IDEnforcer
Data Processing Addendum

• “Controller” (also “Customer,” “Venue,” “you”) means the entity that has entered into a service agreement with IDEnforcer and determines the purposes and means of processing personal data through the Platform.
• “Processor” (also “IDEnforcer,” “we,” “us”) means ProSolutions Technology LLC, doing business as IDEnforcer, which processes personal data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person that IDEnforcer processes on the Controller’s behalf through the Platform.
• “Data Subject” means the individual to whom Personal Data relates (e.g., a patron whose ID is scanned at a venue).
• “Sub-processor” means a third party engaged by IDEnforcer to process Personal Data on behalf of the Controller. A current list is maintained at idenforcer.com/cloudSystem/subprocessors.php.
• “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including the California Consumer Privacy Act (CCPA), state biometric privacy statutes, and, to the extent applicable, the EU General Data Protection Regulation (GDPR).
• “Platform” means the IDEnforcer Cloud Portal, Bridge application, APIs, mobile components, and related services.

IDEnforcer processes Personal Data solely to provide the identity verification, fraud detection, access management, and venue security services described in the IDEnforcer Terms of Use and your service agreement.

Categories of Data Subjects:

• Patrons and visitors whose government-issued identification is scanned at venue entry points
• Individuals placed on venue ban lists or watchlists by the Controller

Categories of Personal Data:

IDEnforcer shall:

• Process Personal Data only on the Controller’s documented instructions, unless required by law to do otherwise, in which case IDEnforcer will notify the Controller before processing (unless prohibited by law)
• Ensure that persons authorized to process Personal Data have committed to confidentiality or are under a statutory obligation of confidentiality
• Implement and maintain appropriate technical and organizational security measures as described in Section 5
• Engage sub-processors only in accordance with Section 6 and the current Subprocessors List
• Assist the Controller in responding to Data Subject rights requests (access, correction, deletion) using the built-in Platform tools, or by forwarding requests received at support@idenforcer.com
• Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required
• Delete or return all Personal Data at the end of the service relationship, subject to the Controller’s configured retention period and any legal retention obligations
• Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA

The Controller (you) shall:

• Ensure that your use of the Platform and your instructions to IDEnforcer comply with all Applicable Data Protection Law
• Provide all required notices to Data Subjects (patrons) at venue entry points, including using the IDEnforcer Privacy Notice Generator where applicable
• Obtain any consents required under applicable biometric privacy or identification laws in your jurisdiction before scanning patron IDs
• Configure data retention periods that comply with your legal obligations
• Respond to Data Subject rights requests within the timeframes required by applicable law
• Notify IDEnforcer promptly if you become aware of any unauthorized access to the Platform through your account

IDEnforcer implements and maintains the following technical and organizational measures to protect Personal Data:

IDEnforcer infrastructure is hosted by IONOS (1&1 IONOS SE) with Cloudflare providing CDN and DDoS protection. See the Subprocessors List for details.

The Controller grants IDEnforcer general authorization to engage sub-processors to assist in providing the Platform services, subject to the following conditions:

• IDEnforcer maintains a current list of sub-processors at idenforcer.com/cloudSystem/subprocessors.php
• IDEnforcer will update the Subprocessors List at least 30 days before engaging a new sub-processor
• The Controller may object to a new sub-processor by notifying IDEnforcer in writing at support@idenforcer.com within 30 days of the update. If the objection cannot be resolved, the Controller may terminate the affected services
• IDEnforcer imposes data protection obligations on each sub-processor that are no less protective than those in this DPA
• IDEnforcer remains fully liable for the acts and omissions of its sub-processors

In the event IDEnforcer becomes aware of a personal data breach affecting Personal Data processed under this DPA, IDEnforcer shall:

• Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
• Provide the Controller with sufficient information to meet its own breach notification obligations, including:
  • Nature of the breach, including categories and approximate number of affected Data Subjects
  • Categories of Personal Data affected
  • Likely consequences of the breach
  • Measures taken or proposed to mitigate the breach
• Cooperate with the Controller’s investigation and remediation efforts
• Take reasonable steps to contain the breach and minimize any damage

IDEnforcer provides the Controller with built-in tools to respond to Data Subject rights requests, including:

• Access: Search and export a patron’s scan records and profile data
• Correction: Edit staff-entered notes and venue-assigned metadata
• Deletion: Delete individual patron records or bulk-purge data by date range
• Portability: Export scan records in standard formats (CSV, PDF)

If IDEnforcer receives a request directly from a Data Subject, IDEnforcer will promptly redirect the request to the Controller, unless legally required to respond directly.

Response timelines: 30 days (CCPA), 45 days (most state laws). The Controller is responsible for meeting applicable deadlines.

IDEnforcer’s primary infrastructure is hosted in the United States via IONOS. Personal Data is processed and stored within the United States.

Cloudflare may cache or route encrypted traffic through its global edge network for performance and security purposes. Cloudflare does not have access to decrypted Personal Data stored in the IDEnforcer application database.

If the Controller is subject to GDPR or similar cross-border transfer restrictions, the parties agree that this DPA incorporates Standard Contractual Clauses (Module Two: Controller to Processor) as published by the European Commission, to the extent required. The Controller may request a signed copy by emailing support@idenforcer.com.

To the extent the California Consumer Privacy Act (CCPA) applies:

• IDEnforcer is a “service provider” as defined by the CCPA and processes Personal Data solely for the business purposes specified in this DPA and the service agreement
• IDEnforcer does not sell or share (as defined by the CCPA) any Personal Data it processes on the Controller’s behalf
• IDEnforcer does not combine Personal Data received from the Controller with data received from other sources, except as permitted by the CCPA for service-provider activities
• IDEnforcer certifies that it understands these restrictions and will comply with them

The Controller may audit IDEnforcer’s compliance with this DPA by:

• Requesting and reviewing IDEnforcer’s then-current security documentation, audit logs, and compliance records
• Submitting written questions regarding IDEnforcer’s data processing practices, which IDEnforcer will respond to within 30 days
• Requesting an on-site or remote audit, conducted at the Controller’s expense, upon at least 30 days’ prior written notice and subject to reasonable scope, timing, and confidentiality requirements

IDEnforcer will cooperate with reasonable audit requests and provide the information necessary to demonstrate compliance.

This DPA takes effect when the Controller first accesses the Platform and remains in effect for as long as IDEnforcer processes Personal Data on the Controller’s behalf.

Upon termination of the service agreement:

• IDEnforcer will cease processing Personal Data on the Controller’s behalf, except as required by law
• The Controller may export data using the Platform’s built-in export tools during any post-termination wind-down period
• After the wind-down period (30 days unless otherwise agreed), IDEnforcer will securely delete all remaining Personal Data, unless retention is required by applicable law
• IDEnforcer will provide written confirmation of deletion upon request

Liability under this DPA is subject to the limitations set forth in the IDEnforcer Terms of Use.

This DPA is governed by the laws of the State of Indiana, United States, without regard to conflict of law principles.

In the event of any conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to data processing matters.