Terms & Conditions
Last updated October 17, 2025
The following Terms and Conditions, encompassing all referenced Schedules, Appendixes, and Appendices (hereinafter the "Terms"), establish the definitive framework of rights and responsibilities governing the commercial relationship between COMPLIGATE LTD, incorporated and registered in England with company number 15376538 and registered office at 85 Great Portland Street, First Floor, London, England, W1W 7LT (the "Service Provider"), and the entity that utilizes or gains access to the Kycaid verification system (the "Customer"). The Service Provider and the Customer shall hereinafter be jointly referred to as the "Parties".
The Customer's unconditional agreement to adhere to and be legally bound by these Terms is conclusively demonstrated by: (i) advancing through the account registration process within the Kycaid Dashboard and selecting a Pricing Option; or (ii) any initial or continued utilization of or access to the System and/or the associated Services, in circumstances where no pre-existing commercial agreement on the same subject matter is operative between the Parties. Should the Customer not accept all provisions contained in these Terms, it is expressly prohibited from completing the registration process or from initiating or continuing any use of the System and/or Services.
1. DEFINITIONS
1.1. In these Terms and Conditions, the following definitions shall apply:
Term | Description |
---|---|
API | Refers to the Service Provider's application programming interface, constituting a collection of defined methods and communication protocols that enable the Customer Platform to interface programmatically with the System for the purpose of submitting verification applications and facilitating data exchange. |
Applicant | Means an end-user of the Customer Platform, which may be a natural person or a legal entity, who supplies identification documents, images, and other necessary data that the Service Provider utilizes to perform Verification Checks and deliver other Services. |
Authorized User | Any individual, whether an employee or a duly appointed representative of the Customer, who is granted permission by the Customer to access and operate the System on the Customer's behalf. |
Billing Start Date | Signifies the later of the following two dates: (i) the date on which the Customer provides its payment details and activates a chosen Pricing Option within the Dashboard; or (ii) the date of expiration of any applicable Trial Period. From this date, all Services become subject to charges as stipulated by the active Pricing Option. |
Business Purpose | Means the authorized scope of the Customer's use of the System and Services, strictly limited to legitimate activities involving remote identity verification, fraud prevention, adherence to anti-money laundering and counter-terrorist financing legislation, and internal risk management and due diligence. The Customer is strictly forbidden from reselling, sublicensing, or otherwise commercially distributing the System, Services, or any derived materials to any third party, unless prior written consent is obtained from the Service Provider. Such consent shall not be withheld unreasonably where a legal obligation or a lawful request from a competent government authority necessitates such disclosure. |
Commencement Date | The point in time when these Terms become legally binding, which is the earlier of: (i) the date the Customer signifies its acceptance of these Terms on the Website; or (ii) the date the Customer first accesses or uses the System and/or Services in the absence of a prior commercial agreement between the Parties. |
Confidential Information | Means any non-public information, regardless of form, disclosed (directly or indirectly) by the Service Provider to the Customer in connection with these Terms that is either designated as confidential or, by its character and the context of its disclosure, would reasonably be considered confidential. This excludes information that: (a) was lawfully known to the Customer prior to disclosure; (b) becomes publicly available through no act or omission of the Customer; (c) is independently developed by the Customer without use of the disclosed information; (d) is lawfully received from a third party without restriction; or (e) is approved for release by the Service Provider in writing. |
Customer Platform | The information technology system, including any software applications, that is owned and/or controlled by the Customer and integrated with the System to send or receive data pursuant to these Terms. |
DPA | Means the Data Processing Agreement, which is an integral part of these Terms and is set forth in Appendix C. |
Fees | Means the monetary amounts payable by the Customer to the Service Provider for the provision of Services under these Terms, as detailed in the applicable Pricing Option and further specified in Appendix A ("Pricing and payment schedule"). |
Intellectual Property Rights | Comprises all current and future intellectual and industrial property rights of any nature, on a worldwide basis, including, but not limited to, patents, inventions, copyrights, trademarks, trade names, service marks, domain names, design rights, database rights, rights in software, trade secrets, know-how, and any other analogous rights, in each case whether registered or unregistered, and including all applications for and renewals of such rights. |
Kycaid ID | This feature is under development. The description below outlines its intended functionality for future release. Please monitor announcements within the Dashboard for updates on its availability and activation. Means a forthcoming feature designed to permit Applicants to reuse their previously verified identity data stored within the Kycaid System, thereby eliminating the need for real-time document recapture. The full specifications and user terms for this functionality will be detailed upon its release at https://kycaid.com/pricing/ and in the separate Kycaid ID User Terms, which will be made available at https://kycaid.com/pricing/. For the avoidance of doubt, the future Kycaid ID User Terms will be referenced herein for informational purposes only and shall not form a binding agreement between the Service Provider and the Customer, nor create any mutual rights or obligations between them, unless explicitly stated otherwise in these Terms. The Customer acknowledges that the Service Provider may, upon the feature's release, integrate an option for Applicants to consent to the Kycaid ID User Terms and subsequently utilize the Kycaid ID feature within the System, and may modify the System accordingly at its discretion. |
Kycaid Platform (or System) | The integrated suite of proprietary software, databases, and technologies owned and/or operated by the Service Provider to deliver the Services (the “Services”). This encompasses the API, SDK, and the Dashboard. |
Malicious Code | Software, scripts, or other code specifically designed to disrupt, damage, or gain unauthorized access to a computer system, including viruses, worms, Trojan horses, ransomware, and other harmful or unwanted programs. |
New Release | Any update, modification, or new version of the System and/or Services, including: (i) significant underlying structural changes; (ii) feature enhancements and error corrections; or (iii) maintenance releases that do not materially alter the user-facing functionality or performance. |
Pricing Options | The selected commercial package that delineates the types, permitted volumes, and specific terms of the Services available to the Customer. The Customer may select or change its Pricing Option via the Dashboard. The current Pricing Options are detailed at: https://kycaid.com/pricing/ and are also accessible within the Dashboard. The Customer may at any time enable or disable any of the Services covered by the applicable Pricing Options via the Dashboard or, if necessary, by contacting the Service Provider. In the event the Customer activates a Service not encompassed by its active Pricing Option at that time, the Service Provider reserves the exclusive right to, at its sole and absolute discretion: (i) migrate the Customer to a different Pricing Option which includes the aforementioned Service; and/or (ii) levy charges for the Customer's utilization of said Service in accordance with the tariff specified for the Pricing Option that features such Service; and/or (iii) impose a suspension or restriction on the Customer's access to the System and/or the Services. It is expressly acknowledged that the Pricing Option currently in effect shall be deemed an integral and incorporated part of these Terms and Conditions. |
SDK | Means the software development kit, comprising proprietary code samples, libraries, and technical documentation, provided by the Service Provider to the Customer for integration into the Customer Platform to enable connectivity with the System. |
Security Feature | Means any credential, including but not limited to access keys, logins, passwords, or PINs, issued by the Service Provider to the Customer or generated by the Customer for the purpose of authenticating and securing access to the System. |
SLA | Means the Service Level Agreement as indicated in Appendix B to these Terms and Conditions. |
Specification | Means the detailed description and listing of the Services that correspond to the Customer's active Pricing Option. The Service Provider retains the right to amend the Specification, undertaking to provide the Customer with reasonable prior written notice in the event such modification would materially diminish the scope or quality of the Services then available. |
Trial Period | Means a limited period of time during which the Customer may be entitled to use a limited number of Verifications equivalent to euros on balance (by using tariffs as determined in the applicable Pricing Options) free of charge and for the purposes of testing the Services and the functionality of the System. |
Verification (or Check) | A distinct category of Service characterized by the following: (i) it is considered complete once a final status (e.g., "Decline", "Approved") is assigned to the relevant Applicant within the Dashboard; and (ii) any repetition of a Check for the same Applicant conducted more than one calendar month after the initial Check's completion, or at any time upon the Customer's instruction, shall be classified and billed as a new, separate Check. |
Website | Means web domain www.kycaid.com and all its subdomains. |
1.2. Interpretation and Construction
No term or condition within these Terms and Conditions shall be interpreted or construed against a Party based on the assertion that such Party was responsible for its drafting or preparation.
1.3. Calculation of Time Periods
All references to "days" within this agreement shall be construed as calendar days. Where the term "business days" is used, it shall exclude Saturdays, Sundays, any official bank holidays, and public holidays observed in the jurisdiction where the Service Provider is incorporated.
1.4. Substantive Effect of Definitions
Any right, obligation, or prohibition set forth within the definitions provided in Clause 1.1, or elsewhere in these Terms and Conditions, shall be endowed with full legal force and effect as an independent provision of this agreement.
1.5. Resolution of Numerical Conflicts
In the event of a discrepancy between a numerical value and the same value expressed in words within these Terms and Conditions, the written form shall take precedence.
1.6. Non-Exhaustive Nature of Examples
The use of the terms "include," "includes," "including," or "in particular" is for illustrative purposes and shall not be interpreted as limiting the generality of the preceding words or concepts.
1.7. Internal References
Any reference to a section, clause, schedule, Appendix, or appendix is a reference to a corresponding part of these Terms and Conditions.
1.8. Successors and Assigns
References to a "Party" include that Party's lawful successors-in-interest and any assigns permitted under the terms of this agreement.
1.9. Headings for Convenience
The titles and headings preceding the clauses of these Terms and Conditions are inserted solely for organizational convenience and shall not be used in its interpretation or to derive meaning.
1.10. Grammatical Interpretation
Unless the context otherwise dictates, words in the singular shall be deemed to include the plural, and words in the plural shall be deemed to include the singular.
2. TERM AND PERIODS
2.1. Effective Term and Automatic Renewal
These Terms shall become legally binding upon the Parties from the Commencement Date. The initial duration of this Agreement (the "Initial Term") shall extend for a period of twelve (12) consecutive months, calculated from the Billing Start Date. Upon the expiry of the Initial Term, these Terms shall be automatically renewed for successive periods of twelve (12) months each (each, a "Renewal Term"), unless terminated in accordance with the provisions herein. The collective duration of the Initial Term and all subsequent Renewal Terms shall be referred to as the "Term".
2.2. Modification of Term Due to Pre-Payment
Notwithstanding the provisions of Clause 2.1, the Initial Term or any then-current Renewal Period shall be deemed to automatically conclude on the date the Customer either (i) has not used the Services in the Trial Period for the next thirty (30) days from registration, or their account is considered inactive. A notice from the Service Provider may be sent after this period of notification, which will mean the service will be terminated within the time period specified in such notice, or (ii) other valid written agreements with the Service Provider govern this provision.
3. SYSTEM ACCESS AND CUSTOMER OBLIGATIONS
3.1. Grant of Access and Pre-Production Environment
The Service Provider shall provision the Customer with comprehensive access to the System and the subscribed Services, commensurate with the selected Pricing Option, effective from the Billing Start Date. Notwithstanding the foregoing, the Service Provider may, at its sole discretion, enable limited access to a pre-production environment of the System upon the Commencement Date. Such preliminary access shall be restricted to a defined set of non-chargeable functionalities and shall be conditional upon the Customer's adherence to any technical instructions provided by the Service Provider Website. The Customer is expressly prohibited from uploading any personal data pertaining to its end-users (Applicants) into the System prior to the Billing Start Date. Any outputs generated from data submitted during this preliminary phase are provided for demonstration purposes only and shall not be construed as constituting the provision of Services under these Terms.
3.2. Customer Due Diligence and Information Submission
The Customer shall, upon the Commencement Date and periodically thereafter as reasonably requested by the Service Provider, promptly furnish all necessary information and documentation to facilitate the Service Provider's ongoing due diligence and "know your customer" procedures. This obligation encompasses, but is not limited to, providing details of Authorized Users, complete billing and company information, ownership and control structures, personal particulars of ultimate beneficial owners and senior management, supporting corporate documentation, the nature of the Customer's business operations, all relevant licenses, registrations, and approvals, and any other data deemed necessary by the Service Provider. The Service Provider reserves the right, in its sole discretion, to disregard updates to previously submitted information that do not constitute a permitted assignment under these Terms. Failure to provide accurate, complete, and timely information, or the submission of false or misleading data, or a negative outcome from the Service Provider's due diligence review, shall entitle the Service Provider to suspend, limit, or terminate the Customer's access to the System and/or Services immediately. The Service Provider is under no obligation to disclose the specific scope or detailed results of its due diligence assessments. A final negative determination resulting in the withdrawal of production access shall be deemed a termination of these Terms with immediate effect.
3.3. Trial Period Provision and Conditions
The Service Provider may, at its sole discretion, grant the Customer an option to prolong a Trial Period on or after the Commencement Date, following the provision of the Customer's payment method and billing details. The specific duration, scope, and limitations of the Trial Period shall be explicitly outlined within the Dashboard. The Customer acknowledges and agrees that the Trial Period may not include access to the full suite of features and functionalities available within the System. Upon the expiration of the Trial Period, the Customer's use of the services shall convert to a chargeable plan pursuant to the applicable Pricing Options, without further notice. In the event that the Customer remains under the Trial Period and has not made any deposit or transitioned to a Pre-Payment basis, the Service Provider reserves the right to respond to the Customer’s support inquiries within a period of up to seven (7) business days.
3.4. Service Provision and Support Obligations
Throughout the Term, the Service Provider undertakes to: (i) deliver the Services in substantial conformance with the applicable Specification and the service levels defined in the SLA (Appendix B); (ii) provide the Customer with access to New Releases within a commercially reasonable timeframe; and (iii) render technical support services aimed at maintaining the System's operational integrity, which includes keeping the System updated, functional, and free from Malicious Code, and endeavouring to restore accessibility in the event of service interruptions.
3.5. Obligation to Implement Updates and Liability Exclusion
The Customer acknowledges the Service Provider's right to deploy New Releases to the System at any time and without prior notice. The Customer covenants to implement all such New Releases promptly upon their availability. The Service Provider shall be absolved from any and all liability arising from the System's incorrect operation, unavailability, or any other performance deficiencies that are attributable to the Customer's failure to comply with this obligation.
4. PROPRIETARY RIGHTS AND LICENSE GRANT
4.1. Recognition of Title and Non-Assertion Covenant
The Customer hereby irrevocably acknowledges and agrees that the entirety of the Intellectual Property Rights vesting in and pertaining to the System, the Services, and all their constituent components, are and shall remain the exclusive property of the Service Provider and/or its licensors. No right, title, or interest in or to the System or Services is transferred to the Customer, except for the limited usage rights explicitly set forth in this Agreement. The Customer further undertakes a perpetual obligation, effective during the Term and at any time following its termination or expiration, not to contest, challenge, or otherwise dispute the validity or ownership of the Service Provider's (or its licensors') Intellectual Property Rights, and shall not knowingly facilitate or provide assistance to any third party in pursuing such actions.
4.2. Limited Grant of License
Subject to the Customer's strict adherence to all terms and conditions herein, the Service Provider hereby confers upon the Customer a limited, worldwide, non-exclusive, non-transferable, non-sublicensable, and revocable license. This license is granted solely for the duration of the Term and authorizes the Customer to access and use the System and Services exclusively for its internal Business Purpose, as defined in these Terms.
4.3. Expressly Prohibited Acts
Any form of alteration, modification, adaptation, translation, decompilation, disassembly, reverse engineering, or the creation of derivative works based upon the System, its underlying source code, or any other element of the Service Provider's technology is strictly forbidden. Furthermore, the Customer is prohibited from attempting to extract, replicate, or reproduce the results or outputs generated by the System through any means not expressly authorized by the Service Provider. The Customer is prohibited from passing off the System, or any of its elements, as its own.
5. CONFIDENTIALITY, DATA PROTECTION, AND POST-TERMINATION OBLIGATIONS
5.1. Covenants of Non-Disclosure and Safeguarding
The Customer hereby covenants and agrees to:
- (i) hold all Confidential Information in the strictest confidence and to refrain from any publication, dissemination, or disclosure thereof, in whole or in part, to any third party;
- (ii) implement and maintain all necessary and appropriate security measures to protect the confidentiality and integrity of the Confidential Information, exercising a standard of care no less stringent than that which it employs to safeguard its own proprietary and confidential information of a similar nature;
- (iii) promptly notify the Service Provider upon becoming aware of any unauthorized access, use, disclosure, loss, or destruction of Confidential Information.
5.2. Prohibited Uses of Confidential Information
The Customer shall not, and shall not permit any third party to:
- (i) utilize the Confidential Information for the purpose of developing, directly or indirectly, any product, service, or technology that competes with the Services;
- (ii) copy, modify, create derivative works from, distribute, or otherwise exploit any portion of the Confidential Information;
- (iii) reverse engineer, decompile, disassemble, or attempt to derive the composition or underlying structure of the Confidential Information.
5.3. Permitted Disclosures to Representatives
Notwithstanding the foregoing, the Customer may disclose Confidential Information to its employees, officers, directors, and professional advisors (collectively, "Representatives") who have a bona fide need to know such information for the purposes contemplated under these Terms and who are bound by written confidentiality obligations at least as restrictive as those set forth herein. The Customer shall be fully liable for any act or omission of its Representatives that would constitute a breach of this Section 6 if performed by the Customer.
5.4. Legal Compulsion to Disclose
In the event the Customer or any of its Representatives becomes legally compelled by law, regulation, or legal process to disclose any Confidential Information, the Customer shall, to the extent legally permissible, provide the Service Provider with immediate prior notice of such compulsion to enable the Service Provider to seek a protective order or other appropriate remedy. If such protection is not obtained, the Customer may disclose only that portion of the Confidential Information which it is legally required to disclose and shall use commercially reasonable efforts to obtain reliable assurance that confidential treatment will be accorded the disclosed information.
5.5. Return or Destruction of Confidential Information
Upon the Service Provider's written request at any time, or upon the termination of these Terms, the Customer shall, at the Service Provider's discretion, promptly:
- (i) return to the Service Provider or
- (ii) irretrievably destroy all documents, materials, and embodiments of the Confidential Information, including all copies and reproductions thereof. Upon completion of such destruction, the Customer shall, upon request, provide the Service Provider with a written certification attesting to its compliance with this clause.
5.6. Equitable Relief and Liability
The Parties acknowledge that any breach of this Section 5 would cause the Service Provider irreparable harm for which monetary damages would be an inadequate remedy. Accordingly, the Service Provider shall be entitled to seek injunctive relief, specific performance, and other equitable remedies for any such breach, in addition to any other rights and remedies available at law or in equity. Any liability arising from a breach of this Section 6 shall not be subject to the limitations of liability set forth elsewhere in these Terms.
5.7. Survival
The obligations set forth in this Section 5 shall survive the expiration or termination of these Terms indefinitely.
5.8. Data Protection Commitment
The processing of personal data by the Service Provider shall be conducted in strict accordance with the Data Processing Agreement set forth in Appendix hereto.
5.9. License for Data Utilization
The Customer grants the Service Provider a non-exclusive, royalty-free license to utilize the personal data transferred under these Terms for the following business purposes:
- (i) the development, enhancement, and testing of the Services and System, including through the application of artificial intelligence and machine learning techniques for fraud detection and prevention;
- (ii) the fulfillment of its contractual commitments and the provision of a competitive service offering;
- (iii) the identification, monitoring, and reporting of potentially fraudulent activities and suspicious patterns;
- (iv) the creation of anonymized and/or aggregated statistical reports and research; and
- (v) the generation and retention of audit logs and records for internal security and compliance purposes.
5.10. Data Retrieval and Deletion Post-Termination
Upon termination of these Terms for any reason, the Service Provider shall:
- (i) upon the Customer's written request and provided the Customer is not in breach of these Terms as of the termination date, grant the Customer a period of thirty (30) days to retrieve all Applicant personal data stored within its dedicated Dashboard account, free of charge; and
- (ii) following such period, proceed with the deletion of all such personal data from its active systems, except for any data that the Service Provider is required to retain by applicable law or regulation, or as otherwise permitted under these Terms.
6. ACCESS CONTROL AND SECURITY LIABILITY
6.1. Restriction of System Access
The Customer shall strictly limit access to the System solely to individuals formally designated as Authorized Users. The Customer bears full responsibility for maintaining the confidentiality and security of all Security Features and access credentials associated with its account. Under no circumstances shall such Security Features be disclosed to or shared with any party other than the designated Authorized Users.
6.2. Protocol for Access Credential Management
Any request for the issuance of new or replacement Security Features for an Authorized User must be formally submitted to the Service Provider exclusively by another pre-existing and duly authorized Authorized User. This procedure is mandatory to ensure the integrity of the access control framework.
6.3. Irrebuttable Presumption of Authorized Use
Any and all activities, transactions, or instructions executed within the System following a successful authentication using the Security Features provided to the Customer or its Authorized Users shall be conclusively deemed to have been performed by an Authorized User. The Service Provider is hereby absolved from any and all liability, claims, or damages arising from such activities, regardless of their nature or consequence.
6.4. Customer's Vicarious Liability
The Customer accepts full responsibility and shall be held liable for all acts, omissions, and failures to comply with these Terms by its Authorized Users, and by any third party who gains access to the System using the Customer's Security Features, as if such acts or omissions were its own. This liability extends to any and all damages, losses, or costs incurred by the Service Provider or any third party as a result thereof.
7. FINANCIAL TERMS AND PAYMENT OBLIGATIONS
7.1. Fees and Pricing Option Conversion
In consideration for the provision of the Services, access to the System, and the receipt of any New Releases, support, and maintenance as stipulated herein, the Customer shall pay the Service Provider the Fees as detailed in the applicable Pricing Options and scope of verification features further specified in Appendix A ("Pricing and payment schedule").
7.2. Payment Method and Customer's Responsibilities
Unless otherwise expressly stipulated in Appendix A or the applicable Pricing Option, all Fees due hereunder shall be deposited manually from the bank account/card by the Customer within the Dashboard, in accordance with the procedures set forth in Appendix A. In the event an automated withdrawal attempt is unsuccessful for any reason, the Service Provider is authorized to initiate repeated collection attempts, provided, however, that the total amount withdrawn in any given period shall not exceed the total outstanding balance under these Terms.
7.3. Consequences of Late or Outstanding Payment
Since the Service Provider, at its sole discretion, may provide the opportunity to use the Service without a temporary payment, the Service Provider is expressly entitled to suspend or restrict the Customer's access to the Services and/or the System under the following circumstances:
- (i) if any payment due to the Service Provider becomes overdue for a long time, in which case access may be withheld until all arrears are settled in full; and
- (ii) if any amounts are due and outstanding, as further detailed in Appendix A.
8. SUSPENSION AND TERMINATION
8.1. Termination for Convenience and Service Suspension
Either Party may terminate these Terms at any time, for its convenience, by providing the other Party with a written notice of at least thirty (30) days prior to the intended date of termination. In the event of suspension by either Party at the initiative of the Customer, the deposited funds will not be returned and will be considered a fee for closing the User's account.
8.2. Termination for Cause
Either Party shall have the right to terminate these Terms with immediate effect by providing written notice to the other Party if the other Party:
- (i) commits a material breach of any provision of these Terms;
- (ii) is in violation of any applicable law or regulation; or
- (iii) becomes insolvent, enters into any form of liquidation or administration, makes a composition or arrangement with its creditors, or ceases to carry on business, or an analogous event occurs in any relevant jurisdiction.
8.3. Survival of Terms
Termination of these Terms, for any reason whatsoever, shall not affect the continuation in force of any provision that is expressly or by implication intended to survive such termination. Furthermore, termination shall not prejudice any accrued rights, remedies, obligations, or liabilities of the Parties that existed as of the termination date.
8.4. Service Provider's Discretionary Suspension and Termination Rights
The Service Provider reserves the right, in its sole discretion, to limit, suspend, or terminate the Customer's (or any Authorized User's) access to the System and/or Services with immediate effect if the Service Provider knows or reasonably suspects that:
- (i) the Customer has breached any of its warranties, representations, or obligations under clauses 10.1 or 10.2;
- (ii) the Customer, its affiliates, or their respective principals or personnel are in breach of applicable laws, regulations, or are subject to sanctions;
- (iii) the Customer has misrepresented the legality of its actions or purposes, or the legality of selling goods or services in certain markets where special regulations exist;
- (iv) the Customer has infringed the Intellectual Property Rights of the Service Provider or its partners;
- (v) the Customer has made an unauthorized disclosure of Confidential Information;
- (vi) a third party has gained unauthorized access to the System due to the Customer's action or inaction, or through the use of the Customer's Security Features;
- (vii) the Customer violates the rules of use for data collection, or it has become known that the Customer is transferring data without authorization, which jeopardizes the legality of its receipt and use of personal data;
- (viii) the Customer's actions are, in the Service Provider's reasonable judgment, detrimental to the Service Provider's legitimate business interests or reputation; or
- (ix) the Customer does not use the account during the Trial Period and is inactive.
The Service Provider may, at its sole discretion, condition the restoration of access on the Customer taking remedial actions or providing additional information and clarifications.
8.5. Manner of Suspension
Where these Terms grant the Service Provider the right to suspend or limit access, it may exercise this right in its sole discretion:
- (i) with immediate effect and without prior notice;
- (ii) in a graduated manner (for example, by first restricting Dashboard access before ceasing all Services); or
- (iii) in any other manner it deems appropriate.
9. LIABILITY
9.1. Scope of Financial Liability
Subject to the exclusions set forth in clause 9.2, the provisions of this Section 9 define the entire financial liability of the Service Provider (including for the acts or omissions of its employees, agents, and sub-contractors) to the Customer in respect of:
- (i) any breach of these Terms and Conditions;
- (ii) any use made by the Customer of the Services or any part of them; and
- (iii) any representation, statement, tortious act or omission (including negligence) or breach of statutory duty arising under or in connection with these Terms and Conditions.
9.2. Liabilities That Cannot Be Excluded
Notwithstanding any other provision herein, neither Party excludes or limits its liability to the other Party for:
- (i) fraud or fraudulent misrepresentation;
- (ii) the payment of sums properly due and owing to the other Party in the normal course of performance under these Terms;
- (iii) any indemnities provided under these Terms; or
- (iv) any matter in respect of which it would be unlawful for the Parties to exclude or restrict liability.
9.3. Excluded Categories of Loss
Subject always to clause 9.2, the Service Provider shall not be liable to the Customer, whether in contract, tort (including for negligence or breach of statutory duty), misrepresentation (whether innocent or negligent), restitution, or under any other legal theory, for any of the following, even if foreseeable:
- (i) loss of profits, income, revenue, goodwill, business opportunities, or anticipated savings;
- (ii) any special, indirect, or consequential loss or damage; or
- (iii) loss or corruption of data or information, except to the extent that such loss or corruption is directly caused by the Service Provider's breach of these Terms.
9.4. Financial Cap on Liability
Subject to clause 9.2, the Service Provider's total aggregate liability to the Customer, howsoever arising (whether in contract, tort, including negligence, or otherwise) in connection with the performance or contemplated performance of these Terms, shall be limited to the greater of:
- (i) 100% of the total Fees paid by the Customer to the Service Provider in the three (3) month period immediately preceding the date the cause of action first arose; or
- (ii) the sum of 1,000 Euro (EUR €1,000).
This limitation is cumulative, and the existence of multiple claims shall not serve to increase this limit.
9.5. Customer's Responsibility for Decisions
The Customer acknowledges and agrees that it assumes sole and absolute responsibility for any decisions, conclusions, or actions it takes based on its use of the Services or any information derived therefrom.
9.6. Customer's Indemnification Obligation
The Customer shall indemnify, defend, and hold harmless the Service Provider, its affiliates, and their respective officers, directors, shareholders, and personnel from and against any and all third-party claims, actions, damages, liabilities, losses, costs, and expenses (including reasonable legal fees) (collectively, "Claims") arising out of or in connection with the Customer's use of the Services or the Customer's breach of these Terms, provided that such Claims are not solely and directly attributable to a breach of these Terms by the Service Provider.
9.7. Severability of Limitation Provisions
It is expressly agreed that each provision within these Terms that operates to limit or exclude liability, or to disclaim a warranty, is severable and independent of any other provision and shall be enforced as such, regardless of the unenforceability of any other such provision.
10. WARRANTIES AND DISCLAIMERS
10.1. Customer's Representations and Undertakings
The Customer hereby warrants, represents, and undertakes that:
- (i) it is a business entity duly organized, validly existing, and in good standing under the laws of its jurisdiction of incorporation;
- (ii) it possesses the full legal right, corporate power, and authority to enter into these Terms, to deliver its obligations hereunder, and to consummate the transactions contemplated herein; and
- (iii) all requisite corporate proceedings have been duly taken to authorize the execution, delivery, and performance of these Terms.
10.2. Acceptable Use and Prohibited Conduct
The Customer shall refrain from, and shall ensure that its Authorized Users refrain from:
- (i) utilizing the System and/or Services in a manner that discriminates against any Applicant, causes harm to any individual or property, or violates any applicable law or regulation;
- (ii) using the System and/or Services for any purpose other than the defined Business Purpose;
- (iii) engaging in any activity that could reasonably be expected to damage the reputation or bring the Service Provider into disrepute; or
- (iv) undertaking any action or omission that could impair, interfere with, or compromise the integrity, security, or performance of the System and/or Services.
10.3. Service "As Is" and Disclaimer of Warranties
Except as expressly stipulated in these Terms, the System and Services are provided by the Service Provider on an "as is" and "as available" basis. To the fullest extent permissible under applicable law, the Service Provider hereby disclaims all warranties, whether express, implied, statutory, or otherwise, including but not limited to any implied warranties of merchantability, fitness for a particular purpose, non-infringement, title, and those arising from course of dealing or usage of trade. The Service Provider does not warrant that the Services will be uninterrupted, error-free, or completely secure. The information provided through the Services is intended for supplemental use only and shall not serve as the sole basis for any business decision.
11. GENERAL PROVISIONS
11.1. Force Majeure
Neither Party shall be held liable for any failure or delay in the performance of its obligations hereunder to the extent that such failure or delay is caused by a Force Majeure Event. For the purposes of these Terms, a "Force Majeure Event" shall mean any circumstance not within a Party's reasonable control, including but not limited to acts of God, war, terrorism, insurrection, riot, civil commotion, fire, flood, earthquake, epidemic, pandemic, government actions, embargoes, strikes, lockouts, or other labor disputes (other than those involving the Party's own employees), or any failure of public infrastructure. The affected Party shall promptly notify the other Party of the Force Majeure Event and shall use commercially reasonable efforts to mitigate its effects and resume performance. If a Force Majeure Event substantially prevents performance for a continuous period of sixty (60) days, either Party may terminate these Terms upon written notice to the other.
11.2. Modification of Terms
The Service Provider reserves the right to modify these Terms from time to time. The Service Provider will provide notice of such modifications by posting the updated Terms on the Website, via the Dashboard, or by sending an email to the address associated with the Customer's account. The Customer's continued use of the Services following the effective date of the modified Terms constitutes acceptance of those changes. The Customer is responsible for reviewing the Terms periodically for any updates. If the Customer wishes to review a previous version of these Terms that was effective prior to the current version, such a request may be submitted by email to [email protected].
11.3. No Waiver
The failure of either Party to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. Any waiver of any breach or default shall not constitute a waiver of any subsequent breach or default. The rights and remedies provided in these Terms are cumulative and not exclusive of any rights or remedies provided by law.
11.4. Severability
If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect to the fullest extent permitted by law, and the invalid, illegal, or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable.
11.5. Entire Agreement
These Terms, together with all referenced Appendixes and documents, constitute the entire and exclusive agreement between the Parties concerning the subject matter herein and supersede all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral. Each Party acknowledges that it has not relied on any statement, promise, or representation not expressly set out in these Terms.
11.6. Priority of Terms and Conditions
In the event of any inconsistency or conflict between these Terms and Conditions and any other signed agreement, document, or arrangement between the Parties, these Terms and Conditions, together with the publicly available policies established by the Service Provider (including those governing penalties, enforcement, and related procedures), shall prevail. By accessing and using the System after executing any agreement, the Customer acknowledges and agrees that they have accepted these Terms and Conditions and such policies as having superior legal force over any previously signed documents. The Service Provider shall not be liable for any errors, inaccuracies, or omissions in the data provided by the Customer, nor for ensuring the constant availability, functionality, or uninterrupted operation of the System or the Product.
11.7. No Third-Party Beneficiaries
These Terms are intended for the sole benefit of the Parties and their respective permitted successors and assigns and do not confer any rights or remedies upon any other third party. Nothing in these Terms is intended to create a partnership, joint venture, agency, or employment relationship between the Parties.
11.8. Assignment
The Customer may not assign or transfer any of its rights or obligations under these Terms, whether by operation of law or otherwise, without the prior written consent of the Service Provider, which shall not be unreasonably withheld. The Service Provider may freely assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets. Any attempted assignment in violation of this clause shall be void.
11.9. Publicity
The Customer shall not issue any press release or make any public statement regarding the Service Provider or the existence of this Agreement without the Service Provider's prior written consent. The Service Provider may include the Customer's name and logo on its customer list and in its marketing materials.
11.10. Notices
All notices required or permitted under these Terms shall be in writing and delivered in English. Notices shall be deemed given: (i) upon personal delivery; (ii) when sent by email (with confirmation of transmission); (iii) when posted to the Dashboard; or (iv) when delivered by a recognized courier service. The Parties shall maintain current contact information for notices through the Dashboard or by written notice to the other Party.
11.11. Anti-Corruption
Each Party represents that it has not received or been offered any illegal or improper bribe, kickback, payment, gift, or thing of value from any of the other Party's employees or agents in connection with these Terms. Each Party shall comply with all applicable anti-bribery and anti-corruption laws.
11.12. Governing Law and Dispute Resolution
This Agreement, including any non-contractual obligations arising out of or in connection with it, shall be governed by, and construed in accordance with, the laws of England and Wales. Any dispute, controversy, or claim arising out of or relating to this Agreement, including its formation, interpretation, breach, termination, or validity, shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce (the "ICC Rules"). The parties agree, pursuant to Article 30(2)(b) of the Rules of Arbitration of the International Chamber of Commerce, that the Expedited Procedure Rules shall apply irrespective of the amount in dispute. The number of arbitrators shall be one. The law governing this arbitration clause shall be English law. The seat of the arbitration shall be London, England. The language of the arbitration shall be English.
Appendix A. PRICING AND PAYMENT SCHEDULE
1. Financial Obligations
1.1. Fee Structure and Payment Terms
In accordance with the selected Pricing Option and its corresponding Specification, the Customer is obligated to pay the Service Provider any of the following fees (collectively, the "Fees"): Pre-Payment, Commitment, Service Charges, Subscription Fees, and/or Installation Fees if applicable. The Service Provider may issue one or multiple invoices for the same reporting period, depending on the specific Fees accrued. All and any Fees are non-refundable. The Service Provider reserves the right to suspend or limit the Customer's access to the Services and/or the System:
- (i) until any and all overdue payments are settled in full if the payment plan with a suspensive condition; and/or
- (ii) the account balance is depleted or close to zero and is inactive; and/or
- (iii) as otherwise stipulated within this Appendix.
1.1.1. Pre-Payment Terms
A Pre-Payment is due upon the Billing Start Date. The Customer expressly and unequivocally acknowledges that all Pre-Payments are non-cancellable, non-refundable, and non-recoupable, and are made on an unconditional basis, irrespective of the actual usage of Services during the applicable term. Any unused portion of a Pre-Payment shall automatically expire upon the termination of the access to the Services and/or the System, the relevant term and is not eligible for a refund or credit. Subject to the payment of the Pre-Payment, the Customer is entitled to utilize a volume of Verifications (Checks) and/or Services equivalent to the monetary value of the Pre-Payment, calculated at the rates specified in the chosen Pricing Option. Usage exceeding the Pre-Payment balance will be billed separately. Failure to remit any due Pre-Payment authorizes the Service Provider, at its sole discretion, to migrate the Customer to an alternative Pricing Option and/or to suspend or limit the Customer's access to the System and/or Services.
1.2. Taxes and External Charges
All Fees are exclusive of any taxes, levies, duties, or similar governmental assessments, including but not limited to value-added, sales, use, or withholding taxes. The Customer is responsible for paying all such charges. Amounts payable to the Service Provider shall not be reduced on account of any such taxes. Furthermore, the Fees do not include any bank transfer fees, transaction charges, or commissions, which shall be borne by the Customer.
1.3. Fee Adjustments
The Service Provider reserves the right to adjust the Fees in the following circumstances:
- (a) Cost-Pass Through Adjustment: If an external third-party data source utilized by the Service Provider to deliver specific Services imposes a price increase or alters its pricing model, resulting in additional costs to the Service Provider, the Service Provider may proportionally increase the Fees associated solely with those affected Services to cover such verified additional costs.
- (b) General Price Adjustment: The Service Provider may implement a general adjustment to any and all Fees, which shall become effective at the start of the next Renewal Period.
The Service Provider undertakes to provide the Customer with at least fifteen (15) days' prior written notice of any such fee adjustment. Should the Customer find the adjustment unacceptable, it may terminate this Agreement with immediate effect by providing written notice to the Service Provider before the effective date of the adjustment.
1.4. Order of Precedence
In the event of any conflict or inconsistency between the provisions of this Appendix and the terms of the applicable Pricing Option, the terms of the Pricing Option shall prevail.
2. Billing and Collection Schedule
2.1. Pre-Payment Collection
The Pre-Payment shall become due and payable upon the use of Services after the Trial Period. All Pre-Payments should be made manually by the Customer. The Service Provider does not automatically debit the corresponding amount from the Customer's bank card account or in any other way.
Appendix B. SERVICE LEVEL AGREEMENT (SLA)
1.1. Purpose and Scope
This Service Level Agreement ("SLA") constitutes an integral part of the main Agreement and defines the service level policies governing the Customer's access to and use of the Kycaid API and/or SDK (collectively, the "Kycaid Service").
1.2. Incorporation by Reference
This SLA is subject to all terms and conditions of the main Agreement. Any capitalized term not explicitly defined within this Appendix shall carry the meaning ascribed to it in the main Agreement.
1.3. Definition of Service Availability
"Service Availability" refers to the state where the Kycaid Service is operational and capable of being accessed and utilized by the Customer for the intended Business Purpose and in substantial conformity with the main Agreement.
1.4. Uptime Commitment
The Service Provider commits to maintaining Service Availability of at least ninety-nine and five-tenths percent (99.5%) during any given calendar month (the "Uptime Commitment").
1.5. Uptime Measurement Methodology
The Service Provider will measure uptime by checking the response of the Kycaid HTTP API. Every one (1) minute, a third-party service will attempt to access the Kycaid API. If the service does not receive a successful HTTP response – that is, an HTTP response code of 2XX or 3XX – then that will count as one minute of downtime. The unavailability of the Kycaid API will be calculated from the time that such unavailability is reported by the Customer to the Service Provider at [email protected].
1.6. Exclusions from Uptime Calculation
The calculation of Service Availability excludes instances of: force majeure events, Scheduled Maintenance or Emergency Maintenance. Scheduled Maintenance means Service Provider may conduct up to five (5) hours per calendar month of scheduled maintenance for purposes of performing maintenance on the System, or installing upgrades, fixes or reconfigurations. Emergency Maintenance means Service Provider may conduct emergency maintenance with no prior notice in order to resolve severe security issues or other emergency issues. Service Provider will use best endeavours to notify Customer at the beginning and end of such maintenance, and will provide details on the nature of the work being performed.
Appendix C. DATA PROCESSING AGREEMENT (DPA)
Preamble
This Data Processing Agreement (the "DPA") is incorporated into and forms an integral part of the main Terms and Conditions between the Parties (the "Processing Agreement"). This DPA sets forth the mutual obligations and specific terms under which the Service Provider shall process Personal Data on behalf of the Customer in the course of providing the Services. This DPA is designed to meet the requirements of applicable Data Protection Legislation.
1. Definitions and Interpretation
1.1. Defined Terms
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Processing Agreement.
- (a) Authorised Persons: The individuals or categories of individuals designated by the Customer who are permitted to issue processing instructions to the Service Provider in accordance with Section 2.1(a) of this DPA.
- (b) Applicant’s Information: Any data pertaining to an Applicant, including their Personal Data, verification status tags (such as approval, rejection, or resubmission requests), and associated log information.
- (c) Business Purposes: The purposes for which Personal Data is processed, as defined in the Processing Agreement and further detailed in Appendix C1 to this DPA.
- (d) Data Subject: An identified or identifiable natural person to whom the Personal Data relates. For the purpose of this DPA, this is typically the Applicant.
- (e) Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, which is processed in connection with the Services.
- (f) Processing (or Process): Any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This includes the transfer of Personal Data to third parties.
- (g) Data Protection Legislation: All applicable laws and regulations relating to the processing of personal data and privacy, including, but not limited to, UK Data Protection Legislation, which means the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018 (‘DPA 2018’), any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
- (h) Personal Data Breach: A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that is being transmitted, stored, or otherwise processed.
- (i) Controller: The entity that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- (j) Processor: The entity which processes Personal Data on behalf of the Controller.
The definitions set forth in this DPA shall be interpreted in accordance with the principles of the applicable Data Protection Legislation. The terms "Controller" and "Processor" are intended to align with equivalent concepts defined in such legislation. In the event of a direct conflict between a definition herein and a term defined in a specific Data Protection Law, the meaning in the applicable law shall take precedence.
1.2. Relationship with the Processing Agreement
This DPA is supplemental to the Processing Agreement and is incorporated therein by reference. All capitalized terms not defined in this DPA shall have the meaning ascribed to them in the Processing Agreement.
1.3. Appendices and Order of Precedence
The following documents are incorporated into and form an integral part of this DPA:
- Appendix C1: Data Processing Instructions
- Appendix C2: Mandatory notice and consent framework
- Appendix C3: EU/UK Data Protection Compliance
In the event of a conflict between the body of this DPA and its Appendices, the body of this DPA shall prevail. In the event of a conflict between this DPA and the Processing Agreement, the provisions of this DPA shall prevail with respect to the subject matter of data protection.
1.4. Form of Notice
A reference to "writing" or "written" includes communication by email and electronic messages via the Dashboard, which constitute acceptable forms of written communication between the Parties for the purposes of this DPA.
2. Roles, Responsibilities, and Processing Purposes
2.1. Allocation of Data Protection Roles
The Parties acknowledge and agree that with respect to the processing of Personal Data described herein:
- (a) The Service Provider acts as a Processor on the instructions of the Customer. The Customer is the Controller and determines the purposes and means of the processing. The specific processing instructions, including the nature, purpose, and duration of processing, are detailed in Appendix C3. The Service Provider shall process Personal Data only in accordance with these documented instructions, this DPA, and applicable Data Protection Legislation. The Customer authorizes the Service Provider to assign a risk score to Applicant information where a reasonably high suspicion of fraud exists, aligning with the Customer's fraud prevention purposes.
- (b) The Service Provider may also act as an independent Controller for certain processing activities. This includes processing and aggregating Personal Data with information from other sources to develop, improve, and secure its Services (e.g., via machine learning), identify fraudulent patterns, calculate generalized risk scores, and generate audit logs. The Customer provides a legal basis for this independent processing, which is conducted under the Service Provider's legitimate interests and substantial public interest in fraud prevention. The Service Provider may retain relevant Personal Data and inferences after the termination of the Processing Agreement where it has a lawful basis to do so.
2.2. Processing of Customer Account Data
Any Personal Data the Customer provides about itself (e.g., for account management) will be processed by the Service Provider as a Controller in accordance with its Privacy Policy, available on the Kycaid Website.
2.3. Governmental Disclosure Requests
A Party shall, unless legally prohibited, promptly notify the other Party of any received request from a governmental or regulatory body for the disclosure of Personal Data processed under this DPA, to allow the other Party an opportunity to seek a protective order or other remedy.
3. Processor Obligations
3.1. General Processing Principles
When acting as a Processor, the Service Provider shall:
- (a) Process Personal Data only for the Business Purposes and in strict compliance with the Customer’s documented instructions and applicable law.
- (b) Promptly inform the Customer if, in its view, an instruction infringes upon Data Protection Legislation.
- (c) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
3.2. Assistance and Cooperation
The Service Provider shall, taking into account the nature of the processing, provide reasonable assistance to the Customer in ensuring compliance with its obligations under Data Protection Legislation, including:
- Responding to Data Subject rights requests.
- Conducting data protection impact assessments.
- Consulting with supervisory authorities.
In the event of a conflict between the body of this DPA and its Appendices, the body of this DPA shall prevail. In the event of a conflict between this DPA and the Processing Agreement, the provisions of this DPA shall prevail with respect to the subject matter of data protection.
3.3. Assistance with Biometric Data Processing
Where Services involve the processing of biometric data, the Service Provider shall, unless otherwise instructed, assist the Customer in providing necessary notices to Data Subjects and, where legally required, facilitate the obtaining of consent prior to processing.
4. Controller Obligations
4.1. Lawfulness of Processing
The Customer, as the Controller, represents and warrants that it has established a valid legal basis for the processing of Personal Data by the Service Provider and its sub-processors in accordance with applicable Data Protection Legislation.
4.2. Transparency and Consent Management
The Customer is responsible for ensuring that all required privacy notices have been provided to Data Subjects and, where mandated by law, that all necessary consents have been obtained prior to the processing of their Personal Data by the Service Provider. These notices and consents must be sufficiently broad to cover all processing activities contemplated under the Processing Agreement and this DPA, including international data transfers and the specific processing of biometric data as outlined in Appendix C2. The Customer shall ensure that Data Subjects are presented with the notice wording contained in Appendix C2 and, where applicable, provide their consent prior to any data transfer to the Service Provider. When processing Personal Data of a child, the Customer shall make reasonable efforts to verify that consent from a holder of parental responsibility has been obtained as required by law.
4.3. Handling of Data Subject and Authority Requests
The Customer is responsible for responding to requests from Data Subjects or regulatory authorities concerning the processing of Personal Data for which it is the Controller. If the Service Provider receives such a request, it will promptly redirect it to the Customer. The Customer shall either respond directly or provide the Service Provider with timely instructions for responding. The Customer shall also inform the Service Provider of any inquiries from supervisory authorities specifically related to the Service Provider's processing activities.
5. Service Provider's Personnel and Security
5.1. Personnel Confidentiality and Training
The Service Provider shall ensure that any personnel authorized to process Personal Data are subject to a legally binding duty of confidentiality. Such personnel shall receive appropriate training on their data protection obligations under this DPA and applicable law.
5.2. Personnel Reliability
The Service Provider shall take commercially reasonable steps, consistent with applicable law, to ensure the reliability and trustworthiness of personnel with access to Personal Data.
5.3. Security Measures
The Service Provider shall implement and maintain throughout the term appropriate technical and organizational security measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
5.4. Records of Processing
The Service Provider shall maintain accurate and up-to-date records of processing activities carried out on behalf of the Customer and shall make these records available to the Customer upon request.
6. Personal Data Breach Management
6.1. Breach Notification
The Service Provider shall, without undue delay, notify the Customer upon becoming aware of a Personal Data Breach. The notification shall include, to the extent possible, a description of the nature of the breach, the categories and approximate number of individuals and records concerned, the likely consequences, and the measures taken or proposed to be taken to address the breach.
6.2. Cooperation and Mitigation
Following a breach, the Service Provider shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. This includes providing relevant information and facilitating interviews with personnel.
6.3. Public Communication and Costs
The Service Provider shall not disclose a Personal Data Breach to any third party without the Customer's prior written consent, unless required by law. The Customer has the sole authority to determine whether to notify Data Subjects or regulators and what remedial measures, if any, to offer. The Service Provider shall bear all reasonable expenses incurred in fulfilling its obligations under this Section, unless the breach was a direct result of the Customer's instructions, negligence, or breach of this DPA, in which case the Customer shall bear such expenses.
7. International Data Transfers
7.1. Lawfulness of Extraterritorial Processing and Transfers
The Parties acknowledge that the provision of the Services may involve the processing of Personal Data in jurisdictions outside the territory where the Customer is established. The Service Provider is hereby authorized to transfer and process Personal Data in any such jurisdiction, including member states of the European Union, provided that at least one of the following conditions is met:
- (i) The European Commission, or an equivalent competent authority under applicable Data Protection Legislation, has issued an adequacy decision in respect of the third country's level of data protection, confirming it to be essentially equivalent to the standards within the originating jurisdiction; or
- (ii) The transfer is effected through the implementation of appropriate safeguards as expressly recognized under the applicable Data Protection Legislation, which may include, but are not limited to, binding corporate rules or the execution of standard contractual clauses.
In the event that the legal basis for a transfer relying on an adequacy decision is subsequently invalidated or withdrawn, the Parties shall promptly transition such data flows to an alternative transfer mechanism compliant with clause 7.1(ii) herein.
The Customer, as the data exporter, bears sole responsibility for determining the applicability of, and for securing, any mandatory authorizations, consents, or approvals from regulatory authorities within its own jurisdiction that are a prerequisite for the lawful export of Personal Data to the Service Provider. The Service Provider shall be held indemnified and harmless against any claims, liabilities, or penalties arising from the Customer's failure to secure such requisite authorizations.
7.2. Incorporation of Standard Contractual Clauses
Where the lawful transfer of Personal Data under this DPA necessitates the execution of specific contractual instruments mandated by Data Protection Legislation, such as the Standard Contractual Clauses as adopted by the European Commission or the International Data Transfer Addendum for the United Kingdom, the Parties agree that the relevant instrument, as meticulously completed and selected in accordance with the schedules and appendixes set forth in Appendix C3 to this DPA, shall be deemed incorporated by reference into this agreement and shall govern the respective transfer.
7.3. Transfers to Subprocessors in Third Countries
The Service Provider shall ensure that any transfer of Personal Data to a subprocessor located in a third country is subject to a written agreement imposing data protection obligations on such subprocessors that are substantially similar to those contained within this DPA. Furthermore, the Service Provider shall guarantee that the transfer to the subprocessor itself is supported by a valid transfer mechanism, as outlined in clause 7.1 of this DPA, thereby ensuring a continuous and adequate level of protection for the Personal Data.
7.4. Customer-Initiated Transfers to Third Parties
Any disclosure, provision of access to, or subsequent transfer of Personal Data by the Customer from the Kycaid System to a third-party recipient, including where such recipient is located outside the European Union, the European Economic Area, the United Kingdom, or another jurisdiction with restrictive data transfer laws, shall be considered a distinct data export operation initiated by the Customer. The Customer, acting as the data controller in this context, assumes full and sole responsibility for ensuring the lawfulness of this subsequent transfer, including the implementation of any required protective measures or appropriate safeguards in accordance with the applicable Data Protection Legislation.
8. Appointment and oversight of subprocessors
8.1. General Authorization and Safeguards
The Service Provider is hereby authorized to engage third-party subprocessors for the processing of Personal Data. The Customer provides this general authorization upon subscribing to Services that necessitate such subprocessing. The Service Provider represents and warrants that for any subprocessor it engages:
- (a) A binding written agreement shall be executed, imposing on the subprocessor data protection obligations that are substantively equivalent to those set forth in this DPA, with particular emphasis on the implementation of appropriate technical and organizational security measures.
- (b) Notwithstanding such delegation, the Service Provider shall retain ultimate control and responsibility for all Personal Data entrusted to the subprocessor.
A current register of appointed subprocessors shall be maintained and made accessible to the Customer via the Dashboard. The Customer is obligated to monitor notifications for updates to this list.
8.2. Right to Object and Resolution Mechanisms
The Customer retains the right to object to the appointment of a new subprocessor on reasonable, substantiated grounds relating to data protection. Upon receiving a formal, reasoned objection, the Service Provider shall, at its discretion and using commercially reasonable efforts, endeavor to propose a mutually acceptable resolution. This may include, but is not limited to:
- (i) Ceasing to use the contested subprocessor for the Customer's data;
- (ii) Proposing an alternative subprocessor; or
- (iii) If no resolution is feasible, the Customer may elect to terminate the specific Service functionality reliant upon the contested subprocessor.
8.3. Liability
The Service Provider shall remain fully liable to the Customer for any failure by its subprocessor to fulfil its obligations, as if such acts or omissions were performed by the Service Provider itself.
9. Customer-directed data disclosures
Any provision or disclosure of Personal Data by the Customer to a third-party recipient through the functionalities of the Dashboard shall be deemed a direct transfer initiated by the Customer. The Customer warrants that it shall:
- (i) Establish all necessary contractual arrangements with the third party to ensure compliance with applicable Data Protection Legislation; and
- (ii) Provide explicit written instruction to the Service Provider to execute the transfer, thereby fulfilling the requisite formalities for a lawful disclosure.
10. Cooperation and data subject rights
10.1. Assistance Obligations
The Service Provider shall, at no additional cost, provide timely and reasonable assistance to the Customer, including the implementation of appropriate technical and organizational measures, to enable the Customer to comply with its obligations under Data Protection Legislation. This includes facilitating responses to:
- (i) Requests from Data Subjects seeking to exercise their rights of access, portability, rectification, erasure, objection, and restriction; and
- (ii) Formal information or assessment notices issued by a supervisory authority.
10.2. Notification Protocol
The Service Provider shall, without undue delay, inform the Customer upon receiving any complaint, notice, or legal communication that pertains directly or indirectly to the processing activities governed by this DPA or to either Party's compliance with Data Protection Legislation.
10.3. Specific Request Handling
The Service Provider shall notify the Customer of any received Data Subject request to exercise their rights within ten (10) business days of its receipt.
10.4. Full Cooperation
The Service Provider agrees to provide its full cooperation and assistance to the Customer in formulating and executing a response to any such complaint, notice, communication, or Data Subject request.
10.5. Limitation on Disclosure
The Service Provider is expressly prohibited from disclosing Personal Data to any Data Subject or third party, except in strict accordance with a documented instruction from the Customer, as expressly permitted under this DPA, or as compelled by applicable law.
11. Duration and consequences of expiry
11.1. Effective Term
This Data Processing Addendum shall be coterminous with the Processing Agreement. Its provisions shall remain in full force and effect for the entire duration that the Processing Agreement is active.
11.2. Survival of Terms
A material breach of the obligations stipulated within this DPA by the Service Provider shall be deemed a material breach of the Processing Agreement. In such an event, the Customer shall be entitled to terminate, with immediate effect upon written notice, the portion of the Processing Agreement that authorizes the processing of Personal Data, without incurring any further liability or obligation to the Service Provider.
11.3. Termination for Cause
A material breach of the obligations stipulated within this DPA by the Service Provider shall be deemed a material breach of the Processing Agreement. In such an event, the Customer shall be entitled to terminate, with immediate effect upon written notice, the portion of the Processing Agreement that authorizes the processing of Personal Data, without incurring any further liability or obligation to the Service Provider.
11.4. Termination Following Legal Change
Should a change in applicable Data Protection Legislation render either Party unable to perform its obligations hereunder, the Parties shall suspend the relevant processing activities until compliance can be assured. If the Parties are unable to achieve compliance with the new legislative requirements within a period of three (3) months, either Party may terminate the Processing Agreement upon written notice to the other. The Customer expressly acknowledges that termination under this clause shall be the sole and exclusive remedy available in such circumstances.
12. Post-termination data management
12.1. Data Portability
Upon the Customer's reasonable request, the Service Provider shall facilitate the export of the Customer's Personal Data, providing a copy or access in a structured, commonly used, and machine-readable format.
12.2. Cessation of Processing and Deletion
Upon termination or expiry of the Processing Agreement, or upon the Customer's earlier written instruction, the Service Provider shall immediately cease all processing of the Personal Data and shall securely delete or return all such data to the Customer, at the Customer's election. The act of the Customer accepting the Processing Agreement constitutes a standing instruction for the Service Provider to delete Applicant data in accordance with its data retention policy and applicable law. This obligation does not extend to data which the Service Provider processes as an independent Controller under Clause 2.1(b).
12.3. Legal Retention Obligation
In the event that the Service Provider is required under Union or Member State law to retain any Personal Data that would otherwise be subject to deletion or return, the Service Provider shall inform the Customer of such legal requirement in writing, specifying the data concerned, the legal basis for retention, and the envisaged timeline for its eventual erasure.
12.4. Certification of Destruction
Following the completion of a data deletion process initiated by the Customer, the Service Provider shall provide the Customer with a written certification confirming the destruction of the specified Personal Data within thirty (30) days.
13. Review of processing instructions
The Parties shall mutually review the information detailed in Appendix C1 to this DPA on an annual basis, or more frequently as mutually agreed, to verify its ongoing accuracy and to implement any necessary updates to reflect current processing activities.
14. Audit rights and compliance verification
14.1. Audit Conditions
The Service Provider shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a mandated independent auditor, subject to the following conditions:
- (i) The Customer provides no less than thirty (30) days' prior written notice;
- (ii) All information obtained during the audit is treated as the Service Provider's Confidential Information;
- (iii) The audit is conducted during normal business hours with minimal disruption to the Service Provider's operations; and
- (iv) The Customer bears all reasonable costs incurred by the Service Provider in facilitating the audit.
14.2. Scope of Audit
The audit rights shall be satisfied through the provision of remote electronic access to relevant records, systems, and personnel, and the remote inspection of documentation and infrastructure related to the processing of the Customer's Personal Data.
14.3. Service Provider's Internal Audits
The Service Provider shall undertake, at least annually, independent audits of its data processing practices and information security controls, which may include network-level vulnerability assessments performed by a qualified third-party auditor.
14.4. Remediation of Deficiencies
The Service Provider shall promptly address any compliance gaps identified in any audit report by developing and implementing an appropriate corrective action plan.
15. Internal breach investigation
In the event the Service Provider becomes aware of a breach of its obligations under this DPA or applicable Data Protection Legislation, it shall promptly initiate an internal investigation to determine the root cause, produce a report outlining remedial actions, and diligently execute such actions to rectify any identified deficiencies.
16. Mutual representations and warranties
16.1. Service Provider's Undertakings
The Service Provider hereby warrants and represents to the Customer that:
- (a) It has taken reasonable steps to ensure the reliability, integrity, and trustworthiness of any employee, agent, or subcontractor who may have access to the Personal Data, and has provided them with adequate training on their data protection obligations relevant to their processing activities.
- (b) It shall ensure that all processing of Personal Data conducted by itself or on its behalf is performed in strict adherence to the provisions of applicable Data Protection Legislation and other relevant legal and regulatory instruments.
- (c) It is not aware of any existing legal impediment under Data Protection Legislation that would prevent it from fulfilling its service obligations as outlined in the Processing Agreement.
- (d) It shall implement and maintain throughout the term of this DPA appropriate technical and organizational security measures. These measures shall be designed to ensure a level of security commensurate with the risks presented to the Personal Data, taking into account the state of technological development and implementation costs, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons.
16.2. Customer's Undertakings
The Customer hereby warrants and represents to the Service Provider that the Service Provider's processing of Personal Data, when carried out in accordance with the Customer's documented instructions for the Business Purposes, shall not place the Service Provider in violation of any applicable Data Protection Legislation.
17. Indemnification
17.1. Customer's Indemnity Obligation
The Customer shall defend, indemnify, and hold harmless the Service Provider, its affiliates, and their respective directors, officers, agents, and personnel from and against any and all third-party claims, actions, liabilities, losses, damages, judgments, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with any breach or alleged breach by the Customer of its obligations under Section 3.2 (Customer’s Obligations as Controller) of this DPA. For the avoidance of doubt, any limitation of liability set forth in the Processing Agreement shall not apply to this indemnification obligation.
18. Notices
18.1. Formal Communications
Any notice, demand, or other communication required or permitted to be given under this DPA shall be in writing in the English language and shall be deemed duly given when delivered via email to the address specified for the Service Provider in the Processing Agreement, or to such other address as either Party may subsequently designate in writing.
18.2. Legal Process
The provisions of Clause 18.1 shall not apply to the service of any proceedings or other documents in any legal action or alternative dispute resolution mechanism.
18.3. Effective Date
This Data Processing Addendum is entered into and becomes legally binding on the date the Processing Agreement is duly executed by both Parties.
Appendix C1. DATA PROCESSING INSTRUCTIONS
This Appendix C1 details the scope of processing activities conducted by the Service Provider on behalf of the Customer, as mandated by the Data Processing Addendum.
1. CONTROLLER'S PROCESSING PURPOSE
The primary purpose for the processing of Personal Data by the Service Provider is to assist the Customer in fulfilling its obligations regarding Customer Due Diligence (CDD) and compliance with Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) rules, specifically for Know Your Customer (KYC) procedures, where applicable.
2. BUSINESS PURPOSE
The processing is necessary for the execution of the Processing Agreement (Terms and Conditions) between the Parties.
3. NATURE OF THE PROCESSING
The processing encompasses a suite of remote identity verification and customer due diligence procedures, as selected by the Customer via the Service Provider's platform.
4. DURATION OF THE PROCESSING
The processing will continue for the duration of the Processing Agreement, or for such other period as may be stipulated in accordance with the data retention and deletion provisions of the Processing Agreement and this DPA.
5. CATEGORIES OF DATA SUBJECTS
Processing is conducted on Personal Data pertaining to the Customer's own customers (end-users).
6. CATEGORIES OF PERSONAL DATA
The specific categories of Personal Data processed are contingent upon the Services selected by the Customer within the applicable Pricing Option (as detailed in Appendix C). The data categories are intrinsically linked to the specific verification features enabled. For clarity, the processing of technical data (e.g., software/hardware attributes) and geolocation data (e.g., IP address) is fundamental to the System's capability for fraud pattern detection and accurate risk scoring.
Service Feature | Categories of Personal Data Processed |
---|---|
Address Check | General Personal Data (full name, gender, identification number, date of birth, nationality); ID Document Data; Proof of Address (PoA) Document Data; Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
AML Screening | General Personal Data; ID Document Data; Publicly Available Data (PEP/sanctions lists); Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Bank Card Extraction | General Personal Data; Banking Details (masked); Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Biometric Checks (all types) | Facial Image Data; Biometric Data (numeric templates); Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Email Verification | Email Address; Unique Identifier (Applicant ID). |
ID Document Verification | General Personal Data; ID Document Data; Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Live Video Verification | General Personal Data; ID Document Data; Facial Image & Audio/Video Recordings; Other AML/CFT-related data; Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Phone Verification | Phone Number; Unique Identifier (Applicant ID). |
Questionnaire | Data is dependent on the specific questions configured by the Customer. |
Source of Funds/Wealth Check | General Personal Data; Data from supporting financial documents; Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
Video Verification | General Personal Data; ID Document Data; Facial Image & Audio/Video Recordings; Other AML/CFT-related data; Technical Data; Unique Identifier (Applicant ID); Geolocation Data. |
KYB - Shareholder & Management Checks | Corporate documents containing personal data of shareholders/top managers (name, position, share ownership). |
KYT - Transaction Monitoring | Full name and address of sender/recipient; Unique identifier of counterparties. |
Kycaid Platform (or System) | The integrated suite of proprietary software, databases, and technologies owned and/or operated by the Service Provider to deliver the Services (the “Services”). This encompasses the API, SDK, and the Dashboard. |
Support Services | Contact details (name, email, phone); other information provided to resolve the issue. |
7. INTERNATIONAL TRANSFERS
Transfers of Personal Data to third countries may occur on a continuous basis, as necessary to fulfill the Customer's purposes and the Business Purpose outlined herein.
8. SUBPROCESSOR PROCESSING
The subject matter, nature, and duration of the processing conducted by any appointed subprocessor are defined by the terms of the separate agreement between the Service Provider and that subprocessor, which is executed to support the Business Purpose.
Appendix C2. MANDATORY NOTICE AND CONSENT FRAMEWORK
This Appendix C2 prescribes the mandatory requirements for the Customer to ensure lawful processing, particularly of biometric data, in accordance with applicable Data Protection Legislation, including specific statutes within the United States.
The Customer is solely responsible for obtaining all necessary consents from Data Subjects, where required by law, to authorize the processing of their Personal Data, including biometric data, by both the Customer and the Service Provider as set forth in the Processing Agreement and this DPA.
The following text must be incorporated into the Customer's user interface and presented to any individual prior to initiating the verification process. The Customer must secure the Data Subject's affirmative agreement to this wording:
“I hereby provide my explicit and informed consent for the processing of my personal data, which includes biometric information, for the purpose of identity verification. This processing is conducted by Compligate LTD (the "Company") utilizing the services of its verification partner (as “Kycaid” or the "Service Provider"). For detailed information regarding the Service Provider's identity, data handling practices, and contact details, please consult the Kycaid Privacy Notice available at: https://kycaid.com/privacy-policy/.”
1. Parties and Purpose
I authorize the company with which I am establishing a relationship ("the Company") and its designated service provider, Kycaid (COMPLIGATE LTD), to process my personally identifiable information (PII), including my biometric data, for the purpose of verifying my identity. This processing is conducted to fulfill the Company's legal and regulatory obligations, including anti-money laundering (AML) and counter-terrorist financing (CFT) compliance, fraud prevention, and customer due diligence (KYC).
2. Biometric Data
I understand that my biometric data, specifically my facial features and facial scans, will be captured and processed. This processing includes comparing my live selfie with the photograph on my identity document to confirm liveness and authenticate that I am the legitimate holder of the document.
3. Service Provider's Independent Use
I acknowledge that Kycaid may also process my data as an independent controller for its own legitimate business purposes, such as service development, improving fraud detection algorithms, and complying with its own legal obligations. For details on Kycaid's independent processing, please review their Privacy Notice.
4. Method of Processing
I understand that my data will be processed using automated means, including facial recognition technology, liveness detection, and database checks for identity fraud.
5. Data Disclosure and Storage
My data may be shared with Kycaid's affiliated entities and subprocessors to achieve the stated purposes. I understand that my biometric data will be stored securely in cloud infrastructure, such as Google Cloud, based on the Company's requirements.
6. Data Retention
My PII, including biometric data, will be retained by the Company only as long as necessary for the initial purposes or as required by law. Kycaid will destroy biometric data upon the earlier of:
- (i) when its purposes for collection are satisfied; or
- (ii) specific statutory timelines for the GDPR, or others such as 1 year for Texas residents, 3 years for Illinois residents, or 5 years for others, from the date of provision.
For more information on data deletion, please refer to Kycaid's Privacy Policy.
By proceeding, I confirm that I have read, understood, and agree to the terms outlined above.
7. Hyperlink Requirement
The mandatory text must contain an active hyperlink to the Service Provider's (Kycaid's) Privacy Notice, available at: https://kycaid.com/privacy-policy/.
8. Customer's Additional Obligations
Notwithstanding the provision of the mandatory text, the Customer remains solely responsible for ensuring its overall privacy notices and consent mechanisms, integrated into its own policies and legal agreements with Data Subjects, are fully compliant with all applicable Data Protection Legislation. This includes comprehensive descriptions of:
- The full scope of data processing, including biometric data capture.
- All purposes for processing.
- The use of third-party service providers like Kycaid.
- Data storage locations, retention periods, and international transfer mechanisms.
9. API Integration Verification
For integrations utilizing the API, the Customer must implement a technical consent parameter provided by the Service Provider. The passing of this parameter is required to log and verify the Customer's compliance with this Appendix C2 for each Data Subject.
Appendix C3. EU/UK DATA PROTECTION COMPLIANCE
For EU Data Protection Compliance
Schedule 1 (Controller - Processor) (Processor-Processor)
The EU Standard Contractual Clauses, as set out in Schedule 1, govern the transfer and processing of personal data between the parties.
The allocation of roles is as follows: the Customer acts as the Data Exporter and Kycaid as the Data Importer. Depending on the nature of processing, either the controller–processor framework (Module two) or the processor–processor framework (Module three) shall apply. The appropriate set of SCC provisions will therefore be determined by the relationship between the parties in respect of each specific processing activity.
Selected Optional Provisions under Module two/three.
The parties agree that, in accordance with Clause 9(a), the engagement of sub-processors shall be subject to a general authorisation (Option 2). For the purposes of Clause 13(a), Paragraph 1 applies, given that the Data Exporter is established within an EU Member State. Pursuant to Clause 17, the law of Ireland is designated as the governing law (Option 1), while, under Clause 18(b), any disputes arising in connection with the SCCs shall fall within the jurisdiction of the courts of England and Wales. Furthermore, Clause 7 (docking clause) of Module two/three applies, allowing additional parties to accede to the SCCs where relevant.
With respect to the Annexes to the SCCs, the competent supervisory authority designated under Annex I is Cyprus. The parties to the transfer, as required in the same Annex, correspond to those already identified in the Data Processing Agreement. The description of the transfer shall follow the scope outlined in Appendix C1 to the DPA. The technical and organisational measures required under Annex II are to be further specified and implemented by the Customer. Finally, the list of authorised sub-processors referred to in Annex III is deemed to align with the records maintained within the Dashboard System.
Schedule 2 (Controller–Controller)
The Standard Contractual Clauses applicable to controller-to-controller transfers, as set out in Schedule 2, govern the transfer and processing of personal data between the parties. Both the Data Exporter and the Data Importer undertake to comply with the obligations arising thereunder, to the extent applicable to their respective roles.
Under Schedule 2, the Customer acts as the Data Exporter and Kycaid as the Data Importer. The applicable safeguard for such transfers is Module one of the SCCs, which governs controller-to-controller data exchanges. In addition, certain optional provisions originating from Module two/Module three are expressly adopted for the purposes of Schedule 2.
For the purposes of Clause 13(a), Paragraph 1 applies on the basis that the Data Exporter is established within an EU Member State. Pursuant to Clause 17, the law of Ireland is designated as the governing law (Option 1), while under Clause 18(b), any disputes arising in connection with the SCCs shall be submitted to the jurisdiction of the courts of Ireland. Clause 7 of Module one (docking clause) shall apply, allowing additional parties to accede to the SCCs where relevant.
With respect to the Annexes under Schedule 2, the competent supervisory authority designated in Annex I is Cyprus. The parties to the transfer, as required under the same Annex, correspond to those identified in the Data Processing Agreement. The description of the transfer shall follow the scope outlined in Appendix C1 to the DPA. Technical and organisational measures required under Annex II are to be further specified and implemented by the Customer.
For UK Data Protection Compliance
Schedule 3: International Data Transfer Agreement (IDTA)
For transfers of Personal Data protected under the UK GDPR, the Data Exporter and Data Importer undertake to comply with the obligations set out in the International Data Transfer Agreement (IDTA) specified in Schedule 3, to the extent applicable to their respective roles. Parts 1 through 3 of the IDTA are deemed completed with the information set out in Schedule 2, as applicable.
Part 1: Parties and Signatures
Table 1 sets out the parties to the restricted transfer. The commencement date for the transfer is defined as the date on which the restricted transfer is to be conducted. The Data Exporter may be either the Customer or Kycaid, and the Data Importer may be either Kycaid or the Customer, depending on the context. The key contact for the transfer is as specified in the Data Processing Agreement (DPA).
Table 2 sets out the key details governing the transfer. The IDTA is subject to the law of England and Wales, with the primary venue for any legal claims likewise being in England and Wales. The Exporter and Importer may each act as either a Controller or Processor, as applicable, and the applicability of UK GDPR to the Importer is determined as required. The Linked Agreement is as specified in the ‘Background’ section of the DPA, and the term of the IDTA corresponds to the duration of the Linked Agreement. The IDTA may only be terminated before the end of its term in the event of a breach or by mutual written agreement of the Parties, and it cannot be ended solely due to changes to the Approved IDTA. The Importer may transfer the Transferred Data to another organisation or person who is a separate legal entity in accordance with Section 16.1, but only to authorised recipients as defined in Clauses 8 and 9 of the DPA. Security Requirements must be reviewed each time there is a change to the Transferred Data, purposes, Importer information, TRA, or risk assessment.
Table 3 defines the categories of Transferred Data, which will update automatically if any information in the Linked Agreement changes. Special Categories of Personal Data, as well as data relating to criminal convictions and offences, are handled as provided in Appendix C1 of the DPA. The relevant Data Subjects are determined according to the categories set out in the Linked Agreement and will update automatically if the Linked Agreement is amended. The Importer may process the Transferred Data for the purposes specified in Appendix C1 of the DPA, as well as for any other purposes that are compatible with those specified, with the purposes updating automatically in line with any changes to the Linked Agreement.
Table 4 sets out the security requirements for the Transferred Data. Technical and organisational measures must be implemented by the Customer to ensure the security of data during transmission, storage, and processing. Organisational security measures and technical minimum requirements are to be maintained in accordance with these provisions. Any updates to the Security Requirements will occur automatically if the Linked Agreement is amended.
Part 2: Extra Protection Clauses
No extra protection clauses are specified under this Part. Similarly, extra technical, organisational, or contractual protections are not required.
Part 3: Commercial Clauses
No extra protection clauses are specified under this Part.
Schedule 4: International Data Transfer Agreement Addendum (Addendum)
The Data Exporter and Data Importer agree to follow the obligations described in the Addendum listed in Schedule 4, as applicable to each party, subject to clause 7 of the DPA.
The Standard Contractual Clauses (SCCs) implemented under Schedule 1 and/or Schedule 2 shall apply with the following modifications: the SCCs are deemed amended as specified in Part 2 (Mandatory Clauses) of the Addendum, and the information listed below, as applicable, is sufficient to complete Tables 1 to 3 in Part 1 of the Addendum.
Part 1: Parties and Transfer Information
Table 1 sets out the parties to the restricted transfer. The commencement date is defined as the date on which the restricted transfer is to be conducted. The Data Exporter may be either the Contractor or Kycaid, and the Data Importer may be either the Contractor or Kycaid, depending on the context. The key contact for the transfer is as specified in the Data Processing Agreement (DPA).
Table 2, under the heading Addendum EU SCCs, details the specific version of the Approved EU SCCs to which this Addendum is attached. It also incorporates the relevant Appendix Information required for the implementation of the SCCs in accordance with this Addendum.
Table 3 sets out the relevant Appendix Information for the Addendum. ANNEX IA: List of Parties refers to the details specified in Table 1. ANNEX IB: Description of Transfer follows the scope defined in Appendix C1 to the DPA. ANNEX II: Technical and organisational measures, including technical and organisational measures to ensure the security of the data, must be additionally implemented by the Customer. Finally, ANNEX III: List of Subprocessors corresponds to the entries maintained within the Dashboard System.
With respect to Table 4, “Ending the Addendum when the Approved Addendum changes”, neither Party is permitted to terminate the Addendum.