Data Processing Addendum

Last updated: 06.08.2024

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between Proofly ("Proofly AI", "Company", "we", "us", or "our") and the customer agreeing to these terms ("Customer"). This DPA reflects the parties' agreement on the processing of Personal Data in accordance with applicable Data Protection Laws.

1. DEFINITIONS

1.1. "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.

1.2. "CCPA" means the California Consumer Privacy Act.

1.3. "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR, the UK GDPR, the CCPA, the UAE Data Protection Laws (including the DIFC Data Protection Law 2020 and the ADGM Data Protection Regulations 2021), the Saudi Arabia Personal Data Protection Law, the QFC Regulations and the Swiss Federal Act on Data Protection, depending on the jurisdiction of data processing.

1.4. "Data Subject" means an identified or identifiable natural person.

1.5. "GDPR" means the General Data Protection Regulation (EU) 2016/679 and the UK GDPR.

1.6. "Personal Data" means any information relating to a Data Subject processed by Proofly AI on behalf of Customer.

1.7. "Processing" means any operation performed on Personal Data.

1.8. "Subprocessor" means any processor engaged by Proofly AI to process Personal Data.

1.9. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission.

1.10. "QFC Regulations" means the QFC Data Protection Regulations 2021.

1.11. Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement. Proofly AI will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Proofly AI's obligations and Customer's rights under this DPA will continue in effect so long as Proofly AI Processes Customer Personal Data.

1.12. "UAE Data Protection Laws" include, but are not limited to, the data protection laws of the UAE (including DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021) and Saudi Arabia (including Personal Data Protection Law), depending on the jurisdiction of data processing.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge that with regard to the processing of Personal Data, Customer is the controller and Proofly AI is the processor.

2.2. Customer's Processing of Personal Data. Customer shall, in its use of the Services, process Personal Data in accordance with Data Protection Laws. Customer's instructions for the processing of Personal Data shall comply with Data Protection Laws.

2.3. Proofly AI's Processing of Personal Data. Proofly AI shall process Personal Data only for the purposes described in this DPA and the Agreement, and in accordance with Customer's documented instructions, unless required otherwise by applicable law.

2.4. Details of the Processing. The subject-matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are set forth in Annex 1 to this DPA.

2.5. AI Processing Details. Proofly AI utilizes advanced AI, including deep learning models, for deepfake detection. The processing of Personal Data by AI systems includes:

  • Conversion of user data (images) into vector representations for deepfake detection.

  • Analysis of user image data for identifying patterns and anomalies indicative of manipulation or forgery.

  • Processing of visual data to determine the authenticity of images.

  • Continuous learning and model updates based on user interactions and new data to improve detection accuracy.

  • Generation of authenticity scores and reports.

3. RIGHTS OF DATA SUBJECTS

3.1. Data Subject Requests. Proofly AI shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject's rights under Data Protection Laws. If Proofly AI receives a Data Subject Request in relation to Customer Personal Data, Proofly AI will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request.

3.2. Assistance to Customer. Proofly AI shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Proofly AI's assistance and (ii) Proofly AI is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Proofly AI.

3.3. Response Time. Proofly AI shall respond to Data Subject requests within 30 days, with the possibility of extension for up to 60 days in complex cases.

3.4. Proofly AI commits to respecting the rights of Data Subjects as provided by Data Protection Laws, including but not limited to the rights of access, rectification, and erasure of data.

3.5. Right to Erasure via Self-Service. Data Subjects may exercise their right to erasure ("right to be forgotten") by using the self-service data deletion functionality provided within the Proofly AI platform.

4. PROOFLY AI PERSONNEL

4.1. Confidentiality. Proofly AI shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.

4.2. Reliability. Proofly AI shall take reasonable steps to ensure the reliability of any Proofly AI personnel engaged in the processing of Personal Data.

4.3. Limitation of Access. Proofly AI shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Agreement.

5. SUBPROCESSORS

5.1. Appointment of Subprocessors. Customer acknowledges and agrees that Proofly AI may engage third-party Subprocessors in connection with the provision of the Services.

5.2. List of Current Subprocessors. Proofly AI shall make available to Customer the current list of Subprocessors for the Services at proofly.ai/legal/subprocessors. This list shall include the identities of those Subprocessors and their country of location. Proofly AI shall update this list promptly with any changes.

5.3. Notification of New Subprocessors. Proofly AI shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to process Personal Data in connection with the provision of the applicable Services.

5.4. Changes to Subprocessors. Proofly AI maintains an up-to-date list of Subprocessors. Proofly AI may update this list from time to time. It is Customer's responsibility to check this list periodically for any changes. Customer's continued use of the Services after an update to the Subprocessor list constitutes acceptance of the new Subprocessor(s). If Customer has a reasonable basis to object to Proofly AI's use of a new Subprocessor, Customer shall notify Proofly AI promptly in writing within 30 business days after checking the updated Subprocessor list. In the event of such an objection, Proofly AI will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Proofly AI is unable to make available such change within a reasonable period of time, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Proofly AI without the use of the objected-to new Subprocessor by providing written notice to Proofly AI.

5.5. Liability. Proofly AI shall be liable for the acts and omissions of its Subprocessors to the same extent Proofly AI would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

6. SECURITY

6.1. Security Measures. Proofly AI shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described in Annex 2 to this DPA.

6.2. Third-Party Certifications and Audits. Proofly AI has obtained the third-party certifications and audits set forth in Annex 2 to this DPA. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Proofly AI shall make available to Customer a copy of Proofly AI's then most recent third-party audits or certifications, as applicable.

6.3. Proofly AI shall maintain transparent privacy notices and make them easily accessible to Data Subjects.

6.4. Proofly AI Personnel. Proofly AI personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Proofly AI's confidentiality and privacy policies.

6.5. AI-Specific Security Measures

  • Implement measures to ensure the accuracy, robustness, and cybersecurity of AI systems as per Article 15 of the EU AI Act, and in line with UAE regulations on AI security.

  • Regular testing and validation of AI models to prevent biases and ensure fairness. This includes regular audits specifically designed to identify and mitigate any potential biases in the deepfake detection algorithms.

  • Implementation of kill-switch mechanisms for immediate halting of AI processing if necessary.

  • Continuous monitoring of AI system outputs for anomalies or unexpected behaviors.

7. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

7.1. Notification. Proofly AI shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent known to Proofly AI at that time, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned. Proofly AI shall also notify the DIFC Data Protection Office and the ADGM Registration Authority of any serious breaches as required by the UAE Data Protection Laws, and shall comply with all other applicable breach notification requirements established by local Data Protection Laws, including notifying the relevant supervisory authorities in the UAE and Saudi Arabia where applicable.

7.2. Assistance to Customer. Proofly AI shall provide reasonable assistance to Customer in the handling and documentation of Personal Data Breaches.

8. RETURN AND DELETION OF CUSTOMER DATA

8.1. Deletion or Return of Data. Proofly AI shall, at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

8.2. Self-Service Data Deletion. Proofly AI provides a self-service mechanism, accessible through the user interface, allowing Customer and authorized users to permanently delete their data, including uploaded images, videos, and associated metadata, at any time. Upon initiating the deletion process, all relevant data will be irreversibly removed from Proofly AI's systems, subject to limitations outlined in section 8.1.

8.3. Confirmation of Deletion. Upon successful completion of the data deletion process initiated by the Customer or authorized user, Proofly AI shall provide a confirmation message to the user verifying that the data has been permanently removed.

8A. AI MODEL MANAGEMENT

8A.1. Proofly AI shall maintain detailed records of AI model versions, training data used, and significant updates.

8A.2. Upon request, Proofly AI shall provide Customer with information about the AI models used in processing their data, including general descriptions of model architecture and key features. This information will be provided to the extent that it does not compromise Proofly AI's intellectual property or trade secrets.

8A.3. Proofly AI shall implement procedures for regular evaluation of AI model performance, including checks for potential biases or unfair outcomes.

8A.4. In the event of significant changes to AI models that may affect data processing, Proofly AI shall notify Customer and, if necessary, conduct a new Data Protection Impact Assessment.

8B. RECORDS OF PROCESSING ACTIVITIES

8B.1. Proofly AI shall maintain detailed records of processing activities in accordance with applicable Data Protection Laws, including the UAE Data Protection Laws and the QFC Regulations. Upon request, Proofly AI shall make these records available to the relevant supervisory authorities, such as the DIFC Data Protection Office, the ADGM Registration Authority, or the Saudi Data and Artificial Intelligence Authority (SDAIA), as applicable.

9. TRANSFERS OF PERSONAL DATA

9.1. Standard Contractual Clauses. The Standard Contractual Clauses shall apply to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data. The Standard Contractual Clauses shall not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.

9.2. For transfers to countries not recognized as adequate by QFC, Proofly AI shall implement appropriate safeguards as required by QFC Regulations.

9.3. Supplementary Measures. In respect of any transfer of Personal Data outside the EEA, UK, or Switzerland, Proofly AI shall implement appropriate supplementary measures as required by applicable Data Protection Laws to ensure an adequate level of protection for the Personal Data.

9.4. For data transfers to or from the UAE and Saudi Arabia, Proofly AI commits to complying with all applicable local requirements for cross-border data transfers, including obtaining necessary approvals from relevant authorities if required.

10. LIMITATION OF LIABILITY

10.1. To the extent permitted by applicable law, any liability arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

10.2. Each Party's liability, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement.

10.3. Any reference to the liability of a Party means the total liability of that Party and all of its affiliates under the Agreement and this DPA together.

11. LEGAL EFFECT

This DPA shall only become legally binding between Customer and Proofly AI when fully executed in accordance with the formalities set out in the Agreement. If Customer has previously executed a data processing addendum with Proofly AI, this DPA supersedes and replaces such prior data processing addendum.

12. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

12.1 Systematic Description of Processing

In addition to the details provided in Annex 1, Proofly AI conducts the following types of processing:

  • Collection and storage of user profile data, including names, contact information (if provided by the Customer), and the images uploaded for analysis.

  • Analysis of user image data and deep learning-based analysis for deepfake detection purposes.

  • Processing of technical data related to the uploaded images and the analysis process for the purpose of providing the deepfake detection service.

  • Handling of user-generated content, such as feedback and reports related to the service.

  • No payment information is processed by Proofly AI directly, as this is handled by secure third-party payment processors.

  • Analysis of user data for personalized recommendations and service improvements.

12.2 Assessment of Necessity and Proportionality

Proofly AI has assessed the adequacy, relevance, and necessity of the processing activities described above and has determined that:

  • The processing is necessary for providing our core deepfake detection services, enhancing user experience, ensuring platform security, and complying with legal obligations.

  • The amount and types of data collected are proportionate to the purposes of processing.

  • Data retention periods are limited to what is necessary for the stated purposes.

  • User consent is obtained for all non-essential data processing activities, particularly related to service improvements and personalized recommendations.

  • Data minimization principles are applied to ensure only necessary data is collected and processed.

  • Regular reviews are conducted to ensure ongoing relevance and necessity of processed data.

12.3 Assessment of Risks to Data Subjects

Proofly AI has identified the following potential risks to the rights and freedoms of data subjects:

  • Unauthorized access to personal data due to security breaches.

  • Misuse of personal data by Proofly AI employees or third-party contractors.

  • Data loss or corruption due to technical failures.

  • Unwanted disclosure of analysis results to unauthorized parties.

  • Profiling leading to discriminatory treatment or exclusion from services (although the primary purpose of the service is deepfake detection, this risk is considered in the context of service improvements).

12.4 Measures to Address Risks

In addition to the security measures described in Annex 2, Proofly AI implements the following measures to address the identified risks:

  • For unauthorized access: Implementation of advanced encryption techniques, regular security audits, and intrusion detection systems.

  • For misuse of personal data: Strict access controls, employee background checks, and comprehensive data handling training for all staff.

  • For data loss or corruption: Regular data backups, disaster recovery plans, and use of redundant systems.

  • For unwanted disclosure: Strict access controls and authorization mechanisms to ensure that only authorized users can access the analysis results.

  • For profiling risks: Regular algorithmic audits to detect and mitigate potential biases, and providing users with control over their data used for profiling (where applicable).

12.5 AI Risk Assessment

Proofly AI has conducted a thorough risk assessment of its AI systems, focusing on:

  • Potential impacts on user privacy and data protection.

  • Risks of bias or discrimination in AI-driven deepfake detection.

  • Transparency and explainability of AI decision-making processes.

  • Measures to ensure human oversight and intervention in AI processes.

12.6 Ongoing AI Monitoring

Proofly AI commits to:

  • Continuous monitoring of AI system performance and outputs.

  • Regular audits of AI decision-making processes.

  • Periodic reassessment of AI risks as systems evolve and improve.

  • Maintaining open communication channels with users for feedback on AI-driven features.

13. CONFLICT OF TERMS

13.1. In the event of any conflict or inconsistency among the following documents, the order of precedence will be:

(1) the applicable terms in the Standard Contractual Clauses;
(2) the terms of this DPA; and
(3) the Agreement.

13.2. No provision in the Agreement shall be construed to reduce, limit, or otherwise negatively affect any of Proofly AI's obligations or Customer's rights under this DPA or the Standard Contractual Clauses.

13.3. In case of doubt, the interpretation that provides the highest level of data protection and security for Personal Data shall prevail.

14. COOPERATION WITH SUPERVISORY AUTHORITIES

14.1. Proofly AI shall cooperate, on request, with the supervisory authority in the performance of its tasks.

14.2. Proofly AI shall promptly notify Customer if it receives a request from a supervisory authority in connection with Customer Personal Data, unless prohibited by applicable law.

14.3. If a supervisory authority requires an audit of the data processing facilities from which Proofly AI processes Customer Personal Data in order to ascertain or monitor Customer's compliance with Data Protection Laws, Proofly AI shall cooperate with such audit, subject to appropriate confidentiality obligations.

14.4. Proofly AI commits to cooperating with relevant supervisory authorities in the UAE and Saudi Arabia, including but not limited to the DIFC Data Protection Administration, ADGM Registration Authority, and Saudi Data and Artificial Intelligence Authority (SDAIA), in accordance with applicable law.

15. CONTINUOUS IMPROVEMENT

Proofly AI is committed to continuously improving its data protection and security measures. Proofly AI shall regularly review and update its practices, policies, and technical measures to ensure ongoing compliance with Data Protection Laws and industry best practices.

16. AI TRANSPARENCY AND USER RIGHTS

16.1. Proofly AI shall provide clear information to users about the use of AI in its services, including how AI influences deepfake detection results and any related recommendations.

16.2. Users shall have the right to:

  • Receive explanations of significant AI-driven decisions affecting their experience, particularly regarding the assessment of an image as a potential deepfake.

  • Contest AI-generated results and request human review.

  • Opt-out of certain AI-driven features while retaining access to core services (where applicable).

  • Access and correct data used by AI systems for decision-making.

  • Delete their data through the self-service functionality provided within the Proofly AI platform.

16.3. Proofly AI shall maintain a user-friendly interface for exercising these rights and shall respond to user requests within 30 days.

List of Annexes:

ANNEX 1: DETAILS OF PROCESSING

Nature and Purpose of Processing: Proofly AI will process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by Customer in its use of the Services. Specifically, Proofly AI processes data to detect and analyze potentially manipulated or forged images (deepfakes) using artificial intelligence technologies.

Duration of Processing: Proofly AI will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects:

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Customers, business partners, and vendors of Customer (who are natural persons)

  • Employees or contact persons of Customer's customers, business partners, and vendors

  • Employees, agents, advisors, and freelancers of Customer (who are natural persons)

  • Customer's users authorized by Customer to use the Services

  • Individuals whose images are uploaded to the Proofly AI platform for deepfake analysis.

Type of Personal Data: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name (if provided by the Customer)

  • Contact information (company, email, phone) (if provided by the Customer)

  • ID data (if provided by the Customer)

  • Image data (including facial images) uploaded for deepfake detection. This may include metadata embedded within the image files (e.g., EXIF data such as camera model, geolocation, date and time of capture).

  • Technical data related to the uploaded images and the analysis process, such as image hashes, vector representations, and intermediate data generated during the deepfake detection process.

Additional Processing Details:

Proofly AI will also conduct the following types of processing:

  • Analysis of user image data and deep learning-based analysis for deepfake detection purposes

  • Processing of technical data related to the uploaded images and the analysis process.

  • Handling of user-generated content, such as feedback and reports related to the service.

  • Analysis of user data for personalized recommendations and service improvements.

ANNEX 2: SECURITY MEASURES

Proofly AI maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer's Personal Data, including the measures described in this Annex 2.

1. Information Security Program

Proofly AI maintains a written information security program that includes:

  • Network security

  • Platform security

  • System and application security

  • Data security

  • Information security processes

2. Physical Access Controls

  • Physical access to facilities where data is processed is limited to authorized personnel.

  • Proofly AI offices are protected by appropriate access control systems.

  • Authorized individuals enter Proofly AI facilities using electronic access cards.

3. System Access Controls

  • Role-based access controls are implemented to ensure access to systems processing Personal Data is provisioned on a need-to-know and least privilege basis.

  • Unique user accounts are created for authentication.

  • For any access to systems that process Personal Data, multi-factor authentication is enabled.

4. Data Access Controls

  • Access to Customer Data is restricted to authorized personnel who require such access to perform their job function.

  • If required by law, Proofly AI can restrict visibility of Customer Data based on the country of origin.

  • Proofly AI personnel do not access Customer Data, except when required to provide customer support, troubleshoot the Services, or comply with legal requirements.

5. Transmission Controls

  • Proofly AI uses industry standard transport encryption protocols for the transfer of any Personal Data.

  • Data in transit to and from the Services is encrypted using TLS 1.2+.

6. Input Controls

  • Proofly AI implements detective controls to identify unauthorized changes to Personal Data.

  • Application and infrastructure systems log information to centrally managed log management systems for audit and analysis.

7. Availability Controls

  • Proofly AI replicates data over multiple systems to help protect against accidental destruction or loss.

  • Proofly AI has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

8. Subprocessor Security

Before onboarding Subprocessors, Proofly AI conducts an audit of the security and privacy practices of Subprocessors to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.

9. Personnel

  • Proofly AI personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

  • Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Proofly AI's confidentiality and privacy policies.

10. AI-Specific Security Measures

  • Regular security testing and vulnerability assessments of the AI systems are performed.

  • Access to AI models and training data is strictly controlled and monitored.

  • Audit trails are maintained for all activities related to the AI systems.