Data Processing Addendum
Last updated: June 20, 2026
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you (the "Controller" / "Data Fiduciary") and SightRadar (the "Processor" / "Data Processor"). It applies whenever we process personal data — including biometric face data — on your behalf. Where a signed agreement is required (for example, under GDPR Article 28), this DPA is the binding processing contract; enterprise customers may request a countersigned copy at legal@sightradar.com.
1. Roles and scope
- You are the Controller. You determine the purposes and means of processing the personal data you submit.
- We are the Processor. We process personal data only on your documented instructions (which include your use of the API and console), except where law requires otherwise.
- Subject-matter: face detection, indexing, search, and comparison. Duration: the term of your account. Purpose: providing the Service. Data types: the images you submit and the biometric face vectors and metadata derived from them. Data subjects: the individuals whose faces appear in your images.
2. Our obligations as processor
- Process personal data only on your documented instructions;
- Ensure that persons authorized to process the data are bound by confidentiality;
- Implement appropriate technical and organizational security measures (encryption in transit and at rest, tenant isolation, and least-privilege access to secrets);
- Not use your data to train general-purpose models, and not process it for any purpose other than providing the Service;
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations;
- Notify you without undue delay after becoming aware of a personal-data breach affecting your data;
- Delete or return your personal data at the end of the engagement, as described in Section 5;
- Make available information reasonably necessary to demonstrate compliance, and allow for audits, subject to reasonable confidentiality and security conditions.
3. Your obligations as controller
- Establish and maintain a valid lawful basis for the processing, including providing all required notices and obtaining all required consents (including written or explicit consent for biometric data where required) before submitting images;
- Issue only lawful instructions, and remain responsible for the accuracy and legality of the data you submit;
- Comply with your obligations under applicable data-protection and biometric-privacy law, and with our Acceptable Use Policy.
4. Sub-processors
You authorize us to engage sub-processors to provide the Service — including our cloud infrastructure, vector database, authentication, analytics, and our Merchant of Record, Dodo Payments, for payments. We impose data-protection obligations on each sub-processor no less protective than this DPA, and we remain responsible for their performance. We will give notice of material changes so you can object where you have that right. The categories of sub-processor are described in our Privacy Policy.
5. Retention, deletion, and return
You may delete your collections and stored faces at any time via the API or console. On termination of your account, we will delete your face vectors in the ordinary course thereafter, except where retention is required by law. On request, and where technically feasible, we will return your data before deletion.
6. International transfers
Where you or your data subjects are in a region whose data is transferred to a country without an applicable adequacy decision, the parties agree to rely on Standard Contractual Clauses or another lawful transfer mechanism, incorporated by reference and completed with the details in Section 1.
7. Liability and precedence
This DPA is subject to the disclaimers and limitation of liability in the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. It is governed by the laws of India.
8. Contact
Data-protection queries and signed-DPA requests: privacy@sightradar.com or legal@sightradar.com.