Data Processing Addendum
This Data Processing Addendum governs the processing of personal data by Toqen on behalf of its partners, in accordance with the GDPR.
TL;DR
- Toqen acts as a data processor on behalf of its partners.
- Personal data is processed only on documented instructions and for access and security purposes.
- Appropriate technical and organizational measures are applied.
- Subprocessors and international transfers are governed by GDPR safeguards.
Roles and Scope
This Data Processing Addendum ("DPA") applies where Toqen.app processes personal data on behalf of a partner acting as a data controller, in connection with the provision of Toqen services.
For the purposes of the GDPR, the partner is the data controller and Toqen.app acts as a data processor, unless otherwise agreed in writing.
Subject Matter and Duration
The subject matter of the processing consists of authentication, access control, and related security services provided by Toqen. Processing is carried out for the duration of the provision of the services and in accordance with the documented instructions of the controller, unless retention is required by applicable law.
Nature and Purpose of Processing
- Providing passwordless authentication and access verification services.
- Generating and validating temporary tokens, sessions, and one-time codes.
- Ensuring security, abuse prevention, and service reliability.
- Providing operational support related to the service.
Categories of Personal Data
- Technical identifiers such as temporary tokens, session identifiers, and request metadata.
- IP address and device or browser information, where processed in the context of access, security, or abuse prevention.
- Email address or nickname, where provided by the data subject through the partner’s configuration.
Categories of Data Subjects
- End users accessing partner services.
- Authorized representatives or administrators of the partner.
Obligations of the Controller
The partner, as data controller, is responsible for ensuring that personal data is processed lawfully, fairly, and transparently, including providing appropriate information to data subjects and obtaining any required consents.
Obligations of the Processor
- Process personal data only on documented instructions from the controller, unless required to do so by applicable law.
- Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the controller, where applicable and to the extent reasonably possible, in responding to data subject requests.
- Assist the controller in complying with obligations relating to security, personal data breaches, and data protection impact assessments, taking into account the nature of the processing.
- Maintain records of processing activities in accordance with Article 30(2) of the GDPR and cooperate with supervisory authorities where required.
Security Measures
Toqen implements appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include encryption or hashing where appropriate, access controls, network security, and security monitoring.
Subprocessors
The controller authorizes Toqen to engage subprocessors necessary for the provision of the services. A current list of subprocessors is made available in accordance with this DPA. Toqen remains responsible for the performance of its subprocessors in accordance with the GDPR.
International Data Transfers
Where personal data is transferred outside the European Union or the European Economic Area, such transfers are subject to appropriate safeguards in accordance with Articles 44–49 of the GDPR, including adequacy decisions or Standard Contractual Clauses.
Personal Data Breach
Toqen shall notify the controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA and shall provide reasonable information to enable the controller to comply with its notification obligations.
Deletion or Return of Data
Upon termination of the services, Toqen shall, at the choice of the controller, delete or return personal data processed on its behalf, unless retention of the personal data is required by applicable law.
Audits and Compliance
Toqen shall make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the controller or an independent auditor, subject to reasonable prior notice, scope limitations, and confidentiality obligations.
Governing Law
This DPA shall be governed by the laws of the EU member state in which the controller is established, unless otherwise agreed in writing.
Contact
For any questions regarding this Data Processing Addendum, please contact hi@toqen.app.