Legal · Last updated 2026-05-31

Data Processing Addendum

This Data Processing Addendum (the "DPA") forms part of, and is incorporated by reference into, the agreement between Customer and (a) SkyMakers Digital Limited (for the hosted Authgear Services governed by the Terms of Services) or (b) Oursky Limited (for the Authgear Enterprise Edition governed by the Terms of Enterprise License). The contracting Authgear entity is referred to as the "Processor"; Customer is referred to as the "Controller". Where a term used in the underlying agreement conflicts with this DPA in respect of personal data processing, this DPA controls.

Where a Controller requires a signed copy of this DPA for compliance purposes, please contact hello@authgear.com.

1. Definitions

1.1 Defined terms. For purposes of this DPA, the following terms have the meanings set out below; terms not defined here have the meaning given in the underlying agreement or in Applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means all laws, regulations, and binding regulatory guidance applicable to the Processing of Personal Data under this DPA, including without limitation: (a) Regulation (EU) 2016/679 (the "EU GDPR"); (b) the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 (the "UK GDPR"); (c) the Swiss Federal Act on Data Protection (the "FADP"); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA"); (e) other applicable U.S. state privacy laws (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and successor laws); and (f) any other applicable data protection or privacy law in any jurisdiction where Personal Data is Processed under this DPA, including without limitation the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO"), the Singapore Personal Data Protection Act, the Japan Act on the Protection of Personal Information ("APPI"), the Brazil Lei Geral de Proteção de Dados ("LGPD"), the Canada Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Australia Privacy Act, and the India Digital Personal Data Protection Act ("DPDPA").
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data; references to "Controller" include "Business" under the CCPA where applicable.
  • "Processor" means the contracting Authgear entity identified in the introduction above (either SkyMakers Digital Limited or Oursky Limited), which Processes Personal Data on behalf of the Controller; references to "Processor" include "Service Provider" under the CCPA where applicable.
  • "Personal Data", "Processing", and "Data Subject" have the meanings given in the EU GDPR, with equivalent meanings under the UK GDPR, FADP, CCPA, and other Applicable Data Protection Laws as the context requires; "Personal Data" includes "Personal Information" under the CCPA where applicable.
  • "Personal Data Breach" has the meaning given in the EU GDPR (and equivalent meanings under the UK GDPR and other Applicable Data Protection Laws).
  • "Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
  • "End User Personal Data" means Personal Data of Customer's End Users that the Processor Processes on behalf of the Controller in performing the Services.
  • "Services" means the Authgear Services (in the case of SkyMakers Digital Limited) or the Licensed Materials and any Oursky-operated components (in the case of Oursky Limited).
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the EU GDPR, adopted by the European Commission (Implementing Decision (EU) 2021/914), and any successor instrument.
  • "UK IDTA" means the UK International Data Transfer Agreement and the UK International Data Transfer Addendum to the SCCs, in each case issued by the UK Information Commissioner.
  • "Sub-processor" means any third party engaged by the Processor that Processes End User Personal Data in connection with the Services.
  • "Annex" means the annexes attached to this DPA.

2. Scope and Roles

2.1 Scope and roles. This DPA applies to the extent the Processor Processes End User Personal Data on behalf of the Controller. The parties agree that, for purposes of Applicable Data Protection Laws and with respect to End User Personal Data, Customer is the Controller (or, where applicable, a processor acting on behalf of a downstream controller), and the Processor is a Processor. Nothing in this DPA shall be construed as establishing a joint controllership relationship between the parties for the purposes of EU GDPR or UK GDPR Article 26.

2.2 Details of Processing. The subject matter, nature, purpose, duration, types of End User Personal Data, and categories of Data Subjects covered by this DPA are set out in Annex A.

3. Processing Instructions

3.1 Documented instructions. The Processor will Process End User Personal Data only on documented instructions from the Controller, including with regard to international transfers of Personal Data, unless required to do so by law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The underlying agreement, this DPA, the Controller's configuration of the Services, and the Controller's documented requests constitute the Controller's instructions.

3.2 Notice of unlawful instructions. The Processor will inform the Controller without undue delay if, in the Processor's opinion, an instruction infringes Applicable Data Protection Laws.

4. Confidentiality of Personnel

4.1 Confidentiality undertaking. The Processor will ensure that personnel authorized to Process End User Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to End User Personal Data is limited to personnel who need such access to perform the Processor's obligations.

5. Security Measures

5.1 Technical and organisational measures. The Processor will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the Processing, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects. A summary of the Processor's current security measures is set out in Annex C, with the full description available at the Authgear Security page, incorporated by reference. The Processor is ISO/IEC 27001 certified and SOC 2 Type II attested.

5.2 Review and updates. The Processor will regularly test, assess, and evaluate the effectiveness of its security measures and may update them, provided that any update does not materially diminish the overall level of security.

6. Sub-Processors

6.1 General authorisation. The Controller grants general authorisation for the Processor to engage Sub-processors to Process End User Personal Data in connection with the Services, subject to this Section 6.

6.2 Current Sub-processors. The current list of Authgear-operated Sub-processors is maintained at the Authgear Sub-Processors page, which is the canonical record. Categories of Sub-processor activity currently used include cloud hosting and infrastructure, transactional email delivery, payment processing, application error monitoring, and product/web analytics.

6.3 New Sub-processors. The Processor will notify the Controller of any intended changes to the Sub-processor list (additions or replacements) by updating the Authgear Sub-Processors page at least thirty (30) days before the change takes effect, unless an earlier engagement is required for security or business-continuity reasons. Publication of the updated page constitutes sufficient notice. The Controller may subscribe to receive email notifications of Sub-processor changes by writing to hello@authgear.com with the subject line "Subscribe to sub-processor updates".

6.4 Right to object. The Controller may object to a proposed new or replacement Sub-processor on reasonable data-protection grounds within the notice period set out in Section 6.3 by notifying the Processor in writing. If the parties cannot resolve the objection in good faith within a further fourteen (14) days, the Controller may, as its sole remedy, terminate the affected portion of the Services on written notice. No refund of any prepaid Fees is available on the basis of such an objection.

6.5 Flow-down obligations. The Processor will impose on each Sub-processor data-protection obligations substantially equivalent to those set out in this DPA, by way of a written contract, and will remain liable to the Controller for the acts and omissions of its Sub-processors with respect to End User Personal Data.

6.6 Customer-configured integrations. The Services may be configured by the Controller to interact with third-party providers (such as SMTP servers; SMS gateways including Twilio, Nexmo/Vonage, and custom HTTP gateways; the WhatsApp Cloud API; bot-protection providers such as Google reCAPTCHA and Cloudflare Turnstile; Customer-controlled cloud-storage buckets; and Customer-configured identity-provider connectors) using credentials and accounts that the Controller owns and controls. The Processor is not a Sub-processor with respect to such Customer-configured integrations; the Controller is responsible for selecting these providers, controlling the resulting data flows, and entering into appropriate data-protection arrangements directly with them. The current categorical list is published on the Sub-Processors page.

7. International Transfers

7.1 EU GDPR transfers. Where End User Personal Data subject to the EU GDPR is transferred from the European Economic Area to a country not benefiting from an adequacy decision of the European Commission, the parties incorporate by reference the SCCs, with Module Two (Controller to Processor) applying where the Controller is itself a controller and Module Three (Processor to Processor) applying where the Controller is acting as a processor on behalf of a downstream controller. For the purposes of the SCCs: (a) the docking clause applies; (b) Clause 7 (optional) does not apply; (c) Clause 9, Option 2 (general written authorisation) applies, with the time period set out in Section 6.3 of this DPA; (d) Clause 11 (optional language) does not apply; (e) Clause 17, Option 1 applies, with the SCCs governed by the law of Ireland; (f) Clause 18(b) designates the courts of Ireland; and (g) Annexes I, II, and III of the SCCs are completed by reference to Annexes A, C, and B of this DPA respectively.

7.2 UK GDPR transfers. Where End User Personal Data subject to the UK GDPR is transferred outside the United Kingdom to a country not benefiting from a UK adequacy regulation, the parties incorporate by reference the UK IDTA (or the UK International Data Transfer Addendum to the SCCs, at the parties' election), completed by reference to the Annexes of this DPA.

7.3 Swiss FADP transfers. Where End User Personal Data subject to the FADP is transferred, the SCCs apply with the contextual amendments necessary to reflect the FADP: references to the EU GDPR shall be read as references to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and references to "EU Member State" shall include Switzerland.

7.4 Conflict. In the event of any conflict between this DPA and the SCCs or UK IDTA in respect of an international transfer, the SCCs or UK IDTA (as applicable) shall prevail to the extent of the conflict.

8. Data Subject Rights

8.1 Processor assistance. Taking into account the nature of the Processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, to fulfill the Controller's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). The Controller acknowledges that the self-service tools available through the Authgear Developer Portal and API (including data export, deletion, and activity logs) constitute the Processor's primary mechanism for fulfilling this assistance obligation. Any assistance beyond what is reasonably available through such standard product features will be provided at the Controller's reasonable cost, charged at the Processor's then-current professional-services rates. The Processor's obligation to provide such additional assistance is limited to eight (8) hours per calendar year per Controller account without charge; time beyond that threshold will be invoiced at the Processor's standard rates.

8.2 Forwarding requests. If the Processor receives a request from a Data Subject relating to End User Personal Data, the Processor will, unless legally prohibited, promptly forward the request to the Controller and will not respond to the Data Subject directly (other than to acknowledge receipt and redirect to the Controller), unless the Controller has instructed the Processor to do so or has provided a documented self-service mechanism.

9. Personal Data Breach Notification

9.1 Notification timing and content. The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting End User Personal Data Processed under this DPA. Where complete information is not available at the time of initial notification, the Processor will provide the available information promptly and supplement the notification as further information becomes available. The notification will, to the extent then known, describe:

  • the nature of the Personal Data Breach;
  • the categories and approximate number of Data Subjects and Personal Data records concerned;
  • the likely consequences of the Personal Data Breach; and
  • measures taken or proposed to address the breach and mitigate adverse effects.

Notifications shall be sent to the contact email address registered on the Controller's Authgear account.

9.2 Cooperation with downstream notifications. The Processor will provide the Controller with reasonable cooperation and assistance in connection with the Controller's obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Laws.

10. Data Protection Impact Assessments and Prior Consultation

10.1 DPIA assistance. Taking into account the nature of the Processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller with any data protection impact assessments and any prior consultations with supervisory authorities required of the Controller under Applicable Data Protection Laws. Such assistance is limited to providing information about the Processor's Processing activities and security measures that is not already publicly available or covered by the Processor's ISO/IEC 27001 certificate and SOC 2 Type II report. Assistance beyond this scope will be provided at the Controller's reasonable cost at the Processor's then-current professional-services rates.

11. Audits

11.1 Attestations as default. The Processor will make available to the Controller, on the Controller's written request and subject to a customary non-disclosure agreement, information necessary to demonstrate compliance with this DPA, no more than once per twelve (12) month period. The Processor's primary and default mechanism for satisfying this obligation is to provide its then-current ISO/IEC 27001 certificate and SOC 2 Type II report (and any successor or equivalent third-party security attestations). The Controller agrees that delivery of those documents satisfies the audit obligation under this DPA, except as set out in Section 11.2.

11.2 On-site audits. On-site audits or inspections are permitted only where: (a) the Controller's competent supervisory authority specifically requires an on-site inspection and provides a written demand to that effect, or (b) a Security Incident has occurred that materially affected the Controller's End User Personal Data and remains unresolved. Any on-site audit is subject to the following conditions: (i) the Controller will give at least thirty (30) days' prior written notice; (ii) the audit will be conducted during normal business hours in a manner that minimises disruption to the Processor; (iii) the auditor must not be a competitor of the Processor and must execute the Processor's standard non-disclosure agreement before accessing any information; (iv) the Controller bears its own costs and expenses, and reimburses the Processor's reasonable internal cooperation costs (personnel time at standard rates, not to exceed the Processor's reasonable estimate provided in advance); and (v) audit findings constitute the Processor's Confidential Information and may not be disclosed to third parties without the Processor's prior written consent, except as required by law or the Controller's regulator.

12. Return and Deletion of Personal Data

12.1 Return or deletion. Upon termination or expiry of the underlying agreement, or upon the Controller's written request, the Processor will, at the Controller's election, delete or return all End User Personal Data Processed on the Controller's behalf, and delete existing copies, unless applicable law requires retention. The Processor will confirm completion of deletion in writing within sixty (60) days of the request or termination.

12.2 Carve-outs. The following carve-outs apply: (a) backup copies of End User Personal Data will be deleted in the ordinary course of the Processor's standard backup rotation, which will not exceed ninety (90) days, during which period such backup copies will remain encrypted and will not be actively processed; (b) the Processor may retain data that it is required to retain under applicable law; (c) the Processor may retain anonymised or aggregated data that no longer constitutes Personal Data; and (d) the Processor may retain billing and account records necessary for tax and audit compliance.

13. Controller Indemnity

13.1 Indemnity for unlawful processing. The Controller will indemnify and hold the Processor harmless from and against any third-party claim brought against the Processor arising directly from: (a) the Controller's failure to have a valid lawful basis for Processing or transferring End User Personal Data to the Processor; (b) the Controller's failure to provide required notices to, or obtain required consents from, Data Subjects as required by Applicable Data Protection Laws; (c) End User Personal Data submitted to the Processor in breach of Applicable Data Protection Laws; or (d) any Controller instruction that infringes Applicable Data Protection Laws. The Controller represents and warrants that it has a valid lawful basis for Processing and transferring End User Personal Data to the Processor, that the End User Personal Data has been collected and is provided to the Processor in compliance with Applicable Data Protection Laws, that it has provided all necessary notices and obtained all necessary consents from Data Subjects to the extent required by applicable law, and that it shall promptly inform the Processor of any instruction that, in the Controller's reasonable opinion, infringes Applicable Data Protection Laws. The Controller's obligations under this Section 13 are conditioned on the Processor providing prompt written notice of the claim, granting the Controller sole control of the defence and settlement (provided that any settlement imposing liability or admission of fault on the Processor requires the Processor's prior written consent, not to be unreasonably withheld), and providing reasonable cooperation at the Controller's expense.

14. Liability

14.1 Cap under the underlying agreement. Each party's liability arising out of or in connection with this DPA, whether in contract, tort (including negligence), or under any other theory of liability, is subject to and counts toward the limitations and exclusions of liability set out in the underlying agreement. No separate, additional, or uncapped liability is created by this DPA.

14.2 Apportionment. Where both parties are responsible for damage caused by Processing in breach of Applicable Data Protection Laws, each party will be liable for the damage attributable to it.

15. Governing Law and Precedence

15.1 Governing law. This DPA is governed by, and construed in accordance with, the governing-law provisions of the underlying agreement, except that the SCCs (and the UK IDTA, where applicable) are governed by the laws specified in those instruments themselves.

15.2 Precedence. In the event of any conflict between this DPA and the underlying agreement (whether the Terms of Services or the Terms of Enterprise License), this DPA prevails to the extent of the conflict, with respect to the Processing of End User Personal Data only.

15.3 Survival. Sections 9 (Personal Data Breach Notification), 12 (Return and Deletion of Personal Data), 13 (Controller Indemnity), 14 (Liability), 15 (Governing Law and Precedence), and 16 (Regional Provisions) shall continue to be effective after termination of this DPA to the extent reasonably necessary to give effect to their terms.

16. Regional Provisions

16.1 European Economic Area, United Kingdom, and Switzerland. The Processor's obligations under the EU GDPR, UK GDPR, and FADP are addressed throughout Sections 3 to 11 of this DPA. International transfers of End User Personal Data subject to those laws are governed by Section 7.

16.2 United States — CCPA. To the extent the Processor Processes Personal Information (as defined under the CCPA) on behalf of the Controller, the Processor acts as a "Service Provider" (as defined under the CCPA). The Processor will not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than for the specific business purpose of performing the Services for the Controller, or for a permitted business purpose under the CCPA; (c) retain, use, or disclose Personal Information outside the direct business relationship between the parties; or (d) combine Personal Information received from or on behalf of the Controller with personal information received from or on behalf of any other person, except as expressly permitted by the CCPA. The Processor will reasonably cooperate with the Controller to enable the Controller to respond to verifiable consumer requests under the CCPA, including requests to know, delete, correct, or limit use of sensitive personal information. The assistance limitations in Section 8 of this DPA apply.

16.3 United States — other state privacy laws. For Personal Information governed by other U.S. state privacy laws (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and successor laws), the Processor acts as a "Processor" (or equivalent role) and will comply with substantially equivalent obligations to those set out in Section 16.2.

16.4 Hong Kong — PDPO. To the extent the Processor Processes Personal Data subject to the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") on behalf of the Controller, the Processor will Process such Personal Data in a manner consistent with the Data Protection Principles set out in Schedule 1 to the PDPO, including without limitation Data Protection Principle 4 (security of personal data) and Data Protection Principle 5 (information to be generally available), as applicable to its role as a data processor under the PDPO. The Processor will provide the Controller, as data user under the PDPO, with reasonable cooperation to enable the Controller to comply with its obligations under the PDPO in respect of such Personal Data.

16.5 Other jurisdictions — substantially equivalent obligations. For Personal Data governed by other Applicable Data Protection Laws not specifically addressed above (including without limitation the Singapore Personal Data Protection Act, the Japan Act on the Protection of Personal Information, the Brazil Lei Geral de Proteção de Dados, the Canada Personal Information Protection and Electronic Documents Act, the Australia Privacy Act, the India Digital Personal Data Protection Act, and any successor or equivalent law in any jurisdiction where End User Personal Data is Processed under this DPA), the Processor will comply with obligations substantially equivalent to those set out in Sections 3 to 11 and this Section 16, taking into account the role of the Processor as a processor (or equivalent role) under such laws.

Annex A: Details of Processing

  • Subject matter: Authentication, identity, and related services provided via the Authgear Services (and, where applicable, the Authgear Enterprise Edition Licensed Materials operated by Oursky Limited).
  • Nature of processing: Receipt, storage, and processing of authentication factors, identifiers, profile attributes, and related log and audit data to authenticate, manage, and secure End User accounts on behalf of the Controller.
  • Purpose of processing: To provide the Services as instructed by the Controller.
  • Duration: For the term of the Controller's subscription to the Services, and thereafter only as required for legal-retention purposes.
  • Type of End User Personal Data: Identifiers (such as user IDs, email addresses, phone numbers); authentication factors (such as hashed passwords, multi-factor authentication secrets, WebAuthn credentials, session tokens); profile attributes provided by the Controller or by End Users; log and audit metadata.
  • Categories of Data Subjects: End Users of the Controller's applications.

Annex B: Approved Sub-processors

The Processor maintains the current list of approved Sub-processors at the Authgear Sub-Processors page. Controllers may subscribe to notifications of Sub-processor changes by writing to hello@authgear.com with the subject line "Subscribe to sub-processor updates".

Annex C: Technical and Organisational Security Measures

The full description of the Processor's technical and organisational security measures is published at the Authgear Security page and is incorporated by reference. A summary of the principal areas of control is set out below:

  • Access Controls. Role-based access control with least-privilege principles; multi-factor authentication for personnel; access reviews; production access limited to authorised personnel.
  • Encryption. Data encrypted in transit using industry-standard protocols (TLS); data encrypted at rest using industry-standard encryption (AES-256) via cloud provider key-management services; passwords stored as one-way hashes; secrets managed via the cloud provider's secret-management service.
  • Infrastructure Security. Hosted on ISO/IEC 27001-certified Google Cloud Platform infrastructure; network segmentation; managed databases with controlled access; resource limits to prevent resource exhaustion.
  • Data Minimisation and Retention. Self-service data export and deletion tools available to Controllers through the Authgear Developer Portal and API; configurable retention; deletion procedures executed in accordance with Section 12; End User Personal Data is not used to train machine-learning models.
  • Audit Logging. Authentication and administrative events logged (failed login attempts, last login, password changes, token invalidation); centralised log aggregation; application error and exception monitoring; per-project audit logs available to Customer administrators.
  • Incident Management. Security incident response procedures in place; breach notification without undue delay upon a confirmed Security Incident in accordance with Section 9.
  • Compliance. ISO/IEC 27001 certified; SOC 2 Type II attested; annual third-party security audits. Certifications and audit reports available to Controllers under NDA.
  • Authorised Testing Only. The Controller shall not conduct, and shall not authorise any third party to conduct, penetration testing, vulnerability scanning, load testing, or other intrusive security or performance testing against the Services or the Processor's infrastructure without the Processor's prior written consent.
