Data Processing Addendum (DPA)

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed under the Agreement.
• “Controller” means the entity which determines the purposes and means of the processing of Personal Data. (In the context of our consumer service, that is typically us for the data you provide about yourself. In a business context, you might be the Controller and we the Processor if you are submitting third-party personal data to our Service.)
• “Processor” means the entity which processes Personal Data on behalf of the Controller. (Here, Anthropos City when acting on your instructions through the Service).
• “Applicable Data Protection Law” means all data protection and privacy laws applicable to the respective party’s processing of Personal Data under the Agreement, including GDPR and any local implementations, and similar laws such as the UK GDPR, CCPA (to the extent applicable in a controller-processor context), etc.

Other capitalized terms not defined herein shall have the meaning given to them in the main Terms of Service or Privacy Policy.

2. Details of Processing

• Subject Matter: Anthropos City’s provision of the Service to you, which involves processing of certain Personal Data as needed to provide features (e.g., if you upload or input personal data of individuals to our platform).
• Duration: For the duration of the Agreement (Terms of Service) between you and Anthropos City, until deletion of all Personal Data as described herein.
• Nature and Purpose: The nature of processing is the collection, storage, analysis, and such other operations as necessary to provide the Service’s functionality (which may include face recognition, avatar generation, etc.) to the Controller. The purpose of processing is determined by you as the Controller – generally to utilize Anthropos City’s Service for identity verification, avatar generation, community interaction, etc., as described in the Terms.
• Types of Personal Data: Could include identification data (e.g., facial images, biometric templates, email addresses), profile data (nicknames, avatars), contact information, online identifiers (IP, device ID), and any other data that users input. Special category data (biometric identifiers in facial images) is processed with explicit consent for the purpose of verification and personalization.
• Categories of Data Subjects: Individuals who use the Service or whose data is provided to the Service. This may include you (the end user) and any individuals who appear in data you submit (though our service is generally for personal use, not for uploading data about others). In a business context, this could be your end-users or employees if you are using our platform in that manner.

3. Obligations of Controller

You, as Controller, shall:

• a. Ensure that you have obtained all necessary consents or have another valid legal basis for the Personal Data you submit to the Service. For example, if you were to upload a photo of another person for processing, you must have that person’s consent or other legal justification (note: our normal use-case expects you to upload your own face only).
• b. Provide necessary privacy notices to Data Subjects whose data you process using our Service, if required by law.
• c. Comply with your protection obligations under Applicable Data Protection Law, including only giving us instructions that are lawful and in accordance with such laws.
• d. Remain responsible for your compliance and monitoring of Anthropos City’s performance under this DPA.

4. Obligations of Processor (Company)

We, as Processor, agree to:

• a. Act Only on Instructions: Process Personal Data only on documented instructions from you (the Controller). By using our Service and submitting data, your instructions are essentially to process the data to fulfill the functionalities of the Service. We will not use or process the data for any other purpose unless required by law. If a law requires us to process beyond your instructions, we will inform you (unless the law forbids such notice).
• b. Confidentiality: Ensure that all persons we authorize to process the Personal Data (including our employees and contractors) are under appropriate obligations of confidentiality.
• c. Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as outlined in our Privacy Policy’s security section. This includes measures to protect data against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. Specific measures include encryption, access controls, etc., as detailed above.
• d. Sub-Processors: We have your general authorization to engage sub-processors that are necessary for providing the Service (e.g., our cloud providers, biometric engine, etc. listed in the Privacy Policy). We will ensure each sub-processor is bound by data protection obligations similar to those in this DPA (per Article 28 GDPR requirements). We remain liable for sub-processors’ performance. We will provide notice of any intended changes to sub-processors (e.g., by updating our Privacy Policy or via email) and give you the opportunity to object for legitimate reasons. If you object and we cannot accommodate it, you may terminate the Service.
• e. Assistance with Data Subject Rights: Taking into account the nature of processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to Data Subjects’ requests to exercise their rights (access, rectification, erasure, restriction, portability, objection, etc.). For example, if a Data Subject contacts us, we will redirect them to you or assist in retrieving, correcting, or deleting their data in our systems as per your instruction.
• f. Assist with Compliance: We will also assist you in ensuring compliance with other applicable obligations (Art. 32-36 GDPR), such as helping with security of processing (we provide detailed info on measures for you to assess), breach notifications (we will notify you without undue delay if we become aware of a personal data breach affecting your data so you can fulfill any reporting duties), data protection impact assessments (we provide necessary info about our processing upon request), and prior consultations with authorities if needed.
• g. Breach Notification: As stated, if we discover a data breach on our side that affects Personal Data subject to this DPA, we will notify you promptly (within 72 hours at most, sooner when feasible) with sufficient information to help you meet any obligations to notify authorities or individuals. Our notification will include known details of the breach, likely consequences, and measures taken or proposed.
• h. Deletion or Return of Data: Upon termination or expiration of our Agreement, at your choice and to the extent feasible, we will delete or return all Personal Data processed on your behalf, and delete existing copies, unless storage is required by law. (Our standard is to delete user data as described in the Privacy Policy; we can also export certain data for you upon request prior to deletion).
• i. Audits: We will make available to you all information necessary to demonstrate compliance with our obligations under Article 28 GDPR and allow for and contribute to audits or inspections. We acknowledge your right to audit our processing of your Personal Data. However, to avoid unnecessary exposure of data or disruption, we may require audits to be conducted by an independent third party under confidentiality, during normal business hours, with reasonable notice. Alternatively, we may demonstrate compliance through third-party certifications and audit reports (e.g., SOC 2, ISO 27001) or by providing detailed documentation. You agree to consider those in satisfaction of audit requirements where possible. Any audits will be at your expense unless the law says otherwise.
• j. International Transfers: For any transfers of Personal Data from the EEA/UK/Switzerland to outside those areas, we agree to abide by the Standard Contractual Clauses (SCCs) which are hereby incorporated into this DPA by reference. [If needed, we will attach the full text of controller-processor SCCs as an annex.] Where the SCCs apply, Anthropos City is the “data importer” and you are the “data exporter.” We will comply with the obligations of the data importer, and you with those of the data exporter. If required, we will also implement additional safeguards to ensure an equivalent level of data protection as required by EU law. If any transfer mechanism is invalidated or insufficient, we will work with you in good faith to adopt an alternative valid solution.

5. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability in the main Terms of Service or Agreement. You (Controller) shall indemnify and hold us harmless for any fines or legal liabilities arising from your failure to comply with your obligations under data protection laws.

6. Duration and Termination

This DPA becomes effective upon your acceptance of the Terms of Service and remains in effect as long as we process Personal Data on your behalf. Termination of the main Agreement will trigger termination of this DPA. Sections relating to data protection that by their nature should survive (confidentiality, return/deletion, etc.) shall survive.

7. Miscellaneous

In case of any conflict between the main Terms and this DPA regarding data protection, this DPA prevails. If any provision of this DPA is invalid under applicable law, it shall be deemed modified to the minimum extent necessary to make it valid, or if cannot be, then severed, without affecting the remainder. This DPA is governed by the same law and jurisdiction as the main Agreement unless required otherwise by applicable Data Protection Law.

By using the Service in a manner that involves providing personal data for processing, you are deemed to have signed and accepted this DPA as of the effective date of the Agreement. If you need a signed copy, please contact us.