Privacy Notice

Preamble

Sum and Substance Ltd., incorporated and registered in England with company number 09688671, whose registered office is at 30 St. Mary Axe, London, EC3A 8BF (hereinafter – SumSub), being a software-as-a-service business, takes its responsibilities with regard to the requirements of the EU GDPR and UK GDPR very seriously.

This document provides the Privacy Notice framework through which effective management of Data Protection matters can be achieved.

This Privacy Notice is addressed to SumSub’s clients as well as to those individuals who will provide their personal data to SumSub for processing, including SumSub’s public-facing websites.

Where the laws of Illinois, Washington, or Texas apply, it is necessary to refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 15 of this Privacy Notice). In the case of any conflict or ambiguity between the Special notice and the other provisions of this Privacy Notice, the former will prevail.

1. Definitions

Agreement – the Service Provider Agreement concluded with each Client, its annexes and appendices;

Client – the legal entity to which SumSub provides Services under the Agreement;

Service(s) – the personal identity verification service and connected services provided by SumSub;

Data Controller, or Controller – the Client where it, alone or jointly with others, determines the purposes and means of the processing of personal data by written instruction for processing activities given to SumSub;

Data Processor, or Processor – SumSub where it processes personal data on behalf of a Data Controller;

Third-Party Processors – processors authorised to exercise certain processing activities under the direct authority of SumSub;

Data Providers – third-party service providers or public authorities used to collect additional information necessary for the provision of the Services;

Data Subject – any individual whose personal data SumSub may process, including, but not limited to, SumSub’s Clients’ customers and representatives, Users, SumSub’s job applicants, Visitors, etc.;

Personal data – any information relating to an identified or identifiable Data Subject;

User – any individual in respect of whom the identity verification procedure (or any of its elements) is performed as part of the Services provided to a Client;

Visitor – any individual using SumSub’s Website, SumSub’s Demo Mobile App or WebSDK Demo on SumSub’s website;

Website – sumsub.com;

Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Personal data breach – a breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Restriction of processing – marking of stored personal data with the aim of limiting the scope of their processing in the future;

Consent – any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;

Personal Account – a dedicated account created by a prospective Client’s representative via the Website for the purposes of subsequent provision of Services and invoicing;

SumSub’s public-facing website – prooface.ai (hereinafter referred to as the “Prooface website” or “prooface.ai”);

SumSub’s Demo Mobile App – the mobile application owned by SumSub and allowing individuals to test SumSub’s verification procedures;

WebSDK Demo on SumSub’s website – the web page running SumSub’s iFrame with the liveness check step only;

Liveness Demo on Prooface website – the web page on prooface.ai running SumSub’s iFrame with the liveness check step only;

Livechat – a system that allows Users and Visitors to have a real-time interaction with SumSub’s support team in a chat box on the Website page in the browser;

Standard Contractual Clauses – standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EU to third countries, which the Controller and the Processor both sign up to, where necessary;

EEA – European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);

AML/CFT – Anti-Money Laundering / Combating the Financing of Terrorism legal rules and standards as envisaged in the FATF recommendations, the EU regulations and national legislation;

Politically Exposed Persons (PEPs) – individuals who are or have been entrusted with prominent public functions (e.g., Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials), as well as their relatives and close associates.


2. Scope of the Privacy Notice

  • SumSub may act as a Data Processor

SumSub processes personal data under Article 28 of the EU GDPR and the UK GDPR where it is engaged by a Controller to do so for the purposes of the respective Agreement.

For clarity, as part of the Services provided to a Client, SumSub performs remote identity verification procedures. Prior to passing such procedures, Users express their Consent in line with the Client’s privacy policy and this Privacy Notice.

  • SumSub may act as a Data Controller

SumSub may determine the purposes and means of personal data processing under Article 24 of the EU GDPR and the UK GDPR in certain cases. This applies, in particular, to the following situations:

  • when “cookie” files are collected in the course of the Website or livechat operation;
  • when the Prooface website is visited and interacted with;
  • when SumSub obtains data from the forms filled out on the Website;
  • when a prospective Client’s representative creates a Personal Account via the Website;
  • when taking steps prior to entering the contract with a Client and further processing for the performance of the contract;
  • when SumSub’s Demo Mobile App or WebSDK Demo on SumSub’s website or Liveness Demo on Prooface’s website is used.

3. Principles of personal data processing that SumSub adheres to

SumSub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is:

  1. Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
  2. Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Kept accurate and up to date;
  5. Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
  6. Not retained longer than necessary;
  7. Processed in a manner that ensures their appropriate security;
  8. Not transferred outside the European Economic Area (EEA) or the EU without adequate protection.

Whenever a transfer of personal data outside the EU or the EEA is carried out, SumSub implements appropriate safeguards as set out in Chapter V of the EU GDPR by concluding Standard Contractual Clauses with the Controller. Third-Party Processors likewise rely on appropriate safeguards, which includes Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.

SumSub confirms that all personal data is submitted by Data Subjects directly to SumSub’s servers located in the EU and/or, subject to any national localisation requirements, in the respective country where such requirements exist. The Controller may choose the location of personal data processing (including storage) for the purposes of compliance with the applicable laws.

4. Purposes of personal data processing

  • As the Data Controller,

SumSub may collect and further process personal data submitted via the Website in order to:

– provide Visitors with such information as they may request from SumSub in a livechat or the ‘Contact Us’ form;

– provide Visitors with such information as they may request from SumSub in the ‘Make a request’ form;

– email Visitors regarding compliance-related advice, news and guidelines (if they have previously consented to it using the ‘Contact Us’ form);

– evaluate the information presented by job applicants when considering their candidacy and to contact them subsequently;

– maintain communication with a Client’s representative regarding entering into an Agreement, carrying out due diligence of the Clients, and providing Services to the respective Client and other similar matters;

– provide a representative of a prospective Client with an opportunity to create a Personal Account on the Website and operate it in order to be serviced and invoiced;

– provide the test of WebSDK Demo on SumSub’s website to demonstrate the capabilities of SumSub’s facial and/or identity verification service as it operates once SumSub’s Clients have integrated with the SumSub service.

When Visitors interact with the Website, a livechat, the ‘Contact Us’ and ‘Make a request’ forms, or WebSDK Demo on SumSub’s website, SumSub collects and processes “cookie” files to store their preferences and settings, enable them to sign in, personalise content and advertising, combat fraud, and analyse the incoming traffic. The Cookie Policy is available here.

SumSub may collect and further process personal data submitted via SumSub’s Demo Mobile App for the purpose of providing a demonstration of the capabilities of SumSub’s facial and/or identity verification service as it operates once SumSub’s Clients have integrated with the SumSub service.

SumSub may collect and further process personal data submitted via the Prooface website in order to:

– provide Visitors with functionality and better user experience regarding the Prooface website as stated in the Cookie Policy (Prooface section);

– provide Visitors with such information as they may request via the ‘Contact Us’ and ‘Make a request’ forms;

– email Visitors regarding compliance-related advice, news and guidelines (if they have previously consented to it using the ‘Contact Us’ form);

– provide the test of Liveness Demo on Prooface’s website.

  • As the Data Processor,

SumSub provides Services to its Clients, collecting and further processing Users’ personal data in order to verify their identities, which may be necessary for the Clients’ compliance with the applicable AML/CFT and/or other laws and regulations and/or the Clients’ internal due diligence policies and procedures.

SumSub subjects personal data (including photos and scanned copies of documents) to automated reading, verification of authenticity, and other types of automated processing, such as cross-checks against multiple databases of Data Providers (e.g., PEP lists, global and country-specific sanctions lists, criminal lists, financial lists).

Once the personal data is no longer necessary for the relevant purpose, SumSub, upon the written instruction of the Controller, erases it completely from its servers without leaving any backup copies after having transferred it to the Controller (if the Controller so requests).

5. Lawfulness of personal data processing

  • As the Data Controller,

SumSub always relies on the appropriate legal grounds of processing, which may depend on the processing purposes:

– for the cookie-file processing, consent is obtained via the cookie banner (Article 6(1)(a) of the GDPR) on sumsub.com and prooface.ai;

– for emailing Visitors regarding compliance-related advice, news and guidelines after they have consented (Article 6(1)(a) of the GDPR) to it by ticking a special box in the ‘Contact Us’ form on sumsub.com and prooface.ai;

– when forms are filled out via the Website in order to contact SumSub on sumsub.com and prooface.ai, “legitimate interest” (Article 6(1)(f) of the GDPR) allows SumSub to provide the respective individual with the information that has been requested;

– when the information presented by job applicants is reviewed, two legal grounds equally apply: (i) Article 6(1)(c) of the GDPR (“compliance with a legal obligation” based on labour laws to which SumSub is subject); and (ii) Article 6(1)(f) of the GDPR (since “legitimate interest” allows SumSub to evaluate personal information when considering the job candidacy of a certain applicant and to be able to contact them back on the matter);

– when information is collected during a business inquiry or communication, SumSub relies on Article 6(1)(b) of the GDPR to take steps prior to entering into a contract, including carrying out due diligence of the Clients, and for the performance of the contract, including the provision of the Service, communication with the representative of the Client, as well as legal and financial matters;

– when a Personal Account is created, the personal data processing is based on Article 6(1)(b) of the GDPR (“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”);

– for the use of SumSub’s Demo Mobile App or test of WebSDK Demo on SumSub’s website or Liveness Demo on Prooface’s website, consent is required as specified in Article 6(1)(a) of the GDPR. Further processing of personal data following their collection is justified by the legitimate interest of SumSub, namely by the necessity of internal analysis and ongoing improvement of SumSub’s services used by its customers in order to detect whether a real person is passing the verification procedure, as well as any impersonation or spoofing attempts, so as to prevent money laundering, terrorist financing, fraud, and other illicit activities, which is considered a matter of public interest.

SumSub ensures that no personal data is used for any purposes incompatible with the aforementioned ones.

  • As the Data Processor,

SumSub is engaged by its Clients (Controllers) to perform identity verification procedures in respect of their Users. In line with Article 6 of the EU and UK GDPR, Controllers should rely on an appropriate legal ground when processing personal data. Most of SumSub’s Clients rely on the following grounds for processing personal data:

– Article 6(1)(c) of the GDPR: “[personal data] processing is necessary for compliance with a legal obligation to which the controller is subject”;

– Article 6(1)(e) of the GDPR: “[personal data] processing is necessary for the performance of a task carried out in the public interest”;

– Article 6(1)(a) of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.

The processing of personal data by SumSub is covered by the legal grounds relied on by the particular Client with which SumSub has the Agreement.

6. Types of personal data processed by SumSub

As the Data Controller, SumSub may collect and further process the following personal data depending on the processing purpose:

  • Visitors’ personal data

SumSub may process certain data of the Visitors using the Website and WebSDK Demo on SumSub’s website through “cookie” files (see SumSub’s Cookie Policy) or Liveness Demo on Prooface’s website through “cookie” files (see Cookie Policy) or other similar technologies (e.g., IP address, equipment information, location information, “beacons”).

When a Visitor interacts with the Website or SumSub’s Demo Mobile App / WebSDK Demo on SumSub’s website and Liveness Demo on Prooface’s website (e.g., by filling out forms or testing SumSub’s identity verification procedures), SumSub processes: (i) the data indicated below (as may be applicable); (ii) technical data, which includes, but is not limited to, information regarding the date, time and activity on the Website; IP address and domain name; software and hardware attributes; general geographic location (e.g., city, country) from Data Subject’s device.

  • Personal data of Users contacting SumSub via a livechat, the ‘Contact Us’ or ‘Make a request’ form on sumsub.com or prooface.ai

– first name (applicable for livechat and the ‘Contact Us’ form);

– email address;

– telephone number (applicable only for the ‘Contact Us’ form);

– other information necessary for SumSub to resolve the relevant issue brought up by the User.

  • Personal data of Clients’ representatives SumSub may process:

– personal data of the representative (e.g., name, job title, position, contact information, and the data contained in ID documents);

– information obtained in connection with providing the Services to the respective Client (e.g., communication materials);

– personal data contained in corporate documents;

– publicly available data relevant to the position of the Client’s representatives.

  • Personal data of SumSub’s job applicants

– full name;

– email address;

– contact phone number;

– CV details.

  • Personal data of prospective Clients’ representatives provided prior to or after the creation of a Personal Account:

– full name;

– contact phone number;

– email address;

– text personal data contained in the passport or another identity document;

– biometric data, such as facial features;

– facial image data, such as photos of face (including selfie images) and photo or scan of face contained in the identity document;

– data necessary for transaction processing.

  • Personal data of Visitors using SumSub’s Demo Mobile App – depends on the service chosen by the Data Subject (liveness tool/liveness and identity document check tool):

– identity document data, such as the name of the identity document, issuing country, number, expiry date, MRZ, information embedded to document barcodes (may vary depending on the document), security features;

– facial image data, such as photos of the face (including selfie images) and photo or scan of the face on the identification document;

– biometric data such as facial features;

– contact details, such as an address, email address, phone number;

– unique identifier (Applicant ID) created only for the purpose of associating a Data Subject with their personal data within SumSub’s system.

  • Personal data of Visitors testing WebSDK Demo on SumSub’s website – depends on the service chosen by the Data Subject (liveness tool/liveness and identity document check tool):

– identity document data, such as the name of the identity document, issuing country, number, expiry date, MRZ, information embedded to document barcodes (may vary depending on the document), security features;

– facial image data, such as photos of the face (including selfie images);

– biometric data, such as facial features;

– email address;

– unique identifier (Applicant ID) created only for the purpose of associating a Data Subject with their personal data within SumSub’s system.

  • Personal data of Visitors testing Liveness Demo on Prooface’s website:

– facial image data, such as photo images of face (including selfie images);

– biometric data, such as facial features;

– email address;

– unique identifier (Applicant ID) created only for the purposes of associating a Data Subject and their Personal data within SumSub’s system.

As the Data Processor, SumSub may collect and further process the following personal data of Data Subjects depending on the particular Service being provided to the Controller:

– general personal data, such as full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, postcode);

– identity document data, such as document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features;

– facial image data, such as photos of the face (including selfie images) and photo or scan of the face on the identification document, videos, sound recordings;

– biometric data, such as facial features;

– banking details, such as cardholder name, expiry date, first 6 and last 4 digits of the card number, data extracted from documents provided as proof of source of funds/wealth;

– contact details, such as an address, e-mail address, phone number, IP address;

– technical data, including, but not limited to, information regarding the date, time and activity in the Services; IP address and domain name; software and hardware attributes (e.g., camera name and type); general geographic location (e.g., city, country) from Data Subject’s device;

– unique identifier (Applicant ID) created only for the purpose of associating a Data Subject with their personal data within SumSub’s system;

– data concerning health, such as vaccination certificates data, test certificates (NAAT/RT-PCR test or a rapid antigen test) data, and data of certificates for persons who have recovered from COVID-19;

– relevant publicly available data, such as information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists;

– personal information that SumSub has received from the Controller, such as contact details;

– personal information additionally provided by Data Subjects, such as data obtained during their communications with SumSub (e.g., requests, reports).

7. Personal data retention period

The retention period depends entirely on the relevant data processing purpose:

  • regarding Visitors contacting SumSub upon certain requests and technical data, the retention period is three years (enabling SumSub to re-contact the Visitor in the event of unforeseen circumstances and to manage the Website efficiently);
  • regarding the purpose of emailing Visitors regarding compliance-related advice, news and guidelines, the retention period lasts until the Data Subject unsubscribes by following the respective link in the email;
  • regarding the evaluation of job applications, the retention period is one year from the disqualification of the candidacy (enabling SumSub to contact the applicant if the position is re-opened);
  • regarding business communication with Clients’ representatives, the retention period is up to six years (enabling SumSub to keep in contact with active Clients and to keep the provision of the Services uninterrupted);
  • regarding the data operated via a Personal Account, the retention period is up to six years after the date of breach or termination of the contract (enabling SumSub to retain information in case of a statutory limitation);
  • regarding personal data collected via SumSub’s Demo Mobile App or WebSDK Demo on SumSub’s website or Liveness Demo on Prooface’s website, the retention period is up to 30 days due to the presence of SumSub’s legitimate interests specified in Provision 5;
  • regarding “cookie” files, the retention period is specified in the Cookie Policy and Prooface Cookie Policy;
  • regarding the Users’ personal data, the retention period is established in the respective Agreement and typically constitutes three years; however, it may be longer when the AML/CFT or other laws to which the Client is subject so require.

Any Client’s request to delete all or any personal data related to a User is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies SumSub operates to process the data.

Users’ personal data may be retained for up to 90 days (from the Client’s request for data deletion) to comply with any applicable law, regulation, legal process, or governmental request and investigation; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of the Client’s or SumSub’s terms of service, or threats to the security of the Services or the physical safety of any person. SumSub will delete such personal data of the affected User when no longer legally obligated or reasonably required to retain it.

8. Processing of children’s personal data

When personal data are provided via SumSub’s Demo Mobile App or WebSDK Demo on SumSub’s website or Liveness Demo on Prooface’s website, SumSub, as the Data Controller, only processes personal data of individuals who have reached the age of majority under the national laws of their country/countries of citizenship and/or residence. In case a child’s personal data is accidentally submitted to SumSub, it will be deleted without undue delay.

SumSub, as the Data Processor, may process personal data of children, understood as individuals under the age of majority under the national laws of the Controller’s country of incorporation, only when the Controller ensures that the person with parental responsibility for the child has consented to such processing. Otherwise, in case a child’s personal data is accidentally submitted to SumSub, it will be deleted without undue delay.

9. Processing rules of personal data concerning health

As the Data Processor, SumSub may process personal data concerning health, such as vaccination certificates data, test certificates (NAAT/RT-PCR test or a rapid antigen test) data, and data of certificates for persons who have recovered from COVID-19. Such processing may be necessary for the Controller’s compliance with the applicable laws and regulations and/or the Controller’s internal due diligence policies and procedures only when the Controller ensures that such processing is justified by the respective legal basis and the Data Subject is informed properly by the Controller.

10. Data Subjects’ rights

As the Data Controller, SumSub respects and guarantees the following rights of each Data Subject:

  • Right to obtain confirmation as to whether or not his or her personal data are being processed (Article 15 of the EU GDPR and the UK GDPR);
  • Right to rectify inaccurate personal data without undue delay (Article 16 of the EU GDPR and the UK GDPR);
  • Right to erase personal data, or “right to be forgotten” (Article 17 of the EU GDPR and the UK GDPR) if one of the following applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; (iii) the personal data have been unlawfully processed;
  • Right to restrict personal data processing (Article 18 of the EU GDPR and the UK GDPR) if one of the following applies: (i) the accuracy of the personal data is contested (during the period when SumSub is able to verify its accuracy); (ii) the processing is unlawful and the Data Subject objects to the erasure of the personal data and requests to restrict their use instead; (iii) SumSub no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject to establish, exercise or defend legal claims; (iv) the Data Subject has objected to processing pending the verification whether SumSub legitimate grounds override those of Data Subject;
  • Right to be informed as to rectification or erasure of personal data or restriction of their processing (Article 19 of the EU GDPR and the UK GDPR);
  • Right to receive personal data in a form that is machine-readable and ready for transmission to another controller (Article 20 of the EU GDPR and the UK GDPR);
  • Right to object to personal data processing (Article 21 of the EU GDPR and the UK GDPR) if the processing is justified by the “public interest” or “legitimate interest” legal ground as set out in points (e) and (f) of Article 6(1) of the GDPR;
  • Right not to be subject to a decision based solely on automated processing (Article 22 of the EU GDPR and the UK GDPR) unless one of the following applies: (i) such decision is necessary for entering into, or performance of, a contract between the Data Subject and SumSub; (ii) such decision is authorised by the law to which SumSub is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or (iii) such decision is based on the Data Subject’s explicit consent;
  • Right to lodge a complaint with the supervisory authority (Article 77 of the EU GDPR and the UK GDPR).

As the Data Processor, SumSub assists Controllers in the exercise of these rights upon the respective Controller’s written instruction.

11. Withdrawing consent and objection to legitimate interest mechanism

SumSub complies with the obligation to provide a mechanism for the withdrawal of consent (Article 7(3) EU GDPR and UK GDPR) and for objection to processing based on legitimate interests (Article 21(1) EU GDPR and UK GDPR).

To withdraw consent or object to processing justified by legitimate interest, the Data Subject can send a free-form email to [email protected] or use the ‘Make a request’ form in the Support section of the Website. After that, the Data Subject will go through an authentication procedure to prove that the request is actually made by him/her and is valid in nature.

In cases where SumSub acts as a Processor, SumSub can only assist the Data Subject by transmitting his/her request to the Controller (for whom the Data Subject was verified). SumSub cannot make decisions regarding such requests on its own, as SumSub acts in accordance with the written instructions of the Controller, who exercises control over the personal data.

12. Responsibilities

[a] SumSub’s responsibilities

SumSub is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: [email protected]

[b] SumSub’s Data Protection Officer’s responsibilities

SumSub’s Data Protection Officer holds responsibility for:

  • drawing up guidance and promoting compliance with this Privacy Notice;
  • appropriate compliance with the EU GDPR, UK GDPR and Data Protection Act 2018;
  • ensuring that any personal data breaches are resolved, catalogued and reported appropriately in a swift manner;
  • investigating and responding to complaints regarding data protection, including requests to cease the processing of personal data.

[c] SumSub’s personnel responsibilities

SumSub’s personnel who are involved in personal data processing comply with the requirements of this Privacy Notice. Personnel ensure that:

  • all personal data is kept securely;
  • no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  • any queries, requests and complaints regarding data protection are promptly directed to the Data Protection Officer;
  • any data protection breaches are swiftly brought to the attention of the Governance Team and the Data Protection Officer;
  • where there is uncertainty regarding a data protection matter, advice is sought from the Data Protection Officer.

[d] Third-Party Processors acting on behalf of SumSub

Where third-party companies are engaged to process personal data on behalf of SumSub, responsibility for the security and appropriate use of the data remains with SumSub.

Prior to engaging a Third-Party Processor, SumSub ensures that it provides sufficient guarantees as regards personal data security. In particular, a written contract establishing the types of personal data to be processed and the purposes of such processing, and containing provisions on personal data protection, is concluded between SumSub and the Third-Party Processor.

13. Specific measures to ensure data protection

SumSub takes specific measures to ensure personal data protection, including, but not limited to, the following:

  • where applicable, all personal data processing is conditioned on respective Agreements, non-disclosure agreements and data processing agreements compliant with the EU GDPR and the UK GDPR;
  • SumSub’s specially designed API interface (iFrame) enables Data Subjects to submit personal data directly to SumSub’s secure servers;
  • all personal data is always securely stored on servers located in secure European data centres of a security level no lower than Tier 3¹;
  • all personal data is subjected to hashing;
  • personnel involved in personal data processing are officially authorised and undergo background checks and regular training;
  • SumSub regularly carries out internal and external data protection and security audits and penetration tests (in particular, compliance with the ISO 27001, PCI DSS and ISO/IEC 30107-3 standards has been demonstrated);
  • where the processing of certain personal data (e.g., children’s personal data or resident registration numbers under certain Asian data protection laws) would be unlawful, SumSub takes all possible measures to identify and delete or, where appropriate, encrypt such data immediately upon its submission;
  • physical, software and network security guarantees as set out below are implemented.

¹At present, all personal data is stored and processed on specially designated servers in Germany.

[a] Physical security

SumSub is working on preventing any unauthorised physical access, damage, or interference with SumSub’s data processing facilities. In particular, SumSub has established:

  • removable media blocking;
  • CCTV monitoring;
  • entry control systems at the premises;
  • secure areas for authorised personnel; and
  • physical protection of hardware against natural disasters, malicious attacks or accidents.

[b] Software and network security

  • SumSub carries out regular vulnerability scans of its entire infrastructure, as well as independent external penetration tests;
  • SumSub’s dashboard supports several confidentiality regimes (access levels), so that, e.g., Clients can monitor the status of processing without obtaining access to the personal data itself;
  • code changes are always peer-reviewed, and static source code reviews are performed systematically and frequently;
  • all engineering and development operations personnel are regularly trained on system, application and network security;
  • SumSub’s IT and container infrastructure is continuously monitored and audited;
  • critical systems and information are protected with strong authentication mechanisms;
  • all network connections are protected by firewalls and are monitored by cyber security solutions to detect intrusions and suspicious activity;
  • machine learning is used to identify malicious behaviour of network endpoints and applications;
  • all of SumSub’s computers, laptops and servers use full disk/volume encryption and are configured with hardened security settings and antivirus/malware protection, which is automatically updated to the latest version and signatures available;
  • all user information is encrypted using AES-256 at rest as well as in transit;
  • regular backups of the most important data are carried out.

14. Personal data breaches

Where a personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or the CEO and, where applicable, to the data protection authority and the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and sets out the planned measures intended to eliminate the breach.

15. Special notice to residents of the states of Illinois, Washington or Texas (USA):

Personal data processed by SumSub may include certain “biometric identifiers” (such as scans of facial geometry or voiceprints) and “biometric information” (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.

Whenever such biometric identifiers and/or biometric information (collectively “biometric data”) are used as part of the services rendered by SumSub to any Controller, such data shall be processed by SumSub on behalf of such Controller and permanently deleted (i) when the Controller so directs, (ii) when SumSub ceases to have the relevant legal relationship with the Controller, or (iii) when 3 (three) years have passed since the respective Data Subject’s last interaction with SumSub, whichever is earlier, unless either the Controller or SumSub is legally obliged to store the data for a longer period. In the latter case, SumSub shall not perform any operations regarding such data other than its storage for the period required by the applicable law.

Whenever biometric data are used for the sole purpose of testing or demonstrating SumSub’s facial recognition products and services to potential Clients and/or Visitors, such data shall be automatically and irretrievably deleted within 24 hours upon collection.

In any event, biometric data shall only be collected and further processed by SumSub after having obtained written informed consent of the respective Data Subject to such collection and further processing. By confirming (e.g., selecting the appropriate checkbox) that they have read and accepted the terms of biometric data processing prior to the identity verification procedure, the Data Subject shall be deemed to have given such consent.

In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of the states of Illinois, Washington or Texas (USA) are applicable to the legal relationship between SumSub and any Data Subject.

* * *

This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the EU GDPR and the UK GDPR.

If you have any request or complaint regarding the Privacy Notice or would like to exercise any of the data subject’s rights granted to you by the applicable laws, please contact us at [email protected] or [email protected]. Our technical and legal support teams work 24/7 and will answer you shortly.

This Privacy Notice was last updated on 13 October 2021.