Terms and Conditions

1. Definitions and Interpretations

1.1. In these Terms and Conditions, the following definitions shall apply:

API

means the Service Provider’s application programming interface, which is a set of functions and procedures that facilitate the submission of applications for access to the features and functionalities of the System and communication between the System and the Customer Platform.

Applicant

means an end user of the Customer Platform (whether natural person or legal entity) providing documents, images, and other input data in respect of which the Service Provider performs Checks and other Services.

Authorized User

means any member of the Customer's personnel or another individual authorized by the Customer to access and/or use the System on behalf of the Customer.

Billing Start Date

means (i) the date when the Customer indicates its payment method and billing details and activates the chosen Pricing Plan in the Dashboard; or (ii) expiry of the Trial Period, if any, whichever is later. The Services shall become chargeable as per the applicable Pricing Plan upon the Billing Start Date.

Business Purpose

means the permitted purpose for which the Customer may use the System and/or the Services. For clarity, the Customer may use the System and/or the Services for lawful purposes of remote identity verification, fraud prevention, compliance with AML/CFT laws and regulations, internal risk management and due diligence procedures, and other essentially similar purposes. The Customer is not allowed to resell, sublicense, redistribute, or otherwise make the System and/or the Services (or any materials or results derived therefrom) available to any third party without the Service Provider’s prior written consent (which the Service Provider shall not unreasonably withhold if it is required under applicable laws or regulations or a lawful request by a competent government authority to make the System and/or the Services available to a third party).

Check

means a subcategory of the Services with the following characteristics: (i) a Check is deemed completed when the Applicant in respect of which it has been conducted is assigned a “Rejected”, “Approved”, or “Resubmission requested” status in the Dashboard; and (ii) if any Check is reiterated in respect of the same Applicant later than one calendar month from the moment when the first such Check was completed or, irrespectively of the timing, by the Customer or at the Customer's request, such reiteration shall be considered a new Check and, therefore, billed separately.

Commencement Date

means the date on which the Customer

(i) expresses its consent to be bound by these Terms and Conditions via the Website; or

(ii) starts using or otherwise accesses the System and/or the Services in the absence of a commercial agreement in force between the Parties,

(whichever is earlier).

Confidential Information

means information disclosed by (or on behalf of) the Service Provider to the Customer in connection with or in anticipation of these Terms and Conditions that is marked as confidential or, from its nature, content, or the circumstances in which it is disclosed, could reasonably be deemed confidential. It does not include information (i) that the Customer had already possessed on a lawful basis prior to the disclosure, (ii) that becomes public through no fault of the Customer, (iii) that was independently developed by the Customer, (iv) that was lawfully transferred to the Customer by a third party bearing no confidentiality obligation towards the Service Provider; or (v) that is approved for disclosure by the Service Provider in writing.

Customer Platform

means the information technology system owned and/or operated by the Customer, if any, which receives data from the Service Provider and/or the System based on these Terms and Conditions.

DPA

means the Data Processing Agreement as contained in Annex 3 to these Terms and Conditions.

Fees

means the charges payable by the Customer to the Service Provider under these Terms and Conditions, including in particular Annex 2 hereto (“Payment Terms”), as per the applicable Pricing Plan or as otherwise agreed by the Parties.

Intellectual Property Rights

means all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in Confidential Information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world.

Malicious Code

means viruses, worms, time bombs, Trojan horses, and other similar malware, files, scripts, agents, or programs.

New Release

means (i) architectural changes in the System and/or Services; (ii) improvements and bug corrections of the System and/or Services; or (iii) maintenance releases not impacting the visible performance of the System and/or Services.

Pricing Plan

means the tariff as chosen by the Customer via the Dashboard (or, where it is permitted or prescribed under these Terms and Conditions, enabled by the Service Provider for the Customer), entitling the Customer to use Services of such types and volumes and on such conditions as specified in the respective Pricing Plan. Current Pricing Plans offered by the Service Provider are available at: https://sumsub.com/pricing and in the Dashboard. The Customer may at any time enable or disable any of the Services covered by the applicable Pricing Plan via the Dashboard or, if necessary, by contacting the Service Provider at [email protected] (for clarity, disabling a Service only results in a reduction of payable Fees if it is explicitly so provided under the respective Pricing Plan). Where the Customer enables a Service not covered by the Pricing Plan applicable to the Customer at the relevant time, the Service Provider may, at its sole discretion, (i) transfer the Customer to a Pricing Plan that includes the Service in question, and/or (ii) charge the Customer for its usage of the Service in question as per the Pricing Plan including the said Service, and/or (iii) suspend or limit the Customer’s access to the System and/or the Services. Any applicable Pricing Plan shall be considered an inherent part of these Terms and Conditions.

SDK

means the software code supplied by the Service Provider to be embedded into the Customer Platform and any technical documentation relating to the corresponding integration.

Security Feature

means any key, login, PIN, password, etc. as may be provided by the Service Provider to the Customer or created by the Customer for the purposes of accessing the System.

SLA

means the Service Level Agreement as contained in Annex 1 to these Terms and Conditions.

Specification

means the list and description of Services corresponding to the Pricing Plan applicable to the Customer at the relevant time. The Service Provider reserves the right to modify the Specification from time to time, subject to reasonable prior written notice to the Customer in case such modification significantly impairs the scope or quality of the Services available to the Customer according to the then-current Specification.

Sumsub ID

means a feature allowing Applicants to transfer the images of their identity documents already stored by the Service Provider to the Customer instead of uploading or capturing them in real-time, as described in more detail at https://sumsub.com/pricing and in section 1 of Sumsub ID User Terms and Conditions available at https://id.sumsub.com/terms. For the avoidance of doubt, Sumsub ID User Terms and Conditions are hereinafter only linked for reference; they do not constitute part of these Terms and Conditions, are not binding as between the Service Provider and the Customer, and do not create any rights or obligations for the Service Provider or the Customer (or any of their respective affiliate entities) towards each other unless explicitly specified herein.

The Customer agrees that the Service Provider (or any of its affiliate entities, as the case may be) may embed an option for the Customer’s Applicants to accede to Sumsub ID User Terms and Conditions and subsequently use Sumsub ID into the System (including the SDK) and, where it in its discretion considers so necessary, modify the System accordingly.

System

means a set of computer programs and databases owned and/or operated by the Service Provider to render the services described in the Specification (the “Services”), including API and SDK. The System includes an interactive software tool facilitating the communication between the Service Provider and the Customer and ensuring the management and processing of requests as submitted by the Customer or by its Applicants (the “Dashboard“).

Trial Period

means a limited period of time during which the Customer may be entitled to use a limited number of Checks (as determined in the applicable Pricing Plan) free of charge and for the purposes of testing the Services and the functionality of the System.

Website

means www.sumsub.com and its subdomains.

1.2 No provision of these Terms and Conditions shall be construed against or interpreted to the disadvantage of any Party by reason of such Party having or being deemed to have structured or drafted such provision.

1.3 Any reference to "days" shall mean calendar days unless qualified by the word "business", in which instance a "business day" shall be any day other than a Saturday, Sunday, bank holiday, or a public holiday in the Service Provider’s jurisdiction of incorporation.

1.4 Any provision conferring rights or imposing obligations on a Party and contained in any of the definitions listed in clause 1.1 or elsewhere in these Terms and Conditions shall be given effect as if it were a substantive provision within the body of these Terms and Conditions.

1.5 Where figures are referred to in numerals and in words, and there is any conflict between the two, the words shall prevail.

1.6 Where the expressions “include(s)”, “including” or “in particular” are used in these Terms and Conditions, the list of words following them shall not be considered exhaustive unless explicitly indicated otherwise.

1.7 References to sections, clauses, or Annexes are to these Terms and Conditions' respective sections, clauses, and Annexes.

1.8 A reference to a Party includes its successors and permitted assigns.

1.9 The headings in these Terms and Conditions are for ease of reference only and shall not affect their interpretation.

1.10 In these Terms and Conditions, if the context so requires, references to the singular shall include the plural and vice versa.

2. Term

2.1 These Terms and Conditions shall become binding between the Parties on the Commencement Date and remain in full force and effect for 12 months following the Billing Start Date (cumulatively, the “Initial Period”). Once the Initial Period expires, these Terms and Conditions shall automatically be renewed for subsequent periods of 12 months each (the “Renewal Period(s)”). The Initial Period and any Renewal Periods as may follow shall together constitute the “Term”.

2.2. Notwithstanding clause 2.1, on the date when the Customer (i) fully expends any given Pre-Payment (if applicable) or (ii) changes its Pricing Plan to one including a Pre-Payment among the payable Fees, the Initial Period or then-current Renewal Period shall automatically expire, with the subsequent Renewal Period commencing on the following day.

3. Connection to the System

3.1 The Service Provider shall grant the Customer full access to the System and the Services as purchased under the respective Pricing Plan immediately upon the Billing Start Date. Notwithstanding the foregoing:

3.1.1) a limited scope of the System’s functionalities (not including, in particular, any chargeable Services), determined at the Service Provider’s sole discretion, may become available to the Customer upon the Commencement Date, subject to the Customer following the instructions forwarded by the Service Provider to the email address specified by the Customer via the Website (if applicable). The Customer shall not upload any personal data (except that of the individual uploading it, unless that individual is also an Applicant) into the System before the Billing Start Date. Any output generated by the Service Provider in relation to any data uploaded by the Customer into the System prior to the Billing Start Date is a mere demonstration of the System’s capabilities and may not be regarded as processing similar or equivalent to that constituting the Services;

3.1.2) immediately upon the Commencement Date, as well as upon the beginning of the Trial Period (or, if there is no Trial Period, the moment the Customer starts using the chargeable Services) and thereafter, the Customer shall be obliged, when requested to do so, to submit to the Service Provider certain information about itself as further specified by the Service Provider via the Website, by email or otherwise for due diligence purposes (including, but not limited to, personal details of Authorized Users; billing details as required under the applicable Pricing Plan; company details, ownership and control structure, personal details of ultimate beneficial owners and senior officers, supporting corporate documents; nature of business and any required licenses, registrations, certifications, approvals (if applicable); website address; and other data as may be requested by the Service Provider). The Service Provider may, in its sole discretion, disregard any updates made by the Customer to the previously submitted information, to the extent such updates do not amount to an assignment permitted under clause 11.7 below. The Service Provider shall be entitled, at its sole discretion, to suspend or limit the Customer’s access to the System and/or the Services and/or terminate the Terms and Conditions as between itself and the Customer where (i) the Customer fails to timely provide the requested information (in full or in part); (ii) the information provided by the Customer is false, incomplete, inconsistent, or incorrect; (iii) the Service Provider may not or is recommended not to continue a business relationship with the Customer as per the Service Provider’s due diligence policies and procedures; or (iv) in any other case as may be defined by these Terms and Conditions. The Service Provider shall not be obliged to disclose the scope or results of its due diligence procedures. Where the Service Provider has informed the Customer that its due diligence procedures have rendered a final negative result and has withdrawn the Customer’s access to its account in the System’s production environment, these Terms and Conditions shall be considered terminated with immediate effect; should the access to the same account be subsequently restored, the Terms and Conditions shall be considered to have continued in force, starting from the moment of such restoration, on the same terms as were in effect between the Parties immediately prior to the termination.

3.2 Upon the Commencement Date (but not before the Customer indicates its payment method and billing details and activates the chosen Pricing Plan in the Dashboard), the Service Provider may, at its sole discretion, grant the Customer a Trial Period, the exact duration and scope of which shall be specified in the Dashboard. The Trial Period may only be activated by the Customer. The Customer acknowledges that not all features and functionalities of the System may be available during the Trial Period. Upon the expiry of the Trial Period, the Services shall immediately and automatically become chargeable as per the applicable Pricing Plan.

3.2 On or after the Commencement Date (but not before the Customer indicates its payment method, company details and billing details and activates the chosen Pricing Plan in the Dashboard), the Service Provider may, at its sole discretion, grant the Customer an option to activate a Trial Period, the exact duration and scope of which shall be specified in the Dashboard. The Trial Period may only be activated by the Customer. The Customer acknowledges that not all features and functionalities of the System may be available during the Trial Period. Upon the expiry of the Trial Period, the Services shall immediately and automatically become chargeable as per the applicable Pricing Plan.

3.3 For the duration of the Term, the Service Provider shall supply the Customer with (i) Services based on the Pricing Plan applicable at any relevant time and the SLA; (ii) as soon as reasonably practicable, any New Releases; and (iii) technical support, including maintaining the System up-to-date, in good working order, and free from Malicious Code, and restoring it to normal operational conditions if inaccessible.

3.4 The Customer acknowledges that for any reason, at any time, and without prior notice, the Service Provider may issue New Releases, and agrees to implement such New Releases promptly. Failure of the Customer to update its version of the System to the New Release within 60 days of notification from the Service Provider shall, for the avoidance of doubt, be considered a breach as per clause 10.2(i) of these Terms and Conditions. The Service Provider shall not be in any way liable for the System's incorrect operation, unavailability, or any other deficiencies that are due to the Customer's failure to timely comply with its obligations as set out in this clause 3.4.

4. Intellectual Property Rights

4.1 The Customer acknowledges and agrees that all Intellectual Property Rights in the System and the Services belong to the Service Provider or its licensors (as the case may be) and the Customer shall have no rights to or interest in the System and/or Services other than those expressly granted under these Terms and Conditions. The Customer undertakes, during the Term and at any time thereafter, not to challenge the Intellectual Property Rights of the Service Provider or its licensors, nor to assist any third party directly or indirectly to do so.

4.2 Subject to clause 4.1, the Service Provider grants the Customer a worldwide, non-exclusive, non-transferable, non-sublicensable, revocable license for the duration of the Term to use the System and/or Services solely for the Business Purpose, in accordance with these Terms and Conditions, and conditional on the Customer’s compliance therewith.

4.3. The Customer is not permitted to modify, adapt, translate, process, reverse engineer, rearrange or otherwise rework or make derivative works of any elements of the System, or reproduce the results achieved from any of these acts.

5. Fees

5.1 For the provision of the Services and use of the System, including receipt of any New Releases, support, or maintenance as per these Terms and Conditions, the Customer shall pay the Service Provider Fees as detailed in the applicable Pricing Plan and Annex 2 hereto. The Customer may convert to another Pricing Plan at any time through the Dashboard or, if necessary, by contacting the Service Provider at [email protected]. If, as a result of such conversion, the Commitment payable by the Customer regularly as per Annex 2: (i) increases or remains the same compared to the previous Pricing Plan – the conversion becomes effective immediately, with the Fees payable under the new Pricing Plan in the then-current month recalculated in proportion to the number of days remaining in that month; (ii) decreases compared to the previous Pricing Plan – the conversion becomes effective starting from the first day of the month immediately following the conversion.

5.2 Unless it follows otherwise from Annex 2 or the applicable Pricing Plan, any payable Fees will be automatically withdrawn from the bank account specified by the Customer in the Dashboard as further specified in Annex 2. The Customer shall ensure in advance the availability of sufficient funds on its bank account; where a withdrawal is not successful for any reason, the Service Provider may make multiple repeated attempts, provided that the amount actually withdrawn never exceeds the amount outstanding under these Terms and Conditions. Time of payment will be of the essence.

5.3 The Service Provider shall have the right to suspend or limit the Customer’s access to the Services and/or the System: (i) in case any amounts payable by the Customer are overdue – until all such amounts are received by the Service Provider in full; and (ii) in case any amounts payable by the Customer are due and outstanding (without necessarily being overdue) – as described in Annex 2. Additionally, the Service Provider shall be entitled to claim interest on any overdue sum from the due date until payment of the overdue sum in full, whether before or after judgment. Interest under this clause 5.3 shall be in the amount of 0,1% of the overdue sum per each day of delay.

6. Confidentiality and Data Protection

6.1 The Customer shall: (i) maintain all Confidential Information in strict and absolute secrecy and refrain from any publication, communication, or any other disclosure of Confidential Information, in whole or in part, to any third party whatsoever; (ii) take all necessary precautions to keep Confidential Information secure and apply the same security measures and degree of care to Confidential Information as the Customer applies to its own confidential information; and (iii) immediately inform the Service Provider of any damage to or accidental loss of Confidential Information, including transfer to or use by unauthorized persons.

6.2 The Customer shall not: (i) use Confidential Information in order to build a product or service which competes with the Services; (ii) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Confidential Information (as applicable) in any form or media or by any means to any individual or entity; or (iii) reverse engineer, decompile or disassemble Confidential Information.

6.3 The Customer shall not be prevented from disclosing Confidential Information to members of personnel or professional advisors (“Representatives”) who need to know it and who have agreed in writing to confidentiality obligations no less restrictive than those contained herein. The Customer shall ensure that any Representatives: (i) use Confidential Information only for the purposes of these Terms and Conditions; and (ii) keep such Confidential Information secret and secure. The Customer shall remain liable for any act or omission by its Representatives as if they were its own.

6.4 In the event that the Customer or any of its Representatives are requested pursuant to any applicable law or regulation or by legal process to disclose any Confidential Information, the Customer shall give the Service Provider prompt notice of such request or legal process in order to enable the Service Provider: (i) to seek an appropriate protective order or other remedy; or (ii) to consult with the Customer with respect to taking steps to resist or narrow the scope of such request or legal process. In the event that such protective order or other remedy is not obtained, the Customer shall use commercially reasonable efforts to disclose only that portion of Confidential Information which is legally required to be disclosed and to require that all Confidential Information that is so disclosed will be accorded confidential treatment.

6.5 If so requested by the Service Provider at any time by written notice to the Customer, the Customer shall promptly: (i) destroy or return to the Service Provider all documents and materials (and any copies thereof) containing, reflecting, incorporating or based on the Confidential Information; (ii) erase all Confidential Information from its computer and communications systems, devices and other means of electronic storage; and (iii) certify in writing to the Service Provider that it has complied with the requirements of this clause 6.5.

6.6 Without affecting any other rights and remedies that the Service Provider may have, the Customer hereby agrees that damages would not be an adequate remedy for any breach of this section 6 by the Customer and that the Service Provider shall be entitled to remedies of injunction, specific performance and other equitable relief for any threatened or actual breach of this section 6. The Customer’s liability for any breach of the provisions of this section 6 shall not be subject to any liability limitation otherwise applicable under these Terms and Conditions.

6.7 Notwithstanding anything to the contrary, clauses 6.1-6.6 shall survive the expiry or termination of these Terms and Conditions indefinitely.

6.8 The Service Provider shall guarantee protection of personal data received under these Terms and Conditions as set out in Annex 3 hereto.

6.9 The Customer grants the Service Provider permission to use personal data transferred to the Service Provider under these Terms and Conditions for: (i) developing and testing the Services and/or the System to improve their capabilities for detection and prevention of fraud, including by means of artificial intelligence (e.g. machine learning models); (ii) fulfilling its commitments under the Terms and Conditions and providing a competitive service; (iii) identifying, flagging, monitoring, and reporting potentially fraudulent patterns and other signs of suspicious behaviour which could lead to or signal any illicit activity; (iv) producing anonymised and/or aggregated statistical reports and research; and (v) producing and storing audit log records and reports based on internal information security and personal data protection requirements.

6.10 Where these Terms and Conditions are terminated for any reason, the Service Provider shall, (i) subject to the Customer’s written request and unless the Customer is in breach of these Terms and Conditions as of the termination date, enable the Customer to retrieve all personal data related to its Applicants as may be stored at the relevant time in the Customer’s dedicated account in the Dashboard, free of charge, within 30 days following the termination date; and subsequently (ii) delete all such personal data (excluding any data that the Service Provider may be permitted or obliged to retain under these Terms and Conditions or the applicable laws and regulations) from the System in the absence of the Parties’ mutual agreement to the contrary.

7. Security

7.1 The Customer shall not permit, enable, or provide access to the System to anyone except the Authorized Users. In particular, where the Customer uses Security Features or other credentials in relation to the System, the Customer shall keep those confidential and not share them other than with the Authorized Users.

7.2 Where an Authorized User requires a separate set of Security Features or other credentials to access the System, a request for these shall only be submitted to the Service Provider by another Authorized User.

7.3 All and any actions carried out in the System with the use of Security Features or other credentials previously issued by the Service Provider to the Customer or its Authorized Users or created by the Customer or its Authorized Users shall be regarded as performed by Authorized Users. The Service Provider shall not be in any way liable for the consequences of such actions.

7.4. The Customer shall be responsible and liable for any acts or omissions of its Authorized Users (and any third parties that may be regarded as Authorized Users under clause 7.3) as if they were its own.

8. Liability

8.1 SUBJECT TO CLAUSE 8.2, THIS SECTION 8 SETS OUT THE ENTIRE FINANCIAL LIABILITY OF THE SERVICE PROVIDER (INCLUDING ANY LIABILITY FOR THE ACTS OR OMISSIONS OF ITS EMPLOYEES, AGENTS AND SUB-CONTRACTORS) IN RESPECT OF: (i) ANY BREACH OF THESE TERMS AND CONDITIONS; (ii) ANY USE MADE BY THE CUSTOMER OF THE SERVICES OR ANY PART THEREOF; AND (iii) ANY REPRESENTATION, STATEMENT OR TORTIOUS ACT OR OMISSION (INCLUDING NEGLIGENCE) OR BREACH OF STATUTORY DUTY ARISING UNDER OR IN CONNECTION WITH THE TERMS AND CONDITIONS.

8.2. NEITHER PARTY EXCLUDES OR LIMITS LIABILITY TO THE OTHER PARTY FOR: (i) FRAUD OR FRAUDULENT MISREPRESENTATION; (ii) PAYMENT OF SUMS PROPERLY DUE AND OWING TO THE OTHER PARTY IN THE COURSE OF NORMAL PERFORMANCE OF THESE TERMS AND CONDITIONS; (iii) ANY INDEMNITIES UNDER THESE TERMS AND CONDITIONS; OR (iv) ANY MATTER FOR WHICH IT WOULD BE UNLAWFUL FOR THE PARTIES TO EXCLUDE OR LIMIT LIABILITY.

8.3 SUBJECT TO CLAUSE 8.2, THE SERVICE PROVIDER SHALL NOT IN ANY CIRCUMSTANCES BE LIABLE, WHETHER IN CONTRACT, TORT (INCLUDING FOR NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, FOR: (i) ANY LOSS OF PROFITS, INCOME, GOODWILL, REVENUE, REPUTATION, OR BUSINESS OPPORTUNITIES; (ii) ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES NOT COVERED UNDER SUBCLAUSE 8.3(i); (iii) ANY LOSS OR CORRUPTION OF DATA OR INFORMATION, EXCEPT IF IT WAS CAUSED BY A BREACH OF THESE TERMS AND CONDITIONS BY THE SERVICE PROVIDER.

8.4 SUBJECT TO CLAUSE 8.2, THE SERVICE PROVIDER’S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THESE TERMS AND CONDITIONS OR ANY COLLATERAL CONTRACT SHALL IN ALL CIRCUMSTANCES BE LIMITED TO: (i) 100% OF THE TOTAL FEES PAID BY THE CUSTOMER TO THE SERVICE PROVIDER DURING THE 3-MONTH PERIOD IMMEDIATELY PRECEDING THE DATE ON WHICH THE CAUSE OF ACTION FIRST AROSE; OR (ii) 5,000 (FIVE THOUSAND) USD, WHICHEVER IS LESS. THIS LIABILITY LIMITATION IS CUMULATIVE AND THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT ENLARGE IT.

8.5 THE CUSTOMER ASSUMES SOLE RESPONSIBILITY FOR ANY CONCLUSIONS DRAWN FROM USE OF THE SERVICES.

8.6 THE CUSTOMER SHALL INDEMNIFY, DEFEND, AND HOLD HARMLESS THE SERVICE PROVIDER, ITS AFFILIATES AND THEIR RESPECTIVE OFFICERS, SHAREHOLDERS, DIRECTORS, AND PERSONNEL (AND KEEP THEM INDEMNIFIED ON A FULL INDEMNITY BASIS) FROM AND AGAINST ANY THIRD PARTY CLAIMS, SUITS, HEARINGS, ACTIONS, DAMAGES, LIABILITIES, FINES, PENALTIES, COSTS, LOSSES, JUDGMENTS OR EXPENSES (INCLUDING ALL ATTORNEY FEES) ARISING OUT OF OR IN CONNECTION WITH THE CUSTOMER’S USE OF THE SERVICES OR THE CUSTOMER’S PERFORMANCE UNDER THESE TERMS AND CONDITIONS (COLLECTIVELY, “CLAIMS”), PROVIDED AND TO THE EXTENT THAT SUCH CLAIMS ARE NOT DIRECTLY ATTRIBUTABLE TO ANY BREACH HEREOF BY THE SERVICE PROVIDER.

8.7 IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THESE TERMS AND CONDITIONS WHICH ESTABLISHES A LIMITATION OF LIABILITY, DISCLAIMER, WARRANTY OR EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND SHALL BE ENFORCED AS SUCH.

9. Representations and Warranties

9.1 The Customer warrants, represents and covenants that: (i) it is duly incorporated, organized and validly existing under the applicable law; (ii) it has good and sufficient capacity, power, authority and right to enter into, execute and deliver these Terms and Conditions, to complete the transactions contemplated hereby and to duly observe and perform the covenants and obligations contained herein; and (iii) all necessary corporate action has been taken by it to authorize and approve the execution and delivery of these Terms and Conditions, the completion of the transactions contemplated hereby and the observance and performance of the covenants and obligations contained herein.

9.2 The Customer shall not: (i) use the System and/or the Services to discriminate against any Applicant or in a manner that causes damage or injury to any person or property or is otherwise incompatible with any applicable law or regulation; (ii) use the System and/or the Services for any purposes other than the Business Purpose; (iii) use the System and/or the Services in a manner that could be reasonably expected to bring the Service Provider into disrepute or otherwise harm its reputation; or (iv) act or omit to act in a way that interferes with or compromises the integrity or security of the System and/or the Services.

9.3 No conditions, warranties or other terms apply to the System and/or any Services supplied by the Service Provider under these Terms and Conditions other than those expressly set forth herein. The Service Provider hereby disclaims any implied warranties whether arising under law, through course of dealing, or otherwise, including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description. In addition, the Service Provider does not warrant or enter into any other term to the effect that the Services or any other technology provided in connection with these Terms and Conditions will be entirely free from defects or errors. The Customer acknowledges that the Services are provided on an “as is” basis. The Services are not intended to be used as the sole basis for any business decision (including where those business decisions concern Applicants). The Customer agrees that the Service Provider has no liability for any inaccuracy, incompleteness or other error in the Services which is attributable to data provided by the Customer or any third party, including cases where the provision of a Service may be limited, suspended or discontinued due to a deficiency and/or unavailability of data submitted by an external third-party source the Service Provider may engage to provide the relevant Service. The Service Provider is not a consumer reporting agency and none of the information provided through the Services constitute a "consumer report" as such term is defined in the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq). The Services are expressly limited to providing supplemental information in support of the Customer’s anti-fraud, customer due diligence and identity verification procedures only. The Services are based on information that was not collected, in whole or in part, for the purpose of serving as a factor in establishing a consumer's eligibility for credit or insurance, being used primarily for personal, family or household purposes, employment, or any other similar purpose.

9.4 This clause 9.4 shall apply if: (a) the Service Provider is SUMSUB TECH LTD as stated in the section “Parties to these Terms and Conditions” above, and (b) the Customer is not incorporated and registered in Cyprus.

The Customer hereby represents and warrants that the use and enjoyment of the Services will exclusively take place outside Cyprus (for clarity, the mere fact an Applicant may be a resident of or be located in Cyprus does not constitute a breach of this clause 9.4). The Customer also hereby represents and warrants that it does not have any affiliated organizations, branches, representative offices, permanent establishments (or any other forms of conducting business) in the territory of Cyprus and does not engage in commercial activities using the Services through such forms.

10. Suspension and Termination

10.1 Either Party may terminate these Terms and Conditions at any time for convenience by giving the other Party written notice at least 30 (thirty) days prior to the purported termination date. In addition, the Customer may at any time suspend the provision of Services (without prejudice to the effect of the provisions of these Terms and Conditions unaffected by such suspension) by making a request via the Dashboard, such suspension becoming effective on the first day of the month immediately following the month of the request; for clarity, the Services remain chargeable until the suspension becomes effective and shall become chargeable again immediately once the suspension is removed by the Customer or upon the Customer’s request.

10.2 Either Party may terminate these Terms and Conditions with immediate effect by giving written notice to the other Party if: (i) the other Party is in breach of these Terms and Conditions; (ii) the other Party is in violation of any applicable law or legal regulation; or (iii) the other Party enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on business, or any analogous event happens to the other Party in any jurisdiction in which it is incorporated or resident or in which it conducts business or has assets.

10.3 Any provision of these Terms and Conditions that expressly or by implication is intended to come into or continue in force on or after the termination of these Terms and Conditions shall remain in full force and effect. Termination of these Terms and Conditions for any reason shall not affect the accrued rights, remedies, obligations or liabilities of the Parties that may have accrued by the termination date.

10.4 The Service Provider reserves the right, at its sole discretion, to limit or suspend the Customer’s or any Authorized User’s access to the System and/or the Services and/or terminate these Terms and Conditions with immediate effect where it knows or reasonably suspects that:
(i) the Customer is in breach of any warranties, representations, or obligations set out in clauses 9.1-9.2;
(ii) the Customer (including any of its affiliates and their respective ultimate beneficial owners, directors, officers, agents, or employees) is in breach of any applicable laws or regulations or is subject to any local or international sanctions or restrictions;
(iii) the Customer infringes on the Intellectual Property Rights of the Service Provider, its affiliates or its counterparties;
(iv) the Customer has disclosed any Confidential Information in a manner not permitted under these Terms and Conditions;
(v) a third party has gained unauthorised access to the System and/or the Services as a result of the Customer’s actions or omissions or by using the Security Features or other credentials previously issued by the Service Provider to the Customer or its Authorized User;
(vi) the Customer’s actions may, in the Service Provider’s reasonable opinion, be detrimental to the legitimate interests or business reputation of the Service Provider or its counterparties; or
(vii) the Customer’s usage of the Services exceeds 1000 Checks or 1000 Applicants within any given calendar day. In case of suspension, full access to the System and/or the Services may be restored by the Service Provider at its sole discretion and subject to the Customer taking such actions and providing such information as the Service Provider may further determine.

10.5. Where the Service Provider is permitted to suspend or limit the Customer’s access to the System and/or the Services under these Terms and Conditions, it shall be entitled to do so, in all cases in its sole discretion, (i) with immediate effect and with no prior notice; or (ii) in several consecutive steps (e.g., by disabling the Customer's access to the Dashboard and subsequently stopping the provision of Services altogether); or (iii) in any other manner.

11. General

11.1 A Party shall not be considered to be in breach of these Terms and Conditions, and shall be excused from performance or liability for damages to the other Party (or any third party), if and to the extent it is delayed in or prevented from performing or carrying out any of the provisions of these Terms and Conditions due to a labor disturbance, sabotage, act of the public enemy, war, invasion, insurrection, riot, fire, storm, flood, earthquake, explosion, epidemic, or any other cause beyond such Party’s reasonable control, including, but not limited to, any curtailment, order, regulation, or restriction imposed by governmental, military or lawfully established civilian authorities, or by making of repairs necessitated by an emergency circumstance not limited to those listed above upon the property or equipment of the Party or property or equipment of others which is deemed under the operational control of the Party (“Force Majeure”). Any Party claiming a Force Majeure event shall use reasonable diligence to remove the condition that prevents performance and shall not be entitled to suspend performance of its obligations in any greater scope or for any longer duration than is required by the Force Majeure event. Each Party shall use its best efforts to mitigate the effects of the Force Majeure event, remedy its inability to perform, and resume full performance of its obligations hereunder. Either Party shall be entitled to terminate these Terms and Conditions with immediate effect by giving the other Party written notice if the Force Majeure event remains unremedied for a period of 60 consecutive days.

11.2 The Service Provider may update these Terms and Conditions occasionally from time to time at its sole discretion. The Service Provider shall use reasonable endeavours to notify the Customer of such updates by email and/or via the Dashboard and/or via the Website. The Customer is solely responsible for ensuring it has read, acknowledged, and agreed to the updated version of these Terms and Conditions. For the avoidance of doubt, the Customer’s continued usage of the System and/or the Services or the fact the Customer had not objected to the updates made to these Terms and Conditions before they became effective shall be regarded as acceptance of the updates.

11.3 Failure or delay of either Party in exercising any right or remedy under these Terms and Conditions shall not constitute a waiver of such (or any other) right or remedy. The use of any remedy by either Party shall not constitute an election of that remedy to the exclusion of any other right or remedy.

11.4 If any provision of these Terms and Conditions (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of these Terms and Conditions.

11.5 These Terms and Conditions constitute the whole agreement between the Parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter of these Terms and Conditions (unless expressly agreed otherwise by the Parties). Each Party acknowledges that in entering into these Terms and Conditions, it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other Party in relation to the subject matter of these Terms and Conditions other than those which are set out herein (or those which the Terms and Conditions explicitly refer to).

11.6 Except as expressly stated otherwise, nothing in these Terms and Conditions shall create or confer any rights or other benefits in favour of any person other than the Parties. Except as expressly stated otherwise, nothing in these Terms and Conditions shall create an agency, partnership or joint venture of any kind between the Parties. Neither Party shall have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.

11.7 The Customer may not assign any of its rights or obligations under these Terms and Conditions without the prior written consent of the Service Provider, such consent not to be unreasonably withheld. If permitted under the applicable laws and regulations, the Service Provider may assign its rights and/or obligations to one of its affiliates (meaning entities controlled by, controlling, or under common control with the Service Provider) without the Customer’s consent. Notwithstanding the foregoing, either Party may assign, subject to advance written notice, its rights or obligations under these Terms and Conditions to an acquirer of all or substantially all of the assets of such Party without the consent of the other.

11.8 The Customer is only permitted to make public announcements and/or publish written materials concerning the Service Provider and/or the existence and nature of the business relationship between the Parties subject to the Service Provider’s prior written consent, except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction. The Service Provider may freely use the Customer’s trademarks (including logos) in its promotional or marketing materials, on the Website, etc., for the purpose of publicly identifying the Customer as its counterparty.

11.9 Unless specified otherwise in these Terms and Conditions, any notice or communication required or permitted to be given hereunder shall be in writing and in English. It may be delivered:
(i) by hand to a responsible person during ordinary business hours at the then current physical address as indicated by the receiving Party and shall be deemed received on the day of delivery,
(ii) by email to the receiving Party’s chosen email address and shall be deemed received on the date and at the time recorded by the recipient’s email server (unless there is evidence to the contrary that it was delivered on a different date or at a different time),
(iii) via Dashboard, or
(iv) via other means mutually and explicitly agreed in writing by the Parties, and shall be deemed received by written or automated receipt or electronic log (as applicable). The Parties may update their email and physical addresses for notices or communication at any time by notice in writing, or through the Dashboard, or as otherwise provided under this clause 11.9.

11.10 The Parties shall: (i) comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption ; (ii) promptly report to the other Party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of these Terms and Conditions.

11.11 Governing Law and Dispute Resolution

• The Service Provider

  Governing Law and jurisdiction

• SUM AND SUBSTANCE LTD or SUMSUB TECH LTD

  This Agreement and all disputes and claims arising out of or in connection with it are governed by English law.
  
  All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by arbitration administered by the International Court of Arbitration of the International Chamber of Commerce in accordance with the Rules of Arbitration of the International Chamber of Commerce.
  The parties agree, pursuant to Article 30(2)(b) of the Rules of Arbitration of the International Chamber of Commerce, that the Expedited Procedure Rules shall apply irrespective of the amount in dispute.
  The number of arbitrators shall be one.
  The law governing this arbitration clause shall be English law.
  The seat of the arbitration shall be London, England.
  The language of the arbitration shall be English.
  
  No award or procedural order made in the arbitration shall be published. The Parties shall at all times treat all matters relating to the proceedings and any arbitral award as confidential.

• SUMSUB TECHNOLOGY LLC

  This Agreement and all disputes and claims arising out of or in connection with it are governed by English law.
  All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by an arbitration administered by the Singapore International Arbitration Centre (“SIAC”) under the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference into this clause.
  The Parties agree, pursuant to Rule 5.1(b) of the SIAC Rules, that the Expedited Procedure shall apply.
  The number of arbitrators shall be one. The law governing this arbitration clause shall be English law.
  The seat of the arbitration shall be Singapore.
  The language of the arbitration shall be English.
  
  In respect of any court proceedings in Singapore commenced under the International Arbitration Act 1994 in relation to the arbitration, the parties agree (a) to commence such proceedings before the Singapore International Commercial Court (“the SICC”); and (b) in any event, that such proceedings shall be heard and adjudicated by the SICC.

• Sumsub Inc.

  This Agreement and all disputes and claims arising out of or in connection with it are governed by the laws of the State of New York.
  With the sole exception of any application for injunctive relief, the Parties irrevocably agree that the courts of the State of New York have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Agreement (including their subject matter or formation).
  The Parties agree that the prevailing Party shall be entitled to recover, on a full indemnity basis, from the other Party the costs and disbursements it incurs in the proceedings, including any attorney’s fees.

• Sumsub APAC Pte. Ltd.

  This Agreement and all disputes and claims arising out of or in connection with it are governed by the laws of Singapore.
  
  All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (“SIAC”) under the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference into this clause.
  The Parties agree, pursuant to Rule 5.1(b) of the SIAC Rules, that the Expedited Procedure shall apply.
  The number of arbitrators shall be one.
  The law governing this arbitration clause shall be Singapore law.
  The seat of the arbitration shall be Singapore.
  The language of the arbitration shall be English.
  
  In respect of any court proceedings in Singapore commenced under the International Arbitration Act 1994 in relation to the arbitration, the parties agree (a) to commence such proceedings before the Singapore International Commercial Court (“the SICC”); and (b) in any event, that such proceedings shall be heard and adjudicated by the SICC.

Annex 1 – Service Level Agreement

1.1 This Service Level Agreement (“SLA”) is a policy governing the use of the Service Provider’s API and/or SDK (hereinafter “Sumsub Service”) by the Customer.

1.2 Except as otherwise provided herein, this SLA is subject to the Terms and Conditions. Terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions.

1.3 “Service Availability” means Sumsub Service may be accessed and used by the Customer for the Business Purpose and in accordance with the Terms and Conditions.

1.4 “Uptime Commitment” means the Service Availability shall be at least ninety-nine and five tenths percent (99.5%) in each calendar month.

1.5 Uptime measurement: the Service Provider shall measure uptime by checking the response of Sumsub Service. Every one (1) minute, a third-party service will attempt to access Sumsub Service. If the service does not receive a successful HTTPS response – that is, a HTTPS response code of 2XX or 3XX – that will count as one minute of downtime. The unavailability of Sumsub Service shall be calculated from the time that such unavailability is reported by the Customer to the Service Provider at [email protected].

1.6 Exclusions: The calculation of Uptime Commitment excludes instances of: Force Majeure events, Scheduled Maintenance, or Emergency Maintenance. Scheduled Maintenance means the Service Provider may allocate up to five (5) hours per calendar month to performing maintenance on the System or installing upgrades, fixes or reconfigurations. Emergency Maintenance means the Service Provider may conduct emergency maintenance with no prior notice in order to resolve server security issues or other emergency issues. The Service Provider will use best endeavours to notify the Customer at the beginning and end of such Emergency Maintenance, and will provide details on the nature of the work being performed.

Annex 2 – Payment Terms

1. Fees

1.1 Subject to the chosen Pricing Plan and the respective Specification, the Customer shall be obliged to pay the Service Provider Pre-Payment, Commitment, Check Charges, Service Charges, Subscription Fees, and/or Installation Fees (“Fees”) based on invoices sent by the Service Provider (several invoices may be issued, simultaneously or at different times, in respect of the same reporting period, depending on the exact Fees payable in that reporting period). For the avoidance of doubt, all Fees shall be non-refundable.

The Service Provider shall have the right to suspend or limit the Customer’s access to the Services and/or the System: (i) until all payments overdue under the T&C (if any) are received by the Service Provider in full; and/or (ii) as otherwise may be provided under this Annex 2.

Where the Service Provider may withdraw any amount payable by the Customer under the T&C from the Customer’s bank account as described below, that amount becomes overdue immediately after:

• •for cases described under clause 2.3.3, Scenario 2 below – the first unsuccessful (for any reason) attempt of the Service Provider to withdraw it from the Customer’s bank account in full;
• •regarding the first Commitment payable by the Customer upon the Billing Start Date or upon subscription to a new Pricing Plan, if any – the first unsuccessful (for any reason) attempt of the Service Provider to withdraw it from the Customer’s bank account in full;
• •in all other cases – the third unsuccessful (for any reason) attempt of the Service Provider to withdraw it from the Customer’s bank account in full.

1.1.1 Pre-Payment is paid regularly (upon the Billing Start Date and upon the commencement of each Renewal Period). THE CUSTOMER FULLY ACKNOWLEDGES, ACCEPTS AND AGREES THAT THE PRE-PAYMENT IS NON-CANCELLABLE, NON-REFUNDABLE, AND NON-RECOUPABLE AND PAID ON AN UNCONDITIONAL BASIS (IRRESPECTIVELY OF WHETHER ANY SERVICES WERE RENDERED WITHIN THE INITIAL PERIOD OR THE GIVEN RENEWAL PERIOD, AS THE CASE MAY BE). FOR CLARITY, ONCE THE INITIAL PERIOD OR THE GIVEN RENEWAL PERIOD (AS THE CASE MAY BE) ENDS OR IS TERMINATED, THE UNUSED PART OF THE RESPECTIVE PRE-PAYMENT AUTOMATICALLY EXPIRES AND IS NOT SUBJECT TO REFUND. Notwithstanding this, subject to paying the Pre-Payment, the Customer shall be entitled to use a volume of Checks and/or other Services corresponding to the amount of the Pre-Payment within the Initial Period or the given Renewal Period, as the case may be, such volume to be calculated based on the price of an individual Check / other Services as set out in the chosen Pricing Plan. Once the Pre-Payment is exceeded and until another Pre-Payment is paid, any additional Checks and other Services are billed separately.

Should the Customer fail to pay any Pre-Payment, THE CUSTOMER ACKNOWLEDGES AND AGREES THAT THE SERVICE PROVIDER MAY, AT ITS SOLE DISCRETION, TRANSFER THE CUSTOMER TO ANOTHER PRICING PLAN AND/OR LIMIT OR SUSPEND THE CUSTOMER’S ACCESS TO THE SYSTEM AND/OR THE SERVICES.

1.1.2 Commitment is paid regularly (upon the beginning of every reporting period) and on an unconditional basis (irrespectively of whether any Services were rendered within the given reporting period). Once the Commitment is exceeded (as a result of deduction of the other Fees payable and deductible from the Commitment as per the applicable Pricing Plan), any additional Services are billed separately. For clarity, (i) the Commitment is payable even in the absence of the Customer’s usage of any Services; and (ii) once the respective reporting period ends, the unused part of the Commitment automatically expires and is not subject to refunds. Where the Commitment and the Pre-Payment are included in a Pricing Plan simultaneously, the Commitment could be deductible from the Pre-Payment as stated in the respective Pricing Plan.

1.1.2 Check Charges and Service Charges are paid separately for each Check conducted and for other Services rendered during a reporting period and, by default, are deducted from the Commitment or the Pre-Payment. Where the Customer incurs any Check Charges and/or Service Charges in excess of any given Commitment or Pre-Payment (as the case may be), a separate invoice may be issued by the Service Provider for such additional Fees.

1.1.3 Subscription Fees are paid for the provision of specific Services regularly (once in a reporting period) and on an unconditional basis. They are not deductible from the Commitment but may be deductible from the Pre-Payment as indicated in the respective Pricing Plan. For clarity, Subscription Fees are payable even in the absence of the Customer’s usage of the respective Service(s). A separate invoice may be issued by the Service Provider for Subscription Fees payable in any given reporting period.

1.1.4 Installation Fee is paid once for the activation of a given Service. The Installation Fee is not deductible from the Commitment but may be deductible from the Pre-Payment as indicated in the respective Pricing Plan.

1.2 The Fees do not include any applicable taxes, levies, duties, or other similar exactions imposed by a legal, governmental, or regulatory authority in any relevant jurisdiction, including, without limitation, sales, use, value-added, consumption, communications, or withholding taxes. Any amounts of such taxes are not to be deducted by the Customer from amounts payable to the Service Provider. Furthermore, the Fees do not include any charges or commissions imposed by any bank.

1.3 The Service Provider reserves the right to adjust any Fees payable by the Customer under these Terms and Conditions as follows:

a) provided that any external third-party source engaged by the Service Provider increases an existing charge and/or changes the basis on which it provides information necessary for the provision of any particular Service(s) to the Customer, which results in the Service Provider incurring additional costs in order to keep providing the said Service(s), the Service Provider may, in relation to such Service(s) only, increase the Fees payable under the Agreement by the said additional costs;

b) provided that any increase in the Fees other than the one described in clause 1.3(a) above may only be executed once in 12 months and shall not exceed fifteen percent (15%) of the Fees that were in effect prior to such adjustment, the Service Provider may additionally adjust any Fees, effective as of the commencement of the following Renewal Period.

The Service Provider shall notify the Customer of above-mentioned adjustments no later than 15 days prior to the prospective date of their enforcement. In the event that the Customer does not wish to accept the adjustments and the Parties fail to resolve the issue by negotiations within 7 business days, the Customer may terminate the Terms and Conditions with immediate effect by giving written notice to the Service Provider.

1.4. In case of a conflict between this Annex 2 and any applicable Pricing Plan, the latter shall prevail.

2.3 The Fees shall be charged as follows:

2.3.1 the Pre-Payment, if any, shall be payable by the Customer as reasonably practicable upon the Billing Start Date (or, as the case may be, once the Customer converts to a Pricing Plan including a Pre-Payment) and upon the commencement of any given Renewal Period. The Service Provider may automatically withdraw the corresponding amount from the bank account specified by the Customer at any time (i) after the Customer’s subscription to the respective Pricing Plan; and (ii) for recurring subscriptions – after the beginning of every Renewal Period ;

2.3.2 the Service Provider may automatically withdraw the Commitment, if any, from the bank account specified by the Customer: (i) within the first 5 days (on the 1st, 2nd, 3rd, 4th or 5th day, at the Service Provider’s discretion) from the Customer’s subscription to the respective Pricing Plan; and (ii) within the first 5 days (on the 1st, 2nd, 3rd, 4th or 5th day, at the Service Provider’s discretion) of every following reporting period;

2.3.3 the Service Provider may automatically withdraw Check Charges and/or Service Charges incurred in excess of the Commitment (if any) in any given reporting period, and Subscription Fees, if any, from the bank account specified by the Customer as follows:.

Scenario 1 - unless the criteria outlined in Scenario 2 are met, withdrawals may only occur within the first 5 days (specifically on the the 1st, 2nd, 3rd, 4th or 5th day, at the Service Provider’s discretion) of the month following the reporting period;

Scenario 2:

• •withdrawals may occur on any day when the total amount outstanding under the T&C reaches $3,000 USD. For clarity, if there are several outstanding amounts equal to or exceeding $3,000 USD each or cumulatively, the Service Provider may attempt to withdraw them separately or simultaneously;
• •if the total amount outstanding under the T&C reaches $10,000 USD and at least one attempt to withdraw it in full from the Customer’s bank account has failed for any reason, the Service Provider can immediately and with no notice suspend the Customer’s access to the Services and the System until the outstanding amount is paid in full (without prejudice to the Service Provider’s right to suspend or limit the Customer’s access to the System and/or the Services as may be elsewise permitted under the T&C).

2.3.4 The Service Provider may automatically withdraw Installation Fees, if any, from the bank account specified by the Customer immediately once the respective Service is activated or at any time thereafter.

2.4. A reporting period shall constitute one calendar month.

Annex 3

Data processing agreement

Background

This Personal Data Processing Agreement (hereinafter “Agreement“) is supplemental to the Terms and Conditions (also “Master Agreement”) and applies as set out therein.

This Agreement sets out the additional terms, requirements and conditions on which the Service Provider (hereinafter Sumsub) will process Personal Data when providing Services under the Terms and Conditions. This Agreement contains the mandatory clauses required under applicable Data Protection Legislation for contracts regarding data sharing and data processing activities.

Agreed terms

1. Definitions and interpretation

The following definitions, as well as those set out in the Terms and Conditions, apply to this Agreement:

a. Authorised Persons: the persons or categories of persons that the Customer authorizes to give Sumsub Personal Data processing instructions pursuant to clause 2.1. (a).

b. Applicant’s information: any information of Applicant, including Personal Data related to Applicant, tags of approval, rejection and resubmission, as well as log information.

c. Business Purposes: execution of the Terms and Conditions or any other purpose specifically defined by the Customer in Annex A.

d. Data Subject: an individual who is the subject of Personal Data, whose Personal Data is processed under this Agreement (can be referred to as ‘Applicant’).

e. Personal Data: means any information relating to an identified or identifiable natural person which is processed as a result of, or in connection with, the provision of the services under the Terms and Conditions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Data Subject).

f. Processing, processes and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

g. Data Protection Legislation: any law concerning the protection of privacy and Personal Data that may apply to the processing of Personal Data under the Terms and Conditions and this Agreement, including:

• The Service Provider

  Applicable Data Protection Legislation

• SUM AND SUBSTANCE LTD

  UK Data Protection Legislation means the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA 2018’), any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426);

• SUMSUB TECH LTD

  EU Data Protection Legislation means all applicable privacy and data protection laws within the European Union (EU), including the EU General Data Protection Regulation ((EU) 2016/679)(‘EU GDPR’);

• SUMSUB TECHNOLOGY LLC

  UAE Data Protection Legislation means those laws, rules, and regulations of the United Arab Emirates relating to privacy, security, or data protection, including, as applicable, the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (‘UAE DP Law’), Dubai International Financial Centre Data Protection Law (‘DIFC Data Protection Law 2020’), Abu Dhabi Global Market Data Protection Regulations 2021 (‘ADGM DP Regulations’);

• Sumsub Inc.

  US Data Protection Legislation means those laws, rules, and regulations of the United States of America relating to privacy, security, or data protection, including, as applicable, the California Consumer Privacy Act (‘CCPA’) and its replacement, the California Privacy Rights Act (‘CPRA’), the Virginia Consumer Data Protection Act (‘VCDPA’), the Colorado Privacy Act (‘CPA’), the Utah Consumer Privacy Act (‘UCPA’), the Illinois Biometric Information Privacy Act (‘BIPA’), the Washington’s Biometric Identifiers Law (‘H.B. 1493’), Texas Capture or Use of Biometric Identifier Act (‘CUBI’) and other laws that may apply to the processing of personal data under the Terms and Conditions and this Agreement;

• Sumsub APAC Pte. Ltd.

  Singapore Data Protection Legislation means those laws, rules, and regulations of the Republic of Singapore relating to privacy, security, or data protection, including Personal Data Protection Act 2012 (No. 26 of 2012) and the Personal Data Protection (Amendment) Act 2020 (collectively referred to as 'PDPA').

h. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

i. Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

j. Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

The definitions specified herein should be interpreted in light of the applicable Data Protection Legislation. For clarity, “Controller”, “Processor”, and other aforementioned definitions are intended to include equivalent concepts under the applicable Data Protection Legislation. Where specific Data Protection Legislation applies, and the definition of terms differs from those specified herein, the meaning given in the applicable laws shall prevail.

1.2 This Agreement is subject to the terms of the Terms and Conditions and is incorporated into the Terms and Conditions. Interpretations and defined terms set forth in the Terms and Conditions apply to the interpretation of this Agreement.

1.3 Any Annexes to this Agreement form a part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes Annexes.

The Agreement includes the following Annexes:
Annex A: Data Processing Instruction
Annex B: Consent and Privacy Notice Wording
Annex С: International Data Transfer Safeguards

1.4 A reference to writing or written includes faxes, email and electronic messaging services, which the parties typically use to exchange information in order to execute the Terms and Conditions.

1.5 In the case of conflict or ambiguity between

a. any provision contained in the body of this Agreement and any provision contained in any Annex hereto, the provision in the body of this Agreement will prevail;

b. any of the provisions of this Agreement and the provisions of the Terms and Conditions, the provisions of this Agreement will prevail.

2. Personal Data processing

2.1 The Customer and Sumsub acknowledge and agree that for the purpose of the Data Protection Legislation:

a. Sumsub processes Personal Data provided by the Customer or its Applicants (directly or, regarding Personal Data submitted by an Applicant as per Sumsub ID User Terms and Conditions specifically, via one of Sumsub’s affiliate entities) in relation to the Customer’s use of Services as a Processor. The Customer is a Controller which determines the purposes and scope of processing and instructs Sumsub on how to process Personal Data. Specifically, the Customer will provide or make available to Sumsub, the specific purposes, duration and nature of such collection being described in Annex A. The Customer retains control of the Personal Data and remains responsible for compliance with its obligations under the applicable Data Protection Legislation and for the processing instructions it gives to Sumsub, while Sumsub will process Personal Data as described in this Agreement or in the respective instructions and implement appropriate technical and organisational measures as set out in clause 5 of this Agreement. Where applicable, Sumsub is responsible for storing the Applicant’s information, including any Personal Data, tagged with the corresponding risk level by the Customer. In case the fraud suspicion or commitment is reasonably high, the Customer, pursuant to its purposes related to fraud prevention and/or avoidance, authorises Sumsub to assign a relevant risk score to the Applicant's information. Where Sumsub acts as a Processor on the Customer’s behalf, the parties will also comply with the obligations set out in this Agreement.

b. In some circumstances, Sumsub may process and aggregate some of the Personal Data provided by Customer with data received from other sources (including Data Providers and other customers) as an independent Controller for the purposes of development and improvement of the Services, including means of artificial intelligence (e.g. machine-learning techniques), flagging potentially fraudulent patterns which could lead to or signal of any illicit activity, providing сustomers with calculated risk score information and information about the increased risk of fraud to assist customers in determining whether the user is a genuine user or there is a potential risk of impersonation fraud, concealing a real identity etc. and log audit reports as applicable, provided that Sumsub’s processing purposes are compatible with the Customer’s. Sumsub warrants that such processing relates to preventing and detecting fraud and other illicit activity as part of substantial public interest, and the Customer hereby authorises such use, including profiling of Personal Data. Even after the Customer’s relationship with Sumsub is terminated, Sumsub may retain the Personal Data and related inferences where it has a lawful basis for doing so, including for purposes of Sumsub’s own legitimate interests of continuing to provide services for all Sumsub customers, complying with its legal obligations, resolving disputes, and enforcing its agreements and serving the (substantial) public interest. Where Sumsub acts as an independent Controller, each party shall be individually responsible for its own processing of the Personal Data and compliance with applicable Data Protection Legislation unless otherwise provided herein.

2.2 To the extent the Customer provides Personal Data related to the execution of the Terms and Conditions via Sumsub’s website, dashboard, or other communication means (including in connection with any requests), Sumsub will process such Personal Data in accordance with Sumsub’s privacy notice available at https://sumsub.com/privacy-notice/

2.3 Party shall notify the other Party of any request for the disclosure of Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency in accordance with clause 18 of this Agreement.

3. Parties’ obligations

3.1 Sumsub’s obligations as the Processor:

a. Sumsub will only process the Personal Data to the extent and in such a manner as is necessary for the Business Purposes and this Agreement. Sumsub will also process Personal Data in accordance with the Customer's written instructions from Authorised Persons, if applicable. Sumsub will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or Data Protection Legislation.

b. Sumsub must promptly comply with any of the Customer’s requests or instructions from Authorised Persons requiring Sumsub to rectify, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

Sumsub must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with Data Protection Legislation.

c. Sumsub will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement generally authorises the disclosure or as required by law. If a law, court, regulator or supervisory authority requires Sumsub to process or disclose Personal Data, Sumsub must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the law prohibits such notice.

d. Sumsub will reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Legislation, taking into account the nature of Sumsub's processing and the information available to Sumsub, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

e. Regardless of the type of integration (Web SDK or API) the Customer applies and unless the Customer instructs otherwise, Sumsub will (i) assist the Customer in notifying Data Subjects that Sumsub’s Services may involve processing of their biometric data and (ii) where applicable under Data Protection Legislation, require Data Subjects to consent to such processing before its commencement.

3.2 Customer’s obligations as the Controller:

a. The Customer represents and warrants that it has taken all the required measures to ensure that Sumsub and its subprocessors may lawfully process the Personal Data in accordance with the applicable Data Protection Legislation.

b. The Customer ensures that all required privacy notices have been given to all Data Subjects and/or, as may be applicable under the Data Protection Legislation, all necessary consents have been obtained from Data Subjects before their Personal Data is processed by Sumsub or its subprocessors. Such notices and consents must be sufficient in scope to enable each Party to process the Personal Data as envisaged under this Agreement and the Master Agreement and in accordance with the applicable Data Protection Legislation, including the transfer of such Personal Data to and by Sumsub (including by having provided all necessary notices and obtained all necessary consents allowing both Parties to process biometric data pursuant to applicable Data Protection Legislation and any other applicable national rules, laws, regulations, directives and governmental requirements concerning biometric data).

In particular, the Customer will ensure the Data Subjects are familiarised with the notice wording contained in Annex B and/or, as may be applicable under the Data Protection Legislation, obtain each Data Subject’s consent to that wording before any Personal Data is provided to Sumsub.

When processing Personal Data of a child, the Customer shall make reasonable efforts to assure that the holder of parental responsibility over the child has given consent for the Processing or authorised the Processing in another manner required under applicable Data Protection Legislation.

c. Upon redirection by Sumsub of requests made by Data Subjects or the authorities empowered by the applicable Data Protection Legislation, the Customer will respond to the requests concerning the processing of Personal Data conducted by Sumsub and controlled by the Customer or provide Sumsub with the relevant instruction on responding such a request. The communication details are provided in clause 18 of this Agreement.

For requests made by the authorities empowered by the applicable Data Protection Legislation the Parties shall use the notice contacts in accordance with clause 18 of this Agreement. The Customer shall notify Sumsub of any inquiries by the supervisory authorities about Sumsub Service or Sumsub Processing of Personal Data.

4. Sumsub personnel

4.1 Sumsub will ensure that all of its personnel

i. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data; ii. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and iii. are aware of both of Sumsub's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4.2 Sumsub will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable law on all of Sumsub's personnel with access to the Personal Data.

5. Data Protection and Security

5.1 Sumsub must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5.2 Sumsub will keep detailed, accurate and up-to-date records on actions committed by the Customer and Sumsub personnel in order to ensure records of compliance with obligations under this Agreement and Sumsub will provide the Customer with copies of the Records upon request.

6. Personal Data Breach

6.1 Sumsub will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Sumsub will restore such Personal Data at its own expense.

6.2 Sumsub will immediately and without undue delay notify the Customer if it becomes aware of:

a. any accidental, unauthorised or unlawful processing of the Personal Data; or

b. any Personal Data Breach.

6.3 Where Sumsub becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide the Customer with the following information:

i. description of the nature of (a) and/or (b), including the categories and an approximate number of both Data Subjects and Personal Data records concerned;

ii. the likely consequences; and

iii. description of the measures taken or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.

6.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Sumsub will reasonably cooperate with the Customer in the Customer's handling of the matter, including

i. assisting with any investigation;

ii. providing the Customer with physical access to any facilities and operations affected;

iii. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

iv. facilitating interviews with Sumsub's employees, former employees and others involved in the matter;

v. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

vi. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

6.5 Sumsub will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law.

6.6 Sumsub agrees that the Customer has the sole right to determine:

i. whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

ii. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.7 Sumsub will cover all reasonable expenses associated with the performance of the obligations under clause 6.2 and clause 6.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

7. International transfers of personal data

7.1 Sumsub (or any subcontractor) may transfer Personal Data outside of the Country of the Customer and process it in the European Union provided that:

i. data recipients or third countries ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Customer Personal Data as determined by the applicable Data Protection Legislation;

ii. the transfer is based on appropriate safeguards or another legally recognised transfer method under the Data Protection Legislation.

If conditions under point (i) change resulting in the inability to rely on it as a data transfer mechanism by the Parties, the transfer in point (ii) shall be conducted as provided in clause 7.2.

If there are any laws or regulations applicable to Customer that require the Customer to obtain an authorisation, consent, approval or other decision in any form from any regulatory authority to transfer and process Personal Data, or any other data to be disclosed to Sumsub (personal, payment data, confidential data etc.), outside of the Customer’s country, the Customer is solely responsible for obtaining any such authorisation before disclosing Personal Data to Sumsub for зrocessing. Sumsub shall not be responsible for non-compliance with any such laws or regulations requiring the Customer to store and process Personal Data in the Customer’s country.

• The Service Provider

  International data transfer mechanism

• SUM AND SUBSTANCE LTD

  7.2 If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the International Data Transfer Agreement (‘IDTA’) or International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (‘IDTA Addendum’) in order to comply with the UK Data Protection Legislation, the parties conclude IDTA or the IDTA Addendum as indicated in corresponding Schedules of Annex C, which shall be deemed incorporated into and form a part of this DPA, as follows:
  In relation to the restricted transfers of Personal Data under the UK Data Protection Legislation, the IDTA Addendum will apply with the modifications as provided in Schedule 3;
  Where the Parties have effective the SCCs in place, the IDTA Addendum will apply with the modifications as provided in Schedule 4.
  If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the Standard Contractual Clauses (‘SCCs’) that are available here (https://eur-lex.europa.eu) in order to comply with the Data Protection Legislation, the parties conclude SCCs as indicated in corresponding Schedules of Annex C which shall be deemed incorporated into and form a part of this Agreement, as follows:
  
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the SCCs shall apply, completed as provided in Schedule 1.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the SCCs shall apply completed as provided in Schedule 2.

• SUMSUB TECH LTD

  7.2 If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the Standard Contractual Clauses (‘SCCs’) that are available here (https://eur-lex.europa.eu) in order to comply with the Data Protection Legislation, the parties conclude SCCs as indicated in corresponding Schedules of Annex C which shall be deemed incorporated into and form a part of this Agreement, as follows:
  
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the SCCs shall apply, completed as provided in Schedule 1.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the SCCs shall apply completed as provided in Schedule 2.

• SUMSUB TECHNOLOGY LLC

  7.2 Where any data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the DIFC Standard Contractual Clauses (‘DIFC SCCs’) that are available at https://www.difc.ae/business/operating/data-protection/data-export-and-sharing/ in order to comply with the DIFC Data Protection Law 2020, the Parties conclude DIFC SCCs as indicated in corresponding Schedules of Annex C, which shall be deemed incorporated into and form a part of this Agreement as follows:
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the DIFC SCCs shall apply, completed as provided in Schedule 5.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the DIFC SCCs shall apply completed as provided in Schedule 6.
  
  Where any data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the ADGM Standard Contractual Clauses (‘ADGM SCCs’) that are available at https://www.difc.ae/business/operating/data-protection/data-export-and-sharing/ in order to comply with ADGM Data Protection Regulations 2021, the Parties conclude ADGM SCCs as indicated in corresponding Schedules of Annex C, which shall be deemed incorporated into and form a part of this Agreement as follows:
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the ADGM SCCs shall apply, completed as provided in Schedule 7.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the ADGM SCCs shall apply completed as provided in Schedule 8.

• Sumsub Inc.

  7.2 If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the Standard Contractual Clauses (‘SCCs’) that are available here (https://eur-lex.europa.eu) in order to comply with the Data Protection Legislation, the parties conclude SCCs as indicated in corresponding Schedules of Annex C which shall be deemed incorporated into and form a part of this Agreement, as follows:
  
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the SCCs shall apply, completed as provided in Schedule 1.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the SCCs shall apply completed as provided in Schedule 2.
  
  In relation to transfers of Personal Data protected by the UK Data Protection Legislation, the EU SCCs, as implemented in Schedules 1 and 2 of Annex C, will apply with the following modifications:
  i. the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum, and
  ii. tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedule 4 of Annex C of this DPA (as applicable).

• Sumsub APAC Pte. Ltd.

  7.2 If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the Standard Contractual Clauses (‘SCCs’) that are available here (https://eur-lex.europa.eu) in order to comply with the Data Protection Legislation, the parties conclude SCCs as indicated in corresponding Schedules of Annex C which shall be deemed incorporated into and form a part of this Agreement, as follows:
  
  a) In relation to transfers of Personal Data per clause 2.1.(a) of this DPA, the SCCs shall apply, completed as provided in Schedule 1.
  b) In relation to transfers of Personal Data per clause 2.1.(b) of this DPA, the SCCs shall apply completed as provided in Schedule 2.
  
  In relation to transfers of Personal Data protected by the UK Data Protection Legislation, the EU SCCs, as implemented in Schedules 1 and 2 of Annex C, will apply with the following modifications:
  i. the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum, and
  ii. tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedule 4 of Annex C of this DPA (as applicable).

7.3 In cases where a third-party processor is involved in fulfilling the Terms and Conditions and processing Personal Data in accordance with this Agreement, and such a third-party processor is located in a third country, the transfer of data from Sumsub to this third-party processor requires application of certain appropriate safeguards, such transfers will be subject to the appropriate safeguards specified in applicable Data Protection Legislation.

Where possible, such transfers should be made to countries deemed to have an adequate level of Personal Data protection under the applicable Data Protection Legislation.

7.4 When the Customer transfers any Personal Data from the System or provides access to the System to any third party or recipient, including those located outside the EU/EEA/UK or another jurisdiction resulting in an obligation to comply with provisions on international data transfers, the Customer is solely responsible for ensuring that such transfer is legal and is subject to the applicable protection regime and/or appropriate safeguards in accordance with applicable Data Protection Legislation.

8. Subprocessors

8.1 Sumsub may authorise a subprocessor to process the Personal Data, and it hereby represents and guarantees, subject to clauses 16 and 17, that:

a. Sumsub enters into a written contract with the subprocessor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures;

b.Sumsub maintains control over all Personal Data it entrusts to the subprocessor.

The Customer grants Sumsub general authorisation to engage any subprocessor by selecting a set of services for which this subprocessor needs to be involved when signing the Terms and Conditions. Sumsub will maintain the list of engaged subprocessors, which will be updated in the Dashboard notifications and which the Customer shall read and review to receive the updated information. If the Customer objects to the engagement of the specified subprocessor and provides legitimate reasons for the objection, Sumsub, may (i) cease to use the new subprocessor with regard to Personal Data (if possible, to continue providing service without using a particular subprocessor, and it will not affect SLA and quality of service), (ii) taking into account the costs and state of the art, consider providing another subprocessor, or (iii) If it is impossible to provide another subprocessor or if the Customer objects to any subprocessor, Sumsub may cease to provide or the Customer may agree not to use (temporarily or permanently) the particular aspect of a Sumsub Service that would involve the use of the subprocessor to process Personal Data. Sumsub or the Customer may terminate this Agreement in accordance with clause 11.4. Hereto.

8.2 Where the subprocessor fails to fulfil its obligations under such a written agreement, Sumsub remains fully liable to the Customer for the subprocessor's performance of its agreement obligations.

8.3 The Parties consider Sumsub to control any Personal Data controlled by or in possession of its subprocessors.

9. Recipients

9.1 The parties agree that any transfer of Personal Data within the Dashboard from the Customer to a third party will be possible only if:

i. appropriate contractual obligations and other relevant obligations will be entered into between the Customer and the third party under applicable Data Protection Legislation; and

ii. the Customer will give written instructions for such a transfer by completing the relevant legal arrangement.

10. Complaints, data subject requests and third-party rights

10.1 Sumsub must, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:

i. he rights of Data Subjects under the Data Protection Legislation, including subject access and portability rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

ii. information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.

10.2 Sumsub must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation. The communication details are indicated in clause 18 of this Agreement.

10.3 Sumsub must notify the Customer within 10 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

10.4 Sumsub will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.

10.5 Sumsub must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Agreement or as required by law.

11. Term and termination

11.1 This Agreement will remain in full force and effect so long as the Terms and Conditions remain in effect.

11.2 Any provision of this Agreement that expressly should come into or continue in force on or after the termination of the Terms and Conditions in order to protect Personal Data will remain in full force and effect.

11.3 Sumsub's failure to comply with the terms of this Agreement is, for the avoidance of doubt, a breach of the Terms and Conditions. In such an event, the Customer may terminate any part of the Terms and Conditions authorising the processing of Personal Data effective immediately on written notice to Sumsub without further liability or obligation.

11.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Terms and Conditions obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 2 (two) months, they may terminate the Terms and Conditions on written notice to the other party. By signing this agreement, the Customer agrees that the termination is the sole remedy in such a situation.

12. Data return and destruction

12.1 At the Customer's request, Sumsub will give the Customer a copy of or access to all or part of the Customer's Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

12.2 Sumsub will cease any processing and delete and/or return if directed in writing by the Customer, all or any Personal Data related to this Agreement upon (i) instruction from the Customer in connection with the Services or (ii) written request of the Customer in connection with the termination of the Terms and Conditions for any reason or expiry of its term.

This clause does not apply to the processing of Personal Data carried out in accordance with clause 2.1.(b).

12.3 If any law, regulation, or government or regulatory body requires Sumsub to retain any documents or materials that Sumsub would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

12.4 Where the Customer has instructed that any Personal Data be deleted, Sumsub will certify in writing that it has destroyed the Personal Data within 30 days after it completes the destruction.

13. Review

13.1 The Customer and Sumsub must review the information listed in Annex A to this Agreement once a year or earlier subject to mutual consent to confirm its current accuracy and update it when required to reflect current practices.

14. Audit

14.1 Sumsub shall, in accordance with Data Protection Legislation, make available to the Customer any information as is reasonably necessary to demonstrate Sumsub's compliance with its obligations as a data processor under the Data Protection Legislation and allow for and contribute to audits, including inspections, by the Customer, subject to the Customer:

i. giving Sumsub 30-day prior notice of such information request, audit and/or inspection being required;

ii. ensuring that all information obtained or generated in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a supervisory authority or as otherwise required by applicable law);

iii. ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Sumsub's business, a subprocessors' business and the business of other customers of Sumsub; and

iv. paying Sumsub's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

14.2 Clause 14.1. shall be ensured as follows:

i. remote electronic access to, and copies of the Records and any other relevant information held at Sumsub's premises or on systems storing Personal Data;

ii. access to any of Sumsub's personnel reasonably necessary to provide all explanations and perform the audit effectively; and

iii. remote inspection of all relevant documentation and the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transport Personal Data.

14.3 At least once a year, Sumsub will conduct audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

14.4 Sumsub will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Sumsub's management.

15. Breach Notification

15.1 If a Personal Data Breach occurs or is occurring, or Sumsub becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, Sumsub will:

i. promptly conduct its own audit to determine the cause;

ii. produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;

iii. provide the Customer with a copy of the written audit report; and

iv. promptly remedy any deficiencies identified by the audit.

16. Warranties

16.1 Sumsub warrants and represents that:

a. its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation relating to the Personal Data;

b. it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;

с. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Terms and Conditions's contracted services; and

d. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

i. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;

ii. the nature of the Personal Data protected; and

iii. comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in clause 5.1.

16.2 The Customer warrants and represents that Sumsub's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

17. Indemnification

17.1 The Customer shall defend, indemnify, and hold (i) Sumsub, its affiliates, successors, assigns, and (ii) the directors, officers, agents, and personnel of any person listed in subclause 17.1(i) harmless from and against any and all claims, causes of actions, suits and proceedings brought by any third party and any resulting judgments, settlements, liabilities, damages, losses, costs and expenses (including, without limitation, all attorneys' fees and legal costs) arising out of or incurred in connection with the Customer’s breach (including for the avoidance of doubt any alleged breach) or non-performance of any of its obligations under clause 3.2 hereof. For clarity, any limitations of liability as may be set out in the Master Agreement shall not apply to this clause 17.1.

18. Notice and the DPO

18.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to: [email protected]

18.2 Clause 18.1. does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This agreement has been entered into on the date stated at the beginning of it.

Annex A

Personal Data Processing Purposes and Details

The Customer's Purpose of Processing: CDD and AML/CFT rules compliance for KYC, if applicable

Business Purpose: Execution of the Terms and Conditions

Nature of Processing: Remote identity verification and other CDD procedures

Duration of Processing: Term of the Terms and Conditions or any other term indicated in line with clause 12 of this Agreement

Data subjects categories: the Customer's customers

Categories of data for Processing: The Personal Data processing is based on the products or services selected in ANNEX 2 of the Terms and Conditions, which may include, but are not limited to the categories of Personal Data specified below. For clarity, geolocation data (e.g. IP address) and technical data (e.g. (software and hardware attributes (camera and device name)) are strictly necessary to the extension of detection of fraud patterns as well as provision the correct risk score to the Customer.

KYC (A-Z)

• •For Address verification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship), ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); PoA document data; Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from Data Subject’s device).
• •For AML Screening: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship), ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); Relevant publicly available data (information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists); Technical data (software and hardware attributes (camera and devise name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device);
• •For Bank Card extraction and sensitive data masking: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); Banking details (card holder name, expiry date, first 6 and last 4 digits of the card number); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device.
• •For Biometric Checks (Liveness & Face Match): Facial Image data (photos of face including selfie images and photo or scan of face on the ID document), Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device.
• •For Biometric Checks (Selfie image & Face Match): Facial Image data (selfie images and photo or scan of face on the ID document); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from Data Subject’s device.
• •For Biometric Checks (Video selfie & Face Match): Facial Image data (video-selfie (recording of short video with person saying 3 numbers transmitted to the screen of device used) and photo or scan of face on the ID document); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device.
• •For Email verification: Email address; Unique Identifier (Applicant ID).
• •For ID document verification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
• •For Phone verification: Phone number; Unique Identifier (Applicant ID).
• •For Questionnaire: Depends on the Customer’s requirements
• •For Source of Funds and Wealth Check: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); Data extracted from documents provided as proof of source of funds/wealth; Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
• •For Video Identification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); ID document data (document type, issuing country, ID number, expiry date); Facial image data (video, sound recordings and screenshots of face); other Personal Data [for AML/CFT purpose] (activity profile, area of activity, purpose and nature of establishment of a business relationship, etc.); Technical data (software and hardware attributes (camera and devise name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).

KYB (A-Z)

• •For Intermediate Shareholder Check: Corporate [company] documents, containing information about name, position, share owning of a particular person considered as shareholder.
• •For Ownership and Management Check: Corporate [company] documents, containing information about name, position, share owning of a particular person considered as a shareholder or a top manager.

Extras (A-Z)

• •For custom fields: Additional information in the ID (depending on the country – personal identification number, tax ID, etc.);
• •For Face authentication: Facial Image data (photos of face including selfie images and photo or scan of face on the ID); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
• •For Known Face Search (Additional to Biometrics Checks): comparison of already provided facial image data.
• •For NIN verification for Nigeria: NIN number data.
• •For Ongoing AML Screening: AML Screening data set.
• •For Ongoing ID document verification: ID document verification data set.
• •For SMS notification: Phone number.
• •For Support: Full name (name and surname); contact details (email address and/or phone number); Other information to mitigate the issue.

KYT

• •For Transaction monitoring: Full name of the sender and the recipient, the address of the sender and the recipient, and the Unique identifier of the counterparties provided by Sumsub and the particular Customer.

Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Customer’s purpose(s) and Business purpose.

Subject matter, nature and duration of the processing by (sub-) processor: The subject matter, nature and duration of the processing is indicated and specified in the relevant Agreement with the subprocessor that Sumsub engages for Business purpose.

Annex B

Consent and Privacy Notice Wording

The Customer shall ensure that, where applicable, it collects each Data Subject’s consent allowing both Parties to process their biometric data as set out in this Agreement and the Master Agreement in accordance with the applicable Data Protection Legislation, in particular the US Data Protection Legislation by complying with the below:

a. The following notice and consent language must be incorporated into the Customer’s interface with respect to any individual using the Customer’s services where Sumsub is integrated before redirecting any Data Subject to proceed with the onboarding:

“I hereby agree and express my voluntary, unequivocal and informed consent that personally identifiable information (PII) including biometric information will be processed for the purposes specified in this consent of the organisation for which I pass the identity verification process (hereinafter - the “Company”) that uses Sumsub Group of Companies, (hereinafter - the “Service Provider” or “Sumsub”) through which the Company collects and processes my PII and the biometric information. Please refer to the Privacy Notice (https://sumsub.com/privacy-notice-service) for details about the identity and contact details of Sumsub.

Categories of biometric data

My biometric information, to the processing of which by the Company and by the Service Provider I hereby agree and express my voluntary, unequivocal and informed consent, includes facial features or facial scans.

I hereby acknowledge and agree that facial images of myself are processed to confirm the liveliness of my face and/or to confirm that a given identity document is presented by me, its legitimate owner.

Purposes of processing of biometric data

I hereby acknowledge and agree that processing shall be done for the purposes of the Company and may include matters of compliance with applicable AML/CFT, anti-fraud laws and regulations, age restrictions acts and/or other laws and regulations and/or the Company customer due diligence procedures in accordance with the laws governing the intended business relationship.

The processing of biometric data will also be carried out for other compatible purposes of the Service Provider acting as a separate business including service development, fraud and criminal activity prevention, as well as ‘litigation hold’ and statutory obligations of the Service Provider (for details please see the Privacy Notice available here: https://sumsub.com/privacy-notice-service).

How will the biometric data be processed

I hereby acknowledge and agree that Company and Service Provider shall process my biometric information by means of automated reading, verification of the authenticity and other automated processing as stated in the Privacy Notice available at https://sumsub.com/privacy-notice-service/, which includes the processing of facial scan while passing liveness, video-selfie or video identification process, biometric authorisation, face comparison from the photo of an identity document and the facial image, searching of multiple identity creation, work and development of fraud control network to detect and prevent fraud and criminal activity.

The PII including biometric data may be disclosed to entities associated with Service Provider to achieve the purpose of the processing under this Consent. The Service Provider stores biometric information in AWS Amazon or Google Cloud (depending on the requirements of the Company on the place of data storage).

Retention of biometric data

I hereby represent that I have been informed that my PII will be retained and stored by Company and Service Provider and will be permanently destroyed based on the Company’s instructions when the Company’s initial purpose and/or retention period prescribed by applicable law expires. Where Service Provider independently defines the compatible purposes or under the legal obligation, the personal data, including biometric information, will be destroyed after Service Provider’s purposes for collecting the biometric information have been satisfied (and one (1) year of the date the purpose for collecting the data expires for residents of Texas) or after five (5) years from the provision of data to the Service Provider system, whichever occurs first. For the residents of Illinois, the retention period of personal data, including biometric information, will be three (3) years from the date of data provision to the Service Provider system. Please check how your PII will be deleted and destroyed in Service Provider’s Data Disposal and Destruction Policy at https://sumsub.com/privacy-notice-service/?id=#8.

I hereby represent that I have carefully read all of the above provisions and do voluntarily and unequivocally agree with them.”

b. The consent and privacy notice must include hyperlinks to Sumsub’s privacy notice available here: https://sumsub.com/privacy-notice-service/

c. Notwithstanding the above, the Customer will incorporate other necessary terms, notices, documents or consents (if applicable) into its own policies and legal agreements with Data Subjects which meet the requirements applicable to the Customer under Data Protection Legislation describing in particular:

- the processing of Personal Data, including biometric data while capturing face,
- the purposes for which Personal Data, including biometric data, are processed,
- the use of third party service providers to perform this service aimed to perform identity verification on the Customer’s behalf, other matters required by the applicable Data Protection legislation, including as to storage, retention periods, third-countries transfers, etc.

d. Adoption of API consent parameter (privacy_notices_read_consent_given): where API integration is used under the Master Agreement, the Customer must additionally implement the following API consent parameter in respect of use of the Services: Sumsub privacy_notices_read_consent_given and/or other parameters, provided that they should enable Sumsub to log and verify whether the measures listed in this Annex B were implemented by the Customer in respect of that Data Subject.

Annex С

[Where EU Data Protection Legislation applies]
EU STANDARD CONTRACTUAL CLAUSES (SCCs)

Schedule 1: (Controller - Processor)/(Processor-Processor)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified in Schedule 1 as they apply to each party.

Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Customer, and the Data Importer is Sumsub. Accordingly, Module 2 or Module 3 of the SCCs referred in Schedule 1 as applicable.

Applicable options. The following optional clauses of Module 2/Module 3 apply to Schedule 1:

• Clause 9(a) (use of sub-processors)

  OPTION 2 will apply (general authorisation)

• Clause 13(a) (supervision)

  PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

• Clause 17 (governing law)

  OPTION 1 will apply: the law of Ireland

• Clause 18(b) (forum)

  England and Wales

Docking clause. Clause 7 of Module 2/Module 3 (docking clause) will apply to Schedule 1. Annexes. The details of Annexes I, II and III of Schedule 1 are set out as follows:

• Competent Supervisory Authority (Annex I):

  Cyprus

• List of Parties (Annex I):

  As specified in the DPA

• Description of Transfer (Annex I):

  As specified in Annex A to this DPA

• Technical and Organisational Measures (Annex II):

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• List of Sub-Processors (Annex III):

  As specified in the Dashboard System.

Schedule 2: (Controller - Controller)
(Controller-Controller)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified in Schedule 2 as they apply to each party.

Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Customer, and the Data Importer is Sumsub. Accordingly, Module 1 of the SCCs referred in Schedule 2 applies.

Applicable options. The following optional clauses of Module 2/Module 3 apply to Schedule 2:

• Clause 13(a) (supervision)

  PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

• Clause 17 (governing law)

  OPTION 1 will apply: the law of Ireland

• Clause 18(b) (forum)

  Ireland

Docking clause. Clause 7 of Module 1 (docking clause) will apply to Schedule 1.
Annexes. The details of Annexes I, II and III of Schedule 1 are set out as follows:

• Competent Supervisory Authority (Annex I):

  Cyprus

• List of Parties (Annex I):

  As specified in the DPA

• Description of Transfer (Annex I):

  As specified in Annex A to this DPA

• Technical and Organisational Measures (Annex II):

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

[Where UK Data Protection Legislation applies]

Schedule 3: INTERNATIONAL DATA TRANSFER AGREEMENT (IDTA)

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA specified in Schedule 3 below as they apply to each party.

Parts 1-3 of the IDTA shall be deemed completed respectively with the information set out in Schedule 2 below (as applicable).

PART 1. TABLE

• Table 1. Parties

• Commencement date:

  When the restricted transfer is to be conducted

• The Parties' details:

  Exporter: Customer or Sumsub
  Importer: Sumsub or Customer

• Key Contact:

  as specified in DPA

• Table 2. Transfer details

• UK country’s law that governs the IDTA

  England and Wales

• Primary place for legal claims to be made by the Parties

  England and Wales

• The status of the Exporter

  Controller or Processor

• The status of the Importer

  Controller or Processor

• Whether UK GDPR applies to the Importer

  -

• Linked Agreement

  As specified in the ‘Background’ section of the DPA

• Term

  The period for which the Linked Agreement is in force

• Ending the IDTA before the end of the Term

  The Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing

• Ending the IDTA when the Approved IDTA changes

  Neither party

• Can the Importer make further transfers of the Transferred Data?

  The Importer MAY transfer the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data)

• Specific restrictions when the Importer may transfer on the Transferred Data

  The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1 to the authorised receivers (or the categories of authorised receivers) as set out in clause 8 and 9 of the DPA.

• Review Dates

  The Parties must review the Security Requirements at least once each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

• Table 3. Transferred Data

• Transferred Data

  The personal data to be sent to the Importer under this IDTA consists of the categories of Transferred Data that will update automatically if the information is updated in the Linked Agreement referred to.

• Special Categories of Personal Data and criminal convictions and offences

  As provided in Annex A of the DPA

• Relevant Data Subjects

  The Data Subjects of the Transferred Data are: the categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.

• Purpose

  The Importer may Process the Transferred Data for the purposes set out in Annex A of the DPA.
  In both cases, any other purposes which are compatible with the purposes set out above.
  The purposes will update automatically if the information is updated in the Linked Agreement referred to.

• Table 4.

• Security of Transmission

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• Security of Storage

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• Security of Processing

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• Organisational security measures

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• Technical security minimum requirements

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• Updates to the Security Requirements

  The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.

PART 2. EXTRA PROTECTION CLAUSES

• Extra Protection Clauses:

  N/A

• (i) Extra technical security protections

  -

• (ii) Extra organisational protections

  -

• (iii) Extra contractual protections

  -

PART 3. COMMERCIAL CLAUSES

• Commercial Clauses

  N/A

Schedule 4: IDTA ADDENDUM (Addendum)

Subject to clause 7 of the DPA, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the Addendum specified in Schedule 4 as they apply to each party.

The SCCs, as implemented under Schedule 1 and/or 2 above, will apply with the following modifications:

i. the SCCs shall be deemed amended as specified by Part 2 (Mandatory clauses) of the Addendum; and

ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out below (as applicable).

PART 1. TABLE

• Table 1. Parties

• Commencement date:

  When the restricted transfer is to be conducted

• The Parties' details:

  Exporter: Contractor or Sumsub
  Importer: Contractor or Sumsub

• Key Contact:

  as specified in DPA

• Table 2. Selected SCCs, Modules and Selected Clauses

• Addendum EU SCCs:

  The version of the Approved EU SCCs (stated in Schedule 1 and/or 2) to which this Addendum is appended detailed below, including the Appendix Information

• Table 3. Appendix Information

• ANNEX IA: List of Parties

  As specified in Table 1

• ANNEX IB: Description of Transfer

  As specified in Annex A to the DPA

• ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

  Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally.

• ANNEX III: List of Subprocessors:

  As specified in the Dashboard System

• Table 4. Appendix Information

• Ending this Addendum when the Approved Addendum changes

  Neither Party

[Where UAE Data Protection Legislation applies]

Schedule 5: DIFC STANDARD CONTRACTUAL CLAUSES (SCCs)
(Controller - Processor)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. With respect to any transfer or processing of personal data pursuant to this DPA, the Data Exporter is Customer, and the Data Importer is Sumsub.

2. Applicable options. The following optional clauses apply as follows:
in ‘Whereas’ section, Clause 6, will be omitted;
in Clause 7, the optional docking clause will apply;
in Clause 9 (1), Option 2 (General Authorisation) will apply;
in Clause 9 (2), the clause will be omitted;
in Clause 16 (4), at the beginning, the following will be added: ‘Where applicable,’;
Clause 16 (6) will be omitted;
in Appendix 1, the enclosure will be completed with the information from Annex A to this DPA. in Appendix 2, Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally in Appendix 3 - the list of subprocessors as specified in the Dashboard System.

Schedule 6: DIFC STANDARD CONTRACTUAL CLAUSES (SCCs)
(Controller - Controller)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. With respect to any transfer or processing of personal data pursuant to this DPA, the Data Exporter is Customer, and the Data Importer is Sumsub.

2. Applicable options. The following optional clauses apply as follows: in ‘Whereas’ section, Clause 6, will be omitted;

in Clause 7, the optional docking clause will apply;
in Clause 9 (1), the clause will be omitted;
in Clause 9 (2), the clause will be omitted;
in Clause 16 (4), at the beginning, the following will be added: ‘Where applicable,’;
Clause 16 (6) will be omitted;
in Appendix 1, the enclosure will be completed with the information from Annex A to this DPA. in Appendix 2, Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally. in Appendix 3 - The list is subprocessors as specified in the Dashboard System.

Schedule 7: ADGM STANDARD CONTRACTUAL CLAUSES (SCCs)
(Controller - Processor)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this DPA, the Data Exporter is Customer, and the Data Importer is Sumsub. Accordingly, Module Two of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:
in Clause 7, the optional docking clause will apply;
in Clause 9, Option 2 will apply;
in Clause 11, the optional paragraph will not apply;
Annex I of the ADGM SCCs shall be deemed completed with the information set out in Annex A to this DPA, and
Subject to clause 6 of the ADGM SCCs, Annex II of the ADGM SCCs - Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally;
Annex III of the ADGM SCCs - The list is subprocessors as specified in the Dashboard System.

Schedule 8: ADGM STANDARD CONTRACTUAL CLAUSES (SCCs)
(Controller - Controller)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this DPA, the Data Exporter is Customer, and the Data Importer is Sumsub. Accordingly, Module One of the SCCs applies.

2. Applicable options. The following optional clauses of Module One apply as follows:
in Clause 7, the optional docking clause will apply;
in Clause 9 is not used;
in Clause 11, the optional paragraph will not apply;

Annex I of the ADGM SCCs shall be deemed completed with the information set out in Annex A to this DPA, and Subject to clause 6 of the ADGM SCCs, Annex II of the ADGM SCCs - Technical and organisational measures including technical and organisational measures to ensure the security of the data are to be required by the Customer additionally;

Annex III of the ADGM SCCs - The list is subprocessors as specified in the Dashboard System.