These Terms and Conditions for VerifEye (“Agreement”) govern the provision of the VerifEye Service (the “Service”) by Realeyes OÜ, registry code 11730664, with registered office at Vahe 15, 11615 Tallinn, Estonia (“Realeyes,” “we,” “us,” or “our”), to business customers operating online services, platforms, or applications that restrict access to certain content or functionality based on age or similar eligibility criteria (“Business Customer,” “you,” or “your”).
VerifEye is an AI-powered age-estimation service designed to assess, through machine-vision and deep-learning techniques, whether an End User meets a specified age threshold before accessing your content or services. The Service helps Business Customers comply with applicable laws or industry codes relating to age assurance or restricted access.
Realeyes acts solely as a technical service provider and data processor on behalf of the Business Customer. The decision to grant or deny End User access remains exclusively with the Business Customer.
Please read this Agreement carefully before contracting or using the Service.
1. Definitions
For the purposes of this Agreement, the following capitalized terms shall have the meanings set out below:
Access Decision – the final determination made by the Business Customer regarding whether an End User may access its content or services, based on the Verification Result.
Agreement – these Terms and Conditions for VerifEye together with any Work Order, policy, or annex incorporated by reference, including the Data Processing Addendum (DPA) attached as Annex 1.
AI Model – Realeyes’ proprietary artificial intelligence and computer-vision models used within VerifEye to estimate an End User’s probable age or authenticity signal from non-identifying visual data.
API (Application Programming Interface) – a set of functions and endpoints made available by Realeyes to facilitate integration between the VerifEye Service and the Business Customer’s systems.
Anonymized Data – information that has been irreversibly altered so that it no longer relates to an identified or identifiable individual, consistent with applicable Data Protection Laws.
Authorized User – any member of the Business Customer’s personnel, contractor, or authorized integrator permitted to access the Service or Dashboard on behalf of the Business Customer.
Biometric Data – personal data resulting from the technical processing of physical, physiological, or behavioral characteristics (e.g., facial imagery) allowing or confirming unique identification, as defined in Article 4(14) GDPR. Not all VerifEye operations involve Biometric Data.
Business Customer – the entity contracting for the Service to estimate whether its End Users meet a specified age threshold before accessing its content or services, acting as data controller or business under applicable law.
Confidential Information – any non-public business, technical, financial, or personal information disclosed by one Party to the other under or in connection with this Agreement, whether disclosed orally, in writing, or electronically, that is marked or reasonably understood as confidential.
Consent – a freely given, specific, informed, and unambiguous indication of an End User’s agreement to processing of personal data, where required by applicable law.
Customer Platform – the Business Customer’s information technology system or application that integrates with or receives data from the VerifEye API or SDK.
Dashboard – the online interface provided by Realeyes through which the Business Customer can monitor usage, billing, and performance metrics of the Service.
Data Protection Laws – all laws applicable to the processing of personal data, including the GDPR, UK GDPR, ePrivacy Directive, CCPA/CPRA, LGPD, and other equivalent legislation.
End User – a natural person who provides visual or sensor data through the Business Customer’s platform to VerifEye for the purpose of age estimation.
End User Data – the personal data or related information submitted by an End User through the Service (such as facial imagery or metadata) that Realeyes processes on behalf of the Business Customer to generate a Verification Result.
Fees – the usage-based or pre-agreed charges payable by the Business Customer for the Service, as specified in the applicable Work Order or Dashboard.
Lightweight Re-Verification – a limited verification process that may involve liveness or facial-matching checks to confirm continuity of authenticity for a previously verified End User, without requiring the resubmission of full imagery or ID data.
Personal Data – any information relating to an identified or identifiable natural person, as defined under Article 4(1) GDPR or equivalent laws.
SDK (Software Development Kit) – software components supplied by Realeyes for integration into the Business Customer’s platform, enabling the Service’s operation.
Service or VerifEye Service – the AI-powered age-estimation and authenticity-detection solution provided by Realeyes, designed to assess whether an End User meets a given age threshold (e.g., “18 or over”) through non-identifying visual analysis.
Service Start Date – the effective date on which the Service commences under the applicable Work Order or when the Business Customer first activates or integrates the Service.
Sub-processor – any third party engaged by Realeyes to process End User Data on behalf of the Business Customer.
Term – the period during which the Service is provided, as defined in this Agreement and/or the applicable Work Order.
Third-Party Provider – any external vendor engaged by Realeyes under appropriate contractual safeguards to provide components of the Service (e.g., hosting, cloud infrastructure, liveness modules).
Verification API – the Realeyes API endpoint enabling integration and delivery of the Verification Result to the Customer Platform.
Verification Result – the categorical output of the VerifEye process (e.g., “18 or over”, “under 18”, or “unable to estimate”), transmitted to the Business Customer. No raw image or biometric data is shared.
Widget – the technical interface provided by Realeyes to embed VerifEye in the Business Customer’s digital environment.
Both Realeyes and the Business Customer represent and warrant that they have the full authority to enter into this Agreement and perform their respective obligations hereunder.
2. Object
2.1 Under this Agreement, Realeyes shall provide the VerifEye Service to the Business Customer for the purpose of verifying that an End User is a real human and not an automated or fraudulent actor. The Service is an AI-powered human-verification solution designed to assess the authenticity, liveness, and demographic attributes (including probable age and, where configured, gender) of End Users through non-identifying visual analysis. VerifEye enables the Business Customer to prevent bot activity, validate user uniqueness, implement age-based access controls, and, where applicable, support lightweight authentication or continuity checks. The outcome of this process is communicated as a Verification Result (e.g., “human verified,” “under 18,” “18 or over,” “unable to estimate,” or similar categorical outcome).
2.2 Realeyes acts solely as a technical service provider and data processor. It does not control or verify the accuracy of End User inputs and shall not be liable for any loss arising from incomplete, false, or fraudulent data. If Realeyes becomes aware of inaccurate or misleading information, it will take reasonable steps to rectify or remove it. The Business Customer shall indemnify and hold Realeyes harmless for claims arising from End User Data or its own failure to comply with applicable data protection laws.
3. System Connection & Onboarding
3.1 Access and Integration. Upon acceptance of a Work Order and subject to payment of applicable Fees, Realeyes shall issue to the Business Customer the necessary API keys, SDK packages, and documentation for connecting the Customer Platform to VerifEye.
3.2 Environment and Credentials. The Business Customer shall create an account in the Realeyes Dashboard or other designated interface and maintain secure credentials. Any action carried out through authorized credentials shall be deemed performed by the Business Customer.
3.3 Updates and New Releases. Realeyes may from time to time issue updates or new versions of the SDK, API, or integration protocols to enhance security or performance. The Business Customer must implement such updates within 60 days of notification. Continued use of outdated components beyond that period may result in suspension of the Service.
3.4 Testing Environment. Realeyes may provide a sandbox or demo environment for testing the integration. Data processed in the testing environment is non-production data and shall not be used for real End User verification.
3.5 Trial Use. Realeyes may at its discretion offer a limited trial period for evaluation purposes. Trial data is processed under the same security and confidentiality obligations as production data but may be deleted without notice after trial expiry.
3.6 Refusal or Suspension of Access. Realeyes may delay activation or temporarily suspend access if (i) onboarding information is incomplete or inaccurate, (ii) use poses security or legal risk, or (iii) the Business Customer fails to comply with technical requirements.
4. Work Orders
4.1 Ordering. Each engagement for the Service shall be formalized by a written or digitally executed Work Order specifying the scope, pricing model, Service Start Date, and integration details. Only Work Orders accepted by both Parties are binding.
4.2 Term of Work Order. Unless otherwise stated, each Work Order remains effective for 12 months from the Service Start Date and automatically renews for successive 12-month periods unless either Party provides 30 days’ notice of non-renewal.
4.3 Priority. If there is a conflict between this Agreement and a Work Order, the Work Order prevails for that specific scope only.
4.4 Changes. Any change in scope or pricing must be agreed in writing or through an updated Work Order.
5. The Service
5.1 Purpose and Scope. The VerifEye Service enables the Business Customer to apply AI-based age estimation to End Users through the Customer Platform. It may include visual analysis, liveness assessment, and authenticity checks to produce a Verification Result.
5.2 Lightweight Re-Verifications.
Realeyes may offer an optional feature enabling returning End Users to undergo a lightweight re-verification process.
This process involves capturing fresh, short-duration visual input (e.g., a brief liveness motion) to confirm that the user currently interacting with the Customer Platform corresponds to a previously verified interaction, without collecting, storing, or reusing any prior facial images or ID information. Realeyes performs this comparison exclusively on-device or in a transient processing environment, outputs only a confirmation signal, and does not permanently link or retain biometric data.
5.3 Design Principles. The Service is developed and maintained according to the following principles:
(a) Data minimization – only process what is strictly necessary for age estimation;
(b) Transparency – ensure that End Users receive clear information about data use;
(c) Security – apply state-of-the-art technical and organizational safeguards;
(d) Fairness and non-bias – conduct ongoing testing to assess model accuracy and demographic balance.
5.4 License. Subject to payment of Fees and compliance with this Agreement, Realeyes grants the Business Customer a non-exclusive, non-transferable, non-sublicensable license to use the VerifEye SDK, API and Dashboard for internal business use only during the Term.
5.5 Use Restrictions. The Business Customer shall not:
(a) resell or sub-license the Service to third parties;
(b) modify or reverse engineer any part of the Service or SDK;
(c) interfere with the operation of the Service or circumvent security controls;
(d) use the Service for purposes other than age estimation or authenticity assurance.
5.6 Security and Access. The Business Customer shall implement reasonable technical and organizational measures to prevent unauthorized access to the API, SDK, and Dashboard, and shall immediately notify Realeyes of any security incident or suspected breach of credentials.
5.7 Suspension of Service. Realeyes may temporarily limit or suspend the Service where:
(a) use poses a security, legal, or compliance risk;
(b) usage exceeds reasonable volume limits or causes system instability;
(c) the Business Customer is in breach of payment or technical obligations.
Realeyes will endeavor to notify the Business Customer in advance unless immediate action is required to protect system integrity.
6. Availability & Service Level
6.1 Service Commitment. Realeyes shall use commercially reasonable efforts to maintain a monthly Service availability of 99.5 percent (99.5%).
6.2 Exclusions. Downtime resulting from scheduled maintenance (maximum five hours per month), emergency maintenance, internet or telecommunication failures outside Realeyes’ control, force majeure events, or the Business Customer’s systems shall not count toward the availability calculation.
6.3 Monitoring and Reporting. Availability is measured via Realeyes’ internal monitoring tools. In case of an outage exceeding the commitment, Realeyes shall provide a written incident report upon request.
6.4 Remedy. If Service availability falls below 99.5% for two consecutive months, the Business Customer may terminate the Agreement for material breach upon 15 days’ notice unless availability is restored within that period.
7. Fees & Payment
7.1 Pricing Model. The default model is pay-per-use, based on the number of Verifications or API calls performed. Alternative pre-paid or subscription plans may be agreed in a Work Order.
7.2 Invoicing and Payment. Invoices are issued monthly and payable within 30 days of the invoice date. Payments shall be made to the account designated by Realeyes.
7.3 Taxes. Fees are exclusive of VAT, sales tax, and other charges. The Business Customer is responsible for all applicable taxes and bank charges.
7.4 Price Adjustments. Realeyes may adjust unit prices with 15 days’ prior notice. If the Business Customer does not accept the change, it may terminate the Agreement before the effective date of the adjustment.
7.5 Late Payments. Overdue balances accrue interest at 0.1% per day (or the maximum rate permitted by law). Realeyes may suspend the Service until all overdue amounts are received.
7.6 Non-Refundable Fees. All payments are non-refundable unless otherwise expressly agreed in writing.
7.7 Collection Costs. The Business Customer shall reimburse Realeyes for reasonable costs of recovering overdue amounts, including legal fees and collection expenses.
8. Obligations of the Parties
8.1 Business Customer Obligations
The Business Customer shall:
- use the Service only for lawful age-assurance purposes and in accordance with this Agreement;
- protect its API keys and access credentials from unauthorized use;
- ensure that no minor below the applicable digital-consent age appears in camera feeds without lawful basis;
- avoid reselling or redistributing the Service outputs; and
- treat all Verification Results and related data as Confidential Information.
8.2 Realeyes Obligations
Realeyes shall:
- provide the Service with reasonable skill, diligence, and industry-standard security;
- maintain and update its AI models to improve accuracy and robustness;
- provide End Users with all required privacy notices and consents before data processing, in compliance with Articles 13 and 14 GDPR, UK GDPR, and CCPA/CPRA. Such notices shall explain categories of data, processing purposes, lawful bases (including explicit consent for biometric data where applicable), retention periods, and data subject rights;
- ensure that a valid legal basis exists for any processing, including explicit consent for biometric data when required;
- offer documentation and support for integration and use;
- make available a Dashboard with aggregated usage statistics and billing information; and
- process End User Data only for the purposes authorized under this Agreement and the DPA.
9. Termination & Cancellation
9.1 Termination for Convenience. Either Party may terminate this Agreement or any Work Order at any time for convenience by giving thirty (30) days’ written notice to the other Party.
9.2 Termination for Breach. Either Party may terminate this Agreement immediately by written notice if the other Party materially breaches its obligations and fails to cure such breach within fifteen (15) days after receiving written notice.
9.3 Immediate Termination by Realeyes. Realeyes may terminate this Agreement with immediate effect if:
(a) the Business Customer uses the Service in violation of applicable law or regulation;
(b) such use exposes Realeyes to material security, legal, or reputational risk; or
(c) termination is required by law, a competent authority, or a data-protection regulator.
9.4 Effects of Termination.
Upon termination:
(a) all licenses and access rights granted under this Agreement immediately end;
(b) the Business Customer must stop using the Service, remove all SDK/API integrations, and destroy any related materials;
(c) Realeyes will deactivate account access and delete or return End User Data in accordance with Clause 10 and the DPA; and
(d) all outstanding Fees become immediately due and payable.
10. Data Protection & Privacy
10.1 Roles of the Parties.
For the purposes of the VerifEye Service:
- the Business Customer acts as Data Controller, determining the purposes and means of processing End User Data; and
- Realeyes acts as Data Processor, processing End User Data solely on behalf of the Business Customer and in accordance with this Agreement and the Data Processing Addendum (Annex 1).
10.2 Processing Purposes.
Realeyes processes End User Data exclusively to:
(a) perform AI-based human verification, including assessment of liveness, authenticity, and (where configured) estimation of age or gender;
(b) return the Verification Result to the Business Customer;
(c) monitor and improve Service performance, fraud prevention, and security; and
(d) comply with applicable legal and regulatory requirements.
10.3 Independent Controller Processing for AI R&D and Fraud Detection.
In certain limited cases, Realeyes may process and aggregate Personal Data from multiple customers as an independent Controller to:
(a) develop, improve, and train AI models and algorithms;
(b) detect presentation attacks, bots, or fraudulent usage patterns; and
(c) generate anonymized or aggregated statistics to enhance Service accuracy.
Such processing is always compatible with the Customer’s purposes, uses anonymized or pseudonymized data where feasible, and is conducted under a lawful basis as described in Realeyes’ Privacy Policy (https://realeyes.com/privacy).
10.4 End User Transparency and Consent.
Realeyes ensures that End Users are informed before data collection. Notices displayed within VerifEye explain categories of data, purposes and lawful bases, retention periods, and data-subject rights. Where required, explicit consent for biometric data is obtained.
10.5 Sub-Processors and Personnel.
Realeyes engages Sub-processors under written agreements imposing safeguards equivalent to those in this Agreement. A current list of authorized Sub-processors is maintained in Annex 1 of the DPA.
10.6 Security and Data Breach Notification.
Realeyes maintains industry-standard technical and organizational measures to ensure data security. In the event of a personal-data breach affecting End User Data, Realeyes shall notify the Business Customer without undue delay (and where feasible, within 48 hours) and co-operate to satisfy regulatory requirements.
10.7 Data Retention and Deletion.
Raw imagery and video frames are deleted immediately after age estimation. Pseudonymized data is retained only as necessary for Service provision or legal compliance. Upon termination, Realeyes will securely delete or return Customer Data as set out in the DPA.
10.8 Customer Compliance.
The Business Customer must not collect or transmit data beyond what is necessary for age estimation and must not combine Verification Results with other personal data to create user profiles.
11. Indemnification & Liability
11.1 Entire Liability.
Subject to Clause 11.2, this Clause sets out the entire financial liability of each Party (including liability for acts or omissions of its employees, agents, and sub-contractors) arising from or in connection with this Agreement.
11.2 Exclusions.
Nothing in this Agreement excludes or limits either Party’s liability for:
(a) fraud or fraudulent misrepresentation;
(b) payment of sums properly due and owing under this Agreement;
(c) any indemnities expressly provided herein; or
(d) any matter for which exclusion or limitation would be unlawful.
11.3 Exclusion of Indirect Loss.
Subject to Clause 11.2, neither Party shall be liable for: (a) loss of profits, revenues, goodwill, or business opportunities; (b) loss or corruption of data except where directly caused by its breach; or (c) any indirect, special, or consequential damages.
11.4 Liability Cap.
Subject to Clause 11.2, the total aggregate liability of Realeyes under or in connection with this Agreement shall not exceed the total Fees paid by the Business Customer to Realeyes during the twelve (12) months immediately preceding the event giving rise to the claim. This limitation is cumulative; multiple claims shall not increase the cap.
11.5 Business Customer Indemnity.
The Business Customer shall indemnify, defend, and hold harmless Realeyes and its affiliates, officers, directors, and employees from and against any third-party claims, fines, or expenses (including reasonable legal fees) arising from:
(a) misuse of the Service or breach of this Agreement;
(b) unlawfulness of End User Data submitted by the Business Customer; or
(c) failure to comply with applicable laws in connection with its use of VerifEye,
provided such claims are not directly attributable to Realeyes’ breach of this Agreement or law.
11.6 Realeyes Indemnity.
Realeyes shall indemnify and hold harmless the Business Customer from any direct losses, fines, or penalties imposed by a competent regulatory authority arising from a proven failure by Realeyes to comply with its legal obligations under applicable data-protection laws, to the extent that such non-compliance was solely caused by Realeyes and not by:
(a) the Business Customer’s instructions or configuration;
(b) the Business Customer’s own non-compliance; or
(c) force majeure or third-party acts beyond Realeyes’ control.
11.7 Responsibility for Use.
VerifEye provides statistical, AI-based estimations only and does not constitute legal proof of age or identity. The Business Customer assumes sole responsibility for decisions based on Verification Results and for its compliance with applicable age-control rules.
11.8 Severability of Limitations.
Each limitation or exclusion in this Clause 11 is independent and enforceable to the maximum extent permitted by law.
12. Representations & Warranties
12.1 Mutual Representations.
Each Party represents and warrants that:
(a) it is duly incorporated and in good standing under its jurisdiction;
(b) it has full power and authority to enter into and perform this Agreement; and
(c) its execution and performance do not violate any binding law or contract.
12.2 Business Customer Warranties.
The Business Customer further represents and warrants that it shall:
(a) use VerifEye solely for lawful age-assurance purposes;
(b) not use the Service in a manner that is discriminatory, unlawful, or reasonably expected to damage Realeyes’ reputation; and
(c) ensure that its integration with VerifEye does not compromise system security.
12.3 Realeyes Warranties.
Realeyes represents and warrants that:
(a) it will perform the Service with reasonable skill and care and in accordance with industry standards;
(b) it will comply with applicable data-protection and information-security laws;
(c) it has implemented appropriate technical and organizational measures to protect Personal Data as required by the DPA; and
(d) to its knowledge, the VerifEye Service does not infringe any third-party Intellectual Property Rights.
12.4 Disclaimer of Other Warranties.
Except as expressly stated herein, all other warranties and conditions (whether statutory, implied, or otherwise, including merchantability, fitness for purpose, or non-infringement) are disclaimed to the fullest extent permitted by law. The Service is provided on an “as-is” and “as-available” basis.
13. Intellectual Property Rights
13.1 Ownership.
The Business Customer acknowledges and agrees that all Intellectual Property Rights in and to the VerifEye Service, including software, SDK, API, algorithms, data models, documentation, and user interfaces, are and shall remain the sole property of Realeyes or its licensors. The Business Customer has no rights or interest in the Service other than the limited license granted herein.
13.2 Non-Challenge.
During the Term and thereafter, the Business Customer shall not challenge or assist any third party in challenging Realeyes’ Intellectual Property Rights in VerifEye.
13.3 Feedback.
Any suggestions or feedback provided by the Business Customer may be freely used by Realeyes for product development without obligation or attribution.
14. General Provisions
14.1 Force Majeure.
Neither Party shall be considered in breach of this Agreement, or liable for any delay or failure to perform its obligations, if such delay or failure results from causes beyond its reasonable control, including acts of God, natural disasters, epidemics, labor disputes, acts of war or terrorism, civil unrest, sabotage, interruption of utilities or telecommunications, or actions of governmental or military authorities (“Force Majeure Event”). The affected Party shall use reasonable diligence to mitigate and remove the condition preventing performance and shall not suspend its obligations for longer than necessary. If a Force Majeure Event continues unremedied for more than sixty (60) consecutive days, either Party may terminate the Agreement immediately by written notice.
14.2 Updates to the Agreement.
Realeyes may update these Terms and Conditions from time to time at its reasonable discretion. Realeyes will notify the Business Customer of such updates by email and/or through the Dashboard or its website. Continued use of the Service after the effective date of any update constitutes acceptance of the revised Terms. Where the Service has been suspended and later restored, the version of the Terms in effect on the restoration date shall govern subsequent use of the Service.
14.3 Waiver.
Failure or delay by either Party in exercising any right or remedy shall not constitute a waiver of that or any other right or remedy. The use of any remedy shall not preclude the use of any other available right or remedy.
14.4 Severability.
If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a competent authority, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions shall remain in full force and effect.
14.5 Entire Agreement.
This Agreement (including all Work Orders, annexes, and incorporated documents) constitutes the entire agreement between the Parties concerning its subject matter and supersedes all prior proposals, negotiations, or understandings, whether oral or written. Each Party acknowledges that it has not relied upon any representation or warranty not expressly contained herein.
14.6 Relationship of the Parties.
Nothing in this Agreement creates any partnership, joint venture, employment, or agency relationship between the Parties. Neither Party has authority to bind or represent the other except as expressly permitted herein.
14.7 Assignment.
The Business Customer may not assign or transfer any of its rights or obligations under this Agreement without the prior written consent of Realeyes, which shall not be unreasonably withheld. Realeyes may assign its rights or obligations to any of its affiliates or to a successor acquiring substantially all of its assets, subject to written notice to the Business Customer.
14.8 Public References.
The Business Customer may not issue press releases or public announcements referring to Realeyes or this Agreement without Realeyes’ prior written consent, except as required by law or a competent regulatory authority. Realeyes may identify the Business Customer by name and logo in its marketing materials and client lists for reference purposes.
14.9 Notices.
All notices under this Agreement must be in English and in writing. A notice is deemed received when delivered by hand to an authorized representative during business hours at the recipient’s registered address, when sent by email to the designated address of the recipient and no delivery error is reported, or when delivered via the Dashboard or another mutually agreed electronic method that provides a verifiable record of delivery. Either Party may update its contact details for notice by written notice to the other Party.
14.10 Anti-Bribery and Compliance.
Each Party shall comply with all applicable laws and regulations relating to anti-bribery, anti-corruption, and sanctions. Each Party shall promptly notify the other of any request or demand for an undue financial or other advantage received in connection with this Agreement.
14.11 Governing Law and Arbitration.
This Agreement, and any dispute, controversy, or claim arising out of or in connection with it, shall be governed by and construed in accordance with English law, excluding its conflict-of-law rules. Any dispute arising under or in connection with this Agreement shall be finally settled by arbitration administered by the International Chamber of Commerce (ICC) in accordance with its Rules of Arbitration then in force. The seat of arbitration shall be London, United Kingdom, the language of the arbitration shall be English, and the tribunal shall consist of three (3) arbitrators. The arbitral proceedings, all filings, and any award shall be treated as Confidential Information by both Parties. Nothing in this clause shall prevent either Party from seeking urgent injunctive or equitable relief before a competent court to protect its intellectual-property rights or Confidential Information pending the outcome of the arbitration.
Annex 1 – Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms an integral part of the Terms and Conditions for VerifEye (the “Agreement”) between
- Realeyes OÜ, registry code 11730664, Vahe 15, 11615 Tallinn, Estonia (“Realeyes”, “Processor”); and
- the contracting business customer (“Customer”, “Controller”).
1. Subject Matter & Duration
This DPA governs Realeyes’ processing of personal data on behalf of the Customer under the Agreement for the VerifEye Service. Processing continues for the Term of the Agreement and ceases upon deletion or return of data as provided in Clause 10 of the Agreement.
2. Roles & Instructions
2.1 The Customer acts as Data Controller; Realeyes acts as Data Processor.
2.2 Realeyes shall process Customer Data only on documented instructions from the Customer, except where required by law.
2.3 The processing instructions, lawful basis, categories of data, and data-subject information are described in Section 9 (Details of Processing).
2.4 Any Realeyes processing as an independent Controller for AI R&D and fraud-detection purposes is limited to what is described in Clause 10.3 of the Agreement.
3. Sub-Processing
3.1 The Customer authorizes Realeyes to engage Sub-processors for the Service.
3.2 Each Sub-processor is bound by written obligations providing protection equivalent to this DPA. Realeyes remains fully liable for their acts or omissions.
3.3 Current authorized Sub-processors:
| Category | Purpose | Typical Location | Safeguard Mechanism |
| --- | --- | --- | --- |
| Cloud infrastructure providers (e.g., AWS) | Secure hosting and transient processing of Service data | EU/EEA or UK regions | Standard Contractual Clauses / Adequacy Decision |
| Analytics and monitoring tools (e.g. Google Analytics) | System logging, error tracking, and security monitoring | EU/UK/US | Standard Contractual Clauses |
| Content-delivery & network services | API delivery, latency reduction, and availability optimization | Global | Standard Contractual Clauses / Adequacy |
3.4 Realeyes shall notify the Customer at least ten (10) days before adding or replacing a Sub-processor. The Customer may object on reasonable data-protection grounds; unresolved objections entitle the Customer to terminate the affected Work Order without penalty.
4. Security Measures
4.1 Realeyes implements and maintains the following technical and organizational measures (TOMs) appropriate to the risk:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- Role-based access control and multi-factor authentication;
- Logical segregation of environments (development / testing / production);
- Continuous vulnerability management, intrusion detection, and log monitoring;
- Regular penetration tests and security audits by independent specialists;
- Secure deletion and disposal procedures for temporary and residual data;
- Business-continuity and disaster-recovery planning;
- Employee confidentiality agreements and mandatory training on data protection.
4.2 Realeyes reviews and updates these measures periodically to ensure continued effectiveness.
4.3 The Customer is responsible for implementing appropriate security measures within its own environment, including secure API key storage and controlled access to the Service.
5. Data Breach Notification
In the event of a personal-data breach affecting Customer Data, Realeyes shall:
(a) notify the Customer without undue delay (and where feasible, within 48 hours of becoming aware);
(b) provide details of the nature of the incident, affected data, and remedial actions; and
(c) co-operate with the Customer to satisfy any reporting or communication obligations required by law.
6. Assistance & Audit Rights
6.1 Assistance. Realeyes shall, insofar as possible, assist the Customer in fulfilling its obligations under Articles 32–36 GDPR, including data-subject requests and impact assessments.
6.2 Audit. The Customer may audit Realeyes’ compliance once per calendar year on thirty (30) days’ notice.
Audits may be satisfied through inspection of Realeyes’ independent certifications (e.g. SOC 2) and supporting documentation.
6.3 Co-operation. Realeyes shall co-operate with competent supervisory authorities and the Customer on request.
7. International Transfers
7.1 Customer Data may be processed in locations where Realeyes or its Sub-processors operate.
All international transfers are made under a valid transfer mechanism, including EU Standard Contractual Clauses, the UK Addendum, or an adequacy decision.
7.2 If Realeyes cannot ensure ongoing compliance with these safeguards, it shall promptly inform the Customer and work to agree suitable supplementary measures or suspend the transfer.
8. Retention and Deletion
Upon termination or expiry of the Agreement—or upon the Customer’s written request—Realeyes shall securely delete or return Customer Data within a reasonable period, except where law requires retention.
Deletion is performed using secure wiping or cryptographic erasure consistent with the TOMs above.
9. Details of Processing (Article 28(3) GDPR)
| Item | Description |
| --- | --- |
| Nature and Purpose of Processing | AI-based age estimation and authenticity (liveness) analysis to generate a non-identifying Verification Result for the Customer. |
| Categories of Data Subjects | End Users of the Customer’s platform who undergo age estimation through VerifEye. |
| Types of Personal Data | Limited facial imagery or frames captured through device camera; derived biometric embeddings; liveness and orientation signals; session identifiers; device and telemetry metadata. |
| Special Categories | Biometric data, only to the extent used for liveness detection or age estimation. |
| Duration of Processing | For the Term of the Agreement and retention periods stated in Clause 10 of the Agreement. |
| Processing Operations | Collection of transient camera input → AI model inference → generation of Verification Result → immediate deletion of raw input → transmission of output to Customer. |
| Customer Instructions | As set out in the Agreement and this DPA. |
Last updated and effective: 15 November 2025