Data Processing Agreement
Last updated: April 21, 2026
1. Parties, scope, and definitions
This Data Processing Agreement ("DPA") is entered into between AgeOnce ("Processor") and the Customer identified in the associated account or order form ("Controller") and applies to the processing of End-User Personal Data by the Processor on behalf of the Controller in connection with the Platform.
Capitalized terms not defined here have the meaning given in the Merchant Terms or in applicable data-protection law ("Data Protection Law"), including the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Illinois BIPA, and equivalent laws.
- "Personal Data" and "Processing" have the meanings given in Data Protection Law.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates (here, an End User).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" ("SCCs") means the EU Commission's module-2 SCCs (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum.
2. Subject-matter, duration, and purpose
Subject-matter and purpose: Processing End-User Personal Data as needed to provide the AgeOnce age-verification service configured by the Controller, including OCR of ID documents, biometric face-matching and template generation, issuance of age-eligibility results, and fraud prevention.
Duration: For the term of the Merchant Terms and for any post-termination period required to complete return or deletion.
3. Nature of processing, types of data, and data subjects
Types of Personal Data processed by the Processor on behalf of the Controller may include:
- Identity signals extracted from ID documents during verification (such as date of birth used transiently to compute age-eligibility).
- Biometric data: facial geometry scans and the mathematical face templates derived from them, stored in protected form.
- Verification outcomes: age-eligibility flags (for example, over 16 / 18 / 21), timestamps, audit identifiers.
- Account identifiers linked to End Users (for example, email address from the authentication provider).
- Technical and security data: IP address, user agent, device signals used for fraud prevention.
4. Obligations of the Controller
The Controller:
- Has and will maintain an appropriate legal basis for the processing, including obtaining consent where required (for example, explicit consent for biometric processing under GDPR Art. 9(2)(a) and BIPA written release).
- Will provide End Users with the notices and information required by Data Protection Law.
- Warrants that its instructions to the Processor comply with Data Protection Law.
- Will not submit Personal Data that is outside the documented purpose of age verification.
5. Obligations of the Processor
The Processor will:
- Process Personal Data only on documented instructions from the Controller, including through the Platform configuration (for example, minimum age thresholds, allowed redirect URIs), unless required to do so by law, in which case the Processor will inform the Controller before processing unless prohibited by that law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures, as described in Annex II, having regard to the state of the art, the costs of implementation, and the risks to Data Subjects.
- Assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfill its obligation to respond to Data Subject requests.
- Assist the Controller in ensuring compliance with security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations under Data Protection Law.
- Make available to the Controller information reasonably necessary to demonstrate compliance and allow for audits as described in Section 10.
6. Sub-processors
The Controller grants the Processor general authorization to engage Sub-processors for the processing described in this DPA. Current Sub-processor categories are listed in Annex III. The Processor will impose data-protection obligations on each Sub-processor that are substantially similar to this DPA and remains liable to the Controller for the acts and omissions of its Sub-processors.
Changes: The Processor will give the Controller notice (through the Platform, by email, or by a public list) of new or replacement Sub-processors before they start processing. If the Controller has a reasonable data-protection objection to a new Sub-processor, the parties will work in good faith to resolve it; if they cannot, the Controller may terminate the affected Services as its sole remedy.
7. International data transfers
If Personal Data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision, the parties will rely on the SCCs, with the Processor as "data importer" and the Controller as "data exporter," plus the UK Addendum where applicable. The Processor's self-hosted OCR and face-recognition services are deployed in the region(s) it selects with its hosting provider and do not transmit Personal Data to any third-party OCR or face-recognition API.
8. Security measures (TOMs)
The Processor implements the technical and organizational measures set out in Annex II, including TLS in transit, encryption at rest for biometric templates, hashed secrets, row-level security, least-privilege access control, audit logging, and regular review of access rights.
9. Personal data breach
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting End-User Personal Data, and will provide information reasonably necessary to enable the Controller to meet its own notification obligations, including where feasible the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed.
10. Audits
On reasonable prior written request, and no more than once per year (except following a Personal Data Breach or a regulator request), the Processor will make available documentation needed to demonstrate compliance with this DPA. The parties agree to accept up-to-date third-party audit reports and certifications where available, and to limit on-site audits to what is strictly necessary, subject to confidentiality and to not disrupting the Platform or other customers.
11. Return or deletion of data
On termination or expiration of the Merchant Terms, the Processor will, at the Controller's choice, return or delete End-User Personal Data processed on its behalf, unless storage is required by law. Biometric templates held on behalf of End Users who continue to use AgeOnce with other merchants may remain in their own user records; templates tied solely to the Controller's integration will be deleted on request consistent with this Section and the Biometric Information Privacy Policy.
12. Data subject rights
The Processor will, to the extent legally permitted, promptly notify the Controller of a request it receives from a Data Subject to exercise their rights under Data Protection Law. The Processor will not respond to such a request except on the Controller's documented instructions or as required by law.
13. CCPA / CPRA terms
Where the Controller is a "business" and the Processor is a "service provider" under the CCPA/CPRA, the Processor will not (a) sell or share Personal Data, (b) retain, use, or disclose it for any purpose other than providing the services, including for a commercial purpose other than those specified in this DPA, or (c) combine it with Personal Data received from other sources, except as permitted by the CCPA/CPRA. The Processor certifies it understands and will comply with these restrictions.
14. Liability
Each party's liability under this DPA is subject to the limitation-of-liability provisions in the Merchant Terms. Nothing in this DPA excludes or limits liability to the extent it cannot be excluded or limited under Data Protection Law.
15. Conflict and termination
Conflict: In case of conflict between this DPA and the Merchant Terms or the Privacy Policy in respect of the processing of End-User Personal Data, this DPA prevails. The SCCs prevail over this DPA where they conflict.
Termination: This DPA terminates automatically with the Merchant Terms. Provisions that by their nature should survive will survive termination.
Annex I — Description of processing
- Controller: the Customer identified in the account or order form.
- Processor: AgeOnce.
- Data Subjects: End Users directed to the Platform by the Controller.
- Categories of Personal Data: as described in Section 3.
- Frequency: continuous for the term.
- Nature and purpose: age verification as configured by the Controller.
- Duration: for the term of the Merchant Terms and any post-termination return or deletion period.
Annex II — Technical and organizational measures
Summary of the measures the Processor applies:
- Encryption in transit (TLS) and encryption at rest for biometric templates; AES-256 where applicable.
- Hashed API secrets and authorization codes; no plaintext OAuth client secrets at rest.
- Strict access control: least-privilege for staff, Supabase row-level security, audit logging, and monitoring.
- Segregation of tenants through row-level policies and organization scoping.
- Self-hosted OCR and face-recognition services on infrastructure controlled by the Processor; no third-party recognition API receives Personal Data.
- Security monitoring (Sentry with PII minimization); regular review of dependencies and access rights.
- Backups with restricted access; incident-response procedure for Personal Data Breaches.
Annex III — Sub-processors
Current sub-processor categories (see Privacy Policy §7 for details and updates):
- Supabase — database, authentication, and storage.
- Cloud hosting / compute provider — runs the Processor's application servers and self-hosted OCR and face-recognition services.
- Stripe — payment processing for the Controller's billing (Stripe acts as an independent controller for payment data).
- Google — OAuth sign-in for End Users who choose it.
- Sentry — error and performance monitoring with PII minimization.