Sumsub Travel Rule Ecosystem Agreement

Version 6

Last updated: 29 January, 2024

This Sumsub Travel Rule Ecosystem Agreement (hereinafter – the “Agreement”) shall govern the conditions for Virtual Asset Service Providers (VASPs) and other entities (hereinafter referred to as "Participants") joining the Sumsub Travel Rule Ecosystem (as defined below) and the terms of the Parties’ subsequent cooperation in relation thereto.

For the purposes of this Agreement, Sumsub and the Participant entering into the Agreement are hereinafter collectively referred to as the “Parties” and individually as a “Party”.

1. Types of Participants

  1.1. The following entities can join the Sumsub Travel Rule Ecosystem by the means specified in Section 2 of this Agreement and become Participants:

    • Level 1 Participants. This type includes Clients that, at the time of joining the Sumsub Travel Rule Ecosystem, acquire the Sumsub Travel Rule Solution under the respective Service Provider Agreement (hereinafter - the “SPA”) or Sumsub Travel Rule Solution Agreement (hereinafter - the “TRA”).
    • Level 2 Participants. This type includes Clients’ counterparties that pass the VASP Due Diligence and accept this Agreement upon request of a Client but are not bound by any other direct agreement with Sumsub.
    • Level 3 Participants. This type includes entities that are members of Travel Rule alliances / networks of Sumsub’s Partners.

2. Acceptance of Agreement

  2.1. The Participant agrees to be bound by this Agreement starting from the date when:
    • it accepts this Agreement and initiates the VASP Due Diligence process via the Dashboard by marking the respective checkbox (applicable to Level 1, 2 and 3 Participants); or
    • it accepts the TRA as described therein (applicable to Level 1 Participants); or
    • it concludes an SPA that includes Sumsub Travel Rule Solution as a service, so long as the SPA contains a reference to this Agreement (applicable to Level 1 Participants).
  2.2. For Level 1 Participants, the terms of the respective SPA or TR Agreement shall apply to the relationship between the respective Participant and Sumsub under this Agreement insofar as the matter in question is not regulated hereunder. In case of a conflict or discrepancy between the SPA or TR Agreement and this Agreement, the latter shall prevail.
  2.3. Application of this Agreement to the Level 3 Participants is subject to the relevant Partnership agreement between Sumsub and corresponding Sumsub’s Partners, in whose ecosystem/alliance the Level 3 Participant is a member.

3. Definitions

The following terms and definitions are used in this Agreement:

Client – a legal entity acquiring services from Sumsub under the respective Service Provider Agreement or Partnership Agreement;

Confidential Information – information disclosed by (or on behalf of) a) Sumsub to any Participant; b) any Participant to Sumsub; c) any Participant to another Participant (with the disclosing party hereinafter referred to as the “Discloser” and the receiving Party as the “Recipient”) in connection with or in anticipation of this Agreement (including the content of this Agreement itself) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, can reasonably be assumed to be confidential. It does not include information (i) that the Recipient already knew, (ii) that becomes public through no fault of the Recipient, (iii) that was independently developed by the Recipient, (iv) that was authorized for disclosure by the Discloser or (v) that was lawfully given to the Recipient by a third party, so long as these circumstances can be proven by documentary evidence.

Dashboard – an interactive software tool ensuring management and processing of requests for VASP Due Diligence, Data Exchange Transactions, VA Transactions and facilitating the communication between Sumsub and the Participant in relation to this Agreement.

Data Protection Legislation – all applicable privacy and data protection laws, including the EU General Data Protection Regulation ((EU) 2016/679) (‘EU GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018; any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

Service Provider Agreement (SPA) – an agreement (with its annexes and appendices) concluded between Sumsub and its Client for the provision of Sumsub Travel Rule Solution and other related services.

Sumsub Travel Rule Solution Agreement (TRA) – a supplemental Agreement to the SPA, concluded between Sumsub and its Clients by accepting it in the Sumsub Dashboard by the Clients for the provision of Sumsub Travel Rule Solution and other related services.

Sumsub – either (i) SUM AND SUBSTANCE LTD incorporated and registered in England with company number 09688671 and registered office at 30 St. Mary Axe, London, England, EC3A 8BF (for Level 2 and Level 3 Participants); or (ii) for Level 1 Participants – the legal entity belonging to Sumsub Group that maintains the respective SPA or TR with the Participant.

Sumsub Travel Rule Ecosystem – a community of Participants bound by this Agreement, united to facilitate the sharing of data about VA Transactions among Participants and identification and verification of counterparty VASPs’ identities for the purposes of complying with the Travel Rule requirements. Members of the Sumsub Travel Rule Ecosystem can be referred to as Virtual Asset Service Providers (VASPs), financial institutions or non-regulated entities (as the respective national laws and regulations may specify) dealing in virtual asset transfers.

Sumsub Travel Rule Solution – a set of solutions and related services (as determined by the relevant SPA or TRA), designed to assist Clients in following the requirements of the Travel Rule by collecting, verifying and transferring to counterparty VASPs certain data pertaining to originators and beneficiaries of VASP-facilitated transactions.

Travel Rule – an AML/CFT measure mandating that VASPs obtain, hold and exchange information about the originators and beneficiaries of virtual asset transfers (as per paragraph 7(b) of FATF’s Interpretative Note to Recommendation 15).

Data Exchange Transaction – a transfer of data under the Travel Rule requirements.

VA Transaction – a transfer of virtual assets subject to the Travel Rule requirements.

VASP Due Diligence – the process of verifying the counterparty VASP before the originating VASP transmits the information required under the Travel Rule.

VASP Due Diligence Questionnaire – the questionnaire incorporated to Sumsub Dashboard, and as contained as an example in Annex I that the Participant is required to fill in for the purposes of identity verification under the request of its counterparty (i.e. Originating VASP).

VASP Due Diligence Report or Report – the report that Sumsub completes during VASP Due Diligence. The Report contains the results of the verification of all information provided by the Participant in the VASP Due Diligence Questionnaire.

Partner – independent Travel Rule solution providers that have their own messaging protocol and community of verified VASPs and maintain a Partnership Agreement with Sumsub to facilitate data transfer between participants of their community and the Sumsub Travel Rule Ecosystem.

Originator – originating VASP customer who sends a virtual asset transfer to the Beneficiary.

Beneficiary – beneficiary VASP customer who receives a virtual asset transfer from the Originator.

4. Content of Agreement

  4.1. The following documents shall be considered as integral parts of this Agreement:

    • the VASP Due Diligence Questionnaire (Annex I);
    • Data Processing Details. Data Processing Instruction (Annex II);
    • International Data Transfer Mechanism pursuant to Article 13.1. of this Agreement (Annex III);
    • International Data Transfer Mechanism pursuant to Article 13.2. of this Agreement (Annex IV);
    • Sumsub Privacy Notice (Service delivery) and Privacy Notice (website and mob app).

5. Types of Participants and Due Diligence process

  5.1. Level 1 Participants can join the Sumsub Travel Rule Ecosystem as either verified ("Due Diligence completed" status) or ("rejected" status). A “Due Diligence completed” status is assigned once the Report is completed regarding the Participant in question.

Participants that do not pass VASP Due Diligence acknowledge that, according to the FATF Recommendations and certain local AML regulations, a VASP needs to undertake counterparty due diligence before it transmits the Travel Rule information to its counterparty VASP. Therefore, most VASPs do not execute transactions to unverified counterparties.

  5.2. Level 2 Participants are always required to complete due diligence before joining the Travel Rule Ecosystem.
  5.3. The due diligence procedures that Level 3 Participants may undergo, when joining the respective alliance or network, shall be regarded as a substitution for the VASP Due Diligence carried out by Sumsub, subject to the Partner in question transferring the results of such procedures to Sumsub upon request.

The Participant acknowledges that the scope of due diligence carried out by any Partner may not match that of the VASP Due Diligence. If needed, Sumsub may attempt to request the missing information about a VASP for evaluation from the Partner or by other means; or the Participant can request such information from its counterparty directly.

Level 3 Participants can also complete VASP Due Diligence if they deem it necessary.

6. Participation Conditions

  6.1. By entering into this Agreement, the Participant agrees to the following:
  6.1.1. In relation to Due Diligence (if applicable)
  6.1.1.1. The Participant undertakes to provide Sumsub with complete, accurate, non-misleading information about itself, its internal processes and representatives, AML/CFT and data protection measures, in particular when filling out the VASP Due Diligence Questionnaire.
  6.1.1.2. The Participant also agrees that other Participants can request the VASP Due Diligence Questionnaire previously filled in by the Participant, as well as the VASP Due Diligence Report completed by Sumsub in respect of the Participant, for additional verification purposes. In such cases, Sumsub may share it with the requesting entity and notify the Participant in question regarding such a request and the execution status. If the Participant objects to the sharing of the VASP Due Diligence Questionnaire, it must notify Sumsub accordingly before completing the VASP Due Diligence Questionnaire or immediately thereafter, but in any case before receiving / sending any transactions via the Sumsub Travel Rule Solution.
  6.1.1.3. The Participant agrees that Sumsub carries out VASP Due Diligence in order to help other Participants to comply with the applicable regulatory requirements. Sumsub is not a company regulated for AML purposes, meaning that VASP Due Diligence cannot be considered as “reliance” in terms of AML/CFT regulation. Sumsub carries out VASP Due Diligence based on the FATF Guideline, Wolfsberg group and GDF Association recommendations. Notwithstanding the results of the VASP Due Diligence carried out by Sumsub, each Participant shall be solely responsible for its decisions regarding the execution of Data Exchange Transactions and VA Transactions with any other Participant. The Participant acknowledges that no warranties exist as to the accuracy, completeness or suitability for any particular purposes as regards the data obtained during the VASP Due Diligence.

If a Participant believes that it does not have enough information to decide on the execution of the transaction, it can contact the counterparty directly and request the missing information.

  6.1.2. In relation to Travel Rule Ecosystem
  6.1.2.1. The Participant agrees that, so long as it remains a participant of the Sumsub Travel Rule Ecosystem and 5 years after ending the participation in the Travel Rule Ecosystem, at least the following information about itself can be displayed to the other Participants in the Ecosystem:
    • legal name and trademarks;
    • website;
    • country of incorporation;
    • company number;
    • information about protocols and other technical features used for compliance with the Travel Rule;
    • regulatory status (e.g., licensed/registered; unlicensed/unregistered; has temporary exemption);
    • verification status (e.g., due diligence completed/rejected as a result of the VASP Due Diligence);
    • transaction actions (e.g., [VASP] sends transactions, [VASP] receives transactions, [VASP] not subject to the Travel Rule regulation);
    • email address, provided as a contact address for the issues related to the subject matter of this Agreement;
    • counterparty type risk score received from blockchain analytic tool.

The scope of the aforementioned information can differ depending on the verification status of the Participant (“due diligence completed” or “rejected”).

  6.1.2.2. The Participant also agrees that Sumsub may, on a confidential basis, display a list of the Sumsub Travel Rule Ecosystem members (without providing the identification information referred to in section 6.1.2.1) to a company that wishes to become a member of the Sumsub Travel Rule Ecosystem and/or subscribe to the Sumsub Travel Rule Solution.
  6.1.2.3. The Participant agrees that Sumsub may use the Participant’s trading name and logo (where applicable) in its marketing materials purported to promote Sumsub Travel Rule Solution. If the Participant objects to such use, it must notify Sumsub accordingly immediately after the acceptance of this Agreement.

7. Participation Benefits

  7.1. After joining the Sumsub Travel Rule Ecosystem, the Participant will be entitled to all or some of the following benefits, depending on their status as per section 4 above:

    7.1.1. Access to the information about the other Participants as specified in sections 4 and 5 above;
    7.1.2. Technical functionality allowing to conduct Data Exchange Transactions with the other Participants via the Dashboard and integrated messaging protocols;
    7.1.3. Access to materials and documentation, including any technical documentation, whitepapers, manuals, descriptions, instructions, legal research etc. designed to provide guidance regarding the operation, maintenance, and use of the Sumsub Travel Rule Solution and other related features;
    7.1.4. Special invitations to events, webinars, and other activities related to the crypto industry and related areas;
    7.1.5. Access to marketing materials and news in the field of compliance as may be available through email notifications and other channels. Sumsub can also share the relevant materials with the Participant by a direct link;
    7.1.6. Product testing opportunities may be available from time to time.
  7.2. Level 1 Participants are entitled to all the benefits listed in clause 7.1; Level 2 Participants – to those listed in clauses 7.1.1-7.1.5; Level 3 Participants – to those listed in clauses 7.1.1-7.1.2.

Any Participant may disclose and publicize the fact of its membership in the Sumsub Travel Rule Ecosystem, subject to restrictions as may be communicated by Sumsub separately and provided that Sumsub’s written approval is obtained beforehand.

8. Participant's Obligations

  8.1. The Participant shall be obligated to comply with (a) this Agreement; and (b) any applicable laws and regulations at all times.
  8.2. The Participant must inform Sumsub of any change in or inaccuracy of the information previously provided as soon as it becomes or should reasonably become aware of it and provide up-to-date data for re-verification. This may include, but is not limited to: changes in the ownership structure of the company; new types of business activities, commencement of operations in other jurisdictions; changes in compliance processes regarding AML/CFT and data protection; changes in the technical capabilities in relation to compliance with the Travel Rule, etc.
  8.3. The Participant is solely responsible for all use of the Sumsub Travel Rule Solution.
  8.4. The Participant must not:
    • attempt to pass the VASP Due Diligence using a fake identity or an identity of a third party;
    • share the information received within the Sumsub Travel Rule Ecosystem, including data about other Participants, with third parties in ways not envisaged in this Agreement;
    • remove any copyright, trademark or other proprietary rights notices contained in Sumsub’s materials, any part of the Dashboard, or on Sumsub’s website (https://sumsub.com) or in Sumsub’s web and mobile applications;
    • copy, modify or create derivative works of any parts of the Dashboard, Sumsub’s web and mobile applications, or any related technology.
  8.5. The Participant agrees that its non-compliance with the provisions of this section 8 may result in its exclusion from the Sumsub Travel Rule Ecosystem.

9. Charges

  9.1. Joining the Sumsub Travel Rule Ecosystem is free of charge.
  9.2. Notwithstanding clause 9.1, Sumsub may establish a reasonable fee to cover the administrative costs associated with maintaining the Sumsub Travel Rule Ecosystem. Sumsub shall notify the Participants at least one month prior to the relevant amendments to the Agreement.

10. Intellectual property

  10.1. The Participant acknowledges and agrees that all intellectual property rights related to the Sumsub Travel Rule Ecosystem or the Sumsub Travel Rule Solution are the property of Sumsub or its Partners (as the case may be) or other Participants (within the scope determined in section 5 of the Agreement) and the Participant shall have no rights in or to the Sumsub Travel Rule Ecosystem or the Sumsub Travel Rule Solution other than the right to use them in accordance with the express provisions of this Agreement and the Participant’s Service Provider Agreement with Sumsub (if any).
  10.2. Notwithstanding clause 10.1 above, Sumsub grants the Participant a worldwide, non-exclusive, non-transferable, revocable license to use the Sumsub Travel Rule Ecosystem in accordance with and for the purposes of this Agreement, effective during the entire term hereof. The Participant may not sublicense this right other than with the prior written consent of Sumsub.

11. Confidentiality

  11.1. The Recipient shall: (a) maintain all Confidential Information in strict and absolute confidence and refrain from any disclosure and/or publication and/or description and/or communication of Confidential Information, in whole or in part, to any third party whatsoever; (b) take all necessary precautions to keep Confidential Information secret and apply the same security measures and degree of care to Confidential Information as the Recipient applies to its own confidential information; and (c) inform the Discloser of any damage to or accidental loss of Confidential Information, including transfer to or use by unauthorized persons immediately.
  11.2. The Recipient shall not: (a) use Confidential Information in order to build a product or service which competes with any products or services provided by Sumsub; (b) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Confidential Information (as applicable) in any form or media or by any means to any individual or entity; or (c) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of Confidential Information. For clarity, any breach of this clause will be deemed to be a material breach of this Agreement.

Where applicable, Participants, unless otherwise specified in the respective Service Provider Agreement, grant Sumsub a license to access, download and use some parts of Confidential Information (including Personal Data) for: (a) analyzing such information in accordance with Sumsub’s functionality; (b) developing and testing service and new products to improve the functionality of the services, designed for fraud detection and prevention, including by means of artificial intelligence (e.g. machine learning models) in order to fulfill the commitments in this Agreement and/or corresponding Service Provider Agreement; (c) identifying and flagging potentially fraudulent patterns and other signs of suspicious behavior which could lead to or signal any illicit activity, and calculated risk score based on the said factors and alert customers in the framework of higher-risk applicant control and alert functionality; (d) producing anonymised or anonymised and aggregated statistical reports and research, and (e) producing and storing audit log records and reports based on information security and personal data protection requirements.

  11.3. The Recipient shall also not be prevented from disclosing Confidential Information to employees and/or professional advisors who need to know it and who have agreed in writing (or, in the case of professional advisors, are otherwise bound) to keep confidentiality on terms no less restrictive than those contained herein. The Recipient will ensure that those persons: (a) use such Confidential Information only to exercise rights and fulfil obligations under this Agreement; and (b) keep such Confidential Information secret. The Recipient shall remain liable for any act or omission by its employees and/or professional advisors.
  11.4. The Recipient may also disclose Confidential Information when required by law after giving reasonable notice to the Discloser, such notice to be sufficient to give the Discloser an opportunity to seek confidential treatment, a protective order or similar remedies or relief prior to disclosure.
  11.5. If so requested by the Discloser at any time by written notice to the Recipient, the Recipient shall promptly: (a) destroy or return to the Discloser all documents and materials (and any copies thereof) containing, reflecting, incorporating or based on the Discloser's Confidential Information; (b) erase all Confidential Information from its own computer and communications systems, devices and other means of electronic storage; (c) erase all Confidential Information stored in electronic form in systems and data storage services owned by third parties, if possible; and (d) certify in writing to the Discloser that it has complied with the requirements of this clause.

Notwithstanding that, if the Recipient is required by law to retain any part of Confidential Information (for example, obtained under section 5 of the Agreement), this clause shall only apply to the extent allowing the Recipient to comply with the legal obligations in question.

  11.6. Without affecting any other rights and remedies that the Discloser may have, the Recipient hereby agrees that damages would not be an adequate remedy for any breach by the Recipient of this section 10, and that the Discloser shall be entitled to remedies of injunction, specific performance and other equitable relief for any threatened or actual breach hereof.
  11.7. Notwithstanding anything to the contrary, this section 10 shall survive for 3 years after the expiry or termination of this Agreement.

12. Limitation of Liability

  12.1. THIS SECTION 11 SETS OUT THE ENTIRE FINANCIAL LIABILITY OF EITHER PARTY (INCLUDING ANY LIABILITY FOR THE ACTS OR OMISSIONS OF EITHER PARTY’S EMPLOYEES, AGENTS AND SUB-CONTRACTORS) IN RESPECT OF: (A) ANY BREACH OF THIS AGREEMENT; AND (B) ANY USE MADE BY THE PARTICIPANT OF THE SUMSUB TRAVEL RULE ECOSYSTEM OR SUMSUB TRAVEL RULE SOLUTION OR ANY PART OF THESE; AND (C) ANY REPRESENTATION, STATEMENT OR TORTIOUS ACT OR OMISSION (INCLUDING NEGLIGENCE) OR BREACH OF STATUTORY DUTY ARISING UNDER OR IN CONNECTION WITH THE AGREEMENT.
  12.2. NEITHER PARTY EXCLUDES OR LIMITS LIABILITY TO THE OTHER PARTY FOR (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) ANY INDEMNITIES UNDER THIS AGREEMENT; OR (C) ANY OTHER MATTER FOR WHICH IT WOULD BE UNLAWFUL FOR THE PARTIES TO EXCLUDE OR LIMIT LIABILITY.
  12.3. NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY, WHETHER IN CONTRACT, TORT (INCLUDING FOR NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, FOR: (A) ANY LOSS OF PROFITS, INCOME, GOODWILL, REVENUE OR BUSINESS OPPORTUNITIES; ANY SPECIAL, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGES; (B) LOSSES ARISING OUT OF A FORCE MAJEURE EVENT; (C) ANY LOSS OR CORRUPTION OF DATA OR INFORMATION, EXCEPT IF IT WAS CAUSED BY A BREACH OF THIS AGREEMENT BY EITHER PARTY.
  12.4. SUBJECT TO CLAUSES ABOVE, SUMSUB’S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE AND BREACH OF STATUTORY DUTY HOWSOEVER ARISING), MISREPRESENTATION (WHETHER INNOCENT OR NEGLIGENT), RESTITUTION OR OTHERWISE, ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THIS AGREEMENT OR ANY COLLATERAL CONTRACT SHALL IN ALL CIRCUMSTANCES BE LIMITED TO 5,000 EUR IN RELATION TO ANY GIVEN CLAIM (WHETHER INDIVIDUAL OR COLLECTIVE).
  12.5. THE PARTICIPANT ASSUMES SOLE RESPONSIBILITY FOR CONCLUSIONS DRAWN FROM ITS USE OF INFORMATION RECEIVED UNDER THIS AGREEMENT.
  12.6. THE PARTICIPANT SHALL INDEMNIFY, DEFEND, AND HOLD HARMLESS SUMSUB AND ITS RESPECTIVE OFFICERS, SHAREHOLDERS, DIRECTORS, AND PERSONNEL, (AND KEEP SUCH INDIVIDUALS INDEMNIFIED ON A FULL INDEMNITY BASIS), FROM AND AGAINST ANY THIRD PARTY CLAIMS, SUITS, HEARINGS, ACTIONS, DAMAGES, LIABILITIES, FINES, PENALTIES, COSTS, LOSSES, JUDGMENTS OR EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES) ARISING OUT OF OR RELATING TO THE PARTICIPANTS’ USE OF THE ECOSYSTEM (COLLECTIVELY, “CLAIMS”), PROVIDED AND TO THE EXTENT THAT SUCH CLAIMS ARE NOT DUE TO ANY BREACH OF THIS AGREEMENT BY SUMSUB.

13. Data processing

  13.1. Data processing rules for Originator's and Beneficiary's data
  13.1.1. The Participants agree that Sumsub is a data processor when providing Travel Rule Solution Services, namely verifies the Beneficiary’s and Originator's identity and transfers to/receives from another Participant's particular personal data using special messaging protocols under the Participant’s instructions.
  13.1.2. The Participants, as data controllers, shall determine the legal bases for the processing of personal data and procure that each data subject whose personal data is to be processed and shared under the SPA, TRA or this Agreement be properly notified about such processing by respective means.

The receiving Participant guarantees that no personal data transferred to it shall be further redistributed to any third party without an appropriate legal basis for such data-sharing activities.

  13.1.3. The Participant ensures and guarantees the transferring of personal data of the Beneficiary and Originator within the Sumsub Travel Rule Ecosystem be legal and adequate. The Participant solely decides on the Sumsub Travel Rule Ecosystem and/or any personal data sharing and transfer activities in accordance with the applicable Travel Rule requirements. The Participant agrees that the personal data transferred following this paragraph will be defined and limited to the extent necessary and/or required by the applicable regulatory requirements by the Participant at the time of transfer, and the Participant agrees to be fully responsible for any non-compliance and breach of applicable Data Protection Legislation related to and affects Sumsub data processing activity.
  13.1.4. The Participants agree with the data processing details under the Crypto Travel Rule Solution provided in Annex II.
  13.1.5. The Participants shall be considered and act as independent controllers as per the Data Protection Legislation unless there is a joint controller relationship between them. In any case, this Agreement constitutes the legal arrangement that determines their respective responsibilities for compliance with their obligations under the applicable data protection legislation, namely:

    (a) Except as otherwise specified in this Agreement, any Participant shall have all and any ownership, rights and interests (including intellectual property rights) to the Deliverables under this Agreement, and shall have the right to modify and combine the data.

    (b) The attribution of the ownership and interests (including intellectual property rights) of products developed (if any) or services conducted jointly by different Participants shall be separately determined by such participating parties through negotiation, with agreements separately signed.

    (c) After accessing this Agreement, the Participant joins the Sumsub Travel Rule Ecosystem. The Participants agree that after accession to this Agreement, they shall each appoint a representative as the person in charge of all matters related to the interaction of the Participant and Sumsub in respect of the Sumsub Travel Rule Ecosystem (Authorised Person). For the purpose of this Agreement, the Authorised Person is an individual proceeding with the VASP Due Diligence process and acceding to this Agreement on behalf of the legal entity they represent (Participant) and empowered to do so. Meanwhile, Participants may change their appointed persons from time to time but shall notify Sumsub in writing in a timely manner.

    (d) Any decision on the Sumsub Travel Rule Ecosystem is subject to the sole discretion of the Authorised Persons, who shall exercise authority independently from each other unless otherwise applicable.

    (e) Taking into account the state-of-the-art technology, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Participant shall maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing personal data under this Agreement in compliance with applicable Data Protection Legislation.

    (f) Any transfer of personal data made in this Agreement from the Data Exporter subject to the EU GDPR and/or the UK GDPR to any Data Importer located in third countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of the EU GDPR and/or the UK GDPR shall be undertaken by the Parties through the Standard Contractual Clauses and/or the UK IDTA or Addendum set forth in Annex III to this Agreement as applicable. For any data transfers subject to the EU Commission’s Standard Contractual Clauses (hereinafter - the SCCs) and/or the UK International Data Transfer Agreement or Addendum, the EU Standard Contractual Clauses will be deemed entered into and completed as follows:

      (i) Module One (Controller to Controller) of the EU Standard Contractual Clauses, with the modifications provided in Schedule 1 of Annex III, will apply where the Parties sign and execute this Agreement and when the Data Exporter is transferring any Travel Rule information, including Personal Data to the Data Importer based in a third-country outside of the EU member states.

      (ii) Module Two (Controller to Processor) of the EU Standard Contractual Clauses, with the modifications provided in Schedule 2 of Annex III, will apply where the Parties sign and execute this Agreement and when the Data Exporter is transferring any Travel Rule information, including Personal Data, to the Data Importer based in a third-country outside of the EU member states

      OR

      Module Four (Processor to Controller) of the EU Standard Contractual Clauses, with the modifications provided in Schedule 3 of Annex III, will apply where the Parties sign and execute this Agreement and when the Data Exporter is transferring any Travel Rule information, including Personal Data, to the Data Importer based in a third-country outside of the EU member states

      (iii) The International Data Transfer Agreement will apply regardless as the SCCs under sub-paragraphs (i) and (ii) above will not be applicable and implemented, with the modifications provided in Schedule 4 of Annex III.

      OR

      The Addendum together with the SCCs, as implemented under sub-paragraphs (i) and (ii) above, will apply with the modifications provided in Schedule 5 of Annex III.

For any data transfers that are not subject to the EU Commission’s Standard Contractual Clauses or UK International Data Transfer Agreement or Addendum, the Data Exporter shall ensure, and the Data Importer shall assume, that sufficient legal basis, safeguards and/or derogations have been put in place in compliance with Article 45, 46 or 49 of EU GDPR and/or the UK GDPR for the transfer of personal data to a third country.

  1. (g) The Data Exporter and Data Importer shall individually, to the extent permitted by applicable Data Protection Legislation, facilitate any requests by a Data Subject (as set out in Annex II) in exercising their Data Subject’s right of access, rectification, restriction of Processing, erasure, data portability, restriction of or objection to, withdrawal of consent to, and/or objection to being subject to the data processing that constitutes automated decision-making or profiling (such requests individually and collectively referred to as “Data Subject Request(s)”) the data processing under this Agreement. In the event Sumsub receives any Data Subject Request in relation to their personal data processing pursuant to this Agreement, Sumsub will advise the Data Subject to submit their request to the respective Participant and the respective Participant will be responsible for responding to such request.

    (h) The Participants agree, taking into account the nature of the data processing under this Agreement, that the Data Exporter may request the Data Importer to provide reasonable cooperation and assistance, including an independent audit report from the Data Importer confirming in writing that the minimum-security measures and standards prescribed in relevant SCCs or IDTA or Addendum. The Participants acknowledge and agree to individually respond to and, where necessary, provide reasonable cooperation and assistance to each other, any requests and enquiries from relevant Regulatory Authorities regarding personal data processing in their respective jurisdictions.

    (i) In the event of a confirmed Personal Data Breach, the Data Importer shall, without undue delay, notify the Data Exporter and, where necessary, the relevant Regulatory Authority. The Data Importer shall also take such steps, as required in relevant SCCs or IDTA or Addendum and as the Data Importer, in its sole discretion, deems necessary and reasonable, to remediate such breach (to the extent that the breach is within the Data Importer’s reasonable control). The Data Importer shall also notify, without undue delay, the Data Subjects concerned if the Personal Data Breach results in a high risk to the rights and freedoms of natural persons as set out in relevant SCCs or IDTA or Addendum. The Data Importer shall provide the Data Exporter with reasonable cooperation and assistance necessary for the Data Exporter to comply with its obligations under applicable Data Protection Legislation with respect to notifying (i) the relevant Regulatory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay. The Data Importer shall provide the Data Exporter with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Data that were the subject of the Personal Data Breach.
  1. 13.2.Data Processing rules for Ecosystem Participant’s data
  2. 13.2.1.For the purposes of this Agreement, if the Participant passes VASP Due Diligence, any Participant shall be able to redistribute the results of the VASP Due Diligence previously rendered by Sumsub, including relevant personal data in the VASP Due Diligence Questionnaire (Deliverables) specified in Annex II hereto, in part or their entirety, to the receiving Participant, and Sumsub shall perform such redistribution based on the accession to this Agreement and subject to the following conditions:
  3. (a) The Participants, as data controllers, shall procure that each data subject whose personal data is to be processed during the VASP Due Diligence process and shared under this Agreement is properly informed about such processing by respective means depending on the determined legal bases.

    (b) The receiving Participant guarantees that no Deliverables transferred to it under this Agreement shall be further redistributed to any third party without an appropriate legal basis for such data-sharing activities.
  4. 13.2.2.For the purposes of the data protection legislation, Sumsub shall be considered the data Controller, when it maintains the Travel Rule Ecosystem and carries out due diligence of its Participants.
  5. 13.2.3.For any data transfers subject to the EU Commission’s Standard Contractual Clauses (hereinafter - the SCCs) and/or the UK International Data Transfer Agreement or Addendum, the EU Standard Contractual Clauses will be deemed entered into and completed as follows:
  6. (i) Module One (Controller to Controller) of the EU Standard Contractual Clauses, with the modifications provided in Schedule 1 of Annex IV, will apply where the Parties sign and execute this Agreement and when the Data Exporter is transferring any Travel Rule information, including Personal Data, to the Data Importer based in a third-country outside of the EU member states.

    (ii) The International Data Transfer Agreement will apply regardless as the SCCs under sub-paragraphs (i) and (ii) above will not be applicable and implemented, with the modifications provided in Schedule 2 of Annex IV.

    OR

    The Addendum together with the SCCs, as implemented under sub-paragraphs (i) and (ii) above, will apply with the modifications provided in Schedule 3 of Annex IV.
  7. 13.2.4.Upon the termination of this Agreement, Sumsub will retain the VASP Due Diligence information, including the personal data, if any, for five years from the moment of the termination for the purpose of Travel Rule Solution delivery to its customers.
  8. 13.3.The Participant confirms that the data subjects whose personal data is to be processed in connection with this Agreement will be notified with Sumsub’s Privacy Notice as referenced in clause 4.1 above.

14. Representations and Warranties

  1. 14.1.The Participant warrants, represents and covenants that: (a) it is duly incorporated, organized, and validly existing under the applicable law; (b) it has good and sufficient capacity, power, authority and right to enter into, execute and deliver this Agreement, to complete the transactions contemplated hereby and to duly observe and perform the covenants and obligations contained herein; and (c) all necessary corporate action has been taken by the Parties to authorize and approve the execution and delivery of this Agreement, the completion of the transactions contemplated hereby and the observance and performance of the covenants and obligations contained herein.
  2. 14.2.The Participant warrants, represents and covenants that it will not: (a) use the Sumsub Travel Rule Ecosystem to discriminate against any other Participant or in a manner that causes damage or injury to any person or property; (b) use the Sumsub Travel Rule Ecosystem in a manner that could be reasonably expected to bring Sumsub into disrepute or otherwise harm its reputation; (c) act or omit to act in a way which interferes with or compromises the integrity or security of the Sumsub Travel Rule Ecosystem; or (d) make the Sumsub Travel Rule Ecosystem benefits available or otherwise use the Sumsub Travel Rule Ecosystem in any jurisdiction where it is not permitted by applicable law.
  3. 14.3.NO WARRANTY. No conditions, warranties or other terms apply to the Sumsub Travel Rule Ecosystem other than the conditions, warranties and terms expressly set forth herein. Sumsub hereby disclaims any implied warranties, whether arising under law, through the course of dealing, or otherwise (including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description). In addition, Sumsub does not warrant or enter into any other term to the effect that any technology provided in connection with this Agreement will be entirely free from defects or that its operation will be entirely error-free.

15. Term and Termination

  1. 15.1.The Agreement remains in force between Sumsub and the Participant until terminated by either Party.
  2. 15.2.The Participant may terminate this Agreement at any time for convenience by giving Sumsub at least 14 calendar days prior written notice.

    For clarity, termination of the contract is considered the exit of the entity from the Sumsub Travel Rule ecosystem. Other participants will be notified of the withdrawal of another participant from the Sumsub Travel Rule ecosystem by putting a special status in the Ecosystem.
    The termination of this Agreement leads to the termination of the SPA or TRA.
  3. 15.3.Without prejudice to any rights that have accrued under this Agreement, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:

    a) the other Party is in material breach of this Agreement (including any warranties) where the breach is incapable of remedy; or

    b) the other Party is in material breach of this Agreement (including any warranties) where the breach is capable of remedy and fails to remedy that breach within fourteen (14) days after receiving written notice of such breach;

    c) the other Party is in violation of any applicable law or legal regulation; or

    d) the other Party enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on business; or any analogous event happens to the other Party in any jurisdiction in which it is incorporated or resident or in which it carries on business or has assets.
  4. 15.4.The Participant acknowledges that, once this Agreement is terminated, Sumsub will continue to store its VASP Due Diligence Questionnaire as specified in clause 13.2.4 of this Agreement.
  5. 15.5.Sumsub reserves the right to temporarily suspend the Participant’s involvement in the Sumsub Travel Rule Ecosystem and/or terminate this Agreement with immediate effect at its own discretion where it knows or reasonably suspects that:

    a) the Participant is in breach of any applicable laws and regulations or is subject to any local or international sanctions (including any sanctions administered or enforced by the U.S. government or the U.S. Department of State, the United Nations Security Council, the European Union, Her Majesty’s Treasury or other relevant sanctions authority) or restrictions;

    b) the Participant infringes the intellectual property rights of Sumsub or its Partners, or other Participants;

    c) the Participant’s activity may, in the opinion of Sumsub, be detrimental to the interests or business reputation of Sumsub, its Partners or other Participants.

16. Changes to Agreement

  1. 16.1.Sumsub is entitled to modify and make changes unilaterally to the Agreement from time to time without any prior notice, provided that these revisions are not detrimental to the Participant’s legitimate interests. Any material changes to the Agreement will be communicated in writing to the Participant prior to or immediately after such changes come into effect.
  2. 16.2.In case the Participant does not agree to be bound by the amendments to this Agreement as described in clause 16.1, it is entitled to terminate the Agreement with immediate effect.

17. General

  1. 17.1.Neither Party shall be liable for any delay or non-performance of its obligations under this Agreement to the extent that such delay or non-performance is a result of any condition beyond its reasonable control, including but not limited to governmental action, pandemic, acts of terrorism, earthquake, fire, flood or other similar events, labour conditions, power failures, and Internet disturbances.
  2. 17.2.All notices must be in English, in writing and sent to the receiving Party's current postal address, email address, via Dashboard or other means mutually agreed upon by the Parties. All notices shall be deemed to have been given on receipt as verified by written or automated receipt or electronic log (as applicable).
  3. 17.3.Failure or delay in exercising any right or remedy under this Agreement shall not constitute a waiver of such (or any other) right or remedy.
  4. 17.4.If any provision of this Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of this Agreement; and (a) the Parties shall immediately commence good faith negotiations to remedy such invalidity; and (b) the validity and enforceability of the other provisions of this Agreement as applicable shall not be affected.
  5. 17.5.Each Party acknowledges that in entering into this Agreement it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other Party in relation to the subject matter of this Agreement other than those which are set out herein (or those which the Agreement explicitly refers to).
  6. 17.6.Except as expressly stated otherwise, nothing in this Agreement shall create or confer any rights or other benefits in favour of any person other than the Parties. Except as expressly stated otherwise, nothing in this Agreement shall create an agency, partnership or joint venture of any kind between the Parties. Neither Party shall have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.
  7. 17.7.Neither Party may assign any of its rights or obligations under this Agreement without the prior written consent of the other, such consent not to be unreasonably withheld, save that either Party can assign to an acquirer of all or substantially all of the assets of a Party without the consent of the other.
  8. 17.8.Unless otherwise specified in this Agreement, each Party is only permitted to make public announcements and/or publish written materials concerning the other Party and/or the existence and nature of the business relationship between the Parties if the other Party has given its prior written consent to the content of such an announcement or the text of such written material, except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
  9. 17.9.The Parties shall: (i) comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption including the Bribery Act 2010 (Relevant Requirements); (ii) not engage in any activity, practice or conduct which would constitute an offence under sections 1, 2 or 6 of the Bribery Act 2010 if such activity, practice or conduct had been carried out in the UK; (iii) promptly report to the other Party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of this Agreement.
  10. 17.10.This Agreement and all disputes and claims arising from or in connection with it are governed by English law. Any dispute, controversy or claim arising out of or in connection with this Agreement, or any breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations shall apply where the amount in dispute does not exceed EUR 100,000. Where the amount in dispute exceeds EUR 100,000 the Arbitration Rules shall apply. Where the amount in dispute exceeds EUR 1,000,000, the Arbitral Tribunal shall be composed of three arbitrators. The amount in dispute includes the claims made in the Request for Arbitration and any counterclaims made in the Answer to the Request for Arbitration. The seat of the arbitration shall be London, England. The language of the arbitration shall be English.

ANNEX I. Template of the VASP Due Diligence Questionnaire

  • Section A. VASP details

  • 1. Full legal name

  • 2. Trade name if applicable

  • 3. Full legal (registered) address

  • 4. Full primary business address (if different from the registered address above)

  • 5. Date of incorporation / establishment

  • 6. Incorporation number

  • 7. Website

  • 8. Legal representative of the entity (e.g., CEO, Director, etc)

    - full name
    - DOB
    - email

  • 9. Ownership structure / Entity type

    Please select the type of ownership structure / entity type:
    - Privately Owned
    - Publicly Listed
    - Partnership
    - Foundation
    - Association
    - Not-for-Profit / Non-Profit
    - Trust
    - Member Owned / Mutual
    - Government or State Owned by 25% or more
    - Sole proprietorships
    - Natural Person
    - Other

    If Other, please state the ownership / entity type ____________

    If Privately Owned, please provide details of shareholders or ultimate beneficial owners with a holding of 25%* or more.

    *If your company doesn't have UBO with 25% of ownership, please provide the information about the person holding 10% or more; if the holding is less than 10%, please indicate the senior managing official(s).

  • 10. Is your company part of a group of companies?

    Yes/No

    If yes, please specify which companies are part of the group, their reg. number and in what jurisdiction they are located.

  • Please attach the following documents

  • Certificate of incorporation or registration

  • Certificate of incumbency (issued within the last 6 months) or power of attorney

  • Ownership chart signed by the legal representative of the entity.

  • Section B. Business activity

  • 11. Type of organisation:

    - Centralised
    - Decentralised

  • 12. Business activity of the entity.

    Please select the applicable activity for your entity:
    - exchange between virtual assets and fiat currencies;
    - exchange between one or more forms of virtual assets;
    - transfer of virtual assets;
    - safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
    - participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

    Other ________

  • 13. Services provided

    Does your entity provide the following services:
    • no
    • yes (if yes, please specify):

    - Intermediary VASP
    - P2P exchange
    - DeFi services;
    - NFT services;
    - Omnibus or co-mingled custodial wallets
    - OTC trading
    - Investment Funds
    - Crypto ATMs
    - Virtual asset exchange involving privacy-preserving Virtual Assets
    - Virtual asset deposits or withdrawals to / from a bank account not verified as under the customer's control
    - Virtual asset deposits or withdrawals to / from a wallet not verified as under the customer's control
    - Virtual asset issuance, fund raising, or collection of funds for Initial Coin Offerings (ICO) / Initial Exchange Offerings (IEO) / Security Token Offerings (STO) / Private Token Sales;

    Other__________

  • Section C. Regulatory details

  • 14. Name of the Entity’s primary financial regulator / supervisory authority

  • 15. Regulatory status


    - No license / registration required
    - Registered
    - Temporary license exemption
    - License application in progress
    - Licensed

  • 16. List of jurisdictions where the Entity has been (will be) granted licenses or other approvals or have (will be) registered as required to operate (with registration numbers), and the name of the regulator / supervisory authority

  • 17. Is the Entity permitted to send and/or receive transfers of virtual assets in the jurisdictions in which it operates?

  • Please attach the following documents or provide the link

  • Copy of the Licence and the link to the register confirming the granting of license (if applicable); or

    Link to the regulatory register confirming regulatory approval for operating (if applicable)

  • Section D. Travel rule compliance and technical information

  • 18. Is the Entity required to comply with the application of the Travel Rule standards (FATF Recommendation 16) in the jurisdiction(s) where it is licensed / approved / registered?

    If Yes, please specify the applicable regulation(s)

  • 19. What is the minimum transaction threshold above which the entity is required to collect/send Travel Rule information?

  • 20. Which of the following processes does your entity carry out within the Travel Rule:

    - sanctions screening
    - transactions monitoring

  • 21. Does the Entity conduct counterparty VASP Due Diligence prior to the sharing of originator and / or beneficiary details to a transaction?

    If not, please specify the reason.

  • 22. Does the Entity have processes and controls to prevent customer access to deposits and withdrawals prior to name and wallet screening processes completing?

  • 23. Does the Entity have procedures to allow for the return of inbound payments?

  • 24. What protocols and technical solution(s) does the Entity support for sharing Travel Rule information?

    Is the entity a member of any Travel Rule Alliances, ecosystems, directories, or networks? If so, please specify.

  • 25. The technical details (IDs, endpoints, URLs, etc.) required to send Travel Rule information to the Entity for each solution the Entity supports (if applicable)

  • 26. Name, email and phone number of travel rule contact

  • Section D. AML/CFT & Sanctions Compliance

  • 27. Does the Entity have documented policies, procedures and controls implemented consistent with applicable AML/CTF & Sanctions regulations and requirements of the jurisdiction where the entity is licensed/registered to reasonably prevent, detect and report the following?

    - Money laundering/ Terrorist financing.
    - Sanctions violations.

  • 28. Does the Entity establish business relationships with:

    - natural persons
    - legal entities

    If legal entities are acceptable, please complete the following:

    When conducting CDD for Legal Entities (Legal Persons), are each of the following identified:
    - Ultimate beneficial ownership
    - Authorised account operators / signatories (where applicable)
    - Key controllers (e.g., Chief Executive Officer, Chief Financial Officer, Managing Partner, Chairman of the Board and Directors)
    - Other relevant parties

    Are Ultimate Beneficial Owners (UBOs) verified?
    - yes
    - no

    What is the Entity’s minimum (lowest) threshold percentage applied to beneficial ownership identification for CDD?

    Does the Entity have a risk-based approach to screening customers and connected parties to determine whether they are PEPs, or controlled by PEPs?
    - yes
    - no

  • 29. Are the majority of the Entity's customer relationships Face-to-Face or Non-Face-to-Face?

    If the majority is Non-Face-to-Face, does the Entity use any of the following tools to enhance verification?

    - Biometric solutions on identity documents;
    - Liveness testing on natural persons
    - Video identification;
    - eIDAS;
    - GeoIP detection of the location of natural persons;
    - Duplicate account detection.

  • 30. Methods or technical means the Entity uses for identity verification of its customers (including originators and beneficiaries within the Travel Rule obligation):

    - manual
    - automated
    - combination of automated and manual.
    - outsourced

    If outsourced, please specify the name of the partner conducting outsource services: _____

  • 31. Does the Entity permit the opening and keeping of anonymous accounts or accounts in obviously fictitious names; unlicensed VASPs?
    If so, please specify

  • 32. Does the Entity conduct identity verification before permitting the customers to send/receive virtual asset transfers?

    If Yes, at what threshold does the Entity conduct identity verification before permitting the customer to send/receive virtual asset transfers?

  • 33. Which of the following processes does your entity carry out:

    - Governance and the appointment of a Compliance Officer / MLRO with sufficient experience / expertise.
    - Risk Based Approach and Risk Assessment.
    - CDD.
    - EDD.
    - SDD.
    - Sanctions Screening.
    - PEP Screening.
    - Adverse Media & Negative News Screening.
    - Beneficial Ownership Identification & Verification.
    - Controller Identification & Verification.
    - KYC Refresh / Periodic Review.
    - AML Transaction Monitoring.
    - Blockchain Analytics Monitoring.
    - Transaction / Payment Screening.
    - Suspicious Activity/Transaction Reporting.
    - Travel Rule Reporting
    - Record Keeping.
    - Training and Education.
    - Independent Audit & Testing.

  • 34. Does the Entity screen its customers, including beneficial ownership information collected by the Entity, against Sanctions Lists during onboarding and regularly thereafter?
    Please specify the frequency.

  • 35. Does the entity have offshore customers domiciled in countries / regions against which UN, OFAC, OFSI, EU and G7 member countries have enacted comprehensive jurisdiction-based sanctions?

  • 36. Methods or technical means the Entity uses for sanctions screening of its customers (including originators and beneficiaries within the Travel Rule obligation):

    - manual
    - automated
    - outsourced

    If outsourced, please specify the name of the partner conducting outsource services: _____

  • 37. In addition to inspections by the government supervisors/regulators, does the Entity have an internal audit function, a testing function or other independent third party, or both, that assesses AML/CTF, Fraud and Sanctions policies and practices on a regular basis?

  • Please attach the following documents

  • AML Policy and other related policies and procedures

  • Section F. Data Protection Compliance

  • Please describe which technical (e.g. 2-FA, MFA, passwords, data encryption, firewalls, etc.) and organisational (e.g. visitor registration, staff training or restricted access, etc.) measures your entity has in relation to the data protection.

  • 38. Information about the Data Protection Officer appointed in the entity, if any.

    - full name
    - contact details

  • 39. Security measures and security certificates in place (if any).

    please describe

  • 40. Security measures and security certificates in place (if any).

    please describe

  • Please attach the following documents

  • Privacy Notice

  • Document describing technical and organisational measures in relation to the PII protection (if any)

  • Security Certificates

  • Section G. Information regarding person providing information

  • 41. Full name

  • 42. Title

  • 43. Contact details

    email
    phone number

Please be informed that the list of information and documents is not exhaustive. Sumsub may request additional documents if it deems it necessary (e.g., due to the inability to verify some information, or the existence of doubts about the information provided).

ANNEX II. Data Processing Details

Data Processing/Sharing Instruction

The Customer's Purpose of Processing: Travel Rule compliance

Business Purpose: Execution of this Agreement

Nature of Processing:

For Annex III

  • AML and sanctions screening against the Beneficiary's and Originator's data,
  • data cross-check of relevant Travel Rule requirements, and
  • transfer to/ receiving from another Participant of this data via messaging protocols to ensure Travel Rule regulations compliance

For Annex IV

  • performance of VASP Due Diligence, and
  • the data redistribution between the Participants based on the accession to this Agreement

Duration of Processing: Term of this Agreement, unless otherwise specified and/or applicable

Data subjects categories:

For Annex III

the Participant's customers (Individuals)

For Annex IV

the Participant’s personal data as specified in Annex I hereto

Categories of data for Processing:

For Annex III

The Personal Data processing is based on the Travel Rule Solution service, which may include, but is not limited to, the categories of Personal Data specified below.

  • For Crypto Travel Rule Solution: Full name of the sender and the recipient, the physical (geographical) address of the sender, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth, recipient account number (e.g., wallet address); the legal name of counterparty VASP.

For Annex IV

Personal data categories as specified in Annex I hereto

Dashboard – an interactive software tool ensuring management and processing of requests for VASP Due Diligence, Data Exchange Transactions, VA Transactions and facilitating the communication between Sumsub and the Participant in relation to this Agreement.

Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Participant’s purpose(s) and Business purpose.

Subject matter, nature and duration of the processing by (sub-) processor: The subject matter, nature and duration of the processing is indicated and specified in the relevant privacy clauses hereto and/or Data Processing Agreement, if any, with the subprocessor that Sumsub engages for Business purpose. More details are to be provided upon written request.

Technical and Organisational Measures: the list of security and privacy standards implemented by Sumsub can be found here. Further information may be clarified with a manager.

ANNEX III. International Data Transfer Mechanism pursuant to Article 13.1. of this Agreement

Schedule 1. The Standard Contractual Clauses: Module One

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module One of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of Ireland

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

Schedule 2. The Standard Contractual Clauses: Module Two

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Two of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 9(a) (use of sub-processors)

    The OPTION 2 will apply (general authorisation)

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of Ireland

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I, II and III are set out as follows:

  • Competent Supervisory Authority (Annex I):

    Cyprus

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

  • List of Sub-Processors (Annex III):

    To be requested from a manager

  • Technical and Organisational Measures (Annex II):

    As specified in Annex II to this Agreement

Schedule 3. The Standard Contractual Clauses: Module Four

EU STANDARD CONTRACTUAL CLAUSES (SCCs)

(Processor - Controller)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Four of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of England and Wales

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

  • List of Sub-Processors (Annex III):

    To be requested from a manager

  • Technical and Organisational Measures (Annex II):

    As specified in Annex II to this Agreement

Schedule 4. The UK IDTA

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:

1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.

2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is completed as follows:

  • UK country’s law that governs the IDTA

    England and Wales
    Northern Ireland
    Scotland

  • Primary place for legal claims to be made by the Parties

    England and Wales
    Northern Ireland
    Scotland

  • The status of the Exporter

    In relation to the Processing of the Transferred Data:

    Exporter is neither Controller OR Processor or Sub-Processor

  • The status of the Importer

    In relation to the Processing of the Transferred Data:

    Importer is neither Controller or Exporter’s Processor or Sub-Processor.

  • Whether UK GDPR applies to the Importer

    UK GDPR applies to the Importer’s Processing of the Transferred Data OR does not apply to the Importer’s Processing of the Transferred Data

  • Linked Agreement

    This Agreement

  • Term

    The Importer may Process the Transferred Data for the following time period:

    the period for which the Linked Agreement is in force
    time period:
    (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

  • Ending the IDTA before the end of the Term

    the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
    the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

  • Ending the IDTA when the Approved IDTA changes

    Which Parties may end the IDTA as set out in Section 29.2:

    Importer
    Exporter
    neither Party

  • Can the Importer make further transfers of the Transferred Data?

    The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
    The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

  • Specific restrictions when the Importer may transfer on the Transferred Data

    The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:

    if the Exporter tells it in writing that it may do so.
    to
    to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
    there are no specific restrictions.

  • Review Dates

    The Parties must review the Security Requirements at least once:
    each month(s)
    each quarter
    each 6 months
    each year
    each year(s)
    each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is completed as follows:

  • Transferred Data

    The personal data to be sent to the Importer under this IDTA consists of:

    The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

  • Special Categories of Personal Data and criminal convictions and offences

    The Transferred Data includes data relating to:

    racial or ethnic origin
    political opinions
    religious or philosophical beliefs
    trade union membership
    genetic data
    biometric data for the purpose of uniquely identifying a natural person
    physical or mental health
    sex life or sexual orientation
    criminal convictions and offences
    none of the above
    set out in:
    And:
    The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3

  • Relevant Data Subjects

    The Data Subjects of the Transferred Data are:

    The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

  • Purpose

    The Importer may Process the Transferred Data for the following purposes:

    The Importer may Process the Transferred Data for the purposes set out in:

    In both cases, any other purposes which are compatible with the purposes set out above.
    The purposes will update automatically if the information is updated in the Linked Agreement referred to.
    The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is completed as follows:

  • Security of Transmission

    As specified in Annex II to this Agreement

  • Security of Storage

    As specified in Annex II to this Agreement

  • Security of Processing

    As specified in Annex II to this Agreement

  • Organisational security measures

    As specified in Annex II to this Agreement

  • Technical security minimum requirements

    As specified in Annex II to this Agreement

  • Updates to the Security Requirements

    The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
    The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is completed as follows:

  • Extra Protection Clauses:

  • (i) Extra technical security protections

    As specified in Annex II to this Agreement

  • (ii) Extra organisational protections

    As specified in Annex II to this Agreement

  • (iii) Extra contractual protections

    As specified in Annex II to this Agreement

PART 3. COMMERCIAL CLAUSES

  • Commercial Clauses

    This Agreement

Schedule 5. The UK IDTA Addendum

IDTA ADDENDUM (Addendum)

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.

The SCCs, as implemented under the Schedules 1-3 will apply with the following modifications:

i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and

ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1-3 above (as applicable).

PART 1. TABLE

  • Table 1. Parties

  • Commencement date:

    When the restricted transfer is to be conducted

  • The Parties' details:

    Exporter: Partner

    Importer: Sumsub

  • Key Contact:

    as specified in this Agreement

  • Table 2. Selected SCCs, Modules and Selected Clauses

  • Addendum EU SCCs:

    The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information

  • Table 3. Appendix Information

  • ANNEX IA: List of Parties

    As specified in Table 1 hereto

  • ANNEX IB: Description of Transfer

    As specified in Annex II to this Agreement

  • ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

    As specified in Annex II to this Agreement

  • ANNEX III: List of Subprocessors (if applicable):

    To be requested from a manager

  • Table 4. Appendix Information

  • Ending this Addendum when the Approved Addendum changes

    Neither Party

ANNEX IV. International Data Transfer Mechanism pursuant to Article 13.2. of this Agreement

Schedule 1. The Standard Contractual Clauses: Module One

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module One of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of Ireland

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

The UK IDTA

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Two of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 9(a) (use of sub-processors)

    The OPTION 2 will apply (general authorisation)

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of Ireland

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I, II and III are set out as follows:

  • Competent Supervisory Authority (Annex I):

    Cyprus

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

  • List of Sub-Processors (Annex III):

    To be requested from a manager

  • Technical and Organisational Measures (Annex II):

    As specified in Annex II to this Agreement

Schedule 3. The Standard Contractual Clauses: Module Four

EU STANDARD CONTRACTUAL CLAUSES (SCCs)

(Processor - Controller)

The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.

1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Four of the SCCs applies.

2. Applicable options. The following optional clauses of Module Two apply as follows:

  • Clause 13(a) (supervision)

    The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State

  • Clause 17 (governing law)

    The OPTION 1 will apply: the law of England and Wales

  • Clause 18(b) (forum)

    England and Wales

3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.

4. Annexes. The details of Annexes I and III are set out as follows:

  • List of Parties (Annex I):

    As specified in this Agreement

  • Description of Transfer (Annex I):

    As specified in Annex II to this Agreement

  • List of Sub-Processors (Annex III):

    To be requested from a manager

  • Technical and Organisational Measures (Annex II):

    As specified in Annex II to this Agreement

Schedule 4. The UK IDTA

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:

1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.

2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is completed as follows:

  • UK country’s law that governs the IDTA

    England and Wales
    Northern Ireland
    Scotland

  • Primary place for legal claims to be made by the Parties

    England and Wales
    Northern Ireland
    Scotland

  • The status of the Exporter

    In relation to the Processing of the Transferred Data:

    Exporter is Controller

  • The status of the Importer

    In relation to the Processing of the Transferred Data:

    Importer is Controller

  • Whether UK GDPR applies to the Importer

    UK GDPR applies to the Importer’s Processing of the Transferred Data OR does not apply to the Importer’s Processing of the Transferred Data

  • Linked Agreement

    This Agreement

  • Term

    The Importer may Process the Transferred Data for the following time period:

    the period for which the Linked Agreement is in force
    time period:
    (only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.

  • Ending the IDTA before the end of the Term

    the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
    the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).

  • Ending the IDTA when the Approved IDTA changes

    Which Parties may end the IDTA as set out in Section 29.2:

    Importer
    Exporter
    neither Party

  • Can the Importer make further transfers of the Transferred Data?

    The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
    The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).

  • Specific restrictions when the Importer may transfer on the Transferred Data

    The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:

    if the Exporter tells it in writing that it may do so.
    to
    to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
    there are no specific restrictions.

  • Review Dates

    The Parties must review the Security Requirements at least once:
    each month(s)
    each quarter
    each 6 months
    each year
    each year(s)
    each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment

3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is completed as follows:

  • Transferred Data

    The personal data to be sent to the Importer under this IDTA consists of:

    The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

  • Special Categories of Personal Data and criminal convictions and offences

    The Transferred Data includes data relating to:

    racial or ethnic origin
    political opinions
    religious or philosophical beliefs
    trade union membership
    genetic data
    biometric data for the purpose of uniquely identifying a natural person
    physical or mental health
    sex life or sexual orientation
    criminal convictions and offences
    none of the above
    set out in:
    And:
    The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3

  • Relevant Data Subjects

    The Data Subjects of the Transferred Data are:

    The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
    The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

  • Purpose

    The Importer may Process the Transferred Data for the following purposes:

    The Importer may Process the Transferred Data for the purposes set out in:

    In both cases, any other purposes which are compatible with the purposes set out above.
    The purposes will update automatically if the information is updated in the Linked Agreement referred to.
    The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is completed as follows:

  • Security of Transmission

    As specified in Annex II to this Agreement

  • Security of Storage

    As specified in Annex II to this Agreement

  • Security of Processing

    As specified in Annex II to this Agreement

  • Organisational security measures

    As specified in Annex II to this Agreement

  • Technical security minimum requirements

    As specified in Annex II to this Agreement

  • Updates to the Security Requirements

    The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
    The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.

5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is completed as follows:

  • Extra Protection Clauses:

  • (i) Extra technical security protections

    As specified in Annex II to this Agreement

  • (ii) Extra organisational protections

    As specified in Annex II to this Agreement

  • (iii) Extra contractual protections

    As specified in Annex II to this Agreement

6. Part 2 ‘Commercial Clauses’ from the ‘Tables’ section is completed as follows:

  • Commercial Clauses

    This Agreement

Schedule 3. The UK IDTA Addendum

IDTA ADDENDUM (Addendum)

In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.

The SCCs, as implemented under the Schedules 1-3 will apply with the following modifications:

i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and

ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1 above.

PART 1. TABLE

  • Table 1. Parties

  • Commencement date:

    When the restricted transfer is to be conducted

  • The Parties' details:

    Exporter: Participant

    Importer: Sumsub

  • Key Contact:

    as specified in this Agreement

  • Table 2. Selected SCCs, Modules and Selected Clauses

  • Addendum EU SCCs:

    The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information

  • Table 3. Appendix Information

  • ANNEX IA: List of Parties

    As specified in Table 1 hereto

  • ANNEX IB: Description of Transfer

    As specified in Annex II to this Agreement

  • ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:

    As specified in Annex II to this Agreement

  • ANNEX III: List of Subprocessors (if applicable):

    To be requested from a manager

  • Table 4. Appendix Information

  • Ending this Addendum when the Approved Addendum changes

    Neither Party