Signifyd.com European Data, Privacy and Security Policy

Effective date: April 20, 2018 to January 30, 2023

This European Data, Privacy and Security Policy (the “GDPR Policy”) is incorporated by reference into the Terms of Service and all related orders for the Fraud Screening Services between Subscriber and Signifyd, Inc. (the “Agreement”). This GDPR Policy is entered into as of the later of the dates beneath the parties’ signatures below.

This GDPR Policy is supplemental to the Agreement and regulates the parties’ Processing of Personal Data subject to European Data Protection Law under the Terms of Service, which forms an integral part of this GDPR Policy. This GDPR Policy will prevail over any conflicting term in the Terms of Service.

1. Defined Terms. The terms used in this GDPR Policy have the meaning set forth in this GDPR Policy. Capitalized terms not defined herein have the meaning given to them in the Terms of Service.
   1. “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
   2. “Data Subject” means any natural person whose Personal Data are Processed in the context of this GDPR Policy.
   3. “Europe” means the member states of the European Union, the United Kingdom, the European Economic Area, the European Free Trade Agreement, and Monaco.
   4. “European Data Protection Law” means Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union, and their implementations in European Union and national law, including Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC); as well as all national, regional, and local data protection acts of Europe; each as may be amended or repealed from time to time.
   5. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
   6. “Processor” means the entity which Processes Personal Data on behalf of a Controller.
   7. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Roles of the Parties. Each party is an independent Controller for its Processing of Personal Data described in this GDPR Policy. The parties acknowledge and confirm that neither party acts as a Processor on behalf of the other party, and that the Terms of Service, does not create a joint-Controllership or a Controller-processor relationship between the parties. For the avoidance of doubt, Signifyd is responsible for performing the Services to Subscriber as set forth in the Terms of Service, in particular fraud identification, prevention, dispute and monitoring, and to analyze data for the purpose of building, maintaining and improving Signifyd’s predictive models and fraud-related services. Subscriber is responsible for its own Processing activities, including customer relationship management with Data Subjects.
3. Data Protection Principles. Subscriber warrants and represents that: (a) Data Subjects have been informed of Signifyd’s use of Personal Data as required by European Data Protection Laws; and (b) Signifyd can rely on a valid legal ground for the Processing of Personal Data under European Data Protection Laws, and if required under European Data Protection Laws Subscriber has obtained consent from Data Subjects for the processing by Signifyd in the context of the Services. Subscriber warrants and represents that, in relation to its own Processing of Personal Data, it acts as a Controller and that it will Process Personal Data in accordance European Data Protection Law, in particular relying on a valid legal ground for the Processing, providing notice to Data Subjects with regard to the Processing of Personal Data and complying with Data Subjects’ rights with regard to the Processing, as well as internal records requirements. Subscriber will take steps to ensure that any person acting under their authority who has access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation that are substantially similar to those required under this GDPR Policy.
4. Cross-Border Data Transfers. Each party may transfer the Personal Data Processed as described in this GDPR Policy outside of Europe in accordance with European Data Protection Law.
5. Data Disclosures. Each party will promptly report to the other party any unauthorized access to Personal Data in connection with the Terms of Service and use diligent efforts to remedy such breach in a timely manner. Except as prohibited by law, the content of any filings, communications, notices, press releases or reports related to any breach of security in connection with the Terms of Service must be prepared in cooperation with the other party before any such publication or communication.
6. Each party will cooperate with the other party to fulfill compliance obligations under European Data Protection Law and enter into any further privacy, confidentiality, or information security agreement reasonably requested by the other party for purposes of compliance with applicable European Data Protection Law. In case of any conflict between the Terms of Service and any such further privacy, confidentiality, or information security agreement, such further agreement shall prevail with regard to the Processing of Personal Data covered by it.
7. Subject to the liability clauses in the Terms of Service and to the maximum extent permitted by European Data Protection Law, each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law with regard to Processing of Personal Data for which it is a Controller. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. Subscriber will indemnify Signifyd for any damages or claims arising from a violation of Subscriber’s obligations to comply with European Data Protection Laws, in particular from a failure to provide notice to, and where required under European Data Protection Laws obtain consent from, individuals as specified under 3(a) and (b) above.
8. Inability to Comply. Subscriber will promptly notify Signifyd in writing if Subscriber cannot comply with its obligations under this GDPR Policy.