TFH Integration Data Processing Addendum

Version: 1.0
Effective date: 5 June 2026
This Data Processing Agreement with its schedules (“DPA”) is incorporated into and forms part of the agreement (“Agreement”) between Tools for Humanity Corporation, a Delaware corporation (“TFH”) and you as the Integrator named in the Order Form (“Integrator”). In the event of a conflict between the Agreement and this DPA, the terms of the DPA will apply with respect to the subject matter set forth herein.
How This DPA Applies
Pursuant to the Agreement, TFH may from time to time process Personal Data (as defined below) for which Integrator may be a “Data Controller” as defined by Applicable Data Protection Law (as defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). When processing such Personal Data, TFH acts as a “Data Processor” as defined by Applicable Data Protection Law. This DPA applies only to TFH’s processing of Personal Data on behalf of Integrator in connection with the Deep Face Products, as set out in Section 10.2 of the Agreement.
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Integrator and TFH agree to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
The subject matter and duration of the processing are governed by the underlying Agreement. The rights and obligations of the controller are determined in this DPA in connection with the attached Standard Contractual Clauses and the Agreement.
Terms
1. Definitions
All capitalized words not defined below will have the meaning set forth in the Agreement.
1.1 “Applicable Data Protection Law” means privacy and data protection laws, regulations, and decisions by a supervisory authority or other governmental entity applicable to Integrator or TFH.
1.2 “DPA Effective Date” means the Effective Date of the Agreement.
1.3 “Permitted Business Purpose” means TFH's processing of Personal Data for: (i) providing and improving the Deep Face Products; (ii) ensuring the security, integrity, and continued functioning of the Deep Face Products; (iii) developing and improving TFH’s biometric verification technologies; (iv) producing anonymized or aggregated analytics; and (v) complying with applicable law.
1.4 “Personal Data” means all data which is (i) defined as ‘personal data’ or ‘sensitive data’ in the GDPR and (ii) provided by Integrator to TFH and accessed, stored, or otherwise processed by TFH pursuant to the Agreement.
1.5 “Processing”, “Data Controller,” “Data Subject,” “Supervisory Authority,” and “Data Processor” have the same meanings set forth in the GDPR.
1.6 “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
1.7 “Security Practices Summary” means summary documentation of TFH’s security practices (including without limitation third-party security attestations and certifications, as applicable) that TFH makes generally available to its customers, as updated by TFH from time to time. A copy of the Security Practices Summary, current as of the DPA Effective Date, is incorporated into Schedule II of this DPA.
1.8 “Subprocessor” means third-party subcontractors that TFH retains from time to time to provide services to TFH necessary for TFH to perform its obligations under the Agreement and that process personal data on behalf of TFH.
2. Applicability
This DPA applies regardless of when TFH or Integrator fall under the GDPR’s scope or the UK GDPR’s scope of application.
3. Processing of Personal Data
With respect to TFH’s processing of Personal Data on behalf of Integrator under this DPA, TFH will:
3.1 process Personal Data only for the purposes of providing the Deep Face Products, for the Permitted Business Purposes, and otherwise in accordance with Applicable Data Protection Law;
3.2 act only upon instructions from Integrator, including Integrator's instructions to correct, amend, delete or to stop processing Personal Data;
3.3 take all measures required to implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Data consistent with Applicable Data Protection Law, as described in the Security Practices Summary and updated from time to time; provided that TFH will not materially degrade the level of security in effect as of the DPA Effective Date;
3.4 disclose Personal Data only to those of TFH’s personnel who have a “need-to-know” in order to fulfill TFH’s obligations under the Agreement and who are subject to written confidentiality agreements that obligate them to use and protect such Personal Data as required under the Agreement and this DPA, and for no other purpose;
3.5 promptly notify Integrator upon TFH’s or its Subprocessors’ receipt of any request, dispute or claim directly from a Data Subject (including, without limitation, requests related to the exercise of that Data Subject’s rights under Applicable Data Privacy Law with respect to Personal Data), and refrain from responding to such request, dispute or claim unless Integrator has provided written consent to such response to TFH;
3.6 notify Integrator of any accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access of Personal Data that presents a material risk to the rights of data subjects (a “Data Breach”) or of any processing of Personal Data in a manner inconsistent with the terms of the Agreement and this DPA, with such notification given in accordance with Section 10.7 of the Agreement, and to provide reasonable assistance to Integrator with respect to any Data Breach (including without limitation cooperating with Integrator with respect to notification of Supervisory Authorities and communicating to Data Subjects regarding a Data Breach);
3.7 provide reasonable assistance to Integrator where processing performed by TFH is relevant to a data protection impact assessment being conducted by TFH;
3.8 promptly notify Integrator upon TFH’s or its Subprocessors’ receipt of any request for disclosure of Personal Data from a Supervisory Authority, government entity or court of law of a competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law);
3.9 promptly notify Integrator upon TFH’s or its Subprocessors’ determination that it can no longer meet its obligation to provide the level of protection to Personal Data required under the Agreement and this DPA;
3.10 take reasonable and appropriate steps to stop and remediate unauthorized processing, upon notice by Integrator, in the event Integrator has determined that TFH is no longer processing data in accordance with the Agreement and this DPA.
4. Standard Contractual Clauses
As of the DPA Effective Date, and with respect to all Personal Data Processed by TFH pursuant to the Agreement that is subject to the GDPR, TFH will comply with the obligations of the “data importer” and the obligations of the “data exporter” in the Standard Contractual Clauses. The information required by the Annexes to the Standard Contractual Clauses is set forth in Schedule I to this DPA. Pursuant to Clause 5(h) of the Standard Contractual Clauses:
4.1 Integrator acknowledges and agrees that TFH may retain Subprocessors for the purposes of providing services under the Agreement and hereby provides general authorization of the use of Subprocessors as described herein. In addition, Integrator hereby provides general authorization of the use of those Subprocessors engaged by TFH as of the DPA Effective Date.
4.2 Upon request from Integrator, TFH will provide Integrator a list of its then-current Subprocessors (the “Subprocessor List”). Integrator will have 10 business days after receipt of the Subprocessor List to provide written notice to TFH of any objections Integrator has with respect to one or more Subprocessors. TFH will have a commercially reasonable time after the receipt of any such objection to either (i) provide clarification to Integrator regarding the Subprocessor’s processing activities, security profile, and compliance with Applicable Data Protection Law, and thereafter receive Integrator’s authorization to use such Subprocessor (such authorization not to be unreasonably withheld) or (ii) make reasonable changes to TFH’s processing in order to accommodate the objection, and gain Integrator’s approval of such changes. If TFH is unable to comply with (i) or (ii), Integrator may terminate any services provided by TFH to Integrator that involve processing by Subprocessors to which Integrator has provided written objections.
4.3 TFH agrees to ensure that all Subprocessors are bound by contractual data protection obligations at least as stringent as those in this Agreement and will hold each processor fully liable to the controller for Subprocessors’ performance of such data protection obligations. Pursuant to Clause 5(j) of the Standard Contractual Clauses:
4.3.1 Integrator agrees that the copies of the Subprocessor agreements may be provided only upon reasonable request, and only once annually (unless requested by a Supervisory Authority).
4.3.2 Integrator agrees that such copies may be provided in summary form or, upon reasonable request from Integrator, in a form with all commercial information and clauses unrelated to data privacy and security redacted by TFH.
4.4 Pursuant to Clause 5(f), Clause 11, and Clause 12(2), an “audit” as described therein will be carried out as follows:
4.4.1 Upon written request by Integrator, and subject to the confidentiality obligations of the Agreement, TFH will make available to Integrator the security information TFH generally makes available to its auditors.
4.4.2 In the event an on-site review is required by a Supervisory Authority or is otherwise reasonably requested by Integrator, Integrator and TFH will mutually agree on the scope, timing, and duration of such on-site review. On-site audits will be carried out at Integrator’s expense.
4.5 Pursuant to Clause 12(1) of the Standard Contractual Clauses, certification of deletion of Personal Data will be conducted only upon Integrator’s request.
5. CCPA clause
TFH will not (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services for Integrator; (iii) retain, use, or disclose Personal Data for a commercial purpose other than providing the services for Integrator; (iv) retain, use, or disclose Personal Data outside of the direct business relationship between TFH and Integrator; or (v) combine the Personal Data with personal data that TFH receives from or on behalf of any other person, except as permitted by Applicable Data Protection Law or as instructed by Integrator.
6. UK-GDPR
6.1 In relation to transfers of Data protected by the UK GDPR, the EU Standard Contractual Clauses will apply to such transfers in accordance with Section 4 above with the following modifications:
6.1.1 The EU Standard Contractual Clauses shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between Integrator and TFH;
6.1.2 Any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
6.1.3 For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in Schedule I of this DPA; and
6.1.4 Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
6.2 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or the UK Addendum and, accordingly, if and to the extent any provision of the Agreement (including this DPA) conflicts with the Standard Contractual Clauses or UK Addendum, the latter shall prevail.
7. Miscellaneous
7.1 This DPA shall remain in full force and effect until the earlier of:
7.1.1 the expiration or termination of the Agreement; or
7.1.2 the mutual agreement of the parties to terminate.
7.2 In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will apply.
Schedule I
Processing of European Citizens Personal Data
A. LIST OF PARTIES
Data exporter(s):
Name: The Integrator named in the Order Form.
Address: As specified in the Agreement
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred under the Standard Contractual Clauses: Integrator uses the Deep Face Products provided by TFH under the Agreement.
Signature and date: As of the effective date of the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Tools for Humanity Corporation.
Address: As specified in the Agreement.
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred under the Standard Contractual Clauses: TFH provides the Deep Face Products to Integrator in accordance with the Agreement.
Signature and date: As of the effective date of this Agreement
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
  • End users of the Integrator Platform who submit to identity verification through the Deep Face Products.
Categories of personal data transferred (may include):
  • Facial images of the end users of Integrator Platform and certain metadata from the videoconference sessions, such as screen name of the participant, videoconference platform identifier, date and time of the verification.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
  • Facial images.
  • Safeguards: explicit consent is obtained from the data subject prior to processing in accordance with applicable biometric and privacy laws. Consent is obtained independently for TFH to provide the Deep Face product and for the Permitted Business Purposes. Data is also encrypted at rest and in transit.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
  • Data is transferred on a discrete basis when triggered by Integrator’s end users, once every 24 hours on a videoconferencing session.
Nature of the processing
  • TFH will process Personal Data to perform facial biometric verification of end users at the request of Integrator, including image quality checks and three-way matching to confirm the person presented in the videoconference session is in fact the human on the screen. In addition, TFH will process Personal Data for the Permitted Business Purposes as defined in Section 1 of this DPA, including the training, evaluation, and improvement of TFH's biometric verification models, and the production of anonymized or aggregated analytics.
Purpose(s) of the data transfer and further processing
  • TFH will transfer Personal Data to perform the biometric verification stated above to protect Integrator’s videoconference sessions from deep fakes and identity spoofing. In addition, TFH will process Personal Data for the Permitted Business Purposes as defined in Section 1 of this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
  • For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As specified above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses
  • The Bavarian Data Protection Supervisory Authority (BayLDA)

Schedule II
Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data
TFH maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of personal information as well as the associated risks, are appropriate to (a) the type of information that TFH will store as personal information; and (b) the need for security and confidentiality of such information. TFH’s security program is designed to:
  • Protect the confidentiality, integrity, and availability of personal information in TFH’s possession or control or to which TFH has access;
  • Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of personal information;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of personal information;
  • Protect against accidental loss or destruction of, or damage to, personal information; and
  • Safeguard information as set forth in any local, state or federal regulations by which TFH may be regulated.
Without limiting the generality of the foregoing, TFH’s security program includes:
1. Security Awareness and Training. Mandatory employee security awareness and training programs, which include:
  1. Training on how to implement and comply with its information security program; and
  2. Promoting a culture of security awareness.
2. Access Controls. Policies, procedures, and logical controls:
  1. To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
  2. To prevent those workforce members and others who should not have access from obtaining access; and
  3. To remove access on a timely basis in the event of a change in job responsibilities or job status.
3. Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the data centers housing personal information is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes.
4. Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any security breach of any application or system directly associated with the accessing, processing, storage or transmission of personal information.
5. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage personal information or production systems that contain personal information.
6. Audit Controls. Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.
7. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of personal information and to protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security. Security measures to guard against unauthorized access to personal information that is being transmitted over a public electronic communications network or stored electronically.
9. Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing personal information, taking into account available technology so that such data cannot be practicably read or reconstructed.
10. Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of its information security program, including:
  1. Designating a security official with overall responsibility; and
  2. Defining security roles and responsibilities for individuals with security responsibilities.
11. Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
12. Monitoring. Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:
  1. Reviewing changes affecting systems handling authentication, authorization, and auditing;
  2. Reviewing privileged access to TFH production systems processing personal information; and
  3. Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
13. Change and Configuration Management. Maintaining policies and procedures for managing changes TFH makes to production systems, applications, and databases processing personal information. Such policies and procedures include:
  1. A process for documenting, testing and approving the patching and maintenance of the TFH Service;
  2. A security patching process that requires patching systems in a timely manner based on a risk analysis; and
  3. A process for TFH to utilize a third party to conduct web application level security assessments. These assessments generally include testing, where applicable, for:
    1. Cross-site request forgery
    2. Services scanning
    3. Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
    4. XML and SOAP attacks
    5. Weak session management
    6. Data validation flaws and data model constraint inconsistencies
    7. Insufficient authentication
    8. Insufficient authorization
14. Program Adjustments. TFH monitors, evaluates, and adjusts, as appropriate, the security program in light of:
  1. Any relevant changes in technology and any internal or external threats to TFH or the personal information;
  2. Security and data privacy regulations applicable to TFH; and
  3. TFH's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to inform.
TFHWIDIA20260601