Data Processing Agreement

Data Processing Agreement pursuant to Art. 28 GDPR ("DPA")

As of: May 2026

[Customer] — company name, registered office, and authority of representation as per the registration data stored in the Flonk dashboard

– hereinafter "Controller" or "Customer" –

and

MedConnect GmbH
Bayernstraße 10
30855 Langenhagen, Germany
represented by Managing Director oec. Michael Mansholt
Commercial register: Local Court of Hannover, HRB 226358

– hereinafter "Processor" or "Flonk" –

– jointly the "Parties", individually a "Party" –

The Controller uses the Software-as-a-Service platform for digital identity verification provided by the Processor under the "Flonk" brand at the domain https://flonk.id (hereinafter the "Flonk platform" or "Service"). In the course of providing the Service, the Processor processes personal data on behalf of the Controller subject to instructions, within the meaning of Art. 4(8), Art. 28 of Regulation (EU) 2016/679 (General Data Protection Regulation — "GDPR").

This agreement specifies the data protection obligations of the Parties arising from processing on behalf within the meaning of Art. 28 GDPR. It applies to all activities related to the main contract (General Terms and Conditions, enterprise contract, or other agreement on the use of the Flonk platform — "Main Contract") in which the Processor's staff or sub-processors engaged by it process personal data of the Controller.

(1) Subject Matter. The subject matter of this DPA is the processing of personal data of End Users of the Controller (in particular persons identifying themselves via the Flonk platform — hereinafter "End Users" or "data subjects") by the Processor for the purpose of providing the Services described in the Main Contract, in particular:

  • a) reading and authenticity check of official identity documents;
  • b) biometric 1:1 matching (selfie ↔ document photo);
  • c) liveness detection;
  • d) provision of API, SDKs, webhooks, and dashboard;
  • e) documentation and reporting of verification results.

(2) Term. The term of this DPA corresponds to the term of the Main Contract. Obligations that by their nature are intended to continue beyond the term (in particular confidentiality, return/erasure of data, cooperation in official proceedings) shall remain in force after termination.

(3) Precedence. This DPA takes precedence over the provisions of the Main Contract on data protection matters. Otherwise, the provisions of the Main Contract apply in addition.

(1) Nature of Processing. Processing comprises in particular: collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction (Art. 4(2) GDPR).

(2) Purpose of Processing. Processing is carried out exclusively for the purpose of digital identity verification of the Controller's End Users and for the provision, operation, and further development of the technical infrastructure required for this, including security, fraud prevention, and audit purposes.

(3) No Independent Purposes. The Processor does not carry out processing for its own purposes; this excludes anonymised statistical analyses and the improvement of models and algorithms on the basis of fully anonymised data, provided that no conclusions can be drawn about individual persons.

(1) Categories of Data Subjects. End Users of the Controller who have themselves verified via the Flonk platform; where applicable, employees/authorised persons of the Controller using the dashboard.

(2) Categories of Data:

  • a) Identification and master data: first/last name, birth name, date of birth, place of birth, country of birth, nationality, gender, address, signature.
  • b) Identity document data: document type, document number, issuing authority, issue and expiry date, MRZ data, NFC chip data, security features.
  • c) Biometric data (Art. 9(1) GDPR): photo from the document, live selfie(s), video / 3D depth data for liveness, biometric templates.
  • d) Verification / result data: session ID, timestamp, result (successful/rejected/manual review), confidence and risk scores.
  • e) Technical metadata: IP address, device type, operating system, browser, device fingerprint, language, approximate location.
  • f) Communication / mapping data: reference IDs, email addresses, and other client metadata transmitted by the Controller.
  • g) Dashboard user data: name, business email, role, login data, access logs.

(3) Special Categories. As biometric data is processed for unique identification, special categories of personal data within the meaning of Art. 9 GDPR are involved. The Controller ensures that a valid legal basis exists pursuant to Art. 9(2) GDPR (typically explicit consent pursuant to Art. 9(2)(a) GDPR).

(1) Responsibility. The Customer is the controller within the meaning of Art. 4(7) GDPR. The Processor processes personal data exclusively within the scope of the contractually agreed services and on documented instructions of the Controller, unless required to process by Union or Member State law to which it is subject; in such case, the Processor shall inform the Controller of these legal requirements before processing, unless the law in question prohibits such information on important grounds of public interest.

(2) Instructions. Instructions are, as a rule, issued in text form by persons authorised for this purpose. Oral instructions must be confirmed in text form without undue delay. Standard instructions result from the parameters laid down in the Main Contract, the documentation, and the API configuration (e.g. workflow settings in the dashboard).

(3) Notice of Unlawfulness. If the Processor is of the opinion that an instruction infringes data protection law, it shall inform the Controller thereof without undue delay (Art. 28(3) sentence 3 GDPR). The Processor is entitled to suspend execution of the relevant instruction until confirmation or modification by the Controller.

(4) Contact Persons. The Parties shall each designate competent contact persons for data protection matters. At the Processor, this is the appointed Data Protection Officer.

The Processor undertakes in particular as follows:

(1) Processing in accordance with the GDPR. Processing exclusively within the scope of the documented instructions of the Controller and in accordance with Art. 28, 29, and 32 GDPR.

(2) Confidentiality (Art. 28(3)(b) GDPR). All persons engaged in data processing are committed to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality, and to compliance with data secrecy.

(3) Technical and Organisational Measures (Art. 32 GDPR). Implementation and maintenance of the technical and organisational measures (TOMs) defined in Annex 1. The measures may be further developed in line with the state of the art but must not fall below the agreed level of protection.

(4) Support of the Controller (Art. 28(3)(e) and (f) GDPR). Support in fulfilling obligations under Art. 12–22 GDPR (data subject rights) and Art. 32–36 GDPR (data security, notification obligations, data protection impact assessment, prior consultation). The Processor is entitled to charge a reasonable extra fee separately for support that goes beyond the contractually agreed standard scope.

(5) Notification of Personal Data Breaches (Art. 33 GDPR). Information to the Controller without undue delay, generally within 48 hours, after becoming aware of a personal data breach. Notification is made to the contact designated by the Controller and contains at least the information specified in Art. 33(3) GDPR, to the extent available.

(6) Data Protection Officer. The Processor has appointed a Data Protection Officer pursuant to Art. 37 GDPR.

(7) Records of Processing Activities (Art. 30(2) GDPR). The Processor maintains a record of all processing activities and provides it on request to the supervisory authority or the Controller.

(8) Data Minimisation and Storage Limitation. Data are processed only to the extent and stored only for as long as necessary to fulfil the contractual obligations and to comply with statutory retention periods.

(9) Return and Erasure (Art. 28(3)(g) GDPR). Upon completion of the provision of processing services, all personal data shall — at the Controller's choice — be either erased or returned; existing statutory retention obligations remain unaffected. Details are governed by § 11.

(1) Lawfulness. The Controller is solely responsible for the lawfulness of data processing and for safeguarding the rights of data subjects, in particular for the existence of a valid legal basis (including consents under Art. 9(2)(a) GDPR).

(2) Information and Consent. The Controller ensures that data subjects are duly informed about the data processing (Art. 13, 14 GDPR) and — where required — valid consents are in place that can be evidenced at any time.

(3) Issuing Instructions. The Controller designates one or more persons authorised to issue instructions and notifies the Processor of changes without undue delay.

(4) Cooperation Obligations. The Controller supports the Processor in fulfilling its statutory obligations, in particular by responding promptly to enquiries.

(5) Information on Breaches. The Controller reports personal data breaches that come to its knowledge and may be connected with processing by the Processor, without undue delay, to info@medconnect.gmbh with the subject "DRINGEND! DATENSCHUTZPANNE!" (URGENT! DATA PROTECTION INCIDENT!).

(6) Requirements for End Users. The Controller integrates the Flonk platform into its processes in such a way that End Users are shown the privacy notice and consent declaration in a transparent form before verification begins.

(1) Authorisation. By concluding this DPA, the Controller grants the Processor general written authorisation within the meaning of Art. 28(2) sentence 2 GDPR to engage sub-processors. A current list of the sub-processors engaged at the time of contract conclusion is attached as Annex 2.

(2) Contractual Commitment. The Processor shall, by means of a contract, commit each sub-processor to data protection obligations that essentially correspond to those of this DPA, in particular with regard to sufficient technical and organisational measures.

(3) Change of Sub-Processors. The Processor shall inform the Controller of intended changes (addition or replacement of sub-processors) at least 30 calendar days before they take effect, in text form (e.g. by email to the data protection contact address stored in the dashboard) or by updating the list published at https://flonk.id/subprocessors with an indication of the update date.

(4) Right of Objection. The Controller may object to the change within 14 calendar days of being informed, for important data protection reasons. In the event of a legitimate objection, the Parties shall seek an amicable solution in good faith. If no agreement is reached, the Controller is entitled to extraordinarily terminate the Main Contract and this DPA.

(5) Intra-Group Service Providers. Activities that the Processor uses from third parties as merely ancillary services (e.g. telecommunications, cleaning, or security services) do not constitute sub-processing within the meaning of this contract, provided that there is no regular access to personal data.

(1) Principle. Data processing takes place, as a rule, within the European Union or the European Economic Area (EEA), primarily in data centres in Amsterdam (Netherlands).

(2) Third-Country Transfers. Transfers to third countries only take place where the requirements of Art. 44 et seq. GDPR are met, in particular through:

  • a) adequacy decision of the European Commission (Art. 45 GDPR), e.g. EU-US Data Privacy Framework for certified sub-processors (in particular Railway Corp., San Francisco/USA);
  • b) EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) in their respective valid version, supplemented where appropriate by additional technical and organisational protective measures (transfer impact assessment).

(3) Prohibition of Transfer of Raw Biometric Data. Transfer of raw biometric data (selfies, liveness videos, biometric templates) to third countries does not take place without express written agreement with the Controller.

(1) The Processor supports the Controller with suitable technical and organisational measures in fulfilling data subject requests to exercise their rights under Art. 15–22 GDPR (access, rectification, erasure, restriction, data portability, objection, withdrawal of consent, right to human intervention in automated decision-making).

(2) Direct Contact by Data Subjects. If a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay. The Processor does not independently provide substantive information unless the Controller has expressly permitted this.

(3) Authorities and Courts. Where personal data are requested from the Processor by government bodies, the Processor will inform the Controller without undue delay, to the extent legally permissible, and — to the extent reasonable and legally possible — work toward prior consultation of the Controller.

(1) Duty to Provide Evidence. The Processor demonstrates compliance with the agreed obligations on request in a suitable manner, in particular through:

  • a) presentation of valid certificates (e.g. ISO/IEC 27001, SOC 2 Type II);
  • b) provision of up-to-date TOM documentation;
  • c) presentation of audit reports by independent auditors;
  • d) answering written questionnaires.

(2) On-Site Audit. Where the evidence referred to in paragraph 1 is not sufficient in an individual case, the Controller is entitled to conduct an audit of the Processor's processing facilities during normal business hours and with reasonable notice (at least 30 calendar days), or have it conducted by an independent auditor bound to confidentiality. The auditor may neither be a competitor of the Processor nor in any other conflict of interest.

(3) Frequency. Such audits generally take place no more than once a year; in cases of justified suspicion of data protection violations and at the request of a supervisory authority, ad-hoc audits are permissible.

(4) Costs. The costs of an audit are borne by the Controller; the Processor is entitled to charge for its cooperation effort at the rates applicable at the time, unless the audit reveals material violations on the part of the Processor.

(5) Confidentiality and Security. Audits may not disproportionately impair business operations and may not lead to disclosure of trade secrets of third parties or other customers. All information obtained in the course of the audit shall be treated as strictly confidential.

(1) Upon termination of the provision of processing services, the Processor shall, at the Controller's choice, erase or return all personal data.

(2) Retention Obligations. Retention only takes place to the extent required by statutory obligations (in particular § 8(4) GwG: 5 to 10 years; § 257 HGB, § 147 AO: 6 to 10 years). During retention, the protective measures set out in this DPA remain in force unchanged.

(3) Early Anonymisation. The Controller may at any time arrange for the irreversible anonymisation of individual or all data sets, provided no statutory obligations preclude this.

(4) Evidence. On request, the Processor shall provide suitable evidence of proper erasure.

(1) External Liability. Vis-à-vis the data subject, each Party is liable in accordance with Art. 82 GDPR.

(2) Internal Liability. Internally, liability between the Parties is governed by the provisions of the Main Contract. To the extent the Main Contract contains no provisions, the statutory provisions apply.

(3) Fines. Fines under Art. 83 GDPR are borne by the Party whose breach of duty was causative for their imposition. In the event of mutual fault, an allocation is made according to the respective contribution.

(1) Written Form. Amendments and supplements to this DPA require text form. This also applies to the waiver of this text form clause.

(2) Severability. Should individual provisions of this DPA be or become invalid, this shall not affect the validity of the remaining provisions. In place of the invalid provision, the valid and enforceable provision that comes closest to the economic purpose of the invalid provision shall be deemed agreed.

(3) Choice of Law and Jurisdiction. The laws of the Federal Republic of Germany apply, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes is — to the extent legally permissible — Hannover, Germany.

(4) Annexes. The following annexes are part of this DPA:

  • Annex 1: Technical and organisational measures (TOMs) pursuant to Art. 32 GDPR
  • Annex 2: List of sub-processors

The following measures are continuously adapted to the state of the art.

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1 Physical Access Control

Processing takes place exclusively in certified data centres of sub-processors (including ISO/IEC 27001-certified Tier III/IV data centres in Amsterdam, Netherlands). Measures: 24/7 security, access control systems with multi-factor authentication, video surveillance, logging, biometric access controls for high-security areas, visitor registration and accompaniment.

1.2 System Access Control

Protection against unauthorised system use by:

  • multi-factor authentication (MFA) for all administrative access,
  • strong password policies (minimum length, complexity, rotation intervals),
  • automatic screen locks,
  • use of Single Sign-On (SSO) for staff,
  • role-based access controls (RBAC) on a need-to-know basis,
  • regular (at least quarterly) review and clean-up of permissions.

1.3 Data Access Control

Ensuring that authorised persons can only access data within their authorisation:

  • granular authorisation concept,
  • complete logging of all access to personal data (audit trails, tamper-proof),
  • encryption of data carriers (full-disk encryption),
  • pseudonymisation or tokenisation of sensitive data fields,
  • AES-256 encryption at rest and TLS 1.3 in transit,
  • hardware-based key management (HSM/KMS).

1.4 Segregation Control

Logical tenant separation: separate databases/schemas per customer or mandatory customer-specific keys; separate processing of production, test, and development systems; productive personal data is never used in test environments.

1.5 Pseudonymisation

Where functionally possible, data is processed in pseudonymised form; biometric templates are stored separately from the associated identity attributes.

2. Integrity (Art. 32(1)(b) GDPR)

2.1 Transfer Control

Encrypted transmission of all data (TLS 1.3, Forward Secrecy), encrypted backups, prohibition of data carrier transfers outside secure channels, signed webhooks (HMAC), public key pinning, secure API authentication via high-entropy secret keys.

2.2 Input Control

Complete logging of all changes to personal data (who, when, what), tamper-proof audit logs, four-eyes principle for critical administrative actions.

3. Availability and Resilience (Art. 32(1)(b) and (c) GDPR)

3.1 Availability Control

Geographically redundant data storage within the EU, automated backups (at least daily, encrypted), regular restore tests, high-availability architecture (multi-zone deployment), redundant power supply (UPS, emergency generators), early fire detection and suppression in data centres, climate control redundancy.

3.2 Restorability

Documented emergency and recovery plans (Business Continuity / Disaster Recovery), defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective), regular emergency drills.

3.3 Protection Against Attacks

Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, intrusion detection/prevention systems (IDS/IPS), continuous vulnerability scanning, annual penetration tests by independent auditors, hardening of all systems according to CIS benchmarks, timely patch management.

4. Procedures for Regular Review (Art. 32(1)(d) GDPR)

4.1 Data Protection Management

Appointment of a Data Protection Officer, Data Protection Impact Assessment (DPIA) for the processing of biometric data, regular updating of the DPIA, record of processing activities (Art. 30 GDPR), documented internal data protection policies.

4.2 Incident Response Management

Established incident response procedure with defined escalation paths, 48-hour notification chain to controllers, trained security team, post-incident reviews.

4.3 Privacy by Design / by Default (Art. 25 GDPR)

Privacy-friendly defaults, data minimisation in product development, threat modeling, and privacy reviews before release of new features.

4.4 Order Control

Careful selection of sub-processors, written contracts pursuant to Art. 28 GDPR with each sub-processor, regular review of their TOMs, documented commitment to the level of protection of this Annex.

5. Personnel Measures

  • Written commitment of all staff to data secrecy (§ 53 BDSG analogously) and to confidentiality (Art. 28(3)(b) GDPR),
  • mandatory annual data protection and security awareness training,
  • background checks for staff with access to particularly sensitive data,
  • clean-desk and clear-screen policy,
  • off-boarding processes with prompt removal of all permissions.

6. Certifications

  • ISO/IEC 27001 (Information Security Management System),
  • regular independent audits,
  • membership in industry-standard security communities (e.g. CERT network).

The following list reflects the status as of the contract date above.

| Sub-processor | Headquarters / Processing location | Service | Transfer mechanism |
|---|---|---|---|
| Railway Corp. | San Francisco, USA / Processing in Amsterdam, NL | Cloud infrastructure (hosting, compute, storage) | EU-US Data Privacy Framework + EU SCCs (Module 3); data residency EU |

Note: This is an English translation of the German DPA. In case of discrepancies, the German version shall prevail.