Data Processing Terms and Data Processing Specifications

Last updated: May 2026

THESE DATA PROCESSING TERMS ARE BY AND BETWEEN IDMELON TECHNOLOGIES INC. AND ITS AFFILIATED ENTITIES (“IDmelon”) AND COMPANY, AS HEREIN DEFINED. THESE TERMS APPLY ONLY TO THE EXTENT PERSONAL DATA IS PROCESSED BY IDMELON, OR ITS SUB-PROCESSORS, AS NECESSARY TO PROVIDE THE SERVICE (defined below).

These Data Processing Terms shall continue in full force and effect until expiry or termination of the Service. Any terms not defined herein shall have the meaning set forth in the Service-specific Terms of Service.

1. Definitions

“Affiliate” or “Affiliates” means entities which are controlled by a party, which controls a party or which is under common control with a party, where “control” means the direct or indirect ownership of at least fifty percent (50%) of the shares or interests entitled to vote for the directors thereof or the equivalent, so long as such control exists.

“Biometric Data” means biometric identifiers and biometric information, including fingerprints, voiceprints, scans of face or hand geometry, iris or retina scans, and biometric templates or feature vectors derived therefrom, that are processed for the purpose of uniquely identifying a natural person. The processing of Biometric Data is governed by Exhibit 3 (Biometric Data Addendum), which applies only to the extent the Service involves biometric authentication.

“CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency. If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms set forth in Exhibit 1, attached hereto.

“Channel Partner” means an entity that IDmelon has authorized as a “reseller” of the Service.

“Company-Managed Environment” means a deployment model in which the Service is hosted and operated within infrastructure controlled by Company, including on-premises or privately hosted environments, rather than in an IDmelon-Hosted Environment.

“Controller” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, End Customer is the Controller of Personal Data. Where Company is a Managed Service Provider, Company acknowledges its role as Processor vis-à-vis the End Customer and is solely responsible for its own obligations under applicable Data Privacy Laws in such capacity.

“Company” means: (i) End Customer if IDmelon provisions the Service directly to the End Customer; or (ii) Channel Partner if Channel Partner provisions the Service to End Customer(s) as a Managed Service Provider.

“Data Privacy Laws” means laws, rules, regulations, governmental requirements, codes as well as international, federal, state, provincial laws applicable to the Personal Data and IDmelon’s provision of the Service, including, where applicable, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) and the Personal Information Protection Act, S.B.C. 2003, c. 63 (“PIPA”).

“Data Processing Specifications” means the Service-specific document attached hereto.

“End Customer” means the end customer that purchases the Service, either directly from IDmelon or indirectly from a Channel Partner, for internal use by such end customer, and not for further resale.

“GDPR” means the General Data Protection Regulation ((EU) 2016/679), Directive 2002/58/EC (as amended by Directive 2009/136/EC), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them.

“Hosting Provider” means a third-party hosting provider that manages the cloud infrastructure on which the Service is hosted. The Service may be hosted by a Hosting Provider not controlled by IDmelon. The Hosting Provider is identified in the applicable Data Processing Specifications.

“IDmelon-Hosted Environment” means a deployment model in which the Service is hosted and operated within cloud infrastructure managed by IDmelon or its Hosting Provider, rather than in a Company-Managed Environment.

“Managed Service Provider” is a Channel Partner that: (i) resells the Service to End Customers; and (ii) provisions the Service directly to End Customer from a platform managed by Channel Partner either as a stand-alone solution or in conjunction with Channel Partner’s own offerings.

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Unless otherwise specified herein, the Personal Data processed by IDmelon in its provision of the Service is limited to the Personal Data transmitted by Company or End Customer, or on its behalf, or by end users, directly into the infrastructure where the Service is hosted. The Personal Data types that may be used to perform the Service are those specifically set forth in the applicable Data Processing Specifications.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by IDmelon, or a sub-processor, in the performance of the Service.

“Privacy Notice” means the applicable Privacy Notice located at https://idmelon.com/privacy-policy

“Processor” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, IDmelon is a Processor of Personal Data; provided that, where Company is a Managed Service Provider, IDmelon acts as a sub-processor on behalf of Company.

“Rights of Individuals” means the legal rights of data subjects to access, rectify, delete, and port Personal Data.

“Service Agreement” means the agreement(s) governing the purchase of the Service directly from IDmelon.

“Service” means the IDmelon software-as-a-service offering(s), including any updates thereto, provided by IDmelon to Company or End Customer, as applicable, pursuant to a Service Agreement or Terms of Service.

“Standard Contractual Clauses” means: (i) the Standard Contractual Clauses (Controller to Processor), if Company is the End Customer; or (ii) the Standard Contractual Clauses (Processor to Processor), if Company is a Managed Service Provider, in each case as published on the IDmelon website at idmelon.com, or provided separately to the Company. For clarity, Standard Contractual Clauses only apply when Controllers in the EU transfer data to Processors (and sub-processors) established outside the EU or European Economic Area (EEA). The applicable Standard Contractual Clauses are incorporated herein by reference.

“Terms of Service” means the terms of service as published on the IDmelon website at idmelon.com, as may be amended from time to time by IDmelon, or the service-specific terms of service presented to the End Customer for acceptance either during a trial or evaluation of the Service and/or at the time of first access to the Service by End Customer’s service administrator.

2. Data Processing Specifications

The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (iii) the name and location of the party hosting the Personal Data; (iv) where the Service is hosted; (v) sub-processors involved in the processing of the Personal Data, if any; (vi) the purpose of the data processing; and (vii) the period of time the Personal Data is retained, as such apply to IDmelon’s SaaS deployment model. The Data Processing Specifications do not apply to a Company-Managed Environment. For a Company-Managed Environment, Company (or Managed Service Provider, as applicable) is solely responsible for determining and documenting the applicable data processing details (e.g. hosting location, retention, sub-processors, etc.).

3. Instructions

The parties agree that these Data Processing Terms, the Service Agreement, and the Terms of Service, if applicable, constitute the documented instructions regarding IDmelon’s processing of Personal Data. IDmelon and its sub-processors will process Personal Data only in accordance with such instructions.

4. Data Processing and Disclosure

IDmelon, and its sub-processors, will only access, use, review, share, disclose, distribute, or reference Personal Data as necessary to maintain and perform the Service. Notwithstanding, IDmelon may disclose Personal Data as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If compelled to disclose Personal Data to a governmental body, unless IDmelon is legally prohibited, IDmelon will give Company reasonable notice of the demand. Any change in the processing of Personal Data will be in accordance with applicable Data Privacy Laws.

5. Standard Contractual Clauses and On-Ward Transfer

5.1 Any transfer of Personal Data resulting from the Service will be subject to the applicable Standard Contractual Clauses. Cross-border transfers, if any, are described in the applicable Data Processing Specifications and/or the Annexes to the applicable Standard Contractual Clauses.

5.2 To the extent that transfer of Personal Data involves data subjects in the People’s Republic of China, the terms of Exhibit 2 will also apply.

5.3 To the extent that the parties are relying on a specific statutory mechanism or regulatory guidance to authorize cross-border transfers (as required by the Data Privacy Laws) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid as a result of a change in law, IDmelon shall be entitled to immediately suspend any processing of Personal Data to the extent such processing is in conflict with such change in law.

6. Sub-Processors

6.1 IDmelon has Company’s general authorization for the engagement of sub-processor(s) from an agreed list. IDmelon shall specifically inform Company in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving Company sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). IDmelon shall provide Company with the information necessary to enable Company to exercise its right to object. Sub-processors, if any, are identified in the applicable Data Processing Specifications.

6.2 IDmelon will restrict sub-processor access to Personal Data to only what is necessary to maintain or provide the Service. IDmelon will prohibit its sub-processors from accessing Personal Data for any other purpose. IDmelon will enter into a written agreement with each sub-processor generally consistent with these Data Processing Terms and applicable Data Privacy Laws.

7. Obligations

7.1 Each party will comply with Data Privacy Laws, rules and regulations applicable to it in the use and performance of the Service. IDmelon will keep appropriate records of processing activities.

7.2 IDmelon will cooperate with governmental and regulatory authorities in the event of an inquiry regarding the Service and compliance with applicable Data Privacy Laws. If IDmelon: (i) determines that IDmelon, or a sub-processor, is unable to comply with the obligations set forth in these Data Processing Terms; or (ii) becomes aware of any circumstance or change in the applicable Data Privacy Laws, that is likely to have a substantial adverse effect on its ability to meet the obligations set forth in these Data Processing Terms, IDmelon will promptly notify the Company and Company will have the right to temporarily suspend the processing of Personal Data until the non-compliance is remedied.

7.3 Company represents and warrants that the Personal Data it provides to IDmelon for processing can be processed lawfully (e.g., lawful collection, compliance with obligation to inform, and compliance with the applicable Data Privacy Law) and for the purpose of providing the Service. Company shall not, by any act or omission, put IDmelon or its sub-processors in breach of any Data Privacy Laws in connection with the processing of Personal Data. Company will ensure that Personal Data is accurate, adequate and complete.

8. Security of Data Processing

With respect to the Personal Data, IDmelon will maintain reasonable security measures and protect Personal Data in a manner legally required or otherwise reasonably appropriate to the nature of the Personal Data, including, as applicable, the measures referred to in Article 32(1) of the GDPR. IDmelon will take appropriate steps to ensure compliance with these Data Processing Terms. IDmelon shall ensure that those processing Personal Data are subject to a duty of confidence. IDmelon imposes appropriate contractual obligations upon its personnel and sub-processors, including relevant obligations regarding confidentiality, data protection and data security. Notwithstanding anything to the contrary in the Service Agreement, IDmelon’s obligations extend only to those systems, networks, network devices, facilities and components over which IDmelon exercises control.

9. Security Breach Notification

9.1 After becoming aware of a Personal Data Breach, IDmelon will (a) notify Company of the Personal Data Breach without undue delay (and, where PIPEDA applies, as soon as feasible), unless otherwise prohibited by law, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach. To assist Company in relation to any personal data breach notifications Company is required to make under applicable Data Privacy Laws, IDmelon will include in the notification such information about the Personal Data Breach as IDmelon is reasonably able to disclose to Company, taking into account the nature of the Service, the information available to IDmelon at the time of the notification, and any restrictions on disclosing the information, such as confidentiality.

9.2 Notification of a Personal Data Breach will be delivered to Company’s administrator(s) or, at IDmelon’s discretion, by direct Company communication (e.g., by email, phone call or an in-person meeting). Company acknowledges that it is solely responsible for ensuring that its contact information is current and valid. Company is solely responsible for fulfilling any third-party notification obligations.

9.3 Promptly following IDmelon’s notification to Company of a Personal Data Breach, Company and IDmelon shall coordinate with each other to investigate the Personal Data Breach. IDmelon will lead the investigation, and agrees to reasonably cooperate with Company in the handling of the Personal Data Breach, including, without limitation: (i) assisting with any investigation; (ii) providing Company with physical access to the facilities and operations affected which are under the control of IDmelon; (iii) facilitating interviews with relevant IDmelon employees, contractors, and sub-processors; and (iv) making available the relevant records, logs, files, data reporting and other materials related to Company and required to comply with applicable Data Privacy Laws, regulation, or as otherwise reasonably required by Company.

9.4 Notwithstanding anything to the contrary, an unsuccessful or suspected Personal Data Breach will not be subject to this Section. Unless otherwise contemplated in applicable Data Privacy Laws, an unsuccessful Personal Data Breach is one that results in no unauthorized access to nonredacted and unencrypted Personal Data. IDmelon will maintain records of breaches of security safeguards as required by applicable Data Privacy Laws. IDmelon’s obligation to report or respond to a Personal Data Breach under this Section will not be construed as an acknowledgement by IDmelon of any fault or liability with respect to the Personal Data Breach.

10. Audits

Once per calendar year or following a successful Personal Data Breach, Company may request to audit IDmelon’s security controls with respect to the Service and compliance with applicable Data Privacy Laws and these Data Processing Terms. Such request shall be sent by Company to IDmelon via the contact notification set forth in the Service Agreement or as otherwise designated by IDmelon. IDmelon and Company will discuss and agree in advance on: (i) the identity of a suitably qualified and independent third party auditor to carry out the audit; (ii) a reasonable start date for the audit (i.e., at a minimum thirty (30) calendar days from the date of receipt by IDmelon of the request to audit); (iii) scope and duration of the audit; and (iv) the security and confidentiality controls applicable to such audit. IDmelon is not responsible for any costs incurred by Company or any fees charged by the third-party auditor in connection with an audit. Any audit pursuant to this Section shall be subject to the rules and policies of any applicable Hosting Provider or sub-processor. Upon request, IDmelon is available to provide details on such limits, if any. Notwithstanding, this Section does not entitle Company to perform a physical audit of any IDmelon facilities or the facilities of any subcontractor, Hosting Provider and/or sub-processor.

11. Assistance

IDmelon will deal promptly and appropriately with inquiries by Company related to the processing of Personal Data. IDmelon will use commercially reasonable efforts to cooperate with Company where necessary for the performance of Company’s privacy impact assessments. IDmelon will promptly comply with reasonable requests or instructions by Company requiring IDmelon to provide, amend, transfer, or delete Personal Data or to otherwise assist with requests pursuant to the Rights of Individuals under applicable Data Privacy Laws. Should an individual data subject contact IDmelon, IDmelon will use commercially reasonable efforts to forward such request to Company. IDmelon does not respond to individual data subjects directly except where IDmelon or a sub-processor is required by law to respond. IDmelon will cooperate with Company to address and resolve any such complaints, requests or inquiries. Company shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by IDmelon.

12. Personal Data Retention and Destruction

In accordance with applicable Data Privacy Laws, as a general principle IDmelon does not keep Personal Data longer than necessary for the provision of the Service. Unless otherwise agreed in writing by the parties, after the data retention period set forth in the applicable Data Processing Specifications, Personal Data is deleted irretrievably.

13. Support Services

13.1 IDmelon may process basic contact information from select Company representatives when providing support services. The processing of such data for the purpose of providing support is subject to the Privacy Notice.

13.2 With respect to software-as-a-service offerings, IDmelon may access Company’s environment for the purpose of providing support in accordance with the applicable Terms of Service. The processing of data within Company’s environment for the purpose of providing support is subject to these Data Processing Terms.

14. Limitation of Liability

14.1 IDMELON IS ONLY LIABLE FOR A PERSONAL DATA BREACH IF SUCH PERSONAL DATA BREACH WAS CAUSED, IN WHOLE OR IN PART, BY IDMELON’S FAILURE TO ADHERE TO: (I) DATA PRIVACY LAWS APPLICABLE TO IDMELON’S PROVISION OF THE SERVICE; AND/OR (II) THE TERMS OF THESE DATA PROCESSING TERMS.

14.2 EXCEPT FOR GROSS NEGLIGENCE OR WILLFUL MISCONDUCT AND CLAIMS FOR WHICH LIABILITY MAY NOT BE EXCLUDED BY LAW, IDMELON’S AGGREGATE LIABILITY IN CONNECTION WITH ANY CLAIMS ARISING OUT OF OR RELATING TO THESE DATA PROCESSING TERMS (INCLUDING ANY EXHIBITS HERETO) SHALL NOT EXCEED AMOUNTS PAID TO IDMELON FOR THE SERVICE GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS PRIOR TO THE DATE THE CLAIM FIRST AROSE. THIS LIMIT, WHICH INCLUDES COSTS AND FEES ARISING OUT OF ANY SUCH CLAIM, SHALL APPLY TO ANY AND ALL CLAIMS REGARDLESS OF THE LEGAL THEORY ON WHICH THEY ARE BASED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL IDMELON OR ITS AFFILIATES BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND OR TYPE, INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUE, LOSS OF DATA, LOSS OF BUSINESS, LOSS OF OPPORTUNITIES, LOSS OF USE OF THE PRODUCT(S) OR SERVICE(S) OR ANY ASSOCIATED PRODUCT(S) OR SERVICE(S), OR COST OF COVER OR COST OF SUBSTITUTE SERVICE WHICH ARISE OUT OF PERFORMANCE, NON-PERFORMANCE OR FAILURE TO PERFORM ANY OBLIGATION CONTAINED WITHIN THESE DATA PROCESSING TERMS, REGARDLESS OF THE LEGAL THEORY ON WHICH THEY ARE BASED, EVEN IF IDMELON HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

15. Changes

IDmelon may update these Data Processing Terms and the Data Processing Specifications over time based on changes and improvements to the Service and to better align the rights and obligations of the parties with applicable Data Privacy Laws. IDmelon will provide Company with notice of any material change to these Data Processing Terms or the Data Processing Specifications prior to the implementation of such change. Subject to Section 6, notice will be: (i) delivered through the Service (if applicable); (ii) posted at the applicable website; or (iii) provided to Company’s administrator(s), as applicable. By continuing to use the Service after such notice, Company agrees to the changes and agrees to be bound by same. If changes are required in the processing of Personal Data in order to comply with applicable Data Privacy Law, Company and IDmelon shall collaborate to evaluate the changes to be made.

16. Governing Law

If there is a Service Agreement in place between IDmelon and Company, governing law and jurisdiction shall be as set forth in the Service Agreement. If there is no Service Agreement in place between IDmelon and End Customer, these Data Processing Terms shall be construed and interpreted in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflict of law principles. Any action, suit or proceeding relating to these Data Processing Terms shall be brought exclusively in the courts of competent jurisdiction located in Vancouver, British Columbia, Canada, and each party irrevocably submits to the exclusive jurisdiction and venue of such courts. The parties hereby irrevocably waive any and all rights to trial by jury in any legal proceedings arising out of or related to these Data Processing Terms or the transactions contemplated hereby. The provisions of the United Nations Convention on Contracts for the International Sale of Goods will not apply to these Data Processing Terms or any order issued hereunder. In the event of a conflict between this Section and any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall govern. If any provision of these Data Processing Terms is held by a court of competent jurisdiction to be contrary to law or public policy the remaining provisions shall remain in full force and effect.

Exhibit 1

CCPA Addendum

If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms of this CCPA Addendum in addition to the Data Processing Terms.

Applicability and Treatment of Personal Information.

To the extent IDmelon: (i) receives from Company personal information (as defined in the CCPA) of a consumer (as defined in the CCPA) (hereinafter referred to as “Personal Information”); and (ii) processes (as defined in the CCPA) such Personal Information on behalf of Company to provide the Service, the following additional terms and conditions shall apply. Unless otherwise specified in this Addendum, Personal Information will be treated as Personal Data under the Data Processing Terms. For clarity, with respect to the Service, IDmelon is a “service provider” as defined in the CCPA.

CCPA Compliance

IDmelon will comply with applicable requirements of the CCPA when using, retaining, or disclosing Personal Information. For the avoidance of doubt, CCPA Compliance shall be interpreted to include compliance with amendments made to the CCPA, including the CPRA.

Retention, Use & Disclosure

IDmelon will limit use, retention, and disclosure to activities reasonably necessary and proportionate for the business purpose set forth in the Service Agreement and the Terms of Service. IDmelon shall not retain, use or disclose Personal Information for a commercial purpose other than providing the Service. IDmelon shall not use, retain, disclose, or otherwise make Personal Information available outside the direct business relationship between IDmelon and Company, for IDmelon’s own commercial purpose(s) or in a way that does not comply with the CCPA. Notwithstanding, IDmelon may use de-identified data for its own business purpose(s) solely as necessary to perform the Service or otherwise in compliance with the Terms of Service and the Data Processing Terms. Except to the extent permitted under applicable regulations, IDmelon shall not combine Personal Information received from Company with any Personal Information received from other sources.

Assistance

IDmelon will use commercially reasonable efforts to timely assist Company in complying with a verifiable consumer request.

Subcontractors

If IDmelon authorizes any subcontractor or third party to process Personal Information, IDmelon acknowledges that such subcontractor or third party is also a “service provider” as defined in the CCPA. If IDmelon authorizes any subcontractor, IDmelon shall notify Company of the engagement, which shall be pursuant to a written contract in which the subcontractor agrees to comply with all privacy and security obligations applicable to IDmelon.

No Sale or Sharing of Personal Information

IDmelon will not sell or share any Personal Information. For clarity, if Company purchases the Service through a Channel Partner or expresses interest in purchasing IDmelon offerings through a Channel Partner, IDmelon may disclose certain Personal Information constituting business contact information to the Channel Partner. Company agrees that it has intentionally triggered such disclosure and same does not constitute the selling or sharing of Personal Information as contemplated under the CCPA.

Security Safeguards

IDmelon shall implement reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure.

Exhibit 2

China Addendum

If IDmelon requires the processing of Personal Data of data subjects in Mainland China in the provisioning of the Service, the parties agree to be bound by the terms of this China Addendum in addition to the Data Processing Terms. To the extent that the terms of this China Addendum conflict with those of the Data Processing Terms, the terms of this China Addendum will control.

1. Definitions

“China Data Privacy Rules” mean all Data Privacy Laws, regulatory policy, national standard, industry standard of Mainland China applicable to the Personal Data and IDmelon’s provision of the Service.

“China SCCs” mean the standard contractual clauses as promulgated by the Cyberspace Administration of China (CAC), available at: https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm.

“CII Regulations” mean the Regulations on the Security and Protection of Critical Information Infrastructure as promulgated by the State Council (available at: https://www.gov.cn/zhengce/content/2021-08/17/content_5631671.htm).

“CIIO” means an entity designated by the appropriate regulatory authorities to be operating within the Critical Information Infrastructure as such term is defined under the CII Regulations.

“Entrusted Handler” means an organization that is entrusted by the Personal Information Handler to process Personal Information strictly in accordance with the Personal Information Handler’s instructions regarding the purposes and means of Personal Data processing.

“Mainland China” means, for the purposes of these Data Processing Terms, the People’s Republic of China excluding Hong Kong S.A.R., Macao S.A.R. and Taiwan.

“Offshore Recipient” means an organization located outside of Mainland China that receives Personal Information from the Personal Information Handler. This will have the same meaning as “境外接收方” as defined in China Data Privacy Rules.

“Personal Information Handler” means any organization or data subject that independently determines the purposes and means of Personal Data processing activities and provides Personal Data to Offshore Recipient. This will have the same meaning as “个人信息处理者” as defined in China Data Privacy Rules.

2. Roles of the Parties

For the purposes of this China Addendum, Company is the Personal Information Handler, and IDmelon is the Entrusted Handler. Where Company is a Managed Service Provider, Company represents and warrants that it has obtained all necessary authorizations from the End Customer, as the ultimate Personal Information Handler, to entrust the processing of Personal Data to IDmelon as Entrusted Handler.

3. On-Ward Transfer and Transfer Mechanisms

3.1. To the extent that IDmelon requires the processing of Personal Data outside of Mainland China, IDmelon will be the Offshore Recipient. Company acknowledges and agrees that it will provide all applicable notices, including without limitation any privacy notices, and obtain and maintain separate consent of data subjects whose Personal Data is subject to such on-ward transfer. Such separate consent must explicitly contain acceptance by the data subject of the on-ward transfer of his or her Personal Data outside of Mainland China. Company represents and warrants that any such consent will be obtained freely, voluntarily, and explicitly on a fully informed basis from the data subject. If there are any changes to the processing of Personal Data that require new or updated consents, Company will fully cooperate with IDmelon to obtain the updated consents. Upon request by IDmelon, Company will provide records of such data subject’s consent to IDmelon.

3.2. The parties agree to elect the use of the China SCCs for the on-ward transfer of Personal Data; provided that, Company represents and warrants that it is not or has not been designated as a CIIO. In furtherance of the foregoing, Company will fully cooperate with IDmelon to properly execute and file the China SCCs with the appropriate authorities including without limitation the provincial branch of the CAC. In the event of a conflict between the terms of these Data Processing Terms and the terms of the China SCCs, the terms of the China SCCs will prevail only to the extent that it is expressly provided for therein.

3.3. In the event that Company is designated as a CIIO or at the sole discretion of IDmelon, IDmelon may select a different transfer mechanism for the on-ward transfer of Personal Data under this Section. The parties will work in good faith to terminate any existing transfer mechanism and implement a new transfer mechanism.

4. Compliance

Each party agrees to comply with the China Data Privacy Rules.

5. Governing Law

If there is a Service Agreement in place between IDmelon and Company, governing law and jurisdiction for all disputes shall be as set forth in the Service Agreement. If there is no Service Agreement in place between IDmelon and End Customer, these Data Processing Terms shall be governed by the laws of the People’s Republic of China. All disputes arising in connection with these Data Processing Terms, including any question regarding its existence or validity, shall be resolved in accordance with this Section. If a dispute is not resolved by negotiations, either party may, by giving written notice, refer the dispute to a meeting of appropriate higher management, to be held within ten (10) business days after the giving of notice. If the dispute is not resolved within twenty (20) business days after the giving of notice, or such later date as may be mutually agreed, the dispute shall be submitted to the China International Economic and Trade Arbitration Commission (“CIETAC”) for arbitration which shall be conducted in accordance with the CIETAC's arbitration rules in effect at the time of applying for arbitration. The arbitral award is final and binding upon both parties. The seat of arbitration shall be Beijing, China. The language to be used in the arbitration shall be English.

Exhibit 3

Biometric Data Addendum

If the Service involves the processing of Biometric Data: the parties agree to be bound by the terms of this Biometric Data Addendum in addition to the Data Processing Terms. To the extent that the terms of this Addendum conflict with those of the Data Processing Terms, the terms of this Addendum will control. The Service may be deployed in an IDmelon-Hosted Environment or a Company-Managed Environment. Where obligations under this Addendum differ by deployment model, such differences are stated expressly. The applicable deployment model is identified in the applicable Service Agreement, order form or service configuration documentation.

1. Definitions

Capitalized terms used in this Addendum have the meanings set forth in Section 1 of the Data Processing Terms.

2. Consent and Notice

Company is solely responsible for: (i) establishing the legal basis for processing Biometric Data under applicable Data Privacy Laws; (ii) providing clear written notice to data subjects prior to the collection of Biometric Data, including the specific purpose and duration of collection, use, and storage; (iii) obtaining all required consents or authorizations, including explicit consent under GDPR Article 9(2)(a) and written releases required under applicable biometric privacy laws (including, where applicable, the Illinois Biometric Information Privacy Act, 740 ILCS 14, and the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001); (iv) ensuring that consent is freely given by offering data subjects a reasonable alternative to biometric authentication and administering such alternative; (v) determining whether and how biometric authentication is deployed within its organization; and (vi) maintaining records of such consents and making them available to IDmelon upon request. Consent and written releases may be obtained electronically, and such electronic acceptance constitutes a valid written release for purposes of applicable biometric privacy laws. Company shall maintain auditable records of each data subject’s acceptance or decline, including the date and time of such response. IDmelon is responsible for: (a) providing in-product consent capture mechanisms where supported by the Service; (b) maintaining consent records captured through such in-product mechanisms on Company’s behalf; (c) implementing and maintaining the technical and security controls applicable to Biometric Data processed in an IDmelon-Hosted Environment as set forth in Section 4; and (d) making any consent records it maintains available to Company upon reasonable request. Company remains solely responsible for ensuring compliance with applicable consent and record-keeping obligations under Data Privacy Laws regardless of which party maintains such records. 
IDmelon will provide reasonable assistance and in-product mechanisms to support Company’s compliance with this Section, including the Biometric Consent Form attached as the Annex to this Addendum or a substantially similar form.

3. Retention and Destruction

Biometric Data will be permanently destroyed when the initial purpose for collection has been satisfied or upon termination of the data subject’s use of the Service, whichever occurs first. Raw biometric images are not retained after template creation. In an IDmelon-Hosted Environment, IDmelon will delete biometric templates within thirty (30) days following user termination, and retention periods for backups, logs, and any consent records maintained by IDmelon are as set forth in the applicable Data Processing Specifications. In a Customer-Managed Environment, Company is responsible for deletion of biometric templates in accordance with this Section and applicable Data Privacy Laws. The applicable Data Processing Specifications will include a retention schedule and guidelines for the permanent destruction of Biometric Data and will be made publicly available on the IDmelon website at idmelon.com, or provided separately to the Company.

4. Enhanced Security

In addition to the security measures set forth in Section 8 of the Data Processing Terms, with respect to Biometric Data processed in an IDmelon-Hosted Environment, IDmelon will: (i) encrypt Biometric Data at rest and in transit; (ii) store biometric templates or feature vectors rather than raw biometric images; (iii) implement access controls limiting access to Biometric Data to authorized personnel and systems with a demonstrated need; and (iv) maintain logical separation of Biometric Data from other categories of Personal Data. Where Biometric Data is processed in a Company-Managed Environment, Company is solely responsible for implementing security measures consistent with this Section and applicable Data Privacy Laws.

5. DPIA Cooperation

IDmelon will cooperate with and provide reasonable assistance to Company in conducting data protection impact assessments related to the processing of Biometric Data, as required under applicable Data Privacy Laws, including GDPR Article 35.

6. Restrictions

IDmelon will not sell, lease, trade, or otherwise profit from Biometric Data. IDmelon will not use Biometric Data for advertising, profiling, model training, or any purpose outside the documented Service purposes, except as required by applicable law. IDmelon will not disclose Biometric Data to any third party except: (i) as necessary to provide the Service through authorized sub-processors identified in the applicable Data Processing Specifications; (ii) with the prior consent of the data subject; or (iii) as required by applicable law or valid legal process.

7. Compliance

IDmelon represents that, where the Service is configured and used as described in IDmelon’s published documentation and the applicable Data Processing Specifications, the Service is designed to support compliance with applicable biometric privacy laws. Company is responsible for ensuring that its deployment and use of the Service complies with all applicable biometric privacy laws in the jurisdictions where its data subjects are located. Company shall not, by any act or omission, put IDmelon in breach of any applicable biometric privacy laws.

Annex to Exhibit 3

Biometric Data Addendum
Biometric Data Consent and Authorization

This Annex contains two deployment-specific consent form templates in each case to be amended as appropriate: Form A (for use where the Service is deployed in an IDmelon-Hosted Environment) and Form B (for use where the Service is deployed in a Company-Managed Environment).

The applicable form is determined by the deployment model identified in the Service Agreement, order form, or service configuration documentation.

The applicable form should be adapted by Company to reflect specific jurisdictions and organizational requirements. Where the Service is provisioned through a Managed Service Provider, references to “Company” in the applicable form should be read as references to the applicable End Customer, and the form should be adapted accordingly by the Managed Service Provider or End Customer.

Company-specific fields, including designated contact information, must be populated by Company (or End Customer, as applicable) before the form is presented to end users. Where the Service provides in-product consent capture, bracketed fields (including the applicable biometric identifier type) will be configured during onboarding based on the authentication methods enabled for Company’s deployment, and the form will not be presented to end users with unresolved placeholder text. The applicable form must be accepted by each user prior to enrollment in biometric authentication.

Form A (IDmelon-Hosted Environment)

What We Collect. The authentication service processes your biometric data, which may include [fingerprint / facial geometry / other applicable biometric identifier], to generate a biometric template (a mathematical representation of your biometric characteristics). Raw biometric images are not retained after the template is created.
Purpose. Your biometric data is collected and processed solely to verify your identity when you access Company’s systems and services. It will not be used for any other purpose.
Who Processes Your Data. Your biometric data is processed by IDmelon Technologies Inc. (“IDmelon”) on behalf of Company (or, where the Service is provisioned through a Managed Service Provider, on behalf of the applicable End Customer). Biometric templates are processed and stored by IDmelon in an IDmelon-Hosted Environment. IDmelon’s sub-processors are identified in the applicable Data Processing Specifications, available at idmelon.com.
Storage and Security. Your biometric template is stored in an IDmelon-Hosted Environment. Biometric templates are encrypted at rest and in transit and access is restricted to authorized systems necessary to perform authentication.
Your biometric data will be permanently deleted within thirty (30) days upon the earliest of: (a) satisfaction of the purpose for which it was collected; or (b) termination of your user account.
Disclosure. Your biometric data will not be sold, leased, or traded. Your biometric data will not be disclosed to third parties, except as necessary to provide the authentication service through authorized sub-processors, or as required by applicable law.
Your Rights. Depending on your jurisdiction, you may have the right to access, correct, delete, restrict the processing of, object to the processing of, or port your biometric data. To exercise any of these rights, contact [designated contact/role] at Company [at contact method/address].
Alternative. If you do not wish to provide your biometric data, you may request an alternative authentication method by contacting [designated contact/role] at Company [at contact method/address]. Company will provide a reasonable non-biometric authentication alternative.
Consent and Written Release. By selecting "I Accept" below, you:
(a) acknowledge that you have read and understand this notice;
(b) consent to the collection, storage, processing, and use of your biometric data as described above;
(c) provide your explicit consent to the processing of your biometric data for the purpose of uniquely identifying you, as required under applicable data protection laws; and
(d) provide your written release for the collection, capture, and storage of your biometric identifier and biometric information.

You may withdraw your consent at any time by contacting [designated contact/role] at Company [at contact method/address].

Upon withdrawal: (a) your biometric data will be permanently deleted in accordance with the retention schedule stated above under Storage and Security; (b) your access to biometric authentication will be disabled; and (c) you will be required to use an alternative authentication method as designated by Company. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal. A record of your acceptance or decline, including the date and time, will be retained by Company or its service provider for compliance and audit purposes.

[I Accept]          [I Decline]

Form B (Company-Managed Environment)

What We Collect. The authentication service processes your biometric data, which may include [fingerprint / facial geometry / other applicable biometric identifier], to generate a biometric template (a mathematical representation of your biometric characteristics). Raw biometric images are not retained after the template is created.
Purpose. Your biometric data is collected and processed solely to verify your identity when you access Company's systems and services. It will not be used for any other purpose.
Who Processes Your Data. Your biometric data is processed using the IDmelon authentication service, which is deployed within infrastructure controlled by Company (or, where the Service is provisioned through a Managed Service Provider, by the applicable End Customer). Biometric templates are processed and stored within Company's infrastructure in a Company-Managed Environment. IDmelon Technologies Inc. ("IDmelon") provides the authentication software but does not store biometric templates in this deployment model.
Storage and Security. Your biometric template is stored within infrastructure controlled by Company. Company is responsible for implementing security measures appropriate to the nature of the biometric data, including encryption at rest and in transit, access controls, and logical separation from other categories of personal data.
Your biometric data will be permanently deleted upon the earliest of: (a) satisfaction of the purpose for which it was collected; or (b) termination of your user account. Company is responsible for timely deletion of biometric data in accordance with applicable data privacy laws.
Disclosure. Your biometric data will not be sold, leased, or traded. Your biometric data will not be disclosed to third parties, except as necessary to provide the authentication service or as required by applicable law.
Your Rights. Depending on your jurisdiction, you may have the right to access, correct, delete, restrict the processing of, object to the processing of, or port your biometric data. To exercise any of these rights, contact [designated contact/role] at Company [at contact method/address].

Alternative. If you do not wish to provide your biometric data, you may request an alternative authentication method by contacting [designated contact/role] at Company [at contact method/address]. Company will provide a reasonable non-biometric authentication alternative.

Consent and Written Release. By selecting "I Accept" below, you:
(a) acknowledge that you have read and understand this notice;
(b) consent to the collection, storage, processing, and use of your biometric data as described above;
(c) provide your explicit consent to the processing of your biometric data for the purpose of uniquely identifying you, as required under applicable data protection laws; and
(d) provide your written release for the collection, capture, and storage of your biometric identifier and biometric information.

You may withdraw your consent at any time by contacting [designated contact/role] at Company [at contact method/address].

Upon withdrawal: (a) your biometric data will be permanently deleted in accordance with Company’s applicable retention schedule and applicable data privacy laws; (b) your access to biometric authentication will be disabled; and (c) you will be required to use an alternative authentication method as designated by Company. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal. A record of your acceptance or decline, including the date and time, will be retained by Company or its service provider for compliance and audit purposes.

[I Accept]          [I Decline]

DATA PROCESSING SPECIFICATIONS

This is not a stand-alone document. These Data Processing Specifications supplement the relevant Data Processing Terms for IDMELON TECHNOLOGIES INC. and its affiliated entities (“IDmelon”) software-as-a-service offerings set forth below (each a “Service”):

The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (iii) the name and location of the party hosting the Personal Data; (iv) where the Service is hosted; (v) sub-processors involved in the processing of the Personal Data, if any; (vi) the purpose of the data processing; and (vii) the period of time the Personal Data is retained, as such apply to IDmelon’s SaaS deployment model. These Data Processing Specifications do not apply to a Company-Managed Environment. For a Company-Managed Environment, Company (or Managed Service Provider, as applicable) is solely responsible for determining and documenting the applicable data processing details (e.g. hosting location, retention, sub-processors, etc.), with reference to Section 2 of the Data Processing Terms.

Personal Data types processed are selected by End Customer. If End Customer defines a different Data Retention Period or otherwise requests that IDmelon retain Customer Materials beyond the Data Retention Period (“Requested Data Retention Period”), subject to the payment of additional fees associated with such retention as may be reasonably requested by IDmelon, IDmelon will retain the data for the Requested Data Retention Period.

Outside of the data types listed below, there may be additional optional fields that Channel Partner or End Customer may populate at its discretion. If Channel Partner or End Customer elect to populate those fields with Personal Data, any such information will be treated as confidential data and will be deleted within 30 days from last backup. This optional data entered by Channel Partner or End Customer is not required for the operation of the Service.

AUTHENTICATION SERVICE

Service: SaaS Authentication Service (Passkey Orchestration Platform)
Service Provider: IDmelon Technologies Inc.
Locations of Processing: United States and European Union (customer-designated region)
Frequency of Data Transfer: Continuous (runtime authentication, provisioning, logging)
Delivery Channels: Phone app, desktop agent, API, or web UI over HTTPS/TLS

| Categories of Data Subjects | Personal Data types | Sensitive Data | Purpose of Processing | Data Retention Period |
| --- | --- | --- | --- | --- |
| Administrator | First and last name; Email address; Telephone number; Employer information; Employer address; Device/platform data (if applicable) | See Biometric Data Processing below | Onboarding the End Customer Organization to the Service (tenant configuration/security key configuration profile). Applies to the first Privileged Admin user only. | Immediately on user termination; up to 30 days after service termination |
| End User | First and last name; User identifier | See Biometric Data Processing below | Authentication of the user / verification | Immediately on user termination; up to 30 days after service termination |

AUTHENTICATION SERVICE

The following applies only where biometric authentication is enabled for the applicable category of data subject. Biometric Data is processed in accordance with these Data Processing Terms and the additional requirements set forth in Exhibit 3 (Biometric Data Addendum). The applicable deployment model (IDmelon-Hosted Environment or Company-Managed Environment) is identified in the Service Agreement, order form, or service configuration documentation. Raw biometric images are not retained after template creation.

| Categories of Data Subjects | Biometric Data Type | Purpose of Processing | Retention and Destruction |
| --- | --- | --- | --- |
| Administrator (first Privileged Admin only, where admin enrolls biometric identifier) | Biometric template / feature vector (not raw image) | Identity verification during initial onboarding | IDmelon-hosted: deleted within 30 days upon earliest of: (a) purpose satisfied; or (b) user termination. Company-managed: Company responsible per Exhibit 3, Section 3. |
| End User (where biometric authentication enabled by Company) | Biometric template / feature vector (not raw image) | Authentication / identity verification | IDmelon-hosted: deleted within 30 days upon earliest of: (a) purpose satisfied; or (b) user termination. Company-managed: Company responsible per Exhibit 3, Section 3. |
| Backups containing Biometric Data | Biometric template / feature vector (backup copy) | Disaster recovery and service continuity | Deleted within 30 days following deletion of source biometric template |
| Authentication and service logs | Personal data identifiers (as applicable) | Security, troubleshooting, and audit | Deleted within 30 days from termination of the Service |
| Consent records | Record of acceptance or decline (including date and time) | Compliance and audit | Retained for duration of Service agreement or as required by Data Privacy Laws, whichever is longer |

Sub-processors for the SaaS Deployment:

IDmelon uses the following sub-processors to deliver and support the SaaS Authentication Service.

| Sub-processor | Categories of Data | Purpose | Location of Processing |
| --- | --- | --- | --- |
| Amazon Web Services (Hosting Provider) | Customer account data, authentication-related metadata, service logs, and other personal data processed by the service as applicable | Cloud infrastructure hosting for the IDmelon SaaS platform | United States and/or European Union, based on customer-selected deployment region |
| MongoDB Atlas | Personal data processed by the service, including account data, user identifiers, authentication-related records, and configuration data, as applicable | Managed database service for application data, deployed on AWS infrastructure | United States and/or European Union, based on customer-selected deployment region |
| SendGrid | Administrator contact details and end-user contact details, such as name and email address, where applicable | Delivery of transactional emails such as activation, onboarding, verification, and service notifications | United States and/or European Union, based on service configuration |
| Google Firebase Cloud Messaging | Device tokens, app instance identifiers, and notification-related metadata, as applicable | Delivery of mobile push notifications for authentication and service workflows on supported devices | United States and/or European Union, based on service configuration |
| Apple Push Notification Service (APNs) | Device tokens and notification-related metadata, as applicable | Delivery of mobile push notifications for authentication and service workflows on Apple devices | United States and/or European Union, based on service configuration |
| PayPal Payflow | Billing, customer, and transaction-related data required to process payments | Payment processing and billing-related services, where applicable | United States and/or European Union, based on service configuration |
| Sentry | Technical diagnostic data, service metadata, device/browser/OS information, IP address, user identifier, and error/event data, as applicable | Application monitoring, error tracking, diagnostics, and service troubleshooting | United States and/or European Union, based on service configuration |
| Google Cloud | Key-management metadata, encrypted or service-related data stored in cloud buckets, and limited operational metadata, as applicable | Provision of Cloud HSM for cryptographic operations and secure key management, and cloud storage buckets for designated service data and operational files, as applicable | United States and/or European Union, based on customer-selected deployment region |

Unless otherwise agreed in writing, backup data will be stored within the customer-designated deployment region.

IDmelon providing customer-initiated support

Entities: IDMELON TECHNOLOGIES INC.
Location of Processing: Canada
Frequency of data transfer: Continuous Basis

| Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period |
| --- | --- | --- | --- |
| Administrator | First and last name; Email address; Telephone number; Employer information; Employer address | To provide managed services and support | 30 days from termination of the Service |
| End User | First and last name; User identifier or other form of identification (ex: government issued ID) | To provide managed services and support | 30 days from termination of the Service |
| End User | Email address; Mobile telephone number | To provide managed services and support | 30 days from termination of the Service |