Data Processing Addendum

TokenWorks, Inc.
Last Updated: April 8, 2026

PREAMBLE

This Data Processing Addendum (“DPA”) is made a part of the Master Services Agreement (“Agreement”) between the party accepting this DPA or accessing or using the Services (“Customer”) and TokenWorks, Inc. (“TokenWorks”).

By accepting the Agreement or by accessing or using the Services, Customer is bound by the terms and conditions of this DPA. In the event of any conflict between the terms of the Agreement and the terms of this DPA with respect to the processing of Personal Data, the terms of this DPA shall control. Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Agreement.

1. DEFINITIONS

In addition to other terms defined in this DPA, the following definitions apply:

“Aggregate Consumer Information”

means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household.

“Business”

means a sole proprietor, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or nonprofit benefit of its shareholders or other owners, that collects consumers’ personal information and determines the means and purposes of the processing of consumers’ personal information.

“Business Purpose”

means the use of consumers’ personal information for TokenWorks’ operational purposes or other notified purposes, as reasonably necessary and proportionate to achieve stated operational purposes, including fraud prevention, security, access management, age verification, and identity verification, but not for a commercial purpose or to the extent prohibited by applicable Data Protection Law.

“Commercial Purpose”

means using consumers’ personal information to analyze, predict, and improve marketing effectiveness or identify or communicate with consumers for marketing purposes.

“Consumer”

means a natural person who is a resident of the applicable jurisdiction and whose personal information is collected in the context of the Services, excluding natural persons acting as employees, owners, directors, officers, or contractors of a business to the extent that collection is in such capacity.

“Controller”

means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data as referred to in Data Protection Law.

“Data Protection Law”

means any law, regulation, or other applicable legal requirement relating to privacy, security, data protection, or the protection of personal information, including: (i) laws of the United States of America, including the California Consumer Privacy Act as amended by the California Privacy Rights Act and regulations or guidance issued thereunder; (ii) laws of the European Union, European Economic Area, or United Kingdom including the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the UK General Data Protection Regulation; the Swiss Federal Data Protection Act; and (iii) laws of any other relevant jurisdiction as may be applicable to the Services or the parties’ relationship, and any successor to or replacement of any of the foregoing.

“Data Subject”

means any data subject, consumer, or identified or identifiable natural person whose personal data is processed by TokenWorks on behalf of Customer, as that term is defined in applicable Data Protection Law.

“Deidentified Information”

means information that cannot identify a particular consumer or household, and the business or service provider that maintains the information:

  • Has implemented technical and organizational measures that reasonably prevent re-identification of the consumer or household;
  • Commits contractually not to attempt re-identification;
  • Commits contractually not to transfer the deidentified information to any third party except where permitted by law; and
  • Commits to and implements technical and organizational measures to prevent any service provider from identifying the consumer or household.

“Personal Data”

means any Customer Data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular Data Subject or household.

“Personal Information”

has the meaning given to it in the CCPA and other applicable Data Protection Laws.

“Process,” “Processing,” or “Processed”

means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor”

means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Controller as referred to in Data Protection Law.

“Security Incident”

means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by TokenWorks.

“Sell”

means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating consumers’ personal information by a business to another business or a third party for monetary or other valuable consideration.

“Service Provider”

means a natural or legal person, public authority, agency or any other body that processes Personal Data on behalf of a business in accordance with Data Protection Law.

“Share”

means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating consumers’ personal information by a business to a third party for cross-context behavioral advertising.

“Subprocessor”

means a subcontractor engaged by TokenWorks or by another Subprocessor to process Personal Data on behalf of Customer.

“Supervisory Authority”

means an independent public authority designated for the purpose of monitoring compliance with Data Protection Law.

“Third Party”

means a natural or legal person, public authority, agency or body, other than the Data Subject, Controller, Processor, or persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

2. DATA PROCESSING

2.1 Role and Scope of Processing

This DPA applies to the processing of Personal Data by TokenWorks on behalf of Customer. TokenWorks shall act as a processor or service provider (as defined in applicable Data Protection Law) with respect to Personal Data, and Customer shall act as a controller or processor to another person with respect to such Personal Data.

2.2 Documented Instructions

Customer instructs TokenWorks to process Personal Data only: (i) as detailed in this DPA and in Schedule 1 hereto, and in accordance with the terms of the Agreement; and (ii) upon receipt of other written instructions from Customer that are consistent with the terms of this DPA and the Agreement, unless processing is required by applicable law. If a requirement of applicable law obligates TokenWorks to process Personal Data other than on the instructions of Customer, TokenWorks shall, to the extent permitted by applicable law, notify Customer of that legal requirement before performing such processing.

2.3 CCPA Obligations

The obligations in this Section 2.3 apply only with respect to Personal Information that is subject to the California Consumer Privacy Act or applicable state laws.

2.3.1 Limited Use. Customer makes Personal Data available to TokenWorks for the business purposes identified in Schedule 1. TokenWorks agrees to:

  • Use Personal Data only for the limited and specified business purposes set forth in Schedule 1 and not for any commercial purpose;
  • Provide the same level of privacy protection to Personal Data as required by Data Protection Law;
  • Grant Customer the right to take reasonable and appropriate steps under Section 8 to ensure TokenWorks’ compliance with this DPA;
  • Notify Customer if it is no longer able to meet its obligations under this DPA;
  • Grant Customer the right to stop TokenWorks’ processing of Personal Data and to remediate any unauthorized processing;
  • Not sell Personal Data of any Data Subject, as that term is used in Data Protection Law;
  • Not share Personal Data of any Data Subject for cross-context behavioral advertising, as that term is used in Data Protection Law;
  • Not retain, use, or disclose Personal Data provided by or on behalf of Customer for any purpose other than the specific business purposes set forth in Schedule 1, including any commercial purpose, or as otherwise permitted by Data Protection Law;
  • Not retain, use, or disclose Personal Data outside of the direct business relationship with Customer or as otherwise permitted by Data Protection Law; and
  • Not combine Personal Data received from or on behalf of Customer with Personal Data received from other sources, except as permitted by Data Protection Law.

2.4 Customer Responsibilities

Customer represents, warrants, and covenants that:

  • Customer is solely responsible for the accuracy, quality, and legality of all Personal Data provided to TokenWorks;
  • Customer has obtained all necessary rights, consents, and privileges to provide Personal Data to TokenWorks;
  • Customer has complied with all applicable Data Protection Laws in collecting, processing, and transferring Personal Data to TokenWorks;
  • Customer shall not provide sensitive categories of Personal Data to TokenWorks, including health information, sex life information, information about children, or financial account information, unless Customer has expressly authorized such data in Schedule 1. With respect to biometric data (including but not limited to face images or other identifying biological or physiological characteristics), Customer represents that it has provided all required notices and disclosures to Data Subjects and obtained all necessary consents as required by applicable biometric privacy laws;
  • Customer’s instructions and the Personal Data provided by Customer shall not cause TokenWorks to violate any applicable Data Protection Law.

2.5 Deidentified and Aggregate Information

Notwithstanding anything to the contrary, TokenWorks may use and retain Deidentified Information and Aggregate Consumer Information for purposes of analytics, improving the Services, and other business purposes in accordance with Data Protection Law and without restriction, provided that such information cannot identify any particular Data Subject.

3. SECURITY

TokenWorks shall implement and maintain appropriate security procedures and practices designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, taking into account the nature of the Personal Data, the potential risks of Processing, and the technical and organizational measures available. TokenWorks shall implement the minimum technical and organizational measures outlined in Schedule 2. TokenWorks shall ensure that all such measures are monitored on a regular basis and shall not materially decrease the level of security without prior notification to Customer. TokenWorks shall ensure that any natural persons who are authorized to process Personal Data have committed to confidentiality or are under an appropriate legal obligation of confidentiality.

4. SECURITY INCIDENTS

TokenWorks shall notify Customer without undue delay, and in any case no later than as required by applicable Data Protection Law, upon becoming aware of any Security Incident. TokenWorks shall make reasonable efforts to identify the cause of the Security Incident and take all reasonable steps necessary to remediate the Security Incident within a reasonable timeframe and as may be required by law. TokenWorks shall provide Customer with accurate and complete information regarding the Security Incident and shall cooperate fully with Customer’s investigation and remediation efforts.

5. SUBPROCESSORS

5.1 General Authorization

Customer hereby authorizes TokenWorks to engage Subprocessors to process Personal Data on behalf of Customer. TokenWorks shall provide Customer with a current list of authorized Subprocessors via our Trust Center (available at tokenworks.com or idscanner.com), which TokenWorks shall update as necessary.

5.2 Subprocessor Agreements

TokenWorks shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those contained in this DPA with respect to the protection of Personal Data.

5.3 Changes to Subprocessors

TokenWorks shall provide notice of any new Subprocessor or replacement of any existing Subprocessor at least 10 days before engaging such Subprocessor by updating the Subprocessor List available at our Trust Center. If Customer objects to the engagement of a new or replacement Subprocessor on reasonable grounds relating to data protection by providing written notice to TokenWorks within 10 days of notification, TokenWorks shall use commercially reasonable efforts to make available to Customer a substantially equivalent alternative arrangement that does not require processing by the objected-to Subprocessor. If TokenWorks is unable to do so within 30 days of Customer’s objection, Customer may terminate the affected Services without penalty by providing written notice to TokenWorks.

5.4 Liability for Subprocessors

TokenWorks shall be fully liable to Customer for the failure of any Subprocessor to fulfill its data protection obligations. TokenWorks shall be liable to the same extent as if TokenWorks had performed the obligations that the Subprocessor failed to perform.

6. DATA SUBJECT REQUESTS AND SUPERVISORY AUTHORITY COOPERATION

6.1 Notification of Requests

TokenWorks shall promptly notify Customer of any request from a Data Subject or a Supervisory Authority regarding Personal Data. TokenWorks shall not respond to such requests without the prior written authorization of Customer unless required to do so by applicable law.

6.2 Assistance with Requests

TokenWorks shall, to the extent reasonably practicable, provide Customer with such assistance as Customer may reasonably request in order to fulfill Data Subject requests and to comply with requests from Supervisory Authorities, including requests regarding access, deletion, correction, and data portability. TokenWorks shall provide such assistance at Customer’s expense, unless otherwise required by Data Protection Law. TokenWorks may not be able to fulfill requests to the extent that doing so would interfere with any legal obligation, legal process, or third-party rights of TokenWorks.

6.3 Additional Assistance

TokenWorks shall, to the extent reasonably practicable, assist Customer with:

  • Conducting Data Protection Impact Assessments and prior consultations with Supervisory Authorities as required by Data Protection Law;
  • Responding to enquiries from Supervisory Authorities regarding the processing of Personal Data; and
  • Ensuring compliance with Customer’s obligations under Data Protection Law relating to the security, breach notification, and transfer of Personal Data.

6.4 Mutual Assistance

Each party shall provide reasonable assistance to the other party in carrying out the obligations imposed on such other party by Data Protection Law.

7. RETURN AND DELETION OF PERSONAL DATA

Upon Customer’s request or upon termination or expiration of the Agreement, TokenWorks shall, at Customer’s election, either return or securely delete (in a manner that renders the data unrecoverable) all Personal Data and existing copies thereof that TokenWorks has collected or created in the course of providing the Services to Customer, unless applicable law requires TokenWorks to retain such Personal Data. Where TokenWorks is required to retain Personal Data by any applicable law, regulation, or court order, TokenWorks shall securely isolate and protect such Personal Data from further processing except as required by applicable law. TokenWorks shall provide written confirmation of the return or deletion of Personal Data upon Customer’s request.

8. AUDIT RIGHTS

8.1 Audit Scope

TokenWorks shall allow and fully cooperate with reasonable audits and inspections by Customer or Customer’s designated third-party auditor to the extent required by Data Protection Law. Such audits shall be conducted on a reasonable basis and at reasonable intervals, provided that in no event shall audits be conducted more frequently than once per year, unless otherwise required by law, and shall be limited to facilities and systems used by TokenWorks for processing Personal Data on behalf of Customer.

8.2 Audit Procedures

Any such audits shall be conducted:

  • Upon at least 30 days’ prior written notice to TokenWorks;
  • During TokenWorks’ normal business hours;
  • Without access to any other customer data or systems; and
  • By any third-party auditor mutually agreed upon in writing by the parties, who shall be bound by a written confidentiality agreement that protects TokenWorks’ confidential information and trade secrets.

8.3 Alternative Audit Method

As an alternative to audits under Sections 8.1 and 8.2, Customer may accept annual audits conducted by an independent third-party auditor using widely accepted frameworks such as SOC 2 Type II or an equivalent standard. TokenWorks shall provide results of such audits to Customer upon request. The cost of any third-party audit shall be borne by Customer unless otherwise required by Data Protection Law.

8.4 Confidentiality of Audit Information

Audit information shall be considered TokenWorks’ confidential information and shall be subject to the confidentiality obligations contained in the Agreement.

8.5 DPA Audits

All audits conducted in connection with this DPA shall be carried out in accordance with the procedures outlined in this Section 8.

9. DATA TRANSFERS

9.1 Transfer of Personal Data

Customer acknowledges and agrees that Personal Data may be stored and processed in the United States and in any other country where TokenWorks or its Subprocessors maintain facilities. By providing Personal Data to TokenWorks, Customer consents to the transfer of such Personal Data outside of the country in which it was collected.

9.2 GDPR Transfers

To the extent that Personal Data is subject to the European Union General Data Protection Regulation (Regulation 2016/679), TokenWorks and Customer shall rely upon the Standard Contractual Clauses (as adopted by EU Decision 2021/914) for the transfer of such Personal Data to the United States or other countries. The Standard Contractual Clauses shall apply as follows:

  • Customer shall be treated as the data exporter, and TokenWorks shall be treated as the data importer;
  • Module Two shall apply to transfers where Customer is a controller;
  • Module Three shall apply to transfers where Customer is a processor;
  • The optional docking clause (Clause 7) shall apply;
  • Clause 9, Option 2 shall apply, with the timeframe for objections as set forth in Section 5 of this DPA;
  • The optional language in Clause 11 shall not apply;
  • Clause 17 shall be governed by the laws of Ireland;
  • Clause 18 shall provide for resolution of disputes in the courts of Ireland;
  • Annex I shall include the details of the Customer and TokenWorks as set forth in the Agreement and this DPA;
  • Annex II shall include the technical and organizational measures set forth in Schedule 2; and
  • Annex III shall include the Subprocessor information available in our Trust Center.

9.3 UK GDPR Transfers

To the extent that Personal Data is subject to the UK General Data Protection Regulation or UK Data Protection Act 2018, the Standard Contractual Clauses referenced in Section 9.2 shall apply, supplemented by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office. In the event of any conflict between the Standard Contractual Clauses and the UK Addendum, the UK Addendum shall prevail.

10. LIABILITY

To the maximum extent permitted by applicable law, each party’s total liability arising under or related to this DPA shall be subject to the disclaimers, limitations of liability, and other provisions contained in the Agreement.

11. MODIFICATION

TokenWorks may modify this DPA by posting a modified version or by providing written notice by email to Customer. Such modifications shall become effective upon the date specified by TokenWorks or, if no date is specified, upon Customer’s continued access to or use of the Services after such modification is posted or delivered. Customer may not modify this DPA.

SCHEDULE 1: DETAILS OF PROCESSING ACTIVITIES

Processing Activity Element: Details

Subject Matter: Personal Data collected, processed, and stored by TokenWorks on behalf of Customer

Duration of Processing: Processing shall continue until: (i) Customer requests TokenWorks to stop processing; (ii) this DPA or the Agreement expires or is terminated; or (iii) the Personal Data is no longer necessary to fulfill the purposes specified herein

Categories of Data Subjects:

  • End users of Customer
  • Customer personnel and agents
  • Customer’s customers, business partners, vendors, and their personnel and agents
  • Other authorized natural persons

Categories of Personal Data:

  • First and last name
  • Mailing address and geographic location information
  • Age, date of birth, and age verification
  • Gender
  • Height and weight
  • Veteran status
  • Government identification numbers (driver’s license, passport, state ID, etc.)
  • IP address and IP-based location
  • Device information (operating system, device make and model)
  • Phone number
  • Web analytics and usage data
  • Face image and video data (selfies and other identifying images)
  • Identifying communications (email address, text messages, phone calls)

Sensitive Data: Any data identified in the “Categories of Personal Data” above that constitutes sensitive personal data under applicable Data Protection Law

Frequency of Transfer: Continuous throughout the duration of the Agreement and provision of Services

Nature of Processing: The Services as described in the Agreement, which may include: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, transmission, and disclosure of Personal Data

Purpose of Processing: To provide the Services to Customer as described in the Agreement

Business Purpose (CCPA):

  • Performing services on behalf of Customer
  • Fraud prevention and security
  • Access management and authentication
  • Age verification and identity verification
  • Other operational purposes as permitted by Data Protection Law

Location of Processing: Global, including the United States and Subprocessor jurisdictions as identified in the Trust Center

Retention Period: TokenWorks may retain Personal Data throughout the duration of the Agreement and thereafter where applicable law requires TokenWorks to retain such data, or where retention is necessary for TokenWorks’ legal obligations or third-party rights, subject to the provisions of this DPA

Subprocessors: Transfers of Personal Data to Subprocessors shall be conducted in accordance with the obligations and procedures set forth in Section 5 of this DPA. The current list of authorized Subprocessors is available at our Trust Center

SCHEDULE 2: TECHNICAL AND ORGANIZATIONAL MEASURES

TokenWorks shall implement and maintain the following minimum technical and organizational measures to protect Personal Data:

1. Physical and Environmental Security

Access Control of Processing Areas

  • Security areas and physical controls shall be maintained and monitored to prevent unauthorized access
  • Protection of access paths to areas where Personal Data is stored or processed
  • Access authorizations documented for all employees and third parties with documented evidence
  • Data center access shall be logged, monitored, and tracked with full audit trails
  • Data centers shall be secured by alarm systems and appropriate physical security measures including but not limited to CCTV monitoring, physical barriers, and controlled entry points

2. Logical and Access Controls

Access Control to Data Processing Systems

  • Encryption shall be implemented using industry-standard encryption protocols for data in transit and at rest
  • Automatic temporary lock-out on idle sessions, requiring password re-entry for system access
  • Automatic temporary lock-out after a limited number of failed password attempts, with event logging and break-in monitoring
  • Data access shall be logged, monitored, and tracked with complete audit trails maintained for review

Access Control to Specific Areas of Data Processing Systems

  • Employee policies and training programs shall be maintained regarding access rights and data protection obligations
  • Individual terminal and user allocation with identification characteristics recorded
  • Monitoring of individuals who delete, add, or modify Personal Data with complete audit trails
  • Release of Personal Data only to authorized persons with differentiated access rights and roles based on business necessity
  • Industry-standard encryption for stored data and transmission of data within systems
  • Controlled and documented procedures for destruction of Personal Data per applicable data protection and retention laws

3. Data Availability and Resilience

Availability Control

  • Infrastructure redundancy and failover capabilities to prevent loss of availability
  • Backup systems located at alternative geographic sites to enable restoration of data in the event of primary infrastructure failure
  • Regular backup testing and restoration drills to ensure effectiveness
  • Business continuity and disaster recovery plans to minimize downtime and data loss

4. Data Transfer Security

Transmission Control

  • Industry-standard firewalls for network protection and monitoring
  • Virtual private networks (VPN) for secure transmission of data
  • Encryption for all data gateways and transmission pipelines using TLS or equivalent protocols
  • User alerts on incomplete data transfer with end-to-end integrity checks
  • Transmissions shall be logged, monitored, and tracked for security and compliance purposes

5. Data Input and Modification Controls

Input Control

  • Authorization policies established for input, reading, alteration, and deletion of Personal Data
  • Authentication of authorized personnel prior to granting access to data input functions
  • Protective measures for data input to memory and reading, alteration, or deletion of stored data
  • Unique authentication credentials (passwords) for each user with complexity requirements
  • Data processing facility entries and access shall be maintained in a locked state
  • Automatic log-off of unused user IDs after a defined period of inactivity
  • Proof established within TokenWorks’ organization of authorization prior to input or modification of data
  • Electronic recording of all data entries with complete audit trails maintained

6. Data Separation and Purpose Limitation

Separation of Processing for Different Purposes

  • Data access separated through application-level security controls
  • Database modules segregated by purpose, with separation of functionality and application functions
  • Database-level data organization with different normalized tables per module and function
  • Interfaces, batch processes, and reports created for specific purposes only with restrictions on cross-purpose access

7. Documentation and Compliance Tracking

Documentation

  • Complete documentation of technical and organizational measures maintained for audits and evidence of compliance
  • Regular review of documentation to ensure measures remain current and effective
  • All personnel shall be made aware of and trained on applicable technical and organizational measures
  • Policies and procedures documented and made available to authorized auditors

8. Personnel Security and Administration

Monitoring and Administration

  • Individual appointment of system administrators with documented authorization and responsibilities
  • Secure registration of system administrators’ access logs with restricted access to audit trails
  • Regular audit of system administrators’ activity for compliance with security policies
  • Maintained list of system administrators with identification and assigned tasks updated regularly
  • Termination procedures to revoke system administrator access upon separation from TokenWorks

9. Data Retention and Secure Destruction

Limits on Retention and Destruction

  • Appropriate measures established and implemented to securely destroy Personal Data when no longer needed
  • Methods for secure destruction shall include industry-standard approaches such as:
    • Third-party certified disk scrubbing using DoD or NIST standards
    • Physical destruction of storage devices by certified destruction facilities
    • Degaussing of magnetic storage media to prevent recovery
    • Shredding or pulping of paper and physical media
    • Cryptographic erasure where data encryption keys are destroyed
  • Documented evidence of secure destruction provided upon request
  • Retention periods established for different categories of Personal Data based on legal requirements and business necessity

This Data Processing Addendum is made effective as of the date of the Agreement and continues until termination or expiration of the Agreement.