Onfido Inc. Specific Terms

Last updated December 21, 2022

These terms (the “Onfido Inc. Specific Terms”) apply in addition to the terms of the Order Form, OSA and its Schedules, which collectively establish the “Agreement” between Onfido and the Client listed in the applicable Order Form in the event Onfido’s Affiliate that enters into an Order Form is Onfido Inc. Terms not defined herein will have the meaning given to them in the OSA. 

1. DEFINITIONS

1.1 In these Onfido Inc. Specific Terms, unless the context otherwise requires, the following definitions will apply:

BIPA means the Illinois Biometric Information Privacy Act.

CCPA means the California Consumer Privacy Act (California Civil Code § 1798.100-§ 1798.199), as amended, and any regulations promulgated thereunder.

Fraud Database Service Provider means a government body or other third party service provider that checks whether an identity document has been previously identified to them as lost, stolen, fraudulent, or otherwise compromised. For the purposes of SSN Check only, the definition of “Fraud Database Service Provider” is instead as follows: “Fraud Database Service Provider” means a government body or other third party service provider, including the U.S. Social Security Administration, that (i) checks whether an identity document has been previously identified to them as lost, stolen, fraudulent, or otherwise compromised, or (ii) verifies a U.S. social security number.

1.2 Notwithstanding the definition of Privacy Laws in the OSA, the following definition shall apply where the Onfido contracting entity is Onfido Inc:

Privacy Laws means any applicable rules, laws, regulations, directives and governmental requirements currently in effect and as they become effective relating to privacy or data protection, whether applicable at the Federal, State, or local level and including, but not limited to, as applicable, biometric information privacy laws such as the BIPA; the CCPA; and all laws implementing, supplementing, or amending the foregoing; and any other applicable data protection or privacy laws and regulations. 

2. WARRANTIES

2.1 No conditions, warranties or other terms apply to any Services (including any Software) supplied by Onfido under this Agreement other than the conditions, warranties and terms expressly set forth herein. Onfido hereby disclaims any implied warranties whether arising under law, through course of dealing, or otherwise, (including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description). In addition, Onfido does not warrant or enter into any other term to the effect that any Software or any technology provided in connection with this agreement or any order form will be entirely free from defects or that its operation will be entirely error free. The Client understands that Onfido obtains the information reported in its reports from various third party sources “as is”, and therefore is providing the information to the Client “as is”.

2.2 Onfido is not a consumer reporting agency and none of the information provided through the Service constitute a "consumer report" as such term is defined in the FCRA. The Services are expressly limited to providing supplemental information in support of Client’s anti-fraud and identity verification businesses only. By accessing the Services, the Client agrees that it shall not use any Services (i) to determine a consumer’s eligibility for credit or insurance, (2) in connection with underwriting individual insurance, (3) in connection with evaluating a consumer for employment, promotion, reassignment or retention as an employee, contractor or similar position, (4) in connection with any other manner that would cause the use of the Services to be construed as a consumer report by any entity having jurisdiction over Onfido or the Client. The Client further agrees not to take any adverse action, based in whole or in part, or on the data from the Services, against any consumer. "Adverse action" and "consumer" have the definitions given to them in the FCRA. Client agrees to promptly notify Onfido of any complaints Client receives from Users claiming deficiencies related to procedures required under the FCRA. This clause does not apply to SSN Check. 

3. FRAUD DATABASE SERVICE PROVIDERS

Client acknowledges and agrees that (i) the Services include the sending of identity documents to a Fraud Database Service Provider; (ii) the Fraud Database Service Provider may retain identity documents that are suspected to be fraudulent for the purpose of identifying fraud in the future; and (iii) Clauses 10.2.3, 10.2.4, 10.2.5, 10.2.8, 10.5, and 10.6 of the OSA and clauses 5.5 and 6.4 of these Onfido Inc. Specific Terms shall not apply to Processing by a Fraud Database Service Provider.  Client may deactivate the aforementioned Services at any time by notifying Onfido in accordance with this Agreement. This clause does not apply to SSN Check; provided, however, Onfido is not a consumer reporting agency and none of the information provided through SSN Check constitutes a “consumer report” as such term is defined in the FCRA.

4. CHARGES

4.1 Unless otherwise specified in the Order Form, the Client will pay each invoice submitted to it by Onfido in full within 30 days of the date of the invoice. The Client may not withhold payment of any invoice or other amount due to Onfido by reason of any right of set-off or counterclaim which the Client may have, or allege to have, or for any reason whatsoever.

4.2 Onfido reserves the right, once per contract year, on the anniversary of the Effective Date, to apply the annual rate of inflation (as published by as applicable, the Office for National Statistics in the Retail Price Index or such other nationally recognised index as Onfido may reasonably designate) to the then-current Charges.  Any such increased Charges shall be the new Charges, which may be subject to increase the next contract year.

5. TERMINATION

5.1 Without prejudice to any other rights or remedies which the parties may have, either party may suspend, terminate or partially terminate this Agreement and the applicable Order Form without liability to the other party immediately on giving Notice to the other party if: (a) the other party fails to pay any amount due under this Agreement or the Order Form on the due date for payment and remains in default not less than 30 days after being notified in writing to make such payment; or (b) (i) the other party is in material breach of this Agreement and/or the Order Form where the breach is incapable of remedy; or (ii) the other party is in material breach of this Agreement and/or the Order Form where the breach is capable of remedy and fails to remedy that breach within fourteen (14) days after receiving written Notice of such breach, save that this fourteen (14) day cure period is not required if the continued performance of this Agreement is causing harm to the party wishing to suspend/terminate; or (c) it enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on any Services; or (d) any analogous event happens to the other party in any jurisdiction in which it is incorporated or resident or in which it carries on business or has assets (e) the circumstances in Clause 3 apply; (f) required pursuant to a change in applicable law. If Customer terminates this Agreement because Onfido commits a material breach, Onfido will refund any unconsumed prepaid Charges calculated pro rata. If Onfido terminates this Agreement because the Client commits a material breach, Onfido will be entitled to the Charges until the end of the relevant payment period. Payment obligations will continue in full during any period of suspension by Onfido for material breach.

5.2 On termination of this Agreement and the applicable Order Form, the accrued rights and liabilities of the parties as at termination and the continuation of any provision expressly stated to survive or implicitly surviving termination, will not be affected.

6. U.S. DATA PROTECTION

6.1 In ensuring it takes all required steps to ensure Onfido may process Personal Data to provide the Services in accordance with clause 10.1 of the OSA, the Client represents and warrants that it has provided all necessary notices and obtained all necessary consents for Onfido to collect and Process any and all Personal Data, including biometric information pursuant to BIPA and any other rules, laws, regulations, directives and governmental requirements concerning biometric information). Additionally, Client will provide Client’s Users with the notice language contained in clause 5.2 of these Onfido Inc. Specific Terms and obtain each Users’ consent to that notice language before Personal Data is provided to Onfido. Onfido represents and warrants that, except for Permitted Vendor Purposes (defined below), it (a) will only retain, use, disclose, or Process Personal Data obtained in the course of providing the Services on behalf of the Client and in compliance with this Agreement; (b) will not sell Personal Data; and (c) will not take any action that would cause Onfido to cease being a “service provider” as defined under the CCPA with respect to Personal Data. Onfido may, however, Process Personal Data for a “business purpose” (as defined by and consistent with the CCPA) permitted of a qualified service provider under the CCPA, so long as the purpose for which the Personal Data is used does not cause Onfido to lose its status as a service provider and is otherwise in compliance with all applicable Privacy Laws (“Permitted Vendor Purposes”).  In addition, as part of the Services, Onfido may create de-identified data and aggregate consumer information, which as long as such is maintained so as to qualify as de-identified data and/or aggregate consumer information under applicable Privacy Laws, and so long as such data is not attributable to the Client, will not be deemed Personal Data and will not be subject to the restrictions thereon hereunder. Client will defend and indemnify Onfido against any claims brought by third parties under the Privacy Laws due to breach of this clause 5.1. NOTHING IN THE AGREEMENT SHALL LIMIT THE CLIENT’S LIABILITY FOR BREACH OF THIS CLAUSE.

6.2 Client will ensure that it collects consent for Onfido (as third party service provider) to process biometric data of Client’s Users in accordance with US federal and state privacy laws (particularly the biometric information privacy laws of Illinois, Texas and Washington) by complying with either A or B below:

A. The following notice and consent language must be incorporated into the Client’s interface in respect of Users who are based in the United States, through the following requisite steps:

  • Client to explain to its Users that it uses a third party, Onfido, to process their identity check.
  • Client to present to Users the following language prior to asking the User to proceed to complete any check powered by Onfido:

“By clicking on the “Accept” button or otherwise continuing to use this service, you agree you have read, understand and accept Onfido Facial Scan Policy and Release, Privacy Policy and Terms of Service

  • Client to link to the full text of Onfido’s Facial Scan Policy and Release, Privacy Policy and Terms of Service, which are hosted externally by Onfido, from within its application / User interface - this will enable Users to understand more about the service Onfido provides through the Client.  The full text of the current versions of each of these documents, and the URLs you can use to link to them, are:

The following API consent parameter must be implemented by the Client in respect of use of the Services in the United States:

privacy_notices_read_consent_given

B. Client will incorporate into its own policies and legal agreements with Users terms which meet the following requirements:

  • Compliant Privacy Notice: Client must present Users with an appropriate policy document which meets the requirements of US federal and state privacy laws (including the biometric privacy laws referred to above), describing in particular:
    • the capture of facial scan images and processing of biometric identifiers,
    • the purpose for which the facial scan images and biometric identifiers are collected,
    • the use of third party identity verification service providers to perform this service on Client’s behalf
    • other matters required by US federal / state privacy laws, including as to storage, retention periods, resale, etc
  • Biometric consent for Onfido:  Client must obtain consent from Users to the processing of their biometric information by third party service providers for the purposes of performing identity verification (as described in more detail in the Client’s linked policies / terms and conditions / legal agreements which are presented to the User), before any information is captured or uploaded to Onfido.  
  • Arbitration of claims against Onfido:  Client must ensure that all disputes with US Users regarding the provision of the service (including the processing of biometric information) by a third party identity verification provider are pursued through individual arbitration as opposed to proceedings in US federal or state courts.  To achieve this an arbitration agreement containing a non-severable class action waiver must be incorporated in Client’s terms and conditions with Users based in the United States expressly naming Onfido as a third-party beneficiary entitled to enforce the individual arbitration agreement containing the non-severable class action waiver Client must obtain User consent to the terms and conditions.
  • Adoption of API consent parameter (privacy_notices_read_consent_given): Client must implement the following API consent parameter in respect of use of the Services in the United States:Privacy_notices_read_consent_given

6.3 Client acknowledges its responsibility to comply with all Data Subject Rights with respect to Personal Data (including, but not limited to, requests to know, to delete, and to opt-out under the CCPA), as required by applicable law. Upon the Client’s request, and at the reasonable expense of the Client, Onfido will provide reasonable assistance as necessary to permit the Client to respond to such requests as required by applicable law. Onfido will not respond to any Data Subject Rights relating to Personal Data unless and until expressly instructed to do so by the Client other than to indicate to the User that it is unable to comply with the Data Subject Rights because it is a service provider and not the controller of the Personal Data. Upon direction from the Client to execute a deletion of Personal Data pursuant to a Data Subject Right, Onfido shall delete the relevant Personal Data in question, subject to Onfido’s retention rights under California Civil Code § 1798.105(d) or other applicable law (e.g. litigation holds). Onfido will inform the Client if it is unable to delete Personal Data or otherwise respond to, or assist with, a Data Subject Right as directed by the Client.

6.4 Onfido will ensure that all Personal Data residing in the United Kingdom or European Economic Area is not transferred out of the United Kingdom or European Economic Area to data recipients in third countries which do not ensure an adequate level of data protection as determined by the European Commission or the Information Commissioner’s Office, unless the parties have entered into Information Commission and/or European Commission approved Standard Contractual Clauses or other data protection safeguards in compliance with Privacy Laws; and provide other reasonably necessary assistance for the Client to meet its compliance obligations under Privacy Laws with respect to the Service  in response to written requests from the Client for such assistance. This clause does not apply to SSN Check.

6.5 DESTRUCTION OF PERSONAL DATA. Notwithstanding clause 10.6 of the OSA, unless required by applicable law, Onfido will cease processing and delete Personal Data from its production environment upon the earlier of (i) instruction from Client within the Services; (ii) instruction from a User, but only with respect to numerical biometric information relating to the User’s own Personal Data; or (iii) a reasonable period of time after the termination or expiration of this Agreement.  All other Personal Data processed by Onfido (including Personal Data processed for backup and logging purposes) or on behalf of Onfido (including Personal Data processed by third parties) is deleted in accordance with Onfido's Records of Processing. This clause shall not apply to SSN Check.

6.6 THE LIMITATION OF LIABILITY SET OUT IN CLAUSE 8.4 OF THE OSA DOES NOT APPLY TO THE CLIENT’S OBLIGATIONS SET OUT IN, OR ITS OBLIGATION TO INDEMNIFY ONFIDO FOR CLAIMS BROUGHT BY THIRD PARTIES IN RELATION TO, BREACHES OF CLAUSE 6.1 OF THESE ONFIDO INC. SPECIFIC TERMS.

7. GENERAL

7.1 Without prejudice to Clauses 3 of the OSA or 4.2 of these Onfido Inc. Specific Terms, no variation of this Agreement or any Order Form will be valid unless it is agreed in writing and signed by both of the parties. Failure or delay in exercising any right or remedy under this Agreement or any Order Form will not constitute a waiver of such (or any other) right or remedy. 

7.2 Neither party will be liable for any delay or non-performance of its obligations under this Agreement or any Order Form to the extent that such delay or non-performance is a result of a force majeure event, as defined by article 1218 of the French Civil Code (a “Force Majeure Event”). To the extent that a Force Majeure Event occurs, the Client acknowledges that Onfido may be required (and will be permitted) to change the manner in which it provides the Services.

7.3 Except as expressly stated otherwise, nothing in this Agreement will create or confer any rights or other benefits in favour of any person other than the parties to this Agreement. This clause shall not apply to SSN Check. For the purposes of Onfido’s provision to Client of SSN Check only, the United States Social Security Administration is named as a third-party beneficiary to the Agreement.

7.4 This Agreement and all disputes and claims arising out of or in connection with it are governed by the laws of the United States and the State of New York. With the sole exception of any application for injunctive relief, the parties irrevocably agree that the Federal and State Courts located in New York County, New York have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Agreement (including its subject matter or formation).