Veriff
  • External Sources Exhibit

External Sources Exhibit

This External Sources Exhibit is hereby incorporated into the Agreement by and between Veriff and Customer. All capitalized terms that are not expressly defined in this External Sources Exhibit have the meanings assigned to them in the Agreement.

1. Scope. This External Sources Exhibit governs the purchase of Services by Customer under an Order Form where Sessions are checked against Third Party Sites. More information on Veriff’s external data sources may be found here.

2. Use of external sources

2.1. In the event the purchased Service relies upon a Third Party Site, Customer authorizes and instructs Veriff to transfer the Customer Data to the third party service provider, and, if applicable, the data source country for the purpose of delivering the Service and performing the Session.

2.2. Customer acknowledges and agrees that:

2.2.1. the Third Party Site acts as an independent controller for the Personal Data submitted through the Session;

2.2.2. it has a valid legal basis for transfers of End User’s Personal Data to a Third Party Site (e.g. the End User’s authorization where necessary); and

2.2.3. any service level, response time commitments, and/or uptime commitments will not apply to Sessions submitted to Third Party Sites.

3. UKDIATF Certified Identity Verification Solution

3.1. Customer acknowledges and agrees that with respect to the UK Digital Identity and Attributes Trust Framework (“UKDIATF”) Certified Identity Verification Solution Service,  in the event of a conflict with the DPA and this Section 3 (“UKDIATF Certified Identity Verification Solution”), the provisions of this Section will control.

3.2. Data Processing Roles of UKDIATF Certified Identity Verification Solution. For the UKDIATF Certified Identity Verification Solution (Medium Level), the processing roles  per the DPA apply, with the following exception:

(a) As a part of the UKDIATF Certified Identity Verification Solution (Medium Level)Session, Veriff conducts fraud or other unlawful conduct checks against the databases operated by Cifas, a company registered in England and Wales under company number 02584687 and with registered office at 6th Floor Lynton House, 7-12 Tavistock Square, London WC1H 9LT (“Cifas”). Customer acknowledges that for the purposes of conducting the checks against and filing the reports to the Cifas databases, Veriff acts as a joint-controller with Cifas. For clarity, Veriff is a controller for compiling and retaining information about the End Users reported to Cifas, if Veriff reasonably determines that the Session meets the reporting criteria agreed upon with Cifas.

(b) In the context of the processing activities in section 3.2 of this External Sources Exhibit, Customer shall be a controller of the Personal Data for the purpose of making the Personal Data available to Veriff, and authorizing the use of Personal Data to deliver the Service.

3.3. No change to UKDIATF Certified Identity Verification Solution (Low Level). For clarity, with respect to the UKDIATF Certified Identity Verification Solution (Low Level), the processing roles in the DPA are not impacted and will remain unmodified.

3.4. Personal Data Processing and Data Subject Rights Handling.  The Parties hereby acknowledge and agree to comply with the data protection principles of lawfulness, purpose and storage limitation, minimisation, accuracy, security and accountability as foreseen in  Data Protection Laws, including the UK GDPR (General Data Protection Regulation (Regulation (EU) 2016/679), as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

3.5. End User Requests. Customer acknowledges that Veriff will be responsible for responding to End User requests related to those processing activities described in section 3.2(a) of this External Sources Exhibit. In the event Customer receives such a request from the End User related to the processing activities described in section 3.2(a) of this External Sources Exhibit, Customer must promptly forward such request to Veriff at support@veriff.com.

3.6. Governing Law and Jurisdiction. This Section 3, and Personal Data processing subject to this Section 3 of External Sources Exhibit, is governed by and construed in accordance with English law, and each party hereby submits to the exclusive jurisdiction of the courts of England.

4. CPF Database Verification Check

4.1. Customer acknowledges and agrees that with respect to the CPF Database Verification Check (“CPF Check”), in the event of a conflict between the DPA and this Section 4, the provisions of this Section will control.

4.2. Personal Data Processing. For processing Personal Data for, and as a result of, the CPF Check, the Customer hereby acknowledges and agrees to comply with the Brazilian General Data Protection Law (LGPD; Federal Law no. 13,709/2018) and other applicable laws of the Federative Republic of Brazil, including warranting:

4.2.1. to uphold and fulfill any direct or indirect (either submitted to Veriff or directly to the Customer) decision, decrees or orders that concern the CPF Check either by supervisory or other authorities;

4.2.2. that the country in which the Personal Data is processed by the Customer offers a level of personal data protection adequate to that established in the Federative Republic of Brazil;

4.2.3. to inform Veriff in case it receives an End User request to exercise its rights specifically in relation to the CPF Check;

4.2.4. to ensure an appropriate legal basis for exercising the CPF Check; provided that the legal basis is consent, to validly obtain, manage and retain proof of the consent, including promptly providing Veriff with such proof;

4.2.5. to inform Veriff in case it is subject to any supervisory activity concerning Personal Data returned as a result of the CPF Check; and

4.2.6. unless allowed otherwise under applicable laws, ensure the deletion of Personal Data returned as a result of the CPF Check if required by the Third Party Site providing the CPF Check or applicable law.

5. Aadhaar Database Verification Check

5.1. Customer acknowledges and agrees that with respect to the Aadhaar Database Verification Check, in the event of a conflict between the DPA and this Section 5, the provisions of this Section will control.

5.2. Security Requirements. For the purposes of receiving and processing Personal Data as a result of the Aadhaar Database Verification Check, the Customer acknowledges and agrees that they must follow security practices and procedures complying with International Standard IS/ISO/IEC 27001 on information security management or higher; or otherwise ensuring compliance with the relevant Data Protection Laws of the Republic of India.

Veriff logo
Products

Identity and Document Verification

Proof of Address

Database Verification Checks

Age Validation

KYC Onboarding

Biometric Authentication

AML Screening

Age Estimation

Fraud Protect

Fraud Intelligence

Solutions

By Industry

Financial Services

Mobility

Crypto

Gaming

Education

Healthcare

HR Management

By Use Case

New account onboarding

Age verification

Driver validation

Customer identity and access management

Right to Work

Right to Rent

Resources

Blog

Case studies

Help center

Trust Center

Documentation

Service status

Supported documents

Supported languages

About

Our story

Careers

Press

©2024 Veriff. All rights reserved
Privacy notice
Cookie notice
Bug bounty
Security and compliance
Recruitment privacy notice
Accessibility statement