Data Processing Agreement
Data Processing Agreement (DPA) defines how personal data is processed between the data controller and the processor in compliance with GDPR.
last updated: 01/01/2026
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the agreement
between GlobeID Limited and the Customer governing the use of the PassportScan
services.
1. Parties
1.1 Data Controller (Customer)
The legal entity using the PassportScan services to process personal data in the course of
its hospitality, accommodation, or guest-registration activities (“Customer”).
1.2 Data Processor
GlobeID Limited
The Black Church, St. Mary’s Place
Dublin 7, Ireland
(“GlobeID” or “Processor”).
2. Definitions
Capitalised terms not defined herein shall have the meaning given in the EU General Data
Protection Regulation (GDPR).
- Personal Data: any information relating to an identified or identifiable natural person.
- Processing: any operation performed on Personal Data as defined under GDPR.
- Data Subject: the individual to whom the Personal Data relates.
- Applicable Data Protection Law: GDPR and any national implementing legislation.
- Sub-processor: any third party engaged by GlobeID to process Personal Data on behalf of the Customer.
3. Subject Matter and Duration
3.1 Subject Matter
This DPA governs the Processing of Personal Data by GlobeID on behalf of the Customer
through the PassportScan platform and related services.
3.2 Duration
Processing shall continue for the duration of the Customer’s use of the Services, unless
otherwise agreed in writing.
4. Nature and Purpose of Processing
4.1 Nature of Processing
Processing may include collection, recording, structuring, storage, consultation,
transmission, and deletion of Personal Data.
4.2 Purpose of Processing
Processing is performed exclusively to:
- enable guest check-in and registration
- scan and extract identity document data
- transmit required data to PMS systems
- comply with legal guest reporting obligations (e.g. police, immigration, statistics authorities)
- support digital signatures and consent workflows
. Categories of Personal Data and Data Subjects
5.1 Categories of Personal Data
Depending on the Customer’s use of the Services, Personal Data may include:
- full name
- date and place of birth
- nationality and citizenship
- identity document type, number, issuing authority, and expiry date
- document images and machine-readable zone (MRZ) data
- reservation and stay information
- digital signatures and consent records
5.2 Categories of Data Subjects
- guests of the Customer, including children and minors where legally required
- accompanying persons linked to a booking
6. Roles and Responsibilities
6.1 Customer Obligations
The Customer:
- acts as Data Controller
- determines the purposes and legal basis for Processing
- ensures lawful collection of Personal Data
- provides required privacy notices to Data Subjects
- determines retention periods
6.2 GlobeID Obligations
GlobeID shall:
- process Personal Data only on documented instructions of the Customer
- ensure confidentiality of Personal Data
- implement appropriate technical and organisational security measures
- assist the Customer in meeting GDPR obligations
- not process Personal Data for its own purposes
7. Processing of Children’s Data
The Customer acknowledges that PassportScan may process Personal Data relating to
children and minors where required by law during guest registration.
Such Processing is:
- performed solely on Customer instructions
- limited to data strictly necessary for legal compliance
- not used for marketing, profiling, or analytics
8. Security Measures
GlobeID implements appropriate technical and organisational measures in accordance
with GDPR Article 32.
These measures include, but are not limited to:
- encryption at rest of sensitive Personal Data stored in encrypted Amazon S3 buckets
- encryption in transit using secure communication protocols
- logical segregation of customer data by region and account
- role-based access control and least-privilege principles
- secure authentication, logging, and monitoring
- incident detection and response procedures
Sensitive identity documents and extracted data are stored encrypted within the applicable
regional AWS infrastructure.
9. Sub-processing
9.1 General Authorisation
The Customer grants GlobeID general written authorisation to engage Sub-processors as necessary for the provision, operation, security, and maintenance of the Services.
Sub-processors may provide services including infrastructure hosting, system administration, monitoring, authentication, logging, and operational support.
All Sub-processors are contractually bound by confidentiality and data protection obligations no less protective than those set out in this Agreement.
GlobeID remains fully liable for the acts and omissions of its Sub-processors.
9.2 On-Device OCR Processing
Where PassportScan uses OCR or document analysis technologies, all sensitive document processing is performed locally on the end-user’s mobile device.
No raw identity documents or extracted sensitive data are transmitted to third-party OCR providers. As a result, such providers do not receive Personal Data and are not considered Sub-processors.
9.3 Sub-processor Transparency
GlobeID maintains an up-to-date list of authorised Sub-processors.
The Customer hereby provides general written authorisation for the use of the Sub-processors listed at that location.
GlobeID shall notify Customers of material changes to the Sub-processor list prior to the engagement of a new Sub-processor and provide the opportunity to object where required by Applicable Data Protection Law.
10. Data Hosting and International Transfers
10.1 Cloud Infrastructure
Personal Data is hosted using Amazon Web Services (AWS).
10.2 Regional Data Residency
PassportScan applies a regional data-storage model aligned with the Customer’s hotel
location.
Supported regions at the time of this Agreement:
| Geographic Zone | Data Storage Location |
|---|---|
| Europe | Ireland |
| Asia | Singapore |
| Australia | Sydney |
| North America | North Virginia |
| South America | São Paulo |
Personal Data is stored in the region corresponding to the Customer’s operational location
unless otherwise agreed.
10.3 Cross-Border Transfers
Where cross-border transfers occur, GlobeID ensures appropriate safeguards, including
EU Standard Contractual Clauses where required.
ANNEX 1 – SUMMARY OF PROCESSING
| Item | Description |
|---|---|
| Subject matter | Guest identity and check-in data |
| Purpose | Legal compliance and guest registration |
| Data subjects | Guests, including minors |
| Data categories | Identity documents, guest details |
| Processing | Collection, storage, transmission |
| Duration | Contract term |
