
Data Processing Agreement.

Effective May 22, 2026 · Version 1.0 · For Customers processing personal data through InkID services

What this is. This Data Processing Agreement (the "DPA") is the standard processor agreement under which InkID, Inc. processes personal data on behalf of business customers — for example, music publishers using InkTrust to manage their roster's authorship records, or institutional customers running InkID-backed workflows for their own users. The DPA satisfies the requirements of GDPR Article 28 and equivalent provisions of UK GDPR, CCPA, and other applicable privacy frameworks. It is published here as the canonical version; specific customer agreements may incorporate it by reference or execute a counter-signed version.

Contents

  1. Scope, parties & relationship to other agreements
  2. Definitions
  3. Roles & responsibilities
  4. Subject matter, duration, nature & purpose
  5. Categories of data subjects & data
  6. Processing on documented instructions
  7. Confidentiality of personnel
  8. Security of processing
  9. Sub-processors
  10. Assistance with data-subject rights
  11. Personal-data-breach notification
  12. DPIA & prior-consultation assistance
  13. Return or deletion of personal data
  14. Audit rights
  15. International transfers
  16. Liability
  17. Term & termination
  18. General provisions
  19. Schedule 1 — Processing details
  20. Schedule 2 — Sub-processors
  21. Schedule 3 — Security measures
  22. Contact

1. Scope, parties & relationship to other agreements

This DPA is entered into between InkID, Inc., a Delaware C-Corporation ("InkID," the "Processor") and the customer entity that has agreed to receive InkID services under a separate services agreement (the "Customer," the "Controller"). Together InkID and Customer are the "Parties."

This DPA governs the Processing by InkID of Personal Data on behalf of Customer in connection with the InkID services Customer uses (the "Services") — including, where applicable, the InkTrust publisher dashboard, the InkID protocol applied to Customer's writers, and any other InkID service expressly designated as a Customer-controller-processor service. It does not govern (a) personal data InkID processes as a controller for its own purposes, (b) processing performed by an individual InkID end user (e.g., a songwriter using InkWave directly) under that user's own consent, or (c) processing under another product's standalone terms (such as the InkID Privacy Policy for inkid.io visitor data).

To the extent of any conflict between this DPA and any other Customer agreement with InkID concerning the processing of Personal Data, this DPA controls.

2. Definitions

Capitalized terms not defined here have the meaning given in Customer's services agreement with InkID, or — for GDPR-defined terms (Controller, Processor, Personal Data, Personal Data Breach, Processing, Data Subject, Special Category Data, Supervisory Authority) — the meaning given in the GDPR. For convenience:

  • "Applicable Law" means the data-protection laws applicable to the Processing under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK Data Protection Act 2018 and UK GDPR (together, "UK GDPR"), the California Consumer Privacy Act as amended ("CCPA"), and equivalent state and national privacy laws of the United States and other jurisdictions to the extent applicable.
  • "Customer Personal Data" means Personal Data that InkID Processes on behalf of Customer pursuant to the Services, as further described in Schedule 1.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time.
  • "Sub-processor" means any third party engaged by InkID to Process Customer Personal Data on InkID's behalf, as listed in Schedule 2.

3. Roles & responsibilities

The Parties acknowledge that, with respect to Customer Personal Data Processed under this DPA:

  1. Customer is the Controller. Customer determines the purposes and means of Processing Customer Personal Data and is responsible for ensuring it has a lawful basis for Processing and for any further disclosures it makes outside the Services.
  2. InkID is a Processor. InkID Processes Customer Personal Data on Customer's behalf, in accordance with Customer's documented instructions and the terms of this DPA.
  3. For CCPA purposes, InkID is a "service provider." InkID will not (a) sell or share (as defined in CCPA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any commercial purpose other than performing the Services; or (c) combine Customer Personal Data with personal information from any source outside the Services, except as permitted by CCPA.

Customer represents and warrants that it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to InkID and to instruct InkID to Process it as contemplated by this DPA and the Services.

4. Subject matter, duration, nature & purpose

The subject matter, duration, nature, and purpose of the Processing under this DPA are set out in Schedule 1. In summary:

  • Subject matter. Processing of Customer Personal Data by InkID to provide the Services to Customer.
  • Duration. For the term of Customer's services agreement with InkID, plus any post-termination retention period permitted under §13.
  • Nature. Hosting, storage, retrieval, transmission, computation (including the production of InkID authorship records, behavioral evidence summaries, and verification artifacts), backup, deletion, and (where instructed) export.
  • Purpose. Delivery of the Services Customer has subscribed to — for example, in the case of InkTrust, enabling Customer to receive, manage, and verify songwriter submissions and the associated InkID evidence.

5. Categories of data subjects & data

The categories of Data Subjects and types of Personal Data Processed by InkID under this DPA are set out in Schedule 1. The Parties anticipate that the categories of Data Subjects will typically include Customer's writers/contributors, Customer's personnel using the Services, and other natural persons whose Personal Data Customer provides to or generates through the Services. The categories of Personal Data will typically include identifiers, contact information, and Service-generated records such as InkID identifiers, verification scores, and timestamp records. The Services are not intended to be used to Process Special Category Data; if Customer wishes to Process Special Category Data, additional terms must be agreed in advance.

6. Processing on documented instructions

InkID will Process Customer Personal Data only on Customer's documented instructions, including with regard to transfers to a third country or international organisation, unless required to do so by Applicable Law. Customer's instructions are: (a) the terms of this DPA and Customer's services agreement with InkID; (b) the configurations and operational instructions Customer provides through the Services' administrative interfaces; and (c) any other written instructions Customer provides to InkID's contact specified in §22 (provided that InkID may decline instructions that would, in InkID's reasonable judgment, violate Applicable Law, exceed the scope of the Services, or impose material additional cost — in which case InkID will notify Customer and the Parties will negotiate in good faith).

If InkID is required by Applicable Law to Process Customer Personal Data other than on Customer's documented instructions, InkID will notify Customer of that legal requirement before Processing, unless prohibited from doing so by Applicable Law on important grounds of public interest.

7. Confidentiality of personnel

InkID will ensure that all personnel authorized to Process Customer Personal Data are bound by appropriate written confidentiality obligations (whether contractual or statutory). InkID will limit access to Customer Personal Data to those personnel who require access for the performance of the Services.

8. Security of processing

InkID will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk to Customer Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the likelihood and severity of risk to Data Subjects. The current security measures are set out in Schedule 3 and incorporate the architectural privacy-by-design properties of the InkID protocol — including, where applicable, data minimization (raw behavioral data not retained), on-device pre-processing, and independent cryptographic anchoring via RFC 3161 Time-Stamp Authorities.

InkID may update Schedule 3 from time to time, provided that any update does not materially reduce the overall level of protection.

9. Sub-processors

9.1 General authorisation

Customer provides general written authorisation for InkID to engage the Sub-processors listed in Schedule 2. InkID will ensure that each Sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than those imposed on InkID by this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

9.2 New or replacement Sub-processors

InkID will give Customer prior written notice (which may be given by updating Schedule 2 and notifying the Customer contact on record) of any intended addition or replacement of a Sub-processor at least thirty (30) days before that Sub-processor begins Processing Customer Personal Data. Customer may object in writing to the engagement of a new or replacement Sub-processor on reasonable grounds related to data protection. If Customer's objection cannot be resolved by good-faith discussion within thirty (30) days, Customer may terminate the affected portion of the Services on written notice, with a pro-rata refund of any pre-paid fees for the unused portion of the term.

9.3 InkID liability for Sub-processors

InkID remains fully liable to Customer for the performance of each Sub-processor's data-protection obligations in respect of Customer Personal Data.

10. Assistance with data-subject rights

Taking into account the nature of the Processing, InkID will assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Law (including rights of access, rectification, erasure, restriction, portability, and objection). Where InkID receives a request directly from a Data Subject in respect of Customer Personal Data, InkID will (a) promptly forward the request to Customer and (b) not respond to the request directly except to acknowledge receipt and confirm that the request will be handled by Customer, unless authorised by Customer or required by Applicable Law to do so.

11. Personal-data-breach notification

InkID will notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known and to the extent possible, the information required by GDPR Article 33(3) — including the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. InkID will provide reasonable assistance to Customer in meeting Customer's own breach-notification obligations under Applicable Law.

12. DPIA & prior-consultation assistance

Taking into account the nature of the Processing and the information available to InkID, InkID will provide reasonable assistance to Customer in connection with (a) Data Protection Impact Assessments under GDPR Article 35 and equivalent provisions of UK GDPR and other Applicable Law, and (b) prior consultations with Supervisory Authorities under GDPR Article 36. InkID may charge reasonable, cost-based fees for assistance that materially exceeds standard Service operation, and will notify Customer of any such fees in advance.

13. Return or deletion of personal data

Upon termination of the Services (or earlier, on Customer's written request), InkID will, at Customer's election, either return all Customer Personal Data to Customer in a structured, commonly used, machine-readable format, or delete the Customer Personal Data and certify the deletion in writing, in either case within ninety (90) days of the termination or request. Disaster-recovery backups will be purged within an additional ninety (90) days from the date of deletion. InkID may retain Customer Personal Data to the extent required by Applicable Law, in which case the retained data will continue to be subject to the confidentiality and security obligations of this DPA for as long as InkID holds it.

For the avoidance of doubt: RFC 3161 timestamp tokens are issued by independent Time-Stamp Authorities and contain only cryptographic hashes of content, not Personal Data; they are immutable by design and are not returned or deleted under this section, but they cannot be used to reconstruct any underlying content or identify any Data Subject.

14. Audit rights

14.1 Audit-information requests

InkID will make available to Customer all information necessary to demonstrate compliance with InkID's obligations under GDPR Article 28 and this DPA. Such information may include (a) current security-program documentation, (b) the most recent independent third-party security assessment relevant to the Services, where one exists, and (c) responses to a reasonable Customer questionnaire.

14.2 Audits and inspections

Customer (or an independent third-party auditor mandated by Customer who is not a competitor of InkID) may, on at least sixty (60) days' prior written notice and not more than once in any 12-month period (except where required to do so by a Supervisory Authority or where a Personal Data Breach has occurred), conduct an audit of InkID's compliance with this DPA. Audits will be conducted during InkID's normal business hours, will not unreasonably interfere with InkID's operations, will be subject to reasonable confidentiality and security restrictions, and will be at Customer's expense (except where the audit reveals InkID's material non-compliance, in which case InkID will bear reasonable costs).

15. International transfers

15.1 Transfers from the EEA, UK, or Switzerland

To the extent the Processing involves a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an applicable adequacy decision, the Parties incorporate the Standard Contractual Clauses by reference, with InkID acting as the "data importer" and Customer as the "data exporter." The Module Two clauses (Controller to Processor) apply. The following options are pre-completed: Clause 7 (docking) — included; Clause 9(a) — Option 2, general written authorisation with the 30-day notice period set out in §9.2; Clause 11(a) optional element — not selected; Clause 17 — Option 1, governed by the law of the EU Member State of the data exporter or, where the exporter is outside the EEA, Ireland; Clause 18 — courts of the same Member State (or Ireland); Annexes I, II, and III are completed by reference to Schedules 1, 3, and 2 of this DPA respectively.

15.2 UK transfers

For transfers subject to UK GDPR, the Parties incorporate the UK Information Commissioner's International Data Transfer Addendum to the SCCs, applied to the SCCs incorporated under §15.1.

15.3 EU–US Data Privacy Framework

Where and to the extent the EU–US Data Privacy Framework (or any successor framework) applies and InkID has self-certified to that framework, the framework may serve as an alternative or additional lawful transfer mechanism. InkID will identify its self-certification status on request.

16. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in Customer's services agreement with InkID. To the extent permitted by Applicable Law, the limitation of liability in that agreement applies to all claims under this DPA in the aggregate. Nothing in this DPA limits any liability that cannot be limited by Applicable Law, including liability arising from a Party's wilful misconduct, fraud, or, where Applicable Law prohibits limitation, gross negligence.

17. Term & termination

This DPA takes effect on the date Customer accepts InkID's services agreement (or, if later, the date Customer first uses the Services) and continues for the term of that agreement. The obligations in §§7 (Confidentiality), 11 (Breach notification, in respect of breaches discovered after termination affecting data Processed during the term), 13 (Return or deletion), and 14 (Audit, for a reasonable period after termination) survive termination of this DPA.

18. General provisions

18.1 Order of precedence

In the event of conflict between this DPA and Customer's services agreement with InkID, this DPA controls with respect to the Processing of Customer Personal Data. In the event of conflict between this DPA and the SCCs as incorporated under §15.1, the SCCs control.

18.2 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid or unenforceable provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent.

18.3 Assignment

Neither Party may assign this DPA without the other Party's prior written consent, except that either Party may assign it (a) to an affiliate or (b) in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of its assets — provided that the assignee assumes the assigning Party's obligations under this DPA.

18.4 Governing law & jurisdiction

Except as provided by the SCCs under §15, this DPA is governed by the laws of the State of California, United States, and the exclusive venue for any matter not subject to arbitration under Customer's services agreement is the state and federal courts located in San Francisco County, California.

18.5 Counterparts & electronic acceptance

This DPA may be accepted electronically and may be executed in counterparts, each of which is deemed an original and all of which together constitute one and the same instrument.

Schedule 1 — Processing details

Subject matter, duration, nature, purpose, categories

  • Subject matter. Processing of Customer Personal Data by InkID to provide the Services to Customer, as further described in Customer's services agreement.
  • Duration. The term of Customer's services agreement, plus any post-termination retention period permitted under §13 of this DPA.
  • Nature. Hosting, storage, retrieval, transmission, computation (including production of authorship-evidence records, behavioral-evidence summaries, verification artifacts, and credentials), backup, deletion, and instructed export.
  • Purpose. To enable Customer to use the Services for the purposes for which they are designed — e.g., management of a publishing roster's submissions and verification records via InkTrust.
  • Categories of Data Subjects. Customer's writers, contributors, employees, contractors, and other natural persons whose Personal Data Customer provides to or generates through the Services.
  • Categories of Personal Data. Identifiers (name or pseudonym, email address, account identifier); Service-generated records (InkID identifiers, verification scores and classifications, evidence-dimension summaries, RFC 3161 timestamp tokens); submission metadata (titles, attribution, dates); and any other Personal Data Customer chooses to upload, configure, or generate within the Services.
  • Special Category Data. The Services are not intended to be used for the Processing of Special Category Data within the meaning of GDPR Article 9. The architectural minimization described in §8 is designed to keep Processing outside the categories of biometric data used for uniquely identifying a natural person and data concerning health.
  • Frequency. Continuous, for the duration of the Services.

Schedule 2 — Sub-processors

Authorised Sub-processors as of the Effective date

InkID engages the following Sub-processors to support the delivery of the Services. Each Sub-processor is bound by a written agreement that imposes data-protection obligations consistent with this DPA.

  • Google LLC (Firebase / Google Cloud). Cloud hosting, Firestore database, Cloud Functions, Authentication, Hosting. Region: us-west2. Privacy: firebase.google.com/support/privacy
  • Google LLC (Gemini API). AI processing for analytical-AI features in InkID products (proxied via InkID Cloud Functions; no direct device-to-Gemini calls). API terms prohibit use of customer data for model training.
  • FreeTSA.org. Independent RFC 3161 Time-Stamp Authority. Receives only cryptographic hashes; never receives Personal Data or content.
  • RevenueCat, Inc. Subscription and entitlement management (applicable to InkID products with paid tiers). Receives anonymised user identifiers and subscription status only.

InkID maintains and updates this list as Sub-processors change. Customer will receive prior notice of new or replacement Sub-processors as set out in §9.2.

Schedule 3 — Security measures

Technical and organisational measures

InkID implements the following technical and organisational measures to ensure a level of security appropriate to the risk to Customer Personal Data:

  1. Encryption. TLS 1.2+ for data in transit. AES-256 encryption for data at rest in Google Cloud / Firestore. Encrypted local storage where data is held on end-user devices.
  2. Access control. Authentication required for all data access. Server-side security rules (Firestore Security Rules) enforce that authenticated users may access only the data they are authorised to access. Cloud Functions validate authentication tokens on every invocation. API keys are stored in Google Secret Manager — never on end-user devices.
  3. Architectural minimization. Where the InkID protocol applies, raw behavioral data is processed on-device into aggregated summaries; raw per-event behavioral data is never transmitted to or stored on InkID infrastructure. This is a structural property of the protocol, not a runtime configuration that can be disabled.
  4. Sub-processor controls. Sub-processors are bound by written agreements with data-protection obligations consistent with this DPA. InkID assesses Sub-processor security postures before engagement and on a periodic basis.
  5. Personnel. Personnel authorised to access Customer Personal Data are bound by written confidentiality obligations and receive periodic privacy and security training.
  6. Logging & monitoring. Access and administrative events affecting Customer Personal Data are logged. Logs are retained for a period appropriate to security and audit needs.
  7. Incident response. InkID maintains a documented incident-response procedure that includes triage, containment, notification, and post-incident review. Notification timelines satisfy §11.
  8. Backup & recovery. Customer Personal Data is backed up via the Firebase / Google Cloud platform's standard backup mechanisms. Backups are encrypted at rest and are purged within ninety (90) days of deletion of the underlying data.
  9. Physical security. Physical security of data centres is provided by Google Cloud, which maintains industry-standard certifications (SOC 2, ISO 27001, ISO 27017, ISO 27018).

InkID may update the measures described above from time to time to reflect changes in the state of the art, provided that any update does not materially reduce the overall level of protection.

22. Contact

Notices and inquiries under this DPA should be directed to:

InkID, Inc.
Attn: Data Protection
Email: legal@inkid.io and privacy@inkid.io

Email contact addresses will be activated as the InkID email infrastructure is provisioned. Until then, please direct inquiries to the address listed on a current product page or InkID's verified channels. For the avoidance of doubt, all timelines that begin on InkID's "receipt" of a Customer notice run from the date InkID actually receives the notice at a working address.

© 2026 InkID. INKID-PROTO and the InkID identifier scheme are trademarks of InkID, Inc. RFC 3161 is an IETF standard. FreeTSA is an independent service operated outside InkID.