Sumsub Travel Rule Ecosystem Agreement

1. Types of Participants

1. 1.1.The following entities can join the Sumsub Travel Rule Ecosystem by the means specified in Section 2 of this Agreement and become Participants:
   
   
• Level 1 Participants. This type includes Clients that have acquired the Sumsub Travel Rule Solution under the respective Client Agreement and such Clients’ Affiliates, if any.
• Level 2 Participants. This type includes Clients’ counterparties that accede to this Agreement by registering a Free Account or otherwise but are not bound by any other direct commercial agreement with Sumsub.
2. VASPs connected to Partners may also be displayed in the VASP Directory with a corresponding mark. These VASPs, as a rule, are not bound by this Agreement and are not Participants unless otherwise agreed in the agreement between the respective Partner and Sumsub.

2. Acceptance of Agreement

1. 2.1.The Participant agrees to be bound by this Agreement starting from the date (“Effective Date”):
• for Level 1 Participants, as the case may be – (i) when the respective Client Agreement wherein this Agreement is incorporated by reference enters into force; or (ii) where this Agreement is incorporated into a VASP Due Diligence Questionnaire, when the Participant submits it to Sumsub; or (iii) where a Participant is connected to a Partner – as specified in the commercial agreement concluded between that Partner and Sumsub, if applicable; or (iv) where the Participant is a Client’s Affiliate, when it proceeds to fill in its VASP Registration Form via the Dashboard, whichever is the earlier;
• for Level 2 Participants – when the Participant initiates completion of the VASP Registration Form to access a Free Account.
2. 2.2.For Level 1 Participants, the terms of the respective Client Agreement shall apply to the relationship between the respective Participant and Sumsub under this Agreement insofar as the matter in question is not regulated hereunder. In case of a conflict or discrepancy between the Client Agreement and this Agreement, the latter shall prevail.
3. 2.3.For Level 2 Participants that carry out activities requiring personal data processing by Sumsub as a data processor, such data processing, as well as the corresponding rights and obligations of the Parties, are regulated by the DPA (as defined below).

3. Definitions

The following terms and definitions are used in this Agreement:

Beneficiary – beneficiary VASP receiving a VA Transaction from the Originator.

Blockchain Analytics Provider – a Data Partner used within the Sumsub Travel Rule Solution for the purposes of wallet attribution or conducting Essential Checks.

Client – a legal entity acquiring services directly from Sumsub under the respective Service Provider Agreement (“SPA”), Partnership Agreement, Sumsub Travel Rule Solution Agreement (“TRA”), or another commercial agreement (“Client Agreement”);

Client’s / Clients’ Affiliate – a legal entity that (i)(a) is controlled, controlling, or under common control with a Client (control meaning direct or indirect ownership of at least 50% of the capital stock or voting rights) or (i)(b) maintains a commercial agreement with a Client requiring it to have access to that Client’s data and (ii) has access to the Dashboard and the Sumsub Travel Rule Solution functionality under the respective Client Agreement.

Confidential Information – information disclosed by (or on behalf of) a) Sumsub to any Participant; b) any Participant to Sumsub; c) any Participant to another Participant (with the disclosing party hereinafter referred to as the “Discloser” and the receiving Party as the “Recipient”) in connection with or in anticipation of this Agreement (including the content of this Agreement itself) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, can reasonably be assumed to be confidential. It does not include information (i) that the Recipient already knew, (ii) that becomes public through no fault of the Recipient, (iii) that was independently developed by the Recipient, (iv) that was authorized for disclosure by the Discloser or (v) that was lawfully given to the Recipient by a third party, so long as these circumstances can be proven by documentary evidence.

Dashboard – an interactive software tool ensuring management and processing of requests for VASP Due Diligence, TR Transactions, VA Transactions and facilitating the communication between Sumsub and the Participant in relation to this Agreement.

DPA – data processing agreement forming an integral part of this Agreement and available at https://sumsub.com/files/data_processing_agreement.pdf.

Data Protection Legislation – all applicable privacy and data protection laws, including the EU General Data Protection Regulation ((EU) 2016/679)(‘EU GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018; any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

Data Partner – any entity providing any data to Sumsub to be used in the Sumsub Travel Rule Solution.

Essential Check (EC) – a set of checks in relation to a Participant which are sourced by Sumsub directly from a Blockchain Analytics Provider.

Extended Essential Check¹ (EEC) – a set of checks in relation to a Participant which are conducted by Sumsub based on information obtained from Data Partners.

Extended Essential Check Report (EEC Report) – a report generated by Sumsub after conducting an Extended Essential Check and containing the information received from Data Partners and the VASP Score².

Free Account – a limited-functionality account in the Dashboard provided to Level 2 Participants for the purposes of enabling them to respond to incoming TR Transactions and to send outgoing TR Transactions manually. To benefit from full functionality, Level 2 Participants must become Level 1 Participants and have purchased the Sumsub Travel Rule Solution under a Client Agreement.

Originator – originating VASP sending a VA Transaction to the Beneficiary.

Partner – independent Travel Rule solution provider that has its own messaging protocol and community of verified VASPs and maintains a partnership agreement with Sumsub to facilitate data transfer between participants of their community and the Sumsub Travel Rule Ecosystem.

Service Provider Agreement (SPA) – an agreement (with its annexes and appendices) concluded between Sumsub and its Client for the provision of Sumsub Travel Rule Solution and other related services.

Sumsub Travel Rule Solution Agreement (TRA) – a supplemental Agreement to the SPA, concluded via the Dashboard or otherwise, whereunder a Client obtains access to the Sumsub Travel Rule Solution and adjacent services provided by Sumsub, if any.

Sumsub – either (i) SUM AND SUBSTANCE LTD incorporated and registered in England with company number 09688671 and registered office at 30 St. Mary Axe, London, England, EC3A 8BF (for Level 2 Participants); or (ii) for Level 1 Participants – the legal entity belonging to Sumsub Group*³ that maintains the respective Client Agreement with the Participant.

Sumsub Travel Rule Ecosystem – a community of Participants bound by this Agreement, united to facilitate the sharing of data about VA Transactions among Participants and identification and verification of counterparty VASPs’ identities for the purposes of complying with the Travel Rule requirements (when applicable). Members of the Sumsub Travel Rule Ecosystem can be referred to as Virtual Asset Service Providers (VASPs), financial institutions or non-regulated entities (as the respective national laws and regulations may specify) dealing in virtual asset transfers.

Sumsub Travel Rule Solution – a set of solutions and related services (as determined by the relevant Client Agreement), designed to assist Clients in following the requirements of the Travel Rule by collecting, verifying and transferring to counterparty VASPs certain data pertaining to originators and beneficiaries of VASP-facilitated transactions.

Travel Rule – an obligation under AML/CFT laws and regulations mandating that VASPs obtain, hold and exchange information about the originators and beneficiaries of virtual asset transfers (as per paragraph 7(b) of FATF’s Interpretative Note to Recommendation 15).

Travel Rule Transaction (TR Transaction) –a data entry created by a Participant in the Dashboard in relation to a VA Transaction originated by that Participant , designed to transfer data to a counterparty VASP according to Travel Rule requirements.

Third-Party Travel Rule protocols/systems – open source protocols or independent Travel Rule solution providers that have their own messaging protocols and communities of verified VASPs but do not qualify as a Partner.

VASP Registration Form – the questionnaire incorporated into the Dashboard (contained in Annex I to this Agreement as a template) that a Level 2 Participant is required to fill in before getting access to its Free Account.

VA Transaction – a transfer of virtual assets subject to the Travel Rule requirements.

VASP Due Diligence – the process of Sumsub verifying the information provided by a Participant via the VASP Due Diligence Questionnaire.

VASP Due Diligence Questionnaire – the questionnaire incorporated into the Dashboard (contained as a template in Annex II to this Agreement) that every Participant may fill in for the purposes of VASP Due Diligence.

VASP Due Diligence Report or Report – the report that Sumsub completes during VASP Due Diligence. The Report contains the results of the verification of all information provided by the Participant in the VASP Due Diligence Questionnaire and certain information received by Sumsub from Data Partners and other sources.

VASP Directory – the full list of VASPs provided to Sumsub by the Blockchain Analytic Providers or Partners and/or composed based on some other sources and accessible via the Dashboard. For clarity, an entity listed in the Directory is not necessarily a Participant.

Wallet Address Book (WAB) – a database of wallet addresses and/or their hashes, collected and maintained by Sumsub (and/or its affiliates, as the case may be). This data may be obtained directly from Participants, their customers, through public sources, or by other lawful means.

¹The information processed as part of an EC/EEC Report is received by Sumsub from its data providers “as-is”. Sumsub does not verify or validate the information by any other means, does not guarantee its accuracy and disclaims all liability in relation thereto. The results of an EC / EEC are not legally binding and do not constitute any final compliance-related decision; each Participant is solely responsible for deciding, in its own discretion and in accordance with its internal policies and procedures, whether to rely on such results.
²An EC/EEC Report does not necessarily substitute the risk assessment and counterparty due diligence procedures that a Participant may be obliged to conduct in accordance with the applicable laws and regulations and shall only be regarded as an additional source of information for the Participant’s benefit. Each Participant is solely responsible for making informed decisions as to whether to transact or otherwise interact with any other VASP, including any other Participant.
³Including, but not limited to:
- SUM AND SUBSTANCE LTD incorporated and registered in England with company number 09688671 and registered office at 30 St. Mary Axe, London, England, EC3A 8BF;
- SUMSUB TECHNOLOGY LLC, incorporated and registered in the United Arab Emirates with Commercial Register number 2014604 and registered office at Sheikh Mohammed bin Rashid Blvrd., Boulevard Plaza Tower 2, Floor 23, Downtown, Dubai, United Arab Emirates, 00000;
- Sumsub Inc., incorporated and registered in Delaware with File Number 6366081 and registered office at 8 The Green, Suite 8293, Dover, DE, 19901, USA;
- Sumsub APAC Pte. Ltd., incorporated and registered in Singapore with unique entity number 202345939C and registered office at 1 Goldhill Plaza #03-39, Singapore;
- SUMSUB TECH LTD, incorporated and registered in Cyprus with company number HE 424752 and registered office at Agiou Andreou 153, 3036, Limassol, Cyprus.

4. Content of Agreement

1. 4.1.The following documents shall be considered as integral parts of this Agreement:
   
   
• the VASP Registration Form (Annex I)
• the VASP Due Diligence Questionnaire (Annex II);
• Participant’s website page template (Annex III)
• Data Processing Details. Data Processing Instruction (Annex IV);
• International Data Transfer Mechanism pursuant to Article 13.1. of this Agreement (Annex V);
• International Data Transfer Mechanism pursuant to Article 13.2. of this Agreement (Annex VI);
• Sumsub Privacy Notice (Service delivery) and Privacy Notice (website and mob app);
• the DPA.

5. Participation Conditions

1. 5.1.Identification and identity verification
2. 5.1.1.VASP Due Diligence is not a prerequisite for joining the Sumsub Travel Rule Ecosystem. However:
• For certain Participants, it may be mandatory under the applicable laws and regulations to obtain information identical or similar to that collected by Sumsub as part of VASP Due Diligence prior to executing a VA Transaction with a counterparty VASP. Therefore, every Participant acknowledges that other Participants may elect not to transact with it if it has not undergone VASP Due Diligence or if they have determined, in their sole discretion, the results of such VASP Due Diligence unsatisfactory.
• VASP Due Diligence may be required under a commercial agreement between Sumsub and its Partner for the use of particular solutions / integrations forming part of the Sumsub Travel Rule Solution. In this case, a Participant may be denied access to such solutions / integrations where it has not undergone VASP Due Diligence or if Sumsub has determined, in its sole discretion, the results of such VASP Due Diligence unsatisfactory.
3. 5.1.2The VASP Registration Form does not substitute VASP Due Diligence and serves only to collect and subsequently verify certain basic information about a Level 2 Participant registering a Free Account or a Client’s Affiliate.
   
   The dependency between the VASP Registration Form and VASP Due Diligence is as follows:
   
   

1. 5.1.3.EC/EEC checks are required for both Level 1 and 2 Participants to obtain access to the Dashboard.
2. 5.1.4.Participants acknowledge that each Participant shall be solely responsible for its decisions regarding the execution of TR Transactions and VA Transactions with any other Participant regardless of the status assigned to it by Sumsub in the VASP Directory or otherwise.
3. 5.2.By entering into this Agreement, the Participant agrees to the following:

5.2.1. In relation to the VASP Registration Form (if applicable)

5.2.1.1 The Participant undertakes to provide Sumsub with complete, accurate, non-misleading information about itself.

5.2.2. In relation to VASP Due Diligence (if applicable)

5.2.2.1. The Participant undertakes to provide Sumsub with complete, accurate, non-misleading information about itself, its internal processes and representatives, AML/CFT and data protection measures, in particular when filling out the VASP Due Diligence Questionnaire.

5.2.2.2. The Participant also agrees that other Participants can request the VASP Due Diligence Questionnaire previously filled in by the Participant, as well as the VASP Due Diligence Report completed by Sumsub in respect of the Participant, for additional verification purposes. In such cases, Sumsub may share it with the requesting entity and notify the Participant in question regarding such a request and the execution status.

If the Participant objects to the sharing of the VASP Due Diligence Questionnaire, it must notify Sumsub accordingly before completing the VASP Due Diligence Questionnaire or immediately thereafter, but in any case before receiving / sending any transactions via the Sumsub Travel Rule Solution. The Participant solely bears all the risks that may follow such a refusal, including the possibility of any other Participant electing not to transact with it.

The Participant agrees that Sumsub carries out VASP Due Diligence in order to help other Participants to comply with the applicable regulatory requirements. Sumsub is not a company regulated for AML purposes, meaning that VASP Due Diligence cannot be considered as “reliance” in terms of AML/CFT laws and regulations. Sumsub carries out VASP Due Diligence based on the FATF Guideline, Wolfsberg group and GDF Association recommendations. Notwithstanding the results of the VASP Due Diligence carried out by Sumsub, each Participant shall be solely responsible for its decisions regarding the execution of TR Transactions and VA Transactions with any other Participant. The Participant acknowledges that no warranties exist as to the accuracy, completeness or suitability for any particular purposes as regards the data obtained and produced by Sumsub during the VASP Due Diligence.

If a Participant believes that it does not have enough information to decide on the execution of a VA Transaction or a TR Transaction, it can contact the counterparty directly and request missed information.

5.2.2.3. The Participant agrees that Sumsub reserves the right to request any Participant to undergo VASP Due Diligence at its discretion and at any time without providing any reason. In case of refusal, Sumsub reserves the right to deny the availability of the Sumsub Travel Rule Ecosystem and Sumsub Travel Rule Solution.

5.2.2.4. The Participant acknowledges that due diligence procedures that VASPs connected to Partners may undergo when joining the respective Partners' alliance or network shall be regarded as a substitution for the VASP Due Diligence carried out by Sumsub, subject to the Partner in question transferring the results of such procedures to Sumsub upon request.

The Participant acknowledges that the scope of due diligence carried out by any Partner may not match that of the VASP Due Diligence. If needed, Sumsub may attempt to request the missing information about a VASP for evaluation from the Partner or by other means; or the Participant can request such information from its counterparty directly. If a Participant is not satisfied with the level of VASP Due Diligence conducted by a Partner, it may request that the counterparty complete the VASP Due Diligence. If the counterparty refuses to complete the VASP Due Diligence, the Participant decides on whether to transact with it based on its policies and procedures.

5.2.3. In relation to Sumsub Travel Rule Ecosystem

5.2.3.1. The Participant agrees that, so long as this Agreement is in force between Sumsub and itself and for 5 years thereafter, at least the following information about the Participant (if available) can be displayed to the other Participants in the VASP Directory:

• legal name and trademarks; logo;
• legal name and country of incorporation of other companies of the group;
• website;
• country of incorporation;
• company number;
• registration address;
• information about protocols and other technical features used for compliance with the Travel Rule;
• regulatory status (e.g., licenced/registered; unlicensed/unregistered; has temporary exemption);
• supervisory authority (-s);
• verification status (e.g., EC/EEC statuses);
• email address, provided as a contact address for the issues related to the subject matter of this Agreement;
• counterparty risk label (green, yellow, red) received from a Blockchain Analytics Provider (it can be adjusted by Sumsub based on the information received via the VASP Due Diligence Questionnaire);
• VASP Score.
• EEC Report.

5.2.3.2. The Participant agrees that, so long as this Agreement is in force between Sumsub and itself, Sumsub may display certain information from the list specified above about the Participant publicly on its website.

5.2.3.3. The Participant also agrees that Sumsub may display a list of the Sumsub Travel Rule Ecosystem members (without providing the identification information referred to in section 5.2.3.1) to a company that wishes to become a member of the Sumsub Travel Rule Ecosystem and/or subscribe to the Sumsub Travel Rule Solution.

5.2.3.4. The Participant agrees that Sumsub may use the Participant’s trading name and logo (where applicable) in its marketing materials purported to promote Sumsub Travel Rule Solution. If the Participant objects to such use, it must notify Sumsub accordingly immediately after the acceptance of this Agreement.

5.2.3.5. By joining the Sumsub Travel Rule Ecosystem, each Participant undertakes to place a special message on its website stating that it is using Sumsub for Travel Rule purposes in accordance with the template specified in Annex III of this Agreement. For clarity, this message is intended for general information purposes only and shall not be interpreted as a warranty, guarantee, or representation on Sumsub’s behalf.

5.2.3.6. By joining the Sumsub Travel Rule Ecosystem, each Participant authorises Sumsub to interact with Third-Party Travel Rule protocols/systems for the purpose of receiving, sending and processing Travel Rule messages in those protocols/systems on behalf of the Participant (in particular, to register the Participant for Third-Party Travel Rule protocols/systems or access its accounts in Third-Party Travel Rule protocols/systems to resolve interoperability issues under prior notification of the Participant).

5.2.3.7. Participants grant Sumsub the right to collect and use their customers’ wallet addresses and/or their hashes by aggregating them into a database maintained and operated by Sumsub and/or its affiliates, as the case may be (also referred to ashereinafter Wallet Address Book (WAB)), for the purposes of wallet attribution offered by Sumsub (and/or its affiliates, as the case may be) as part of its services.

This information can be collected:

• during transaction processing by a Participant, such as when a Participant confirms that a particular wallet is controlled by it;
• during unhosted wallet verification carried out by a Participant’s customer;
• imported into WAB directly by a Participant by the means specified in the document.

Sumsub will act as an independent data controller with respect to this information, using it to develop and improve its services, specifically for wallet attribution purposes. Participants who chose to grant Sumsub the right to use their customers’ wallet addresses and/or their hashes, agree to include a link to Sumsub’s privacy notice (available here: https://sumsub.com/privacy-notice-service/) into their own privacy notices or other documents which are made available to their customers.

This solution is intended to increase transaction transparency, mitigate fraud risks and help Participants comply with regulatory obligations, namely the Travel Rule. Notwithstanding this, no warranties are implied.

For clarity, as this is not a prerequisite for joining the Travel Rule Ecosystem, any Participant who chooses not to grant this right must notify Sumsub immediately upon acceding to this Agreement. In such cases, this provision 5.2.3.7 will not apply between the Parties.

6. Participation Benefits

6.1. After joining the Sumsub Travel Rule Ecosystem, the Participant will be entitled to the following benefits:

6.1.1. Access to the information about the other Participants as specified in sections 4 and 5 above;
6.1.2. Technical functionality allowing to conduct TR Transactions with the other Participants via the Dashboard and integrated messaging protocols/solutions (depending on the Partner’s terms and conditions applicable to Sumsub);
6.1.3. Access to materials and documentation, including any technical documentation, whitepapers, manuals, descriptions, instructions, legal researches etc. designed to provide guidance regarding the operation, maintenance, and use of the Sumsub Travel Rule Solution and other related features;
6.1.4. Special invitations to events, webinars, and other activities related to the crypto industry and related areas;
6.1.5. Access to marketing materials and news in the field of compliance as may be available through email notifications and other channels. Sumsub may also share the relevant materials with the Participant by a direct link;
6.1.6. Product testing opportunities not involving real personal data may be available upon the request of the Participant .

7. Participant's Obligations

1. 7.1.The Participant shall be obligated to comply with (a) this Agreement; and (b) any applicable laws and regulations at all times.
2. 7.2.The Participant must inform Sumsub of any change in or inaccuracy of the information previously provided as soon as it becomes or should reasonably become aware of it and provide up-to-date data for re-verification. This may include, but is not limited to: changes in the ownership structure of the company; new types of business activities, commencement of operations in other jurisdictions; changes in compliance processes regarding AML/CFT and data protection; changes in the technical capabilities in relation to compliance with the Travel Rule, etc.
3. 7.3.The Participant is solely responsible for its use of the Sumsub Travel Rule Solution.
4. 7.4.The Participant must not:
• attempt to pass the VASP Due Diligence or fill in the VASP Registration Form using a fake identity or an identity of a third party;
• share the information received within the Sumsub Travel Rule Ecosystem, including data about other Participants, with third parties in a manner not envisaged in this Agreement;
• remove any copyright, trademark or other proprietary rights notices contained in Sumsub’s materials, any part of the Dashboard, or on Sumsub’s website (https://sumsub.com) or in Sumsub’s web and mobile applications;
• copy, modify or create derivative works of any parts of the Dashboard, Sumsub’s web and mobile applications, or any related technology.
5. 7.5.The Participant agrees that its non-compliance with the provisions of this section 7 may result in its exclusion from the Sumsub Travel Rule Ecosystem.

8. Charges

1. 8.1.Joining the Sumsub Travel Rule Ecosystem is free of charge.
2. 8.2.Notwithstanding clause 8.1, Sumsub may establish a reasonable fee to cover the administrative costs associated with maintaining the Sumsub Travel Rule Ecosystem. Sumsub shall notify the Participants at least one month prior to the relevant amendments to the Agreement.

9. Intellectual property

1. 9.1.The Participant acknowledges and agrees that all intellectual property rights related to the Sumsub Travel Rule Ecosystem or the Sumsub Travel Rule Solution are the property of Sumsub or its counterparties (as the case may be), including other Participants (within the scope determined in section 5 of the Agreement), and the Participant shall have no rights in or to the Sumsub Travel Rule Ecosystem or the Sumsub Travel Rule Solution other than the right to use them in accordance with the express provisions of this Agreement and the Participant’s Service Provider Agreement with Sumsub (if any).
2. 9.2.Notwithstanding clause 9.1 above, Sumsub grants the Participant a worldwide, non-exclusive, non-transferable, revocable license to use the Sumsub Travel Rule Ecosystem in accordance with and for the purposes of this Agreement, effective during the entire term hereof. The Participant may not sublicense this right other than with the prior written consent of Sumsub.

10. Confidentiality

1. 10.1.The Recipient shall: (a) maintain all Confidential Information in strict and absolute confidence and refrain from any disclosure and/or publication and/or description and/or communication of Confidential Information, in whole or in part, to any third party whatsoever without the Discloser’s explicit prior written consent; (b) take all necessary precautions to keep Confidential Information secret and apply the same security measures and degree of care to Confidential Information as the Recipient applies to its own confidential information; and (c) inform the Discloser of any damage to or accidental loss of Confidential Information, including transfer to or use by unauthorized persons immediately.
2. 10.2.The Recipient shall not: (a) use Confidential Information in order to build a product or service which competes with any products or services provided by Sumsub; (b) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Confidential Information (as applicable) in any form or media or by any means to any individual or entity without the Discloser’s explicit prior written consent; or (c) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of Confidential Information.

Where applicable, Participants, unless otherwise specified in the respective Client Agreement, grant Sumsub a license to access, download and use some parts of Confidential Information (including personal data) for: (a) analyzing such information in accordance with Sumsub’s functionality; (b) developing and testing service and new products to improve the functionality of the services, designed for fraud detection and prevention, including by means of artificial intelligence (e.g. machine learning models) in order to fulfill the commitments in this Agreement and/or corresponding Client Agreement; (c) identifying and flagging potentially fraudulent patterns and other signs of suspicious behavior which could lead to or signal any illicit activity, and calculated risk score based on the said factors and alert customers in the framework of higher-risk applicant control and alert functionality; (d) producing anonymised or anonymised and aggregated statistical reports and research, and (e) producing and storing audit log records and reports based on information security and personal data protection requirements.

1. 10.3.The Recipient shall also not be prevented from disclosing Confidential Information to employees and/or professional advisors who need to know it and who have agreed in writing (or, in the case of professional advisors, are otherwise bound) to keep confidentiality on terms no less restrictive than those contained herein. The Recipient will ensure that those persons: (a) use such Confidential Information only to exercise rights and fulfil obligations under this Agreement; and (b) keep such Confidential Information secret. The Recipient shall remain liable for any act or omission by its employees and/or professional advisors.
2. 10.4.The Recipient may also disclose Confidential Information when required by law after giving reasonable notice to the Discloser (if permitted by applicable laws and regulations).
3. 10.5.If so requested by the Discloser at any time by written notice to the Recipient, the Recipient shall promptly: (a) destroy or return to the Discloser all documents and materials (and any copies thereof) containing, reflecting, incorporating or based on the Discloser's Confidential Information; (b) erase all Confidential Information from its own computer and communications systems, devices and other means of electronic storage; (c) erase all Confidential Information stored in electronic form in systems and data storage services owned by third parties, if possible; and (d) certify in writing to the Discloser that it has complied with the requirements of this clause.

Notwithstanding that, if the Recipient is required by law to retain any part of Confidential Information (for example, obtained under section 5 of the Agreement), this clause shall only apply to the extent allowing the Recipient to comply with the legal obligations in question.

1. 10.6.Without affecting any other rights and remedies that the Discloser may have, the Recipient hereby agrees that damages would not be an adequate remedy for any breach by the Recipient of this section 10, and that the Discloser shall be entitled to remedies of injunction, specific performance and other equitable relief for any threatened or actual breach hereof.
2. 10.7.Notwithstanding anything to the contrary, this section 9 shall survive for 3 years after the expiry or termination of this Agreement.

11. Limitation of Liability

1. 11.1.THIS SECTION 11 SETS OUT THE ENTIRE FINANCIAL LIABILITY OF EITHER PARTY (INCLUDING ANY LIABILITY FOR THE ACTS OR OMISSIONS OF EITHER PARTY’S EMPLOYEES, AGENTS AND SUB-CONTRACTORS) IN RESPECT OF: (A) ANY BREACH OF THIS AGREEMENT; AND (B) ANY USE MADE BY THE PARTICIPANT OF THE SUMSUB TRAVEL RULE ECOSYSTEM OR SUMSUB TRAVEL RULE SOLUTION OR ANY PART OF THESE; AND (C) ANY REPRESENTATION, STATEMENT OR TORTIOUS ACT OR OMISSION (INCLUDING NEGLIGENCE) OR BREACH OF STATUTORY DUTY ARISING UNDER OR IN CONNECTION WITH THE AGREEMENT.
2. 11.2.NEITHER PARTY EXCLUDES OR LIMITS LIABILITY TO THE OTHER PARTY FOR (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) ANY INDEMNITIES UNDER THIS AGREEMENT; OR (C) ANY OTHER MATTER FOR WHICH IT WOULD BE UNLAWFUL FOR THE PARTIES TO EXCLUDE OR LIMIT LIABILITY.
3. 11.3.NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY, WHETHER IN CONTRACT, TORT (INCLUDING FOR NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, FOR: (A) ANY LOSS OF PROFITS, INCOME, GOODWILL, REVENUE OR BUSINESS OPPORTUNITIES; ANY SPECIAL, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGES; (B) LOSSES ARISING OUT OF A FORCE MAJEURE EVENT; (C) ANY LOSS OR CORRUPTION OF DATA OR INFORMATION, EXCEPT IF IT WAS CAUSED BY A BREACH OF THIS AGREEMENT BY EITHER PARTY.
4. 11.4.SUBJECT TO CLAUSES ABOVE, SUMSUB’S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THIS AGREEMENT OR ANY COLLATERAL CONTRACT SHALL IN ALL CIRCUMSTANCES BE LIMITED TO 5,000 EUR IN RELATION TO ANY GIVEN CLAIM (WHETHER INDIVIDUAL OR COLLECTIVE). THIS LIABILITY LIMITATION IS CUMULATIVE AND THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT ENLARGE IT.
5. 11.5.THE PARTICIPANT ASSUMES SOLE RESPONSIBILITY FOR CONCLUSIONS DRAWN FROM ITS USE OF INFORMATION RECEIVED UNDER THIS AGREEMENT.
6. 11.6.THE PARTICIPANT SHALL INDEMNIFY, DEFEND, AND HOLD HARMLESS SUMSUB AND ITS RESPECTIVE OFFICERS, SHAREHOLDERS, DIRECTORS, AND PERSONNEL, (AND KEEP SUCH INDIVIDUALS INDEMNIFIED ON A FULL INDEMNITY BASIS), FROM AND AGAINST ANY THIRD PARTY CLAIMS, SUITS, HEARINGS, ACTIONS, DAMAGES, LIABILITIES, FINES, PENALTIES, COSTS, LOSSES, JUDGMENTS OR EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES) ARISING OUT OF OR RELATING TO THE PARTICIPANTS’ USE OF THE ECOSYSTEM (COLLECTIVELY, “CLAIMS”), PROVIDED AND TO THE EXTENT THAT SUCH CLAIMS ARE NOT DUE TO ANY BREACH OF THIS AGREEMENT BY SUMSUB.

12. Data processing

1. 12.1.Data processing rules for Originator's and Beneficiary's data
2. 12.1.1.The Participants agree that Sumub is a data processor when providing the Sumsub Travel Rule Solution, namely verifies the identities of a VA Transaction’s beneficiary and originator and transfers to/ receives from another Participant the corresponding personal data using special messaging protocols under the Participant’s instructions.
3. 12.1.2.The Participants, as data controllers, shall determine the legal bases for the processing of personal data and procure that each data subject whose personal data is to be processed and shared under the respective Client Agreement or this Agreement be properly notified about such processing by respective means.

The receiving Participant guarantees that no personal data transferred to it shall be further redistributed to any third party without an appropriate legal basis.

1. 12.1.3.Participants ensure and guarantee that the transferring of personal data within the Sumsub Travel Rule Ecosystem as described in clause 12.1.1 is legal and adequate. Participants solely decide on the Sumsub Travel Rule Ecosystem and/or any personal data sharing and transfer activities in accordance with the applicable Travel Rule requirements. Participants agree that the personal data transferred following this paragraph will be defined and limited to the extent necessary and/or required by Data Protection Legislation by Participants at the time of transfer, and Participants agree to be fully responsible for any non-compliance and breach of applicable Data Protection Legislation related to and affecting Sumsub’s data processing activities.
2. 12.1.4.The Participants agree with the data processing details under the Sumsub Travel Rule Solution provided in Annex IV.
3. 12.1.5.Participants shall be considered and act as independent controllers as per the Data Protection Legislation unless there is a joint controller relationship between them. Notwithstanding any legal obligations stemming from Data Protection Legislation Participants agree to comply with the following responsibilities, namely:
   
   (a) after entering into this Agreement, Participants join the Sumsub Travel Rule Ecosystem. After accession to the Sumsub Travel Rule Ecosystem, each Participant shall appoint a representative acting as a person in charge of all matters related to the interaction of the Participant and Sumsub in respect of the Sumsub Travel Rule Ecosystem (“Authorised Person”). For the purpose of this Agreement, the Authorised Person is an individual proceeding with the VASP Due Diligence process and entering into this Agreement on behalf of the legal entity they represent (Participant) and empowered to do so. Participants may change their Authorised Persons from time to time, by notifying Sumsub in writing.
   
   (b) Any decision on the Sumsub Travel Rule Ecosystem is subject to the sole discretion of the Authorised Persons, who shall exercise authority independently from each other unless stated otherwise in this Agreement.
   
   (c) Taking into account the state-of-the-art technology, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Participant shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data under this Agreement in compliance with applicable Data Protection Legislation.
   
   (d) Any transfer of personal data made under this Agreement from Sumsub (the Data Exporter) subject to the EU GDPR and/or the UK GDPR to any Level 2 Participant (the Data Importer) located in a third country that does not ensure an adequate level of data protection within the meaning of the EU GDPR and/or the UK GDPR shall be undertaken through the EU Commission’s Standard Contractual Clauses (hereinafter – the SCCs) or the UK International Data Transfer Agreement (hereinafter – the IDTA) or the SCCs with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (hereinafter – the UK Addendum) set forth in Annex V to this Agreement as applicable. For any data transfers subject to the SCCs and/or the IDTA or the UK Addendum, the SCCs will be deemed entered into and completed as follows:
   
   
   1. (i) Module Four (Processor to Controller) of the EU Standard Contractual Clauses, with the modifications provided in Schedule 1 of Annex V, will apply where the Parties sign and execute this Agreement and when Sumsub (the Data Exporter) is transferring any Travel Rule information, including Personal Data, to the Level 2 Participant (Data Importer) based in a third-country outside of the EU member states
      
      (ii) The IDTA will apply with the modifications provided in Schedule 2 of Annex V.
      
      OR
      
      The UK Addendum together with the SCCs, as implemented under subparagraph (i) above, will apply with the modifications provided in Schedule 3 of Annex V.

1. 12.2.Data Processing rules for Ecosystem Participant’s data
2. 12.2.1.For the purposes of this Agreement, if the Participant passes VASP Due Diligence, any Participant shall be able to redistribute the results of the VASP Due Diligence previously rendered by Sumsub, including relevant personal data in the VASP Due Diligence Questionnaire (Deliverables) specified in Annex II hereto, in part or their entirety, to the receiving Participant, and Sumsub shall perform such redistribution based on the accession to this Agreement and subject to the following conditions:
3. (a) The Participants, as data controllers, shall procure that each data subject whose personal data is to be processed during the VASP Due Diligence process and shared under this Agreement are properly informed about such processing by respective means depending on the determined legal bases.
   
   (b) The receiving Participant guarantees that no Deliverables transferred to it under this Agreement shall be further redistributed to any third party without an appropriate legal basis for such data-sharing activities.
4. 12.2.2.For the purposes of the data protection legislation, Sumsub shall be considered the data Controller, when it maintains the Travel Rule Ecosystem and carries out due diligence of its Participants.
5. 12.2.3.For any data transfers subject to the SCCs or the IDTA or Addendum the SCCs will be deemed entered into and completed as follows:
6. (i) Module One (Controller to Controller) of the SCCs, with the modifications provided in Schedule 1 of Annex VI, will apply where the Parties sign and executes this Agreement and when Sumsub (the Data Exporter) is transferring any Travel Rule information, including Personal Data to Level 2 Participant (Data Importer) based in a third-country outside of the EU member states.
   
   (ii) The International Data Transfer Agreement will apply with the modifications provided in Schedule 2 of Annex VI.
   
   OR
   
   The UK Addendum together with the SCCs, as implemented under subparagraph (i) above, will apply with the modifications provided in Schedule 3 of Annex VI.
7. 12.2.4.Upon the termination of this Agreement, Sumsub will retain the VASP Due Diligence information, including the personal data, if any, for five years from the moment of the termination for the purpose of Travel Rule Solution delivery to its customers.
8. 12.3.Participants confirm that the data subjects whose personal data is to be processed in connection with this Agreement will be notified about processing of their personal data using the Sumsub’s Privacy Notice as referenced in clause 4.1 above for data processing activities in which Sumsub acts as a data controller.

13. Representations and Warranties

1. 13.1.The Participant warrants, represents and covenants that: (a) it is duly incorporated, organized, and validly existing under the applicable law; (b) it has good and sufficient capacity, power, authority and right to enter into, execute and deliver this Agreement, to complete the transactions contemplated hereby and to duly observe and perform the covenants and obligations contained herein; and (c) all necessary corporate action has been taken by it to authorize and approve the execution and delivery of this Agreement, the completion of the transactions contemplated hereby and the observance and performance of the covenants and obligations contained herein.
2. 13.2.The Participant warrants, represents and covenants that it will not: (a) use the Sumsub Travel Rule Ecosystem or Sumsub Travel Rule Solution to discriminate against any third party or in a manner that causes damage or injury to any person or property or is otherwise incompatible with the applicable laws and regulation; (b) use the Sumsub Travel Rule Ecosystem or Sumsub Travel Rule Solution in a manner that could be reasonably expected to bring Sumsub into disrepute or otherwise harm its reputation; or (c) act or omit to act in a way which interferes with or compromises the integrity or security of the Sumsub Travel Rule Ecosystem or Sumsub Travel Rule Solution.
3. 13.3.NO WARRANTY. No conditions, warranties or other terms apply to the Sumsub Travel Rule Ecosystem or Sumsub Travel Rule Solution other than the conditions, warranties and terms expressly set forth herein. Sumsub hereby disclaims any implied warranties, whether arising under law, through the course of dealing, or otherwise (including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description). In addition, Sumsub does not warrant or enter into any other term to the effect that any technology provided in connection with this Agreement will be entirely free from defects or that its operation will be entirely error-free.

14. Term and Termination

1. 14.1.The Agreement remains in force between Sumsub and the Participant from the Effective Date and until terminated by either Party.
2. 14.2.Either Party may terminate this Agreement at any time for convenience by giving the other Party at least 30 calendar days prior written notice.
   
   For clarity, termination of the Agreement automatically leads to the Participant’s exclusion from the Sumsub Travel Rule Ecosystem. Other Participants will be notified of the Participant’s withdrawal from the Sumsub Travel Rule Ecosystem by a special status in the VASP Directory.
3. 14.3.Without prejudice to any rights that have accrued under this Agreement, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:
   
   a) the other Party is in breach of this Agreement (including any warranties) where the breach is incapable of remedy; or
   
   b) the other Party is in breach of this Agreement (including any warranties) where the breach is capable of remedy and fails to remedy that breach within fourteen (14) days after receiving written notice of such breach;
   
   c) the other Party is in violation of any applicable law or legal regulation; or
   
   d) the other Party enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on business; or any analogous event happens to the other Party in any jurisdiction in which it is incorporated or resident or in which it carries on business or has assets.
4. 14.4.The Participant acknowledges that, once this Agreement is terminated, Sumsub will continue to store its VASP Due Diligence Questionnaire as specified in clause 12.2.4 of this Agreement.
   
5. 14.5.Sumsub reserves the right to temporarily suspend the Participant’s involvement in the Sumsub Travel Rule Ecosystem and/or terminate this Agreement with immediate effect at its own discretion where it knows or reasonably suspects that:
   
   a) the Participant is in breach of any applicable laws and regulations or is subject to any local or international sanctions (including any sanctions administered or enforced by the U.S. government or the U.S. Department of State, the United Nations Security Council, the European Union, Her Majesty’s Treasury or other relevant sanctions authority) or restrictions;
   
   b) the Participant infringes the intellectual property rights of Sumsub or its Partners, or other Participants;
   
   c) the Participant’s activity may, in the opinion of Sumsub, be detrimental to the interests or business reputation of Sumsub, its Partners or other Participants.

15. Changes to Agreement

1. 15.1.Sumsub is entitled to modify and otherwise make changes unilaterally to the Agreement from time to time without any prior notice. Sumsub shall use reasonable endeavors to notify Participants of such changes. The Participant is solely responsible for ensuring it has read, acknowledged, and agreed to the updated version of this Agreement.
2. 15.2.In case the Participant does not agree to be bound by the amendments to this Agreement as described in clause 15.1, it is entitled to terminate the Agreement with immediate effect. Continued use of the Sumsub Travel Rule Ecosystem or the fact the Participant has not objected to the amendments to this Agreement within 7 calendar days after they became effective shall be considered as acceptance of such amendments.

16. General

1. 16.1.Neither Party shall be liable for any delay or non-performance of its obligations under this Agreement to the extent that such delay or non-performance is a result of any condition beyond its reasonable control, including but not limited to governmental action, pandemic, acts of terrorism, earthquake, fire, flood or other similar events, labour conditions, power failures, and Internet disturbances.
2. 16.2.All notices must be in English, in writing and sent to the receiving Party's current postal address, email address, via Dashboard or other means mutually agreed upon by the Parties. All notices shall be deemed to have been given on receipt as verified by written or automated receipt or electronic log (as applicable).
3. 16.3.Failure or delay in exercising any right or remedy under this Agreement shall not constitute a waiver of such (or any other) right or remedy.
4. 16.4.If any provision of this Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of this Agreement; and (a) the Parties shall immediately commence good faith negotiations to remedy such invalidity; and (b) the validity and enforceability of the other provisions of this Agreement as applicable shall not be affected.
5. 16.5.Each Party acknowledges that in entering into this Agreement it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other Party in relation to the subject matter of this Agreement other than those which are set out herein (or those which the Agreement explicitly refer to).
6. 16.6.Except as expressly stated otherwise, nothing in this Agreement shall create or confer any rights or other benefits in favour of any person other than the Parties. Except as expressly stated otherwise, nothing in this Agreement shall create an agency, partnership or joint venture of any kind between the Parties. Except as expressly stated otherwise, neither Party shall have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.
7. 16.7.Neither Party may assign any of its rights or obligations under this Agreement without the prior written consent of the other, such consent not to be unreasonably withheld, save that either Party can assign to an acquirer of all or substantially all of the assets of a Party without the consent of the other. If permitted under the applicable laws and regulations, Sumsub may assign its rights and/or obligations to one of its affiliates (meaning entities controlled by, controlling, or under common control with Sumsub) without the Participant’s consent.
8. 16.8.Unless otherwise specified in this Agreement, the Participant is only permitted to make public announcements and/or publish written materials concerning Sumsub and/or the existence and nature of the business relationship between the Parties if Sumsub has given its prior written consent to the content of such an announcement or the text of such written material, except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
9. 16.9.The Parties shall: (i) comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption; and (ii) promptly report to the other Party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of this Agreement.
10. 16.10.Applicable law and dispute resolution:

16.10.1) where “Sumsub” means SUM AND SUBSTANCE LTD or SUMSUB TECH LTD, as well in any other cases not covered by this clause 16.10:

This Agreement and all disputes and claims arising from or in connection with it are governed by English law. All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by arbitration administered by the International Court of Arbitration of the International Chamber of Commerce in accordance with the Rules of Arbitration of the International Chamber of Commerce. The parties agree, pursuant to Article 30(2)(b) of the Rules of Arbitration of the International Chamber of Commerce, that the Expedited Procedure Rules shall apply irrespective of the amount in dispute. The number of arbitrators shall be one. The law governing this arbitration clause shall be English law. The seat of the arbitration shall be London, England. The language of the arbitration shall be English. No award or procedural order made in the arbitration shall be published. The Parties shall at all times treat all matters relating to the proceedings and any arbitral award as confidential;

16.10.2) where “Sumsub” means SUMSUB TECHNOLOGY LLC:

This Agreement and all disputes and claims arising out of or in connection with it are governed by English law. All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by an arbitration administered by the Singapore International Arbitration Centre (“SIAC”) under the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference into this clause The Parties agree, pursuant to Rule 5.1(b) of the SIAC Rules, that the Expedited Procedure shall apply The number of arbitrators shall be one. The law governing this arbitration clause shall be English law. The seat of the arbitration shall be Singapore. The language of the arbitration shall be English. In respect of any court proceedings in Singapore commenced under the International Arbitration Act 1994 in relation to the arbitration, the parties agree (a) to commence such proceedings before the Singapore International Commercial Court (“the SICC”); and (b) in any event, that such proceedings shall be heard and adjudicated by the SICC.

16.10.3) where “Sumsub” means Sumsub Inc:

This Agreement and all disputes and claims arising out of or in connection with it are governed by the laws of the State of New York. With the sole exception of any application for injunctive relief, the Parties irrevocably agree that the courts of the State of New York have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Agreement (including their subject matter or formation). The Parties agree that the prevailing Party shall be entitled to recover, on a full indemnity basis, from the other Party the costs and disbursements it incurs in the proceedings, including any attorney’s fees.

16.10.4) where “Sumsub” means Sumsub APAC Pte. Ltd.:

This Agreement and all disputes and claims arising out of or in connection with it are governed by the laws of Singapore. All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (“SIAC”) under the Arbitration Rules of the Singapore International Arbitration Centre (“SIAC Rules”) for the time being in force, which rules are deemed to be incorporated by reference into this clause. The Parties agree, pursuant to Rule 5.1(b) of the SIAC Rules, that the Expedited Procedure shall apply. The number of arbitrators shall be one. The law governing this arbitration clause shall be Singapore law. The seat of the arbitration shall be Singapore. The language of the arbitration shall be English. In respect of any court proceedings in Singapore commenced under the International Arbitration Act 1994 in relation to the arbitration, the parties agree (a) to commence such proceedings before the Singapore International Commercial Court (“the SICC”); and (b) in any event, that such proceedings shall be heard and adjudicated by the SICC.

ANNEX I. VASP Registration Form

• 1. Full legal name

• 2. Full legal (registered) address

• 3. Date of incorporation / establishment

• 4. Incorporation number

• 5. Company email

• 6. Website

• 7. Please provide the information about your licence/registration with regulatory authority (if any) and link to the register (if any)

• 8. What protocols or technical solution(s)/ travel rule providers do you support for sharing Travel Rule information?

ANNEX II .Template of the VASP Due Diligence Questionnaire

• Section A. VASP details

• 1. Full legal name

• 2. Full legal (registered) address

• 3. Full primary business address (if different from the registered address above)

• 4. Date of incorporation / establishment

• 5. Incorporation number

• 6. Website

• 7. Legal representative of the entity (e.g., CEO, Director, etc)

  - full name
  - DOB
  - email

• Please attach the following documents

• Certificate of incorporation or registration

• Certificate of incumbency (issued within the last 6 months) or power of attorney

• Ownership chart signed by the legal representative of the entity.

• Section B. Business activity

• 8. Trade name if applicable

• 9. VASP name

• 10. Type of legal entity
  Please select legal entity type:

  - Privately Owned
  - Publicly Listed (Please provide a link to stock exchange)
  - Partnership
  - Foundation
  - Association
  - Not-for-Profit / Non-Profit
  - Trust
  - Member Owned / Mutual
  - Government or State Owned by 25% or more
  - Sole proprietorships
  - Natural Person
  - Other (If Other, please state the ownership / entity type)

• 11. Type of organisation:

  - Centralised
  - Decentralised

• 12. Is your company part of a group of companies?
  
  A corporate group, company group or business group, also known as a group of companies, is a collection of parent, associated, intermediate and subsidiary companies that function as a single economic entity through a common source of control.

  - Yes (If yes, please specify which companies are part of the group (Including information about their register numbers, jurisdictions) and the role (which activity it provides) of each company in the group))
  
  - No

• 13. Business activity of the entity.
  Please select the applicable activity for your entity:

  - exchange between virtual assets and fiat currencies;
  - exchange between one or more forms of virtual assets;
  - transfer of virtual assets;
  - safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  - participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset;
  
  - Other (If you choose this option, please state your activity);

• 14. Services provided
  Please specify which service is provided by your entity:

  - Intermediary VASP
  - P2P exchange
  - DeFI services;
  - NFT services;
  - Omnibus or co-mingled custodial wallets
  - OTC trading
  - Investment Funds
  - Crypto ATMs
  - Virtual asset exchange involving privacy-preserving Virtual Assets
  - Virtual asset deposits or withdrawals to / from a bank account not verified as under the customer's control
  - Virtual asset deposits or withdrawals to / from a wallet not verified as under the customer's control
  - Virtual asset issuance, fund raising, or collection of funds for Initial Coin Offerings (ICO) / Initial Exchange Offerings (IEO) / Security Token Offerings (STO) / Private Token Sales;
  - None of the above-mentioned
  - Other (If you choose this option, please state your services);

• Section C. Regulatory details

• 15. Name of the entity’s primary financial regulator / supervisory authority

• 16. Regulatory status

  
  - No license / registration required
  - Registered (If you choose this option, please answer question 17-20)
  - Temporary license exemption (If you choose this option, please answer question 17-20)
  - License application in progress (If you choose this option, please answer question 17-20)
  - Licensed (If you choose this option, please answer question 17-20)

• 17. List of jurisdictions where the entity has been (will be) granted licenses or other approvals or have (will be) registered as required to operate (with registration numbers), and the name of the regulator / supervisory authority

• 18. Is the entity permitted to send and/or receive transfers of virtual assets in the jurisdictions in which it operates?

  - Yes
  - No

• 19. Please attach a Copy of the License/registration (if applicable)

• 20. Please attach the link to the register confirming the granting of license or the link to the regulatory register confirming regulatory approval for operating (if applicable)

• Section D. Travel rule compliance and technical information

• 21. Is the entity required to comply with the application of the Travel Rule standards (FATF Recommendation 16) in the jurisdiction(s) where it is licensed / approved / registered?

  - Required (If you choose this option, please answer questions 22-31)
  - Not required (If you choose this option, we kindly ask you to describe the purpose for which you will use our Travel rule solution.)
  - Not required but our company implemented the Travel Rule standards (If you choose this option, please answer questions 22-31)

• 22. Please specify the regulation(s) you rely on/will apply to you.

• 23. What is the minimum threshold above which the entity collects/sends Travel Rule information?

• 24. Which of the following processes your entity carries out within the Travel Rule:

  - sanctions screening
  - transactions monitoring

• 25. Does the entity conduct counterparty VASP Due Diligence prior to the sharing of originator and / or beneficiary details to a transaction?

  - Yes
  - No (If you choose this option, please specify the reason)

• 26. Does the entity have processes and controls to prevent customer access to deposits and withdrawals prior to name and wallet screening processes completing

  - Yes
  - No

• 27. Does the entity have procedures to allow for the return of inbound payments?

  - Yes
  - No

• 28. What protocols and technical solution(s) does the entity support for sharing Travel Rule information?

• 29. Is the entity a member of any Travel Rule Alliances, ecosystems, directories, or networks?

  - Yes (If you choose this option, please specify details )
  - No

• 30. The technical details (IDs, endpoints, URLs, etc.) required to send Travel Rule information to the entity for each solution the entity supports

• 31. Name, email and phone number of travel rule contact

• Section E. AML/CFT & Sanctions Compliance

• 32. Does the entity have documented policies and procedures to prevent money laundering, financing of terrorism, violation of sanctions regulation, and fraud?

  - Yes (If you choose this option, please answer question 33-58)
  - No (If you choose this option, we kindly ask you to clarify why your company doesn’t need AML policies and procedures.)

• 33. Please upload relevant documents.

• 34. Does the entity have appointed a Compliance Officer and/or MLRO?

  - Yes
  - No

• 35. Does the entity have implemented a Risk-Based Approach?

  - Yes
  - No

• 36. Does the entity permit the opening and keeping of anonymous accounts or accounts in obviously fictitious names?

  - Yes
  - No

• 37. Does the entity establish business relationships with the following persons in accordance with CDD*:
  
  * You can choose both options.

  - Natural persons
  - Legal entities (If you choose this option, please answer question 38)

• 38. Are Ultimate Beneficial Owners (UBOs) verified?

  - Yes (If you choose this option, please answer question 39)
  - No

• 39. What is the entity’s minimum (lowest) threshold percentage applied to beneficial ownership identification for CDD?

• 40. Are the majority of the entity's customer relationships Face-to-Face or Non-Face-to-Face?

  - Face-to-Face
  - Non Face-to-Face

• 41. Does the entity keep the data up to date and have implemented processes for ongoing monitoring?

  - Yes
  - No

• 42. Does the entity have implemented processes for customer risk assessment?

  - Yes
  - No

• 43. Does the entity have implemented processes for EDD?

  - Yes
  - No

• 44. Does the entity have implemented processes for SDD?

  - Yes
  - No

• 45. Does the entity screen its customers, including beneficial ownership information collected by the entity, during onboarding and after that regularly verify against Sanctions Lists?

  - Yes (If you choose this option, please specify the frequency.)
  - No

• 46. Does the entity have offshore customers domiciled in countries/regions against which UN, OFAC, OFSI, EU and G7 member countries have enacted comprehensive jurisdiction-based sanctions?

  - Yes
  - No

• 47. Does the entity screen its customers and connected parties to determine whether they are PEPs, or controlled by PEPs/family members of PEPs?

  - Yes
  - No

• 48. Does the entity incorporate negative news (Adverse media) searches as part of its customer verification process?

  - Yes
  - No

• 49. Does the entity have implemented ongoing monitoring for AML screening?

  - Yes
  - No

• 50. Does the entity have risk based policies, procedures and monitoring processes for the identification and report of suspicious activity/suspicious transactions?

  - Yes
  - No

• 51. Does the entity use a blockchain analysis tool for monitoring transactions?

  - Yes (If you choose this option, please specify which blockchain analytic tool/provider your company uses.)
  - No

• 52. Does the entity outsource any components of its AML, CFT & Sanctions compliance measures?

  - Yes (If you choose this option, please answer question 53 and 54)
  - No (If you choose this option, please answer question 55)

• 53. Please specify which processes:

  - KYC
  - Sanctions screening;
  - Transactions monitoring;
  - Other (If you choose this option, please specify processes)

• 54. Please specify the name of vendor (s).

• 55. Please specify which means do you use:

  - Manual check
  - Automated check
  - Other (If you choose this option, please please specify them)

• 56. Does the entity have implemented processes for records keeping?

  - Yes
  - No

• 57. Does the entity perform AML/CFT training programme, covering all relevant categories of employees?

  - Yes
  - No

• 58. Does the entity have an internal audit function or independent third party, or both, that assess AML/CFT and Sanctions policies and practices on a regular basis?

  - Yes
  - No

• Section F. Data Protection & Security Compliance

• 59. Does the entity have appointed a data protection officer?

  - Yes (If you choose this option, provide the full name and contact details of the Data Protection Officer.)
  - No

• 60. Has the entity been certified for compliance with applicable data protection regulations?

  - Yes (If you choose this option, please provide relevant certificate(s))
  - No

• Please attach the Privacy Notice

• 61. Does the entity have appointed an information security officer?

  - Yes
  - No

• 62. Has the entity been certified for information protection standards such as ISO 27001, SOC 2, Etc.?

  - Yes (If you choose this option, please attach the relevant security certificates)
  - No

• 63. Does the entity have an information Security Policy or other equivalent document in place?

  - Yes
  - No

• 64. Please indicate which of the following measures has your entity implemented?

  - 2-FA or MFA
  - Passwords management
  - Data encryption
  - Firewalls
  - Access control measures
  - Data backup
  - Disaster recovery
  - Data protection and information security trainings for employees
  - Physical access control measures
  - Other (If you choose this option, please specify measures)

• Please attach the document describing technical and organisational measures in relation to the PII protection

• Section G. Information regarding person providing information

• Full name

• Title

• Contact details

  email
  phone number

• Power of Attorney (optional)

• Please submit a Power of Attorney to confirm that you are authorized to complete the questionnaire and bind the company by the Sumsub Travel Rule Ecosystem Agreement.

Please be informed that the list of information and documents is not exhaustive. Sumsub may request additional documents if it deems it necessary (e.g., due to the inability to verify some information, or the existence of doubts about the information provided).

ANNEX III. Participants’ website page template

• Headline (60)

  The solution to Travel Rule compliance

• Description (90)

  Integrate the Travel Rule with one full-cycle solution for seamless compliance.

• Headline

  What is the Virtual Assets (Crypto) Travel Rule?

• Description

  • The Travel Rule is a key AML/CFT measure mandating that virtual asset service providers (VASPs) obtain, hold, and transfer information about the originators and beneficiaries of virtual asset transfers to their counterparties
  • Details required include, among other things, names, addresses, and wallet addresses, ensuring transparency and accountability within transactions
  • VASPs act as crucial gatekeepers, playing a pivotal role in upholding regulatory measures and the integrity of the cryptocurrency ecosystem
  
  More information on the Travel Rule is available here.

• Headline

  Who needs to comply?

• Description

  VASPs and other obligated entities engaged in virtual asset transfers.
  
  If you have any questions, our experts are here to support you. Contact our dedicated team here.

• Headline

  How does {Customer_name} comply?

• Description

  {Client_name} strategically partnered with Sumsub to uphold regulatory compliance, addressing specific Travel Rule regulations. This partnership empowers us to navigate complex requirements while ensuring adherence to stringent industry standards.

• Headline

  What is Sumsub?

• Description

  Sumsub is a full-cycle verification platform integrating KYC, Fraud Prevention, AML, Crypto Transaction Monitoring, and Travel Rule compliance, that streamlines user verification and monitoring processes.
  
  Simplify compliance with one platform
  
  Improve your compliance journey with a single platform for your verification needs, including Travel Rule compliance, without using costly multiple vendors.
  
  Connect with a wide VASP network
  
  Access the largest VASP network with a protocol-agnostic architecture, bolstered by seamless third-party integrations, ensuring comprehensive coverage for compliant transactions.
  
  Get maximum value from the complete suite
  
  Upgrade your compliance strategy with a holistic solution that incorporates all essential tools, from integrated AML checks to an advanced rules engine. It encompasses all assets and blockchains, including unhosted wallet verification.
  
  Learn more ➡️

• Headline

  Exchange transactions with us for free

• Description

  Get in touch with Sumsub to start exchanging transactions with us today.
  
  • All major Travel Rule protocols supported
  • Exchange information with 600+ Sumsub crypto clients
  • Data protection assured
  
  Get started ➡️

• Headline

  Start using Sumsub

• Description

  Experience the revolutionary benefits of Sumsub's Travel Rule solution.
  
  Register here ➡️

The message above is provided for general information purposes only; nothing in it shall not be interpreted as a warranty, guarantee, or representation of any kind.

ANNEX IV. Data Processing Details

Data Processing/Sharing Instruction

The Customer's Purpose of Processing: Travel Rule compliance

Business Purpose: Execution of this Agreement

Nature of Processing:

For Annex V

• AML and sanctions screening against the Beneficiary's and Originator's data,
• data cross-check of relevant Travel Rule requirements, and
• transfer to/ receiving from another Participant of this data via messaging protocols to ensure Travel Rule regulations compliance

For Annex VI

• performance of VASP Due Diligence, and
• the data redistribution between the Participants based on the accession to this Agreement

Duration of Processing: Term of this Agreement, unless otherwise specified and/or applicable

Data subjects categories:

For Annex V

the Participant's customers (Individuals)

For Annex VI

the personal data of Participants’ representatives or employees as specified in Annex I hereto

Categories of data for Processing:

For Annex V

The Personal Data processing is based on the Travel Rule Solution service, which may include, but are not limited to the categories of Personal Data specified below.

• For Crypto Travel Rule Solution: Full name of the sender and the recipient, the physical (geographical) address of the sender, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth, recipient account number (e.g., wallet address); the legal name of counterparty VASP. Additional data processed for Wallet Address Book: wallet address hash, wallet address (optional), asset, chain, created date, updated date, VASP ID owner (optional), source type, source provider (optional), client ID (optional)

For Annex VI

Personal data categories as specified in Annex II hereto

Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Participant’s purpose(s) and Business purpose.

Subject matter, nature and duration of the processing by (sub-) processor: The subject matter, nature and duration of the processing is indicated and specified in the relevant privacy clauses hereto and/or Data Processing Agreement, if any, with the subprocessor that Sumsub engages for Business purpose. More details are to be provided upon written request.

Technical and Organisational Measures: – the list of implemented security and privacy standards by Sumsub can be found here. The further information may be clarified with a manager.

ANNEX V. International Data Transfer Mechanism pursuant to Article 12.1. of this Agreement

Schedule 1. The Standard Contractual Clauses: Module Four

EU STANDARD CONTRACTUAL CLAUSES (SCCs)

(Processor - Controller)

Sumsub (Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Sumsub, and the Data Importer is Level 2 Participant. Accordingly, Module Four of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

• Clause 13(a) (supervision)

  The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

• Clause 17 (governing law)

  The OPTION 1 will apply: the law of Ireland

• Clause 18(b) (forum)

  England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

• List of Parties (Annex I):

  As specified in this Agreement

• Description of Transfer (Annex I):

  As specified in Annex IV to this Agreement

• List of Sub-Processors (Annex III):

  To be requested with a manager

• Technical and Organisational Measures (Annex II):

  As specified in Annex IV to this Agreement

Schedule 2. The UK IDTA

In relation to transfers of Personal Data protected by the UK GDPR, Sumsub (the Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:

1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.

2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is complete as follows:

• UK country’s law that governs the IDTA

  England and Wales
  Northern Ireland
  Scotland

• Primary place for legal claims to be made by the Parties

  England and Wales
  Northern Ireland
  Scotland

• The status of the Exporter

  In relation to the Processing of the Transferred Data:
  
  Exporter is Processor OR Controller

• The status of the Importer

  In relation to the Processing of the Transferred Data:
  
  Importer is the Controller.

• Whether UK GDPR applies to the Importer

  UK GDPR applies to the Importer’s Processing of the Transferred Data

• Linked Agreement

  This Agreeement

• Term

  The Importer may Process the Transferred Data for the following time period:
  
  the period for which the Linked Agreement is in force
  time period:
  (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

• Ending the IDTA before the end of the Term

  the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
  the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

• Ending the IDTA when the Approved IDTA changes

  Which Parties may end the IDTA as set out in Section 29.2:
  
  Importer
  Exporter
  neither Party
  

• Can the Importer make further transfers of the Transferred Data?

  The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
  The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

• Specific restrictions when the Importer may transfer on the Transferred Data

  The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
  
  if the Exporter tells it in writing that it may do so.
  to
  to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
  there are no specific restrictions.

• Review Dates

  The Parties must review the Security Requirements at least once:
  each month(s)
  each quarter
  each 6 months
  each year
  each year(s)
  each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is complete as follows:

• Transferred Data

  The personal data to be sent to the Importer under this IDTA consists of:
  
  The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

• Special Categories of Personal Data and criminal convictions and offences

  The Transferred Data includes data relating to:
  
  racial or ethnic origin
  political opinions
  religious or philosophical beliefs
  trade union membership
  genetic data
  biometric data for the purpose of uniquely identifying a natural person
  physical or mental health
  sex life or sexual orientation
  criminal convictions and offences
  none of the above
  set out in:
  And:
  The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3
  

• Relevant Data Subjects

  The Data Subjects of the Transferred Data are:
  
  The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

• Purpose

  The Importer may Process the Transferred Data for the following purposes:
  
  The Importer may Process the Transferred Data for the purposes set out in:
  
  In both cases, any other purposes which are compatible with the purposes set out above.
  The purposes will update automatically if the information is updated in the Linked Agreement referred to.
  The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is complete as follows:

• Security of Transmission

  As specified in Annex IV to this Agreement

• Security of Storage

  As specified in Annex IV to this Agreement

• Security of Processing

  As specified in Annex IV to this Agreement

• Organisational security measures

  As specified in Annex IV to this Agreement

• Technical security minimum requirements

  As specified in Annex IV to this Agreement

• Updates to the Security Requirements

  The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
  The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is complete as follows:

• Extra Protection Clauses:

• (i) Extra technical security protections

  As specified in Annex IV to this Agreement

• (ii) Extra organisational protections

  As specified in Annex IV to this Agreement

• (iii) Extra contractual protections

  As specified in Annex IV to this Agreement

PART 3. COMMERCIAL CLAUSES

• Commercial Clauses

  This Agreement

Schedule 3. The UK

IDTA ADDENDUM (Addendum)

In relation to transfers of Personal Data protected by the UK GDPR, Sumsub (Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.

The SCCs, as implemented under the Schedule 1 will apply with the following modifications:

i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and

ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1-3 above (as applicable).

PART 1. TABLE

• Table 1. Parties

• Commencement date:

  When the restricted transfer is to be conducted

• The Parties' details:

  Exporter: Sumsub
  
  Importer: Level 2 Participant

• Key Contact:

  as specified in this Agreement

• Table 2. Selected SCCs, Modules and Selected Clauses

• Addendum EU SCCs:

  The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information

• Table 3. Appendix Information

• ANNEX IA: List of Parties

  As specified in Table 1 hereto

• ANNEX IB: Description of Transfer

  As specified in Annex IV to this Agreement

• ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

  As specified in Annex IV to this Agreement

• ANNEX III: List of Subprocessors (if applicable):

  To be requsted with a manager

• Table 4. Appendix Information

• Ending this Addendum when the Approved Addendum changes

  Neither Party

ANNEX VI. International Data Transfer Mechanism pursuant to Article 12.2. of this Agreement

Schedule 1. The Standard Contractual Clauses: Module One

Sumsub (Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Sumsub, and the Data Importer is Level 2 Participant. Accordingly, Module One of the SCCs applies.

2. Applicable options. The following optional clauses of Module One apply as follows:

• Clause 13(a) (supervision)

  The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

• Clause 17 (governing law)

  The OPTION 1 will apply: the law of Ireland

• Clause 18(b) (forum)

  England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

• List of Parties (Annex I):

  As specified in this Agreement

• Description of Transfer (Annex I):

  As specified in Annex IV to this Agreement

Schedule 2. The UK IDTA

In relation to transfers of Personal Data protected by the UK GDPR, Sumsub (Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:

1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.

2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is complete as follows:

• UK country’s law that governs the IDTA

  England and Wales
  Northern Ireland
  Scotland

• Primary place for legal claims to be made by the Parties

  England and Wales
  Northern Ireland
  Scotland

• The status of the Exporter

  In relation to the Processing of the Transferred Data:
  
  Exporter is Controller

• The status of the Importer

  In relation to the Processing of the Transferred Data:
  
  Importer is Controller

• Whether UK GDPR applies to the Importer

  UK GDPR applies to the Importer’s Processing of the Transferred Data OR does not apply to the Importer’s Processing of the Transferred Data

• Linked Agreement

  This Agreeement

• Term

  The Importer may Process the Transferred Data for the following time period:
  
  the period for which the Linked Agreement is in force
  time period:
  (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

• Ending the IDTA before the end of the Term

  the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
  the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

• Ending the IDTA when the Approved IDTA changes

  Which Parties may end the IDTA as set out in Section 29.2:
  
  Importer
  Exporter
  neither Party
  

• Can the Importer make further transfers of the Transferred Data?

  The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
  The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

• Specific restrictions when the Importer may transfer on the Transferred Data

  The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
  
  if the Exporter tells it in writing that it may do so.
  to
  to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
  there are no specific restrictions.

• Review Dates

  The Parties must review the Security Requirements at least once:
  each month(s)
  each quarter
  each 6 months
  each year
  each year(s)
  each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is complete as follows:

• Transferred Data

  The personal data to be sent to the Importer under this IDTA consists of:
  
  The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

• Special Categories of Personal Data and criminal convictions and offences

  The Transferred Data includes data relating to:
  
  racial or ethnic origin
  political opinions
  religious or philosophical beliefs
  trade union membership
  genetic data
  biometric data for the purpose of uniquely identifying a natural person
  physical or mental health
  sex life or sexual orientation
  criminal convictions and offences
  none of the above
  set out in:
  And:
  The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3
  

• Relevant Data Subjects

  The Data Subjects of the Transferred Data are:
  
  The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
  The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

• Purpose

  The Importer may Process the Transferred Data for the following purposes:
  
  The Importer may Process the Transferred Data for the purposes set out in:
  
  In both cases, any other purposes which are compatible with the purposes set out above.
  The purposes will update automatically if the information is updated in the Linked Agreement referred to.
  The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is complete as follows:

• Security of Transmission

  As specified in Annex IV to this Agreement

• Security of Storage

  As specified in Annex IV to this Agreement

• Security of Processing

  As specified in Annex IV to this Agreement

• Organisational security measures

  As specified in Annex IV to this Agreement

• Technical security minimum requirements

  As specified in Annex IV to this Agreement

• Updates to the Security Requirements

  The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
  The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is complete as follows:

• Extra Protection Clauses:

• (i) Extra technical security protections

  As specified in Annex IV to this Agreement

• (ii) Extra organisational protections

  As specified in Annex IV to this Agreement

• (iii) Extra contractual protections

  As specified in Annex IV to this Agreement

6. Part 2 ‘Commercial Clauses’ from the ‘Tables’ section is complete as follows:

• Commercial Clauses

  This Agreement

Schedule 3. The UK IDTA Addendum

IDTA ADDENDUM (Addendum)

In relation to transfers of Personal Data protected by the UK GDPR, Sumsub (Data Exporter) and Level 2 Participant (Data Importer) hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.

The SCCs, as implemented under the Schedule 1 will apply with the following modifications:

i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and

ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1 above.

PART 1. TABLE

• Table 1. Parties

• Commencement date:

  When the restricted transfer is to be conducted

• The Parties' details:

  Exporter: Sumsub
  
  Importer: Level 2 Participant

• Key Contact:

  as specified in this Agreement

• Table 2. Selected SCCs, Modules and Selected Clauses

• Addendum EU SCCs:

  The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information

• Table 3. Appendix Information

• ANNEX IA: List of Parties

  As specified in Table 1 hereto

• ANNEX IB: Description of Transfer

  As specified in Annex IV to this Agreement

• ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

  As specified in Annex IV to this Agreement

• ANNEX III: List of Subprocessors (if applicable):

  To be requested with a manager

• Table 4. Appendix Information

• Ending this Addendum when the Approved Addendum changes

  Neither Party