Signifyd’s Data, Privacy and Security Addendum
In compliance with the European Union’s General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, Signifyd has rolled out updates to its comprehensive privacy program for our customers doing business in Europe. To facilitate our customers’ compliance with requirements for contracts between entities involved in processing personal data, Signifyd is providing its customers with a GDPR Addendum to their master subscription agreement with Signifyd. Signifyd also continues to subscribe to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the processing of personal information that is transferred from the European Economic Area to the United States. Signifyd has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
Signifyd’s GDPR Addendum
The GDPR Addendum contains all the terms and commitments required by the GDPR for compliant contracts between two controllers. It is specifically tailored to Signifyd’s platform, applications, and architecture, and, when executed, modifies the master subscription agreement to align with the GDPR.
Signifyd and Subscriber each as a Controller
Upon advice of our local European counsel, Wilson Sonsini Goodrich & Rosati, Signifyd has opted to be a controller under the GDPR for the data our customers pass to us. Signifyd is responsible for performing the services to our customers as set forth in the master subscription agreements, in particular fraud identification, prevention, dispute and monitoring, and for analyzing data for the purpose of building, maintaining and improving Signifyd’s predictive models and fraud-related services. The GDPR, specifically in Recitals 47 and 71, recognizes these purposes as legitimate interests that provide a legal basis for a controller to process personal data. Our customers remain responsible for their own processing activities, including customer relationship management with data subjects.
Who needs to execute Signifyd’s GDPR Addendum?
For any question involving the interpretation or applicability of the GDPR, you should consult with your legal counsel.
In general, Signifyd customers must execute the GDPR Addendum if they:
- Have an establishment in the European Union, European Economic Area, or Switzerland, regardless of whether the processing takes place in the European Union/European Economic Area/Switzerland or not;
- Offer goods or services, irrespective of whether payment is required, to data subjects in the EU/EEA/Switzerland;
- Monitor the behavior of data subjects that takes place within the EU/EEA/Switzerland.
A Signifyd customer does not need to execute the GDPR Addendum if it does not pass any personal data from data subjects in Europe to us; however, we request you still execute the GDPR Addendum so that we can be in compliance should you start to offer goods or services to Europeans.
Cross-Border Data Transfers
Because Signifyd relies on large data sets to build and execute its machine-learning fraud prevention algorithms, Signifyd takes privacy very seriously. We treat the data that our customers collect and use on our platform with the utmost sensitivity and employ strict policies and protections to help ensure the privacy of that information.
Signifyd certified to the EU-US Privacy Shield Framework for the transfer of personal data from the European Union prior to the Court of Justice of the European Union’s decision on July 16, 2020 to invalidate this framework. Signifyd will continue to comply with Privacy Shield principles while also utilizing Standard Contractual Clauses.
Privacy Shield - The EU-US Privacy Shield Framework is a data protection principles safe-harbor mechanism agreed upon by the US Department of Commerce with the European Commission to facilitate data transfers between the European Economic Area and the US. Signifyd's Privacy Shield certification can be found on the Department of Commerce website.
Who should sign the GDPR Addendum for my company, and how can they do so?
The GDPR Addendum should be signed and executed by an authorized signatory for your company. If you are not sure whether you are an authorized signatory, consult your legal counsel before signing.
The DocuSign version of the GDPR Addendum is made available for customers in jurisdictions that accept e-signatures and can be completed and signed electronically. If you have multiple entities with master subscription agreements with Signifyd, please enter each such entity on the “Subscriber” line, or execute multiple versions of the GDPR Addendum if there are different authorized signatories. If necessary, you can download a PDF version of the GDPR Addendum, execute it manually, and submit it as an email attachment to email@example.com.
What if I have additional questions?
If you have questions that are not answered here, please contact your Signifyd representative, and they will put you in contact with Signifyd’s compliance and legal departments, or reach out to firstname.lastname@example.org.