’s End Users
3. CATEGORIES OF PERSONAL DATA.
Customer can configure the Platform and Services to collect and process different
Personal Data, at its discretion. This Personal Data can include:
– Full Name
– Contact information (email, phone, physical address)
– Government Identifiers
– Biometric Information (facial photographs)
– Financial Information
– Professional Information
– Device Information
4. PURPOSE OF THE PROCESSING.
Provider will Process Personal Data as necessary to perform the Services pursuant to
the Agreement, and as further instructed by Customer in its use of the Services.
5. DURATION OF PROCESSING.
Provider will Process Personal Data for the duration of the Agreement, as specified in
this Addendum, unless otherwise agreed upon in writing by the parties.
6. TECHNICAL AND ORGANIZATIONAL MEASURES.
Data Importer will maintain administrative, physical, and technical safeguards for
protection of the security, confidentiality and integrity of Personal Data uploaded to
the Services and will make reasonably available descriptions of such safeguards at
the request of Customer.