Fctr Identity
Home Terms Privacy Security

Data Processing Agreement

Fctr Identity

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fctr Identity ("Processor," "we," "our," or "us") and the organization subscribing to the Fctr Identity Portal ("Controller," "you," or "your").

This DPA reflects the parties' agreement with respect to the processing of Personal Data in connection with the Fctr Identity Portal ("Portal"), in compliance with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy frameworks.


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law.
  • "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, or deletion.
  • "Sub-Processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the Portal's identity verification, MFA enforcement, and helpdesk workflow services as described in the Terms of Service. The Processor acts as a data processor on behalf of the Controller.

3. Data Processing Details

CategoryDetails
Data SubjectsController's employees, contractors, and end-users whose identities are verified through the Portal
Types of Personal DataUser identifiers (UserID, email/UPN, phone number where used for authentication delivery), MFA factor enrollment status, verification status, account status
Nature of ProcessingReal-time, in-memory retrieval from the Controller's Identity Provider for display and verification. Raw end-user identity data is not retained at rest as part of normal operations. Limited operational metadata is retained under the schedules described below for troubleshooting, auditability, and billing support.
PurposeIdentity verification, MFA enforcement, helpdesk workflow automation, audit logging, and billing support
DurationFor the term of the subscription agreement. All in-memory data is discarded at session end.

4. Zero-Data Architecture

No Raw Identity Records at Rest: The Portal is designed to avoid retaining raw end-user identity records or credentials at rest as part of normal operations.

In-Memory Processing Only: Personal Data retrieved from the Controller's Identity Provider is processed in-memory for real-time verification and is discarded immediately when the session ends.

PII Masking: Limited operational metadata is retained under the schedules described below. Retained audit and billing records use masked or hashed identifiers where applicable. Raw PII is not intentionally included in retained audit or billing records.

5. Operational Record Retention

Log TypeLocationRetentionContains PII?
Application runtime logs Google Cloud Platform managed logging Approximately 1 day Limited operational metadata
Audit and request metadata Fctr-managed Google Cloud services Approximately 30 days Masked identifiers only
Usage and billing metrics Fctr-managed Google Cloud services Approximately 3 years Hashed identifiers only

The Processor will update this DPA if these retention schedules materially change.

6. Sub-Processors

The Processor uses the following Sub-Processors. The Controller hereby provides general written authorization for the use of these Sub-Processors:

Sub-ProcessorPurposeLocationCertifications
Google Cloud Platform Application hosting, operational logging, and encrypted storage United States SOC 2 Type II, ISO 27001
Cloudflare, Inc. DNS resolution, edge security, DDoS protection Global (Anycast) SOC 2 Type II, ISO 27001

The Processor will notify the Controller at least thirty (30) days in advance before engaging any new Sub-Processor. The Controller may object to a new Sub-Processor by providing written notice within fifteen (15) days of notification.

7. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

  • Encryption in Transit: All data transmitted between the Portal, the Controller's browser, and the Identity Provider is encrypted using TLS 1.2 or higher.
  • Limited Data at Rest: The Portal does not store raw end-user identity data or credentials at rest as part of normal operations. Limited PII-masked audit metadata and hashed billing identifiers are stored in managed Google Cloud services under defined retention schedules.
  • Access Controls: Role-based access control (RBAC) enforced at the application level. Backend middleware validates every API request against the agent's assigned permission tier.
  • MFA-Gated Operations: High-risk operations require an active, time-limited MFA verification session.
  • Rate Limiting: Strict rate limiting on all authentication and API endpoints.
  • Vulnerability Management: Static analysis (SAST) via GitHub CodeQL and Snyk Code. Software composition analysis (SCA) via Dependabot and Snyk Open Source. Secret scanning with push protection via GitHub Advanced Security. Software Bill of Materials (SBOM) generation via GitHub Dependency Graph.

8. Data Subject Rights

The Processor will assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent applicable:

  • Given Fctr's minimized retention model, most transient operational data is automatically purged on a short schedule.
  • For requests related to active operational data within the applicable retention windows, the Controller may contact [email protected] and the Processor will respond within ten (10) business days.

9. International Data Transfers

The Portal is hosted on Google Cloud Platform infrastructure in the United States. If the Controller or its Data Subjects are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following transfer mechanisms apply:

  • Google Cloud Platform: Offers customer contractual commitments and data processing terms for supported cloud services.
  • Cloudflare: Maintains Standard Contractual Clauses (SCCs) and is GDPR-compliant.

The Processor will cooperate with the Controller to implement additional transfer safeguards if required by changes in applicable law.

10. Data Breach Notification

In the event of a confirmed Personal Data breach:

Notification Standard: The Processor will notify the Controller without undue delay consistent with applicable law and the parties' binding contractual obligations.

  • The notification will include: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.
  • Given Fctr's minimized-retention architecture, a breach of Portal infrastructure would not expose a traditional database of raw end-user identity records. Exposure would instead be limited to the operational data retained under the applicable audit and billing retention schedules.

11. Audit Rights

  • The Controller may request, no more than once per year and with at least thirty (30) days written notice, a summary of the Processor's security posture, including relevant SOC 2 reports from Sub-Processors.
  • The Processor will make available relevant compliance documentation, third-party audit summaries, and penetration test findings (where available) upon reasonable request.

12. Term and Termination

  • This DPA is effective for the duration of the Controller's subscription to the Portal.
  • Upon termination, all in-memory Personal Data is immediately discarded (as it is on every session end). Retained operational records will be deleted in accordance with the applicable retention schedules, subject to any legal or financial recordkeeping obligations.
  • The Processor will certify deletion upon written request from the Controller.

13. Governing Law

This DPA is governed by the same law that governs the Terms of Service: the laws of the Commonwealth of Pennsylvania, USA, without regard to conflict of law provisions.

14. Contact

For questions about this DPA or to exercise any rights described herein:

Fctr Identity
606 Liberty Ave, Ste 300
Pittsburgh, PA 15222
Email: [email protected]
Fctr Identity

Secure identity verification integrated with Okta and Entra ID.

Legal

  • Terms of Service
  • Privacy Policy
  • Security Model
  • Data Processing Agreement

Company

  • Home
  • Trust Center
  • Contact
© 2026 Fctr Identity. All Rights Reserved.