PAY-AS-YOU-GO MODULE DATA PROCESSING AGREEMENT

This data processing agreement (this “DPA”) is entered into by and between the Licensor (as defined in the Pay-As-You-Go General Terms and Conditions) and the Customer (as defined in the Pay-As-You-Go General Terms and Conditions) in accordance with the requirements of article 28 of the General Data Protection Regulation.

This DPA is effective as from the date that the Pay-As-You-Go Module Specific Terms and Conditions are accepted by the Customer or on the date that the Customer uses the Module, whichever is the earlier.
  
1. Definitions

1.1. In this DPA, the following words and expressions will have the following meanings:

“Applicable Law/s”

means the relevant data protection and privacy laws to which the Parties are subject including but not limited to the Data Protection Regulation (EU) 2016/679 and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time;

“Pay-As-You-Go Agreement”

means the Pay-As-You-Go Module Specific Terms and Conditions and the General Terms and Conditions entered into by the Parties;

“Personal Data”

means the Personal Data (as defined under the Applicable Law) being Processed from time to time pursuant to the terms of this DPA, including as is more particularly described in Annex 1 to this DPA; and

“Sub-Processor”

means any third party appointed by the Licensor in accordance with this DPA to process personal data on behalf of the Customer.

1.2. References to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer”, “Personal Data Breach”, “Supervisory Authority” and “Data Processor” have the meanings set out in, and will be interpreted in accordance with Applicable Laws.

1.3. Other capitalised terms used but not defined in this DPA shall have the meaning ascribed to them in the Pay-As-You-Go Module Specific Terms and Conditions and the General Terms and Conditions.

2. SCOPE

2.1. This DPA applies to the extent that the Licensor Processes Personal Data as a data Processor when providing the Module to the Customer according to the Pay-As-You-Go Agreement. 

3. THE LICENSOR AS PROCESSOR

3.1. The Customer, as a data Controller, hereby appoints the Licensor, which accepts, as its data Processor, to Process Personal Data on its behalf as is necessary to use and receive the Pay-As-You-Go Module.

3.2. The Licensor, in its capacity as a Processor, shall:

(i) Process the Personal Data only in accordance with this DPA and the Applicable Law;

(ii) not Process the Personal Data other than on the prior written instructions of the Customer and solely for the purposes provided in Annex 1, unless Processing is required by applicable law to which the Licensor is subject, in which case the Licensor shall inform the Customer without undue delay of that legal requirement;

(iii) upon the written request from the Customer, and in so far as this is technically or legally possible, assist with appropriate technical and organisational measures (taking into account the nature of the Processing) for the fulfilment of the Customer's obligations to respond to requests from Data Subjects for access to, rectification, erasure or portability of Personal Data or for restriction of Processing or objections to Processing of Personal Data; it being understood that the Licensor has no obligation to respond to any such data subject requests, unless expressly required by law; and

(iv) give the Customer such assistance as it reasonably requests, and the Licensor is reasonably able to provide, aimed at ensuring compliance with the Customer’s own security, Personal Data Breach notifications, impact assessment, Supervisory Authority consultation obligations under the Applicable Law, and any other obligations under the Applicable Law, taking into account the information and means available to the Licensor.

3.3. Subject to clauses 3.5 and 3.6 and to the extent permitted by the Applicable Law, the Licensor will, at the expense of the Customer, make available to the Customer such information in relation to the Personal Data as the Customer reasonably requests and the Licensor is reasonably able to provide.

3.4. Subject to clauses 3.5 and 3.6 and to the extent permitted by the Applicable Law, the Licensor will further, subject to any relevant and applicable confidentiality obligations, and at the expense of the Customer, provide the Customer with access to any Personal Data relating to the Pay-As-You-Go Module and assist with such audits, including inspections, reasonably requested by (or on behalf of) the Customer (and its internal or external auditors (the “Auditor”)) to undertake the verification that the Licensor complies with its obligations under this DPA.

3.5. The Customer is entitled to conduct a visit or audit under clauses 3.3 and 3.4 at the Customer’s expense. In such case, the Licensor requires prior written notice of at least seven (7) Business Days from the Customer before conducting such visit or audit. Further, the Customer will be required to use (and ensure that its Auditors use) its best endeavours to avoid (or minimise) causing any damage, injury or disruption to the Licensor’s premises, equipment, personnel and business while the personnel of the Customer or its Auditors are on the Licensor’s premises in the course of such an audit or visit. The Licensor has no obligation to give access to its premises for the purposes of an audit or visit: (i) to any individual unless he or she produces reasonable evidence of identity and authority; or (ii) for the purpose of more than one audit or inspection in any calendar year except in case of suspected fraud; or, (iii) if by doing so, the Licensor breaches its statutory or regulatory or contractual duties, an order of a competent court or other authority and applicable to the Licensor.

3.6. For the avoidance of doubt, clauses 3.3 and 3.4 will not require, nor be deemed to require, the Licensor to disclose to the Customer and/or its Auditors information of any kind previously disclosed to, or otherwise held in confidence by the Licensor on behalf of any of its other clients or other person in any capacity whatsoever (the “Protected Information”). The Licensor may, in its sole discretion, refuse access to the Customer and/or its Auditors to any systems (including databases or servers) and files belonging to, or used by the Licensor and containing such Protected Information, documents or any other data, if and to the extent that it is impossible or impracticable for the Licensor to grant access to such systems without compromising the protection, confidentiality or security of the Protected Information.

4. Obligations of the Customer

4.1. As a data Controller, the Customer:

(i) shall determine the purpose and means of Personal Data Processing;

(ii) shall remain ultimately liable towards its own Supervisory Authority and/or any other competent authority for the Processing of Personal Data;

(iii) shall remain fully responsible to inform its officers, directors, partners, managers, employees, investors, agents or any other Data Subjects whose Personal Data was transferred to the Licensor under the Pay-As-You-Go Agreement about the Processing by the Licensor of the Personal Data relating to them, as well as about the rights available to them under Applicable Laws;

(iv) shall remain responsible to (a) protect the Data Subjects’ rights pursuant to the Applicable Law; (b) provide adequate information to the Data Subjects about the Personal Data; and (c) obtain their consent, if necessary or required, in line with the Applicable Law;

(v) shall ensure that the Personal Data is Processed in a fair and lawful manner in conformity with all the provisions and obligations provided by the Applicable Law; and,

(vi) warrants and represents that, to the extent required by the Applicable Law, all relevant Data Subjects have consented to the disclosure of Personal Data (or categories of Personal Data) to be disclosed to the Licensor in accordance with this DPA, and all relevant Data Subjects have been provided with the information required in accordance with the Applicable Law.

For the avoidance of doubt, the foregoing is without prejudice to the Licensor’s obligations under Applicable Law and this DPA. 

5. DURATION AND TERMINATION OF THE AGREEMENT

5.1. This DPA shall enter into force as from the date that the Pay-As-You-Go Module Specific Terms and Conditions are accepted by the Customer or on the date that the Customer uses a Module, whichever is the earlier and shall remain in force for as long as the Licensor Processes Personal Data on the instructions of the Customer, or until the last Pay-As-You-Go Agreement expires or terminates, whichever is the later.

5.2. Subject to clause 5.3, upon termination of this DPA, the Licensor shall, as soon as reasonably practicable on receipt of a prior written request from the Customer, destroy or return to the Customer (at the Customer's election) any of the Personal Data Processed as agreed in this DPA which is in the Licensor’s possession or under its control, and at the Customer’s cost and expense. If, within thirty (30) days from termination of this DPA according to Clause 5.1, the Customer does not submit a written request to the Licensor to destroy or return the Personal Data in line with this Clause 5.2, the Licensor shall destroy the Personal Data without any further notice. 

5.3. The Licensor will not be required to destroy or return the Personal Data Processed as agreed in this DPA which the Licensor is required to retain in accordance with any laws, regulations, and regulatory guidance applicable to the Licensor or any of its Affiliates, orders imposed on the Licensor or an Affiliate of the Licensor by a competent judicial, governmental, regulatory or similar body, or that the Licensor may have determined (to the extent permitted by law) to be necessary to protect and enforce its rights under the Pay-As-You-Go Agreement.

6. TECHNICAL AND ORGANISATIONAL MEASURES

6.1. The Licensor shall implement and maintain all necessary technical and/or organisational measures as required by the Applicable Law (such as, for instance, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a Personal Data Breach, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing) to ensure the protection of the Personal Data Processed from any Personal Data Breach.

7. CONFIDENTIALITY

7.1. The Parties shall procure that all Confidential Information disclosed by a Party to the other Party under this DPA or which may at any time during the term of this DPA come into the other Party’s knowledge, possession or control as a result of this DPA, shall be kept secret and confidential and shall not be used for any purposes other than those required or permitted by this DPA and shall not be disclosed to any third party without the consent of the other Party, to the extent permitted by law.

7.2. The Parties and their principals, agents, contractors, employees, processors, sub-processors and/or Affiliates are only entitled to Process Confidential Information in the performance of this DPA.

7.3. The Parties shall procure that their principals, agents, contractors, employees, processors, sub-processors and/or the Affiliates are made aware of and agree to comply with the obligations contained in this DPA regarding the Personal Data, and this confidentiality clause, and they shall take all reasonable steps to ensure that their principals, agents, contractors, employees, processors, sub-processors and/or the Affiliates to whom the Personal Data is made available (if any), shall comply with the obligations set out in the Pay-As-You-Go Agreement.

7.4. For the performance of the obligations in relation to this DPA, the Parties shall only appoint such principals, agents, contractors, employees, processors, sub-processors and/or Affiliates who are informed about all relevant data privacy obligations and instructed to comply with confidentiality of the Confidential Information prior to performing their duties.

7.5. The Parties shall regularly train their employees to comply with their data protection and contractual obligations incumbent on them in this DPA and in the Applicable Law.

7.6. This clause 7 shall survive termination of this DPA. 

8. PERSONAL DATA BREACHES AND REPORTING

8.1. The Licensor shall, not later than seventy two (72) hours from awareness of a Personal Data Breach, inform the Customer without undue delay, and in writing, of any actual or suspected Personal Data Breach, including but not limited to, unauthorised, accidental or unlawful destruction or loss, damage, alteration, unauthorised disclosure or access to Personal Data stored or otherwise Processed, and against any and all other unlawful forms of Processing.

8.2. The Licensor shall provide the Customer with a written report on any and all information necessary in relation to the Personal Data Breach (the “Data Breach Report”), including:

(i) a description of the nature of the Personal Data Breach including, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

(ii) a communication of the name and contact details of the Data Protection Officer of the Processor or other contact point where more information can be obtained;

(iii) a description of the likely consequences of the Personal Data Breach;

(iv) a description of the measures taken or proposed to be taken by the Licensor to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and

(v) a description of the initiatives undertaken or to be undertaken by the Licensor to safeguard against future security Personal Data Breaches.  

8.3. Where Licensor cannot provide the Data Breach Report within seventy two (72) hours from awareness of a Personal Data Breach, it shall without undue delay provide reasons in writing to the Customer for the delay, and seek to provide the Data Breach Report without undue delay.

9. SUB-PROCESSORS

9.1. The Customer hereby authorises the Licensor to delegate the Processing of Personal Data as agreed in this DPA to the Sub-Processors listed in Annex 2. The Licensor shall specifically inform in writing the Customer of any intended changes of that list through the addition or replacement of sub-processors at least ten (10) days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Licensor shall provide the Customer with the information necessary to enable the Customer to exercise the right to object.

9.2. The Licensor shall ensure that a written sub-processing agreement is entered into with each Sub-Processor and shall ensure that the Sub-Processor shall accept the data protection obligations which are substantially the same as those undertaken by the Licensor under this DPA.

9.3. The Sub-Processor Agreement shall terminate automatically on termination of this DPA.

9.4. The Licensor will remain liable towards the Customer for any acts and omissions of the Sub-Processor according to Clause 10.

9.5. The Customer authorises the Licensor to transfer Personal Data Processed as agreed in this DPA to the Licensor’s Sub-Processors located within the EEA or the UK, as well as to competent authorities. To the extent that such Sub-Processors are located outside of the EEA, the Licensor shall ensure that any transfers of Personal Data are made in compliance with Chapter V of the GDPR. The Licensor shall provide copies of the transfer safeguards implemented to the Customer when requested by the Customer.

10. INDEMNITY

10.1 To the extent permitted by the Applicable Law, the Licensor shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any direct and indirect losses, costs, expenses or liabilities arising from or in connection: (i) with any Processing in accordance with the Customer’s instructions in Annex 1 to this DPA, as may be amended by Parties in writing from time to time; (ii) that result directly or indirectly from the Customer’s (including its Affiliates, directors, officers, employees, agents and shareholders) bad faith, wilful misconduct and/or negligence; and/or (iii) that result directly or indirectly from the Customer’s (including its Affiliates, directors, officers, employees, agents and shareholders) breach of this DPA or the Applicable Law. The Customer shall indemnify and hold the Licensor (including its Affiliates, directors, officers, employees, agents and shareholders) harmless from and against any claims made against Licensor (and its Affiliates, directors, officers, employees, agents and shareholders), including any direct and indirect losses, costs, actions, expenses, penalties, administrative fines or sanctions, or liabilities suffered by the Licensor as a result of the Customer’s acts or omissions under this DPA.

10.2 If both Licensor and Customer are liable for either material or non-material damage caused by Processing activities that infringe Applicable Laws, any Party shall be liable to the respective other Party for the amount of damage corresponding to their part of responsibility for the damage.

10.3 The Licensor shall be liable to indemnify and hold Customer harmless solely where it results that the material or non-material damage is a direct damage and is caused as a result of: (i) a wilful act or omission, or gross negligence on behalf of the Licensor in breach of this DPA or the Applicable Law, and, (ii) a wilful act or omission, or gross negligence on behalf of the Sub-Processor in breach of the Sub-Processor Agreement or the Applicable Law.

10.4 Notwithstanding any other clause in this DPA, the total liability of the Licensor for each claim made by Customer according to this Clause 10, shall not exceed the total fees paid by the Customer to the Licensor for the use of the specific Pay-As-You-Go Module forming the subject matter of the claim during the twelve (12) months immediately preceding the claim.

10.5 Notwithstanding any other clause in this DPA, the Licensor (including its Affiliates, directors, officers, employees, agents and shareholders) shall not be liable to Customer for any indirect, special, incidental or consequential damages, including but not limited to lost revenues, lost profits, or lost prospective economic advantage, whether or not foreseeable and whether or not based on contract, tort, warranty, claims or otherwise in connection with this DPA, and Customer hereby releases and waives any claims against the Licensor (including its Affiliates, directors, officers, employees, agents and shareholders) regarding such indirect, special, incidental or consequential damages.

10.6 In the event of a claim against the Customer (“the Indemnified Party”) which is the subject of an indemnity under Clause 10.3, the Customer shall:-

(i) as soon as reasonably practicable notify the Licensor (the “Indemnifying Party”) in writing of the claim and shall provide all such details of the claim or the losses claimed as are reasonably requested by the Indemnifying Party;

(ii) give the Indemnifying Party the option to elect in writing to take sole or joint control of the investigation, defence and resolution of the claim;

(iii) allow the Indemnifying Party to participate and / or conduct all negotiations and proceedings, and/or provide the Indemnifying Party with such reasonable assistance as may be required;

(iv) at the request and reasonable expense of the Indemnifying Party, provide all such assistance in relation to the claim as is reasonably requested by the Indemnifying Party; and,

(v) not make any admissions in relation to the claim and shall not compromise or settle the claim without the prior written consent of the Indemnifying Party.

10.7 The provisions regarding liability and recourse in this Clause 10 shall prevail over any other applicable provisions on liability and recourse concluded between the Parties in other agreements.

10.8 This Clause shall survive termination of this DPA for any cause.

11. GENERAL

11.1 Any failure by Licensor in exercising any right, power or privilege in this DPA, will not act as a waiver nor will any single or partial exercise of such right, power or privilege preclude any further exercise of any rights, power or privilege.

11.2 If all or any part of any provision of this DPA shall be or become illegal, invalid or unenforceable, that shall not affect:

(i) The legality, validity, or enforceability of the remainder of that provision and/or all other provisions of this DPA; or

(ii) The legality, validity or enforceability of that provision and/or all other provisions of this DPA.

11.3 No variation of this DPA or of any document referred to in it shall be valid unless it is in writing and signed by both Parties.

11.4 This DPA shall be governed and construed in accordance with the laws of Malta.

11.5 In the event of conflict, the provisions of this DPA are to be read in the following order of precedence in relation to that conflict: (i) this DPA; (ii) any document incorporated by reference; (iii) the Pay-As-You-Go Agreement. The document higher in the order of precedence will prevail to resolve the conflict.

12. Dispute Resolution:

12.1 Without prejudice to either Party’s rights or remedies hereunder the Parties hereto agree to use all reasonable efforts in good faith to resolve any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or invalidity hereof (“Dispute”). If the Dispute is resolved by the Parties within fourteen (14) Business Days after one Party provides notice to the other Party of such Dispute ("Dispute Notice") together with any relevant supporting documentation, the agreement and/or settlement shall be recorded in writing and signed by each of the Parties within seven (7) days of the expiration of the fourteen (14) Business Day period.

12.2 In the event that such Dispute is not resolved on an informal basis within fourteen (14) Business Days after one Party provides a Dispute Notice, either Party may, by written notice to the other Party refer the matter to an arbitral tribunal composed of three (3) arbitrators. Each Party shall appoint an arbitrator and the third arbitrator shall be selected by mutual agreement of the appointed arbitrators. Nothing in this clause shall be construed to:

(a) prevent either Party from seeking a temporary restraining order or injunctive or other equitable relief with respect to a breach (or attempted breach) of this DPA by the other Party; or

(b) prevent a Party from instituting litigation or other formal proceedings to the extent necessary to: (i) avoid the expiration of any applicable limitations period; and/or (ii) to preserve a superior position with respect to other creditors.

12.3 Arbitration shall be held in Malta. The arbitral award shall, without prejudice to the residual jurisdiction of the Courts of Malta, be final and binding on both Parties.

Annex 1 - Data Protection Particulars
 
Licensor Details: Aqubix Limited, a private limited liability company incorporated in Malta with company registration number C44882

Details of Processing of Personal Data

Description of types of Personal Data being Processed:

Self CheckIn Module:

Full name, address, date of birth, government issued identifier, expiry date of ID, biometric data, nationality, email address, contact details, data from fraud-prevention services, device ID, device type, geo-location data, company and connection data, IP address and standard web log data, other data identifiable from scanned ID documents provided, such as photographs.

Description of categories of Data Subjects whose data is being Processed:

Self CheckIn Module:

Persons that are stored within KYC Portal for whom the Customer triggers the self checkin.

Purpose of the data Processing:

For the Customer to be able to use the Pay-As-You-Go Modules in accordance with the terms of the Pay-As-You-Go Module Specific Terms and Conditions and:

Self CheckIn Module:

Identity or age verification and fraud detection

Description of the types of data Processing involved:

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Description of Security Measures

Summary of technical and organisational security measures applied by the Licensor to the data (including encryption/ access controls/ training/ screening of personnel/ security reviews etc.)

[To be included.]

Annex 2 - List of Pre-Authorised Sub-Processors

Module Name: Self CheckIn

Sub-Processor: OCR Labs Global Limited (doing business as IDVerse), an English company with number 12867358

Address: 1st floor Healthaid House, Malborough Hill, Harrow, Middlesex, England, HA1 1UD

Contact Person Details: Adam Desmond, adam.desmond@idverse.com

Description of the Processing: Processing of personal data pertaining to Customers in order for Customer to use Module for Identity or age verification and fraud detection.
