ONFIDO SERVICES AGREEMENT
(Version Date: Nov. 4, 2022)
Previous Versions: Sept. 9, 2022, May 27, 2022,
PLEASE READ THESE TERMS CAREFULLY
Unless an Order Form specifically states otherwise, this Onfido Services Agreement (this “OSA”) applies to each fully executed Order Form that incorporates this OSA to collectively establish the Agreement (as defined below) between Onfido and the legal entity or individual listed in the applicable Order Form (“Client”). In the event of inconsistency or conflict between any terms contained in the Order Form and any terms contained in this OSA, the terms contained in the Order Form shall prevail.
1. DEFINITIONS AND INTERPRETATIONS
1.1 In this Agreement, unless the context otherwise requires, the following definitions will apply:
Accurate Volume Projections means for each individual Service purchased: (i) quarterly volume forecasts six weeks in advance to a degree of accuracy within 10% of the actual monthly volumes; and (ii) notice at least seven days in advance of any major volume spikes, i.e., where the number of checks in a given hour exceeds three standard deviations from the average number of hourly checks in a given month.
Anti-Corruption Laws means the body of local, state, provincial, national and international laws and regulations relating to anti-bribery and anti-corruption, including but not limited to the Foreign Corrupt Practices Act 1977, the UK Bribery Act 2010, U.S. anti-boycott laws and those laws and regulations intended to implement the Organization for Economic Cooperation and Development (OECD) Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.
Baseline Tolerance means within 25% of the baseline volume commitment notified by the Client to Onfido as at the Effective Date, apportioned pro rata monthly over the Term.
BIPA means the Illinois Biometric Information Privacy Act
Brand Features means the trade names, trademarks, logos and other distinctive brand features of the applicable party.
CCPA means the California Consumer Privacy Act (California Civil Code § 1798.100-§ 1798.199), as amended, and any regulations promulgated thereunder
Charges means the charges for the Services set out in the Order Form.
Confidential Information means information disclosed by (or on behalf of) one party to the other party in connection with or in anticipation of this Agreement or any Order Form (including the content of this Agreement and all Order Forms) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, might reasonably be supposed to be confidential. It does not include information that the recipient already knew, that becomes public through no fault of the recipient, that was independently developed by the recipient or that was lawfully given to the recipient by a third party.
Content means any information, text, graphics, or other materials uploaded, downloaded or appearing as part of the Services.
Denial of Service (“DoS”) means an attack on computer systems, networks, devices, services or other IT resource causing disruption to the targeted resource and preventing legitimate users from partial or full access to that resource.
Developments means the improvements and further developments of Onfido’s machine learning and fraud monitoring and prevention identity services.
Document means the supported documents listed on the Onfido website, or such other (Service specific) list of documents as is otherwise notified to the Client from time to time, as is subject to change and update from time to time. Where new documents are added to the Documents, they may be subject to an initial service level grace period of ninety days.
Effective Date means the date on which this Agreement takes effect, as set out in the Order Form.
External Data Providers means any third party: institution, organization, corporate entity or government agency responsible for the provision of data or information in relation to the Services.
Feedback means any feedback or suggestions provided by the Client under this Agreement in relation to the Services.
FCRA means the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.
Fraud Database Service Provider means a government body or other third party service provider that checks whether an identity document has been previously identified to them as lost, stolen, fraudulent, or otherwise compromised.
Go Live Date means the date set out in the Order Form as the Go Live Date.
GST means goods and services tax, which is a value-added tax levied on goods and services.
HST means harmonized sales tax, which is a combination of federal and provincial taxes on goods and services in five Canadian provinces.
Information Security Policy has the meaning attributed to it in Clause 10.3.1.
Intellectual Property Rights means all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in Confidential Information (including Know-How and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world.
Know-How means unpatented technical information (including information relating to inventions, discoveries, concepts, methodologies, models, research, development, and testing procedures; the results of experiments, tests, and trials; processes, techniques, and specifications; quality control data, analyses, reports, and submissions) that is not in the public domain.
Notice has the meaning attributed to it in Clause 11.8.
Order Form means each fully executed Onfido order form that incorporates this OSA including the Schedules (together, the “Agreement”) and describes the Services to be provided by Onfido from time to time as agreed in accordance with Clause 3 of this Agreement.
Permitted Purpose means legitimate, professional, informational, internal business operations purposes and not in any event for the reselling or otherwise making the Services available to any third parties.
Personal Data has the meaning attributed to it in Clause 10.1.
Privacy Laws means any applicable rules, laws, regulations, directives and governmental requirements currently in effect and as they become effective relating to privacy or data protection, whether applicable at the Federal, State, or local level and including, but not limited to, biometric information privacy laws such as the BIPA; the CCPA; and all laws implementing, supplementing, or amending the foregoing; and any other applicable data protection or privacy laws and regulations.
Processing has the meaning attributed to it in Clause 10.1.
PST means provincial sales tax, which is a province specific tax that is collected separately from the GST. In Manitoba, the PST is known as Retail Sales Tax (RST); and Quebec charges Quebec Sales Tax (QST)
Record of Processing means the records of Onfido Processing and list of third party service providers detailed at https://highq.in/jgfufndu8w, or as otherwise notified to Client from time to time.
Reports means a summary at a User level containing one or more of the checks outlined in the Order Form.
Sandbox Environment means a test environment for Clients to simulate API requests and to test their integration with the Software.
Security Breach has the meaning attributed to it in Clause 10.5.
Services means the services and/or products offered by Onfido from time to time under this Agreement and as more particularly detailed in the applicable Order Form (including, as the case may be, the Reports, Content, Developments, Software, Site, and API).
Software means any software provided by Onfido, including the software development kit (or “SDK”) and any Maintenance Release which is being made available to the Client as part of the Services.
SLA means the Onfido service levels for the Services as set out in the Order Form.
Site means www.onfido.com and its subdomains.
Taxes or Tax means all applicable sales or consumption taxes on the Services (or goods) provided hereunder (including sales tax, use tax, excise tax, services tax, value added tax, GST, PST and HST imposed by any governmental authority having jurisdiction on all items, goods and/or Services being paid for by the Client hereunder.
User means any person whose identity is being verified by the Client using the Services.
1.2. Where the words include(s), including or in particular are used in this Agreement or any Order Form, they are deemed to have the words without limitation following them.
1.3. References to clauses are to the clauses of the Onfido Services Agreement.
1.4. A reference to a party includes its successors and permitted assigns.
2.1. This Agreement will commence on the Effective Date and will continue in effect for the duration from the Go Live Date as set forth in the Order Form (the “Initial Term”), unless terminated sooner in accordance with this Agreement. If a term for an Order Form is not specified, then the term for such Order Form will be for twelve (12) months from the date of the last signature of the Order Form. After the Initial Term, this Agreement will automatically renew for successive twelve (12) month periods (each, a “Renewal Term”), unless written termination notice is provided by either party at least thirty (30) days prior to the expiration of the then-current term (such Notice to be effective at the end of the Initial Term or the then current Renewal Term). The Initial Term and the Renewal Terms (if any) are collectively referred to as the “Term”.
3. ORDER FORM(S) AND CHANGE
3.1 Subject to clause 8.4 each Order Form will form a separate agreement between the Client and Onfido on the terms contained in this OSA, including the Schedules.
3.2 Where: (i) any External Data Provider increases an existing charge and/or changes the basis on which it provides information, or confirmation of qualifications or membership; and (ii) the cost of Onfido providing a background check under this Agreement increases as a direct result (each a “Cost Increase”), Onfido may increase the agreed Charges set out in the Order Form by the Cost Increase provided that Onfido will use reasonable endeavours to notify Client of the Cost Increase prior to implementing the Cost Increase. Notwithstanding the foregoing, Client is responsible for all Cost Increases provided that these are properly incurred by Onfido. In the event that the Client does not wish to incur to the cost increase that may arise under this provision, it will be permitted to terminate the Agreement in accordance with Clause 7.1 (v).
4. PARTIES’ OBLIGATIONS
4.1. Onfido will, during the Term, provide the Services with reasonable skill and care, and will use reasonable efforts to meet the SLA.
4.2. The parties will provide each other with: (i) all necessary cooperation in relation to this Agreement, and the Order Form; and (ii) access to such information as may be required in order to render and receive the Services, as set out in this Agreement.
4.3. Unless agreed otherwise in an Order Form, the Client: (i) may download, view, copy and print Content and use the Services for the Permitted Purpose only; (ii) agrees that the Reports, Services, the Site and Content may not be sold, transferred, sublicensed, commercially exploited or otherwise made available to, or used for the benefit of, any third party other than the Client; (iii) will not make the Services available or otherwise use the Services in any jurisdiction such that Onfido's provision of the Services would require Onfido to physically store data (of any kind) in that jurisdiction, without first obtaining Onfido’s prior written consent; (iv) will not make the Services available or otherwise use the Services in any jurisdiction where the Services are not permitted by applicable law; and (v) agrees to provide Users with alternative methods to dispute Reports and any other information resulting from the use of the Services.
4.4 The Client will comply with all applicable laws and regulations (including any obligation to seek prior regulatory review, approval, or similar) with respect to its use of the Services and will not: (i) use the Services to discriminate against the User or in a manner that causes damage or injury to any person or property; (ii) use the Services in a manner that could be reasonably expected to bring Onfido into disrepute or otherwise harm its reputation; (iii) act or omit to act in a way which interferes with or compromises the integrity or security of the Services; (iv) access all or any part of the Services in order to build a product or service which competes with the Services; (v) amend or remove Onfido Brand Features or “powered by Onfido” language from the Services, Site, or Software; (vi) make use of the Onfido API without prominently displaying “powered by Onfido” language in a place that is clearly visible to Users; (vii) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties: (a) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services (as applicable) in any form or media or by any means to any individual or entity, including without limitation, Users; or (b) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or (viii) attempt to access the Services other than through the means made available to the Client by Onfido. Any breach of this clause will be deemed to be a material breach.
4.5 The Client represents and warrants that it will only provide Personal Data to Onfido that is accurate, complete and provided in a form that Onfido can Process, in order to maximize the quality of the Services, and Client agrees that if any Personal Data is not provided as such, any resulting impact on the quality of the Services shall not cause Onfido to be in breach of this Agreement or any SLA.
4.6 The Client is responsible for maintaining the confidentiality of any password(s) or security routines it is given or sets to access and use the Services, and is fully responsible for all activities that occur under the Client’s password(s) or security routines. The Client agrees to notify Onfido immediately of any accidental or unauthorized access to or use of the Services, whether suspected or confirmed. In the event of a suspected or confirmed security incident impacting Client's use of the Services or other exigent circumstances (including any sustained external threat to the Services, or any Client breach of Clause 10.1), Onfido reserves the right to immediately withdraw or suspend access to the Site or the Services and to alter the Client’s password(s).
4.7 The Client acknowledges and agrees that the veracity of any information transmitted through the Site and in relation to the Services is the sole responsibility of the originator from which the content originated (for example, referees or data suppliers) and Onfido will not be liable for omissions in content or errors or false statements, including in respect of data provided by third parties. The Services are not intended to be used as the sole basis for any business decision (including where those business decisions concern a User). The Client agrees that Onfido has no liability for any inaccuracy, incompleteness or other error in the Services (including the Site, the Reports and the Content) which arises as a result of data provided by the Client or any third party.
4.8 No conditions, warranties or other terms apply to any Services (including any Software) supplied by Onfido under this Agreement other than the conditions, warranties and terms expressly set forth herein. Onfido hereby disclaims any implied warranties whether arising under law, through course of dealing, or otherwise, (including any implied warranties of non-infringement, title, satisfactory quality, fitness for purpose, merchantability or conformance with description). In addition, Onfido does not warrant or enter into any other term to the effect that any Software or any technology provided in connection with this agreement or any order form will be entirely free from defects or that its operation will be entirely error free. The Client understands that Onfido obtains the information reported in its reports from various third party sources “as is”, and therefore is providing the information to the Client “as is”.
4.9 Client acknowledges and agrees that (i) the Services include the sending of identity documents to a Fraud Database Service Provider; (ii) the Fraud Database Service Provider may retain identity documents that are suspected to be fraudulent for the purpose of identifying fraud in the future; and (iii) Clauses 10.2.3, 10.2.4, 10.2.5, 10.2.8, 10.2.9, 10.6, and 10.7 shall not apply to Processing by a Fraud Database Service Provider. Client may deactivate the aforementioned Services at any time by notifying Onfido in accordance with this Agreement
4.10. Onfido is not a consumer reporting agency and none of the information provided through the Services constitutes a “consumer report” as such term is defined in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq. The Services are expressly limited to providing supplemental information in support of Client’s anti-fraud and identity verification business processes only. By accessing the Services except for Onfido’s SSN Check (to the extent purchased under the Order Form), the Client agrees that it shall not use any Services (i) to determine a consumer’s eligibility for credit or insurance, (ii) in connection with underwriting individual insurance, (iii) in connection with evaluating a consumer for employment, promotion, reassignment or retention as an employee, contractor or similar position, (iv) in connection with any other permissible purpose as defined in the FCRA, or (v) in any other manner that would cause the use of the Services to be construed as a consumer report by any entity having jurisdiction over Onfido or the Client. The Client further agrees not to take any adverse action, based in whole or in part, on the data from the Services, against any consumer. “Adverse action” and “consumer” have the definitions given to them in the FCRA. Client agrees to promptly notify Onfido of any complaints Client receives from Users claiming deficiencies related to procedures required under the FCRA.
4.11 Excluding Right to Work checks and SSN Check (to the extent purchased under the Order Form), Client acknowledges and agrees the Services are based on information that was not collected, in whole or in part, for the purpose of serving as a factor in establishing a consumer's eligibility for credit or insurance to be used primarily for personal, family or household purposes, employment, or any other similar purpose. Accordingly, Client shall not use such Services as part of its decision-making process for determining a consumer's eligibility for credit, insurance or any other similar purpose. For the avoidance of doubt, this clause is not intended to prohibit the Client from using the Services for the purpose of verifying a User’s identity.
4.12. The Client will indemnify, defend, and hold harmless Onfido and its respective officers, shareholders, directors, and personnel, (and keep such individuals indemnified on a full indemnity basis), from and against any third party claims, suits, hearings, actions, damages, liabilities, fines, penalties, costs, losses, judgments or expenses (including reasonable attorneys' fees) arising out of or relating to the Client’s use of the Services (collectively, “Claims”), provided and to the extent that such Claims are not due to any breach of this Agreement by Onfido. Additionally, Client shall require its Users to enter into an individual arbitration agreement containing a non-severable class action waiver regarding the provision of the Services (including the processing of biometric data and/or information), and expressly name Onfido as a third-party beneficiary entitled to enforce such individual arbitration agreement and non-severable class action waiver.
5. CHARGES AND PAYMENT
5.1. In consideration of the provision of the Services, the Client will pay the charges set out in the applicable Order Form in the manner set out in this Agreement and/or the applicable Order Form.
5.2. All charges quoted to the Client will be exclusive of Taxes which (where applicable) Onfido will add to its invoices at the appropriate rate. All payments due to Onfido will be in the currency set out in the Order Form.
5.3. Unless otherwise specified in the Order Form, the Client will pay each invoice submitted to it by Onfido in full within 30 days of the date of the invoice. Time for payment will be of the essence. The Client may not withhold payment of any invoice or other amount due to Onfido by reason of any right of set-off or counterclaim which the Client may have, or allege to have, or for any reason whatsoever.
6. PERMITTED USE AND PROPRIETARY RIGHTS
6.1. As between Onfido and the Client, all Intellectual Property Rights and all other rights in the Services (including the Site, the Software the Content and the Reports) and any Feedback, Onboarding Packages and/ or Beta Features will be owned by Onfido. Onfido licenses all such rights to the Client free of charge during the Term on a non-exclusive, non-transferable, royalty-free worldwide basis to such extent as is necessary to enable the Client to make use of the Services in accordance with this Agreement and the Order Form. The Client will leave in place (and not alter or obscure) all proprietary notices and licenses contained in the Services. All rights in and to Intellectual Property Rights owned or controlled by Onfido not expressly granted herein are reserved.
6.2 The Client will allow Onfido to reference and/or include the Client in any advertising or promotional material, including:
i. using the Client's Brand Features in advertising or promotional materials, including on the Onfido Website, social media sites, external marketing PowerPoints and presentations, and sales materials at conferences;
ii. working with Onfido on finalizing a case study within 90 days following the Client's first use of the Services; and
iii. naming the Client in a press release, such press release to be jointly worked on with the Client within 90 days of the Commencement Date and to be subject to Client’s final approval.
7.1 Without prejudice to any other rights or remedies which the parties may have, either party may suspend, terminate or partially terminate this Agreement and the applicable Order Form without liability to the other party immediately on giving Notice to the other party if: (i) the other party fails to pay any amount due under this Agreement or the Order Form on the due date for payment and remains in default not less than 30 days after being notified in writing to make such payment; or the other party is in material breach of this Agreement and/or the Order Form where the breach is incapable of remedy; or (ii) the other party is in material breach of this Agreement and/or the Order Form where the breach is capable of remedy and fails to remedy that breach within fourteen (14) days after receiving written Notice of such breach, save that this fourteen (14) day cure period is not required if the continued performance of the Agreement is causing harm to the party wishing to suspend/terminate; or (iii) it enters into an arrangement or composition with or for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on any Services; or (iv) any analogous event happens to the other party in any jurisdiction in which it is incorporated or resident or in which it carries on business or has assets; or(v) required pursuant to a change in applicable law. If Customer terminates this Agreement because Onfido commits a material breach, Onfido will refund any unconsumed prepaid Charges calculated pro rata. If Onfido terminates this Agreement because the Client commits a material breach, Onfido will be entitled to the Charges until the end of the relevant payment period. Payment obligations will continue in full during any period of suspension by Onfido for material breach.
7.2 On termination of this Agreement and the applicable Order Form, the accrued rights and liabilities of the parties as at termination and the continuation of any provision expressly stated to survive or implicitly surviving termination, will not be affected.
8. LIMITATION OF LIABILITY
8.1 SUBJECT TO THE PROVISIONS OF CLAUSE 8.2, THIS CLAUSE 8 SETS OUT THE ENTIRE FINANCIAL LIABILITY OF EITHER PARTY (INCLUDING ANY LIABILITY FOR THE ACTS OR OMISSIONS OF EITHER PARTY’S EMPLOYEES, AGENTS AND SUB-CONTRACTOR) IN RESPECT OF: (I) ANY BREACH OF THIS AGREEMENT OR ANY ORDER FORM; AND (II) ANY USE MADE BY THE CLIENT OF THE SERVICES (INCLUDING THE REPORTS, THE CONTENT AND THE SITE) OR ANY PART OF THEM; AND (III) ANY REPRESENTATION, STATEMENT OR TORTIOUS ACT OR OMISSION (INCLUDING NEGLIGENCE) OR BREACH OF STATUTORY DUTY ARISING UNDER OR IN CONNECTION WITH THE AGREEMENT AND ANY ORDER FORM.
8.2 NOTHING IN THIS AGREEMENT OR IN ANY ORDER FORMS LIMITS OR EXCLUDES EITHER PARTY'S LIABILITY FOR: (I) DEATH OR PERSONAL INJURY; OR (II) FRAUD OR FRAUDULENT MISREPRESENTATION; (III) WILFUL MISCONDUCT; OR (IV) PAYMENT OF SUMS PROPERLY DUE AND OWING TO THE OTHER IN THE COURSE OF NORMAL PERFORMANCE OF THIS AGREEMENT AND ALL ORDER FORMS.
8.3 SUBJECT TO CLAUSES 8.1 AND 8.2, NEITHER PARTY WILL BE LIABLE UNDER OR IN CONNECTION WITH THIS AGREEMENT OR ANY ORDER FORM (WHETHER IN CONTRACT, TORT OR OTHERWISE) FOR ANY: (I) LOSS OF PROFIT; (II) LOSS OF ANTICIPATED SAVINGS; (III) LOSS OF BUSINESS OPPORTUNITY; (IV) LOSS OF OR CORRUPTION OF DATA; (V) LOSS OF REPUTATION OR GOODWILL; OR (VI) SPECIAL, INDIRECT OR CONSEQUENTIAL LOSSES; SUFFERED OR INCURRED BY THE OTHER PARTY (WHETHER OR NOT SUCH LOSSES WERE WITHIN THE CONTEMPLATION OF THE PARTIES AT THE DATE OF THIS AGREEMENT AND/OR THE APPLICABLE ORDER FORM). ONFIDO WILL NOT BE LIABLE FOR LOSS SUFFERED BY THE CLIENT TO THE EXTENT ONFIDO CANNOT INDEPENDENTLY SUBSTANTIATE A CLAIM DUE TO THE FACT THAT THE CLIENT HAS INSTRUCTED ONFIDO TO DELETE THE UNDERLYING PERSONAL DATA.
8.4 EITHER PARTY'S TOTAL AGGREGATE LIABILITY IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR BREACH OF STATUTORY DUTY), MISREPRESENTATION, RESTITUTION OR OTHERWISE ARISING IN CONNECTION WITH THE PERFORMANCE OR CONTEMPLATED PERFORMANCE OF THIS AGREEMENT AND ALL APPLICABLE ORDER FORMS BETWEEN ONFIDO AND CLIENT INCORPORATING THIS OSA WILL BE LIMITED TO 125% OF THE TOTAL AMOUNT PAID AND PAYABLE BY THE CLIENT UNDER THE APPLICABLE ORDER FORM FOR THE 12 MONTHS PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE FIRST CLAIM. THIS LIMITATION OF LIABILITY DOES NOT APPLY TO THE CLIENT’S OBLIGATIONS SET OUT IN, OR ITS OBLIGATION TO INDEMNIFY ONFIDO FOR CLAIMS BROUGHT BY THIRD PARTIES IN RELATION TO, BREACHES OF CLAUSE 10.1.
8.5 SUBJECT TO CLAUSE 8.2, THE CLIENT ASSUMES SOLE RESPONSIBILITY FOR CONCLUSIONS DRAWN FROM USE OF THE SERVICES (INCLUDING THE REPORTS, THE CONTENT AND THE SITE).
8.6 IN THE EVENT THAT THE CLIENT ELECTS TO ACCESS ONFIDO'S SERVICES THROUGH A THIRD PARTY INTERFACE, INTEGRATION OR SIMILAR ("THIRD PARTY INTEGRATION"), SUCH THIRD PARTY INTEGRATION WILL BE OUTSIDE THE SCOPE OF THIS AGREEMENT, AND SHALL REMAIN THE SOLE RESPONSIBILITY OF THE CLIENT. THE CLIENT WILL CONTRACT DIRECTLY WITH SUCH THIRD PARTY, AND ONFIDO WILL (I) HAVE NO LIABILITY IN RESPECT OF SUCH THIRD PARTY, OR THIRD PARTY INTEGRATION; AND (II) NOT BE IN BREACH OF THIS AGREEMENT TO THE EXTENT SUCH BREACH IS CAUSED BY THE THIRD PARTY INTEGRATION.
9.1 The recipient of any Confidential Information will not disclose that Confidential Information, except to (i) employees, affiliates and/or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep such information confidential and (ii) third party service providers where and only to the extent required to fulfil the purpose of the Agreement. The recipient will ensure that those people and entities: (a) use such Confidential Information only to exercise rights and fulfil obligations under this Agreement and the applicable Order Form; and (b) keep such Confidential Information confidential. The recipient may also disclose Confidential Information when required by law after giving reasonable Notice to the discloser, such Notice to be sufficient to give the discloser the opportunity to seek confidential treatment, a protective order or similar remedies or relief prior to disclosure.
10. DATA PROTECTION
10.1 PERSONAL DATA. The Client will provide or make available to Onfido or assist Onfido with the collection of information relating to Users (such information provided under this Agreement is “Personal Data”). Such information includes but is not limited to the information described on the Order Form. Client consents to Onfido’s collection, storage, use, disclosure, and destruction of Personal Data (collectively, “Process” or “Processing”) to provide the Services, and Client represents and warrants that it has taken all required steps to ensure that Onfido may lawfully Process the Personal Data for the purpose of providing the Services in accordance with Privacy Laws (including by having provided all necessary notices and obtained all necessary consents for Onfido to collect and Process any and all Personal Data, including biometric information pursuant to BIPA and any other rules, laws, regulations, directives and governmental requirements concerning biometric information). Additionally, Client will provide Client’s Users with the notice language contained in Schedule 4 and obtain each Users’ consent to that notice language before Personal Data is provided to Onfido, except in the case of SSN Check in which Client shall use the consent and notice language contained in the Schedule 6 to this Agreement. Onfido represents and warrants that, except for Permitted Vendor Purposes (defined below), it (i) will only retain, use, disclose, or Process Personal Data obtained in the course of providing the Services on behalf of the Client and in compliance with this Agreement; (ii) will not sell Personal Data; and (iii) will not take any action that would cause Onfido to cease being a “service provider” as defined under the CCPA with respect to Personal Data. Onfido may, however, Process Personal Data for a “business purpose” (as defined by and consistent with the CCPA) permitted of a qualified service provider under the CCPA, so long as the purpose for which the Personal Data is used does not cause Onfido to lose its status as a service provider and is otherwise in compliance with all applicable Privacy Laws (“Permitted Vendor Purposes”). In addition, as part of the Services, Onfido may create de-identified data and aggregate consumer information, which as long as such is maintained so as to qualify as de-identified data and/or aggregate consumer information under applicable Privacy Laws, and so long as such data is not attributable to the Client, will not be deemed Personal Data and will not be subject to the restrictions thereon hereunder. Client will defend and indemnify Onfido against any claims brought by third parties under the BIPA or other Privacy Laws due to breach of this clause 10.1.
10.2 ONFIDO RESPONSIBILITIES. Onfido will:
10.2.1 Process Personal Data only in accordance with this Agreement;
10.2.2 unless required by applicable law, not disclose or otherwise make available any Personal Data to any third party without first (i) imposing contractual obligations on the third party recipient that are substantially similar to those imposed on Onfido under this Agreement related to the Processing of Personal Data; and (ii) including the third party in Onfido’s Records of Processing before sharing any Personal Data with that third party service provider. Onfido shall make the Records of Processing available to Client, and if Client objects to any third party service provider, Client may terminate this Agreement in accordance with Clause 7. Onfido agrees to remain liable to the Client for the aforementioned third party service provider’s Processing of Personal Data;
10.2.3 cooperate and assist the Client in responding to any User’s request to exercise their rights of access, rectification, erasure, restriction of Processing, data portability, objection to Processing, or any other rights available to the User under Privacy Laws (collectively “Data Subject Requests”), and Client agrees that Onfido may disclose Client's name and contact information to any User seeking to exercise their Data Subject Requests so User may directly exercise their Data Subject Requests with the Client. Client acknowledges its responsibility to comply with all Data Subject Requests with respect to Personal Data (including, but not limited to, requests to know, to delete, and to opt-out under the CCPA), as required by applicable law. Upon the Client’s request, and at the reasonable expense of the Client, Onfido will provide reasonable assistance as necessary to permit the Client to respond to such requests as required by applicable law. Onfido will not respond to any Data Subject Requests relating to Personal Data unless and until expressly instructed to do so by the Client other than to indicate to the User that it is unable to comply with the Data Subject Request because it is a service provider and not the controller of the Personal Data. Upon direction from the Client to execute a deletion of Personal Data pursuant to a Data Subject Request, Onfido shall delete the relevant Personal Data in question, subject to Onfido’s retention rights under California Civil Code § 1798.105(d) or other applicable law (e.g., litigation holds). Onfido will inform the Client if it is unable to delete Personal Data or otherwise respond to, or assist with, a Data Subject Request as directed by the Client;
10.2.4 enable the Client to amend, correct, or delete (unless storage of any Personal Data is required by applicable law, including Privacy Law) Personal Data within the Services;
10.2.5 where requested by the Client and required under Privacy Laws, provide such assistance as the Client reasonably requires (taking into account the nature of the Processing and the information available to Onfido) for the Client to (i) conduct data protection impact assessments; and (ii) consult with data protection supervisory authorities;
10.2.6 take measures designed to ensure the reliability of all personnel who Process Personal Data by (i) performing background checks upon such personnel (where permissible under applicable law); (ii) assigning specific and necessity-based access privileges to such personnel; (iii) ensuring that such personnel have undergone training in data protection and privacy; and (iv) ensuring that such personnel are bound by obligations of confidentiality;
10.2.7 ensure that all Personal Data residing in the United Kingdom or European Economic Area is not transferred out of the United Kingdom or European Economic Area to data recipients in third countries which do not ensure an adequate level of data protection as determined by the European Commission or the Information Commissioner’s Office, unless the parties have entered into Information Commission and/or European Commission approved Standard Contractual Clauses or other data protection safeguards in compliance with Privacy Laws; and
10.2.8 provide other reasonably necessary assistance for the Client to meet its compliance obligations under Privacy Laws with respect to the Service in response to written requests from the Client for such assistance.
10.3 SECURITY SAFEGUARDS
10.3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and in accordance with a comprehensive information security policy (“Information Security Policy”), Onfido will establish, maintain and comply with administrative, physical, technical and organizational safeguards designed to ensure the security and confidentiality of Personal Data and to prevent the unauthorized disclosure of, or access to, Personal Data.
10.3.2 Onfido’s Information Security Policy will: (i) implement back-up and disaster recovery systems; (ii) continuously assess risks to the security of Personal Data by (1) assessing the likelihood and potential damage of such risks, taking into account the sensitivity and risk of the Personal Data, (2) identifying internal and external threats that could result in a Security Breach, and (3) conducting penetration testing; and (iii) take appropriate steps to protect against such risks.
10.4.1 Onfido will keep at its normal place of business detailed, accurate and up-to-date records relating to the Processing of Personal Data by Onfido.
10.4.2 Upon sixty (60) days written Notice, once per contract year Onfido will make available to the Client such access to its books and records as is reasonably necessary for audit purposes to demonstrate Onfido’s compliance with its obligations under Privacy Laws. Any audit requests in excess of those set out in this Clause 10.4.2 will be at Onfido's discretion, and at the Client's sole cost (except in the event that the audit reveals a breach of Privacy Laws). All audits are subject to confidentiality obligations.
10.4.3 Onfido shall promptly resolve all data protection and security issues discovered by the Client and reported to Onfido that reveal a breach or potential breach by Onfido of any of its obligations under this Agreement or Privacy Laws.
10.5 SECURITY BREACH. In the event Onfido confirms any breach of security involving its facilities, networks or systems and any unauthorized disclosure of, or access to, Personal Data (each, a "Security Breach"), Onfido will (i) without undue delay notify the Client of the Security Breach; and (ii) provide all reasonable help for the Client to investigate and remedy the Security Breach.
10.6 DESTRUCTION OF PERSONAL DATA. Unless required by applicable law, Onfido will cease processing and delete Personal Data from its production environment upon the earlier of (i) instruction from Client within the Services; (ii) instruction from a User, but only with respect to numerical biometric information relating to the User’s own Personal Data; or (iii) a reasonable period of time after the termination or expiration of this Agreement. All other Personal Data processed by Onfido (including Personal Data processed for backup and logging purposes) or on behalf of Onfido (including Personal Data processed by third parties) is deleted in accordance with Onfido’s Records of Processing.
10.7 INDEMNITY. Onfido will indemnify, defend, and hold harmless the Client and its respective officers, shareholders, directors, and personnel, (and keep such individuals indemnified on a full indemnity basis), from and against any claims, suits, hearings, actions, damages, liabilities, fines, penalties, costs, losses, judgments or expenses (including reasonable attorneys' fees) arising out of Onfido’s breach of Clause 10.5.
11.1 No variation of this Agreement or any Order Form will be valid unless it is agreed in writing and signed by both of the parties. Failure or delay in exercising any right or remedy under this Agreement or any Order Form will not constitute a waiver of such (or any other) right or remedy.
11.2 If any provision of this Agreement or Order Form (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed not to form part of the Agreement or Order Form as applicable and (i) the parties will immediately commence good faith negotiations to remedy such invalidity; and (ii) the validity and enforceability of the other provisions of the Agreement or Order Form as applicable will not be affected.
11.3 This Agreement and the applicable Order Form constitutes the whole agreement between the parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter of this Agreement and the applicable Order Form. Each party acknowledges that in entering into this Agreement or any Order Form it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings which were made by or on behalf of the other party in relation to the subject-matter of this Agreement or an Order Form at any time before its signature other than those which are set out in this Agreement or any Order Form. Furthermore, and for the avoidance of doubt, Client understands its business needs and has determined independently that the Services will meet its needs.
11.4 Neither party will be liable for any delay or non-performance of its obligations under this Agreement or any Order Form to the extent that such delay or non-performance is a result of any condition beyond its reasonable control (a “Force Majeure Event”). To the extent that a Force Majeure Event occurs, Client acknowledges that Onfido may be required (and will be permitted) to change the manner in which it provides the Services.
11.5 Except as expressly stated otherwise, nothing in this Agreement or any Order Form will create an agency, partnership or joint venture of any kind between the parties. Neither party will have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.
11.6 Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other such consent not to be unreasonably withheld save that either party can, provided not to a direct competitor, assign this Agreement by operation of law, or in connection with a merger, change of control, sale of assets or other similar transaction.
11.7 The Client acknowledges and agrees that the supply of the Reports and Services by Onfido and their use by the Client is governed by laws and regulatory requirements and that these laws and regulatory requirements may be altered from time to time. The Client agrees that Onfido may: (i) modify; or (ii) cease to provide the Services (including the Reports, the Content and the Site) to the Client if necessary to comply with the legal or regulatory requirements, and that such modifications or a cessation will not be deemed to be a breach of this Agreement.
11.8 All notices must be in English, in writing, and sent by email to the address for Legal notices as set out in the Order Form, or such other address as either party has notified the other in accordance with this clause (a “Notice”).
11.9 The parties will: (i) comply with all applicable Anti-Corruption Laws; (ii) promptly report to the other party any request or demand for any undue financial or other advantage of any kind received by it in connection with the performance of this Agreement; (iii) cooperate regarding investigations by the other Party into any matters related to bribery and corruption in connection with this Agreement.
11.10 Charges specified in this Agreement are exclusive of any Tax. The Client will be responsible for, and agrees to pay, Tax on all items, goods and/or Services being paid for by the Client hereunder. If the Client is based in Canada and does not provide a valid GST (or HST) number, Onfido will include GST, PST, and HST in invoices if applicable. Any and all payments or reimbursements made hereunder shall be made free and clear of and without deduction for any and all taxes, levies, imports, deductions, charges or withholdings. If the Client is required by law to deduct such Tax from or in respect of any sum payable hereunder to Onfido then the sum payable hereunder shall be increased as may be necessary so that, after all deductions are made, the Onfido receives an amount equal to the sum it would have received had no such deductions been made. The Parties will cooperate and take all steps reasonably and lawfully available to them to minimize such Tax and to obtain double taxation relief. If the Client withholds any such amounts from the fees, the Client will provide Onfido with a statement of withholding tax within 30 days from the withholding. Onfido confirms to the Client that it is a resident of the United States. Unless otherwise agreed, the party that is liable for payment of any Tax upon which interest and penalties are imposed shall bear such interest and penalties. In the event Onfido suffers any fines, penalties or charges due to the Client's non-compliance with this Clause, or the Client fails to comply with the relevant tax legislation and regulations in respect of the Charges, the Client will indemnify Onfido for such costs.
11.11 Except in respect of any transfer of staff pursuant to applicable law, neither party shall (except with the prior written consent of the other party) directly or indirectly solicit or entice away (or attempt to solicit or entice away) from the employment of the other party any person employed or engaged by such other party in the provision of the Services or (in the case of the Client) in the receipt of the Services at any time during the Term or for a further period of 3 months after the termination of this Agreement other than by means of a national advertising campaign open to all comers and not specifically targeted at any of the staff of the other party.
11.12 Client will comply with all applicable export control and sanctions laws and regulations of the United States and any other applicable governmental authority, including without limitation, the U.S. Export Administration Regulations and U.S. sanctions regulations ("Export Control and Sanctions Laws"). Client will not engage in any transactions with: (i) any User, entity, or country prohibited by Export Control and Sanctions Laws, including, without limitation, the prohibition against transactions with: (A) a national or resident of any country subject to U.S. sanctions or similar restrictions (currently, Cuba, Iran, Syria, North Korea and the region Crimea), or (B) anyone on the U.S. Treasury Department's list of Specially Designated Nationals or other sanctions lists (“OFAC Lists”). Client represents and warrants that it is not a person on an OFAC List and that it is not located in a country subject to sanctions.
11.13 Any and all claims for loss arising under this Agreement will be subject to a general obligation of the parties to use all reasonable efforts to mitigate such losses.
11.14 Except as expressly stated otherwise, nothing in this Agreement will create or confer any rights or other benefits in favor of any person other than the parties to this Agreement.
11.15 This Agreement and all Order Forms and all disputes and claims arising out of or in connection with them are governed by the laws of the United States and the State of New York. With the sole exception of any application for injunctive relief, the parties irrevocably agree that the Federal and State Courts located in New York County, New York have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Agreement and the Order Form (including their subject matter or formation).
TECHNICAL SPECIFICATION FOR ONFIDO PLATFORM
Onfido will provide support in order to solve incidents and make coding modifications required for the Services to function as intended in accordance with the escalation procedure and severity of the issue set out below, provided always that the Client must provide substantiation by means of screenshots, use cases and as much information as reasonably possible, including a description of a scenario leading up to the problem being encountered so that Onfido can understand how the incident occurred.
Client can view system metrics, incident history and subscribe for real time updates here https://status.onfido.com/
Escalation procedures & severity levels: Service response times and definitions are as follows:
(from the point of Client notifying Onfido)
|Normal (P2)||A non-critical component of the Services is not performing as expected. The issue has no or limited impact on the Client’s business.||
Acknowledge: Twenty four hours to acknowledge and respond to the notification.
Resolution: Will be dependent on the nature of the problem and the availability of development resources.
|Urgent (P1)||Some aspects of the Services are slow or intermittent in producing an expected response. The issue has a moderate or intermittent impact on the Client’s business.||
Acknowledge: Five hours to acknowledge and respond to the notification.
Resolution: All reasonable efforts will be taken to restore Services in ten calendar days.
|Critical (P0)||There is no response coming from the Services. Critical outage where the impact on the Client’s business is severe.||Acknowledge: Three hours to acknowledge and respond to the notification. Regular updates to be provided by Onfido until resolved.||
System Performance, Assumptions & Uptime: The API will have availability of 24 hours a day, 7 days a week, 365 days per year with performance as follows:
|Services||Uptime (measured monthly)|
All performance indicators are subject to and dependent on adherence to the API documentation. Performance indicators are exclusively related to Onfido’s performance and Onfido does not assume responsibility for the performance of any External Data Providers. Service uptime is exclusive of maintenance windows and emergency maintenance as described below. Response times in this Schedule and for the SLA exclude any internet latency, internet outage, DoS, or other reasons outside of Onfido’s control.
A maintenance window will be used for corrective maintenance. Onfido reserves the right to perform three hours of maintenance per month, but from time to time may require longer. Onfido will use reasonable endeavors to notify the Client in advance of any upcoming maintenance windows. The service may not be available at all or in part during the time of the maintenance window. The maintenance window will only be utilized if Onfido considers this necessary or desirable to maintain the performance of the Services.
Onfido may conduct emergency maintenance to its network or servers with no prior notice in order to resolve server security issues or other emergency issues. Onfido will notify the Client at the beginning and end of such maintenance, and will provide details on the nature of the work being performed.
Fraud Information Sharing
The Client will provide timely feedback and information to Onfido in relation to the Services, in particular, reporting to Onfido via the API or (if agreed) the Onfido Dashboard any: (i) fraud not identified by Onfido in its provision of the Services that is later identified by the Client (“Missed Fraud”); (ii) Users or checks identified as fraudulent by Onfido which are not fraudulent (“False Positives”); and (iii) Users who commit fraud against the Client (“Fraudulent Users”). Onfido commits to use the reported information and associated fraud data for the sole purpose of improving the Services, identifying Fraudulent Users and reducing False Positives.
Any tests, automated scans and/or probing or penetration tests, or attempts to breach any security or authentication measures used by Onfido (“Testing”) performed by the Client, will be conducted against the Onfido test environment, subject to 48 hours’ notice. The Client is not permitted to conduct Testing against Onfido’s live production environment.
To the extent that the Client elects to use the Sandbox Environment, the Client understands that Onfido does not review any data uploaded or transferred into the Sandbox Environment, and Client agrees (i) to only use the Sandbox Environment to test Client's integration with the Software; (ii) to not upload or transfer any Personal Data into the Sandbox Environment and (iii) Onfido shall have no obligations or liability as to any data uploaded or transferred to the Sandbox Environment.
From time to time, Onfido may invite the Client to participate in a new version or service feature that Onfido has not made generally available to clients for production use and that is designated as beta, pilot, limited release, pre-release, non-production, evaluation or similar designation which does not form part of the Services (“Beta Features”), free of charge in return for the Client providing Onfido with Feedback. This invitation will be communicated to the Client through the Onfido Dashboard and the Client may accept or decline the invitation in its sole discretion. Beta Features are for Onfido evaluation and testing purposes, not for production use, not supported, not subject to availability or security obligations and may be subject to additional terms. Unless otherwise agreed, Onfido will have no liability for any harm, damage or losses of any kind arising out of or in connection with Beta Features, and the Client uses them at its own risk. Onfido may discontinue Beta Features at any time in its sole discretion and may choose not to make them generally available.
ONFIDO STANDARD SDK LICENSE
1.1 The definitions and rules of interpretation in this paragraph apply in this license. Terms not specifically defined in this license will have the meaning given to them in the Onfido Services Agreement, provided that for the purposes of this Schedule 2, “Software” shall mean the SDK.
App: the application owned and developed by the Client into which the Client will integrate the Software.
Maintenance Release: a release of the Software that corrects faults, adds functionality or otherwise amends or upgrades the Software.
Source Code Materials: the source code of the Software, and all technical information and documentation required from Onfido to enable the Client to integrate the Software into the App.
Unless expressly specified otherwise, this license will be governed by the terms of the Order Form and the Agreement.
2. DELIVERY AND INSTALLATION
2.1 Onfido will make available one copy of the Software electronically to the Client. The Client will be responsible for the integration of the Software into the App and all compatibility issues between the Software and the App. Onfido will provide the Client with reasonable, limited assistance and guidance with the integration.
2.2 The Client will carry out appropriate testing and satisfy themselves with the results before making the App available in a live environment.
3.1 In consideration of the Charges paid by the Client to Onfido, Onfido grants to the Client a limited scope, non-exclusive, non-transferable license for the Term to use the Software in the App for the Permitted Purpose provided that:
3.1.1 use of the Software will be restricted to use of the Software in object code form for the purpose of running document and facial recognition checks as part of the App;
3.1.2 the Client may not use the Software other than as specified in paragraph 3.1.1 and this 3.1.2 without the prior written consent of Onfido;
3.1.3 except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties, the Client will not make backup copies of the Software;
3.1.4 except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties, the Client has no right (and will not permit any third party) to copy, adapt, reverse engineer, decompile, disassemble, modify, adapt or make error corrections to the Software in whole or in part; and
3.1.5 to the extent the Software includes components covered by open source software (“OSS”) licenses (i) the terms of such OSS license(s) are available at https://github.com/onfido or such other location notified by Onfido from time to time and will, in the event of any conflict with the terms and conditions set out herein, prevail in respect of the Client’s use of such OSS; and (ii) any restrictions prohibited by such OSS license that are contained within this Agreement will not apply to the applicable OSS.
3.2 The Client will not use any information in relation to the integration or use of the Software to create any software whose expression is the same as or substantially similar to that of the Software nor use such information in any manner which would be restricted by any copyright subsisting in it.
3.3 The Client will not: (i) sub-license, assign or novate the benefit or burden of this license in whole or in part; (ii) allow the Software to become the subject of any charge, lien or encumbrance; or (iii) deal in any other manner with any or all of its rights and obligations under this Agreement, without the prior written consent of Onfido.
The Client will: (i) ensure that the Software is integrated with the App only; and (ii) notify Onfido in writing as soon as it becomes aware of any, or suspects any unauthorized use of the Software by any person;
3.5 The Client will permit Onfido to inspect and have access to any records kept in connection with this license, for the purposes of ensuring that the Client is complying with the terms of this license, provided that Onfido provides reasonable advance notice to the Client of such inspections, which will take place at reasonable times.
4. MAINTENANCE AND SUPPORT
4.1 Onfido will provide the Client with all Maintenance Releases generally made available to its Clients. Onfido warrants that no Maintenance Release will adversely affect the then existing facilities or functions of the Software but will not be responsible for any necessary integration or re-integration with the App following a Maintenance Release, or any incompatibility issues. The Client will install all Maintenance Releases as soon as reasonably practicable after receipt, but in any event within 9 months of Maintenance Release (the “Upgrade Obligation”). Onfido will not be in breach of any clause of this agreement to the extent that the Client breaches its Upgrade Obligation.
4.2 Onfido has a Software deprecation policy, under which Onfido provides support (including bug fixes) for each Maintenance Release for a period of 18 months after its release, or in the case of the long-term support Maintenance Release, which Onfido releases on an annual basis, for 30 months after its release. Thereafter, Onfido will longer provide support for that Maintenance Release.
5.1 Neither party will export, directly or indirectly, any technical data acquired from the other party under this Agreement (or any products, including software, incorporating any such data) in breach of any applicable laws or regulations (Export Control Laws), including United States export laws and regulations, to any country for which the government or any agency thereof at the time of export requires an export license or other governmental approval without first obtaining such license or approval.
6. USE OF THE SOFTWARE
6.1 The Client accepts responsibility for the selection of the Software to achieve its intended results and acknowledges that the Software has not been developed to meet the individual requirements of the Client or any particular App.
6.2 Onfido does not (i) provide any warranties in relation to the performance of any third party software (including the App) and will not be liable in the case of a fault caused in relation to the Software that arises from the App, any other third party software, or any actions of the Client or a third party (ii) warrant that the use of the Software will be uninterrupted or error-free.
6.3 In the event of a fault or defect in the Software, Onfido will provide support and incident resolution in accordance with the escalation procedures and severity levels set out in Schedule 1.
6.4 Client will only use the Software for the purpose of receiving the Services and not for any other purpose without Onfido's prior written consent. The Client agrees no other party (including the Client) will use the Software in connection with the provision of services materially similar to the Services during the Term, or at any time thereafter. In the event of a breach of this provision, Client will indemnify Onfido for all associated losses.
7. INTELLECTUAL PROPERTY RIGHTS
7.1 The Client acknowledges that all Intellectual Property Rights in the Source Code Materials, the Software and any Maintenance Releases belong and will belong to Onfido, and the Client will have no rights in or to the Software other than the right to use it in accordance with the terms of this license.
8. DURATION AND TERMINATION
8.1 This License will terminate on termination of the Order Form or in accordance with the terms of the Agreement, upon which (i) all rights granted to the Client under this license will cease; (ii) the Client will immediately pay to Onfido any sums due to Onfido under this license; and (iii) the Client will immediately destroy or return to Onfido (at Onfido's option) all copies of the Software and related documents then in its possession, custody or control and, in the case of destruction, certify to Onfido that it has done so.
CUSTOMER SUCCESS PACKAGES
The Customer Success Packages (“Success Packages”) below, are provided by Onfido to assist the Client with the successful adoption and operation of Onfido Services during the lifetime of the overall Agreement.
Client agrees that it will work with Onfido to coordinate on the agreed activities as part of each purchased Success Package by collaborating with the Onfido Customer Success Manager when required.
|Success Package||Typical Activities|
A named Customer Success Manager providing:
A named Customer Success Manager providing:
Technology Query Management
– Assistance on How To questions
ONFIDO NOTICE AND CONSENT LANGUAGE
Client will ensure that it collects consent for Onfido (as third party service provider) to process biometric data of Client’s Users in accordance with US federal and state privacy laws (particularly the biometric information privacy laws of Illinois, Texas and Washington) by complying with either Part A or Part B below:
Part A The following notice and consent language must be incorporated into the Client’s interface in respect of Users who are based in the United States, through the following requisite steps:
Client to explain to its Users that it uses a third party, Onfido, to process their identity check.
Client to present to Users the following language prior to asking the User to proceed to complete any check powered by Onfido:
Onfido Facial Scan Policy and Release available at
Onfido Terms of Service available at
The following API consent parameter must be implemented by the Client in respect of use of the Services in the United States:
Part B Client will incorporate into its own policies and legal agreements with Users terms which meet the following requirements:
Compliant Privacy Notice: Client must present Users with an appropriate policy document which meets the requirements of US federal and state privacy laws (including the biometric privacy laws referred to above), describing in particular:
the capture of facial scan images and processing of biometric identifiers,
the purpose for which the facial scan images and biometric identifiers are collected,
the use of third party identity verification service providers to perform this service on Client’s behalf
other matters required by US federal / state privacy laws, including as to storage, retention periods, resale, etc.
Biometric consent for Onfido: Client must obtain consent from Users to the processing of their biometric information by third party service providers for the purposes of performing identity verification (as described in more detail in the Client’s linked policies / terms and conditions / legal agreements which are presented to the User), before any information is captured or uploaded to Onfido.
Arbitration of claims against Onfido: Client must ensure that all disputes with US Users regarding the provision of the service (including the processing of biometric information) by a third party identity verification provider are pursued through individual arbitration as opposed to proceedings in US federal or state courts. To achieve this an arbitration agreement containing a non-severable class action waiver must be incorporated in Client’s terms and conditions with Users based in the United States expressly naming Onfido as a third-party beneficiary entitled to enforce the individual arbitration agreement containing the non-severable class action waiver Client must obtain User consent to the terms and conditions.
Adoption of API consent parameter (privacy_notices_read_consent_given): Client must implement the following API consent parameter in respect of use of the Services in the United States:
The Onboarding Packages (“Onboarding Packages”) below, are advisory in nature to allow Onfido to assist the Client with the Client’s implementation of Onfido. Overall control for timelines, scope and the delivery is the sole responsibility of the Client.
Client agrees that it will work with Onfido to carry out the agreed activities as part of each purchased Onboarding Package by providing timely support and reasonable assistance to Onfido.
|Onboarding Package||Example Activities|
Kick-off workshop (1 hour duration)
Up to two additional workshops, each of up to 2 hour duration, for example:
Design and Build
Design and Build
Early Life Support
|No Package||Integration documentation provided, no further support given.|
SSN CHECK TERMS
The terms in this Schedule 6 apply to Client’s access to and use of Onfido’s SSN Check service (“SSN Check”), in addition to the terms set forth in the Agreement. The terms in this Schedule 6 take precedence over any other conflicting or inconsistent terms in the Agreement, but only with respect to Client’s access to and use of SSN Check. Capitalized terms used in this Schedule 6 have the same meaning as in the Agreement, unless expressly defined otherwise.
1.1. Electronic Signature means an electronic sound, symbol, or process, attached to, or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record, as defined in section 106 of the Electronic Signatures in Global and National Commerce (E-SIGN) Act.
1.2. Fraud Protection Data means a combination of the SSN Holder’s name (including the first name and any family forename or surname of the individual), SSN, and date of birth including the month, day, and year.
1.3. SSA means Social Security Administration.
1.4. SSA Response(s) means the response SSA discloses to Onfido after conducting a verification of the SSN Holder’s Fraud Protection Data.
1.5. SSN means social security number.
1.6. SSN Holder means an individual who authorizes SSA to verify his or her SSN by providing Client with Written Consent.
1.7. SSN Verification(s) means the response Onfido discloses to Client in a Report after receiving an SSA Response.
1.8. Supporting Documentation means all records or information necessary for Onfido or SSA, or their designated representatives, to conduct audits as permitted hereunder, including but not limited to: all completed and signed Written Consents; evidence documenting the specific purpose for each Written Consent, if not referenced within the individual Written Consent; and SSN Verifications.
1.9. Written Consent means consent, whether written or electronic, by which the SSN Holder gives SSA permission to disclose SSA Responses to Onfido in connection with a credit transaction or any circumstance described in section 604 of the FCRA (15 U.S.C. § 1681b).
2. PRODUCT SPECIFIC TERMS FOR SSN CHECK. Client agrees to the following terms:
2.1. Financial Institution Acknowledgement. Client acknowledges and agrees that: (i) Client is a Financial Institution as defined by Section 509 of the Gramm-Leach-Bliley Act (GLBA).
2.2. Permitted Entity Certification. Client must submit a Permitted Entity Certification in the prescribed form found at https://www.ssa.gov/dataexchange/eCBSV/documents/ua/eCBSV%20User%20Agreement%20-%20Exhibit%20A.pdf to the SSA and receive SSA’s acceptance of such Permitted Entity Certification in order for Onfido to provide SSN Check to Client. Onfido reserves the right without further notice to Client to suspend provision of SSN Check if Client fails upon Onfido’s request to provide evidence of a valid Permitted Entity Certification that is satisfactory to Onfido at its sole discretion.
2.3. SSN Holder Consent
2.3.1. Client must submit requests for SSN Verifications only pursuant to the Written Consent received from the SSN Holder.
2.3.2 Client is solely responsible for obtaining valid Written Consent from each SSN Holder that meets all of the following requirements:
a. is in one of the two following forms: (i) SSA-89 “pdf fillable” form found at https://www.ssa.gov/forms/ssa-89.pdf with the SSN Holder’s Electronic Signature, or (ii) one of the two consent template options provided at https://www.ssa.gov/dataexchange/eCBSV/written_consent.html that is incorporated into Client’s existing electronic or paper-based business process;
b. clearly specifies: (i) to whom the information may be disclosed, (ii) that the SSN Holder wants SSA to disclose the SSN verification result, and (iii) where applicable, during which timeframe the SSN verification result may be disclosed (see 20 CFR Part 401.100);
c. has not been altered either before or after the SSN Holder completes the Written Consent, unless the SSN Holder annotated and initialed this alteration in the space provided on the Written Consent, including by a new Electronic Signature;
d. in the case of an SSN Holder aged 18 or older with an appointed legal guardian, (i) the legal guardian has signed the Written Consent, and (ii) the legal guardian has submitted documentation to Client that proves the legal guardian relationship;
e. in the case of an SSN Holder under the age of 18 years, (i) the SSN Holder’s parent or legal guardian has signed the Written Consent, and (ii) the SSN Holder’s parent or legal guardian has submitted documentation to Client that proves the parental or legal guardianship relationship;
f. in the case of an SSN Holder who has given a power of attorney to an agent to act on his or her behalf, (i) the agent has signed the Written Consent, and (ii) the agent has submitted documentation signed by the SSN Holder granting the power of attorney and stating that the SSN Response is within the definition of the information that SSA can disclose to Onfido;
g. the Written Consent: (i) specifies the time period for which it is valid and the date of the SSN Response request is within such time period, or (ii) where no validity period was specified, was signed by the SSN Holder within ninety (90) calendar days prior to the date of the SSN Response request.
Onfido reserves the right, in its sole discretion, to determine whether the Written Consent has met all of the above requirements, and any additional or different requirements that the SSA may impose from time to time.
2.4. FCRA Purpose. Client must submit requests for SSN Verifications only in connection with a credit transaction or any circumstance described in Section 604 of the FCRA.
2.5. Section 215 of the Banking Bill. Client must only submit SSN Response requests for SSN Response verifications in accordance with Section 215 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, (Pub. L. No. 115-174, referred to as the "Banking Bill")
2.6. Fraud Protection Data. To request an SSN Verification, Client must specify to Onfido the full name (including the first and last name), date of birth, and SSN of each SSN Holder whose SSN the Client seeks to verify.
2.7.1. Client must retain all Supporting Documentation for a period of five (5) years from the date of the SSN Response request, either electronically or in paper form.
2.7.2. Client must protect all Supporting Documentation from loss or destruction.
2.7.3. Written Consent and SSA Responses must not be reused.
2.7.4. If Customer retains the Written Consent in paper format, Client must store the Written Consent in a manner that meets all regulatory requirements.
2.7.5. If Client obtains the Written Consent electronically, or obtains it on paper and later converts it to an electronic version, Client must: (i) password protect any electronic files used for storage; (ii) restrict access to the files to the only necessary personnel; and (iii) put in place and follow adequate disaster recovery procedures. SSN Verifications must also be protected in this manner. When storing a Written Consent electronically, Client must destroy any original Written Consent in paper form.
2.8. Marketing and Advertising. Client may not: (i) use the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification”; (ii) advertise that the SSA Response or SSN Verification provides or services as identity verification; and (iii) pursuant to Section 1140 of the Social Security Act, use the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement, solicitation, or other communication, “in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed, or authorized by the SSA.”
2.9. Audits. Client shall permit Onfido, SSA, or a designated third party of either of them, the right to review all Supporting Documentation and conduct on-site visits to review Client’s documentation and in-house procedures for protection of and security arrangements for the Written Consent and adherence to the terms of this Schedule 6.
2.10. Written Consents
2.10.1. Client shall maintain and follow its own policy and procedures to protect any information that can be used to distinguish or trace an individual’s identity and Written Consents, including the policies and procedures it has established for reporting lost or compromised, or potentially lost or compromised non-public information of its consumers. In addition, Client shall maintain and follow any and all policies and procedures to protect Written Consents that are required by the SSA from time to time.
2.10.2. Client shall: (i) safeguard Written Consents to which it has access; and (ii) take appropriate and necessary action to (1) educate its employees on the proper procedures designed to protect Written Consents, and (2) enforce compliance with the policy and procedures prescribed.
2.10.3. Client shall use commercially reasonable efforts to safeguard Written Consents to which it has access from loss, theft, or inadvertent disclosure. Client is responsible for safeguarding this information at all times.
2.10.4. When Client becomes aware or suspects that Written Consents have been lost, compromised, or potentially compromised, Client, in addition to its own reporting process, shall provide immediate notification of the incident to Onfido, which will promptly report such incident to Onfido’s primary SSA contact or its SSA alternate, if the primary SSA contact is not readily available and the name of the alternate has been provided to Onfido. Client shall provide Onfido with any updates on the status of such incident as they become available and will assist Onfido in providing such updates to the primary SSA contact or SSA alternate, as applicable.
2.10.5. Client shall process all Written Consents in a manner that will protect the confidentiality of the records; track the dissemination of the records; prevent the unauthorized use of Written Consents; and prevent access to the records by unauthorized persons.
2.11. Suspension of SSN Check
2.11.1 Client hereby acknowledges that SSA may suspend SSN Check if Client fails to comply with the terms of this Schedule 6. During such period of suspension, Client acknowledges and agrees that Onfido may be restricted from submitting SSN Response requests to SSA on behalf of Client.
2.11.2 Client waives any right to judicial review of SSA’s decision to cancel the provision of SSN Responses, or to suspend or terminate the agreement between Onfido and SSA.
2.12.1. Notwithstanding any other provision of the OSA, any applicable Order Form or this Schedule 6, Client shall defend, indemnify, and hold each of Onfido and SSA, and their respective officers, shareholders, directors, and personnel, (and keep such individuals indemnified on a full indemnity basis), harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees (including reasonable attorney’s fees), judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from, any acts or omissions of Client, including but not limited to the disclosure or use of information provided by Client, or any errors in information provided by Client to Onfido.
2.13.1. Client hereby acknowledges and agrees SSA is not liable for any damages or loss resulting from errors in information provided to Client in SSN Check.
2.13.2. Client hereby acknowledges and agrees that and SSA is not responsible for any financial or other loss incurred by the Client, whether directly or indirectly, through the use of any data provided pursuant to SSN Check.
2.13.3. SSA is not responsible for reimbursing Client for any costs Client incurs pursuant to SSN Check.
3. Exceptions to the OSA.
3.1. For the purposes of this SSN Check only, the definition of “Fraud Database Service Provider” is hereby removed and replaced with the following definition:
“Fraud Database Service Provider” means a government body or other third party service provider, including the U.S. Social Security Administration, that (i) checks whether an identity document has been previously identified to them as lost, stolen, fraudulent, or otherwise compromised, or (ii) verifies a U.S. social security number.
3.2. Clause 4.9 of the OSA shall not apply to SSN Check; provided, however, Onfido is not a consumer reporting agency and none of the information provided through SSN Check constitutes a “consumer report” as such term is defined in the FCRA.
3.3. Clauses 4.11, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.2.8, 10.4.5, 10.5, 10.6, and 10.7 of the OSA shall not apply to SSN Check.
3.4. Clause 11.14 of the OSA shall not apply to SSN Check. For the purposes of Onfido’s provision to Client of SSN Check only, the United States Social Security Administration is named as a third-party beneficiary to the Agreement.
3.5. The Written Consent required in this Schedule 6 is in addition to Onfido’s notice and consent language contained in Schedule 4 of the OSA and shall not diminish or invalidate Client’s requirement to provide such notice and consent language in accordance with Clause 10.1 of the Agreement.
PHONE VERIFICATION REPORT TERMS
The terms in this Schedule 7 apply to the Client’s access to and use of Onfido’s Phone Verification Report service (“Phone Verification Report”), in addition to the terms set forth in the Agreement. The terms in this Schedule 7 take precedence over any other conflicting or inconsistent terms in the Agreement, but only with respect to the Client’s access to and use of Phone Verification Report. Capitalized terms used in this Schedule 7 have the same meaning as in the Agreement, unless expressly defined otherwise.
1.1. “Carrier” means telecommunications operators and/or carriers.
1.2. “Licensed Data” means any properties of a Phone Verification Report check returned to the Client by or on behalf of TeleSign (including as may be provided by Onfido to the Client).
1.3. “Score” means that aspect of TeleSign’s services that determines characteristics about a phone number, including providing a real-time reputation score and assessment based on proven predictive data and other data points that may be used to determine the fraud risk of a transaction.
1.4. “TeleSign” means TeleSign Corporation.
1.5. “User Data” means any information relating to a User which is transmitted in connection with a request for a Phone Verification Report check, including all Personal Data and usage data, other than the Licensed Data.
2. PRODUCT SPECIFIC TERMS FOR PHONE VERIFICATION REPORT. The Client agrees to the following terms:
2.1.1. The provision of Phone Verification Report is subject to contractual agreements entered into by Onfido and TeleSign. This Schedule 7 shall not create privity of contract between the Client and TeleSign, nor shall it result in any direct rights of action by the Client against TeleSign.
2.2.1. The Client acknowledges that the provision and use of Phone Verification Report is subject to certain restrictions and limitations as set forth in Onfido’s API Documentation, as may be updated from time to time.
2.2.2. The Client shall not, and shall procure that Users shall not:
a. use Licensed Data other than for one-time use, or cache Licensed Data for the purpose of reuse;
b. unless required by applicable laws, use Licensed Data in conjunction with any data mining, or to create or store in any form an archive of the Licensed Data;
c. use any Intellectual Property Rights of TeleSign except to the extent necessary to enable them to make use of the Services pursuant to this Agreement; or
d. make available or use Phone Verification Report or any Licensed Data in:
i. China; or
ii. Austria, Spain or France, unless the Client’s Onfido account is configured to store data in an environment which is located in the European Union, as detailed in Onfido’s API Documentation.
2.3. Carrier Consent.
2.3.1. The Client acknowledges that Licensed Data may include data obtained from Carriers, and that the use of Phone Verification Report by the Client and Users is conditional upon receipt of consent from the Carriers (“Carrier Consent”). The Client shall, in a timely manner, provide all information and cooperation as Onfido, TeleSign and/or a Carrier may require in order to obtain and maintain Carrier Consent. Such assistance may include the Client updating or changing its processes, terms of service, use or policies from time to time. Onfido shall not be obliged to provide Phone Verification Report unless and until it has obtained the requisite Carrier Consent, and Onfido shall have no liability in the event that a Carrier does not approve the use of Phone Verification Report by the Client or Users.
2.4.1. Unless otherwise required by applicable law, the Client will delete all Licensed Data within thirty (30) days of receipt.
2.4.2. The Client agrees that TeleSign may use User Data to: (i) process the risk score for Score as a controller; and (ii) improve and develop the machine learning algorithms for Score. As part of a Phone Verification Report check, an assessment is carried out as to the fraud risk of a particular User. The Client consents, and shall procure that each User consents, to the results of each Phone Verification Report check, including the telephone number to which such check relates, being re-used by TeleSign for the purposes of developing and improving the Score machine learning algorithms under point (ii) above.
2.4.3. Without prejudice to Clause 10.1 of the OSA, the Client shall, and shall procure that each User shall, provide all cooperation and documentation which Onfido may require to demonstrate: (i) the collection and continued receipt of any User consents; (ii) that Personal Data was obtained outlined in this Schedule 7. The Client shall retain such records as may be required to demonstrate compliance lawfully; and (iii) that there is a lawful basis for the Processing of Personal Data, to enable Onfido to provide Phone Verification Report and for such other purposes as are outlined in this Schedule 7. The Client shall retain such records as may be required to demonstrate compliance with the foregoing requirements of this paragraph for a minimum of 12 months from the date of Processing.
2.5. Termination and suspension.
Onfido may suspend or cease the provision of Phone Verification Report to the Client or Users, without liability, by providing Notice to the Client if:
2.5.1. the Client fails to comply with the terms of this Schedule 7; or
2.5.2. TeleSign ceases to provide any services or perform any other dependencies which are necessary in order for Onfido to provide Phone Verification Report to the Client or Users,
and such suspension or cessation will not be deemed to be a breach of this Agreement by Onfido. During such period of suspension or cessation, the Client acknowledges that Onfido may be restricted from submitting Phone Verification Report requests to TeleSign on behalf of the Client.
3. EXCEPTIONS TO THE OSA.
3.1. Clause 10.6 of the OSA shall be deleted in its entirety and replaced with:
“DESTRUCTION OF PERSONAL DATA. Unless required by applicable law, Onfido will (and the Client hereby instructs Onfido to) cease processing and delete Personal Data and Licensed Data from its production environment upon the earlier of: (i) instruction from Client within the Services; (ii) thirty (30) days following Onfido completing the relevant check; (iii) a reasonable period of time after the termination or expiration of this Agreement; or (iv) instruction from a User, but only with respect to numerical biometric information relating to the User’s own Personal Data. All other Personal Data processed by Onfido (including Personal Data processed for backup and logging purposes) or on behalf of Onfido (including Personal Data processed by third parties) is deleted in accordance with Onfido’s Records of Processing.”