Data Processing Agreement

LAST MODIFIED: December 2025

1. INTRODUCTION

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Arettox ID ("Processor") and the Discord server administrator ("Controller") who uses the Arettox ID verification service.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

2. DEFINITIONS

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates (Discord users).
  • "Controller" means the Discord server administrator who determines the purposes and means of processing.
  • "Processor" means Arettox ID, which processes Personal Data on behalf of the Controller.

3. SCOPE AND PURPOSE OF PROCESSING

3.1. Purpose. The Processor processes Personal Data solely for the purpose of providing the verification service, which includes:

  • Verifying the humanity of Discord users via World ID
  • Assigning verification roles to confirmed human users
  • Preventing duplicate verifications (anti-alt protection)
  • Maintaining verification records for service functionality

4. TYPES OF PERSONAL DATA PROCESSED

Data CategoryData ElementsRetention Period
Discord IdentifiersUser ID, Server ID, UsernameUntil deletion request or 24 months of inactivity
Verification DataVerification status, timestamp, nullifier hashSame as above
Technical LogsIP addresses, timestamps, error logs12 months maximum

5. PROCESSOR OBLIGATIONS

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return all Personal Data upon termination of service
  • Make available all information necessary to demonstrate compliance

6. SUB-PROCESSORS

The Controller authorizes the Processor to engage the following sub-processors:

  • Vercel Inc. — Hosting and edge computing (USA, EU SCCs)
  • Neon Database — Database storage (EU region)
  • Cloudflare Inc. — CDN and security (Global, EU SCCs)
  • World ID (TFH) — Identity verification (EU SCCs)

7. DATA SUBJECT RIGHTS

The Processor shall assist the Controller in fulfilling Data Subject requests for:

  • Access to their Personal Data
  • Rectification of inaccurate data
  • Erasure of data ("right to be forgotten")
  • Restriction of processing
  • Data portability

8. SECURITY MEASURES

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Employee security training

9. DATA BREACH NOTIFICATION

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay (within 72 hours) after becoming aware of the breach.

10. CONTACT

For DPA-related inquiries, contact: dpa@arettox.dev

Arettox ID — Discord Bot for Human Verification with World ID