Veriff

Veriff Data Processing Addendum for Starter Plans

This DPA forms an integral part of the Agreement between the Client and Veriff covering the Client’s use of the Service. Unless agreed otherwise, the Agreement means the Agreement made available at Veriff’s website for the use of the Service. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

1. Definitions

All capitalized terms not defined in the DPA shall have the meaning given to them in the Agreement. The following words and expressions shall have the following meaning:  

1.1. "Adequacy Decision" means that the recipient, or the country or territory in which the personal data is processed, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of the personal data as determined by the European Commission (at the effective date of this Agreement, the list is available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en);

1.2. "CPRA" means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq;

1.3. "DPA" means this Data Processing Addendum and its Exhibits entered into by and between the Parties as a part of the Agreement;

1.4. "Data Protection Laws" means any legislation applicable to Veriff or the Client that protects the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data, such as the GDPR, US Data Protection Laws, any national implementing or supplementary legislation and any other data protection or privacy laws as applicable from time to time to Veriff or the Client. In this DPA, the terms “controller”, “business”, “processor”, “data subject”, “process”, “service provider”, “sub-processor” and their respective derivative terms shall have the meanings set forth in the Data Protection Laws;

1.5. "Deidentified Data" means data created using Personal Data that cannot reasonably be linked to such Personal Data, directly or indirectly;

1.6. "GDPR" means the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

1.7. "Permitted Business Purposes" means the use of Personal Data for the reasonably necessary operational purposes, including as described in the CPRA and for the following purposes for which Veriff is processing the Personal Data: (i) ensuring compliance with applicable regulations, including retaining proof of evidence of such for compliance with its legal obligations, (ii) to establish, exercise or defend legal claims, (iii) developing, testing, improving and altering the functionality of the Service, including for machine learning, data annotation, testing and training, fraud prevention and detection purposes, and producing anonymised or anonymised and aggregated statistical reports and research;

1.8. "Personal Data" means any Client Data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise "personal data," "personal information," "personally identifiable information," or similarly defined data or information under Data Protection Laws, including: (i) the names and contact details of the End Users; (ii) details of the End Users' documents (identification document, driver’s license, utility bill, as relevant), including photo of the document, document type, number, date of issue and date of expiry, date of birth, estimated age, content of extracted fields depending on the chosen Service features; (iii) photographs, videos and audio recordings of the End Users captured via the Service; (iv) facial biometric data relating to the End Users; (v) the results of the identity verification / authentication process conducted through the Service; (vi) data available in External Register, if applicable; (vii) the End Users’ device’s and Service usage data, including the duration of the End User's use of the Service, activity in the Service, IP address, domain name, network information, software and hardware attributes, general geographic location (e.g. city, state, country); and (viii) any other End User’s Personal Data that Veriff Processes on behalf of the Client in connection with the Client's use of and access to the Service. Deidentified Data is excluded from the definition of Personal Data;

1.9. "Sold and Shared" have the meanings given in the US Data Protection Laws;

1.10. "Standard Contractual Clauses" mean the standard data protection clauses adopted under the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended or replaced from time to time by the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction;

1.11. "US Data Protection Laws" mean to the extent applicable to Veriff or the Client, United States federal and state laws (including but not limited to the CPRA) relating to data protection and/or privacy and the processing of Personal Data, as in force and as amended from time to time.

2. Data Processing Roles 

2.1. The Client shall be the controller or business of the Personal Data, and shall process the Personal Data in accordance with the Data Protection Laws. The Client shall have the sole responsibility for the accuracy, quality, and lawfulness of processing the Personal Data, and the means by which it acquires the Personal Data. 

2.2. Veriff shall be:

(a) the processor, or sub-processor, of the Personal Data for and on behalf of the Client as necessary for the provision of the Service to the Client and, to the extent allowed by law, for the Permitted Business Purposes: 

(i) where the Client acts as a controller, Veriff acts as a processor;

(ii) where the Client acts as a processor on behalf of another controller, Veriff acts as a sub-processor;

unless processing is allowed or mandated by the law of the European Union, any European Union member state or any other applicable law to which Veriff is subject, in which case Veriff shall act as a controller, to the extent permitted by the law, and inform the Client before processing the Personal Data, unless Veriff is legally not allowed to inform the Client.

For purposes of the US Data Protection Laws, Veriff will act as a service provider or processor (as defined in US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.

2.3. Regarding the personal data of the Parties’ representatives, each Party shall be individually and separately responsible for complying with the obligations that apply to it as a separate and independent data controller under Data Protection Laws. 

3. Personal Data Processing

3.1. The Client appoints Veriff to process the Personal Data on behalf of, and in accordance with, the Client’s instructions as set forth in the Agreement, the DPA, and relevant exhibits, as otherwise reasonably necessary to provide the Service and for the Permitted Business Purposes, and as may subsequently be agreed by the Parties in writing. Any such subsequent agreement shall be subject to this DPA. 

3.2. The Client’s instructions for the processing of the Personal Data shall comply with the Data Protection Laws and will not cause Veriff to violate any applicable law or regulation, including Data Protection Laws. The Client acknowledges that Veriff is neither responsible for determining which laws are applicable to the Client’s business nor whether Veriff’s provision of the Service meets the requirements of such laws. Veriff shall inform the Client in case Veriff reasonably believes that the Client’s instructions conflict with the requirements of the GDPR, and Veriff has the right to refuse to perform instructions that are not in compliance with the GDPR. In case the Client’s instructions exceed the scope of the Agreement or the DPA, or presume extra development efforts from Veriff, prior to fulfilling the instruction, the Parties may agree on additional fees that may be payable to Veriff.

3.3. The Client shall ensure its compliance with Data Protection Laws in relation to the Personal Data disclosed to and exchanged with Veriff in accordance with this DPA (for the Service and for the Permitted Business Purposes), including the accuracy and lawfulness of processing the Personal Data by the Parties, the provision of all informative notices and disclosures to the End Users and references to Veriff (including to Veriff’s privacy policy) as required under Data Protection Laws.

3.4. The Client warrants that prior to making the Service accessible to its End Users and disclosing the Personal Data for the Service and the Permitted Business Purposes it has an appropriate legal basis under Data Protection Laws for lawful processing of the Personal Data by Veriff in accordance with this DPA. The Client acknowledges that having an appropriate legal basis may include, but is not limited to, obtaining consents and publishing retention periods for processing the End User’s Personal Data (including document and biometric data), if required under Data Protection Laws. Upon Veriff’s reasonable request, the Client will promptly provide Veriff with proof of having the appropriate legal basis, disclosures, consents, and retention policies required, as necessary, for lawful processing in accordance with the DPA.   

3.5. When processing Personal Data of a child, the Client shall secure any legally required consents, including, but not limited to, full and lawful consents from the legal guardian of the child for the processing, or shall have the processing authorized in another manner, as required under Data Protection Laws.

3.6. The Client shall inform Veriff of unauthorized Sessions, after which Veriff shall, upon the Client’s instructions, delete or apply other technical measures to the related Personal Data processed by Veriff or any sub-processors. If Veriff detects an unauthorized Session as determined by the Client, it may delete the Personal Data processed by Veriff or any sub-processors. Veriff has the right to delete, blur, convert into Deidentified Data, or otherwise render unreadable any Personal Data that may not be processed pursuant to applicable laws.

4. Sub-processors

4.1. The Client provides a general authorization for Veriff to engage sub-processors to process the Personal Data, provided that (i) Veriff enters into a written agreement with the sub-processor; and (ii) the written agreement with the sub-processor is not materially less protective to Personal Data than this DPA. When requested by the Client, Veriff shall inform the Client of all current sub-processors used by Veriff. An up to date list of sub-processors is available on Veriff’s website, currently at https://support.veriff.com/en/articles/6700698-sub-processors-used-by-veriff.

4.2. Veriff shall notify the Client of any changes to the sub-processors it uses to Process Client Personal Data (including any addition or replacement of any sub-processors). If the Client does not approve of a new sub-processor, then the Client may give notice to terminate the Terms by providing at least fourteen (14) days’ written notice to Veriff. Veriff shall not process any refunds in case of termination by the Client on grounds of a change of sub-processors, regardless of the extent to which the Client has used the Veriff Station Service, or any other circumstance. If no objection has been raised prior to Veriff adding or replacing a sub-processor, Veriff will deem the Client to have authorized the new sub-processor.

4.3. Veriff shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Client for the acts and omissions of any sub-processor as if they were the acts and omissions of Veriff.

5. International Transfers

5.1. Veriff shall not transfer the Personal Data to a recipient in a country or territory outside the European Economic Area unless:

(a) the transfer can be based on an Adequacy Decision; or

(b) the transfer is based on the Standard Contractual Clauses, or any subsequent version released, or another legally recognised transfer method.

5.2. If Veriff adopts an alternative transfer mechanism to the mechanisms described in this DPA, including any new version of or successor to Standard Contractual Clauses, e.g. in case an Adequacy Decision or other transfer mechanism is amended or withdrawn, resulting in the inability to rely on the transfer mechanism, then such alternative transfer mechanism shall apply automatically instead of the mechanisms described in this DPA, and the Client shall fully cooperate with Veriff to sign an amendment to this DPA and/or take such other action as may be necessary to give legal effect to such alternative transfer mechanism. To the extent the Client or Veriff have adopted and certified compliance with such alternative transfer mechanism, the Client represents and warrants that the Client will comply with all legal principles and terms of such alternative transfer mechanism. In addition, in the event that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Personal Data cross-border, then upon request from either Party, the other Party shall fully cooperate to take such action as may be necessary to remedy such non-compliance. 

5.3. Regardless of Veriff’s processing role, if Personal Data is transferred (including disclosed via the Service) to the Client outside of (i) the European Economic Area, or (ii) a jurisdiction with an Adequacy Decision, then Modules 1 and 4 of the Standard Contractual Clauses are hereby incorporated by reference and form an integral part of the Agreement in accordance with this DPA. The Parties concluding the Agreement shall be deemed as signing the Standard Contractual Clauses and their Appendices. If the Standard Contractual Clauses are applicable as per this section, the Parties agree that:

(a) Veriff is the “data exporter” and the Client is the “data importer”,

(b) the Module 4 terms apply where the Client is the controller and Veriff is the processor, and the Module 1 terms apply where the Parties act as independent controllers,

(c) Clause 7, the optional docking clause is not applied, 

(d) Clause 11, the optional language is not applied,

(e) pursuant to Clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) any dispute arising out of the Standard Contractual Clauses will be resolved in accordance with the laws of the Republic of Estonia in Harju County Court (Estonia, Tallinn). For Clause 17, option 1 applies for Module 1,

(f) details required under the Standard Contractual Clauses’ Annexes are provided below in the “Exhibit to Data Processing Addendum” and in the DPA.

6. Data Security, Audits and Security Notifications

6.1. Veriff shall implement and maintain appropriate technical and organizational measures as described in the “Security Controls” section in the Agreement, to ensure a level of security appropriate to the risk. Veriff is entitled to unilaterally change and update such measures provided that it will not materially decrease the overall security of the Service. 

6.2. Veriff maintains the third-party certifications and audits described in the “Security Controls” section in the Agreement. Upon the Client’s written request at reasonable intervals and subject to confidentiality obligations set forth in the Agreement, Veriff shall make available to the Client (or to the Client’s independent third-party auditor) information regarding Veriff’s compliance with the obligations set forth in this DPA in the form of an overview or copy of Veriff’s then most recent third-party audits or certifications described in the “Security Controls” section in the Agreement. 

6.3. Veriff acknowledges and agrees that the Client shall have the right to conduct audits to verify compliance with the terms and conditions of this Agreement to the extent such auditing right is granted to the Client in the Data Protection Laws. Upon reasonable notice, the Client may request Veriff to provide copies of relevant documents, records, or other evidence reasonably necessary to verify compliance. Veriff shall provide the requested audit documents within a reasonable time frame. The audits conducted by the Client shall be limited to reviewing Veriff's records, documents, or evidence related to the provision of services and any relevant obligations under this Agreement. The Client's audit shall focus on determining compliance with this Agreement, including but not limited to verifying the accuracy of reported performance, ensuring the provision of agreed-upon service levels, and assessing adherence to Data Protection Laws.

6.4. Veriff will limit access to the Personal Data to personnel who have a business need to have access to such Personal Data, and will ensure that such personnel are subject to confidentiality at least as protective of the Personal Data as the terms of this DPA and the Agreement.

6.5. Both Parties certify that:

(a) it has not purposefully created back doors or similar programming that could be used to access the system and/or Personal Data,

(b) it has not purposefully created or changed its business processes in a manner that facilitates access to Personal Data or systems, and

(c) national law or government policy does not require the Party to create or maintain back doors or to facilitate access to Personal Data or systems, or require the Party to be in possession of or to hand over the encryption key.

Notwithstanding other applicable rights of Veriff, Veriff shall have the right to immediately terminate the Agreement and the DPA if the Client acts in violation of (a) to (c) of this section.

7. Access Requests and Data Subject Rights

7.1. To the extent permitted under applicable law, Veriff shall notify the Client of any request it has received from End User in relation to the Personal Data and shall direct the End User to the Client. The Client shall handle the End User’s request. For avoidance of doubt, Veriff has the right to communicate with the End User in order to clarify the request, including whether the request is submitted regarding the Client, and provide information to the End User regarding the identity of the Client as controller. 

7.2. Veriff will provide the Client with reasonable assistance as necessary for the Client to fulfill its obligation under Data Protection Laws to respond to End User’s requests, including if applicable, the Client’s obligation to respond to requests for exercising the rights set out in Data Protection Laws.

7.3. Each Party shall notify the other Party of any request for the disclosure of Personal Data in the Service, or of any inquiries about the Service or Veriff’s processing of the Personal Data, by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority), unless prohibited by law or a legally binding order of such body or agency.

8. Assistance

8.1. Taking into account the nature of the processing, and to the extent required under Data Protection Laws: 

(a) each Party shall use all reasonable endeavors, and shall not hinder the other Party’s efforts towards compliance, to assist the other Party by implementing appropriate technical and organizational measures and all other necessary compliance measures, insofar as this is possible, for the fulfillment of the Parties’ obligation to comply with Data Protection Laws and to respond to requests for exercising data subject rights laid down in the Data Protection Laws;

(b) Veriff shall provide reasonable assistance to the Client with any data protection impact assessments and with any prior consultations with any supervisory authorities, in each case solely in relation to the processing of the Personal Data and considering the information available to Veriff. This assistance may be a paid service, similarly as set forth in section 6.4 for auditing purposes.

8.2. Taking into account the nature of the processing of the Personal Data, each Party will provide the other Party with reasonable assistance in connection with its compliance obligations under Data Protection Laws. 

9. Data Retention

9.1. The Client Personal Data Processed by Veriff in connection with the provision of the Veriff Station Service shall be available to the Client in the Veriff Station Service in accordance with the chosen subscription plan, after which the Client Data shall be archived and be available to the Client on a request basis, subject to the limitations of the chosen subscription plan. The information about available subscription plans can be found here.

9.2. Veriff shall, within 14 days of the date of termination of the Terms, delete and use all reasonable efforts to procure the deletion of all other copies of Client Personal Data Processed by Veriff or any sub-processors. Upon the Client’s written request submitted prior to termination of the Terms and subject to unarchiving limitations of the chosen subscription plan, Veriff will return a copy of a selection of Client Personal Data by secure file transfer in such a format as notified by Client to Veriff. If required by applicable laws, Veriff shall delete Client Personal Data prior to the date provided in this clause 9.2.

9.3. In case the Client’s retrieval request exceeds the unarchiving limitations of the chosen subscription plan, the Parties may separately agree on an additional retrieval fee. The Client acknowledges that Veriff has no obligation to facilitate retrieval requests exceeding the unarchiving limitations of the chosen subscription plan.

9.4. If required by applicable laws or by the Client, Veriff shall delete the Personal Data prior to the date provided in section 9.1 or 9.2.

9.5. Veriff and its sub-processors may retain the Personal Data to the extent required by applicable law, or as Veriff may deem necessary to establish, exercise or defend any legal claim, provided that Veriff shall ensure the confidentiality of all such Personal Data and it is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue.

9.6. Veriff and its sub-processors may retain Personal Data in their backup systems, from which the corresponding Personal Data will be deleted after the end of the backup cycle. Veriff ensures that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use.

10. Compliance with US Data Protection Laws

10.1. In addition to the other parts of this DPA, this section 10 applies to the extent the US Data Protection Laws govern the processing of Personal Data for the Service Provision and the Permitted Business Purposes. 

10.2. With regard to the Personal Data that is subject to US Data Protection Laws, without Client’s instruction, Veriff is prohibited from:

(a) Selling or Sharing the Personal Data;

(b) retaining, using, or disclosing the Personal Data for any purpose other than for the specific, limited Permitted Business Purposes or as otherwise permitted by Data Protection Laws;

(c) retaining, using, or disclosing the Personal Data outside of the direct business relationship between the Parties; and

(d) except as otherwise permitted by Data Protection Laws or by the Client’s instructions, combining the Personal Data with the Personal Data that Veriff receives from or on behalf of another person or persons, or collects from its own interaction with the data subject.

10.3. Veriff will notify the Client promptly if Veriff determines it can no longer meet its obligations under US Data Protection Laws.

10.4. Veriff will not materially decrease the level of security provided to the protection of Personal Data.

10.5. Veriff hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them. 

EXHIBIT TO DATA PROCESSING ADDENDUM

Description of Personal Data Processing and Transfer 

List of Parties

This is applicable only if Standard Contractual Clauses Module 1 and Module 4 transfers are conducted between the Parties.

Competent Supervisory Authority

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

In accordance with Clause 13(a) of the Standard Contractual Clauses Module 1, the competent supervisory authority of Veriff as the data exporter is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), email: info@aki.ee.

Technical and Organizational Measures to Ensure the Security of the Data

This is applicable only if Standard Contractual Clauses Module 1 transfers are conducted between the Parties. 

Herewith the Client confirms that when processing personal data (first and foremost, the work-related contact details of Veriff’s representatives) under Standard Contractual Clauses Module 1, it abides by at least equivalent technical and organizational measures as applied by Veriff (as described in the section “Security Controls” in the Agreement) to ensure the level of security appropriate to the risk related to the processing of the personal data. The Client has the right to change and update, from time to time and as seen necessary by the Client, any and all technical and organizational measures, provided, in all cases, that such modifications will not result in a material degradation of the security of the personal data.