Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") is entered into between XY Zinc, a brand of Chaos Unlimited LLC ("Processor," "we," "us," or "our"), and the business entity that has subscribed to or is using the XY Zinc Age Verification service ("Controller," "Business Customer," or "you"). This DPA forms part of the service agreement between the parties and governs the processing of personal data in connection with the Age Verification service.

1. Purpose

This DPA sets out the terms under which XY Zinc, acting as a Data Processor, processes personal data on behalf of the Business Customer (the Data Controller) in the context of providing age verification services. It supplements the service agreement and is designed to ensure compliance with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR — EU/UK)
  • US state-level age verification laws (including Texas HB 1181, Louisiana Act 440, and similar legislation)
  • Other applicable data protection regulations in jurisdictions where the Business Customer operates

2. Definitions

  • End User — A natural person whose age is verified through the XY Zinc service on behalf of the Business Customer
  • Business Customer — The legal entity or individual using the XY Zinc service for age verification on their website(s)
  • Verification Data — Any personal data collected or processed temporarily during the age verification process
  • Tier 1 Verification — Biometric facial scanning to determine whether the End User meets the age threshold
  • Tier 2 Verification — Biometric facial scanning combined with government-issued photo ID document verification
  • Verification Token — A signed, anonymized token indicating the outcome of a verification session, set as a cookie on the Business Customer's domain

3. Nature and Purpose of Processing

XY Zinc processes personal data solely for the purpose of verifying that an End User meets the minimum age requirement configured by the Business Customer. Verification is performed using one or both of the following methods, as determined by the Business Customer's regional configuration:

Tier 1 — Biometric Face Scan

A live selfie is captured and analyzed to determine the probability that the End User is a minor. The system uses age classification (minor probability scoring) rather than age estimation. No biometric templates are created or stored. The image exists only in server memory during processing and is automatically deleted upon completion or after a maximum of 15 minutes.

Tier 2 — Face Scan + Government ID

In addition to the Tier 1 face scan, the End User provides a photograph of a government-issued photo ID. Only the date of birth and document expiration date are extracted from the sub-processor's results and used by the system. All other fields returned by the sub-processor, including names, addresses, and ID numbers, are never read or used by XY Zinc. The system also performs a face comparison between the selfie and the ID photo to confirm they are the same person. Both images exist only in server memory and are automatically deleted upon completion or after a maximum of 15 minutes.

The Business Customer configures which tier applies to each geographic region through the XY Zinc admin dashboard or site integration settings. Regions not configured for verification pass through without any data processing.

4. Categories of Data Subjects and Data

4.1 Data Subjects

End Users who visit the Business Customer's website from a region that the Business Customer has configured to require age verification.

4.2 Personal Data Processed

Temporary Processing Only (Never Stored)

  • Selfie/liveness images
  • Government ID document photographs
  • Date of birth and document expiration date (extracted only to calculate age and validate document currency, then immediately discarded)

These items exist only in server memory (local Redis instance with disabled persistence) during the verification process. They are never written to disk, database, or any persistent storage. Maximum in-memory retention is 15 minutes via automatic TTL expiration, with immediate deletion upon verification completion.

Data Retained (Pseudonymized Session Records)

  • Session ID (random UUID, not directly linked to the End User's identity by name)
  • Verification outcome (approved or rejected)
  • Confidence scores from age classification
  • Country and region code (e.g., "US-TX")
  • IP address (for fraud detection)
  • Timestamps
  • Tenant identifier (the Business Customer's site)

5. Data Retention and Deletion

Data Type and Retention Period

  • Biometric images (selfies, ID photos): 0 seconds (never stored persistently; in-memory only with 15-minute TTL)
  • Date of birth / expiration date / personal information from IDs: 0 seconds (never stored; extracted transiently to calculate age and validate document)
  • Pseudonymized verification session records: 24 months from creation, then automatically purged
  • Business Customer account data: duration of service agreement, plus 30 days after termination

Biometric data is stored exclusively in Redis with persistence disabled (no disk writes). Automatic TTL expiration ensures data is purged even in the event of system failure. Upon contract termination, all Business Customer data (including account credentials, API keys, regional configurations, and session records) will be deleted within 30 days. Written confirmation of deletion will be provided upon request.

6. Roles and Responsibilities

The Business Customer is the Data Controller. The Business Customer determines which regions require verification, what verification tier applies, and the minimum age threshold for their website(s).

XY Zinc acts as the Data Processor, processing End User data solely on behalf of and in accordance with the Business Customer's configuration. XY Zinc does not determine the purposes or means of processing beyond the technical implementation of the verification methods selected by the Business Customer.

XY Zinc acts as an independent Controller with respect to aggregated statistical data that cannot reasonably be linked to an identifiable person. This data is used for service improvement, fraud detection, and aggregate reporting.

7. Technical and Organizational Security Measures

XY Zinc implements the following measures to protect personal data during processing:

  • All data transmitted over HTTPS/TLS encryption
  • Biometric data stored only in server memory via a local Redis instance running on the same host as the application, with persistence disabled. Redis data never leaves the server over a network and is never written to disk under any circumstances.
  • Automatic TTL expiration (maximum 15 minutes) ensures data purge even on system failure
  • Images transmitted to sub-processors as raw bytes in API requests — no intermediary cloud storage (e.g., S3 buckets) is used
  • Database encryption at rest for persistent data (PostgreSQL)
  • API access requires authenticated API keys, which are stored as bcrypt hashes
  • Admin dashboard access requires two-factor authentication (TOTP)
  • Rate limiting on verification endpoints to prevent abuse
  • JWT-based session tokens with expiration controls
  • Failover infrastructure with equivalent security controls to ensure service continuity
  • Host-based intrusion detection with file integrity monitoring on critical system components
  • Network-based intrusion detection and prevention with real-time traffic analysis
  • Centralized security event logging and correlation
  • Regular security audits and code reviews
  • Access controls limiting personnel who can access production systems
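
The following is an editor-supplied illustration of the in-memory retention model described in sections 4.2 and 7 above; it is example code added to this page, not XY Zinc's implementation. It shows the Redis settings that disable persistence and restrict the instance to the local host, and an application-side pattern that writes each image with a 15-minute expiry and deletes it as soon as the verification session completes. The key naming scheme, the `SessionImageStore` class and the `InMemoryClient` stand-in (which exposes only the subset of the redis-py client API used here so the example runs offline) are assumptions; in a real deployment a `redis.Redis(host="127.0.0.1")` client would be passed in its place.

```python
"""Ephemeral biometric image storage with a hard TTL (editor-supplied example).

Mirrors the model stated in the DPA: images live only in a local Redis
instance with persistence disabled, expire after at most 15 minutes, and
are deleted immediately when the verification session completes.
"""
import time
import uuid

# Assumed redis.conf fragment for the local instance (constructed example).
# Comments are kept on their own lines, as the Redis config parser expects.
REDIS_CONF = """
# listen on loopback only; nothing reaches the instance over the network
bind 127.0.0.1 -::1
protected-mode yes
# disable RDB snapshots and the append-only file: no disk writes
save ""
appendonly no
"""

MAX_TTL_SECONDS = 15 * 60  # the 15-minute ceiling stated in the DPA


class InMemoryClient:
    """Constructed stand-in for the redis-py methods used below
    (set with ex=, delete, exists, ttl) so the example runs offline.
    `clock` is injectable so expiry can be simulated without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}  # key -> (value, expiry timestamp or None)

    def _evict(self):
        now = self._clock()
        expired = [k for k, (_, exp) in self._data.items() if exp is not None and exp <= now]
        for k in expired:
            del self._data[k]

    def set(self, name, value, ex=None):
        self._evict()
        expiry = self._clock() + ex if ex else None
        self._data[name] = (value, expiry)
        return True

    def delete(self, *names):
        self._evict()
        return sum(1 for n in names if self._data.pop(n, None) is not None)

    def exists(self, *names):
        self._evict()
        return sum(1 for n in names if n in self._data)

    def ttl(self, name):
        self._evict()
        if name not in self._data:
            return -2  # Redis convention: key does not exist
        exp = self._data[name][1]
        return -1 if exp is None else int(exp - self._clock())


class SessionImageStore:
    """Holds the selfie and (for Tier 2) ID image of one session, never on disk."""

    def __init__(self, client):
        self.client = client

    @staticmethod
    def _key(session_id, kind):
        return f"session:{session_id}:{kind}"  # assumed key scheme

    def open_session(self, selfie_bytes, id_bytes=None):
        """Store the images with the TTL ceiling; returns a random session ID."""
        session_id = str(uuid.uuid4())
        self.client.set(self._key(session_id, "selfie"), selfie_bytes, ex=MAX_TTL_SECONDS)
        if id_bytes is not None:
            self.client.set(self._key(session_id, "id"), id_bytes, ex=MAX_TTL_SECONDS)
        return session_id

    def complete_session(self, session_id):
        """Delete immediately on completion; returns the number of keys removed."""
        return self.client.delete(self._key(session_id, "selfie"), self._key(session_id, "id"))

    def images_present(self, session_id):
        """Number of image keys still held for the session (0 once purged)."""
        return self.client.exists(self._key(session_id, "selfie"), self._key(session_id, "id"))

    def remaining_ttl(self, session_id):
        """Seconds until the selfie expires; -2 once it is gone."""
        return self.client.ttl(self._key(session_id, "selfie"))


if __name__ == "__main__":
    store = SessionImageStore(InMemoryClient())
    sid = store.open_session(b"<constructed selfie bytes>", b"<constructed id bytes>")
    print(sid, store.images_present(sid), store.remaining_ttl(sid))
    store.complete_session(sid)
    print(store.images_present(sid))
```

Two properties are worth checking in a deployment of this kind: every write carries an expiry no greater than the documented ceiling (the `ttl` of a fresh key must never be -1, which would mean "no expiry"), and completion deletes rather than merely marking the session finished.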

8. Sub-Processors

XY Zinc uses the following sub-processors to perform specific technical functions required for the Age Verification service. Images are sent directly to these services as raw bytes within API requests and results are returned immediately.

  • AWS Rekognition. Purpose: liveness detection, face matching between selfie and ID. Data sent: video stream, selfie image, ID photo. Location: US-East (AWS region)
  • AWS Textract. Purpose: ID document text extraction (date of birth and expiration date only). Data sent: ID document image. Location: US-East (AWS region)
  • SightEngine. Purpose: age classification (minor probability), AI-generated image detection. Data sent: selfie image, ID document image. Location: EU

AWS Services (Rekognition, Textract)

We have enabled AWS AI Services opt-out policies for our account, which prevents AWS from using End User images to train or improve their machine learning models. Images are processed in-memory and are not stored in AWS infrastructure beyond what is necessary for the API call. We do not use cloud storage buckets (such as AWS S3) to transfer images. For more information, see the AWS Service Terms.

SightEngine

SightEngine processes images for age classification and AI-generated content detection. They are GDPR-compliant and state that no human moderators review images. Images are processed programmatically and are not shared with third parties. For more information, see the SightEngine Privacy Policy.

XY Zinc will notify the Business Customer of any intended changes to sub-processors, giving the Business Customer the opportunity to object to such changes. All sub-processors are selected based on their published data protection commitments, including GDPR-compliant terms of service and data processing addenda where available. XY Zinc configures all available privacy-enhancing options offered by each sub-processor (such as the AWS AI Services opt-out policy) to minimize data exposure.

9. International Data Transfers

XY Zinc's primary infrastructure is located in the United States. In the event of a failover, processing may occur on cloud infrastructure (AWS) also located in the United States, with equivalent security controls applied. Sub-processors may process data in the US (AWS) and the EU (SightEngine). For Business Customers subject to GDPR, the following safeguards apply:

  • Standard Contractual Clauses (SCCs) issued by the European Commission, where required
  • Supplementary technical measures including encryption in transit and the absence of persistent storage of biometric data
  • Sub-processor data protection assessments
  • The inherently transient nature of the processing (data exists for seconds to minutes, not hours or days)

Because biometric images are never stored persistently and exist only in memory during processing, the practical risk of unauthorized access to personal data during international transfer is substantially mitigated.

10. Data Subject Rights

XY Zinc will assist the Business Customer in responding to data subject rights requests to the extent technically feasible. However, due to the privacy-by-design architecture of the service:

  • Biometric data (images, date of birth) cannot be provided or deleted on request because it is never stored
  • Session records contain pseudonymized identifiers (random UUIDs) that are not directly linked to an identifiable person by name, but do contain IP addresses which are retained for fraud prevention purposes
  • Verification tokens stored as cookies on the Business Customer's domain are under the Business Customer's control

Data subject rights requests should be directed to the Business Customer as Controller. Where a request requires action by XY Zinc, the Business Customer should contact us at [email protected] and we will provide reasonable assistance.

11. Personal Data Breaches

In the event of a personal data breach affecting data processed on behalf of the Business Customer, XY Zinc will:

  • Notify the Business Customer without undue delay, and within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
  • Cooperate with the Business Customer and any supervisory authority investigation
  • Document all breaches, including those not requiring notification, as part of our internal records

Reduced Risk Profile

Because biometric images and personal identification information are never stored persistently, a breach of XY Zinc systems would not expose End User photographs, ID documents, names, addresses, or dates of birth. The maximum exposure from stored data is limited to pseudonymized session records (random UUIDs, verification outcomes, region codes, IP addresses, and timestamps).

12. Audit and Compliance

XY Zinc will make available to the Business Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA. Specifically:

  • The Business Customer may request an audit of XY Zinc's data processing practices with 30 days' written notice, no more than once per calendar year
  • XY Zinc will provide reasonable assistance for data protection impact assessments (DPIAs) where the Business Customer's use of the service requires one
  • XY Zinc will cooperate with supervisory authorities where required by law

13. Termination and Data Deletion

Upon termination of the service agreement:

  • XY Zinc will delete all Business Customer data (account credentials, API keys, regional configurations, and verification session records) within 30 days
  • Biometric data requires no deletion action as it is never stored persistently
  • Written confirmation of deletion will be provided upon request
  • Data may be retained beyond 30 days only where required by applicable law, in which case the Business Customer will be informed of the legal basis and expected duration

14. Governing Law

This DPA shall be governed by the laws of the State of Maine, United States, without regard to conflict of law principles. For Business Customers subject to GDPR, the relevant provisions of EU or UK data protection law shall apply to the extent they govern the processing of personal data under this agreement. In the event of a conflict between this DPA and the service agreement, this DPA shall prevail with respect to data protection matters.

15. General Provisions

  • This DPA forms an integral part of the service agreement between XY Zinc and the Business Customer
  • This DPA is accepted by reference as part of the contractual framework when the Business Customer registers for or uses the XY Zinc service
  • XY Zinc may update this DPA from time to time. Material changes will be communicated to active Business Customers via the email address on file. Continued use of the service after notification constitutes acceptance of the updated DPA
  • This DPA may be amended by mutual written agreement of the parties

16. Contact

For questions about this DPA or our data processing practices:

XY Zinc
Owned and operated by Chaos Unlimited LLC

Email: [email protected]
Web: www.xyzinc.com/contact