Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fctr Identity ("Processor," "we," "our," or "us") and the organization subscribing to the Fctr Identity Portal ("Controller," "you," or "your").
This DPA reflects the parties' agreement with respect to the processing of Personal Data in connection with the Fctr Identity Portal ("Portal"), in compliance with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy frameworks.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law.
- "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion.
- "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope and Purpose
The Processor processes Personal Data solely to provide the Portal's identity verification, MFA enforcement, and helpdesk workflow services as described in the Terms of Service. The Processor acts as a data processor on behalf of the Controller.
3. Data Processing Details
| Category | Details |
|---|---|
| Data Subjects | Controller's employees, contractors, and end-users whose identities are verified through the Portal |
| Types of Personal Data | User identifiers (UserID, email/UPN, phone number where used for authentication delivery), MFA factor enrollment status, verification status, account status |
| Nature of Processing | Real-time, in-memory retrieval from the Controller's Identity Provider for display and verification. Raw end-user identity data is not retained at rest as part of normal operations. Limited operational metadata is retained under the schedules described below for troubleshooting, auditability, and billing support. |
| Purpose | Identity verification, MFA enforcement, helpdesk workflow automation, audit logging, and billing support |
| Duration | For the term of the subscription agreement. All in-memory data is discarded at session end. |
4. Zero-Data Architecture
No Raw Identity Records at Rest: The Portal is designed to avoid retaining raw end-user identity records or credentials at rest as part of normal operations.
In-Memory Processing Only: Personal Data retrieved from the Controller's Identity Provider is processed in-memory for real-time verification and is discarded immediately when the session ends.
PII Masking: Limited operational metadata is retained under the schedules described below. Retained audit and billing records use masked or hashed identifiers where applicable. Raw PII is not intentionally included in retained audit or billing records.
5. Operational Record Retention
| Log Type | Location | Retention | Contains PII? |
|---|---|---|---|
| Application runtime logs | Google Cloud Platform managed logging | Approximately 1 day | Limited operational metadata |
| Audit and request metadata | Fctr-managed Google Cloud services | Approximately 30 days | Masked identifiers only |
| Usage and billing metrics | Fctr-managed Google Cloud services | Approximately 3 years | Hashed identifiers only |
The Processor will update this DPA if these retention schedules materially change.
6. Sub-Processors
The Processor uses the following Sub-Processors. The Controller hereby provides general written authorization for the use of these Sub-Processors:
| Sub-Processor | Purpose | Location | Certifications |
|---|---|---|---|
| Google Cloud Platform | Application hosting, operational logging, and encrypted storage | United States | SOC 2 Type II, ISO 27001 |
| Cloudflare, Inc. | DNS resolution, edge security, DDoS protection | Global (Anycast) | SOC 2 Type II, ISO 27001 |
The Processor will notify the Controller at least thirty (30) days in advance before engaging any new Sub-Processor. The Controller may object to a new Sub-Processor by providing written notice within fifteen (15) days of notification.
7. Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Encryption in Transit: All data transmitted between the Portal, the Controller's browser, and the Identity Provider is encrypted using TLS 1.2 or higher.
- Limited Data at Rest: The Portal does not store raw end-user identity data or credentials at rest as part of normal operations. Limited PII-masked audit metadata and hashed billing identifiers are stored in managed Google Cloud services under defined retention schedules.
- Access Controls: Role-based access control (RBAC) enforced at the application level. Backend middleware validates every API request against the agent's assigned permission tier.
- MFA-Gated Operations: High-risk operations require an active, time-limited MFA verification session.
- Rate Limiting: Strict rate limiting on all authentication and API endpoints.
- Vulnerability Management: Static analysis (SAST) via GitHub CodeQL and Snyk Code. Software composition analysis (SCA) via Dependabot and Snyk Open Source. Secret scanning with push protection via GitHub Advanced Security. Software Bill of Materials (SBOM) generation via GitHub Dependency Graph.
8. Data Subject Rights
The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent applicable:
- Given Fctr's minimized retention model, most transient operational data is automatically purged on a short schedule.
- For requests related to active operational data within the applicable retention windows, the Controller may contact [email protected] and the Processor will respond within ten (10) business days.
9. International Data Transfers
The Portal is hosted on Google Cloud Platform infrastructure in the United States. If the Controller or its Data Subjects are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following transfer mechanisms apply:
- Google Cloud Platform: Offers customer contractual commitments and data processing terms for supported cloud services.
- Cloudflare: Maintains Standard Contractual Clauses (SCCs) and is GDPR-compliant.
The Processor will cooperate with the Controller to implement additional transfer safeguards if required by changes in applicable law.
10. Data Breach Notification
In the event of a confirmed Personal Data breach:
Notification Standard: The Processor will notify the Controller without undue delay consistent with applicable law and the parties' binding contractual obligations.
- The notification will include: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
- Given Fctr's minimized-retention architecture, a breach of Portal infrastructure would not expose a traditional database of raw end-user identity records. Exposure would instead be limited to the operational data retained under the applicable audit and billing retention schedules.
11. Audit Rights
- The Controller may request, no more than once per year and with at least thirty (30) days written notice, a summary of the Processor's security posture, including relevant SOC 2 reports from Sub-Processors.
- The Processor will make available relevant compliance documentation, third-party audit summaries, and penetration test findings (where available) upon reasonable request.
12. Term and Termination
- This DPA is effective for the duration of the Controller's subscription to the Portal.
- Upon termination, all in-memory Personal Data is immediately discarded (as it is on every session end). Retained operational records will be deleted in accordance with the applicable retention schedules, subject to any legal or financial recordkeeping obligations.
- The Processor will certify deletion upon written request from the Controller.
13. Governing Law
This DPA is governed by the same law that governs the Terms of Service: the laws of the Commonwealth of Pennsylvania, USA, without regard to conflict of law provisions.
14. Contact
For questions about this DPA or to exercise any rights described herein: