Veriff

Data Processing Addendum

This DPA forms an integral part of the Agreement between the Customer and Veriff covering the Customer’s use of the Service. Unless agreed otherwise, the Agreement means the Agreement made available at Veriff’s website for the use of the Service. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

1. Definitions

All capitalized terms not defined in the DPA shall have the meaning given to them in the Agreement. The following words and expressions shall have the following meaning: 

1.1. "Adequacy Decision" means that the recipient, or the country or territory in which the personal data is processed, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the personal data as determined by the European Commission (at the effective date of this Agreement, the list is available here);

1.2. "CPRA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq;

1.3. "DPA" means this Data Processing Addendum and its Exhibits entered into by and between the Parties as a part of the Agreement;

1.4. "Data Protection Laws" mean any legislation applicable to Veriff or the Customer that protects the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data, such as the GDPR, US Data Protection Laws, any national implementing or supplementary legislation and any other data protection or privacy laws as applicable from time to time to Veriff or the Customer. In this DPA, the terms “controller”, “business”, “processor”, “data subject”, “process”, “service provider”, “subprocessor” and their respective derivative terms shall have the meanings set forth in the Data Protection Laws;

1.5. "Deidentified Data" means data created using Personal Data that cannot reasonably be linked to such Personal Data, directly or indirectly;

1.6. "GDPR" means the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

1.7. "Permitted Business Purposes" means the use of Personal Data for the reasonably necessary operational purposes, including as described in the CPRA, and for the following purposes for which Veriff is processing the Personal Data: (i) ensuring compliance with applicable regulations, including retaining proof of such compliance for its legal obligations, (ii) establishing, exercising or defending legal claims, (iii) developing, testing, improving and altering the functionality of the Service, including for machine learning, data annotation, testing and training, fraud prevention and detection purposes, and producing anonymised or anonymised and aggregated statistical reports and research;

1.8. "Personal Data" means any Customer Data that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Data Protection Laws, including: (i) the names and contact details of the End Users; (ii) details of the End Users' documents (identification document, driver’s license, utility bill, as relevant), including photo of the document, document type, number, date of issue and date of expiry, date of birth, estimated age, and content of extracted fields depending on the chosen Service features; (iii) photographs, videos and audio recordings of the End Users captured via the Service; (iv) facial biometric data relating to the End Users; (v) the results of the identity verification / authentication process conducted through the Service; (vi) data available in Third Party Sites, if applicable; (vii) the End Users’ device and Service usage data, including the duration of the End User's use of the Service, activity in the Service, IP address, domain name, network information, software and hardware attributes, and general geographic location (e.g. city, state, country); and (viii) any other End User Personal Data that Veriff processes on behalf of the Customer in connection with the Customer's use of and access to the Service. Deidentified Data is excluded from the definition of Personal Data;

1.9. "Sold" and "Shared" have the meanings given in the US Data Protection Laws;

1.10. "Standard Contractual Clauses" means the standard data protection clauses adopted under the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction;

1.11. "US Data Protection Laws" means to the extent applicable to Veriff or the Customer, United States federal and state laws (including but not limited to the CPRA) relating to data protection and/or privacy and the processing of Personal Data, as in force and as amended from time to time.

2. Data Processing Roles

2.1. The Customer shall be the controller or business of the Personal Data, and shall process the Personal Data in accordance with the Data Protection Laws.

2.2. Veriff shall:

(a) process the Personal Data for and on behalf of the Customer as necessary for the provision of the Service, which includes the Service’s quality assurance activities, and, to the extent allowed by law, for the Permitted Business Purposes. Veriff shall process the Personal Data as per the Customer’s instructions, unless the processing is allowed or mandated by the law of the European Union, any European Union member state or any other applicable law to which Veriff is subject; in such a case Veriff shall inform the Customer before processing the Personal Data, unless Veriff is legally not allowed to inform the Customer.

(b) process the Personal Data to the extent necessary to perform the Permitted Business Purposes.

2.3. Regarding the personal data of the Parties’ representatives, each Party shall be individually and separately responsible for complying with the obligations that apply to it under Data Protection Laws.

3. Personal Data Processing

3.1. The Customer appoints Veriff to process the Personal Data on behalf of, and in accordance with, the Customer’s instructions as set forth in the Agreement, the DPA, and relevant exhibits, as otherwise reasonably necessary to provide the Service and for the Permitted Business Purposes, and as may subsequently be agreed by the Parties in writing. Any such subsequent agreement shall be subject to this DPA.

3.2. The Customer’s instructions for the processing of the Personal Data shall comply with the Data Protection Laws and will not cause Veriff to violate any applicable law or regulation, including Data Protection Laws. The Customer acknowledges that Veriff is neither responsible for determining which laws are applicable to the Customer’s business nor whether Veriff’s provision of the Service meets the requirements of such laws. Veriff shall inform the Customer in case Veriff reasonably believes that the Customer’s instructions conflict with the requirements of the GDPR, and Veriff has the right to refuse to perform instructions that are not in compliance with the GDPR. In case the Customer’s instructions exceed the scope of the Agreement or the DPA, or require extra development efforts from Veriff, the Parties may agree, prior to fulfilling the instruction, on additional fees that may be payable to Veriff.

3.3. The Customer shall ensure its compliance with Data Protection Laws in relation to the Personal Data disclosed to and exchanged with Veriff in accordance with this DPA (for the Service and for the Permitted Business Purposes), including the accuracy, quality, and lawfulness of processing the Personal Data by the Parties, the means by which the Customer acquires the Personal Data, and the provision of all informative notices and disclosures to the End Users and references to Veriff (including to Veriff’s privacy notice) as required under Data Protection Laws.

3.4. The Customer warrants that prior to making the Service accessible to its End Users and disclosing the Personal Data for the Service and the Permitted Business Purposes it has an appropriate legal basis under Data Protection Laws for lawful processing of the Personal Data by Veriff in accordance with this DPA. The Customer acknowledges that having an appropriate legal basis may include, but is not limited to, obtaining consents and publishing retention periods for processing the End User’s Personal Data (including document and biometric data), if required under Data Protection Laws. Upon Veriff’s reasonable request, the Customer will promptly provide Veriff with proof of having the appropriate legal basis, disclosures, consents, and retention policies required, as necessary, for lawful processing in accordance with the DPA.

3.5. When processing Personal Data of a child, the Customer shall secure any legally required consents, including, but not limited to, full and lawful consent from the child's legal guardian to the processing, or authorization of the processing in another manner, as required under Data Protection Laws.

3.6. The Customer shall inform Veriff of unauthorized Sessions, after which Veriff shall, upon the Customer’s instructions, delete or apply other technical measures to the related Personal Data processed by Veriff or any sub-processors. If Veriff detects an unauthorized Session as determined by the Customer, it may delete the Personal Data processed by Veriff or any sub-processors. Veriff has the right to delete, blur, convert into Deidentified Data, or otherwise render unreadable any Personal Data that may not be processed pursuant to applicable laws.

4. Sub-processors

4.1. The Customer provides a general authorization for Veriff to engage sub-processors to process the Personal Data, provided that (i) Veriff enters into a written agreement with the sub-processor; and (ii) the written agreement with the sub-processor is not materially less protective of Personal Data than this DPA. When requested by the Customer, Veriff shall inform the Customer of all current sub-processors used by Veriff. An up-to-date list of sub-processors is available on Veriff’s “Sub-Processor Page”.

4.2. Veriff shall notify the Customer of any intended changes concerning the addition or replacement of sub-processors it uses to process the Personal Data. The Customer acknowledges and agrees to receive notices related to sub-processors through the Service. If the Customer in writing and on reasonable grounds objects to a new sub-processor within thirty (30) days after Veriff has provided notice to the Customer of such proposed change, then (i) the Parties agree to discuss commercially reasonable alternative solutions in good faith; or (ii) in case Veriff does not agree with the Customer’s objection or the Parties do not reach a commercially reasonable alternative solution, then upon thirty (30) days’ prior notice, either Party is entitled to terminate the applicable Order Form, with respect only to those Services which cannot be provided by Veriff without the use of the objected-to sub-processor.

4.3. Veriff shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any sub-processor as if they were the acts and omissions of Veriff.

5. International Transfers

5.1. Veriff shall not transfer the Personal Data to a recipient in a country or territory outside the European Economic Area unless:

(a) the transfer can be based on an Adequacy Decision; or

(b) the transfer is based on the Standard Contractual Clauses, or any subsequent version released, or another legally recognised transfer method.

5.2. If Veriff adopts an alternative transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to Standard Contractual Clauses, e.g. in case an Adequacy Decision or other transfer mechanism is amended or withdrawn, resulting in the inability to rely on the transfer mechanism, then such alternative transfer mechanism shall apply automatically instead of the mechanisms described in this DPA, and the Customer shall fully cooperate with Veriff to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such alternative transfer mechanism. To the extent the Customer or Veriff have adopted and certified compliance with such alternative transfer mechanism, the Customer represents and warrants that the Customer will comply with all legal principles and terms of such alternative transfer mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data cross-border, then upon request from either Party, the other Party shall fully cooperate to take such action as may be necessary to remedy such non-compliance.

5.3. If Personal Data is transferred (including disclosed via the Service) to the Customer outside of (i) the European Economic Area, or (ii) a jurisdiction with an Adequacy Decision, then Modules 1 and 4 of the Standard Contractual Clauses are hereby incorporated by reference and form an integral part of the Agreement in accordance with this DPA. The Parties concluding the Agreement shall be deemed to have signed the Standard Contractual Clauses and their Annexes. If the Standard Contractual Clauses are applicable as per this section, the Parties agree that:

(a) Veriff is the “data exporter” and the Customer is the “data importer”,

(b) Clause 7, the optional docking clause is not applied, 

(c) Clause 11, the optional language is not applied,

(d) pursuant to Clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) any dispute arising out of the Standard Contractual Clauses will be resolved in accordance with the laws of the Republic of Estonia in Harju County Court (Estonia, Tallinn). For Clause 17, option 1 applies for Module 1,

(e) details required under the Standard Contractual Clauses’ Annexes are provided below in the “Exhibit A to Data Processing Addendum” and in the DPA.

6. Data Security, Audits and Security Notifications

6.1. Veriff shall implement and maintain appropriate technical and organizational measures as described in the “Security Controls” section in the Agreement, to ensure a level of security appropriate to the risk. Veriff is entitled to unilaterally change and update such measures provided that it will not materially decrease the overall security of the Service.

6.2. Veriff maintains the third-party certifications and audits described in the “Security Controls” section in the Agreement. Upon the Customer’s written request at reasonable intervals and subject to confidentiality obligations set forth in the Agreement, Veriff shall make available to the Customer (or to the Customer’s independent third-party auditor) information regarding Veriff’s compliance with the obligations set forth in this DPA in the form of an overview or copy of Veriff’s then most recent third-party audits or certifications described in the “Security Controls” section in the Agreement.

6.3. The Customer may contact Veriff in writing to request a further audit of Veriff’s Personal Data processing activities covered by this DPA. A further audit may be conducted by the Customer either by itself or through an independent third-party auditor when:

(a) the information available pursuant to this section is not sufficient to demonstrate compliance with the obligations set out in this DPA;

(b) the Customer has received a notice from Veriff of a security breach involving Personal Data; or

(c) such an audit is required by Data Protection Laws or by the Customer’s competent supervisory authority.

6.4. The further audit must include an auditing plan, detailing the compliance elements which are subject to the audit. The Parties agree that the further audit shall be conducted:

(a) up to one time per year with at least 30 days’ prior written notice. If an emergency justifies a shorter notice period, Veriff will use good faith efforts to accommodate the further audit request;

(b) during Veriff’s regular business hours without unreasonable interference with Veriff’s day-to-day operations, and

(c) acting reasonably and in a proportional manner, considering the nature and complexity of the Services used by the Customer.

Prior to the further audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of Veriff.

6.5. If a Party becomes aware of an actual or reasonably suspected breach of security in the Service causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, that Party will:

(a) notify the other Party of the security incident without undue delay, 

(b) investigate the security incident and provide such reasonable assistance to the other Party (and any law enforcement or regulatory official) as required to investigate the security incident, and

(c) take steps to remedy any non-compliance with this DPA.

The Customer shall agree any notice of a security incident to the public or to End Users with Veriff in advance.

6.6. Veriff will limit access to the Personal Data to personnel who have a business need to have access to such Personal Data, and will ensure that such personnel are subject to confidentiality at least as protective of the Personal Data as the terms of this DPA and the Agreement.

6.7. Each Party certifies that:

(a) it has not purposefully created back doors or similar programming that could be used to access the system and/or Personal Data,

(b) it has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data or systems, and

(c) national law or government policy does not require the Party to create or maintain back doors, to facilitate access to Personal Data or systems, or to possess or hand over encryption keys.

Notwithstanding other applicable rights of Veriff, Veriff shall have the right to immediately terminate the Agreement and the DPA if the Customer acts in violation of (a) to (c) of this section.

7. Access Requests and Data Subject Rights

7.1. To the extent permitted under applicable law, Veriff shall notify the Customer of any request it has received from an End User in relation to the Personal Data and shall direct the End User to the Customer. The Customer shall handle the End User’s request. For the avoidance of doubt, Veriff has the right to communicate with the End User in order to clarify the request, including whether the request is submitted regarding the Customer, and to provide information to the End User regarding the identity of the Customer.

7.2. Veriff will provide the Customer with reasonable assistance as necessary for the Customer to fulfill its obligation under Data Protection Laws to respond to End Users’ requests, including, if applicable, the Customer’s obligation to respond to requests for exercising the rights set out in Data Protection Laws.

7.3. Each Party shall notify the other Party of any request for the disclosure of Personal Data in the Service, or of any inquiry about the Service or Veriff’s processing of the Personal Data, by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority), unless prohibited by law or by a legally binding order of such body or agency.

8. Assistance

8.1. Taking into account the nature of the processing, and to the extent required under Data Protection Laws:

(a) the Parties shall use all reasonable endeavors to assist each other, and shall not hinder the other Party's compliance efforts, by implementing appropriate technical and organizational measures and all other necessary compliance measures, insofar as this is possible, for the fulfillment of the Parties' obligations to comply with Data Protection Laws and to respond to requests for exercising data subject rights laid down in the Data Protection Laws;

(b) Veriff shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations with supervisory authorities, in each case solely in relation to the processing of the Personal Data and considering the information available to Veriff. This assistance may be a paid service, with reimbursement as set forth in section 6.4 for audits.

8.2. Taking into account the nature of the processing of the Personal Data, each Party will provide the other Party with reasonable assistance in connection with its compliance obligations under Data Protection Laws.

9. Data Retention

9.1. Customer acknowledges that Veriff’s data retention practices vary by Service offering and by type of Personal Data submitted to the Service. Veriff’s data retention practices are detailed here (“Data Retention Page”). Except as otherwise requested by Customer, agreed in writing by the Parties, or as otherwise modified by Customer in the Service, the retention timelines specified in the Data Retention Page will apply.

9.2. Upon request from Customer, and provided such request is received no later than 14 calendar days after termination or expiration of the Agreement, Veriff will assist Customer in retrieving a copy of the Personal Data in the Service; thereafter Veriff shall assign for deletion, and use all reasonable efforts to procure the deletion of, all other copies of Personal Data processed by Veriff or any sub-processors.

9.3. If required by applicable laws or upon request from Customer in writing, Veriff shall delete the Personal Data prior to the date provided in section 9.1 or 9.2.

9.4. Customer acknowledges and agrees that Veriff and/or its sub-processors may retain the Personal Data to the extent required by applicable law, or as Veriff may deem necessary to establish, exercise, or defend any legal claim, provided that Veriff shall ensure the confidentiality of all such Personal Data and it is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue.

9.5. Customer acknowledges and agrees that Veriff and/or its sub-processors may retain Personal Data in their backup systems, from which the corresponding Personal Data will be deleted after the end of the backup cycle. Veriff ensures that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use.

10. Compliance with US Data Protection Laws

10.1. In addition to the other parts of this DPA, this section 10 applies to the extent the US Data Protection Laws govern the processing of Personal Data for the provision of the Service and the Permitted Business Purposes.

10.2. With regard to the Personal Data that is subject to US Data Protection Laws, without Customer’s instruction, Veriff is prohibited from:

(a) Selling or Sharing the Personal Data;

(b) retaining, using, or disclosing the Personal Data for any purpose other than for the specific, limited Permitted Business Purposes or as otherwise permitted by Data Protection Laws;

(c) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the Parties; and

(d) except as otherwise permitted by Data Protection Laws or by the Customer’s instructions, combining the Personal Data with Personal Data that Veriff receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.

10.3. Veriff will notify the Customer promptly if Veriff determines it can no longer meet its obligations under US Data Protection Laws.

10.4. Veriff will not materially decrease the level of security provided to the protection of Personal Data.

10.5. Veriff hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.

EXHIBIT A TO DATA PROCESSING ADDENDUM

Description of Personal Data Processing and Transfer

List of Parties

This is applicable only if Standard Contractual Clauses Module 1 and Module 4 transfers are conducted between the Parties.

Competent Supervisory Authority

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

In accordance with Clause 13(a) of the Standard Contractual Clauses Module 1, the competent supervisory authority of Veriff as the data exporter is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), email: info@aki.ee.

Technical and Organizational Measures to Ensure the Security of the Data

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

Herewith the Customer confirms that when processing personal data (first and foremost, the work-related contact details of Veriff’s representatives) under Standard Contractual Clauses Module 1, it abides by at least equivalent technical and organizational measures as applied by Veriff (as described in the section “Security Controls” in the Agreement) to ensure a level of security appropriate to the risk related to the processing of the personal data. The Customer has the right to change and update, from time to time and as the Customer sees necessary, any and all technical and organizational measures, provided, in all cases, that such modifications will not result in material degradation of the security of the personal data.