
Data Protection

At Tiller Technologies, we are deeply committed to protecting the privacy of your clients' Personally Identifiable Information (PII) as they use our Verify platform. We understand the sensitive nature of the data entrusted to us, and our data privacy practices are built on principles of transparency, accountability, and user control, aligning with stringent global regulations such as the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and Jersey's Data Protection Law 2018.

This section of our Trust Portal details how we collect, use, store, and safeguard all data, including PII.

What is Tiller's approach to Data Privacy?

Tiller Technologies is deeply committed to safeguarding user privacy and personal data, a commitment detailed in our Privacy Policy, available at 'Tiller Technologies Privacy Policy'. This policy transparently outlines how Tiller collects, uses, shares, retains, and secures personal data across various interactions, whether users are browsing our marketing websites, engaging with us directly, or using the 'Verify by Tiller' service. Data collection in relation to our website is limited to basic usage information (via IP address analysis and cookies). Within our Verify by Tiller platform, more extensive information may be captured, including identity verification details such as full names, addresses, identity documents, facial images, and financial information, but it is only collected after explicit user consent is obtained. This data is used primarily for identity verification, fraud prevention, and financial crime prevention as part of our clients' onboarding regulatory obligations.

Tiller makes a clear distinction between its roles as a data processor (for data collected via the 'Verify by Tiller' service, where the requesting organisation is the controller) and as a data controller (for employees of clients, website visitors, and direct contacts). Personal data is shared only with selected, trusted third parties necessary for service delivery, such as identity processing service providers and sanctions screening agencies, and may be shared with government bodies or law enforcement when legally required. The company enforces robust security controls and policies and requires appropriate measures from all third-party contractors. Data is retained only for the legitimate or lawful needs of its own operation and that of its clients. Tiller upholds all user rights under GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing, ensuring individuals maintain control over their personal information.

Is Tiller GDPR Compliant?

Tiller Technologies is committed to data privacy and protection, adhering to a robust framework of global and regional regulations. Our approach ensures full compliance with the 7 principles of the General Data Protection Regulation (GDPR) (EU) 2016/679, as detailed in our Privacy and Personal Data Protection Policy. This commitment extends to specific national legislation, including the Data Protection Act 2018 (DPA 2018) and the Data (Use and Access) Act 2025 (DUAA) in the UK, as well as the Data Protection (Jersey) Law 2018 (DPJL), which underpins our Data Processor Agreement. These legal frameworks guide every aspect of our data handling, from collection and processing to storage and disclosure, ensuring the highest standards of data integrity and confidentiality.

[Figure: GDPR 7 Principles]

[Figure: GDPR 8 Data Subject Rights]

Beyond these foundational regulations, Tiller Technologies continuously monitors and integrates other relevant regional or industry-specific privacy laws and best practices, such as those recommended by ISO/IEC 27018 for personally identifiable information (PII) in cloud environments. Our Privacy Policy ('Tiller Technologies Privacy Policy') further details how we manage personal data, uphold individual rights (including access, rectification, and erasure), and employ stringent security measures to protect your information. Through this multi-layered compliance strategy, Tiller Technologies actively builds and maintains trust, ensuring that our data processing activities not only meet but often exceed regulatory requirements, providing our clients and their customers with confidence in our secure and privacy-conscious operations.

How does Verify by Tiller ensure compliance with data minimisation principles under GDPR?

Tiller’s Privacy and Personal Data Protection Policy explicitly states its adherence to GDPR principles, including "data minimisation," which emphasizes the need to collect only the minimum data required for a stated purpose.

Tiller ensures that personal data processed is adequate, relevant, and limited to what is necessary for that purpose. Tiller's Data Processor Agreement also confirms that Tiller only performs processing activities that are necessary and relevant to provide its services.

As for additional information captured via Verify by Tiller's custom forms, clients themselves, as Data Controllers, must ensure that they too only request data which is adequate, relevant, and limited to what is necessary for their purpose.

How does Tiller ensure data is processed in accordance with expectations?

Tiller Technologies formalizes its commitment to data protection through a comprehensive Data Processor Agreement (DPA) that governs the processing of personal data on behalf of its clients. This DPA is included in all contracts with Tiller and, in summary, sets out the following. As the designated "Processor," Tiller adheres strictly to applicable data protection and privacy legislation, notably the Data Protection (Jersey) Law 2018, ensuring that all processing activities are conducted lawfully and responsibly. The primary purpose of this processing is to deliver Tiller Technologies' services, encompassing the categories of personal data defined in the DPA, to facilitate the functionality and security of its platform. The agreement outlines Tiller's obligations in detail, reinforcing that all personal data is handled under the strict written instructions of the client, who acts as the "Controller". Finally, Tiller also includes the GDPR Standard Contractual Clauses (SCCs) in its applicable contracts.

The DPA also establishes clear protocols for managing data subject rights and breach notifications. Tiller is mandated to promptly notify its clients (Controllers) of any complaints, notices, or communications related to data processing, as well as any requests received from data subjects regarding their personal data or other rights. Furthermore, Tiller provides full cooperation and assistance to clients in responding to such inquiries.

To support its service delivery, Tiller utilizes a limited number of approved sub-processors, all operating under the stringent terms set forth in the DPA to maintain the highest standards of data security and privacy:

Cloud Hosting

  • Microsoft Ireland Operations Limited

  • Microsoft Datacenter Netherlands B.V.

Digital Identity Orchestration

  • GB Group plc

KYC/KYB/AML Due Diligence Intelligence

  • Experian Limited

  • LexisNexis® Risk Solutions

  • IDMerit LLC

  • Datanamix (Pty) Ltd

Who acts as the Data Controller, Data Processor, and Data Owner when using Verify by Tiller?

Understanding the specific roles in our data relationship is vital for compliance. In the context of the Verify by Tiller service, the roles are defined as follows:

  • The Data Owner (Data Subject): This is the individual (your customer) whose identity is being verified. They own their personal data and rights.

  • The Data Controller: This is You (our Client). You determine the "purpose and means" of the processing. You decide to request a verification check to satisfy your own regulatory or business requirements, and you control how long that data is retained. The Data Controller is sometimes referred to as the "Organisation" in data privacy regulations such as PIPA.

  • The Data Processor: This is Tiller Technologies. We process the data solely on your behalf and in accordance with your written instructions (as defined in our Data Processing Agreement) to deliver the verification service.

What classifications of personal data do Tiller and its sub-processors process?

Under the General Data Protection Regulation there are 3 classifications of personal data:

General Personal Data:

Any information relating to an identified or identifiable natural person (data subject), such as full legal name, residential address, date of birth, place of birth, nationality, passport number, National Identity Card number, Social Security number, Tax Identification Number, IP address, bank account numbers and source of funds information, etc., which does not fall into the other two categories.

Special Category Data:

Any data that is deemed inherently sensitive and poses a higher risk to the data subject's fundamental rights and freedoms. The only Special Category Data which Tiller or its sub-processors may process are the selfie image (biometric data) used as part of the ID verification process and some information revealed during PEP screening, for example a data subject's active membership in a political party or senior role in a government.

Criminal Conviction and Offence Data:

Any data relating to criminal convictions, offences, or related security measures regarding the data subject. Such data may be processed when retrieved as part of Adverse Media Screening and Sanctions Screening. For example, a news article reporting that the data subject has been arrested or charged with fraud.

How is biometric data (e.g., facial scans) handled and stored?

Biometric data is treated as Special Category Data under GDPR. It is encrypted at rest and in transit and is strictly used only for the purpose of identity verification (comparing the selfie to the ID document). We do not build persistent biometric databases of your clients for other purposes, and this data is deleted in accordance with our retention policies.

Is data transferred across borders, and is that transfer compliant with regulations?

Verify by Tiller processing and hosting is performed from a Dublin, Ireland based data centre, with geo-redundant DR hosting from a centre in Amsterdam, Netherlands, and therefore falls under EU Commission regulations. Some aspects of our operations do require limited PII data relating to an individual to be transferred to that person's country of residence for the purposes of residential address verification. In all such instances, Transfer Impact Assessments (TIAs) have been performed to assess any risk and to ensure all parties meet EU GDPR standards, enforced through the Standard Contractual Clauses (SCCs).

Some industries and jurisdictions may enforce additional restrictions, such as those of the Commission de Surveillance du Secteur Financier (CSSF), Luxembourg's financial regulator, which requires that Binding Corporate Rules (BCRs) be pre-approved by the CSSF. In those situations, the client will need to determine whether their operation and the services they take from Tiller meet the regulations they operate under. However, Tiller will always collaborate with its clients to help them meet and evidence their compliance wherever possible.

What measures are in place to ensure the integrity and confidentiality of personal data processed by Tiller?

Tiller's Privacy and Personal Data Protection Policy ensures processing is conducted in a manner that guarantees appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

We ensure that all sensitive or confidential data at rest (files, databases, backups) is encrypted, regardless of the environment. Encryption keys are stored securely within key vaults with restricted access. In addition, transactions between individuals and our Verify by Tiller platform, and within the platform itself, are encrypted using TLS, and customer data is encrypted at rest using keys managed by Tiller.

How does Tiller handle data subject access requests (DSARs) and ensure individuals can exercise their rights under data protection laws?

Tiller's Privacy and Personal Data Protection Policy acknowledges the rights of data subjects under GDPR (e.g., right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, rights related to automated decision-making and profiling).

In matters related to data held within the Verify by Tiller platform, if Tiller, as Data Processor, receives a request from a data subject (Data Owner) regarding their data, Tiller will immediately forward the request to the client company (Data Controller) who instructed us to capture and process their data, and will refrain from responding directly ourselves. Tiller will also assist the Data Controller by providing the necessary information and documentation for data subject requests upon the Data Controller's written request and consent.

Ultimately, Tiller will do everything it can to respect the rights of the individual while ensuring our clients retain full control of the request.

Is production data ever used in development or testing environments?

No. Tiller strictly enforces environment segregation. Development and Testing environments utilize synthetic or anonymized dummy data. Live client PII which has not been fully anonymized is never copied into lower environments, eliminating the risk of accidental exposure during development cycles.

Can I customize how long my client data is retained?

Yes, you have full control over data retention. As the Data Controller, you can configure the Verify platform settings to match your specific compliance needs.

Our system operates on the following principles:

  • Custom Configuration: You can set retention limits that align with your local laws and internal policies.

  • Default Policy: In the absence of a custom setting, data is automatically deleted after 90 days or sooner if the record is flagged for deletion by you.

  • Ongoing Monitoring: If you have enabled continuous monitoring (e.g., for AML purposes), data is retained for as long as that service is active.

What happens to user data if a verification check is abandoned mid-process?

Data captured during an incomplete or abandoned session is held temporarily to allow the user to resume. Once the client completes the capture journey, or if the verification request is cancelled by the client, the data is processed and deleted in accordance with our standard retention policies.

How does Tiller handle data breaches if one occurs?

We follow a strict 72-hour notification window. In the unlikely event of a personal data breach, Tiller will notify the Data Controller without undue delay after becoming aware of the breach. We provide a detailed report including the nature of the breach, the data categories involved, and the remedial actions taken, assisting you in your obligation to report to supervisory authorities.

Does Tiller apply "Privacy by Design" principles to Verify by Tiller?

Tiller adopted and applied the principles of "Privacy by Design" from the very inception of Verify by Tiller. This means that, when defining and planning all features in the platform and any new or changed features, personal data is only collected or processed after due consideration of the privacy rights of the individual. We have completed privacy impact assessments (PIAs) for the platform and are committed to respecting individuals' GDPR rights and privacy in everything we do.


Tiller Technologies use of 3rd Party Sub-Processors

At Tiller, we engage a select ecosystem of industry-leading sub-processors—including Microsoft Azure for secure hosting, GB Group for identity verification, and partners like LexisNexis Risk Solutions, Experian and more for global screening. We manage these critical partnerships through a rigorous vendor risk management framework that mandates comprehensive initial due diligence and ongoing security reviews to ensure every partner maintains enterprise-grade standards.

All data sharing is strictly governed by robust Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs), ensuring that personal information is encrypted in transit and at rest, minimized to only what is strictly necessary for the specific verification function, and processed solely in accordance with our documented instructions to maintain the complete integrity and confidentiality of your client data.

3rd Party Sub-Processors

GB Group plc

GB Group plc is a UK-based global specialist in digital identity and location intelligence. Tiller has partnered with GBG for the image and identity processing services that power parts of Tiller's client onboarding and verification solutions.

Data Shared (ID Verification)

Special Category Data Shared

  • ID Document Image (which will include an image of the individual)

  • Selfie Image (taken as part of the liveness test)

General Category Data Shared (OCR'ed or extracted from the RFID chip)

  • Full Name

  • Date of Birth

  • Place of Birth

  • Nationality

  • Residential Address (if present on ID Document)

  • Country and Place of Birth

  • ID Document number (Passport number/Driving Licence Number/ID Card Number)

Data Retention Terms with GB Group plc

  • Maximum of 30 days

LexisNexis Risk Solutions UK Limited

LexisNexis Risk Solutions is a world leader in data and analytics, providing specialized financial crime compliance tools. Tiller has partnered with LexisNexis Risk Solutions for Politically Exposed Persons (PEP), Sanctions, and Adverse Media screening because they maintain one of the world's most comprehensive risk databases, covering millions of profiles curated from thousands of global government, regulatory, and media sources.

Data Shared (Individual - PEP, Sanction and Adverse Media Screening)

General Category Data Shared

  • Full Name

  • Title (Mr, Mrs, Miss etc.)

  • Current Residential Address

  • Date of Birth

  • Country and Place of Birth

Data Shared (Corporate - Sanction and Adverse Media Screening)

General Category Data Shared

  • Company Name

  • Company Type

  • Registered Address

  • Registration Number

Data Retention Terms with LexisNexis Risk Solutions

  • Maximum of 24 hours (except where ongoing monitoring is in place when it is retained for the duration the individual is monitored)

Experian Limited

Experian is a global leader in information services, providing robust data quality. Tiller has partnered with Experian to access their comprehensive range of UK and international ePoA sources, which leverage government, credit bureau and utility company data. We also utilise their UK bank sources for bank account verification.

Data Shared (Residential Address Verification)

General Category Data Shared

  • Full Name

  • Title (Mr, Mrs, Miss etc.)

  • Current Residential Address

  • Previous Residential Address (if applicable)

  • Date of Birth

  • ID Card Number (if available)

  • Telephone

  • Email

Data Shared (Bank Account Verification)

General Category Data Shared

  • Full Name

  • Title (Mr, Mrs, Miss etc.)

  • Current Residential Address

  • Bank Account/IBAN Number (including Sort Code or SWIFT/BIC code)

Data Retention Terms with Experian Limited

  • Contracted maximum of 1 year (however, Experian only retains personal data for 7 days; the contracted maximum exists to allow for the support of claims)

IDMerit LLC

IDMerit is an identity verification specialist that excels in coverage of "hard-to-verify" markets. Tiller's long partnership with IDMerit gives us access to regulatory-quality data sources from a large array of countries, providing real-time international ePoA.

Data Shared (Residential Address Verification)

General Category Data Shared

  • Full Name

  • Title (Mr, Mrs, Miss etc.)

  • Current Residential Address

  • Date of Birth

  • ID Card Number (if available)

  • Telephone

  • Email

Data Retention Terms with IDMerit LLC

  • Maximum of 72 hours

Datanamix (Pty) Ltd

Datanamix is a South African information services leader specializing in data verification and risk management solutions. Our partnership with them gives us comprehensive access to data on South African residents from government and credit agency sources.

Data Shared (Residential Address Verification)

General Category Data Shared

  • Full Name

  • SA ID Number

  • Title (Mr, Mrs, Miss etc.)

  • Telephone

  • Email

Data Shared (Bank Account Verification)

General Category Data Shared

  • Full Name

  • Title (Mr, Mrs, Miss etc.)

  • SA ID Number

  • Bank Account & Branch Code

  • Account Type

General Category Data Shared

  • Company Name

  • Company Type

  • Registration Number

Data Retention Terms with Datanamix (Pty) Ltd

  • Maximum of 72 hours

Microsoft Ireland Operations Limited

Microsoft Ireland Operations Limited is the legal entity responsible for operating Microsoft's cloud services and data centres within the region, acting as a primary hub for Azure's European infrastructure. Tiller partners with Microsoft by hosting its entire infrastructure within Azure's "North Europe" region (located in Dublin) and "West Europe" region (located in Amsterdam) data centres. We leverage Azure's enterprise-grade security to ensure that your client data is stored with the highest levels of resilience and compliance available.

No data is shared with Microsoft, as all data hosted in their virtualised infrastructure is encrypted both at rest and in transit.

[Figure: Verify by Tiller Data Flow]

Available Supporting Data Privacy Documents

The following data privacy related supporting documentation is available via the request form below:

  • Verify by Tiller - Data Processor Agreement - June 2024 - v1.2

  • TTL - ISMS-DOC-A08-2 Information Classification Procedure

  • TTL - ISMS-DOC-A08-9 Procedure for the Disposal of Media

  • TTL - ISMS-DOC-A16-1 Information Security Event Assessment Procedure

  • TTL - ISMS-DOC-A16-2 Information Security Incident Response Procedure

  • TTL - ISMS-DOC-A16-6 Incident Response Plan Data Breach

  • TTL - ISMS-DOC-A18-5 Privacy and Personal Data Protection Policy


Data Privacy Documentation Request Form
