Data Processing Agreement

RCDevs YumiPass Privacy Policy
Data Processing Agreement under Article 28 GDPR

Last updated: June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between:

The Customer
the legal entity or organization entering into an agreement with Yumipass for the use of the Services,
the “Controller” or “Customer”,

and

RCDevs Security SA
1 Boulevard du Jazz
4370 Esch-sur-Alzette
Luxembourg
the “Processor” or “Yumipass”.

Together, the “Parties”.

This DPA governs the processing of personal data by Yumipass on behalf of the Customer in connection with the provision of the Yumipass platform and related services.

For the purposes of the GDPR, where Yumipass processes personal data on behalf of the Customer, the Customer acts as controller and Yumipass acts as processor.

01

Definitions

For the purposes of this DPA:

“Applicable Data Protection Laws” means the GDPR and any other data protection or privacy laws applicable to the processing of personal data under this DPA.

“Customer Data” means any personal data processed by Yumipass on behalf of the Customer in connection with the Services.

“Data Subject”, “Personal Data”, “Processing”, “Controller”, “Processor”, “Personal Data Breach” and “Supervisory Authority” have the meanings given to them under the GDPR.

“GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation.

“Services” means the Yumipass SaaS platform and related services, including digital identity verification, authentication, account recovery, MFA recovery, step-up authentication, identity verification before electronic signature, API access, mobile application services, integrations and Proof Package generation.

“Sub-processor” means any third-party processor engaged by Yumipass to process Customer Data on behalf of the Customer.

02

Purpose of this DPA

This DPA sets out the conditions under which Yumipass processes personal data on behalf of the Customer in connection with the Services.

The Services may include:

  • digital identity verification;
  • KYC or identity verification workflows;
  • authentication;
  • account recovery;
  • MFA recovery;
  • step-up authentication;
  • verification before electronic signature;
  • Proof Package generation;
  • IAM integrations;
  • API access;
  • mobile application services;
  • platform administration;
  • technical support;
  • security monitoring.

This DPA is intended to satisfy the requirements of Article 28 GDPR, which requires processing by a processor to be governed by a contract or other legal act setting out, among other things, the subject matter, duration, nature, purpose, types of personal data, categories of data subjects and obligations of the controller and processor.

03

Roles of the Parties

3.1 Customer

The Customer acts as controller where it determines the purposes and essential means of the processing carried out through Yumipass.

The Customer is responsible for determining:

  • the purpose of the identity verification or authentication process;
  • the legal basis for the processing;
  • the Article 9 GDPR condition for biometric data, where applicable;
  • the categories of individuals subject to verification;
  • the accepted identity documents;
  • the verification checks enabled;
  • the retention periods;
  • access rights to results and Proof Packages;
  • the consequences of a verification result;
  • whether human review or alternative procedures are required;
  • whether a Data Protection Impact Assessment is required.

3.2 Yumipass

Yumipass acts as processor where it processes Customer Data on behalf of and under the documented instructions of the Customer.

Yumipass processes Customer Data only to the extent necessary to provide the Services, unless required otherwise by applicable law.

Yumipass may act as controller for limited processing activities carried out for its own purposes, including general platform security, business administration, billing, legal compliance and defence of legal claims. Such processing is governed by the Yumipass Privacy Policy.

04

Description of Processing

4.1 Subject matter

The subject matter of the processing is the provision of the Yumipass platform, which enables remote identity verification, authentication, account recovery, MFA recovery, step-up authentication, verification before electronic signature, mobile identity workflows and generation of identity evidence.

4.2 Nature of processing

The processing may include:

  • collection;
  • receipt;
  • extraction;
  • reading;
  • recording;
  • structuring;
  • analysis;
  • comparison;
  • verification;
  • validation;
  • cryptographic verification;
  • storage;
  • hosting;
  • logging;
  • transmission;
  • making available;
  • deletion;
  • anonymization or pseudonymization, where applicable.

4.3 Purposes of processing

The purposes of processing are determined by the Customer and may include:

  • identity verification;
  • authentication;
  • KYC workflows;
  • account recovery;
  • MFA recovery;
  • access control;
  • user onboarding;
  • verification before electronic signature;
  • fraud prevention;
  • generation of Proof Packages;
  • audit and traceability;
  • security monitoring;
  • integration with IAM systems.

4.4 Duration of processing

Yumipass processes Customer Data for the duration of the agreement with the Customer, and thereafter in accordance with the Customer’s documented instructions regarding deletion, return, retention or anonymization.

Unless otherwise agreed, Customer Data will be deleted or anonymized within 30 days after termination of the Services, subject to legal retention obligations and backup deletion cycles.

Backup copies may remain for a limited period after deletion from production systems and will be protected against further active processing, except where restoration is required for security, continuity or legal reasons.

05

Categories of Data Subjects

The data subjects may include:

  • end users of the Customer;
  • employees of the Customer;
  • contractors of the Customer;
  • customers of the Customer;
  • signatories;
  • administrators;
  • customer representatives;
  • users invited to complete an identity verification;
  • users performing authentication, account recovery or MFA recovery;
  • users interacting with the Yumipass mobile application.

06

Categories of Personal Data

Depending on the Customer configuration and enabled features, Yumipass may process the following categories of Customer Data.

6.1 Identity data

  • first name;
  • last name;
  • date of birth;
  • nationality;
  • issuing country;
  • information appearing on an official identity document.

6.2 Document data

  • document type;
  • document number;
  • issuing country;
  • issue date;
  • expiry date;
  • document images, where applicable;
  • MRZ data;
  • CAN or document access code data, where applicable;
  • data extracted by OCR;
  • NFC chip data, where available;
  • cryptographic verification results;
  • document authenticity results.

6.3 Biometric data

  • selfie;
  • facial image from the identity document;
  • technical data used for facial comparison;
  • face matching scores;
  • liveness detection results;
  • anti-spoofing indicators.

The Parties acknowledge that biometric data may constitute a special category of personal data under Article 9 GDPR where processed for the purpose of uniquely identifying or authenticating an individual.

6.4 Technical and security data

  • IP address;
  • device identifiers;
  • mobile device information;
  • session identifiers;
  • browser data;
  • operating system data;
  • technical environment data;
  • logs;
  • timestamps;
  • request metadata;
  • security events;
  • audit trails;
  • crash logs;
  • diagnostic data.

6.5 Administrator and integration data

  • administrator name;
  • professional email address;
  • organization;
  • role;
  • access rights;
  • login history;
  • actions performed in the administration console;
  • API usage data;
  • authentication metadata;
  • integration metadata.

6.6 Result and evidence data

  • verification status;
  • OCR result;
  • NFC result;
  • biometric result;
  • liveness result;
  • risk score or indicator;
  • decision status, including Approved, Rejected or Review Required;
  • Proof Package;
  • audit metadata;
  • transaction identifiers.

07

Obligations of the Customer

The Customer shall:

  1. process personal data in accordance with the GDPR and Applicable Data Protection Laws;
  2. ensure that its use of Yumipass is lawful, necessary and proportionate;
  3. identify an appropriate legal basis for each processing activity;
  4. identify an appropriate Article 9 GDPR condition where biometric data is processed;
  5. provide all required information notices to data subjects;
  6. ensure that data subjects are informed about the use of Yumipass, the categories of data processed and the consequences of the verification process;
  7. configure the Services in accordance with the principles of data minimization, purpose limitation and storage limitation;
  8. define appropriate retention periods;
  9. determine whether human review or alternative procedures are required;
  10. respond to data subject requests;
  11. conduct a Data Protection Impact Assessment where required;
  12. ensure that its instructions to Yumipass are lawful;
  13. ensure that use of Yumipass is appropriate for the relevant jurisdiction, sector and use case;
  14. ensure that it has appropriate authority to submit or cause personal data to be submitted to Yumipass;
  15. not instruct Yumipass to process personal data in a manner that would violate Applicable Data Protection Laws.

08

Obligations of Yumipass

Yumipass shall:

  1. process Customer Data only on documented instructions from the Customer;
  2. inform the Customer if, in Yumipass’s opinion, an instruction infringes the GDPR or other Applicable Data Protection Laws;
  3. ensure that persons authorized to process Customer Data are subject to confidentiality obligations;
  4. implement appropriate technical and organizational security measures;
  5. assist the Customer with data subject requests, insofar as possible and taking into account the nature of the processing;
  6. assist the Customer with security obligations, personal data breach notifications, DPIAs and prior consultations, where applicable;
  7. delete or return Customer Data at the end of the Services, according to the Customer’s instructions;
  8. make available information reasonably necessary to demonstrate compliance with this DPA;
  9. allow for and contribute to audits under the conditions set out in this DPA or the main agreement;
  10. impose appropriate data protection obligations on authorized Sub-processors.

09

Documented Instructions

The Customer’s documented instructions include:

  • the main agreement;
  • this DPA;
  • the applicable order form or subscription terms;
  • platform configuration settings;
  • verification policies configured by the Customer;
  • API instructions;
  • administration console instructions;
  • written instructions provided by the Customer.

Yumipass shall not process Customer Data for purposes other than those documented, unless required by applicable law.

Where Yumipass is required by law to process Customer Data outside the Customer’s instructions, Yumipass shall inform the Customer before such processing, unless the law prohibits such information on important grounds of public interest.

10

Confidentiality

Yumipass shall ensure that persons authorized to process Customer Data:

  • are subject to confidentiality obligations;
  • access Customer Data only to the extent necessary for their duties;
  • receive appropriate information or training regarding data protection and security;
  • are subject to internal access controls and authorization processes.

11

Security Measures

Yumipass shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.

Such measures may include:

  • encryption of communications;
  • encryption of stored data;
  • dedicated encryption keys for documents, where applicable;
  • access controls;
  • role-based permissions;
  • strong authentication for administrative access;
  • individual user accounts for authorized personnel;
  • VPN or equivalent secure access mechanisms where appropriate;
  • tenant separation;
  • separation of testing and production environments;
  • logging of access and administrative actions;
  • security monitoring;
  • vulnerability management;
  • firewall protection;
  • anti-virus or endpoint protection;
  • regular server updates;
  • backup procedures;
  • incident response procedures;
  • limitation of internal access on a need-to-have basis;
  • periodic penetration testing by third parties;
  • use of data centers with appropriate security certifications, including ISO 27001 where applicable.

Yumipass states in its Privacy Policy that it uses measures including two-factor authentication, VPN, individual accounts, activity logging, separation of test and production environments, encryption, firewalls, anti-virus protection, third-party penetration tests and certified data centers.

Further details are set out in Annex 2 — Technical and Organizational Measures.

12

Sub-processors

The Customer grants Yumipass a general written authorization to engage Sub-processors for the provision of the Services.

Yumipass shall:

  1. maintain an up-to-date list of Sub-processors;
  2. make the Sub-processor list available through its website or customer documentation;
  3. inform the Customer of any intended addition or replacement of Sub-processors;
  4. give the Customer the opportunity to object on reasonable data protection grounds within 30 days of notification;
  5. impose data protection obligations on Sub-processors that are substantially equivalent to those set out in this DPA;
  6. remain liable to the Customer for the performance of its Sub-processors’ data protection obligations.

The current Sub-processor list is set out in Annex 3.

Yumipass’s public Sub-processor list currently includes AWS, Microsoft, Cloudflare, Okta, SendGrid/Twilio, Stripe, GitHub, Google Firebase and OVHcloud.

13

International Transfers

Yumipass shall not transfer Customer Data outside the European Economic Area unless an appropriate transfer mechanism is in place under Applicable Data Protection Laws.

Such mechanisms may include:

  • an adequacy decision;
  • Standard Contractual Clauses;
  • supplementary technical and organizational measures;
  • another valid transfer mechanism under the GDPR.

Yumipass’s Privacy Policy states that personal data is hosted exclusively within the EU and that, with its sub-processors, the selected processing location is within the EU, subject to limited exceptions necessary to provide the services or comply with law. It also notes that users or recipients may access the service remotely from outside the EU/EEA.

The Customer acknowledges that certain Sub-processors may involve possible international transfers depending on the service, support model, configuration or customer deployment region, as indicated in Annex 3.

14

Assistance with Data Subject Rights

Yumipass shall assist the Customer, insofar as possible and taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under Applicable Data Protection Laws.

If Yumipass receives a data subject request directly concerning processing carried out on behalf of the Customer, Yumipass shall:

  • not respond on the merits unless instructed by the Customer;
  • forward the request to the Customer or invite the data subject to contact the Customer;
  • reasonably cooperate with the Customer.

The Customer remains responsible for responding to data subject requests where it acts as controller.

15

Personal Data Breaches

Yumipass shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data processed on behalf of the Customer.

Where feasible, Yumipass shall provide such notification within 48 hours after becoming aware of the Personal Data Breach.

The notification shall include, to the extent available:

  • the nature of the breach;
  • the categories and approximate number of affected data subjects;
  • the categories and approximate number of affected records;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach;
  • the relevant contact point.

Yumipass shall reasonably cooperate with the Customer in investigating, mitigating and remediating the breach.

The Customer remains responsible for notifying the competent supervisory authority and affected data subjects where required by law.

16

Data Protection Impact Assessment and Prior Consultation

Yumipass shall reasonably assist the Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities where required by Applicable Data Protection Laws.

Given that the Services may involve identity documents, authentication data, technical logs, NFC verification and biometric checks, the Customer should assess whether a DPIA is required before deploying Yumipass in a specific use case.

17

Deletion or Return of Customer Data

At the end of the agreement or upon documented instruction from the Customer, Yumipass shall delete or return Customer Data processed on behalf of the Customer, unless applicable law requires retention.

Unless otherwise agreed, Yumipass shall delete or anonymize Customer Data from production systems within 30 days after termination or expiration of the Services.

Backup copies may be retained for up to 90 days after deletion from production systems, provided that such copies are protected against further active processing and are deleted in accordance with Yumipass’s backup lifecycle.

Deletion may be implemented through:

  • manual deletion;
  • automatic deletion;
  • expiry based on configured retention periods;
  • deletion of Proof Packages;
  • deletion of verification data;
  • deletion or minimization of biometric data;
  • deletion of logs, subject to security and compliance constraints.

18

Audits

Yumipass shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits may be conducted through:

  • documentary review;
  • security reports;
  • compliance questionnaires;
  • certifications, where available;
  • summaries of penetration tests or security assessments;
  • remote audit meetings.

On-site or technical audits may be conducted only where reasonably necessary, subject to:

  • at least 30 days’ prior written notice;
  • confidentiality obligations;
  • reasonable scope and duration;
  • non-disruption of the Services;
  • protection of other customers’ data;
  • protection of Yumipass’s security-sensitive information;
  • performance during normal business hours;
  • no more than one audit per calendar year, unless required due to a material security incident or by a supervisory authority.

The Customer shall bear its own audit costs and shall reimburse Yumipass for reasonable costs incurred in connection with audits that exceed standard documentary review, unless otherwise required by law.

19

Processing by Yumipass as Controller

This DPA does not apply to processing for which Yumipass acts as controller.

Such processing may include:

  • general platform security;
  • Yumipass account administration;
  • billing;
  • commercial management;
  • legal compliance;
  • defence of legal claims;
  • prevention of abuse affecting Yumipass;
  • business communications;
  • website analytics and cookies, where applicable.

Such processing is governed by the Yumipass Privacy Policy.

20

Liability

Each Party is responsible for complying with its own obligations under the GDPR and Applicable Data Protection Laws.

The Customer is responsible for:

  • the lawfulness of its instructions;
  • the legal basis for processing;
  • the Article 9 GDPR condition, where applicable;
  • information provided to data subjects;
  • use of verification results;
  • consequences of access, rejection, review, onboarding, account recovery or authentication decisions.

Yumipass is responsible for complying with its obligations as processor and implementing the measures set out in this DPA.

Any limitation of liability agreed in the main agreement shall apply to this DPA, unless prohibited by Applicable Data Protection Laws.

21

Order of Precedence

In the event of a conflict between this DPA and the main agreement, this DPA shall prevail with respect to data protection matters, unless expressly agreed otherwise by the Parties.

In the event of a conflict between this DPA and the Standard Contractual Clauses, where applicable, the Standard Contractual Clauses shall prevail with respect to international transfers.

Annex 1

Detailed Description of Processing

Item | Description
Service | Yumipass digital identity verification, authentication and identity evidence platform
Controller | Customer
Processor | Yumipass / RCDevs Security SA
Data subjects | End users, employees, customers, signatories, administrators, customer representatives, users invited to verify their identity
Purposes | Identity verification, authentication, account recovery, MFA recovery, electronic signature verification, KYC, Proof Package generation, security and auditability
Identity data | Name, date of birth, nationality, document information
Document data | Document type, number, expiry, images where applicable, OCR, MRZ, CAN, NFC data
Biometric data | Selfie, document facial image, face comparison, liveness results, scores
Technical data | IP address, device ID, mobile identifiers, logs, timestamps, metadata, crash logs
Results | Approved, Rejected, Review Required, Proof Package
Duration | Duration of the agreement; thereafter deletion or anonymization according to Customer instructions and applicable retention settings
Hosting location | European Union / European Economic Area, with OVHcloud France listed as infrastructure provider
Sub-processors | As listed in Annex 3

Annex 2

Technical and Organizational Measures

Yumipass implements technical and organizational measures designed to ensure a level of security appropriate to the risk.

1. Encryption

  • TLS encryption for communications;
  • encryption of stored data;
  • encryption of documents with dedicated keys, where applicable;
  • controlled key management;
  • secure handling of sensitive verification data.

2. Access Control

  • individual accounts for authorized personnel;
  • role-based access control;
  • strong authentication;
  • two-factor authentication where appropriate;
  • VPN or equivalent secure access mechanisms where appropriate;
  • access granted on a need-to-have basis;
  • approval process for access rights;
  • periodic access review;
  • access revocation procedures.

3. Environment Separation

  • separation of testing and production environments;
  • no transfer of production data to testing environments unless specifically authorized and protected;
  • segregation of customer tenants;
  • logical isolation controls.

4. Logging and Monitoring

  • activity logging;
  • access logs;
  • administration logs;
  • security logs;
  • event timestamps;
  • monitoring of system usage and security events;
  • investigation of suspicious activity.

5. Infrastructure Security

  • firewall protection;
  • anti-virus or endpoint protection;
  • regular server updates;
  • vulnerability management;
  • secure configuration of servers;
  • backups;
  • restoration procedures;
  • data center security controls.

6. Testing and Assurance

  • regular security testing;
  • penetration tests performed by third parties;
  • remediation of identified vulnerabilities;
  • use of certified data centers, including ISO 27001 where applicable.

7. Confidentiality and Training

  • confidentiality obligations for authorized personnel;
  • security awareness;
  • data protection awareness;
  • limited access to Customer Data;
  • internal approval process for support access.

8. Data Minimization

  • collection limited to data necessary for the configured verification process;
  • customer-configurable verification policies;
  • limitation of biometric data processing to the relevant verification purpose;
  • deletion or anonymization according to retention settings.

Annex 3

Sub-processors

The following Sub-processors are listed by Yumipass as of the date of this DPA.