This U.S. Data Processing Addendum ("DPA") is between SNK Software Consulting LLC, doing business as Fctr Identity ("Fctr"), and the customer receiving the Fctr Identity Platform ("Customer"). For customer-controlled personal information, Customer acts as the business or controller and Fctr acts as its contracted service provider or processor. This DPA applies only when incorporated into an order form, master services agreement, the Terms of Service, or another agreement accepted by authorized representatives (the "Agreement"). If an executed agreement conflicts with this public DPA, the executed agreement controls.
1. Application
This DPA applies when Fctr processes Personal Data on Customer's behalf to provide, secure, support, or maintain the Service. Customer determines the business purpose and means of the relevant processing; Fctr processes the data only for the contracted business purposes described in the Agreement and Customer's documented instructions.
Each party will comply with applicable U.S. privacy and data-protection laws in its role. Customer is responsible for providing required notices, responding to individuals, and having the authority to direct Fctr to process the data.
2. Definitions
- Personal Data means personal data, personal information, or another equivalent term protected under applicable U.S. privacy law.
- Process or Processing means an operation performed on Personal Data.
- Individual means the consumer or other person to whom Personal Data relates.
- Service Provider or Processor means Fctr when it processes Personal Data on Customer's behalf for the contracted business purposes in the Agreement.
- Subprocessor means a third party engaged by Fctr to process Personal Data on Customer's behalf.
- Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Fctr.
3. Processing details
| Category | Standard processing |
|---|---|
| Subject matter | Providing identity verification and authorized identity-operations workflows through the Service. |
| Duration | The term of the Agreement plus the limited period necessary for deletion, legal obligations, and agreed retention. |
| Individuals | Customer personnel, contractors, operators, administrators, and other individuals whose accounts are handled through authorized support workflows. |
| Data categories | Workforce identifiers and directory attributes processed transiently; account, group, device, license, or activity context; enrolled-factor metadata and masked delivery destinations; verification results; limited workflow references; PII-masked support-action and audit metadata; and business contact information. |
| Operations | Retrieval, normalization, display, verification, transmission, authorized provider action, security monitoring, support, PII-masked audit logging, retention, and deletion. |
| Purpose | To provide, secure, maintain, support, and audit the Service according to Customer's documented instructions. |
The actual categories depend on the identity provider, features, integrations, and support actions Customer enables. The verification product does not persist customer workforce PII or create a separate workforce identity directory. Fctr does not intentionally request sensitive personal data beyond information necessary for a customer-enabled verification workflow.
4. Instructions & confidentiality
Fctr will process Customer Personal Data only on Customer's documented instructions, including the Agreement, configuration, authorized use of the Service, support requests, and written directions consistent with the Agreement. If Fctr believes an instruction violates applicable law, it will notify Customer unless prohibited by law.
Fctr will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive access only as necessary for their responsibilities.
5. Security measures
Taking into account the nature of the processing and available technology, Fctr maintains technical and organizational measures designed to protect Customer Personal Data. Standard measures include:
- encryption in transit and managed encryption for supported cloud data services;
- provider-backed operator authentication, protected browser sessions, and CSRF defense;
- backend-enforced roles, action policy, time-limited verification state, and least-privilege provider access;
- data minimization and restrictions against logging credentials, tokens, one-time codes, generated recovery values, or raw identity documents;
- structured, privacy-reviewed audit events for security-relevant workflows;
- input validation, secure headers, abuse controls, dependency review, and automated security testing; and
- managed cloud infrastructure with deployment-specific access, logging, network, and retention controls.
Additional or customer-specific measures may be documented in the Agreement or security-review materials.
6. Subprocessors & service providers
Customer authorizes Fctr to engage contracted subprocessors and service providers needed to provide the Service. Current standard product providers include:
| Provider | Purpose | Application |
|---|---|---|
| Google Cloud | Product hosting, managed data services, operational logging, and infrastructure security | Standard product delivery |
| Infobip | Transactional SMS or email delivery for supported verification and Verified ID workflows | Only when the applicable delivery feature is enabled |
Microsoft, Okta, and other systems connected using Customer's own tenant or account are customer-directed connected services and may be governed by Customer's separate agreement with those providers.
Fctr will contractually restrict each provider to the relevant business purpose and require appropriate confidentiality, security, and data-protection obligations. Fctr will make material provider changes available to affected customers and provide an opportunity to raise reasonable privacy or data-protection objections through the applicable contractual process.
7. Privacy requests
Taking into account the nature of processing, Fctr will provide reasonable assistance to Customer with verified requests from individuals exercising rights available under applicable U.S. law. If Fctr receives a request relating to Customer-controlled data, Fctr will direct the requester to Customer unless legally prohibited. Customer remains responsible for validating and responding to the request.
8. Compliance assistance
Fctr will provide information reasonably necessary to demonstrate compliance with this DPA and, taking into account the nature of processing and information available to Fctr, will reasonably assist Customer with U.S. privacy assessments and security inquiries required by applicable law.
Fctr may satisfy review requests through current policies, questionnaires, third-party reports, summaries, or other appropriate evidence. On-site audits, if required by law and not satisfied through available evidence, must be coordinated in advance, limited to relevant systems and records, preserve confidentiality, and avoid unreasonable disruption.
9. Security incidents
Fctr will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data. Notification will include information reasonably available to Fctr about the nature of the incident, affected data, likely consequences, and mitigation, as required by applicable law.
Fctr's notice or assistance is not an admission of fault or liability. Customer is responsible for notifications to regulators, individuals, or others unless applicable law assigns that obligation to Fctr.
10. Processing locations
Customer authorizes Fctr and its contracted service providers to process Customer Personal Data in the United States and other locations necessary to provide the Service, as described in the Agreement and applicable service-provider disclosures. The standard Fctr Identity Platform is offered as a U.S. SaaS service.
11. Return & deletion
Upon termination or Customer's valid request, Fctr will delete or return Customer Personal Data as required by the Agreement, except where retention is required by law or the data remains in managed backups subject to restricted access and ordinary expiration. Transient workflow state is designed to expire; operational, audit, contracting, and financial records follow the applicable documented retention schedule.
12. Liability & order of precedence
The limitations, exclusions, and remedies in the Agreement apply to this DPA. This DPA controls only with respect to its subject matter. An executed DPA amendment or order form controls over this online version; otherwise, the Agreement controls over inconsistent terms.
13. Contact
Questions about this DPA or requests for an executable version may be sent to:
606 Liberty Ave, Ste 300
Pittsburgh, PA 15222
support@fctr.io