Veriff

Data Processing Addendum

This DPA forms an integral part of the Agreement between the Client and Veriff covering the Client’s use of the Service. Unless agreed otherwise, the Agreement means the Agreement made available at Veriff’s website for the use of the Service. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

1. Definitions

All capitalized terms not defined in the DPA shall have the meaning given to them in the Agreement. The following words and expressions shall have the following meaning: 

1.1. "Adequacy Decision" means that the recipient, or the country or territory in which the personal data is processed, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the personal data as determined by the European Commission (at the effective date of this Agreement, the list is available here);

1.2. "CPRA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq;

1.3. "DPA" means this Data Processing Addendum and its Exhibits entered into by and between the Parties as a part of the Agreement; 

1.4. "Data Protection Laws" means any legislation applicable to Veriff or the Client that protects the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data, such as the GDPR, US Data Protection Laws, any national implementing or supplementary legislation and any other data protection or privacy laws as applicable from time to time to Veriff or the Client. In this DPA, the terms “controller”, “business”, “processor”, “data subject”, “process”, “service provider”, “sub-processor” and their respective derivative terms shall have the meanings set forth in the Data Protection Laws;

1.5. "Deidentified Data" means data created using Personal Data that cannot reasonably be linked to such Personal Data, directly or indirectly;

1.6. "GDPR" means the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

1.7. "Permitted Business Purposes" means the use of Personal Data for the reasonably necessary operational purposes, including as described in the CPRA and for the following purposes for which Veriff is processing the Personal Data: (i) ensuring compliance with applicable regulations, including retaining proof of evidence of such for compliance with its legal obligations, (ii) to establish, exercise or defend a legal claim, (iii) developing, testing, improving and altering the functionality of the Service, including for machine learning, data annotation, testing and training, fraud prevention and detection purposes, and producing anonymised or anonymised and aggregated statistical reports and research;

1.8. "Personal Data" means any Client Data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Data Protection Laws, including: (i) the names and contact details of the End Users; (ii) details of the End Users' documents (identification document, driver’s license, utility bill, as relevant), including photo of the document, document type, number, date of issue and date of expiry, date of birth, estimated age, content of extracted fields depending on the chosen Service features; (iii) photographs, videos and audio recordings of the End Users captured via the Service; (iv) facial biometric data relating to the End Users; (v) the results of the identity verification / authentication process conducted through the Service; (vi) data available in External Register, if applicable; (vii) the End Users’ device’s and Service usage data, including the duration of the End User's use of the Service, activity in the Service, IP address, domain name, network information, software and hardware attributes, general geographic location (e.g. city, state, country); and (viii) any other End User’s Personal Data that Veriff processes on behalf of the Client in connection with the Client's use of and access to the Service. Deidentified Data is excluded from the definition of Personal Data;

1.9. "Sold" and "Shared" have the meanings given in the US Data Protection Laws;

1.10. "Standard Contractual Clauses" means the standard data protection clauses adopted under the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction;

1.11. "US Data Protection Laws" means to the extent applicable to Veriff or the Client, United States federal and state laws (including but not limited to the CPRA) relating to data protection and/or privacy and the processing of Personal Data, as in force and as amended from time to time.

2. Data processing roles

2.1. The Client shall be the controller or business of the Personal Data, and shall process the Personal Data in accordance with the Data Protection Laws. The Client shall have the sole responsibility for the accuracy, quality, and lawfulness of processing the Personal Data, and the means by which it acquires the Personal Data.

2.2. Veriff shall be:

(a) the processor, or sub-processor, of the Personal Data for and on behalf of the Client as necessary for the provision of the Service, which includes the Service's quality assurance activities, to the Client and, to the extent allowed by law, for the Permitted Business Purposes: 
(i) where the Client acts as a controller, Veriff acts as a processor;
(ii) where the Client acts as a processor on behalf of another controller, Veriff acts as a sub-processor;

unless processing is allowed or mandated by the law of the European Union, any European Union member state or any other applicable law to which Veriff is subject, in which case Veriff shall act as a controller, to the extent permitted by the law, and inform the Client before processing the Personal Data, unless Veriff is legally not allowed to inform the Client.
For purposes of the US Data Protection Laws, Veriff will act as a service provider or processor (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.

(b) a separate and independent controller of the Personal Data to the extent necessary to perform the Permitted Business Purposes; in which case the Client shall be a controller or business of the Personal Data only to the extent of making the Personal Data available to Veriff.   

2.3. Veriff’s rights and obligations, as stated herein, shall apply where Veriff acts as a processor (as described in section 2.2.a), unless expressly stated to be applicable for Veriff as a controller (as described in section 2.2.b), or Veriff in both roles. This does not affect the Client’s compliance obligations stated herein.

2.4. Regarding the personal data of the Parties’ representatives, each Party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent data controller under Data Protection Laws.

3. Personal Data Processing

3.1. The Client appoints Veriff to process the Personal Data on behalf of, and in accordance with, the Client’s instructions as set forth in the Agreement, the DPA, and relevant exhibits, as otherwise reasonably necessary to provide the Service and for the Permitted Business Purposes, and as may subsequently be agreed by the Parties in writing. Any such subsequent agreement shall be subject to this DPA.

3.2. The Client’s instructions for the processing of the Personal Data shall comply with the Data Protection Laws and will not cause Veriff to violate any applicable law or regulation, including Data Protection Laws. The Client acknowledges that Veriff is neither responsible for determining which laws are applicable to the Client’s business nor whether Veriff’s provision of the Service meets the requirements of such laws. Veriff shall inform the Client in case Veriff reasonably believes that the Client’s instructions conflict with the requirements of the GDPR, and Veriff has the right to refuse to perform instructions that are not in compliance with the GDPR. In case the Client’s instructions exceed the scope of the Agreement or the DPA, or presume extra development efforts from Veriff, prior to fulfilling the instruction, the Parties may agree on additional fees that may be payable to Veriff.

3.3. The Client shall ensure its compliance with Data Protection Laws in relation to the Personal Data disclosed to and exchanged with Veriff in accordance with this DPA (for the Service and for the Permitted Business Purposes), including the accuracy and lawfulness of processing the Personal Data by the Parties, the provision of all informative notices and disclosures to the End Users and references to Veriff (including to Veriff’s privacy policy) as required under Data Protection Laws.

3.4. The Client warrants that prior to making the Service accessible to its End Users and disclosing the Personal Data for the Service and the Permitted Business Purposes it has an appropriate legal basis under Data Protection Laws for lawful processing of the Personal Data by Veriff in accordance with this DPA. The Client acknowledges that having an appropriate legal basis may include, but is not limited to, obtaining consents and publishing retention periods for processing the End User’s Personal Data (including document and biometric data), if required under Data Protection Laws. Upon Veriff’s reasonable request, the Client will promptly provide Veriff with proof of having the appropriate legal basis, disclosures, consents, and retention policies required, as necessary, for lawful processing in accordance with the DPA.

3.5. When processing Personal Data of a child, the Client shall secure any legally required consents, including, but not limited to, full and lawful consents from the legal guardian of the child for the processing, or shall have the processing authorized in another manner, as required under Data Protection Laws.

3.6. The Client shall inform Veriff of unauthorized Sessions, after which Veriff shall, upon the Client’s instructions, delete or apply other technical measures to the related Personal Data processed by Veriff or any sub-processors. If Veriff detects an unauthorized Session as determined by the Client, it may delete the Personal Data processed by Veriff or any sub-processors. Veriff has the right to delete, blur, convert into Deidentified Data, or otherwise make unreadable any Personal Data that may not be processed pursuant to applicable laws.

4. Sub-processors

4.1. The Client provides a general authorization for Veriff to engage sub-processors to process the Personal Data, provided that (i) Veriff enters into a written agreement with the sub-processor; and (ii) the written agreement with the sub-processor is not materially less protective to Personal Data than this DPA. When requested by the Client, Veriff shall inform the Client of all current sub-processors used by Veriff. An up to date list of sub-processors is available on Veriff’s "Sub-processors Used by Veriff" site.

4.2. Veriff shall notify the Client of any intended changes concerning the addition or replacement of sub-processors it uses to process the Personal Data. The Client acknowledges and agrees to receive notices related to sub-processors through the Service. If the Client in writing and on reasonable grounds objects to a new sub-processor within thirty (30) days after Veriff has provided notice to Client of such proposed change, then (i) the Parties agree to discuss commercially reasonable alternative solutions in good faith; or (ii) in case Veriff does not agree with the Client’s objection or the Parties do not reach a commercially reasonable alternative solution, then upon thirty (30) days’ prior notice, either Party is entitled to terminate the applicable Order Form, with respect only to those Services which cannot be provided by Veriff without the use of the objected-to sub-processor.

4.3. Veriff shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Client for the acts and omissions of any sub-processor as if they were the acts and omissions of Veriff.

5. International Transfers

5.1. Veriff shall not transfer the Personal Data to a recipient in a country or territory outside the European Economic Area unless:

(a) the transfer can be based on an Adequacy Decision; or

(b) the transfer is based on the Standard Contractual Clauses, or any subsequent version released, or another legally recognised transfer method.

5.2. If Veriff adopts an alternative transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to Standard Contractual Clauses, e.g. in case an Adequacy Decision or other transfer mechanism is amended or withdrawn, resulting in the inability to rely on the transfer mechanism, then such alternative transfer mechanism shall apply automatically instead of the mechanisms described in this DPA, and the Client shall fully cooperate with Veriff to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such alternative transfer mechanism. To the extent the Client or Veriff have adopted and certified compliance with such alternative transfer mechanism, the Client represents and warrants that the Client will comply with all legal principles and terms of such alternative transfer mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data cross-border, then upon request from either Party, the other Party shall fully cooperate to take such action as may be necessary to remedy such non-compliance.

5.3. Regardless of Veriff’s processing role, if Personal Data is transferred (including disclosed via Service) to the Client outside of (i) the European Economic Area, or (ii) a jurisdiction with an Adequacy Decision, then the Modules 1 and 4 of the Standard Contractual Clauses are hereby incorporated by reference and form an integral part of the Agreement in accordance with this DPA. The Parties concluding the Agreement shall be deemed as signing the Standard Contractual Clauses and their Appendixes. If the Standard Contractual Clauses are applicable as per this section, the Parties agree that:

(a) Veriff is the “data exporter” and the Client is the “data importer”,

(b) the Module 4 terms apply where the Client is the controller and Veriff is the processor, and Module 1 terms apply where the Parties act as independent controllers, 

(c) Clause 7, the optional docking clause is not applied, 

(d) Clause 11, the optional language is not applied,

(e) pursuant to Clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) any dispute arising out of the Standard Contractual Clauses will be resolved in accordance with the laws of the Republic of Estonia in Harju County Court (Estonia, Tallinn). For Clause 17, option 1 applies for Module 1,

(f) details required under the Standard Contractual Clauses’ Annexes are provided below in the “Exhibit to Data Processing Addendum” and in the DPA.

6. Data Security, Audits and Security Notifications

6.1. Veriff shall implement and maintain appropriate technical and organizational measures as described in the “Security Controls” section in the Agreement, to ensure a level of security appropriate to the risk. Veriff is entitled to unilaterally change and update such measures provided that it will not materially decrease the overall security of the Service. 

6.2. Veriff maintains the third-party certifications and audits described in the “Security Controls” section in the Agreement. Upon the Client’s written request at reasonable intervals and subject to confidentiality obligations set forth in the Agreement, Veriff shall make available to the Client (or to the Client’s independent third-party auditor) information regarding Veriff’s compliance with the obligations set forth in this DPA in the form of an overview or copy of Veriff’s then most recent third-party audits or certifications described in the “Security Controls” section in the Agreement. 

6.3. The Client may contact Veriff in writing to request a further audit of Veriff’s Personal Data processing activities covered by this DPA. A further audit may be conducted by the Client either by itself or through an independent third-party auditor when:

(a) the information available pursuant to this section is not sufficient to demonstrate compliance with the obligations set out in this DPA; 

(b) the Client has received a notice from Veriff of a security breach involving Personal Data; or  

(c) such an audit is required by Data Protection Laws or by the Client’s competent supervisory authority. 

6.4. The further audit must include an auditing plan, detailing the compliance elements which are subject to the audit. The Parties agree that the further audit shall be conducted: 

(a) up to one time per year with at least a 30 days’ prior written notice. If an emergency justifies a shorter notice period, Veriff will use good faith efforts to accommodate the further audit request; 

(b) during Veriff’s regular business hours without unreasonable interference with Veriff’s day-to-day operations, and

(c) acting reasonably and in a proportional manner, considering the nature and complexity of the Services used by the Client.

Prior to the further audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which the Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of Veriff. 

6.5. If a Party becomes aware of an actual or reasonably suspected breach of security in the Service causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, that Party will: 

(a) notify the other Party of the security incident without undue delay, 

(b) investigate the security incident and provide such reasonable assistance to the Party (and any law enforcement or regulatory official) as required to investigate the security incident, and 

(c) take steps to remedy any non-compliance with this DPA. 

The Client shall confirm and agree on any notice of security incident to the public or End Users, beforehand with Veriff. 

6.6. Veriff will limit access to the Personal Data to personnel who have a business need to have access to such Personal Data, and will ensure that such personnel are subject to confidentiality at least as protective of the Personal Data as the terms of this DPA and the Agreement.

6.7. Both Parties certify that:

(a) it has not purposefully created back doors or similar programming that could be used to access the system and/or Personal Data,

(b) it has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data or systems, and

(c) that national law or government policy does not require the Party to create or maintain back doors or to facilitate access to Personal Data or systems or for the Party to be in possession or to hand over the encryption key.

Notwithstanding other applicable rights of Veriff, Veriff shall have the right to immediately terminate the Agreement and the DPA if the Client acts in violation of (a) to (c) of this section.

7. Access Requests and Data Subject Rights

7.1. To the extent permitted under applicable law, Veriff shall notify the Client of any request it has received from End User in relation to the Personal Data and shall direct the End User to the Client. The Client shall handle the End User’s request. For avoidance of doubt, Veriff has the right to communicate with the End User in order to clarify the request, including whether the request is submitted regarding the Client, and provide information to the End User regarding the identity of the Client as controller. 

7.2. Veriff will provide the Client with reasonable assistance as necessary for the Client to fulfill its obligation under Data Protection Laws to respond to End User’s requests, including if applicable, the Client’s obligation to respond to requests for exercising the rights set out in Data Protection Laws.

7.3. Each Party shall notify the other Party of any request for the disclosure of Personal Data in the Service or inquiries about the Service or Veriff’s processing of the Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless prohibited by law or a legally binding order of such body or agency.

8. Assistance

8.1. Taking into account the nature of the processing, and to the extent required under Data Protection Laws: 

(a) the Parties shall use all reasonable endeavors and not hinder the other Party's efforts towards compliance, to assist each other by implementing appropriate technical and organizational measures and all other necessary compliance measures, insofar as this is possible, for the fulfillment of the Parties’ obligation to comply with Data Protection Laws and to respond to requests for exercising data subject rights laid down in the Data Protection Laws;

(b) Veriff shall provide reasonable assistance to the Client with any data protection impact assessments and with any prior consultations to any supervisory authorities, in each case solely in relation to the processing of the Personal Data and considering the information available to Veriff. This assistance may be a paid service, similarly as set forth in section 6.4 for auditing purposes.

8.2. Taking into account the nature of the processing of the Personal Data, each Party will provide the other Party with reasonable assistance in connection with its compliance obligations under Data Protection Laws. 

9. Data retention

9.1. Except as otherwise specified in the applicable Order Form, as a default, the Personal Data processed by Veriff in connection with the provision of the Service shall be available to the Client for 90 calendar days in the Service, and will thereafter be archived. Veriff will retain such Personal Data in its archive and make it available to the Client upon request for the shorter of (i) the period of time the Client remains a customer of Veriff’s Service, or (ii) three (3) years. Personal Data will thereafter be assigned for deletion. In case of the Agreement termination, the Personal Data will be deleted in accordance with section 9.2 below. Certain Service features may have effect on the overall Personal Data retention period and archival logic. Detailed information about non-default retention is provided upon request and made available here.

9.2. Within 14 calendar days as of the date of termination of the Agreement, the Client may request from Veriff a copy of the Personal Data visible in the Service by a secure file transfer; thereafter Veriff shall assign for deletion, and use all reasonable efforts to procure the deletion of, all other copies of Personal Data processed by Veriff or any sub-processors. During the Term, the Client has the right to export the Personal Data visible in the Service by itself. 

9.3. If required by applicable laws or by the Client, Veriff shall delete the Personal Data prior to the date provided in section 9.1 or 9.2.

9.4. Veriff and its sub-processors may retain the Personal Data to the extent required by applicable law, or as Veriff may deem necessary to establish, exercise or defend any legal claim, provided that Veriff shall ensure the confidentiality of all such Personal Data and it is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue.

9.5. Veriff and its sub-processors may retain Personal Data in its backup systems, from which the corresponding Personal Data will be deleted after the end of the backup cycle. Veriff ensures that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use.

10. Compliance with US Data Protection Laws

10.1. In addition to the other parts of this DPA, this section 10 applies to the extent the US Data Protection Laws govern the processing of Personal Data for the Service Provision and the Permitted Business Purposes. 

10.2. With regard to the Personal Data that is subject to US Data Protection Laws, without Client’s instruction, Veriff is prohibited from:

(a) Selling or Sharing the Personal Data;

(b) retaining, using, or disclosing the Personal Data for any purpose other than for the specific, limited Permitted Business Purposes or as otherwise permitted by Data Protection Laws;

(c) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the Parties; and

(d) except as otherwise permitted by Data Protection Laws or by the Client’s instructions, combining the Personal Data with the Personal Data that Veriff receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.

10.3. Veriff will notify the Client promptly if Veriff determines it can no longer meet its obligations under US Data Protection Laws.

10.4. Veriff will not materially decrease the level of security provided to the protection of Personal Data.

10.5. Veriff hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them. 

EXHIBIT 1 TO DATA PROCESSING ADDENDUM

Description of Personal Data Processing and Transfer

List of Parties

This is applicable only if Standard Contractual Clauses Module 1 and Module 4 transfers are conducted between the Parties.

Competent Supervisory Authority

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

In accordance with Clause 13(a) of the Standard Contractual Clauses Module 1, the competent supervisory authority of Veriff as the data exporter is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), email: info@aki.ee.

Technical and Organizational Measures to Ensure the Security of the Data

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

Herewith the Client confirms that when processing personal data (first and foremost, Veriff’s representatives’ work-related contact details) under Standard Contractual Clauses Module 1, it abides by at least equivalent technical and organizational measures as applied by Veriff (as described in section “Security Controls” in the Agreement) to ensure the level of security appropriate to the risk related to processing of the personal data. The Client has the right to change and update, from time to time and as seen necessary by the Client, any and all technical and organizational measures, provided, in all cases, such modifications will not result in material degradation of the security of the personal data.

EXHIBIT 2 TO DATA PROCESSING ADDENDUM

UKDIATF Certified Identity Verification Solution

Provided the UK Digital Identity and Attributes Trust Framework (“UKDIATF”) Certified Identity Verification Solution is made available to the Customer, the DPA applies in conjunction with the clauses herein. In the event of a conflict between any of the provisions of this Exhibit 2 and the provisions of the DPA, the Exhibit 2 shall prevail.

1. Data Processing Roles of UKDIATF Certified Identity Verification Solution

1.1. For the UKDIATF Certified Identity Verification Solution (Medium Level), the processing roles as per the DPA apply with the following exception: 

(a) As a part of the Service, Veriff conducts fraud or other unlawful conduct checks against the databases operated by Cifas, a company registered in England and Wales under company number 02584687 and with registered office at 6th Floor Lynton House, 7-12 Tavistock Square, London WC1H 9LT (“Cifas”). For the purposes of conducting the checks against and filing the reports to the Cifas databases, Veriff acts as a joint-controller with Cifas. Veriff is a controller for compiling and retaining information about the End Users reported to Cifas if Veriff determines that the Session meets the reporting criteria agreed upon with Cifas. 

(b) In the context of the processing activities in section 1.1(a) of the Exhibit 2, the Customer shall be a controller of the Personal Data only to the extent of making the Personal Data available to Veriff and authorizing the use of Personal Data for the identified purposes to receive the UKDIATF Certified Identity Verification Solution (Medium Level).

1.2. Notwithstanding section 1.1 of the Exhibit 2, for the UKDIATF Certified Identity Verification Solution (Low Level), the processing roles as per the DPA apply. 

2. Personal Data Processing and Data Subject Rights Handling 

2.1. The Parties confirm that they adhere to the data protection principles of lawfulness, purpose and storage limitation, minimisation, accuracy, security and accountability as set out in Data Protection Laws, including the UK GDPR (General Data Protection Regulation (Regulation (EU) 2016/679) as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

2.2. Veriff will handle the End User requests to exercise data subject rights provided by Data Protection Laws in regard to the processing activities described in section 1.1 (a) of this Exhibit 2. In case the Customer receives such a request from the End User, the Customer is obliged to promptly forward it to support@veriff.com. 

3. Governing Law and Jurisdiction

3.1. This Exhibit 2 and the Personal Data processing subject to this Exhibit 2 are to be governed by and construed in accordance with English law, and each party hereby submits to the exclusive jurisdiction of the courts of England.