Last updated: 29 May, 2023

Privacy Notice (Website and Mobile App)

Preamble

When you visit and use Sumsub websites, we collect and process certain information about your interactions with the website and the data you choose to leave with us. For more information, please read this Privacy Notice attentively.

This is the Privacy Notice of the Sumsub group of companies: Sum and Substance Ltd., incorporated and registered in England with company number 09688671 (hereinafter – Sumsub or we) together with all affiliated companies and trading divisions, irrespective of location or jurisdiction. More information about our group can be found in Provision 14 of this Privacy Notice.

1. Scope

This Privacy Notice is addressed to Sumsub’s Clients’ representatives and to visitors of Sumsub’s Websites and Mobile App. Sumsub is a Data Controller and determines the purposes and means of personal data processing under Article 24 of the EU GDPR and the UK GDPR when:

  • cookie files are collected during the use of the Website, including public-facing ones;
  • the Sumsub Websites are visited and interacted with;
  • any steps are taken by a Client’s representative prior to establishing, and during the course of, a business relationship with Sumsub, including the creation and use of a Customer Account or Dashboard System;
  • Sumsub hosts webinars or any other events;
  • job applications are managed and considered;
  • Sumsub’s Demo of Service is tested;
  • Sumsub carries out development, improvement and research of new products and services, including use of technologies to monitor and analyse the user experience, service use patterns and more.

California residents may find the information on the CCPA application in Provision 16 of this Notice.

Where the laws of Illinois, Washington, or Texas apply, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 17 of this Privacy Notice). In the case of any conflict or ambiguity between the Special Notice and the other provisions of this Privacy Notice, the former will prevail.

2. Definitions

  • Client

    the legal entity to which Sumsub provides Services under the specific legal arrangement;

  • Service(s)

    the personal identity verification service and connected services provided by Sumsub;

  • Data Controller, or Controller

    Sumsub where it, alone or jointly with others, determines the purposes and means of the processing of personal data, including by giving written instructions for processing activities to a Processor;

  • Data Processor, or Processor

    any legal entity that processes personal data on behalf of Sumsub or Sumsub’s Processor;

  • Data Subject

    any individual whose personal data Sumsub may process, including, but not limited to, Sumsub’s Clients’ customers and representatives, job applicants, Visitors, etc.

  • Personal data

    any information relating to an identified or identifiable Data Subject;

  • Special categories of personal data

    personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

  • Filing system

    any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis used for service delivery (e.g. Dashboard System used for service provision and Demo of Service or CRM systems);

  • Visitor

    any individual interacting with or using the Sumsub Websites, as well as Sumsub’s Demo of Service;

  • Processing

    any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • Personal data breach

    a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

  • Consent

    any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;

  • Customer Account

    a dedicated account created by a prospective Client’s representative via the Website for the purposes of subsequent provision of Services and invoicing;

  • Sumsub Websites

    sumsub.com, prooface.ai or any other public-facing websites owned and managed by Sumsub;

  • Sumsub Mobile App

    a mobile application owned and managed by Sumsub (hereinafter – Mobile App);

  • Demo of Services

    the webpage on the Sumsub Websites or Mobile App owned by Sumsub and allowing individuals to test a part of Sumsub’s Service;

  • Dashboard Livechat

    a system that allows Clients to have real-time interactions with Sumsub’s support team in a chat box in the Dashboard;

  • Standard Contractual Clauses

    standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EEA and the UK to third countries, which the Controller and the Processor both sign up to, where necessary;

  • EEA

    European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);

  • CCPA

    the California Consumer Privacy Act of 2018, Civil Code section 1798.100 et seq.

3. Principles of personal data processing that Sumsub adheres to

Sumsub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is

  1. Processed fairly, lawfully and transparently in relation to the Data Subject;
  2. Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Kept accurate and up to date;
  5. Not retained longer than necessary;
  6. Processed in a manner that ensures their appropriate security;
  7. Not transferred outside the European Economic Area (EEA) or the UK without adequate protection.

4. Purposes, types, and retention period of personal data processing

Sumsub only processes personal data according to the purpose limitations below.

[a] Livechat and contact forms purposes

Sumsub collects and processes personal data in order to provide you with the information you may request from Sumsub as a Client via Dashboard Livechat or as a Visitor using website forms.

If you ask us to provide information in the ‘Make a request’ form, we may use the following personal data:

  Personal data:
    • first name
    • email address
    • phone number
    • other information necessary for Sumsub to resolve the relevant issue

  Retention period: three years, enabling Sumsub to re-contact you in the event of unforeseen circumstances

[b] Marketing purposes

We email subscribers regarding compliance-related advice, news and guidelines if they have previously consented to it using the relevant website form. We may also email or otherwise notify our existing Clients of new products and functions of our services on a ‘soft opt-in’ basis, meaning that existing Clients receive information about similar services and offers unless they opt out.

  Personal data:
    • email address

  Retention period: until you unsubscribe by following the respective link in the email

[c] Business purposes

We process the personal data of our potential Client’s representatives to maintain communication with them regarding entering into an Agreement, carrying out customer due diligence, and providing Services to the Client and other similar matters.

When a Client participates in the Sumsub Travel Rule Ecosystem, all the data the Client has provided in questionnaires may be redistributed to other participants of the ecosystem, following applicable legal requirements and the Sumsub Travel Rule Ecosystem Agreement, to assist in ensuring compliance of all the participants with AML/CFT regulations.

When a Client creates and uses a Customer Account, we process the data below in order to service and invoice it.

  Personal data:
    • personal data of the representative (e.g., name, job title, position, contact information, and certain data contained in an ID document)
    • information obtained in connection with providing the Services to the respective Client (e.g., communication materials)
    • personal data contained in corporate documents
    • publicly available data relevant to the position of the Client’s representatives

  Retention period: up to six years from the date of termination of the contract, or from the last interaction while taking steps to enter into a relationship, enabling Sumsub to stay in contact with active Clients and keep the provision of the Services uninterrupted

  Personal data:
    • personal data contained in a passport or other identity document
    • facial image data, such as photos of the face (including selfie images and identity documents)
    • data necessary for transaction processing

  Retention period: up to six years after the date of a breach or termination of the contract, enabling Sumsub to retain the information for the statutory limitation period

  Personal data:
    • other data provided through questionnaires when participating in the Travel Rule Ecosystem

  Retention period: five years after ending participation in the Ecosystem

[d] Events purposes

We hold various events online, such as webinars or workshops, for which you can sign up. In such cases, we process your data to enable you to register for the event, receive a reminder, and provide ancillary information. Once obtained for the event, your information is added to and managed through the contact database following the marketing preferences you submitted to us. Where permitted by law, a member of our sales team may contact you if we determine through your submission that you may be interested in our services. When you attend any offline event (e.g. expo forums) and are interested in communicating, we will process your data as we do for business purposes.

  Personal data:
    • name
    • email address
    • company name and position

  Retention period: up to five years after the event visited

[e] Recruitment purposes

Once a job application is sent to Sumsub, we process the application data to evaluate the information presented by job applicants when considering their candidacy and to contact them subsequently.

  Personal data:
    • full name
    • email address
    • contact phone number
    • CV details

  Retention period: five years from the rejection of the application (enabling Sumsub to contact the applicant if the position is re-opened)

[f] Cookie processing purposes

When Visitors interact with the Website in any way, Sumsub collects and processes cookie files to store their preferences and settings, enable them to sign in, personalise content and advertising, combat fraud, and analyse the incoming traffic. The Cookie Policy is available here.

  Personal data:
    • “cookie” files (see Cookie Policy) or other similar technologies (e.g., IP address, equipment information, location information, “beacons”)

  Retention period: as specified in the Cookie Policy

[g] Demo of Service purposes

We may process personal data submitted via the Sumsub Websites or Mobile App to provide a demo of Sumsub’s facial and/or identity verification services.

  Personal data:
    • identity document data, such as the name of the identity document, issuing country, number, expiry date, MRZ, information embedded in document barcodes (may vary depending on the document), and security features
    • facial image data, including facial images of the User (“selfies”) and photos on identity documents
    • biometric data (such as facial features)
    • contact details (such as an address, email address, phone number)
    • a unique identifier (Applicant ID) created solely to associate the Data Subject with their personal data inside Sumsub’s system
    • technical data, which includes, but is not limited to, information regarding the date, time and activity on the Website; IP address and domain name; software and hardware attributes
    • geolocation data, such as general geographic location (e.g., city, country) derived from the Data Subject’s device

  Retention period: up to 30 days, based on Sumsub’s legitimate interests specified in Provision 6 of this Notice

We may process special categories of personal data (e.g. biometrics) only if you have consented to it. The special categories of personal data will be retained and stored by Sumsub and will be permanently destroyed when Sumsub’s purpose and/or the retention period prescribed by applicable law expires, or when the purposes for collecting such personal data have been satisfied, or after five (5) years from the individual’s last interaction with Sumsub, whichever occurs first, or after three (3) years where a specific local legislative requirement so provides.

Disposal and Destruction Policy

Any personal data is deleted only after (a) obtaining the applicant's data deletion request in line with corresponding procedures by the Client or the Data Subject or (b) the satisfaction of the purpose for data processing, including expiration of retention period prescribed by applicable law.

To delete data from the Sumsub Identity Verification System (Dashboard and storage space), we call a method that searches for the unique applicant identifier (Applicant ID) inside the database. The database contains references, or object IDs, connected to the applicant’s personal data provided to the system. After collecting all these references, the Dashboard system automatically removes them one by one by calling the AWS S3 API object deletion method for each Object ID stored in the S3 bucket. After all referenced objects are found and deleted from the S3 bucket, the original applicant’s personal data is also deleted from Sumsub’s internal database located on AWS servers. The deletion of biometrics should render them non-recoverable, even using forensic information recovery techniques.
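The procedure above has two properties a practitioner will want to check: the database row is dropped only after every referenced object is confirmed gone, and, on a versioning-enabled S3 bucket, a plain object delete merely adds a delete marker while the bytes remain recoverable, so every version has to be deleted explicitly. The following is an added example written for this page, not Sumsub’s code; it assumes a versioned bucket and uses an in-memory stand-in modelled loosely on the boto3 S3 calls (`put_object`, `delete_object`, `list_object_versions`) so that it runs offline, and the `ApplicantRecord`, `delete_applicant` and `demo` names are hypothetical.

```python
"""Cascade deletion: remove every object an applicant record references, verify
nothing remains, then drop the record.  Example code for this page, not
Sumsub's implementation.  FakeVersionedBucket is an offline stand-in for a
versioning-enabled S3 bucket; only the calls used here are modelled."""
from dataclasses import dataclass
import itertools


class FakeVersionedBucket:
    """Stand-in for a versioned S3 bucket (assumption: real target is boto3)."""

    def __init__(self):
        self._versions = {}   # key -> [(version_id, data or None for delete marker)]
        self._ids = itertools.count(1)

    def put_object(self, key, data):
        self._versions.setdefault(key, []).append((f"v{next(self._ids)}", data))

    def delete_object(self, key, version_id=None):
        # Without a VersionId a versioned bucket only adds a delete marker; the
        # earlier bytes stay on disk.  With a VersionId that version is removed.
        versions = self._versions.get(key, [])
        if version_id is None:
            versions.append((f"v{next(self._ids)}", None))
            self._versions[key] = versions
            return
        self._versions[key] = [v for v in versions if v[0] != version_id]
        if not self._versions[key]:
            del self._versions[key]

    def list_object_versions(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]

    def recoverable_bytes(self, key):
        """What could still be read back for this key (delete markers excluded)."""
        return [data for _, data in self._versions.get(key, []) if data is not None]


@dataclass
class ApplicantRecord:
    applicant_id: str
    object_keys: list
    deletion_pending: bool = False


def delete_applicant(db: dict, bucket: FakeVersionedBucket, applicant_id: str) -> bool:
    """Delete all referenced objects, verify, then drop the row.

    Returns True only when every object (and every version of it) is gone and
    the database record has been removed.  Safe to call repeatedly."""
    record = db.get(applicant_id)
    if record is None:
        return True                      # already deleted: idempotent
    remaining = []
    for key in record.object_keys:
        # Enumerate and delete each version explicitly rather than issuing a
        # single delete, which would leave recoverable data under a marker.
        for vid in bucket.list_object_versions(key):
            bucket.delete_object(key, version_id=vid)
        if bucket.list_object_versions(key):  # verification step
            remaining.append(key)
    if remaining:
        # Keep the row so references are not orphaned; flag it for retry.
        record.object_keys = remaining
        record.deletion_pending = True
        return False
    del db[applicant_id]                 # only after storage is clean
    return True


def demo():
    # Constructed sample data: one applicant with an overwritten selfie and a
    # document photo, so the selfie key has two stored versions.
    bucket = FakeVersionedBucket()
    bucket.put_object("applicants/a1/selfie.jpg", b"selfie-bytes")
    bucket.put_object("applicants/a1/selfie.jpg", b"selfie-bytes-v2")
    bucket.put_object("applicants/a1/passport.jpg", b"passport-bytes")
    db = {"a1": ApplicantRecord("a1", ["applicants/a1/selfie.jpg",
                                       "applicants/a1/passport.jpg"])}

    # Naive approach for contrast: one delete without a VersionId leaves the
    # original bytes recoverable behind a delete marker.
    naive = FakeVersionedBucket()
    naive.put_object("k", b"data")
    naive.delete_object("k")
    naive_recoverable = naive.recoverable_bytes("k")

    ok = delete_applicant(db, bucket, "a1")
    return ok, "a1" in db, bucket.recoverable_bytes("applicants/a1/selfie.jpg"), naive_recoverable
```

The ordering matters for the retry path: if an object delete fails part-way, the record survives with `deletion_pending` set and only the undeleted keys, so a later run can finish the job instead of leaving unreferenced biometric objects in the bucket.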

To delete data from equipment, we implement measures in accordance with the particular operating system of the equipment. If the information is intended to be rendered non-recoverable, the deletion must be executed by the person who owns it (typically, the person who created it) using the ‘empty trash’ mechanism. If any of the methods above is not secure enough considering the sensitivity of the information and such information could be recovered, the equipment’s storage medium must be destroyed completely (e.g. shredded, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.) in the presence of the Asset Owner.

To delete files located on removable media, we use the settings and tools designated for the relevant sanitisation method: clearing or purging. If the purging method is not secure enough considering the sensitivity of the information and such information could be recovered, the removable media containing such information must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.).

To delete data from mobile devices, we use the means of the particular device. If a mobile device is intended to be reused, recycled or donated, or is no longer to be used by Sumsub staff, the staff member must reset the device to its original settings. As a general rule, the procedure for Apple iPhone and iPad OS is: select ‘Settings > General > Reset > Erase All Content and Settings’. For Android OS devices: select ‘Settings > Backup & Reset > Factory Data Reset > Reset Phone’.

It is forbidden to handle any sensitive data on any such equipment, removable media or mobile devices.

[h] Public-facing website purposes

Sumsub may collect and further process personal data submitted via the Prooface website in order to:

  • provide Visitors with functionality and a better user experience on the Prooface website as stated in the Cookie Policy (Prooface section);
  • provide the Demo of Service on Prooface’s website.

  Personal data:
    • the cookie set is provided in the Cookie Policy (see Cookie Policy) and the dataset for the Demo of Service is provided here

  Retention period: the cookies retention period is stated in the Cookie Policy (Prooface section) and the Demo of Service data is retained as specified here

[i] New product and services development, improvement and research

Sometimes, we process data to develop, improve, and conduct research upon our products and services. The reason is to ensure proper use of the System by the Client, including the prevention of user error resulting in serious consequences. Please read more in Provision 5 of this Notice.

  Personal data:
    • the personal data defined here

  Retention period: the period required to calibrate and select the most suitable algorithm and model for the detection of fraud and other illicit activity

  Personal data:
    • any information on the use of our service

  Retention period: the period necessary to analyse and tackle any non-conformities found

5. Data processing activities

Sumsub carries out multiple types of automated processing, including, but not limited to, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination (where legally required) or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Biometric processing and document check when testing the Demo of Service

Sumsub may process biometrics to verify whether the provided facial images are likely to match when you test the demo of our verification flow. The processing of biometrics means extracting facial features from the facial images you upload or record (“selfies”) and from the photos on the government-issued identity documents you submit, and comparing them. We store this biometric data for up to 30 days.

The aim of the Liveness check is to verify that a live person is present. So, when you pass the Liveness demo version, we detect whether you are holding up a mobile phone to the camera, showing any signs of duress, or attempting to defraud the system using emulators, static images, or ‘deep fakes’. As a rule, you are prompted to blink, smile or move your device while passing Liveness.

Sumsub subjects personal data from photos and scanned copies of documents to automated reading and verification of authenticity by conducting different checks, such as completeness of records, screenshots detection, or cross-checking of all data from all submitted documents (e.g. name, date and place of birth, signature). We also check the document's security features, including the embedded security chip, machine-readable zone (MRZ), barcodes, QR codes and other security components used for genuine data validation. The Sumsub system analyses the results of the above to make an inference regarding the document’s trustworthiness.

• Automated decision-making and human review

When you test our Demo of Services, we communicate the verification results to you. The results are derived from the work of our system and its algorithms, including those based on a symbiosis of machine learning models and human supervision and intervention.

The checks are either automated, semi-automated, or done by humans. When we carry out checks, we operate a multi-layered verification system that combines human presence and machine work. A human will be involved if the system cannot reach a verdict on its own, or to re-check the system’s verdict. This may occur when data is uncertain or the system faces some other difficulty in analysing information during the verification session. This is to ensure that the verification process is fair and safe for users.

Certain checks during the Demo of Services may be fully automated due to simplicity, using machine learning. Please note that such verification results do not have any legal or other significant effect on you. The verification session during the Demo of Services may also be analysed by a human.

Decision-making during processing for purposes other than demo testing is based on a symbiosis of the machine and human work. If decisions are to be made, for example, on the suitability of a job candidate or customer before concluding an agreement, they are not fully automated and involve human intervention.

• Service development, improvement and research

Our clients use our services to detect whether a real person is passing the identity verification process, as well as any impersonation or spoofing attempts, to prevent money laundering, terrorist financing, fraud, and other activities that are considered a matter of public interest. That is why we, as a service provider, are responsible for providing the highest quality services. For this reason, where it is not prohibited by applicable law, and you have consented to it while testing the demo, we, as a data controller, use personal data to develop and improve our services by building and enhancing algorithms and developing and testing new verification options, products and services to verify a user's identity better and detect fraud.

We do this in two ways. First, we deploy a system that recognises specific patterns in the information and makes predictions about new data sets based on those patterns by training our computers, so-called ‘machine learning’. Machine learning helps create models based on the information provided by users, such as signs of potentially fake data, and select the best models to be integrated into our system. The development of services also includes continuous improvement and assessment: we review the approaches to service delivery to ensure that our services comply with Clients’ requirements and work appropriately, by testing and correcting new features and functions. Second, we provide initial and ongoing training for our human analysts to perform those tasks themselves, so that we do not rely solely on the automatic judgement of machine learning models. This is also beneficial while machine learning models are still in development and not yet adequately suited to perform such tasks.

We may conduct some research on the user’s product and service experience within the Dashboard to make it easy and intuitive to use. For this, we employ state-of-the-art technologies and tools to monitor and analyse User behaviour in the Dashboard System or on the Sumsub Websites or Mobile App as a means of detecting flaws in the interface, the reasons for them, and enacting solutions. During such sessions, personal data or other confidential information on the Dashboard pages is pseudonymised or otherwise masked using other security techniques.

6. The lawfulness of personal data processing

Sumsub always relies on the appropriate legal grounds of processing, which depend on the processing purposes:

For Livechat and contact forms purposes, we rely on Article 6(1)(b) of the EU GDPR and the UK GDPR. This allows Sumsub to provide the respective individual with information that has been requested prior to, and during the course of the business relationship. However, when making a data subject right request, we rely on legitimate interest under Article 6(1)(f) of the EU GDPR and the UK GDPR.

For Marketing purposes, we ask individuals to consent to data processing by ticking a special box on the forms on sumsub.com and prooface.ai in line with Article 6(1)(a) of the EU GDPR and the UK GDPR.

For Business purposes, Sumsub relies on Article 6(1)(b) of the GDPR to take steps before entering into a contract, including carrying out due diligence on Clients, and for the performance of the contract, including the provision of the Service, communication with the representative of the Client, ongoing due diligence, as well as legal and financial matters.

For Events purposes, Sumsub relies on Article 6(1)(f) of the GDPR, meaning that the personal data you leave is necessary for us to provide you with the event’s details and information on updates and reminders.

For Recruitment purposes, two legal grounds equally apply: (i) Article 6(1)(c) of the GDPR, compliance with a legal obligation under the labour laws to which Sumsub is subject; and (ii) Article 6(1)(f) of the GDPR, legitimate interest, which allows Sumsub to evaluate personal information when considering the job candidacy of a certain applicant and to be able to contact them back on the matter.

For Cookie processing purposes, consent is obtained via the cookie banner (Article 6(1)(a) of the GDPR) on sumsub.com and prooface.ai; necessary cookies are processed in the legitimate interest (Article 6(1)(f) of the EU GDPR and UK GDPR).

For the Demo of Service test, consent is required as specified in Article 6(1)(a) of the GDPR. Further processing of personal data following their collection is justified by the legitimate interest of Sumsub, namely by the necessity of internal analysis and ongoing improvement of Sumsub’s services used by its customers in order to detect whether a real person is passing the verification procedure, as well as any impersonation or spoofing attempts, to prevent money laundering, terrorist financing, fraud, and other illicit activities, which is considered a matter of public interest.

For Service development, improvement and research, Sumsub relies on Article 6(1)(f) of the GDPR – legitimate interest. Our legitimate interest arises from the strict necessity of analysis and ongoing development and improvement of Sumsub's services that the Clients use to detect fraud and illicit activities to prevent money laundering, terrorist financing, fraud, and other activities, which are considered a matter of substantial public interest. When we explore the user’s product and service experience, our legitimate interest relates to the necessity of improving our products and services so that the Client encounters fewer misunderstandings and ambiguities that could lead to undesirable consequences for both the Client and the Client's customers.

Sumsub ensures that no personal data is used for any purposes incompatible with the aforementioned ones.

7. Processing children’s personal data

When personal data is provided via Sumsub’s Demo of Service, Sumsub only processes the personal data of individuals who have reached the age of majority under the national laws of their country/countries of citizenship and/or residence. If a child’s personal data is accidentally submitted to Sumsub, it will be deleted without undue delay.

Please let us know if you, a person under the age of majority, have uploaded any personal data to the Sumsub system or website, we will erase it as soon as possible.

8. Data Subjects’ rights

Sumsub respects and guarantees the following rights of each Data Subject. According to privacy laws, you have the right to

  • obtain confirmation as to whether or not your personal data is being processed;
  • rectify personal data, or, in other words, to correct wrong information or supplement incomplete information;
  • erase personal data, or “right to be forgotten”. Please note that this right is not absolute and applies only if (i) your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, (ii) you object to the processing, and there are no overriding legitimate grounds for Sumsub to process data; (iii) personal data has been unlawfully processed;
  • restrict personal data processing where (i) the accuracy of the personal data is contested (during the period when Sumsub is able to verify its accuracy); (ii) the processing is unlawful, and you object to the erasure of the personal data and request to restrict its use instead; (iii) Sumsub no longer needs the personal data for the purposes of processing, but it is required by you to establish, exercise or defend legal claims; (iv) you have objected to processing, pending verification of whether Sumsub’s legitimate grounds override yours;
  • be informed as to the rectification or erasure of personal data or restriction of its processing;
  • data portability, or, in other words, to receive your personal data in an appropriate format to be able to provide it to another party or transfer your personal data from one controller to another;
  • object to personal data processing if the processing is justified by ‘public interest’ or ‘legitimate interest’ legal grounds as set out in points (e) and (f) of Article 6(1) of the GDPR;
  • not be subject to a decision based solely on automated processing unless (i) such decision is necessary for entering into, or the performance of, a contract between you and the data controller; (ii) such a decision is authorised by law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or (iii) such a decision is based on your explicit consent;
  • lodge a complaint with the supervisory authority. If you're a resident of the EU, please follow this link. If you're a resident of the UK, please follow the link.

To request that Sumsub executes the rights mentioned above, you should send a free form email to [email protected] or use this form. Information on actions taken regarding any request is provided to you within one month. That period may be extended by two months where necessary, considering the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request and the reasons for the delay.

Sumsub guarantees that making a request for receiving personal data is free unless a reasonable cost is to be charged where requests are unfounded or excessive, or repetitive in character.

Please note that any Data Subject’s request to delete all or any personal data related to a Data Subject is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.

9. Withdrawing consent and objection to legitimate interest mechanism

To withdraw consent or object to the processing justified by legitimate interest, you can send a free-form email to [email protected] or use this form. After that, the Data Subject will go through the authentication procedure to prove that such a request is actually made by him/her and is valid in nature.

10. Responsibilities

[a] Sumsub’s responsibilities

Sumsub is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: [email protected].

[b] Sumsub’s Data Protection Officer’s responsibilities

Sumsub’s Data Protection Officer holds responsibility for

  • drawing up guidance and promoting compliance with this Privacy Notice;
  • appropriate compliance with the EU GDPR, UK GDPR and Data Protection Act 2018;
  • ensuring that any personal data breaches are resolved, catalogued and reported appropriately in a swift manner;
  • investigating and responding to complaints regarding data protection, including Data Subject’s requests.

[c] Sumsub personnel responsibilities

Sumsub personnel who are involved in personal data processing comply with the requirements of this Privacy Notice and other internal rules, ensuring that:

  • all personal data is kept securely;
  • no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  • any queries, requests and complaints regarding data protection are promptly directed to the DPO;
  • any data protection breaches are swiftly brought to the attention of the Management and the DPO;
  • where there is uncertainty regarding a data protection matter, advice is sought from the DPO.

[d] Third-Party Processors acting on behalf of Sumsub

Where third-party companies are engaged to process personal data on behalf of Sumsub, responsibility for the security and appropriate use of the data remains with Sumsub.

Before engaging a Third-Party Processor, Sumsub ensures that it provides sufficient guarantees regarding personal data security. In particular, a written contract establishing the types of personal data to be processed and the purposes of such processing, and containing provisions on personal data protection, is concluded between Sumsub and the Third-Party Processor.

11. Specific measures to ensure data protection

Sumsub takes specific measures to ensure personal data protection, including, but not limited to, the following:

  • where applicable, all personal data processing is conditioned on respective Agreements, non-disclosure agreements and data processing agreements compliant with the EU GDPR and the UK GDPR;
  • Sumsub’s specially designed API interface (iFrame) enables Data Subjects to submit personal data directly to Sumsub’s secure servers;
  • all personal data is always securely stored on servers located in safe European data centres of a security level no lower than Tier 3 [1];
  • all personal data is subjected to encryption;
  • personnel involved in personal data processing are officially authorised and undergo background checks and regular training;
  • Sumsub regularly carries out internal and external data protection and information security audits and vulnerability assessments. In particular, compliance with the EU GDPR and the UK GDPR requirements, ISO/IEC 27001, 27017 and 27018, SOC 2 Type 2, and PCI DSS has been demonstrated. Visit our Security and Compliance section for more information;
  • where the processing of certain personal data (e.g., children’s personal data or sensitive data under certain data protection laws) would be unlawful, Sumsub takes all possible measures to identify and delete or, where appropriate, encrypt such data immediately upon its submission;
  • physical, software and network security guarantees as set out below are implemented.

[1] At present, all personal data is stored and processed on specially designated servers in Germany.

If certain types of personal data, such as the Dutch BSN, Korean RRN, Singaporean NRIC number, Japanese My Number Card and related sensitive data, as well as other country-specific identity document data, are under special protection regimes, Sumsub will take the necessary measures not to process such data (for example, by requesting the user to cover such data with a sticker or by using blurring technology), unless the respective Client has a legal basis for processing it freely.

12. Personal data breaches

Where a personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or the Director and, where applicable, to the data protection authority and the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and sets out the planned measures intended to eliminate the breach, potential consequences for concerned individuals, as well as contact details of the person for feedback.

The respective Data Breach Notifications will be provided to concerned individuals and data protection authorities.

13. Data disclosure

[a] Third Parties

If the Client agrees, Sumsub may have to engage third parties for data processing activities, which include the following categories:

  • Data Processors, to operate the Website and Sumsub public-facing websites and to achieve other purposes provided in this Privacy Notice;
  • Data providers when it is necessary for carrying out due diligence of the Clients; and
  • Sumsub Group of companies for assistance in service provision and Sumsub EU representative for granting the opportunity to Data Subjects and Supervisory authority to address Sumsub within EU borders for the purposes of Article 27 of the EU GDPR.

Sumsub requires the Third Parties to respect the security of personal data and treat it according to applicable law. In addition, Third Parties are mostly limited to only accessing or using personal data to provide services to Sumsub and must provide reasonable assurances that they will appropriately safeguard the data in line with Provision 10[d] of this Notice.

[b] Recipients

Sumsub may have to provide personal data to Recipients, which include the following categories:

  • Governmental bodies and regulatory authorities, judicial bodies, investigation bodies, sworn bailiffs and notaries based on written and concrete requests. Such sharing is conducted in line with strict compliance with derogations of the EU GDPR and the UK GDPR.

14. Sumsub group of companies and EU Representative

Sumsub is a group of companies established as a network of the following legal entities operating worldwide. The processing activities stipulated in this Privacy Notice are provided by the operating company: Sum and Substance Ltd. (registered in England and Wales under company number 09688671), which is for and on behalf of itself and the other members of the Sumsub group of companies. The following entities constitute the Sumsub group of companies:

  • The UK: Sum and Substance Ltd
  • Germany: Sumsub GmbH
  • Cyprus: SUMSUB Tech Limited, SUMSUB LTD, Raritex Trade Ltd.
  • The USA: Sumsub Inc

Sumsub’s EU representative is SUMSUB LTD, incorporated and registered in Cyprus with company number HE 405087.

15. International data transfers

Sumsub confirms that all personal data that is submitted to Sumsub is stored in the EU and/or, subject to national localisation requirements, in the respective country where such requirements exist.

Where it is necessary for the purpose of processing, achieving or ensuring convenient and reliable communication with the Data Subjects, Sumsub may transfer personal data outside of the EU/EEA or the UK to the Third Parties and Recipients indicated in Provision 13 of this Notice.

Whenever a transfer of personal data outside the EU or the EEA is carried out, Sumsub implements appropriate safeguards as set out in Chapter V of the EU GDPR, by transferring on the basis of an EU Adequacy Decision (or the UK Adequacy Regulations) and by concluding Standard Contractual Clauses. The Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to EU/EEA countries are permitted by the UK Government.

16. Sale of personal data and CCPA reference

It should be underlined that Sumsub does not sell personal data and strictly complies with restrictions and prohibitions under CCPA and the EU or the UK GDPR.

For more information on the CCPA application to Sumsub processing activities, please refer to CCPA Privacy Notification.

17. Special notice to residents of the states of Illinois, Washington or Texas (USA)

Personal data processed by Sumsub may include certain “biometric identifiers” (such as scans of facial geometry or voiceprints) and “biometric information” (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.

Whenever biometric data is used to test or demonstrate Sumsub’s facial recognition products and services, it shall be automatically and irretrievably deleted within 30 days of collection.

In any event, biometric data shall only be collected and further processed by Sumsub after having obtained written informed consent of the respective Data Subject to such collection and further processing.

In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of Illinois, Washington or Texas (USA) apply to the legal relationship between Sumsub and any Data Subject.

18. Changes to this Notice

This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the relevant data protection laws.

Sumsub reserves the right to make amendments to this Notice at any time and for any reason. Any amendments will be effective immediately upon us posting the updated Privacy Notice on our website. Users of our website waive the right to receive specific notice about such amendments. You are invited to review this Privacy Notice at any time to stay informed about updates.

If you want to view the previous version of this Privacy Notice, please contact us at [email protected] or visit this link. Our technical and legal support teams work 24/7 and will answer you shortly.