Data processing agreement (DPA) between GO.CAM and the Business Customer

1. Purpose of the Agreement

This Agreement sets out the terms on which GO.CAM, acting as a Data Processor, processes Personal Data on behalf of the Business Customer (the Data Controller), in the context of the GO.CAM Age Verification Service. It complements the Service Agreement and Users Terms & Conditions, and complies with:

• General Data Protection Regulation (GDPR – EU/UK)
• French Law No. 2020-936 (Articles 21–24)
• UK Online Safety Act (2023)

2. Definitions

Refer to the definitions contained in the Service Agreement and Users Terms & Conditions, including :

• End User : Natural person whose age is verified via GO.CAM
• Business Customer : Legal entity using the GO.CAM service for its website(s)
• End User Data : Any data collected temporarily for age verification purposes
• Age-Verification Methods : The four methods listed in clause 3 below

3. Nature and Purpose of Processing

GO.CAM processes data solely for the purpose of verifying that the End User has reached the Age of Majority.

Verification Methods available :

1. Facial recognition (live selfie check with algorithmic age estimation)
2. ID document check (scanned/uploaded government ID)
3. Card verification (last 4 digits of a credit/debit card)
4. Email + one-time code verification

All verification processes occur locally on the End User’s device. GO.CAM does not store, transmit or retain End User Data beyond the session.

4. Categories of Data Subjects and Data

• Subjects : End Users
• Personal Data categories :
  • Selfie image (not stored)
  • Identity document image (used only if method 2 is selected; deleted within session)
  • 4-digit credit/debit card fragment (method 3 only)
  • Email address (used only for method 4; not retained)
  • IP address and browser metadata (for fraud prevention
  • Outcome of verification (boolean only)

5. Data Retention and Deletion

• No End User Data is stored.
• Images, ID data, email addresses are automatically deleted at end of session.
• Only a signed, anonymised age verification token may be retained.
• Business Customer data is retained only for contractual or compliance purposes, in accordance with the Privacy Policy.
• Upon contract termination, data is deleted within 24h, with confirmation issued within 10 working days.

6. Roles and Responsibilities

• The Business Customer remains the Controller of End User Data.
• GO.CAM acts as Processor, except for pseudonymised age verification outcome data where it acts as independent Controller, without linking data to an identifiable person.

GO.CAM assists the Controller with compliance, but does not handle Data Subject Rights requests directly unless legally required.

7. Technical and Organizational Security Measures

GO.CAM ensures:

• All processing occurs locally on the user’s browser/device
• Communication is encrypted (TLS 1.3 or 2048-bit SSL)
• No PII is retained on GO.CAM infrastructure
• Datacenters (if applicable) are located in the EEA and ISO 27001 certified
• AI models are validated and bias-tested
• Internal access is logged and restricted

8. Sub-Processing

GO.CAM uses a limited number of sub-processors to perform specific technical functions in connection with the Age Verification Service. These sub-processors may include third-party service providers as well as affiliated companies within the same corporate group.

• All sub-processing activities are strictly limited to technical tasks required for the performance of the Service.
• External sub-processors are selected based on their compliance with GDPR and are contractually bound to data protection obligations equivalent to those in this DPA.
• Intra-group processing is conducted under GO.CAM’s direct control and within a shared governance framework.
• A list of sub-processors may be provided upon written request by the Business Customer.

GO.CAM uses a limited number of sub-processors to perform specific technical functions required for the Age Verification Service. These include:

• Technical services provided by affiliated companies within the same corporate group;
• External service providers, including Superlative Enterprises Pty Ltd (operator of HaveIBeenPwned.com), used exclusively to check whether an email address has appeared in a known data breach during the Email + Code verification method.

GO.CAM ensures that all sub-processors:

• Are subject to written data processing agreements imposing obligations equivalent to this DPA;
• Are assessed for compliance with applicable data protection laws;
• Only process data within the scope required for the Service, and for no longer than necessary;
• Do not retain or store the personal data provided by GO.CAM or its End Users.

9. International Transfers

While GO.CAM processes all End User Data locally and does not transmit personal data outside the EEA during the standard verification process, certain technical subprocessors may operate from outside the EEA. For instance, during Email + Code verification, a hashed email address may be sent to Superlative Enterprises Pty Ltd (Australia) for a one-time lookup through their HaveIBeenPwned service, which is hosted in the USA (Microsoft Azure – Western region).

In such cases, GO.CAM ensures :

• The use of Standard Contractual Clauses (SCCs) issued by the European Commission,
• Supplementary technical and organizational safeguards (such as pseudonymisation or encryption),
• Prior risk assessments to validate the level of protection,
• If data transfer outside the EEA becomes necessary, GO.CAM will use :
  • Standard Contractual Clauses (SCCs)
  • Supplementary measures
  • Prior notice and approval from the Business Customer

10. Audit and Assistance

• The Business Customer may request an annual audit with 30 days’ notice.
• GO.CAM agrees to provide reasonable assistance for:
  • Data protection impact assessments (DPIAs)
  • Demonstrating compliance
  • Responding to supervisory authorities

11. Personal Data Breaches

• In the event of a Personal Data Breach, GO.CAM will notify the Business Customer without undue delay, and within 72 hours at the latest.
• Notification will include: nature of breach, categories of data involved, likely consequences, and mitigation measures.

12. Termination and Return or Deletion of Data

Upon termination of the Service Agreement :

• GO.CAM shall delete or return all data (if any) unless retention is legally required.
• Written confirmation shall be provided within 10 working days.

13. Governing Law and Jurisdiction

• This Agreement shall be governed by French law.
• Jurisdiction is assigned to the Courts of Marseille, unless overriding local laws apply.

14. Final Provisions

• This DPA forms part of the Service Agreement.
• In case of conflict, this DPA prevails over other terms for data protection matters.
• This Agreement may be amended only in writing, signed by both Parties.

Date of last update: 26 May 2025

This DPA forms an integral part of the Service Agreement but does not constitute a separately signed document. It is accepted by reference as part of the contractual framework between the Parties.