
Privacy FAQs

Last updated: February 2026

What is Signifyd and how do its Services work?
Signifyd provides fraud services (“Fraud Services”) to our subscribers (“Subscribers”) on their e-commerce storefronts (e.g. websites and mobile apps). We provide Fraud Services on end users’ transactions, from account creation and login to checkout and returns, all to determine whether these transactions are likely legitimate or fraudulent.

We make these determinations using our collective dataset (the “Signifyd Commerce Network”) and our predictive, built for purpose, fraud models.

What is the Signifyd Commerce Network?
The Signifyd Commerce Network is a collective dataset built from hundreds of billions of global transactions across Signifyd Subscribers. This creates a powerful network effectively protecting all Subscribers and reducing their fraud losses.

When Signifyd analyzes a new transaction, we evaluate it against the backdrop of the Signifyd Commerce Network. Specifically, we use the data within the Signifyd Commerce Network to train and improve Signifyd’s predictive model, which is essential to our ability to provide fraud protection capabilities for the benefit of all Subscribers. However, we never share a Subscriber’s data with other Subscribers.

This allows us to identify and block fraudulent activities across all of our Subscribers, not just where the fraud first occurred. An attempted fraud on one Subscriber becomes a lesson that subsequently protects all other Subscribers, all while keeping each Subscriber’s data private.

How does Signifyd use machine learning to provide its Fraud Services?
Signifyd uses predictive modeling in its Services to determine if a transaction is likely legitimate or fraudulent. Our predictive models use statistical techniques and historical and real-time data to forecast the likelihood of fraud.

Our predictive models are trained on the Signifyd Commerce Network, a collective dataset built from hundreds of billions of global orders across our Signifyd Subscribers. This creates a powerful network effect protecting all Subscribers and reducing their fraud losses. Specifically, Signifyd uses the data within the Signifyd Commerce Network to create “features” and build our predictive models.

Who controls the inputs and outputs to Signifyd’s predictive model?
Generally speaking, inputs are any information, data, decisions, prompts or discussions that a model receives or is provided access to. These inputs are used to create the outputs generated by the model, which are primarily numerical values between 0 and 1 (“scores”) and occasionally text, like a product category.

In Signifyd’s case, the inputs are the Subscriber Data, while the output generated by Signifyd’s predictive model is Signifyd’s decision as to whether a particular order is fraudulent or legitimate. Signifyd is fully in control of both the inputs our model receives and the type of outputs generated by the model.

Why does Signifyd need a license to Subscriber Data from its Subscribers?
Signifyd obtains a license from our Subscribers, which allows Signifyd to process order information for the legitimate business purpose of identifying and preventing fraud. We require the same license from all of our Subscribers in order to provide our Services.

This license allows Signifyd to use techniques such as predictive models, LLMs and similar technologies in order to provide, maintain and improve the Services. In addition, Signifyd may also combine Subscriber Data with data from other Signifyd Subscribers.

Does Signifyd comply with Data Protection regulations and what is Signifyd’s Role in Data Processing?
Regardless of the jurisdiction from which personal data originates, Signifyd’s nature and purpose of processing personal data remains consistent. As detailed in our Data Processing Addendum, Signifyd is strictly limited to processing Subscriber Personal Data for the Fraud Related Purposes, which includes the “fraud identification, prevention, dispute and monitoring, and analyzing of data for the purpose of building, maintaining and improving Signifyd’s predictive models and fraud-related services, including through the use of LLM and similar technologies.”

At the core of our Services, Signifyd must: (i) make its own decisions on what personal data to use from the Commerce Network in order to make a fraud determination in its predictive modeling capabilities; (ii) make its own decision to determine which data fields from a given transaction to use in its predictive model; (iii) determine which third parties may access the data for the Fraud Related Purposes; and (iv) determine how long to retain personal data for the Fraud Related Purposes.

Different jurisdictions permit processing of personal data for the Fraud Related Purposes under different legal designations or nomenclatures. For example, under the GDPR, data processing for the purposes of fraud prevention and with the use of machine learning can only be performed by a “Controller.” In contrast, data processing for the purposes of fraud prevention can be performed by “Service Providers” or “Contractors” under the CCPA.

On the surface, this may look confusing and inconsistent, but it is important to note that how and why Signifyd processes data remains consistent, regardless of designation or nomenclature.

Does Signifyd sell or share data?
No, Signifyd does not “sell” or “share” data as defined by US State privacy laws. Signifyd’s designation as a Service Provider reduces the risk of a regulator misinterpreting a Subscriber’s disclosure of data to Signifyd as a “sale.” Regulators like the California Consumer Privacy Protection Agency (“CPPA”), in particular, view data disclosure to non-Service Provider third parties as a likely “sale.”

How does Signifyd handle data subject rights (DSARs)?
Because Signifyd combines and otherwise processes Subscriber Data across Subscribers for the Fraud Services, privacy laws (e.g. GDPR, CCPA) do not mandate our Subscribers to require Signifyd to delete or correct Subscriber Data in response to data subject requests. Privacy laws generally contain exceptions from compliance with these types of requests when data is being processed for the Fraud Related Purposes.

Entities are generally exempt from fulfilling data subject rights requests when they are processing personal data for fraud detection purposes. This is because any such request to exercise data subject rights (rights to access, delete, limit, or correct, for example) may allow nefarious actors to further commit fraud against Subscribers.

What type of data does Signifyd collect from its Subscribers?
Signifyd collects data from Subscribers about their end users’ interactions and transactions on a Subscriber’s e-commerce storefront. This data is a combination of (1) Subscriber data and (2) personal data about the Subscriber’s end user (“Subscriber Personal Data”).

For example, for a typical order placed by a Subscriber’s end user at checkout, Signifyd will receive (1) Subscriber data relating to the order, such as product category and price, and (2) Subscriber Personal Data, such as physical address, email address, and phone number.

In addition to this information, Signifyd also collects behavioral, device, and connection data through standard tracking technologies (our JavaScript and mobile SDK), which are embedded on Subscribers’ e-commerce storefronts.

For a full list of the data that Signifyd collects, please see our API documentation and our Privacy Notice.

Where is Subscriber data stored?
All Subscriber data Signifyd receives, regardless of where the Subscriber is located, is sent to the U.S. to build the most accurate model. Our data is stored on our AWS/GCP Subprocessors.

How does Signifyd secure Subscriber data?
All Subscriber Data is encrypted at rest and in transit. Signifyd complies with the parameters of applicable regulatory regimes and provides security and anonymization methods as detailed in our ISO 27001 and SOC 2, Type II reports, as well as PCI compliance certifications. Signifyd’s DPA also fully describes the Technical and Organizational Security Measures in place. For additional specifics, please request a copy of Signifyd’s DPA and the corresponding Technical and Organizational Security Measures.

Do Subscribers need to get consent from their end users for Signifyd's services?
Signifyd does not have direct privity with a Subscriber’s end users. As such, Signifyd looks to our Subscribers to collect and maintain consents from their end users. If Subscribers aren’t authorized to share the Subscriber Personal Data with Signifyd (e.g. through a notice and consent mechanism), Signifyd’s processing of the Subscriber data isn’t valid. Without the Subscriber guaranteeing they obtain any necessary consents for this data, Signifyd would be processing data without a legal basis, which could expose both parties to significant regulatory and legal risks.