Data Processing Agreement – Partners

DATA PROCESSING AGREEMENT

PARTNER

1. OBJECTIVE AND APPLICATION

1.1 SEON Technologies Kft. (company reg. no.: 01-09-292732; registered seat: Rákóczi út 42, 1072 Budapest, Hungary; “SEON”) has entered into a Partner General Terms and any Specific Partner Addendum and associated SEON Partner Guide (the “Agreement”) with its Partner (“Partner”) under which SEON provides specific Services to Partner. Within the scope of the Agreement, SEON will process Personal Data for which is Partner acts in the role defined under clause 2. This Data Processing Agreement (DPA) sets out the additional terms, requirements, and conditions on which SEON will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by applicable Data Protection Legislation for contracts regarding data sharing and data processing activities, taking into account the application of the appropriate Module(s) and in the scope specified in Appendix 1 to this DPA.

1.2 This DPA forms part of, and complements the provisions of the Agreement. Any issues not regulated by this DPA shall be governed by the provisions of the Agreement. By signing this Agreement or clicking through the click-through mechanism implemented by SEON at seon.io or by expressing its agreement otherwise, Partner agrees to this DPA and this DPA becomes a binding commitment between Partner and SEON.

1.3 The objective of this DPA is to comply with the requirements in the Data Protection Legislation for a written agreement between data controllers and data processors. 

1.4 Parties state that the Standard Contractual Clauses specified in Appendix 3 shall apply to the transfer from SEON to Partner of any Personal Data (including the processing thereof) if Partner is outside the EEA and its processing does not fall within the scope of the Data Protection Legislation, whereas Clause 14 and 15 of the Standard Contractual Clauses specified in Appendix 3 shall apply to such transfer provided additionally that SEON combines Personal Data received from Partner with Personal Data collected by SEON in the EEA. Parties agree that when Standard Contractual Clauses specified in Appendix 3 apply to the processing and transfer of Personal Data, the other provisions of this DPA complement the provisions of Standard Contractual Clauses specified in Appendix 3 to the fullest extent permitted by law and by the provisions of the Standard Contractual Clauses specified in Appendix 3. Where the other provisions of the DPA contradicts the provisions of the Standard Contractual Clauses specified in Appendix 3, the Standard Contractual Clauses specified in Appendix 3 shall prevail.

1.5 This DPA is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA. 

1.6 Selected Module(s).The Parties agree that the Processing described in Appendix 1 shall be performed under the module selected in the Module Selection Schedule in section 1.6.1 below. (the “Selected Module”). Only the Selected Module applies. Any module text not selected is deemed deleted and of no effect.

1.6.1 MODULE SELECTION SCHEDULE  (please tick 1 module as appropriate)

Module “A” – Partner as Controller; SEON as Processor

• Partner (and/or End-Customer, if applicable) determines purposes/means; SEON processes on documented instructions (Art. 28 GDPR equivalent).

Module “B” – Partner & End-Customer joint controllers; SEON as Processor (Partner warranty model)

• Partner warrants a valid Art. 26 arrangement exists between Partner and End-Customer and Partner is authorised to instruct SEON on their behalf. 

Module “C” – Partner as Processor for End-Customer; SEON as Sub-processor

• End-Customer is controller; Partner is processor; SEON is sub-processor (Art. 28 flow-down). 

2.2 Defaults. If the Module Selection Schedule is not completed for a given Partner relationship, the default selection is:

(a) Module “A” (Partner as Controller; SEON as Processor);

1.6 Any Appendixes to this DPA form a part of this DPA and will have effect as if set out in full in this DPA. Any reference to this DPA includes Appendixes. The DPA includes the following Appendixes: Appendix 1: Details of the processing of personal data; Appendix 2: List of Sub-processors; Appendix 3: Standard Contractual Clauses; Appendix 4: Consent and Privacy Notice Wording

2. PERSONAL DATA PROCESSING

MODULE “A”: Partner – Independent Controller

2.1 The Partner and SEON acknowledge and agree that, for the purposes of the applicable Data Protection Legislation, SEON processes Personal Data provided by the Partner in relation to the Partner’s use of the Services as a processor. The Partner is the controller, determining the purposes and scope of such processing and instructing SEON on how to process Personal Data. Specifically, the Partner shall provide or make available to SEON the specific purposes, duration, and nature of data processing activities, as further described in Appendix 1. The Partner retains control over the Personal Data and remains responsible for complying with its obligations under applicable Data Protection Legislation and for the processing instructions it gives to SEON, while SEON shall process Personal Data as described in this DPA (or in the Partner’s instructions) and implement appropriate technical and organisational measures as set out in Clause 5 of this DPA.

2.2 Where applicable, SEON is responsible for storing Applicant information, including any Personal Data, tagged with the corresponding risk level assigned by the Partner. In cases where there is a reasonably high suspicion or indication of fraud, the Partner, for its fraud prevention or avoidance purposes, authorizes SEON to assign a relevant risk score to the applicant’s information. Where SEON acts as a processor on the Partner’s behalf, the Parties shall also comply with the processor-related obligations set out in this DPA.

2.3 In some circumstances, SEON may process and aggregate certain Personal Data provided by the Partner with data obtained from other sources (including data providers and other Partners) as an independent controller, for the purposes of developing and improving the Services. This may include using artificial intelligence (e.g., machine-learning techniques), identifying potentially fraudulent patterns that could indicate illicit activity, providing Partners with calculated risk scores or alerts regarding elevated fraud risk, and maintaining appropriate audit logs. Such processing is permissible only if SEON’s processing objectives are compatible with the Partner’s. SEON warrants that this processing is undertaken to prevent and detect fraud and other illicit activities in the substantial public interest, and the Partner hereby authorizes such use, including profiling of Personal Data for these purposes.

2.4 Even after the Partner’s relationship with SEON ends, SEON may continue to retain the Personal Data and any related inferences where it has a lawful basis for doing so. Such lawful bases include SEON’s legitimate interests in providing services to all of its Partners, fulfilling its legal obligations, resolving disputes, enforcing agreements, or otherwise serving the substantial public interest. Where SEON acts as an independent controller, each Party remains individually responsible for its own processing of the Personal Data and for compliance with the applicable Data Protection Legislation, unless otherwise stated herein.

MODULE “B”: Partner and End-Customer – Joint Controllers

2.1. In respect of any Personal Data shared under this DPA, the Partner and the End-Customer shall be considered and act as joint controllers as defined under Art. 26 of the EU GDPR and the UK GDPR, jointly determining the purposes and means of Personal Data processing, stated in Appendix 1. In any case, they shall have the corresponding legal arrangement and, in a transparent manner, determine their respective responsibilities for compliance with their obligations under the EU GDPR and UK GDPR and other applicable Data Protection Legislation. Accordingly, the Partner and/or End-Customer shall provide evidence to SEON, upon its request, that such an arrangement indeed exists between the Partner and the End-Customer. Partner and the End-Customer retains control over the Personal Data and remains responsible for complying with its obligations under applicable Data Protection Legislation and for the processing instructions it gives to SEON, while SEON shall process Personal Data as described in this DPA (or in the Partner’s instructions) and implement appropriate technical and organisational measures as set out in Clause 5 of this DPA.

For the purposes of the Data Protection Legislation, SEON shall be the data processor acting on behalf of the Partner and End-Customer, who are the joint controllers, unless specified herein and/or the Agreement concluded with them, respectively.

2.2 Where applicable, SEON is responsible for storing Applicant information, including any Personal Data, tagged with the corresponding risk level assigned by the Partner. In cases where there is a reasonably high suspicion or indication of fraud, the Partner, for its fraud prevention or avoidance purposes, authorizes SEON to assign a relevant risk score to the applicant’s information. Where SEON acts as a processor on the Partner’s behalf, the Parties shall also comply with the processor-related obligations set out in this DPA.

2.3 In some circumstances, SEON may process and aggregate certain Personal Data provided by the Partner with data obtained from other sources (including data providers and other Partners) as an independent controller, for the purposes of developing and improving the Services. This may include using artificial intelligence (e.g., machine-learning techniques), identifying potentially fraudulent patterns that could indicate illicit activity, providing Partners with calculated risk scores or alerts regarding elevated fraud risk, and maintaining appropriate audit logs. Such processing is permissible only if SEON’s processing objectives are compatible with the Partner’s. SEON warrants that this processing is undertaken to prevent and detect fraud and other illicit activities in the substantial public interest, and the Partner hereby authorizes such use, including profiling of Personal Data for these purposes.

2.4 Even after the Partner’s relationship with SEON ends, SEON may continue to retain the Personal Data and any related inferences where it has a lawful basis for doing so. Such lawful bases include SEON’s legitimate interests in providing services to all of its Partners, fulfilling its legal obligations, resolving disputes, enforcing agreements, or otherwise serving the substantial public interest. Where SEON acts as an independent controller, each Party remains individually responsible for its own processing of the Personal Data and for compliance with the applicable Data Protection Legislation, unless otherwise stated herein.

MODULE “C”: Partner – Processor on behalf of the End-Customer

2.1. The Partner and SEON acknowledge and agree that for the purpose of the Data Protection Legislation: 

a. SEON processes Personal Data provided by the Partner in relation to the Partner’s use of Services as a subprocessor. The Partner is a processor on behalf of the End-Customer, which determines the purposes and scope of processing and instructs SEON on how to process Personal Data. Specifically, the Partner will provide or make available to SEON the specific purposes of the End-Customer, duration and nature of such collection being described in Appendix 1. 

b. The Partner retains control over the Personal Data and remains responsible for complying with its obligations under applicable Data Protection Legislation and for the processing instructions it gives to SEON, while SEON shall process Personal Data as described in this DPA (or in the Partner’s instructions) and implement appropriate technical and organisational measures as set out in Clause 5 of this DPA.

2.2 Where applicable, SEON is responsible for storing Applicant information, including any Personal Data, tagged with the corresponding risk level assigned by the Partner. In cases where there is a reasonably high suspicion or indication of fraud, the Partner, for its fraud prevention or avoidance purposes, authorizes SEON to assign a relevant risk score to the applicant’s information. Where SEON acts as a processor on the Partner’s behalf, the Parties shall also comply with the processor-related obligations set out in this DPA.

2.3 In some circumstances, SEON may process and aggregate certain Personal Data provided by the Partner with data obtained from other sources (including data providers and other Partners) as an independent controller, for the purposes of developing and improving the Services. This may include using artificial intelligence (e.g., machine-learning techniques), identifying potentially fraudulent patterns that could indicate illicit activity, providing Partners with calculated risk scores or alerts regarding elevated fraud risk, and maintaining appropriate audit logs. Such processing is permissible only if SEON’s processing objectives are compatible with the Partner’s. SEON warrants that this processing is undertaken to prevent and detect fraud and other illicit activities in the substantial public interest, and the Partner hereby authorizes such use, including profiling of Personal Data for these purposes.

2.4 Even after the Partner’s relationship with SEON ends, SEON may continue to retain the Personal Data and any related inferences where it has a lawful basis for doing so. Such lawful bases include SEON’s legitimate interests in providing services to all of its Partners, fulfilling its legal obligations, resolving disputes, enforcing agreements, or otherwise serving the substantial public interest. Where SEON acts as an independent controller, each Party remains individually responsible for its own processing of the Personal Data and for compliance with the applicable Data Protection Legislation, unless otherwise stated herein.

3. PARTNER’S OBLIGATIONS

MODULE “A”: Partner – Independent Controller

MODULE “B”: Partner and End-Customer – Joint Controllers

a. The Partner represents and warrants that it has taken all the required measures to ensure that SEON

and subprocessors may lawfully process the Personal Data in accordance with the applicable Data Protection Legislation. The Partner is independently responsible for complying with applicable Data Protection Legislation, providing all necessary disclosures and obtaining all required consents.

b. The Partner ensures that all required privacy notices have been given to all Data Subjects and/or, as may be applicable under the Data Protection Legislation, all necessary consents have been obtained from Data Subjects before their Personal Data is processed by SEON or its subprocessors. Such notices and consents must be sufficient in scope to enable each Party to process the Personal Data as envisaged under this DPA and the Agreement and in accordance with the applicable Data Protection Legislation, including the transfer of such Personal Data to and by SEON (including by having provided all necessary notices and obtained all necessary consents allowing both Parties to process biometric data pursuant to applicable Data Protection Legislation and any other applicable national rules, laws, regulations, directives and governmental requirements concerning biometric data).

In particular, the Partner will ensure the Data Subjects are familiarised with the notice wording contained in Appendix 4 and/or, as may be applicable under the Data Protection Legislation, obtain each Data Subject’s consent to that wording before any Personal Data is provided to SEON.

When processing Personal Data of a child, the Partner shall make reasonable efforts to assure that the holder of parental responsibility over the child has given consent for the Processing or authorised the Processing in another manner required under applicable Data Protection Legislation.

c. Upon redirection by SEON of requests made by Data Subjects or the authorities empowered by the Applicable Data Protection Legislation, the Partner will respond to the requests concerning the processing of Personal Data conducted by SEON and controlled by the Partner or provide SEON with the relevant instruction on responding such a request. The contact details is provided in clause 12 of this DPA.

For requests made by the authorities empowered by the Applicable Data Protection Legislation, the Parties shall use the notice contacts in accordance with clause 12 of this DPA. The Partner shall notify SEON of any inquiries by the supervisory authorities about SEON Service or SEON Processing of Personal Data.

MODULE “C”: Partner – Processor on behalf of the End-Customer

a. Partner shall give SEON instructions (including e-mail) in accordance with the written instructions received from the End-Customer, including with regard to transfers of Personal Data to a third country or an international organisation unless required to do so by applicable Data Protection Legislation to which the Partner is subject.

b. Partner must comply with applicable Data Protection Legislation. The Partner is independently responsible for complying with applicable Data Protection Legislation, providing all necessary disclosures and obtaining all required consents.

c. Partner shall have a written agreement regarding the processing of personal data with the End-Customer that specifies the End-Customers and Partner’s rights and obligations. Partner acknowledges and agrees that the processing of any Personal Data provided by Partner to SEON has been and will continue to be carried out by Partner in accordance with applicable Data Protection Legislation.

d. Partner shall notify SEON as to any Data Subject request where the End-Customer requests the support of the Partner as soon as possible and to give appropriate instructions to SEON in a timely manner.

4. DEFINITIONS

4.1 The terms used in the DPA shall have the same meaning as assigned to them below and in the Data Protection Legislation, which inter alia imply that:

1. The term ”Applicant’s information” means any information of Applicant, including Personal Data related to Applicant, tags of approval, rejection and resubmission, as well as log information. 
2. The term “Business Purposes” means the execution of the Agreement or any other purpose specifically defined by the Partner in Appendix 1.
3. The term “Partner’s Email Address” means any email address provided for Partner’s user accounts with “administrator” role created at seon.io pursuant to the Agreement. If Partner accesses the Services without having created an account, Partner’s Email Address means any email address that SEON has on file of Partner;
4. The term “Documentation” means the documentation of the Services as amended from time to time and available at: User Docs Dashboard (seon.io);
5. The term “DPA” means this data processing agreement together with its Appendices, and other documents explicitly referenced herein;
6. The term “data controller” means anyone who alone or jointly with others determines the purposes and means of the processing of personal data; 
7. The term “data processor” means anyone who processes personal data on behalf of the data controller;
8. The term “Data Protection Legislation” means the applicable data protection legislation, including (i) Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; the “GDPR; (ii)  if applicable, national legislation implementing the GDPR; (iii) , the US Data Protection Legislation and (iv) the UK General Data Protection Regulation (‘UK GDPR’).
9. The term “data subject” means identified or identifiable natural person;
10. The terms “European Economic Area” or “EEA” means the economic area consisting of the territory of the EU Member States and the member states of the European Free Trade Association (Iceland, Liechtenstein and Norway), excluding Switzerland.
11. The terms “EU Member States” means then-current member states of the European Union.
12. The term “personal data” means any information that, directly or indirectly, can identify a living natural person;
13. The term “Personal Data” means personal data that is processed by SEON on behalf of Partner;
14. The term “Personal Data Breach” means breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as defined by GDPR;
15. The term “processing” means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, restriction, erasure or destruction;
16. The term “Services” mean SEON’s fraud prevention services as provided from time to time;
17. The term “Standard Contractual Clauses” means the standard agreement for Personal Data transfers (as defined in Data Protection Legislation) concluded between a data exporter and a data importer that fulfils the requirements of Article 46 GDPR, in particular the standard agreement as adopted by the European Commission by any of the following instruments:

1. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council; and
2. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (”Commission Implementing Decision (EU) 2021/914”)

as applicable to the situation at hand, provided that the referenced standard agreement may be deemed to provide appropriate safeguards within the meaning of Article 46(1) of GDPR pursuant to Article 4 of Commission Implementing Decision (EU) 2021/914. 

18. The term “UK Transfer Addendum” means the standard agreement for Personal Data transfers (as defined in Data Protection Legislation) concluded between a data exporter and a data importer that fulfils the requirements of Article 46 of the UK Data Privacy Act (2018), in particular the standard agreement as adopted by the UK Information Commissioner’s Office (“UK ICO”), as applicable to the situation at hand, provided that the referenced standard agreement may be deemed to provide appropriate safeguards within the meaning of Article 46(1) of UK Data Privacy Act (2018).
19. The term “sub-processor” means a processor that is engaged by SEON. The sub-processor processes Personal Data on behalf of Partner in accordance with the sub-processor’s obligation to provide its services to SEON;
20. The “US Data Protection Legislation” means those laws, rules, and regulations of the United States of America relating to privacy, security, or data protection, including, as applicable, the California Consumer Privacy Act (‘CCPA’) and its replacement, the California Privacy Rights Act (‘CPRA’), the Virginia Consumer Data Protection Act (‘VCDPA’), the Colorado Privacy Act (‘CPA’), the Utah Consumer Privacy Act (‘UCPA’), the Illinois Biometric Information Privacy Act (‘BIPA’), the Washington’s Biometric Identifiers Law (‘H.B. 1493’), Texas Capture or Use of Biometric Identifier Act (‘CUBI’) and other laws that may apply to the processing of personal data under the Master Agreement and this DPA.
21. The term “End-Customer” means the legal entity to which SEON provides Services under the Agreement via Partner.

5. UNDERTAKING AND INSTRUCTION

5.1 SEON undertakes:

1. to process and transfer Personal Data in accordance with the Data Protection Legislation, the Agreement and as further documented in any other written instructions given by Partner (and/or the End-Customer, if applicable) and acknowledged by SEON as constituting instructions for purposes of this DPA; 
2. to inform Partner prior to processing that SEON is required by laws of the European Union or EU Member States, to which SEON is subject, to process Personal Data, provided that SEON is not prohibited to give such information on important grounds of public interest;
3. to immediately inform Partner if, in its opinion, an instruction of Partner infringes applicable Data Protection Legislation. SEON will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties;
4. to keep Personal Data confidential and ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5. to implement all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to the Data Protection Legislation, and necessary in order for SEON to comply with the security requirements set out in Appendix 1 of the DPA. SEON shall notify Partner about changes in the applied technical and organizational security measures that significantly affect the security of the processing of Personal Data;
6. to assist Partner (and/or the End-Customer, if applicable) in the fulfilment of Partner’s (and/or the End-Customer, if applicable) obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in the Data Protection Legislation taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible. SEON shall notify Partner in case of receiving a request to exercise the data subjects’ rights under the Data Protection Legislation without undue delay after receiving such request, and SEON should reasonably cooperate with Partner in addressing such request. Unless Partner otherwise instructs SEON, the notification of such request shall be sent to Partner’s Email Address. If Partner provided more than one Partner’s Email Address, notification sent to at least one of Partner’s Email Address shall be sufficient to comply with this section. SEON is not responsible or liable for responding to the data subject;
7. to assist Partner in the implementation of appropriate technical and organisational measures, the notification of a Personal Data Breach to data protection supervisory authorities and affected data subjects, preparation of data protection impact assessments and prior consultation with data protection supervisory authorities. SEON shall make available to Partner all information necessary to demonstrate compliance with applicable Data Protection Legislation, to the extent Partner does not otherwise have access to the relevant information, and that such information is available to SEON. Except for negligible costs, SEON reserves the right to claim the reimbursement of costs and expenses incurred by SEON in connection with the provision of assistance to Partner under this DPA;
8. to inform and consult with Partner without undue delay in the event that a data protection supervisory authority initiates or takes any action in relation to SEON with regard to the processing of Personal Data; and
9. to process Personal Data only until the purposes of the processing for which the data was collected have been fulfilled, but in any case, at the latest until 1 year starting from the completion of the query to which Personal Data relate. Upon the expiration of this period, SEON shall delete or anonymize Personal Data, unless it follows from the requirements of European Union law or EU Member State law that SEON is required to store Personal Data for a longer period or unless Partner has instructed SEON otherwise.

6. AUDIT 

6.1 SEON shall facilitate and participate in audits, including inspections, carried out by Partner or by a third party authorised by Partner. If Partner uses a third party to carry out the audit that third party shall be a well-regarded international service provider that is not a competitor of SEON. Partner and third party authorised by Partner shall undertake confidentiality in relation to SEON’s confidential information prior to the audit. The details of the audits are subject to the prior approval of SEON. Partner shall carry out the audits at its own costs.

6.2 SEON may satisfy the audit obligation under this section by providing Partner with attestations, certifications and summaries of audit reports conducted by third party auditors. 

7. ENGAGING SUB-PROCESSORS 

7.1 Partner provides a general authorization to SEON to engage or replace a sub-processor for the performance of its duties and responsibilities under this DPA in accordance with the provisions of this section. 

7.2 The list of current sub-processors is attached as Appendix 2 to this DPA. Partner hereby provides written authorization to use sub-processors listed in Appendix 2. 

7.3 SEON will update Appendix 2 regularly. Partner may object to any new sub-processors within 14 days starting from the then-current update of Appendix 2. Any objection made by Partner regarding the use of any sub-processors has to be reasonable. SEON will within its discretion make all reasonable efforts necessary to accommodate the requests of Partner. If it is commercially reasonable, SEON will review the possibility of finding another equivalent sub-processor.

7.4 SEON and the sub-processor shall enter into a written data processing agreement that imposes substantively equivalent obligations on the sub-processor as those specified in this DPA and SEON shall ensure that the sub-processor provide appropriate level of protection for Personal Data as required by the Data Protection Legislation. 

7.5 Partner authorizes SEON to engage sub-processors which process Personal Data in a country outside the European Economic Area. Provided that the European Commission has not determined, in accordance with the Data Protection Legislation, that such country ensures an adequate level of protection to the processing of Personal Data, SEON undertakes to provide appropriate safeguards when transferring Personal Data to such sub-processors, in particular, to conclude Standard Contractual Clauses and to take all necessary steps to ensure that the transfer is lawful under the Data Protection Legislation. 

8. PUBLIC DATABASES AND PUBLICLY AVAILABLE PERSONAL DATA

8.1 Partner acknowledges that carrying out real-time queries from public databases and collecting publicly available information from social media providers constitutes an inherent part of certain functionalities of the Services. Partner acknowledges and authorizes SEON to use public database providers (in particular, DNSBL providers, data breach database providers), and social media providers established within or outside the EEA to carry out queries on the basis of Personal Data and collect publicly available personal data to be able to provide the Services to Partner. Parties agree that in their assessment public database providers and social media providers shall be considered data Partners or third parties under the Data Protection Legislation.

9. DELETION OF PERSONAL DATA

9.1 At the Partner’s written request, SEON shall promptly provide the Partner with a copy of, or access to, all or any portion of the Partner’s Personal Data in SEON’s possession or control, in the format and on the media reasonably specified by the Partner.

9.2 SEON shall, upon the Partner’s written instruction, cease processing and promptly delete and/or return all or any Personal Data subject to this DPA, including (i) upon the Partner’s instruction in connection with the Services, or (ii) upon the written request of the Partner in connection with the termination or expiry of the Master Agreement for any reason. This clause does not apply to any processing of Personal Data carried out in accordance with Clause 2.4 of this DPA.

9.3 If SEON is required by any applicable law, regulation, or governmental or regulatory authority to retain any documents or materials that it would otherwise be required to return or destroy under this DPA, SEON shall promptly notify the Partner in writing. Such notice shall specify the legal basis for the retention requirement, identify the particular documents or materials to be retained, and set out a timeline for destruction once the retention requirement ceases to apply.

9.4 Where the Partner instructs SEON to delete any Personal Data, SEON shall, within thirty (30) days of completing the deletion, provide the Partner with a written certification confirming that the relevant Personal Data has been destroyed.

10. REPORTING PERSONAL DATA BREACH

10.1 If SEON becomes aware of any Personal Data Breach, SEON shall notify Partner (and/or the End-Customer, if applicable) without undue delay and shall fully cooperate in order to reasonably remedy the issue. The notification shall include all available significant information on the circumstances of the Personal Data Breach.

10.2 The notification on Personal Data Breach shall be sent to Partner’s Email Address. If Partner provided more than one Partner’s Email Address, notification sent to at least one of Partner’s Email Address shall be sufficient to comply with this section.

10.3 SEON is not responsible or liable for notifying to any data protection supervisory authorities or inform data subjects about Personal Data Breach.

11. RESPONSIBILITIES OF PARTNER

11.1 Partner shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Partner (and/or the End-Customer, if applicable) acquired Personal Data and for all other obligations imposed on Partner by Data Protection Legislation.

11.2 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Partner shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Data Protection Legislation. Those measures shall be reviewed and updated where necessary. Where proportionate in relation to the processing, the above measures shall include the implementation of appropriate data protection policies by Partner.

11.3 Partner shall inform the data subjects in accordance with Article 13-14 of the GDPR. 

11.4 Partner shall secure all necessary permissions, authorizations and consents for processing Personal Data and ensure that the processing of Personal Data is based on a valid legal basis provided in the Data Protection Legislation. 

11.5 Where the processing of biometric data or similarly regulated categories of personal data is contemplated, the Partner shall ensure that Data Subjects are adequately informed of, and have provided (where required) valid, explicit, and informed consent to the processing of such data. Specifically, the Partner shall incorporate, or otherwise make available to the Data Subjects, the notice and consent language set out in the Consent and Privacy Notice Wording (Appendix 4) prior to initiating any relevant processing activities.

11.6 In particular, the Partner shall: 

1. Ensure all required data protection notices and consents are consistent with the guidelines in the Consent and Privacy Notice Wording, 
2. Provide Data Subjects with direct access (via hyperlink or otherwise) to SEON’s privacy notice, and 
3. Implement the relevant technical or API-based mechanisms to capture and document that Data Subjects have been presented with, and agreed to, the foregoing.

Failure to comply with these requirements may result in a breach of Data Protection Legislation, for which the Partner shall remain solely liable.

11.7 Partner shall comply with the above Section 11.1 – 11.7 only if Partner falls within the scope of the Data Protection Legislation.

12. LIMITATION OF LIABILITY

12.1 Subject to the Section 12.2 and 12.3, neither party shall be responsible or liable under this DPA to the other party:

1. for any indirect, exemplary, incidental, punitive, special or consequential damages; or 
2. for any amounts that exceed the fees actually paid or payable by Partner to SEON under the Agreement in the twelve (12) months prior to the act that gave rise to the relevant claim. 

12.2 The limitation of liability provisions of the Agreement shall prevail over Section 12.1, and shall be applied mutatis mutandis in the context of this DPA.

12.3 For the avoidance of doubt, the Parties agree that the limitation of liability set out in section 12.1 shall be interpreted in accordance with the applicable laws, in particular the Data Protection Legislation and the applicable civil law provisions.

13. CONTACT INFORMATION

13.1 SEON and the Partner agree to designate a point of contact for urgent security issues (a “Designated POC”). The Designated POC for both parties are: 

SEON Designated POC: [email protected]

Partner Designated POC: [***]  if left blank  then Partner Designated POC will be the Partner Business Contact on the Master Partner Agreement.

14. TERM, TERMINATION

14.1 The DPA is effective from the date SEON starts processing Personal Data and for as long as SEON processes Personal Data. 

14.2 Parties may terminate this DPA anytime for any reason by providing thirty (30) days’ notice to the other party. Partner acknowledges that SEON will be under no obligation to provide the Services, until a Data Protection Legislation compliant data processing agreement is concluded between the parties.

14.3 Within thirty (30) days from the expiration of the Agreement or the receipt of the notice of termination, SEON shall delete (or anonymize) or, based on Partner’s instruction, return to Partner all Personal Data, and delete (or anonymize) existing copies unless the storage of Personal Data is required pursuant to European Union law or EU Member State’s law.

14.4 All provisions of this DPA that are expressly or consequently intended to be fulfilled or remain in force following the termination of this DPA shall fully remain in force following the termination of this DPA, in particular, Section 3 (Partner’s Obligations), Section 4 (Definitions), Section 11 (Responsibilities of Partner), Section 12 (Limitation of Liability), Section 14 (Term, Termination), Section 15 (Miscellaneous).

15. MISCELLANEOUS

15.1 Governing Law and Dispute Resolution. This DPA shall be governed by and construed in accordance with the laws of Hungary and the courts of Hungary shall have jurisdiction over any dispute, or claim arising out of, or in connection with this DPA, including its formation. Disputes regarding interpretation and application of this DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution. 

15.2 Amendments. This DPA shall be amended in accordance with the Agreement’s provisions on amendments. 

15.3 Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

15.4 Entire Agreement. This DPA, together with its Appendixes supersedes and repeals all current or prior oral or written undertakings, covenants, agreements or communications, in particular all current or prior data processing agreements between Partner and SEON with respect to the subject matter of this DPA. In the case of conflict between any provision contained in this DPA and any provision contained in any Appendix hereto, the provision in this DPA will prevail. In the case of conflict between any provision contained in this DPA and the provisions of the Subscription Agreement, the provisions of this DPA will prevail.

Appendix 1

details of the processing of personal data

1. The subject matter of the processing

Providing the Services of SEON.

2. The nature and purpose of the processing

2.1 Fraud Prevention Service (if applicable): Carrying out data-driven fraud detection measures for the Partner (and/or the End-Customer, if applicable), which entails executing the processing procedures outlined in SEON’s documentation (available at https://docs.seon.io/), including IT support and debugging (e.g., during beta testing or integration assistance). Such processing may involve the Partner (and/or the End-Customer, if applicable) collecting user or transaction-related data (e.g., IP address, email address, phone number, device/browser fingerprints) in its own systems and transmitting such data to SEON’s APIs for real-time or near real-time risk analysis. The purpose of this processing is to generate a fraud risk score and relevant insights, which are then returned to the Partner (and/or the End-Customer, if applicable) for review and further action. By identifying potentially fraudulent or high-risk activities, SEON’s services enable the Partner (and/or the End-Customer, if applicable) to make informed decisions, enhance security measures, and reduce fraudulent behavior.

2.2 Identity Verification Services (if applicable): 

a) Remotive Identity Verification. Carrying out remote identity verification sessions (document verification + liveness check) for Partner (and/or the End-Customer, if applicable) by SEON which entails executing the processing procedures outlined in the documentations provided by SEON to Partner (and/or the End-Customer, if applicable), as well as providing IT support and debugging assistance (e.g., during beta testing or integration assistance). Proof of Address Verification. Additionally, SEON’s IDV services include proof of address verification as a critical component, as outlined in the documentations provided by SEON to Partner (and/or the End-Customer, if applicable). This process confirms an individual’s residential address by validating documents such as utility bills, bank statements, or government-issued letters showing the individual’s name and address. Proof of address verification enhances the security and trustworthiness of financial transactions and services, ensuring compliance with regulatory requirements, preventing fraud, and maintaining accurate Partner records. The sub-module includes providing IT support and debugging assistance (e.g., during beta testing or integration assistance) as well.

b) eKYC. Within SEON’s eKYC services, and as outlined in the documentations provided by SEON to Partner (and/or the End-Customer, if applicable), SEON can determine whether the identification number submitted by the end user is valid and exists within the relevant government or regulatory databases. To be able to determine this, specific verification checks are carried out regarding the provided number. This sub-module involves the following jurisdictions:

• SSN (Social Security Number) for the U.S.,
• Aadhaar for India,
• CPF (Cadastro de Pessoas Físicas) for Brazil, and
• CURP (Clave Única de Registro de Población) for Mexico.

The eKYC sub-module includes providing IT support and debugging assistance (e.g., during beta testing or integration assistance) as well.

Thus, the purpose and nature of SEON’s processing regarding the Identity Verification Services is to perform the foregoing services for including but not limited to Partner Due Diligence (CDD), Know-Your-Partner (KYC), Anti Money Laundering and Combating the Financing of Terrorism (AML/CFT) and similar purposes.

2.3 AML Service (if applicable): Perform certain checks (PEP & RCA, Sanction Lists, Watchlists, Crime Lists, Adverse Media) in order to identify high-risk individuals, block suspicious entities, and ensure compliance with the applicable Anti-Money Laundering regulations, including but not limited to the EU’s 6th Anti-Money Laundering Directive (6AMLD) and other relevant AML laws. This entails executing the processing procedures outlined in the documentations provided by SEON to Partner (and/or the End-Customer, if applicable), as well as providing debugging assistance. This processing is conducted to support the Partner (and/or the End-Customer, if applicable) in meeting their regulatory obligations, improving both security measures and compliance with global AML regulations. The sub-module includes providing IT support and debugging assistance (e.g., during beta testing or integration assistance) as well.

3. Categories of data subjects 

The users or customers (individuals) of Partner and/or if applicable the users or customers (individuals) of End-Customer.

4. Categories of personal data 

This is a non-exhaustive summary of the categories of personal data that may be processed by SEON in connection with its Services. The exact categories of personal data depend on (i) the specific services used, (ii) the Partner (and/or the End-Customer, if applicable)’s configuration and customization choices, and (iii) the data provided by the Partner to SEON in order to enable the services. The complete list of categories of personal data is available in SEON’s documentation (available at https://docs.seon.io/).

4.1 Fraud Prevention Service (if applicable): Contact and Identification Data; Email address; Phone number; Online and Technical Data; IP address; Device information (including device/browser fingerprints, operating system, browser version, unique device identifiers); Session information; (e.g., session IDs, timestamps) Metadata related to the method and context of accessing the Partner’s system or site (e.g., referral URL); Behavioral and Transactional Data Transaction details (e.g., time of transaction, amount, payment method); User behavior patterns on the Partner’s platform (e.g., frequency or timing of transactions or account logins); Location Data Geolocation information; Derived or Machine-Generated Data Risk; scores and analytical insights generated by SEON’s systems (e.g., fraud risk assessment or flags).

4.2 Identity Verification Service (if applicable): (i) Personal Data on the identification document or Personal Data extracted from the identification document, for example  name, sex, personal identification number or national equivalent, date of birth, estimated age, legal capacity, nationality, citizenship, eye color, weight and height, address, as well as historic data of the End User that may have been stored by SEON during previous interactions within the retention periods and at all times within the scope of the specific Partner (and/or the End-Customer, if applicable); (ii) Contact data, for example address, e-mail address, telephone numbers, IP address and, if relevant, presented document type (e.g. bank statement or utility bill); (iii) Bank Account number (iv) Details of the identification document, for example the name of the document, issuing country, document number, expiration date, data encoded in the document barcodes (which may vary based on the type of document) and security features; (v) Identity verification data, for example images (photographs) and recordings (videos) taken from the End User and their identification document, as well as video recordings of the verification process, along with the results of the verification checks; (vi) Biometric identifiers which are data generated by measurements of the End User’s biological characteristics such as face scans (scan of their face geometry), retina or iris scans and other measurements, extracted from an image (e.g. selfie) and/or a video which are used to verify the End User or compare their face to the identity document photos via facial recognition or similar technologies; biometric information which is information based on a biometric identifier that can be used to identify the End User; and any personal data that results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Art. 4 (14) of the GDPR);. Some of this data may be considered biometric data under the applicable data protection laws (hereinafter: “Biometric Personal Data”); (vii) Technical data, which includes, but is not limited to, details such as the date, time, and the End User’s activity within the services, their IP address and domain name, information about their software and hardware, as well as their general geographic location (e.g., city, state, country); and (viii) Session metadata, which is technical data, such as login information, device information.

4.3 AML Services (if applicable): General Personal Data (Full name; Date of birth; Place of birth; Photo ID number; Nationality; Nationality/Residency data; Unique user identifier; Affiliation with organizations; and Adverse media information, which may include negative news or reports about individuals, identifying potential reputational risks related to financial crimes or illegal activities.), ID document data (document type, issuing country, ID number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features); Relevant publicly available data (information regarding a person being a Politically Exposed Person (PEP) or included in sanctions, watch or crime lists).

5. duration of processing

SEON will continue to process Personal Data related to any queries for a period of one (1) year from the completion of the relevant query, unless the Partner (and/or the End-Customer, if applicable) instructs SEON otherwise by configuring a custom data retention period as set out below  (“Data Retention Period”). 

The Partner (and/or the End-Customer, if applicable) has the right to configure different Data Retention Periods for each SEON domain or product, as applicable within the SEON platform. The Partner is responsible for ensuring that the configured Data Retention Periods comply with applicable Data Protection Legislation and for updating the retention settings as necessary.

If SEON processes Personal Data related to testing the Service by Partner, SEON will delete all Personal Data processed during testing within thirty (30) days after completion of the testing period.

6. Technical and organisational security measures 

SEON implements all technical and organizational security measures required by ISO27001 standard

and complies with SOC2 Type 2 requirements. 

Further information regarding SEON’s security framework, privacy practices, can be found in SEON’s Privacy and Security Whitepaper made available athttps://seon.io/legal-and-security/seon-privacy-and-security-whitepaper/

Appendix 2

List of Sub-Processors

Subcontractor’s company name and business name	Nature of the Subcontractor’s work and duration thereof	Server location	Place of performance of the Subcontractor’s work (full address)	Safeguards implemented for data transfer outside the EEA
Amazon Web Services EMEA SARL (“AWS Europe”)	Hosting and cloud computing	Ireland (or U.S., in case of Partner’s choice)	38 avenue John F. Kennedy, L-1855 Luxembourg	Standard Contractual Clauses, if applicable
Elasticsearch B.V	Hosting and cloud computing	Ireland	Keizersgracht 281 Amsterdam, 1016 ED Netherlands	Standard Contractual Clauses, if applicable
Snowflake Computing Netherlands B.V.	Database SaaS service	Ireland	FOZ Building, Gustav Mahlerlaan 300-314, 1082 ME Amsterdam, Netherlands; 1-844-SNOWFLK (1-844-766-9355)	Standard Contractual Clauses, if applicable
COMPLYADVANTAGE	Data provider for SEON’s AML Adverse Media offering. Subcontractor is only used in relation to the AML API	Ireland	IVXS UK LIMITED, 86-90 Paul Street, EC2A 4NE, London, United Kingdom	Standard Contractual Clauses, if applicable
ClickHouse	Database SaaS service	Ireland (or U.S., in case of Partner’s choice)	650 Castro St., Suite 120 #92426, Mountain View CA 94041	Standard Contractual Clauses, if applicable
ShuftiPro	Data provider for  Proof of Address verification services.	EEA	England, United Kingdom, having its office at Coppergate  House, 10 Whites Row, E1 7NF, London, England	Standard Contractual Clauses, if applicable
Signzy	Data provider supporting eKYC services and is used only for specific identification number database checks.	India	Delaware, having its corporate office at 4320 Winfield Road, Cornerstone @ Cantera, Suite 200, Warrenville, Illinois	Standard Contractual Clauses, if applicable

Appendix 3

Processor to Controller Standard Contractual clauses

The Parties agree that the EU Standard Contractual Clauses and the UK Transfer Addendum are incorporated by reference and that by executing the Agreement, each party is deemed to have executed the EU Standard Contractual Clauses and the UK Transfer Addendum.

SCC Clause	GDPR	UK Data Protection Law
Module in operation: module two (controller to processor) and module three (processor to processor)
Clause 7- Docking Clause	An entity that is not a party to these Standard Contractual Clauses may, with the agreement of the parties, accede to these Standard Contractual Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Appendix 1.A of the Standard Contractual Clauses.
Clause 9(a)- Use of Sub-processors	GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of Sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of Sub-processors at least 30 calendar days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Clause 11 (redress)	Optional language in Clause 11 shall not apply.
Clause 17- governing law	These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Hungary.	These Clauses shall be governed by the laws of England and Wales.
Clause 18 – choice of forum and jurisdiction	The parties agree that those shall be the courts of Hungary.	The parties agree that those shall be the competent courts of England and Wales.
Appendix 1A- List of Parties	The name, address, and contact person’s name, position, and contact details, and each party’s role in processing Partner Personal Data are provided in Section 1, 2, and 3 of Appendix 1.
Appendix 1B – Description of Transfer	This information can be found in Section 4 Appendix 1.
Clause 13 and Appendix 1C – Competent Supervisory Authority	Identify the competent supervisory authority/ies in accordance with Clause 13:Hungarian National Authority for Data Protection and Freedom of Information	Identify the competent supervisory authority/ies in accordance with Clause 13:UK Informational Commissioner
Appendix II – Technical and Organizational Measures	See Section 6 of Appendix 1 of the DPA.
Appendix III – List of Sub-processors	See Appendix 2 of the DPA.
Ending the UK Transfer Addendum when the Approved Addendum changes	N/A	Which Parties may end this Addendum as set out in Section ‎19:☒Importer☒Exporter☐neither Party

Appendix I. 

to Appendix 3 Processor to Controller Standard Contractual clauses

A. LIST OF PARTIES

Data exporter(s):

Partner, as defined by the DPA.

Contact person’s name, position and contact details: Partner’s Email Address as defined by the DPA.

Activities relevant to the data transferred under these Clauses: As defined by Appendix 1 of the DPA.

Signature and date: Pursuant to Section 1.2 of the DPA.

Role (controller/processor): Controller.

Data importer(s):

Name: SEON Technologies Kft.

Address: Rákóczi út 42, 1072 Budapest, Hungary

Contact person’s name, position and contact details: [email protected].

Activities relevant to the data transferred under these Clauses: As defined by Appendix 1 of the DPA.

Signature and date: Pursuant to Section 1.2 of the DPA.

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred	As specified under Section 3 of Appendix 1 of the DPA.
Categories of personal data transferred	As specified under Section 4 of Appendix 1 of the DPA.
Sensitive Personal Data transferred	Not applicable.
Frequency of the transfer	Data is transferred on a continuous basis.
Nature and purpose of the data transfer and further processing	As specified under Section 2 of Appendix 1 of the DPA.
Period for which the personal data will be retained or criteria used to determine that period	As specified under Section 5 of Appendix 1 of the DPA.
Sub-processor transfers – subject matter, nature, and duration of processing	See as described in the Agreement, Appendix 2, EU SCCs and the UK Transfer Addendum, if applicable.

Appendix 4

Consent and Privacy Notice Wording

1. Requirement to Obtain Consent

The Partner (and/or the End-Customer, if applicable) must ensure that, where required under applicable Data Protection Legislation (including, without limitation, relevant U.S. legislation), it secures each Data Subject’s valid, explicit, and informed consent for the processing of Biometric Personal Data by both Parties as outlined in this Agreement and the Subscription Agreement and by complying with the highlighted requirements below.

2. Notice and Consent Language

The following notice and consent text (or a functionally equivalent version) must be integrated into the Partner’s (and/or the End-Customer’s, if applicable) user interface for any individual utilizing the Partner’s (and/or the End-Customer’s, if applicable) services where SEON’s technology and Services is deployed prior to redirecting the Data Subject to proceed with onboarding:

2.2 Consent to Biometric and Other Personal Data Processing

“I understand and voluntarily agree that my personally identifiable information (“Personal Data”), including biometric information, may be processed by:

1. the organization for which I am undergoing the identity verification process (the “Company”), and
2.  SEON Technologies Kft. (“SEON” or the “Service Provider”), each acting in accordance with applicable privacy and data protection laws.

For more information about SEON and how it processes your Personal Data, including its company detailes and contact details, please refer to the Privacy Notice of SEON made availabe at https://seon.io/legal-and-security/privacy/identity-verification-services/].

I hereby acknowledge and agree that

1. (Categories of Biometric Data) my biometric data that may be processed (including facial features or facial scans) to confirm my identity and/or verify that the identity document presented is legitimately owned by me.
2. (Purposes of Biometric Data Processing) my  biometric data will be processed for the Company’s purposes, which may include compliance with Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) regulations, fraud prevention, age verification, and related legal obligations or business requirements.
3. (Purposes of Biometric Data Processing) SEON may independently process biometric data for compatible purposes, such as service development, fraud/criminal activity prevention, litigation holds, and other legal or regulatory requirements, as further described in SEON’s Privacy Notice made available athttps://seon.io/legal-and-security/privacy/identity-verification-services/
4. (Automated decision making) the Company and SEON may process my biometric data via automated techniques — such as facial scans, liveness checks, video-selfies, face matching with identity documents, and related technologies — to verify my identity, detect the use of multiple or fraudulent identities, and help prevent illegal and fraudent activity.
5. (Disclosure of Personal Data) my Personal Data, including biometric data, may be shared with SEON’s affiliated entities if necessary to achieve the purposes set out above. SEON uses Amazon Web Services (AWS) to stores biometric data, as its sub-processor.
6. (Retention period) my Personal Data, including biometric data, will be retained by the Company and SEON only for as long as is necessary to fulfill the purposes for which it was collected, or to comply with applicable laws. Biometric data will be permanently destroyed once it is no longer required or after the applicable legal retention period expires.

For residents of Texas, deletion will occur within one (1) year from the date the purpose of collecting the data ends.

For residents of Illinois: deletion will occur within three (3) years from the date the data was initially provided to SEON.

In all other cases, deletion will occur no later than five (5) years after SEON’s receipt of the data or earlier if required by law or upon the Company’s instructions. Additional information regarding data deletion and destruction is provided in SEON’s Privacy Notice made available at https://seon.io/legal-and-security/privacy/identity-verification-services/ ).”

Acknowledgment and Consent

I confirm that I have read, understand, and voluntarily agree to the above terms, and consent to the processing of my biometric data and other Personal Data by the Company and SEON for the purposes described herein.”

3. Hyperlinks to SEON’s Privacy Notice

The Partner (and/or the End-Customer, if applicable) must ensure that the notice and consent includes direct hyperlinks to SEON’s Privacy Notice, available at: https://seon.io/legal-and-security/privacy/identity-verification-services/.

4. Additional Requirements in Partner Documentation

In addition to incorporating the above notice and consent wording, the Partner (and/or the End-Customer, if applicable) must ensure its own policies, notices, and agreements with Data Subjects contain any further requisite terms to meet applicable Data Protection Legislation. These terms should address, among other matters:

• Processing of Personal Data, including biometric data, at the point of facial capture,
• The specific purposes for which biometric data is processed,
• The Partner’s (and/or the End-Customer’s, if applicable) use of third-party service providers (such as SEON) to perform identity verification and any related services,
• Storage, retention periods, international transfers (if applicable), and any other legally mandated disclosures.

5. API Consent Parameter 

Where an API integration is utilized under the Subscription Agreement, the Partner (and/or the End-Customer, if applicable) must implement an API consent parameter, such as privacy_notices_read_consent_given (or a similar parameter specified by SEON), to allow SEON to record and confirm that Data Subjects have been presented with, and agreed to, the provisions described in this Appendix.