Legal — Toqen

Data Processing Addendum

This Data Processing Addendum governs the processing of personal data by Toqen on behalf of its partners, in accordance with the GDPR.

TL;DR

  • Toqen acts as a data processor on behalf of its partners.
  • Personal data is processed only on documented instructions and for access and security purposes.
  • Appropriate technical and organizational measures are applied.
  • Subprocessors and international transfers are governed by GDPR safeguards.

Roles and Scope

This Data Processing Addendum ("DPA") applies where Toqen.app processes personal data on behalf of a partner acting as a data controller, in connection with the provision of Toqen services.

For the purposes of the GDPR, the partner is the data controller and Toqen.app acts as a data processor, unless otherwise agreed in writing.

Subject Matter and Duration

The subject matter of the processing consists of authentication, access control, and related security services provided by Toqen. Processing is performed for the duration of the partner’s use of the services, unless otherwise required by applicable law.

Nature and Purpose of Processing

  • Providing passwordless authentication and access verification services.
  • Generating and validating temporary tokens, sessions, and one-time codes.
  • Ensuring security, abuse prevention, and service reliability.
  • Providing operational support related to the service.

Categories of Personal Data

  • Technical identifiers such as temporary tokens, session identifiers, and request metadata.
  • IP address and device or browser information.
  • Email address or nickname, if provided by the data subject through the partner’s configuration.

Categories of Data Subjects

  • End users accessing partner services.
  • Authorized representatives or administrators of the partner.

Obligations of the Controller

The partner, as data controller, is responsible for ensuring that personal data is processed lawfully, fairly, and transparently, including providing appropriate notices to data subjects and obtaining any required consents.

Obligations of the Processor

  • Process personal data only on documented instructions from the controller, unless required by applicable law.
  • Ensure that all persons authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the controller, where applicable, in responding to data subject requests.
  • Assist the controller in ensuring compliance with security, breach notification, and impact assessment obligations under the GDPR.
  • Maintain records of processing activities in accordance with Article 30(2) of the GDPR and cooperate with supervisory authorities where applicable.

Security Measures

Toqen implements technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include encryption or hashing where appropriate, access controls, network security, and monitoring.

Subprocessors

The controller authorizes Toqen to engage subprocessors necessary for the provision of the services. A current list of subprocessors is made available in accordance with this DPA. Toqen remains responsible for the performance of its subprocessors.

International Data Transfers

Where personal data is transferred outside the European Union, such transfers shall be subject to appropriate safeguards in accordance with Articles 44–49 of the GDPR, including adequacy decisions or Standard Contractual Clauses.

Personal Data Breach

Toqen shall notify the controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA, and shall provide reasonable assistance to enable the controller to comply with its notification obligations.

Deletion or Return of Data

Upon termination of the services, Toqen shall delete or return personal data processed on behalf of the controller, unless retention is required by applicable law.

Audits and Compliance

Toqen shall make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the controller or an independent auditor, subject to reasonable notice and confidentiality obligations.

Governing Law

This DPA shall be governed by the laws of the European Union and, where applicable, the laws of the EU member state in which the controller is established, unless otherwise agreed in writing.

Contact

For any questions regarding this Data Processing Addendum, please contact hi@toqen.app.