Data Processing Addendum
Effective date: 15 June 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written agreement between IDEEVY and the Business Customer (the “Agreement”). It applies where IDEEVY processes Personal Data on behalf of the Business Customer in connection with the IDEEVY identity document verification service. IDEEVY is operated by INTEGRITYTECH HK LIMITED, which provides the identity document verification service at ideevy.com. The service scope is identity document verification (IDV) only.
This DPA is intended to describe the parties’ data protection roles, the scope of processing, the retention approach, security measures, subprocessor arrangements, and related obligations for the standard IDEEVY service.
1. Definitions
For the purposes of this DPA:
- “Agreement” means the Terms of Service, Order Form, statement of work, or other written agreement between IDEEVY and the Business Customer.
- “Business Customer” means the company, organization, or professional customer that uses IDEEVY to verify identity documents.
- “Customer Personal Data” means Personal Data processed by IDEEVY on behalf of the Business Customer through the Service.
- “End User” means an individual whose identity document is submitted for verification through the Service.
- “IDEEVY”, “we”, “us”, and “our” refer to INTEGRITYTECH HK LIMITED.
- “Personal Data” means information relating to an identified or identifiable individual, as defined under applicable data protection laws.
- “Service” means the IDEEVY identity document verification service made available at ideevy.com and related APIs, dashboards, and technical tools.
- “Verification Record” means the document image, related extracted document data where enabled, verification status, reason codes, identifiers, timestamps, and technical metadata processed in connection with an IDV session.
2. Relationship of the Parties
For standard identity document verification processing, the Business Customer determines why an End User’s identity document is submitted, what verification workflow is required, and how the verification result is used. The Business Customer is therefore normally the controller, business, or equivalent decision-making party under applicable privacy laws.
IDEEVY processes Customer Personal Data on behalf of the Business Customer and normally acts as a processor, service provider, or equivalent processing party with respect to the standard Service. IDEEVY will process Customer Personal Data only in accordance with the Agreement, this DPA, the Business Customer’s documented instructions, and applicable law.
IDEEVY may act as an independent controller for limited data and purposes outside the standard IDV processing relationship, including website use, customer account administration, billing, security, service protection, legal compliance, and communications with the Business Customer.
3. Scope of Processing
The standard IDEEVY Service is limited to identity document verification. It is not a full KYC platform, AML screening service, sanctions screening service, biometric service, or final customer onboarding decision engine.
The processing covered by this DPA includes receiving identity document images, performing document verification checks, extracting document data where required for IDV, producing a verification result, maintaining a Verification Record, and making verification results available to the Business Customer through the applicable product interface, API, webhook, dashboard, or other agreed method.
The details of processing are set out in Annex 1.
4. Customer Instructions and Responsibilities
The Business Customer is responsible for ensuring that it has a valid legal basis to submit identity documents and related data to IDEEVY for verification. The Business Customer is also responsible for providing all required notices, obtaining all required consents or authorizations where applicable, and handling the direct relationship with its End Users.
The Business Customer must not submit Personal Data to IDEEVY unless it is authorized to do so and unless the processing is compatible with the Service and the Agreement. The Business Customer must not use IDEEVY to process documents for unlawful, deceptive, discriminatory, abusive, surveillance-based, or unauthorized purposes.
IDEEVY is not responsible for the Business Customer’s final decision to approve, reject, onboard, restrict, terminate, or otherwise act with respect to an End User. IDEEVY provides document verification outputs; the Business Customer remains responsible for its own business, compliance, and user relationship decisions.
5. Standard Service Exclusions
Unless separately agreed in writing, the standard IDEEVY Service does not include:
- collection or processing of selfies;
- liveness checks;
- face matching;
- facial recognition;
- creation, storage, or processing of biometric templates;
- AML, PEP, sanctions, adverse media, or source-of-funds screening;
- final regulatory KYC approval or rejection on behalf of the Business Customer.
Additional or tailor-made services, if any, may be provided only under a separate written agreement and may be subject to separate terms, notices, data processing arrangements, and pricing.
6. Confidentiality
IDEEVY will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations or are otherwise bound by duties of confidentiality. Access to Customer Personal Data is restricted to personnel, contractors, or service providers who need such access for operational, support, security, or legal purposes related to the Service.
7. Security Measures
IDEEVY will implement commercially reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, or processing. These measures may include encrypted storage, secure transmission, access controls, least-privilege access, audit logging, restricted operational access, infrastructure security controls, and security monitoring.
The security measures are described in Annex 2. IDEEVY may update or improve its security measures over time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.
8. Retention and Deletion
IDEEVY retains Verification Records, including identity document images, for up to one year from the date of verification, unless a shorter retention period is configured or agreed with the Business Customer, or a longer period is required for legal, dispute, security, fraud prevention, or service protection reasons.
Upon termination or expiry of the Agreement, IDEEVY will delete or return Customer Personal Data in accordance with the Agreement, this DPA, applicable law, and standard retention cycles. Backup copies and technical logs may be deleted according to IDEEVY’s normal backup, security, and deletion schedules.
The Business Customer is responsible for exporting or preserving any verification data it needs before termination, unless a different process is agreed in writing.
9. Subprocessors and Infrastructure Providers
The Business Customer authorizes IDEEVY to use subprocessors and infrastructure providers to deliver, secure, monitor, and support the Service. Such providers may include hosting, storage, monitoring, logging, security, communications, support, and document-processing technology providers.
IDEEVY will use reasonable contractual and technical safeguards with subprocessors that process Customer Personal Data and will remain responsible for their performance of data processing obligations to the extent required by applicable law and the Agreement.
For operational security reasons, IDEEVY does not publish a full public list of infrastructure and security providers. A current list of relevant service providers may be made available to Business Customers upon request, subject to appropriate confidentiality and security considerations. Material subprocessor notice or objection rights apply only where expressly agreed in an Order Form, enterprise agreement, or other written arrangement. Subprocessor categories are described in Annex 3 and in Subprocessors & Infrastructure.
10. International Storage and Transfers
Where reasonably possible, IDEEVY aims to store and process verification data in the End User’s country or region, or in another location consistent with the Business Customer’s configuration and applicable data protection requirements. However, Customer Personal Data may be processed or stored in other jurisdictions where IDEEVY, its infrastructure providers, or service providers operate.
Where applicable data protection law requires specific transfer safeguards, IDEEVY will use appropriate safeguards for cross-border processing or transfers, which may include contractual protections, data processing terms, standard contractual clauses, or other lawful transfer mechanisms where required and available.
11. Data Subject Requests
Because the Business Customer normally determines why an End User’s document was submitted and how the verification result is used, End Users should normally contact the Business Customer first regarding access, correction, deletion, objection, restriction, or other privacy rights related to their verification.
If IDEEVY receives a request from an End User relating to Customer Personal Data, IDEEVY may direct the End User to the relevant Business Customer or forward the request to the Business Customer where appropriate. IDEEVY will provide reasonable assistance to the Business Customer in responding to data subject requests to the extent required by applicable law and the Agreement.
IDEEVY may respond directly only where required by law, where the request concerns IDEEVY’s own controller processing, where the Business Customer cannot reasonably be identified or reached, or where the Business Customer is unavailable and the circumstances reasonably require direct handling by IDEEVY.
12. Personal Data Breach
IDEEVY will notify the Business Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice may include available information regarding the nature of the breach, the affected data, likely consequences, and measures taken or proposed to address the breach, to the extent such information is available and legally permitted.
The Business Customer is responsible for determining whether any notification to End Users, regulators, or other third parties is required in connection with its own role as controller or equivalent decision-making party.
13. Assistance and Audits
IDEEVY will provide reasonable assistance to the Business Customer, taking into account the nature of the processing and the information available to IDEEVY, with respect to data protection impact assessments, security reviews, data subject requests, and regulatory inquiries where required by applicable law and the Agreement.
IDEEVY may satisfy reasonable audit or review requests by providing written responses, security summaries, policies, certifications, third-party reports where available, or other appropriate documentation. On-site audits, infrastructure reviews, penetration testing, or direct access to systems require prior written agreement, reasonable notice, confidentiality protections, security controls, and may be subject to additional fees.
14. Order of Precedence
If there is a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA will control to the extent of the conflict. Commercial terms, payment terms, service descriptions, liability limits, and other non-data-processing terms remain governed by the Agreement unless expressly modified in this DPA.
15. Governing Law
This DPA is governed by the law governing the Agreement. If no governing law is specified in the Agreement, this DPA is governed by the laws of Hong Kong.
16. Contact and Company Details
IDEEVY is operated by INTEGRITYTECH HK LIMITED.
Registered name: INTEGRITYTECH HK LIMITED
Company Registration Number: 3339122
Business Registration Number: 75921776
Registered address: Room 905, Block 2, Cyberport, 100 Cyberport Road, Hong Kong
Legal contact: legal@ideevy.com
Privacy contact: privacy@ideevy.com
Annex 1 — Details of Processing
- Subject matter: processing of Customer Personal Data for identity document verification through the IDEEVY Service.
- Duration: for the term of the Agreement and the applicable retention period. Verification Records are retained for up to one year from the date of verification unless otherwise configured, agreed, or required.
- Nature of processing: collection, receipt, transmission, storage, analysis, extraction, validation, classification, logging, display, deletion, and making verification results available to the Business Customer.
- Purpose of processing: to provide identity document verification, return verification results, maintain auditability, support the Service, protect against abuse, resolve disputes, and comply with applicable obligations.
- Categories of data subjects: End Users, applicants, account holders, customers, merchants, sellers, users, or other individuals whose identity documents are submitted by or on behalf of the Business Customer.
- Categories of Personal Data: identity document images; document type; issuing country; document side/front-back where applicable; image quality information; extracted document data where enabled; MRZ, barcode, or OCR fields where applicable; verification status; reason codes; timestamps; customer, project, and session identifiers; IP address, device, browser, and session metadata; audit and technical logs related to verification.
- Sensitive or special category data: the Service may process identity document images and information contained in identity documents. The standard Service does not collect selfies, perform liveness checks, use face matching, perform facial recognition, or create biometric templates.
- Frequency of transfer: continuous or as initiated by the Business Customer through the Service.
- Business Customer instructions: the Business Customer instructs IDEEVY to process Customer Personal Data to provide the Service in accordance with the Agreement, this DPA, product configuration, and documented instructions.
Annex 2 — Security Measures
IDEEVY applies commercially reasonable technical and organizational safeguards designed to protect Customer Personal Data. Measures may include:
- encrypted storage of verification data where supported by the applicable infrastructure;
- secure transmission of data using industry-standard transport security;
- access controls and user authentication for administrative and operational access;
- least-privilege access principles and restricted access based on operational need;
- audit logging and monitoring of relevant service activity;
- segregation of customer environments or logical separation where appropriate;
- secure infrastructure configuration and vulnerability management practices;
- backup, recovery, and continuity measures appropriate to the Service;
- internal confidentiality obligations for personnel with access to Customer Personal Data;
- vendor and service provider controls appropriate to the nature of the processing;
- incident response procedures for suspected or confirmed Personal Data Breaches.
Security measures may be updated from time to time to reflect changes in technology, operational requirements, and risk, provided that IDEEVY does not materially reduce the overall level of protection for Customer Personal Data.
Annex 3 — Subprocessor Categories
IDEEVY may use the following categories of subprocessors and infrastructure providers to deliver the Service. Specific provider information may be made available to Business Customers upon request, subject to appropriate confidentiality and security considerations.
- Hosting and cloud infrastructure: hosting, compute, network, and infrastructure services used to operate the Service.
- Secure storage providers: storage of Verification Records, document images, logs, and related service data.
- Monitoring and logging tools: service reliability, operational monitoring, debugging, logging, and security observability.
- Security providers: security monitoring, access control, infrastructure protection, vulnerability management, or incident response support.
- Document-processing technology providers: document parsing, OCR, image analysis, document classification, or related IDV technology where used to provide the Service.
- Communications and support tools: customer support, operational communications, account notifications, and service administration.
- Analytics for website use: limited website analytics such as Google Analytics, as described in IDEEVY’s Privacy Policy and Cookie Policy.