Data Processing Agreement

Last updated: December 7, 2025

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Iconus Tech, Inc. ("Processor") and the customer ("Controller") using our Check Fraud Detection API services.

This DPA applies when we process personal data on your behalf and ensures compliance with GDPR, CCPA, and other applicable data protection regulations.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Sub-processor" means any third party engaged by Processor to process Personal Data.
  • "Data Subject" means the individual whose Personal Data is being processed.

2. Scope of Processing

We process the following categories of data on your behalf:

Data Categories

  • Check Data: Check numbers, amounts, dates (hashed)
  • Payee Information: Names, identifiers (hashed)
  • Account Data: Business email, company name
  • API Logs: Request metadata, timestamps

Processing Purposes

  • Check fraud detection and prevention
  • QR code verification services
  • AI risk assessment
  • Service delivery and support

3. Processor Obligations

As the Processor, we agree to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist with Data Subject rights requests
  • Delete or return Personal Data upon termination
  • Provide information necessary for compliance audits

4. Security Measures

We implement the following security measures:

  • Encryption: SHA-256 for data at rest, TLS 1.3 for data in transit
  • Access Control: Role-based access with MFA enforcement
  • Infrastructure: AWS with SOC 2 Type II certification
  • Monitoring: 24/7 security monitoring and incident response
  • Auditing: Regular penetration testing and security audits

5. Sub-processors

We use the following sub-processors:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure | US (us-east-1)
Vercel | Web hosting | US / Global CDN

We will notify you of any new sub-processors with 30 days' advance notice.

6. Data Subject Rights

We will assist you in responding to Data Subject requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Data portability
  • Restriction of processing
  • Objection to processing

7. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 72 hours)
  • Provide details of the breach nature and scope
  • Describe likely consequences
  • Outline measures taken to mitigate the breach

8. International Transfers

For transfers outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • AWS Data Processing Addendum with SCCs
  • Supplementary measures as required by Schrems II

9. Termination

Upon termination of services, we will:

  • Cease processing Personal Data
  • Delete or return all Personal Data within 30 days
  • Certify deletion upon request

We retain Personal Data beyond termination only as required by law.

10. Contact Information

For DPA-related inquiries or to request a signed copy:

Iconus Tech, Inc.
Data Protection Officer
Email: dpo@iconustech.com
Website: www.iconustech.com