
GDPR Compliance

IntelliFace is designed with GDPR compliance as a core principle — not an afterthought. Here is how we meet our obligations as a data processor.

Our Role Under GDPR

Under GDPR, IntelliFace acts as a Data Processor when processing personal data on behalf of your organization (the Data Controller). We process employee data — including biometric face embeddings — only on your documented instructions.

We have appointed a Data Protection Officer (DPO) reachable at privacy@intelliface.io.

Legal Basis for Processing

Biometric data is a special category under Article 9 of GDPR. For IntelliFace to process this data lawfully, your organization must identify and document a valid legal basis before enrolling employees.

The most common bases are: (a) explicit consent from each employee, or (b) legitimate interests where processing is necessary for employment purposes and a balancing test has been conducted.

We provide consent letter templates and a Data Processing Agreement (DPA) to help you establish your legal basis correctly.

Data Processing Agreement

Article 28 of GDPR requires a written Data Processing Agreement (DPA) between controllers and processors. IntelliFace provides a standard DPA covering all required clauses.

To execute the DPA, contact legal@intelliface.io. The DPA is included at no additional cost on all plans.

Data Subject Rights

We provide tools to help you fulfill data subject requests:

Right of Access: Export all stored data for an employee from the dashboard in one click.

Right to Erasure: Delete an employee account and face embedding immediately — permanently and irreversibly.

Right to Restriction: Suspend processing for a specific employee while retaining records.

Data Portability: Export attendance records as CSV or PDF at any time.

All deletions are propagated within 24 hours and confirmed by an automatic audit entry.

Data Transfers Outside the EEA

If you choose a European data region, your data is stored and processed within the EEA. For customers who choose other regions, transfers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission.

We do not transfer data to third-party sub-processors outside the EEA without appropriate safeguards.

Sub-processors

We maintain an up-to-date list of sub-processors at intelliface.io/sub-processors. Material changes are notified at least 30 days in advance to give you the opportunity to object.

Current sub-processors include our cloud infrastructure provider (MongoDB Atlas), email service (for transactional notifications only), and payment processor (Stripe — attendance data is never shared with Stripe).

Security Measures

We implement the technical and organizational measures required under Article 32, including: AES-256 encryption at rest, TLS 1.3 for data in transit, application-layer encryption for biometric face embeddings, role-based access control, MFA for all admin accounts, annual penetration testing, and a documented incident response procedure.

In the event of a personal data breach, we will notify you within 72 hours of becoming aware, enabling you to meet your Article 33 notification obligations.