This Data Processing Addendum (“DPA”) supplements the agreement between PRVNZ LLC, a company registered in the United Arab Emirates (“PRVNZ”, “Processor”), and the customer identified in the order form (“Customer”, “Controller”), and applies whenever PRVNZ processes personal data on the Customer's behalf.
1. Roles and scope
For personal data processed on the Customer's behalf, the Customer is the controller and PRVNZ is the processor. PRVNZ processes personal data only on the Customer's documented instructions (including those expressed through the platform), except where required to do otherwise by applicable law.
2. Subject matter and duration
Subject matter: processing necessary to provide the Services described in the order form — passport issuance, verification, claim recording, autonomous agents, and related infrastructure.
Duration: the term of the agreement, plus any post-termination retention period set out in the Terms or required by law.
3. Categories of data and data subjects
- End-customer scan data (IP address, user agent, geolocation derived from IP, scan timestamp).
- Account holders and operators provisioned by the Customer.
- Supplier and partner contacts where the Customer chooses to record them on a passport.
- Other personal data the Customer chooses to submit to the Services.
4. Sub-processors
The Customer authorizes PRVNZ to engage sub-processors to provide the Services. A current list of sub-processors is maintained and made available on request. PRVNZ will notify the Customer of intended changes and give the Customer a reasonable opportunity to object.
5. International transfers
Where personal data is transferred across borders, PRVNZ uses appropriate safeguards — Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms recognized by the data exporter's law. The Customer may configure regional residency where the Services support it.
6. Security
PRVNZ implements technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, hardware-isolated compute for sensitive workloads, and incident response procedures. Detail is published on the Security page.
7. Personnel
PRVNZ ensures personnel authorized to process personal data are bound by appropriate confidentiality obligations.
8. Data subject rights
PRVNZ will assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligations to respond to requests by data subjects. Where a data subject contacts PRVNZ directly, PRVNZ will promptly forward the request to the Customer.
9. Personal data breach
PRVNZ will notify the Customer without undue delay after becoming aware of a personal data breach, with sufficient information to allow the Customer to meet its own notification obligations.
10. Audits
PRVNZ will make available information necessary to demonstrate compliance with this DPA, and allow for audits — including inspections — conducted by the Customer or an auditor mandated by the Customer, on reasonable notice and subject to confidentiality.
11. Deletion or return
On termination, PRVNZ will delete or return personal data processed on behalf of the Customer, at the Customer's choice, subject to legal retention obligations.
12. Governing law
This DPA is governed by the laws specified in the agreement to which it is attached, or, if none is specified, the laws of the United Arab Emirates.
13. Contact
Privacy and DPA questions: privacy@prvnz.com.