Terms and Conditions

These Terms and Conditions, including any schedules, annexes or appendices thereto, shall govern the mutual relationship of the Service Provider and the Customer (hereinafter collectively referred to as the “Parties” or individually as a “Party”).

The Customer agrees to be bound by the Terms and Conditions by proceeding with the registration while applying for a particular Pricing Plan on the Service Provider’s Website.

1. Definitions and Interpretations

1.1. In these Terms and Conditions, unless the context requires otherwise, the following definitions shall apply:

  • API

    means a set of functions and procedures that facilitate submission of applications for access to the features or data of the System.

  • Applicant

    means the end user (whether natural person or legal entity) providing documents, images, and other input data in respect of which the Service Provider performs Checks and other Services.

  • Business Purpose

    means the permitted purpose for which the Customer may use the System and the Services. For clarity, the Customer may use the System (in its entirety or in part) for lawful purposes of remote identity verification, fraud prevention, compliance with AML/CFT laws and regulations, internal risk management and due diligence procedures, and other similar purposes.

  • Check

    means a subcategory of the Services consisting of analysis of documents, images, and other input data submitted by a given Applicant, carried out in order to verify the Applicant’s identity. For clarity, a Check is deemed completed when a given Applicant is assigned a “Rejected”, “Approved” or “Resubmission requested” status in the Dashboard. If any Check is reiterated in respect of the same Applicant later than one calendar month from the moment when the first such Check was completed, such reiteration shall be considered a new Check and, therefore, charged separately.

  • Commencement Date

    means the day the Customer expresses its agreement to be bound by these Terms and Conditions.

  • Confidential Information

    means information disclosed by (or on behalf of) one party (the “Discloser”) to the other party (the “Recipient”) in connection with or in anticipation of these Terms and Conditions (including the content of these Terms and Conditions and Services itself) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, might reasonably be supposed to be confidential. It does not include information (i) that the Recipient already knew, (ii) that becomes public through no fault of the Recipient, (iii) that was independently developed by the Recipient or (iv) that was lawfully given to the Recipient by a third party.

  • Customer System

    means any information technology system (systems) owned or operated by the Customer, if any, which receives data from the Service Provider in accordance with these Terms and Conditions, including the Customer's data processing facilities, data files and documents requiring processing.

  • Customer User

    means any member of the Customer's personnel authorised by the Customer to access and/or use the System (in its entirety or in part) under their own unique identifier issued by the Service Provider.

  • DPA

    means the Data Processing Agreement as contained in Annex 3 to these Terms and Conditions.

  • Fees

    means the charges payable by the Customer to the Service Provider in accordance with these Terms and Conditions and, specifically, Annex 2 hereto.

  • Good Industry Practice

    means, in relation to any undertaking and any circumstances, the exercise of skill, diligence, prudence, foresight and judgement and any expenditure that would reasonably be expected from a skilled person engaged in the same type of undertaking under the same or similar circumstances.

  • Intellectual Property Rights

    means all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in Confidential Information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world.

  • Malicious Code

    means viruses, worms, time bombs, Trojan horses and other similar malware, files, scripts, agents or programs.

  • Payment Terms

    means the general payment terms and options applicable to the Parties’ relationship, as contained in Annex 2 to these Terms and Conditions.

  • Pricing Plan

    means the tariff and the payment option chosen by the Customer via the Service Provider’s Website prior to using the System, entitling the Customer to use Services of types and volumes and on the conditions specified in the respective Pricing Plan.

  • Reports

    means documents generated in the Dashboard and containing summaries of the Checks performed in respect of each given Applicant and of their results.

  • SDK

    means the software code supplied by the Service Provider to be embedded into the Customer System and any documentation relating to the integration of the System with the Customer System.

  • Security Feature

    means any key, PIN, password, token, smartcard, etc.

  • SLA

    means the Service Level Agreement as contained in Annex 1 to these Terms and Conditions.

  • Support

    means the technical support to be rendered by the Service Provider, including maintaining the System accurate, up-to-date, in good working order, and free from Malicious Code, and restoring it to normal operational conditions if unavailable.

  • Specification

    means the list and description of Services corresponding to the Pricing Plan chosen by the Customer, available at: https://sumsub.com/pricing at the relevant time. The Service Provider reserves the right to update or amend the Specification, provided that such actions are not detrimental to the Customer's legitimate interests; the Customer shall be entitled to object to an update or amendment, in which case it shall not be applicable (or, as the case may be, shall cease to apply) to its relationship with the Service Provider. The Customer may at any time enable or disable any of the Services covered by the respective Specification by contacting the Service Provider's support department at [email protected]

  • System

    means a set of computer programs and databases owned and operated by the Service Provider in order to render the services described in the Specification (the “Services”). The System includes an interactive software tool facilitating the communication between the Service Provider and the Customer and ensuring management and processing of requests for verification submitted by the Customer or by Applicants (the “Dashboard”).

1.2. Where the expressions “include(s)”, “including” or “in particular” are used in these Terms and Conditions, the list of words following them shall not be considered exhaustive.

1.3. References to sections and clauses are to the respective sections and clauses of these Terms and Conditions.

1.4. A reference to a party includes its successors and permitted assigns.

1.5. The headings in these Terms and Conditions are for ease of reference only and shall not affect their construction.

1.6. In these Terms and Conditions, if the context so requires, references to the singular shall include the plural and vice versa.

2. Term

2.1. These Terms and Conditions shall become effective on the Commencement Date and remain in force for an initial period of 12 months (the “Initial Period”). Once the Initial Period expires, these Terms and Conditions shall be automatically renewed for subsequent periods of 12 months each (the “Renewal Periods”) unless terminated earlier by either Party pursuant to section 9 below. The Initial Period and any Renewal Periods, taken cumulatively, shall constitute the “Term”.

3. Connection to the system

3.1. For the Customer to gain access to the System, a designated Customer User must (i) provide to the Service Provider relevant personal and company details (including bank card details) as specified in the respective form on the Website and (ii) have their identity verified by the Service Provider within 7 days after the Commencement Date and in accordance with the Service Provider’s instructions forwarded by email. The Service Provider is entitled to temporarily suspend the Customer’s account in the System if the Customer User’s identity has not been verified within the aforementioned period.

3.2. Once the procedure detailed in clause 3.1(i) above has been completed, the Service Provider shall enable the Customer’s connection to the System. Each Party shall bear its own costs of establishing the connection; however, the Service Provider shall provide the Customer with all reasonable assistance and information necessary to establish the connection in a timely manner.

3.3. The Service Provider shall, for the entire duration of the Term, (i) provide the Customer with Services and Support in accordance with Good Industry Practice, the Specification and the SLA and (ii) promptly supply any new releases of the System’s features to the Customer.

3.4. The Customer acknowledges that for any reason, at any time, and without prior notice, the Service Provider may issue updates to the provided Services / the System, and agrees to use commercially reasonable efforts to install such updates in a timely manner. Failure of the Customer to update all versions of the Services / the System within 60 days of written upgrade notification from the Service Provider shall be considered a material breach in accordance with clause 9.3 of these Terms and Conditions. The Service Provider shall send written upgrade notifications via email address or through the System notification mechanism. The Service Provider shall not be in any way liable for the incorrect operation of the System due to the failure of the Customer to comply with the obligation to update the Services / the System.

4. Intellectual property rights – ownership and protection

4.1. The Customer acknowledges and agrees that all Intellectual Property Rights in the System are the property of the Service Provider or its counterparties (as the case may be) and the Customer shall have no rights in or to the System other than the right to use it in accordance with the express provisions of these Terms and Conditions.

4.2. Subject to clause 4.1 above, the Service Provider grants the Customer a worldwide, non-exclusive, non-transferable license to use the System for the Business Purpose and in accordance with these Terms and Conditions, effective during the entire Term. The Customer may not sublicense this right other than with prior written consent of the Service Provider.

5. Charges

5.1. For provision of the Services and use of the System, including receipt of any new releases, Support, or maintenance as per these Terms and Conditions, the Customer shall pay the Service Provider charges as detailed in the chosen Pricing Plan and the Payment Terms. The Customer may switch to another Pricing Plan at any time by contacting the Service Provider’s support department at [email protected], effective from the next calendar month.

5.2. Unless it is stated otherwise in Annex 2, the charges stated in clause 5.1 of these Terms and Conditions shall be automatically withdrawn from the bank account specified by the Customer no later than the 2nd day of the month following the reporting period (meaning the period in which the chargeable Services were actually provided). The Customer shall ensure in advance the availability of sufficient funds on the bank account submitted to pay for the Services provided.

5.3. The Service Provider shall have the right to suspend access to the Services and/or the System until the due payment as required under clauses 5.1-5.2 above and Annex 2 is made. Additionally, the Service Provider shall be entitled to claim interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgement. Interest under this clause shall be in the amount of 0,1% of the due payment per each day of such delay.

5.4. Once the Customer has gained access to the System as described in clauses 3.1-3.2 above, the Service Provider may, at its own discretion, grant the Customer a free trial of the System’s capabilities for testing purposes only (“Test Period”). The Test Period shall continue for a period specified in the Dashboard, unless terminated by either Party pursuant to section 9. The Customer acknowledges that not all features and functionalities of the System shall be available during the Test Period.

6. Confidentiality and data protection

6.1. The Recipient shall: (a) maintain all Confidential Information in strict and absolute confidence and refrain from any disclosure and/or publication and/or description and/or communication of Confidential Information, in whole or in part, to any third party whatsoever; (b) take all necessary precautions to keep Confidential Information confidential and apply the same security measures and degree of care to Confidential Information as the Recipient applies to its own confidential information; (c) inform the Discloser of any damage to or accidental loss of Confidential Information, including transfer to or use by unauthorized persons immediately; (d) not reverse engineer, decompile or disassemble Confidential Information.

6.2. The Recipient shall not: (a) use Confidential Information in order to build a product or service which competes with the Services; (b) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Confidential Information (as applicable) in any form or media or by any means to any individual or entity; or (ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of Confidential Information. For clarity, any breach of this clause will be deemed to be a material breach of these Terms and Conditions.

Notwithstanding the above, the Customer grants Sum and Substance a licence to access, download and use some parts of Confidential Information (including Personal Data as stated in Annex 3 herein) for: (a) analysing such information in accordance with the Sum and Substance Service functionality; (b) developing and testing service and new products to improve the functionality of the Services, designed for detection and prevention of fraud, including by means of artificial intelligence (e.g. machine learning models) in order to fulfil the commitments in the Terms and Conditions, Specification and the SLA and provide competitive service; (c) identifying and flagging potentially fraudulent patterns and other signs of suspicious behaviour which could lead to or signal any illicit activity, and calculated risk score based on the said factors and alert customers in the framework of higher-risk applicant control and alert functionality; (d) producing anonymised or anonymised and aggregated statistical reports and research, and (e) producing and storing audit log records and reports based on information security and personal data protection requirements.

6.3. The Recipient shall not be prevented from disclosing Confidential Information to employees and/or professional advisors who need to know it and who have agreed in writing (or, in the case of professional advisors, are otherwise bound) to keep confidentiality no less restrictive than those contained herein. The Recipient will ensure that those people and entities: (a) use such Confidential Information only to exercise rights and fulfil obligations under these Terms and Conditions; and (b) keep such Confidential Information confidential. The Recipient shall remain liable for any act or omission by its employees and/or professional advisors.

6.4. The Recipient may also disclose Confidential Information when required by law after giving reasonable notice to the Discloser, such notice to be sufficient to give the Discloser an opportunity to seek confidential treatment, a protective order or similar remedies or relief prior to disclosure.

6.5. If so requested by the Discloser at any time by written notice to the Recipient, the Recipient shall promptly: (a) destroy or return to the Discloser all documents and materials (and any copies thereof) containing, reflecting, incorporating or based on the Discloser's Confidential Information; (b) erase all Confidential Information from its own computer and communications systems, devices and other means of electronic storage; (c) erase all Confidential Information stored in electronic form in systems and data storage services owned by third parties; and (d) certify in writing to the Discloser that it has complied with the requirements of this clause 5.5.

6.6. Without affecting any other rights and remedies that the Discloser may have, the Recipient hereby agrees that damages would not be an adequate remedy for any breach by the Recipient of these Terms and Conditions, and that the Discloser shall be entitled to remedies of injunction, specific performance and other equitable relief for any threatened or actual breach of these Terms and Conditions.

6.7. Notwithstanding anything to the contrary, this Section 5 shall survive for 3 years after the expiry or termination of these Terms and Conditions.

6.8. The Service Provider shall guarantee protection of personal data received under these Terms and Conditions at the level required by the applicable laws and regulations (including the EU General Data Protection Regulation, as the case may be). The regime of personal data protection is set out in the DPA.

6.9. When these Terms and Conditions are terminated, the Service Provider shall, subject to clause 6.2 above, upon the relevant request of the Customer and unless the Customer is in breach of these Terms and Conditions, transfer to the Customer, free of charge and in a structured manner, all the data collected in relation to the Applicants or, alternatively and where possible, permit the Customer to extract such data from the System on its own. The exact method of the transfer shall be agreed upon by the Parties.

7. Security features. Customer users

7.1. The Customer shall not permit, enable, or provide access to the System to anyone except the Customer Users. In particular, where the Service Provider uses Security Features in relation to the System, the Customer shall keep such Security Features confidential and not share them other than with the Customer Users.

7.2. Any Customer User shall only be assigned Security Features and other credentials necessary to access the System after the relevant request from the Customer has been approved by the Service Provider. The Customer shall ensure that such requests are only delivered by those members of its personnel who are authorised to do so.

7.3. All and any actions carried out in the System / the Dashboard with the use of Security Features or other credentials previously assigned to Customer Users shall be regarded as performed by duly authorised Customer Users. The Service Provider shall not be in any way liable for the consequences of such actions.

8. Liability. Limitation of liability

8.1. SUBJECT TO THE PROVISIONS OF CLAUSE 8.2, THIS ARTICLE 8 SETS OUT THE ENTIRE FINANCIAL LIABILITY OF EITHER PARTY (INCLUDING ANY LIABILITY FOR THE ACTS OR OMISSIONS OF EITHER PARTY’S EMPLOYEES, AGENTS AND SUB-CONTRACTORS) IN RESPECT OF: (A) ANY BREACH OF THESE TERMS AND CONDITIONS; AND (B) ANY USE MADE BY THE CUSTOMER OF THE SERVICES (INCLUDING THE REPORTS) OR ANY PART OF THEM; AND (C) ANY REPRESENTATION, STATEMENT OR TORTIOUS ACT OR OMISSION (INCLUDING NEGLIGENCE) OR BREACH OF STATUTORY DUTY ARISING UNDER OR IN CONNECTION WITH THE TERMS AND CONDITIONS.

8.2. NEITHER PARTY EXCLUDES OR LIMITS LIABILITY TO THE OTHER PARTY FOR (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) ANY INDEMNITIES UNDER THESE TERMS AND CONDITIONS; OR (C) ANY MATTER FOR WHICH IT WOULD BE UNLAWFUL FOR THE PARTIES TO EXCLUDE OR LIMIT LIABILITY.

8.3. SUBJECT TO CLAUSE 8.2 ABOVE, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY, WHETHER IN CONTRACT, TORT (INCLUDING FOR NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, FOR: (A) ANY LOSS OF PROFITS, INCOME, GOODWILL, REVENUE OR BUSINESS OPPORTUNITIES; ANY SPECIAL, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGES; (B) LOSSES ARISING OUT OF A FORCE MAJEURE EVENT; (C) ANY LOSS OR CORRUPTION OF DATA OR INFORMATION, EXCEPT IF IT WAS CAUSED BY A BREACH OF THESE TERMS AND CONDITIONS BY EITHER PARTY.

8.4. SUBJECT TO CLAUSE 8.2 ABOVE, THE SERVICE PROVIDER’S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THESE TERMS AND CONDITIONS OR ANY COLLATERAL CONTRACT SHALL IN ALL CIRCUMSTANCES BE LIMITED TO: (A) 100% OF THE TOTAL FEES PAID BY THE CUSTOMER TO THE SERVICE PROVIDER DURING THE 3-MONTH PERIOD IMMEDIATELY BEFORE THE DATE ON WHICH THE CAUSE OF ACTION FIRST AROSE OR (B) 2500 USD, WHICHEVER IS LESS, OR (C) 50 USD, IF THE CAUSE OF ACTION AROSE DURING THE TEST PERIOD.

8.5. SUBJECT TO CLAUSE 8.2, THE CUSTOMER ASSUMES SOLE RESPONSIBILITY FOR CONCLUSIONS DRAWN FROM ITS USE OF THE SERVICES (INCLUDING THE REPORTS).

8.6. THE CUSTOMER WILL INDEMNIFY, DEFEND, AND HOLD HARMLESS SERVICE PROVIDER AND ITS RESPECTIVE OFFICERS, SHAREHOLDERS, DIRECTORS, AND PERSONNEL, (AND KEEP SUCH INDIVIDUALS INDEMNIFIED ON A FULL INDEMNITY BASIS), FROM AND AGAINST ANY THIRD PARTY CLAIMS, SUITS, HEARINGS, ACTIONS, DAMAGES, LIABILITIES, FINES, PENALTIES, COSTS, LOSSES, JUDGMENTS OR EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES) ARISING OUT OF OR RELATING TO THE CUSTOMER’S USE OF THE SERVICES (COLLECTIVELY, “CLAIMS”), PROVIDED AND TO THE EXTENT THAT SUCH CLAIMS ARE NOT DUE TO ANY BREACH OF THIS AGREEMENT BY SERVICE PROVIDER.

9. Representations and warranties.

9.1. The Customer warrants, represents and covenants that: (a) it is duly incorporated, organized and validly existing under the applicable law; (b) it has good and sufficient capacity, power, authority and right to enter into, execute and deliver these Terms and Conditions, to complete the transactions contemplated hereby and to duly observe and perform the covenants and obligations contained herein; and (c) all necessary corporate action has been taken by the Parties to authorize and approve the execution and delivery of these Terms and Conditions, the completion of the transactions contemplated hereby and the observance and performance of the covenants and obligations contained herein.

9.2. The Customer warrants, represents and covenants that it will not: (a) use the Services to discriminate against any Applicant or in a manner that causes damage or injury to any person or property; (b) use the Services in a manner that could be reasonably expected to bring the Service Provider into disrepute or otherwise harm its reputation; (c) act or omit to act in a way which interferes with or compromises the integrity or security of the Services; or (d) make the Services available or otherwise use the Services in any jurisdiction where the Services are not permitted by applicable law.

9.3. NO WARRANTY. No conditions, warranties or other terms apply to any Services supplied by the Service Provider under these Terms and Conditions other than the conditions, warranties and terms expressly set forth herein. The Service Provider hereby disclaims any implied warranties whether arising under law, through course of dealing, or otherwise, (including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description). In addition, the Service Provider does not warrant or enter into any other term to the effect that any technology provided in connection with these Terms and Conditions will be entirely free from defects or that its operation will be entirely error-free. The Customer understands that the Service Provider obtains the information reported in its Reports from various third-party sources “as is”, and therefore is providing the information to the Customer “as is”. The Services are not intended to be used as the sole basis for any business decision (including where those business decisions concern Applicants). The Customer agrees that the Service Provider has no liability for any inaccuracy, incompleteness or other error in the Services which arises based on data provided by the Customer or any third party.

10. Termination and suspension

10.1. The Customer may suspend and/or terminate these Terms and Conditions (and the provision of the Services accordingly) via the Dashboard and via the formal notice respectively at any time for convenience. The Customer agrees and acknowledges that the Service Provider has the right to suspend access to the Services and/or the System if the Customer fails to complete all required due diligence procedures as could be requested by the Service Provider.

10.2. Without prejudice to any rights that have accrued under these Terms and Conditions, either Party may terminate these Terms and Conditions with immediate effect by giving written notice to the other Party if: (a) the other Party is in material breach of these Terms and Conditions where the breach is incapable of remedy; or (b) the other Party is in material breach of these Terms and Conditions where the breach is capable of remedy and fails to remedy that breach within fourteen (14) days after receiving written notice of such breach; (c) the other Party is in violation of any applicable law or legal regulation or (d) the other Party enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on business; or (e) any analogous event happens to the other Party in any jurisdiction in which it is incorporated or resident or in which it carries on business or has assets.

10.3. Any provision of these Terms and Conditions that expressly or by implication is intended to come into or continue in force on or after the termination of these Terms and Conditions shall remain in full force and effect. Termination for any reason shall not affect the accrued rights, remedies, obligations or liabilities of the Parties existing at the date of termination.

10.4. Subject to clause 6.3 above, upon the termination of these Terms and Conditions for any reason or expiry of the Term, each Party shall as soon as reasonably practicable return or destroy (as directed in writing by the other Party) all data, information, software, and other materials provided to it by the other Party in connection with these Terms and Conditions, including all materials containing or based on the other Party's Confidential Information.

10.5. The Service Provider reserves the right to temporarily suspend the Customer’s or any Customer User’s access to the System and/or the Services and/or terminate these Terms and Conditions with immediate effect at its own discretion where it knows or reasonably suspects that: (a) the Customer (including any of its subsidiaries, any ultimate beneficial owner, director, officer, agent, employee or affiliate of the Customer or any of its subsidiaries) is in breach of any applicable laws and regulations or is subject to any local or international sanctions (including any sanctions administered or enforced by the U.S. government or the U.S. Department of State, the United Nations Security Council, the European Union, Her Majesty’s Treasury or other relevant sanctions authority) or restrictions; (b) the Customer infringes the intellectual property rights of the Service Provider or its counterparties; (c) a third party has gained unauthorised access to the System and/or the Services as a result of the Customer’s actions or omissions or using the Security Features or other credentials of a Customer User; (d) the Customer’s activity may, in the opinion of the Service Provider, be detrimental to the interests or business reputation of the Service Provider or its counterparties.

11. General

11.1. Neither Party shall be liable for any delay or non-performance of its obligations under these Terms and Conditions to the extent that such delay or non-performance is a result of any condition beyond its reasonable control, including but not limited to governmental action, pandemic, acts of terrorism, earthquake, fire, flood or other similar events, labour conditions, power failures, and Internet disturbances.

11.2. The Service Provider may revise these Terms and Conditions from time to time without any prior notice provided that these revisions are not detrimental to the Customer’s legitimate interests.

11.3. Failure or delay in exercising any right or remedy under these Terms and Conditions shall not constitute a waiver of such (or any other) right or remedy.

11.4. If any provision of these Terms and Conditions (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of these Terms and Conditions; and (a) the Parties shall immediately commence good faith negotiations to remedy such invalidity; and (b) the validity and enforceability of the other provisions of these Terms and Conditions as applicable shall not be affected.

11.5. These Terms and Conditions constitute the whole agreement between the Parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter of these Terms and Conditions. Each Party acknowledges that in entering into these Terms and Conditions it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other Party in relation to the subject matter of these Terms and Conditions other than those which are set out herein (or those which the Terms and Conditions explicitly refer to).

11.6. Except as expressly stated otherwise, nothing in these Terms and Conditions shall create or confer any rights or other benefits in favour of any person other than the Parties. Except as expressly stated otherwise, nothing in these Terms and Conditions shall create an agency, partnership or joint venture of any kind between the Parties. Neither Party shall have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.

11.7. Neither Party may assign any of its rights or obligations under these Terms and Conditions without the prior written consent of the other, such consent not to be unreasonably withheld, save that either Party can assign to an acquirer of all or substantially all of the assets of a Party without the consent of the other.

11.8. Each Party is only permitted to make public announcements and/or publish written materials concerning the other Party and/or the existence and nature of the business relationship between the Parties if the other Party has given its prior written consent to the content of such an announcement or the text of such written material, except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction. However, each Party may freely use the other Party’s trademarks (including logos) in its promotional or marketing materials, on websites etc. for the sole purpose of publicly identifying such other Party as its counterparty.

11.9. All notices must be in English, in writing and sent to the receiving Party's current postal address, email address, via Dashboard or via other means mutually agreed upon by the Parties. All notices shall be deemed to have been given on receipt as verified by written or automated receipt or electronic log (as applicable).

11.10. The Parties shall: (i) comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption including to the Bribery Act 2010 (Relevant Requirements); (ii) not engage in any activity, practice or conduct which would constitute an offence under sections 1, 2 or 6 of the Bribery Act 2010 if such activity, practice or conduct had been carried out in the UK; (iii) promptly report to the other Party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of these Terms and Conditions.

11.11. These Terms and Conditions and all disputes and claims arising out of or in connection with it are governed by English law. Any dispute, controversy or claim arising out of or in connection with these Terms and Conditions, or any breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”).

Annex 1

Service level agreement

  1. 1.1This Service Level Agreement (“SLA”) is a policy governing the use of the Sum and Substance API and/or Web/Mobile SDK (depending on which type of integration is chosen, hereinafter “S&S Service”) between the Service Provider and the Customer.
  2. 1.2Except as otherwise provided herein, this SLA is subject to the Terms and Conditions. Terms not otherwise defined herein shall have the meaning given to them in the Terms and Conditions.
  3. 1.3Service Availability: “Service Availability” means that the S&S Service may be accessed and used by the Customer for the Business Purpose and in accordance with the Terms and Conditions.
  4. 1.4Uptime commitment: the Service Availability of the S&S Service shall be at least ninety-nine and five tenths percent (99.5%) in each calendar month.
  5. 1.5Uptime measurement: the Service Provider shall measure uptime by checking the response of the S&S Service. Every one (1) minute, a third-party service will attempt to access the S&S Service. If the service does not receive a successful HTTPS response – that is, a HTTPS response code of 2XX or 3XX – that will count as one minute of downtime. The unavailability of the S&S Service shall be calculated from the time that such unavailability is reported by the Customer to the Service Provider at [email protected]
  6. 1.6Exclusions: The calculation of Uptime commitment excludes instances of: force majeure events, Scheduled Maintenance, or Emergency Maintenance. Scheduled Maintenance means the Service Provider may conduct up to five (5) hours of maintenance per calendar month with prior written notice for the purposes of installing upgrades, fixes or reconfigurations to the System. Emergency Maintenance means the Service Provider may conduct maintenance with no prior notice in order to resolve server security issues or other emergency issues. The Service Provider shall use best endeavours to notify the Customer at the beginning and end of such maintenance, and shall provide details on the nature of the work being performed.

Annex 2

Payment terms

  1. 1.Fees
  2. 1.1Subject to the chosen Pricing Plan and the respective Specification, the Customer may be obliged to pay the Service Provider Commitment, Check Charges, Service Charges, Subscription Fees and/or Installation Fee (“Fees”). For the avoidance of doubt, all Fees shall be non-refundable.

    1. 1.1.1Commitment is paid regularly (once in a reporting period), on an unconditional basis (irrespectively of whether any Checks were conducted and/or other Services rendered within the given reporting period). Notwithstanding this, subject to paying the Commitment, the Customer shall be entitled to use a respective number of Checks and/or other Services within the given reporting period, such number to be calculated based on the price of an individual Check / other Services as set out in the respective Pricing Plan. Once the Commitment is exceeded, any additional Checks and other Services are billed separately. Where Commitment and Deposit are chosen simultaneously as the main payment options, the Commitment is not deductible from the Deposit and is only applicable to the specific Services for which it is chosen.
    2. 1.1.2Check Charges and Service Charges are paid separately for each Check conducted and for other Services rendered in excess of the Commitment or, if it was stated in the Pricing Plan, as the case may be, within the given reporting period.
    3. 1.1.3Subscription Fees are paid for the provision of specific Services, regularly (once in a reporting period) and on an unconditional basis.
    4. 1.1.4Installation Fee is paid once for the activation of a given Service. The Installation Fee is not deductible from the Commitment.
  3. 1.2The Fees do not include VAT, where applicable.
  4. 1.3The Service Provider reserves the right to adjust any Fees payable by the Customer under these Terms and Conditions, effective as of the commencement of the following Renewal Period, provided, however, that a) any increase in the Fees may only be executed once in 12 months and shall not exceed ten per cent (10%) of the Fees that were in effect prior to such adjustment, and b) the Service Provider shall notify the Customer of such adjustment not later than 30 days prior to the prospective date of its enforcement. If the Customer fails to object to the notice, the Customer shall be deemed to have agreed to the adjustment.
  5. 2.Schedule of payments
  6. 2.1Any Fees shall be payable by the Customer in accordance with the invoicing procedure set out in clause 2.3 below and in the amount detailed in the respective Pricing Plan.
  7. 2.2The reporting period shall mean the given calendar month, starting from its first day. Where the Services are not used for the entire reporting period (in particular, where the Customer terminates or suspends the Terms and Conditions in accordance with clause 10.1 thereof or in case of the first month of using the Services if applicable), the Commitment payable in such a reporting period shall be calculated in proportion to the number of calendar days during which the Services were available for use.
  8. 2.3The Fees shall be charged as follows:

    1. 2.3.1the Commitment, Check Charges and/or Service Charges, Subscription Fees, if any shall be automatically withdrawn from the bank account specified by the Customer no later than the 2nd day of the month following the reporting period;
    2. 2.3.2the Installation Fee, if any, shall be automatically withdrawn from the bank account specified by the Customer upon the Commencement Date.

Annex 3

Data processing agreement

  1. Background
  2. a.This Personal Data Processing Agreement (hereinafter “Agreement“) is supplemental to the Terms and Conditions and applies as set out therein.
  3. b.This Agreement sets out the additional terms, requirements and conditions on which Sum and Substance (hereinafter Sumsub) will process Personal Data when providing services under the Terms and Conditions. This Agreement contains the mandatory clauses required by applicable Data Protection Legislation for contracts regarding data sharing and data processing activities.

Agreed terms

  1. 1.Definitions and interpretation
  2. The definitions of the EU General Data Protection Regulation (GDPR), in particular Art. 4 EU GDPR, as well as those of the Terms and Conditions, apply to this Agreement. In addition, the following definitions shall be applicable:

    1. a.Authorised Persons: the persons or categories of persons that the Customer authorizes to give Sumsub Personal Data processing instructions pursuant to clause 2.1. (a).
    2. b.Applicant’s information: any information of Applicant, including Personal Data related to Applicant, tags of approval, rejection and resubmission, as well as log information.
    3. c.Business Purposes: execution of the Terms and Conditions or any other purpose specifically defined by the Customer in Annex A.
    4. d.Data Subject: an individual who is the subject of Personal Data, whose Personal Data is processed under this Agreement (can be referred to as ‘Applicant’).
    5. e.Personal Data: means any information relating to an identified or identifiable natural person which is processed as a result of, or in connection with, the provision of the services under the Terms and Conditions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Data Subject).
    6. f.Processing, processes and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
    7. g.Data Protection Legislation: all applicable privacy and data protection laws, including the EU General Data Protection Regulation ((EU) 2016/679)(‘EU GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018; any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
    8. h.Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  3. 1.2This Agreement is subject to the terms of the Terms and Conditions and is incorporated into the Terms and Conditions. Interpretations and defined terms set forth in the Terms and Conditions apply to the interpretation of this Agreement.
  4. 1.3Any Annexes to this Agreement form a part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes Annexes.

The Agreement includes the following Annexes:

  1. Annex A: Data Processing Instruction
  2. Annex B: Consent and Privacy Notice Wording
  3. Annexes C-1, C-2, C-3: Standard Contractual Clauses and Addendum
  1. 1.4A reference to writing or written includes faxes, email and electronic messaging services, which the parties typically use to exchange information in order to execute the Terms and Conditions.
  2. 1.5In the case of conflict or ambiguity between

    1. a.any provision contained in the body of this Agreement and any provision contained in any Annex hereto, the provision in the body of this Agreement will prevail;
    2. b.any of the provisions of this Agreement and the provisions of the Terms and Conditions, the provisions of this Agreement will prevail.
  1. 2.Personal Data processing
  2. 2.1The Customer and Sumsub acknowledge and agree that for the purpose of the Data Protection Legislation:

    1. a.Sumsub processes Personal Data provided by the Customer in relation to the Customer’s use of Services as a processor. The Customer is a controller which determines the purposes and scope of processing and instructs Sumsub on how to process Personal Data. Specifically, the Customer will provide or make available to Sumsub, the specific purposes, duration and nature of such collection being described in Annex A. The Customer retains control of the Personal Data and remains responsible for compliance with its obligations under the applicable Data Protection Legislation and for the processing instructions it gives to Sumsub, while Sumsub will process Personal Data as described in this Agreement or in the respective instructions and implement appropriate technical and organisational measures as set out in clause 5 of this Agreement. Where applicable, Sumsub is responsible for storing the applicant’s information, including any Personal Data, tagged with the corresponding risk level by the Customer. In case the fraud suspicion or commitment is reasonably high, the Customer, pursuant to its purposes related to fraud prevention and/or avoidance, authorises Sumsub to assign a relevant risk score to the applicant's information. Where Sumsub acts as a Processor on the Customer’s behalf, the parties will also comply with the obligations set out in this Agreement.
    2. b.In some circumstances, Sumsub may process and aggregate some of the Personal Data provided by Customer with data received from other sources (including Data Providers and other customers) as an independent controller for the purposes of development and improvement of the Services, including means of artificial intelligence (e.g. machine-learning techniques), flagging potentially fraudulent patterns which could lead to or signal of any illicit activity, provision customers with calculated risk score information and information about the increased risk of fraud to assist Customers in determining whether the user is a genuine user or there is a potential risk of impersonation fraud, concealing a real identity etc. and log audit reports as applicable, provided that Sumsub’s processing purposes are compatible with the Customer’s. Sumsub warrants that such processing relates to preventing and detecting fraud and other illicit activity as part of substantial public interest, and the Customer hereby authorises such use, including profiling of Personal Data. Even after the Customer’s relationship with Sumsub is terminated, Sumsub may retain the Personal Data and related inferences where it has a lawful basis for doing so, including for purposes of Sumsub’s own legitimate interests of continuing to provide services for all Sumsub customers, complying with its legal obligations, resolving disputes, and enforcing its agreements and serving the (substantial) public interest. Where Sumsub acts as an independent controller, each party shall be individually responsible for its own processing of the Personal Data and compliance with Applicable Data Protection Legislation unless otherwise provided herein.
  3. 2.2To the extent the Customer provides Personal Data related to the execution of the Terms and Conditions via Sumsub’s website, dashboard, or other communication means (including in connection with any requests), Sumsub will process such Personal Data in accordance with Sumsub’s privacy notice available at https://sumsub.com/privacy-notice/
  4. 2.3Party shall notify the other Party of any request for the disclosure of Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency in accordance with clause 18 of this Agreement.
  1. 3.Parties’ obligations
  2. 3.1Sumsub’s obligations as the Processor:

    1. a.Sumsub will only process the Personal Data to the extent and in such a manner as is necessary for the Business Purposes and this Agreement. Sumsub will also process Personal Data in accordance with the Customer's written instructions from Authorised Persons, if applicable. Sumsub will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or Data Protection Legislation.
    2. b.Sumsub must promptly comply with any of the Customer’s requests or instructions from Authorised Persons requiring Sumsub to rectify, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

      Sumsub must promptly notify the Customer if, in its opinion, the Customer's instruction would not comply with Data Protection Legislation.
    3. c.Sumsub will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Agreement generally authorises the disclosure or as required by law. If a law, court, regulator or supervisory authority requires Sumsub to process or disclose Personal Data, Sumsub must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the law prohibits such notice.
    4. d.Sumsub will reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Legislation, taking into account the nature of Sumsub's processing and the information available to Sumsub, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
  3. 3.2Customer’s obligations as the Controller:

    1. a.The Customer represents and warrants that it has taken all the required measures to ensure that Sumsub and subprocessors may lawfully process the Personal Data in accordance with the applicable Data Protection Legislation.
    2. b.The Customer ensures that any and all required privacy notices have been given to the data processing subjects and, where required, all necessary consents obtained, which are sufficient in scope to enable each Party to Process the Personal Data as envisaged under this Agreement and in accordance with the Applicable Data Protection Legislation, including the transfer of such Personal Data to and by Sumsub (including by having provided all necessary notices and obtained all necessary consents for Sumsub to process biometric data pursuant to Article 9 of the EU General Data Protection Regulation and the UK General Data Protection Regulation and any other applicable national rules, laws, regulations, directives and governmental requirements concerning biometric data).

      For clarity, the Customer will ensure the Data Subjects are familiarised with the notice wording contained in Annex B and/or obtain each Data Subject’s consent to that wording before any Personal Data is provided to Sumsub, where applicable.

      When processing Personal Data of a child, the Customer shall make reasonable efforts to assure that the holder of parental responsibility over the child has given consent for the Processing or authorised the Processing in another manner required under applicable Data Protection Legislation.
    3. c.Upon redirection by Sumsub of requests made by Data Subjects or the authorities empowered by the Applicable Data Protection Legislation, the Customer will respond to the requests concerning the processing of Personal Data conducted by Sumsub and controlled by the Customer or provide Sumsub with the relevant instruction on responding to such a request. The communication details are provided in clause 18 of this Agreement.

      For requests made by the authorities empowered by the Applicable Data Protection Legislation the Parties shall use the notice contacts in accordance with clause 18 of this Agreement. The Customer shall notify Sumsub of any inquiries by the supervisory authorities about Sumsub Service or Sumsub Processing of Personal Data.
  1. 4.Sumsub personnel
  2. 4.1Sumsub will ensure that all of its personnel

    1. i.are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
    2. ii.have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
    3. iii.are aware of both of Sumsub's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
  3. 4.2Sumsub will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable law on all of Sumsub's personnel with access to the Personal Data.
  1. 5.Data Protection and Security
  2. 5.1Sumsub must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
  3. 5.2Sumsub will keep detailed, accurate and up-to-date records on actions committed by the Customer and Sumsub personnel in order to ensure records of compliance with obligations under this Agreement and Sumsub will provide the Customer with copies of the Records upon request.
  1. 6.Personal Data Breach
  2. 6.1Sumsub will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Sumsub will restore such Personal Data at its own expense.
  3. 6.2Sumsub will immediately and without undue delay notify the Customer if it becomes aware of

    1. a.any accidental, unauthorised or unlawful processing of the Personal Data; or
    2. b.any Personal Data Breach.
  4. 6.3Where Sumsub becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide the Customer with the following information:

    1. i.description of the nature of (a) and/or (b), including the categories and an approximate number of both Data Subjects and Personal Data records concerned;
    2. ii.the likely consequences; and
    3. iii.description of the measures taken or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
  5. 6.4Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Sumsub will reasonably cooperate with the Customer in the Customer's handling of the matter, including

    1. i.assisting with any investigation;
    2. ii.providing the Customer with physical access to any facilities and operations affected;
    4. iii.facilitating interviews with Sumsub's employees, former employees and others involved in the matter;
    5. iv.making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
    6. v.taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
  6. 6.5Sumsub will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law.
  7. 6.6Sumsub agrees that the Customer has the sole right to determine:

    1. i.whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
    2. ii.whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
  8. 6.7Sumsub will cover all reasonable expenses associated with the performance of the obligations under clause 6.2 and clause 6.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
  1. 7.International transfers of personal data
  2. 7.1Sumsub (or any subcontractor) shall not transfer or otherwise process Personal Data outside the European Economic Area (EEA) or the United Kingdom unless:

    1. i.data recipients or third countries ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Customer Personal Data as determined by the European Commission (EC) or the Information Commissioner’s Office (ICO);
    2. ii.the transfer is based on the Binding Corporate Rules or Standard Contractual Clauses or another legally recognised transfer method.

Provided that an adequacy decision/regulation of the EC or the ICO is amended or withdrawn, resulting in the inability to rely on it as a data transfer mechanism by the Parties, such transfer shall be conducted as provided in clause 7.2.

  1. 7.2If any Personal Data transfer between the Customer (as ‘data exporter’) and Sumsub (as ‘data importer’) requires the execution of the Standard Contractual Clauses (‘SCCs’) that are available here (https://eur-lex.europa.eu) in order to comply with the Data Protection Legislation, the parties conclude SCCs as indicated in Annexes C-1, C-2 and C-3, accordingly, which shall be deemed incorporated into and form a part of this Agreement, as follows:

    In relation to transfers of Personal Data that is protected by the EU GDPR and processed per clause 2.1.(a) of this Agreement, the SCCs shall apply, completed as follows:

    1. i.Module Two or Module Three will apply (as applicable);
    2. ii.in Clause 7, the optional docking clause will apply;
    3. iii.in Clause 9, both options will apply per clause 8 of this Agreement, and the time period for prior notice of Subprocessor changes shall be as set out in clause 8.1. of this Agreement;
    4. iv.in Clause 11, the optional language will not apply;
    5. v.in Clause 17, Option 1 will apply, and the SCCs will be governed by Cyprus law;
    6. vi.in Clause 18(b), disputes shall be resolved before the courts of Cyprus;
    7. vii.Annex I of the SCCs shall be deemed completed with the information set out in Annex C-1 to this Agreement; and
    8. viii.Subject to clause 6 of the SCCs, Annex II of the SCCs shall be deemed completed with the information set out in Annex C to this Agreement;

In relation to transfers of Personal Data protected by the EU GDPR and processed per clause 2.1.(b) of this Agreement, the SCCs shall apply, completed as follows:

    1. i.Module One will apply;
    2. ii.in Clause 7, the optional docking clause will apply;
    3. iii.in Clause 11, the optional language will not apply;
    4. iv.in Clause 17, Option 1 will apply, and the SCCs will be governed by Cyprus law;
    5. v.in Clause 18(b), disputes shall be resolved before the courts of Cyprus;
    6. vi.Annex I of the SCCs shall be deemed completed with the information set out in Annex C-2 to this Agreement; and
    7. vii.Subject to the language provided in clause 6(i) of this Agreement, Annex II of the SCCs shall be deemed completed with the information set out in Annex C to this Agreement;

In relation to transfers of Personal Data protected by the UK GDPR, the SCCs, as implemented under sub-paragraphs (a) and (b) above, will apply with the following modifications:

    1. i.the SCCs shall be deemed amended as specified by Part 2 of the UK Addendum;
    2. ii.tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annex C-3 of this Agreement (as applicable); and
    3. iii.table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
  1. 7.3In cases where a third-party processor is involved in fulfilling the Terms and Conditions and processing Personal Data in accordance with this Agreement, and such a third-party processor is located in a third country, the transfer of data from Sumsub to this third-party processor requires application of certain appropriate safeguards, such transfers will be subject to the appropriate safeguards specified in Article 46 EU GDPR and UK GDPR.

    Where possible, such transfers should be made on the basis of Adequacy Decisions per Article 45 of the EU GDPR or Adequacy Regulations in accordance with Article 17A of the Data Protection Act 2018.
  2. 7.4When the Customer transfers any Personal Data from the System or provides access to the System to any third party or recipient, including those located outside the EU/EEA/UK, the Customer is solely responsible for ensuring that such transfer is legal and is subject to the applicable protection regime and/or appropriate safeguards in accordance with applicable Data Protection Legislation.
  1. 8.Subprocessors
  2. 8.1Sumsub may authorise a subprocessor to process the Personal Data, and it hereby represents and guarantees, subject to clauses 16 and 17, that:

    1. a.Sumsub enters into a written contract with the subprocessor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures;
    2. b.Sumsub maintains control over all Personal Data it entrusts to the subprocessor.

The Customer grants Sumsub general authorisation to engage any subprocessor by selecting a set of services for which this subprocessor needs to be involved when signing the Terms and Conditions. Sumsub will maintain the list of engaged subprocessors, which will be updated in the Dashboard notifications and which the Customer shall read and review to receive the updated information. If the Customer objects to the engagement of the specified subprocessor and provides legitimate reasons for the objection, Sumsub may (i) cease to use the new subprocessor with regard to Personal Data (if possible, to continue providing service without using a particular subprocessor, and it will not affect SLA and quality of service), (ii) taking into account the costs and state of the art, consider providing another subprocessor, or (iii) if it is impossible to provide another subprocessor or if the Customer objects to any subprocessor, Sumsub may cease to provide or the Customer may agree not to use (temporarily or permanently) the particular aspect of a Sumsub Service that would involve the use of the subprocessor to process Personal Data. Sumsub or the Customer may terminate this Agreement in accordance with clause 11.4. hereto.

  1. 8.2Where the subprocessor fails to fulfil its obligations under such a written agreement, Sumsub remains fully liable to the Customer for the subprocessor's performance of its agreement obligations.
  2. 8.3The Parties consider Sumsub to control any Personal Data controlled by or in possession of its subprocessors.
  1. 9.Recipients
  2. 9.1The parties agree that any transfer of Personal Data within the Dashboard from the Customer to a third party will be possible only if:

    1. i.appropriate contractual obligations and other relevant obligations will be entered into between the Customer and the third party under applicable Data Protection Legislation; and
    2. ii.the Customer will give written instructions for such a transfer by completing the relevant legal arrangement.
  10. Complaints, data subject requests and third-party rights
  10.1. Sumsub must, at no additional cost, take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:

    i. the rights of Data Subjects under the Data Protection Legislation, including subject access and portability rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
    ii. information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
  10.2. Sumsub must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation. The communication details are indicated in clause 18 of this Agreement.
  10.3. Sumsub must notify the Customer within 10 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
  10.4. Sumsub will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.
  10.5. Sumsub must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Agreement or as required by law.
  11. Term and termination
  11.1. This Agreement will remain in full force and effect so long as the Terms and Conditions remain in effect.
  11.2. Any provision of this Agreement that expressly should come into or continue in force on or after the termination of the Terms and Conditions in order to protect Personal Data will remain in full force and effect.
  11.3. Sumsub's failure to comply with the terms of this Agreement is a material breach of the Terms and Conditions. In such an event, the Customer may terminate any part of the Terms and Conditions authorising the processing of Personal Data effective immediately on written notice to Sumsub without further liability or obligation.
  11.4. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Terms and Conditions obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 2 (two) months, they may terminate the Terms and Conditions on written notice to the other party. By signing this agreement, the Customer agrees that the termination is the sole remedy in such a situation.
  12. Data return and destruction
  12.1. At the Customer's request, Sumsub will give the Customer a copy of or access to all or part of the Customer's Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
  12.2. Sumsub will cease any processing and delete and/or return if directed in writing by the Customer, all or any Personal Data related to this Agreement upon (i) instruction from the Customer in connection with the Services or (ii) written request of the Customer in connection with the termination of the Terms and Conditions for any reason or expiry of its term.

This clause does not apply to the processing of Personal Data carried out in accordance with clause 2.1.(b).

  12.3. If any law, regulation, or government or regulatory body requires Sumsub to retain any documents or materials that Sumsub would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
  12.4. Where the Customer has instructed that any Personal Data be deleted, Sumsub will certify in writing that it has destroyed the Personal Data within 30 days after it completes the destruction.
  13. Review
  13.1. The Customer and Sumsub must review the information listed in Annex A to this Agreement once a year or earlier subject to mutual consent to confirm its current accuracy and update it when required to reflect current practices.
  14. Audit
  14.1. Sumsub shall, in accordance with Data Protection Legislation, make available to the Customer any information as is reasonably necessary to demonstrate Sumsub's compliance with its obligations as a data processor under the Data Protection Legislation and allow for and contribute to audits, including inspections, by the Customer, subject to the Customer:

    i. giving Sumsub 30-day prior notice of such information request, audit and/or inspection being required;
    ii. ensuring that all information obtained or generated in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a supervisory authority or as otherwise required by applicable law);
    iii. ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Sumsub's business, a subprocessor's business and the business of other customers of Sumsub; and
    iv. paying Sumsub's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
  14.2. Clause 14.1. shall be ensured as follows:

    i. remote electronic access to, and copies of the Records and any other relevant information held at Sumsub's premises or on systems storing Personal Data;
    ii. access to any of Sumsub's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
    iii. remote inspection of all relevant documentation and the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process or transport Personal Data.
  14.3. At least once a year, Sumsub will conduct audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
  14.4. Sumsub will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by Sumsub's management.
  15. Breach Notification
  15.1. If a Personal Data Breach occurs or is occurring, or Sumsub becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, Sumsub will:

    i. promptly conduct its own audit to determine the cause;
    ii. produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
    iii. provide the Customer with a copy of the written audit report; and
    iv. promptly remedy any deficiencies identified by the audit.
  16. Warranties
  16.1. Sumsub warrants and represents that:

    a. its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation relating to the Personal Data;
    b. it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
    c. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Terms and Conditions' contracted services; and
    d. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

      i. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;
      ii. the nature of the Personal Data protected; and
      iii. comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in clause 5.1.
  16.2. The Customer warrants and represents that Sumsub's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
  17. Indemnification
  17.1. The Customer agrees to indemnify Sumsub against any losses arising out of or incurred in connection with any claims brought by third parties under the Data Protection Legislation in connection with any breach (including for the avoidance of doubt any alleged breach) of clause 3.2 hereof.
  18. Notice and the DPO
  18.1. Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to: [email protected]
  18.2. Clause 18.1. does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

This agreement has been entered into on the date stated at the beginning of it.

Annex A

Personal Data Processing Purposes and Details

  • The Customer's Purpose of Processing:

    CDD and AML/CFT rules compliance for KYC, if applicable

  • Business Purpose:

    Execution of the Terms and Conditions

  • Nature of Processing:

    Remote identity verification and other CDD procedures

  • Duration of Processing:

    Term of the Terms and Conditions or any other term indicated in line with clause 12 of this Agreement

  • Data subjects categories:

    the Customer's customers

  • Categories of data for Processing:

    The Personal Data processing is based on the products or services selected in ANNEX 2 of the Terms and Conditions, which may include, but are not limited to the categories of Personal Data specified below.

For clarity, geolocation data (e.g. IP address) and technical data (e.g. software and hardware attributes (camera and device name)) are strictly necessary to the extension of detection of fraud patterns as well as provision of the correct risk score to the Customer.

KYC (A-Z)

  • For Address verification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship), ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); PoA document data; Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from Data Subject’s device).
  • For AML Screening: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship), ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); Relevant publicly available data (information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device);
  • For Bank Card extraction and sensitive data masking: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); Banking details (card holder name, expiry date, first 6 and last 4 digits of the card number); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Biometric Checks (Liveness & Face Match): Facial Image data (photos of face including selfie images and photo or scan of face on the ID document), Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Biometric Checks (Selfie image & Face Match): Facial Image data (selfie images and photo or scan of face on the ID document); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from Data Subject’s device).
  • For Biometric Checks (Video selfie & Face Match): Facial Image data (video-selfie (recording of short video with person saying 3 numbers transmitted to the screen of device used) and photo or scan of face on the ID document); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Email verification: Email address; Unique Identifier (Applicant ID).
  • For ID document verification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Phone verification: Phone number; Unique Identifier (Applicant ID).
  • For Questionnaire: Depends on the Customer’s requirements
  • For Source of Funds and Wealth Check: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); Data extracted from documents provided as proof of source of funds/wealth; Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Video Identification: General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); ID document data (document type, issuing country, ID number, expiry date); Facial image data (video, sound recordings and screenshots of face); other Personal Data [for AML/CFT purpose] (activity profile, area of activity, purpose and nature of establishment of a business relationship, etc.); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).

KYB (A-Z)

  • For Intermediate Shareholder Check: Corporate [company] documents, containing information about name, position, share owning of a particular person considered as shareholder.
  • For Ownership and Management Check: Corporate [company] documents, containing information about name, position, share owning of a particular person considered as a shareholder or a top manager.

Extras (A-Z)

  • For custom fields: Additional information in the ID (depending on the country – personal identification number, tax ID, etc.);
  • For Face authentication: Facial Image data (photos of face including selfie images and photo or scan of face on the ID); Biometric data (numeric facial features); Technical data (software and hardware attributes (camera and device name)); Unique Identifier (Applicant ID); Geolocation data (IP address and domain name; general geographic location (e.g., city, country) from the Data Subject’s device).
  • For Known Face Search (Additional to Biometrics Checks): comparison of already provided facial image data.
  • For NIN verification for Nigeria: NIN number data.
  • For Ongoing AML Screening: AML Screening data set.
  • For Ongoing ID document verification: ID document verification data set.
  • For SMS notification: Phone number.
  • For Support: Full name (name and surname); contact details (email address and/or phone number); Other information to mitigate the issue.

KYT

  • For Transaction monitoring: Full name of the sender and the recipient, the address of the sender and the recipient, and the Unique identifier of the counterparties provided by Sumsub and the particular Customer.

Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Customer’s purpose(s) and Business purpose.

Subject matter, nature and duration of the processing by (sub-) processor: The subject matter, nature and duration of the processing is indicated and specified in the relevant Agreement with the subprocessor that Sumsub engages for Business purpose. More details are provided in Annex E.

Annex B

Consent and Privacy Notice Wording

The Customer shall ensure that, where applicable, it collects each Data Subject’s consent for Sumsub (as a third-party processor) to process Personal Data, including biometric data, related to this Agreement in accordance with the applicable Data Protection Legislation (particularly Article 9 of the EU GDPR and the UK GDPR) by complying with either point (a) or (b) below:

  a. The following notice and consent language must be incorporated into the Customer’s interface with respect to any person using the Customer’s services, where Sumsub is integrated, through the following requisite steps:

    1. The Customer is to explain to Data Subjects that it uses a third party, Sumsub, to process their Personal Data.
    2. The Customer is to present to Data Subjects the following or a sufficiently similar notification prior to asking any Data Subject to proceed to complete any check powered by Sumsub:
    “By clicking “Accept” below or otherwise continuing the verification procedure, you agree you have read, understand and accept Sumsub Privacy Notice”

    3. The Customer is to provide a link to the full text of Sumsub Privacy Notice, which is hosted externally by Sumsub, from within its application/user interface; this will enable Data Subjects to understand more about the services Sumsub provides to the Customer. The full text of the current versions of each of these documents and the URLs you can use are:
    Sumsub Privacy Notice is available at https://sumsub.com/privacy-notice/

    The following API consent parameter must be implemented by the Customer in respect of use of the Services:

    Sumsub privacy_notice_read_consent_given

  b. The Customer will incorporate terms which meet the following requirements into its own policies and legal agreements with Data Subject:

    1. Appropriate Privacy Notice: Customer must present the Data Subjects with an appropriate policy document which meets the requirements of the applicable Data Protection Legislation, describing in particular:

      - the processing of biometric data while capturing face,
      - the purpose for which the biometric data is collected,
      - the use of third party service providers to perform this service aimed to perform identity verification on the Customer’s behalf,
      - other matters required by the applicable Data Protection Legislation, including as to storage, retention periods, third-countries transfers, etc.
    2. Adoption of API consent parameter (privacy_notices_read_consent_given): Customer must implement the following API consent parameter in respect of use of the Services:
    Sumsub Privacy_notices_read_consent_given

Annex C-1

Description of Processing / Transfer

Modules 2 and 3 (controller/processor to processor transfers)

A. List of Parties

Data exporter(s)

Name: Party identified as ‘Customer’ in the Agreement.

Address: as defined in the Agreement.

Contact person’s name, position and contact details: As provided in clause 18 of the Agreement.

Activities relevant to the data transferred under these Clauses: Provisioning data for the Business purpose.

Role: Controller/Processor

Data importer(s)

Name: Party identified as ‘Sumsub’ in the Agreement.

Address: as defined in the Agreement.

Contact person’s name, position and contact details: Sumsub’s DPO, email: [email protected]

Activities relevant to the data transferred under these Clauses:

  • non-face-to-face customer identification, documents verification,
  • anti-money laundering customer screening (applies if it is indicated as a Service under the Service Provider Agreement), and
  • other services related to customer identity verification according to the Service Provider Agreement.

Role: Processor

B. Description of Transfer

As specified in Annex A of the DPA.

C. Competent Supervisory Authority

The competent supervisory authority will be determined in accordance with the criteria set forth in Clause 13 of the SCCs, provided that if the data exporter is not established in an EU Member State and has not appointed a representative, the Cyprus Supervisory Authority shall act as the competent supervisory authority.

ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data is to be required by the Customer additionally.

ANNEX III: List of Subprocessors: As specified in the Dashboard System.

Annex C-2

Description of Processing / Transfer

Module 1 (controller-to-controller transfers)

A. List of Parties

Data exporter(s)

Name: Party identified as ‘Customer’ in the Agreement.

Address: as defined in the Agreement.

Contact person’s name, position and contact details: As provided in clause 18 of the Agreement.

Activities relevant to the data transferred under these Clauses: Provisioning data for the Business purpose.

Role: Controller

Data importer(s)

Name: Party identified as ‘Sumsub’ in the Agreement.

Address: as defined in the Agreement.

Contact person’s name, position and contact details: Sumsub’s DPO, email: [email protected]

Activities relevant to the data transferred under these Clauses: Improvement of Services

Role: Controller

B. Description of Transfer

As specified in Annex A of the DPA.

C. Competent Supervisory Authority

The competent supervisory authority will be determined in accordance with the criteria set forth in Clause 13 of the SCCs, provided that if the data exporter is not established in an EU Member State and has not appointed a representative, the Cyprus Supervisory Authority shall act as the competent supervisory authority.

ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data is to be required by the Customer additionally.

ANNEX III: List of Subprocessors: As specified in the Dashboard System.

Annex C-3

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses - UK

PART 1. TABLE

Table 1. Parties

Commencement date: when the restricted transfer is to be conducted

The Parties' details:

Exporter: Customer

Importer: Sumsub

Key Contact: as specified in DPA

Table 2. Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs (stated in Annexes C-1 and C-2) to which this Addendum is appended, detailed below, including the Appendix Information.

Table 3. Appendix Information

ANNEX IA: List of Parties: As specified in the preamble of the SCCs (stated in Annex C-1 and/or Annex C-2).

ANNEX IB: Description of Transfer: As specified in Annex A to the DPA.

ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data is to be required by the Customer additionally.

ANNEX III: List of Subprocessors: As specified in the Dashboard System.