BIOCATCH

Data Processing Addendum

This Data Processing Addendum (“DPA”) sets out the respective obligations of BioCatch and the Subscriber with regard to the Processing of End User’s personal data in the context of the provision of Services under the Agreement.

Capitalized terms not defined in Section 11 shall have the meanings assigned to such terms in the Agreement.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of End User Data.

1.    PROCESSING OF END USER DATA.

1.1.    Roles of the Parties. The Parties acknowledge and agree that in relation to the Processing of End User Data, Subscriber shall be deemed as a Controller and BioCatch shall be deemed as a Processor. Parties will comply with their respective obligations under Applicable Data Protection Laws, as further specified in this DPA, including any applicable requirements of the Subscriber to provide notice to relevant End Users of the use of BioCatch as a Processor (including where the Subscriber is a Processor, by ensuring the ultimate Controller does so) and having necessary lawful basis to transfer End User Personal Data to BioCatch for the provision of the Services, as required under Applicable Data Protection Laws, including the pursuit of ‘business purposes’ as defined under the CCPA. 
1.2.    BioCatch Processing of End User Data. BioCatch shall Process End User Data on behalf of the Subscriber and only for the following purposes: (i) in accordance with the Agreement, this DPA, applicable Order Form(s) or agreed equivalent commercial documents describing the scope of work (e.g., Statement of Works); (ii) to comply with other documented reasonable instructions of the Subscriber, where such instructions are consistent with the terms of the Agreement; (iii) rendering End User Data non-identifiable and non-personal data; (iv) as required under the laws applicable to BioCatch.
1.3.    Subscriber Instructions. BioCatch shall inform Subscriber if, in its sole and discretionary opinion, an instruction of the Subscriber pursuant to this DPA infringes any Applicable Data Protection Laws. If a Party notifies the other Party of its inability to comply with its obligations under this DPA that cannot be cured within a reasonable period, the other Party will have the right to temporarily suspend the relevant Processing under this DPA until such time that the Processing is adjusted in such a manner that the noncompliance is remedied. To the extent that such adjustment is not possible, the other Party will have the right to terminate the relevant part(s) of the Agreement, without liability to the other Party. Without limiting the foregoing, Subscriber shall not be entitled to any credits or refunds in such situations. 
1.4.    Confidentiality. Each Party shall hold End User Data in strict confidence and will impose confidentiality obligations on their respective Personnel who will be provided access to, or will otherwise Process, End User Data, including the obligation to protect all End User Data in accordance with the requirements of this DPA (including during the term of their employment or engagement and thereafter).
1.5.    Details of the Processing. The Parties agree that the subject-matter of Processing of End User Data by BioCatch is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of End User Data and categories of data subjects Processed under this DPA are further specified in Schedule 1 to this DPA.


2.    REQUEST OF END USERS AND ASSISTANCE TO SUBSCRIBER

2.1.    Requests or Complaints from End Users. BioCatch shall, to the extent legally required, promptly notify Subscriber of any complaint, dispute or request it receives from an End User in relation to the Processing of End User Data. BioCatch will not respond to any such request or complaint, except to redirect the End User to Subscriber, unless BioCatch is expressly required to do so under Applicable Data Protection Laws and, in such exceptional cases, BioCatch will respond only to the minimum required scope. BioCatch will by appropriate technical and organizational measures, insofar as this is possible and commercially reasonable, cooperate with Subscriber at Subscriber’s sole expense with respect to any action taken relating to such request or complaint, and will seek to implement commercially reasonable appropriate processes to assist Subscriber in responding to requests or complaints from End Users.
2.2.    Assistance to the Subscriber. Upon Subscriber’s request, BioCatch shall, at Subscriber’s cost, provide Subscriber with reasonable cooperation and assistance needed to assist Subscriber in meeting its obligations under Applicable Data Protection Laws, to the extent Subscriber does not otherwise have access to relevant information, and to the extent such information is available to BioCatch. 


3.    SUB-PROCESSORS

3.1.    Use of Sub-Processors. Subscriber acknowledges and agrees that BioCatch may engage another processor for carrying out specific Processing activities related to the Services on behalf of the Controller (“Sub-Processor”). BioCatch will enter into a written agreement with the relevant Sub-Processor containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of the End User Data to the extent applicable to the nature of the Services provided by such Sub-Processor.
3.2.    Current List of Sub-Processors. The current list of Sub-Processors engaged in Processing End User Data for the performance of each applicable Service, including a description of their processing activities and countries of location, is accessible via this link. Subscriber hereby consents to these Sub-Processors, their locations and processing activities as it pertains to their End User Data.
3.3.    Notification of New Sub-Processors and Objection Right. BioCatch will notify Subscriber before engaging a new Sub-Processor in relation to the Processing through email; Subscriber must subscribe to receive such notifications using this link. Within ten (10) days of the Subscriber receiving such notice, Subscriber may object to BioCatch’s use of a new Sub-Processor by notifying BioCatch in writing, providing reasonable grounds relating to the ability of such Sub-Processor to protect End User Data or comply with Applicable Data Protection Laws. Failure to object to such new Sub-Processor within ten (10) days following BioCatch’s notice shall be deemed as acceptance of the new Sub-Processor. In the event of a reasonable objection by Subscriber, Parties will cooperate in good faith to find a solution to address such objection, including by making a change in the Services or recommending a commercially reasonable change to Subscriber’s configuration or use of the Services to avoid the Processing of End User Data by the objected-to new Sub-Processor. If Parties are unable to reach a mutually acceptable solution within thirty (30) days, Subscriber may, as a sole remedy, terminate the Agreement and this DPA with respect only to the Services that cannot be provided by Processor without such new Sub-Processor, by providing notice to BioCatch. Such termination shall not relieve Subscriber of its payment obligations under the Agreement up to the date of termination, and any amounts paid will not be refunded or credited. Until a decision is made regarding the new Sub-Processor, BioCatch may temporarily suspend the Processing of the affected End User Data and/or suspend access to the account. Subscriber will have no further claims against BioCatch due to the termination or suspension of (the relevant parts of) the Agreement (including, without limitation, requesting refunds or credits) in the situation described in this paragraph.
3.4.    Responsibility for Sub-Processor. BioCatch shall be responsible for the acts and omissions of its Sub-Processors to the same extent BioCatch would be responsible if performing the services of each Sub-Processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.


4.    SECURITY STANDARDS AND AUDIT RIGHTS

4.1.    Security. Each Party shall implement and maintain appropriate technical, physical and organizational security measures in relation to the Processing to protect End User Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other forms of unlawful Processing. BioCatch processes End User Data Processed under this DPA in accordance with the BioCatch Security Standards available here. BioCatch agrees and acknowledges that it will not materially decrease the overall security of the Services during a subscription term.
4.2.    Audit. Upon Subscriber’s written request, BioCatch shall contribute to audits conducted by Subscriber, or a certified auditor appointed by Subscriber, for the purpose of verifying BioCatch’s compliance with its obligations under this DPA. To this end, upon Subscriber’s request, BioCatch shall supply a copy of its most recent third-party assessment, where available. 
4.3.    Where no such third-party assessment is available or is sufficient, as mutually agreed by Parties, Subscriber may, no more than once every twelve (12) months or following a Personal Data Breach or other clear indication that BioCatch is not in compliance with this DPA, request BioCatch to complete a security assessment questionnaire seeking verification of compliance with the terms and conditions of this DPA, which BioCatch will complete. 
4.4.    If, after the original security questionnaire assessment, Subscriber reasonably determines that further assessment is required for Subscriber to verify BioCatch’s compliance with this DPA, Subscriber may request upon thirty (30) days’ prior notice for a mutually-agreed upon certified third-party auditor who is not a competitor of BioCatch to perform a review with a scope to be mutually agreed by the Parties, where such review does not compromise confidentiality obligations to any of BioCatch’s other customers. Any such audits agreed between the parties in this Section 4.4 shall be conducted no more than once every twelve (12) months and during regular business hours and shall be subject to (i) a detailed written audit plan reviewed and approved by BioCatch; and (ii) BioCatch’s security and other policies. Upon completion of an audit, Subscriber shall provide BioCatch with a copy of the audit report, which, together with all materials and information received or reviewed pursuant to this paragraph, shall be treated as BioCatch’s confidential information and may not be disclosed without BioCatch’s prior written consent and may not be used for any other purpose except verifying BioCatch’s compliance under this DPA, both except as required by law. Subscriber shall return all records or documentation in Subscriber’s possession or control provided by BioCatch in the context of the audit and/or the inspection. Subscriber shall be fully responsible for bearing all the costs and expenses arising from or related to this Section 4.4. 
4.5.    In the event that such audit or inspection uncovers unauthorized Processing of End User Data, Subscriber shall have the right to, upon notice, take reasonable and appropriate steps to stop and remediate such unauthorized Processing. 

5.    PERSONAL DATA BREACH

5.1.    Personal Data Breach Notification. As a Processor, BioCatch shall maintain appropriate measures to protect End User Data, as agreed between the Parties and in accordance with the requirements of the Applicable Data Protection Laws. BioCatch shall notify Subscriber without undue delay and, in any event, within 48 (forty-eight) hours after becoming aware of any Personal Data Breach caused by BioCatch. 
5.2.    Incident Management. After providing notice as described above, BioCatch will provide commercially reasonable assistance requested by Subscriber in the furtherance of any correction, remediation, investigation or recording of any Personal Data Breach, including any notification that is required under Applicable Data Protection Laws to send to affected End Users, regulators or third parties, and/or the provision of any credit reporting service that Applicable Data Protection Laws require to provide to affected End Users. Unless required by law applicable to BioCatch, BioCatch will not notify any End User or any third party other than law enforcement of any potential Personal Data Breach involving End User Data in any manner that would identify Subscriber, without first obtaining written permission of Subscriber. Any costs relating to a Personal Data Breach not caused by BioCatch’s violation of this DPA shall be borne by Subscriber. Subscriber will not make any disclosure concerning any Personal Data Breach that directly or indirectly identifies BioCatch (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without BioCatch’s prior written approval, unless, and solely to the extent that, Subscriber is compelled to do so by Applicable Data Protection Laws, in which case Subscriber will limit the disclosure to the minimum scope required. If Subscriber is required by Applicable Data Protection Laws to make the disclosure, unless prohibited by law, Subscriber shall provide BioCatch with reasonable prior notice and provide BioCatch with the opportunity to review and object to such disclosure.


6.    GOVERNMENT ACCESS REQUESTS

6.1.    Disclosure Requests. If BioCatch receives a valid and binding order, demand, warrant or any other document requesting or purporting to compel the production of End User Data (including, for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil or criminal investigative demands or other similar processes) by any competent authority (“Disclosure Request”), BioCatch will promptly notify Subscriber (except to the extent prohibited by laws applicable to BioCatch), so that Subscriber may, at its own sole expense, exercise such rights as it may have under applicable law to prevent or limit such disclosure. Notwithstanding the foregoing, BioCatch will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of End User Data and will cooperate with Subscriber at Subscriber’s sole expense with respect to any action taken relating to such request, complaint, order or other document, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to End User Data. 
6.2.    Regulatory Investigations. Upon Subscriber’s request, BioCatch shall reasonably assist and support Subscriber in the event of an investigation by any law enforcement body or regulator, including a data protection or similar authority, if and to the extent that such investigation specifically relates to End User Data handled by BioCatch on behalf of Subscriber in accordance with this DPA. Such assistance will be at Subscriber’s cost. 
6.3.    Notifications by Subscriber. Unless prohibited to do so by applicable law, Subscriber shall notify BioCatch without undue delay if it: (a) receives an inquiry, a subpoena or a request for inspection or audit relating to the Processing from a competent public authority; (b) detects or reasonably suspects that a Personal Data Breach has occurred other than in circumstances set out in Section 5; (c) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this DPA; or (d) has reason to believe that it is unable to comply with any of its obligations under this DPA and cannot cure this inability to comply within a reasonable period. 


7.    RETURN AND DISPOSAL OF END USER DATA 

7.1.    Return or Disposal. Upon termination or expiration of the Agreement or upon Subscriber’s request, BioCatch will immediately cease handling End User Data and will, upon Subscriber’s choice, return or delete such End User Data except as otherwise required by law applicable to BioCatch, as authorized by Subscriber, the Agreement or as needed for dispute resolution purposes. If BioCatch disposes of any paper, electronic or other record containing End User Data, BioCatch will do so by taking all reasonable steps (based on the sensitivity of End User Data) to destroy End User Data by: (a) shredding; (b) permanently erasing and deleting; (c) degaussing; or (d) otherwise modifying End User Data in such records to make them non-identifiable and non-personal. BioCatch will continue to protect any End User Data it retains after termination or expiration of the Agreement in accordance with the Agreement and this DPA. Notwithstanding any other provision of the Agreement or this DPA, upon termination or expiration of the Agreement, BioCatch may retain one copy of End User Data as necessary for exercise or defense of legal claims and/or compliance with legal obligations.


8.    DATA TRANSFERS. 

8.1.    Transfer Jurisdiction(s). Subscriber acknowledges and consents to the Transfer of End User Data to jurisdictions throughout the world, and instructs BioCatch to Transfer End User Data as BioCatch understands necessary to provide the Services, including to jurisdictions that may not have granted an Adequacy Decision. Where Applicable Data Protection Laws require a Transfer Mechanism for the Transfer of End User Data not explicitly instructed below, Parties will cooperate in good faith to put in place a Transfer Mechanism that meets the requirements set out in Applicable Data Protection Laws.
8.2.    Restricted Transfers from the EEA, the UK and Switzerland. This Section applies solely to restricted Transfers of End User Data by Subscriber or a Subscriber affiliate in the European Economic Area, the UK or Switzerland (for purposes of this DPA, together, “EEA”) to BioCatch.  
a.    Where this Section 8.2 applies, the Parties will be deemed to have entered Standard Contractual Clauses in respect to such Transfer of End User Data, whereby:
i.    Subscriber is the “data exporter” and BioCatch is the “data importer”
ii.    Clause 7 (Docking Clause) of the Standard Contractual Clauses, which is optional, shall not apply.
iii.    Clause 9 (Use of sub-processors) of the Standard Contractual Clauses: General Written Authorization (Option Two) shall apply, and specified time period shall be ten (10) days. 
iv.    Clause 11(a) Redress of the Standard Contractual Clauses, which is optional, shall not apply.
v.    Clause 13(a) (Supervision), Clause 17 (Governing Law) and Clause 18 (Jurisdiction) of the Standard Contractual Clauses shall be at the same jurisdiction of the Agreement. 
vi.    Annex 1 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant section above and of Schedule 1 to this DPA. 
vii.    Annex 2 of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections above and of the Schedule 2 to this DPA. 
b.    The Parties agree that for any restricted Transfer of End User Data that is subject to the Swiss Federal Act on Data Protection, the Standard Contractual Clauses incorporated into this DPA in this Section shall be amended as follows:
i.    The term “EU Member State” must not be interpreted in such a way as to exclude End Users in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
ii.    References to the GDPR are to be understood as references to the Federal Act on Data Protection.
iii.    In Clause 17, the EU SCCs will be governed by the laws of Switzerland.
iv.    In Annex I.C., the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority.
c.    The Parties agree that for any restricted Transfer of End User Data that is subject to the UK GDPR (as defined in section 3(10) and section 205(4) of the UK Data Protection Act 2018), the Standard Contractual Clauses incorporated into this DPA in this Section shall be amended as follows:
i.    The UK IDTA including Part 2 ‘Mandatory Clauses’, are herein incorporated by reference and shall apply in full;
ii.    In Table 1 of the UK IDTA, the names of the Parties, their roles and their details shall be set out in the Schedule 1 of this DPA;
iii.    In Tables 2 and 3 of the UK IDTA, the version of the Standard Contractual Clauses incorporated into this DPA will apply, including the information set out in the Schedules 1 and 2 of this DPA; and
iv.    In Table 4 of the UK IDTA, neither Party may end the UK IDTA.

8.3.    Restricted Transfers from Argentina. This Section applies solely to restricted Transfers of End User Data by Subscriber or a Subscriber affiliate in Argentina to BioCatch or an Authorized Subcontractor (i) located outside Argentina and (ii) not considered by Argentina to provide adequate data protection. Where this Section 8.3 applies, the Parties agree to adopt the Argentina Model Clauses.
8.4.    Restricted Transfers from the Abu Dhabi Global Market Free Zone (ADGM). This Section applies solely to restricted Transfers of End User Data by Subscriber or a Subscriber affiliate in ADGM to BioCatch or an Authorized Subcontractor (i) located outside ADGM and (ii) not considered by ADGM to provide adequate data protection. Where this Section 8.4 applies, the Parties agree to adopt the ADGM Data Transfer Agreement. 
8.5.    Restricted Transfers from Brazil. This Section applies solely to restricted Transfers of End User Data by Subscriber or a Subscriber affiliate in Brazil to BioCatch. Where this Section 8.5 applies, the Parties agree to adopt the Brazilian Standard Contractual Clauses.
8.6.    Alternative Transfer Mechanism. At the request of BioCatch, Subscriber shall cooperate with putting an alternative Transfer Mechanism in place, for example in case a Transfer Mechanism is no longer valid or appropriate, or if an improved version is made available.


9.    SPECIFIC JURISDICTION PROVISIONS.

9.1.    Australia. This Section applies solely if Subscriber, or any relevant Subscriber affiliate, is located in Australia or Subscriber otherwise notifies BioCatch that this Section applies.
a.    If, subject to Section 1.9, BioCatch uses or discloses End User Data for one or more enforcement activities conducted by, or on behalf of, an enforcement body, BioCatch must keep a written record of the use and disclosure and promptly provide a copy of the record to Subscriber, unless such notice is prohibited by law applicable to BioCatch.
b.    If, subject to Section 1.10, the BioCatch “reasonably believes” that there has been a Personal Data Breach, if at any time the BioCatch has reasonable grounds to suspect that there has been a Personal Data Breach.
9.2.    Israel. To the extent that Subscriber is located in Israel or that End User Data is subject to Israel’s Protection of Privacy Law 5741-1981 (PPL), the parties agree to cooperate in good faith to adopt and incorporate any additional terms required to ensure compliance with the PPL, including by executing BioCatch’s PPL Schedule, as needed and upon request. 
a.    USA. This Section applies solely if End User or Subscriber are in the United States of America and are subject to relevant Applicable Data Protection Laws. BioCatch will not: (i) sell or share End User Data; (ii) retain, use, or disclose End User Data to any third party for the commercial benefit of BioCatch outside of its direct business relationship with Subscriber, or for any business or commercial purpose other than necessary for the specific purpose of performing the Services in accordance with the Agreement or as permitted by Applicable Data Protection Laws; nor (iii) combine the End User Data it receives on behalf of Subscriber with information that identifies an individual or relates to an identifiable individual that BioCatch receives from, or on behalf of, other persons, or collects from its own interaction with the individual separate from the Services.
b.    BioCatch certifies that it understands and will comply with the foregoing restrictions. BioCatch shall notify Subscriber after it makes a determination that BioCatch can no longer meet its obligations under this Section 9.3. 
9.3.    Additional Country Specific Terms. If additional Processing (including Transfer) requirements are necessary for any specific jurisdiction in order for the Processing by BioCatch or its Authorized Subcontractors to be compliant with Applicable Data Protection Law, the Parties shall negotiate in good faith to amend this DPA to reflect such requirements and implement these provisions accordingly.


10.    MISCELLANEOUS.

10.1.    Survival. The obligations of BioCatch under this DPA will continue for as long as BioCatch continues to have access to, is in possession or control of, or acquires End User Data, even if all agreements between BioCatch and Subscriber have expired or have been terminated. 
10.2.    Contact Details for Notifications. Any notification under this DPA will be made in writing (including via email) using the following contact details. Parties are responsible for ensuring that these contact details are at any time accurate and up-to-date.
a.    BioCatch: privacy@biocatch.com 
b.    Subscriber: unless otherwise specified, to Subscriber’s contact information in BioCatch’s records
10.3.    Conflicts. To the extent there is any conflict between Sections 1 of this DPA and the terms of a Transfer Mechanism applicable under Section 8, the terms of the Transfer Mechanism will prevail. 
10.4.    Language. This DPA is in the English language only, which language is controlling in all respects, and all versions hereof in any other language will not be binding on the Parties.  All communications and notices to be made or given pursuant to this DPA must be in the English language. 


11.    DEFINITIONS. 
Capitalized terms used in this DPA have the same meaning as those used in the Agreement, unless explicitly provided otherwise. Any terms used in this DPA, which are defined in Applicable Data Protection Laws and not otherwise defined in this DPA or the Agreement, shall have the meaning as set out in such Applicable Data Protection Laws.
11.1.    “Adequacy Decision” means a decision issued by a relevant data protection authority that a country or region or a category of recipients in such country or region is deemed to provide an adequate level of data protection. 
11.2.    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
11.3.    “Argentina Model Clauses” means the model contractual clauses included in the Implementation Guide of Model Contractual Clauses for International Personal Data Transfers of the Ibero-American Data Protection Network, approved by the Agency of Access to Public Information (AAIP)  of Argentina, as laid down in the Resolution No. 198/2023 of 18 October 2023.
11.4.    “Applicable Data Protection Laws” means relevant laws and regulations concerning data protection and privacy that apply to the Processing of End User Data in the context of the provision of Services under the Agreement.
11.5.    “Authorized Subcontractors” means any subprocessors properly engaged by BioCatch in compliance with this DPA.
11.6.    “Brazilian Standard Contractual Clauses” means the standard contractual clauses on international data transfers from Brazil and the content of standard contractual clauses, as laid down in the Schedule Two (Anexo II) of the Resolution CD/ANPD No. 19 of 23 August 2024 (Resolução CD/ANPD nº 19, de 23 de agosto de 2024), available at <https://pesquisa.in.gov.br/imprensa/jsp/visualiza/index.jsp?data=23/08/2024&jornal=515&pagina=123>.
11.7.    “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
11.8.    “Controller” shall have the same meaning as in the applicable Data Protection Laws or, where not defined in the Applicable Data Protection Laws, shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of End User Data.
11.9.    “End User” means an employee of Subscriber who uses the Services or a client, prospective client or other individual who interacts with Subscriber’s mobile application(s) or online service(s).
11.10.    “End User Data” means any information relating to an identified or identifiable End User processed by BioCatch for the performance of the Services pursuant to the Agreement, as specified in the Schedule 1 or pursuant to documented instructions of the Subscriber, under the terms and conditions of the DPA. For avoidance of doubt, End User Data does not include aggregated, anonymous, non-personal or non-identifiable information that has been generated from End User Data. Where Applicable Data Protection Laws allow, End User Data shall not include publicly available information.
11.11.    “Standard Contractual Clauses” means the standard contractual clauses (Module 2), as laid down in the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCC”) available at <https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj> and where applicable together with the template International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO and laid down before UK Parliament in accordance with section 119 of the Data Protection Act 2018 for the transfer of personal data to processors established in third countries (“UK IDTA”) available at <https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf>, both EU SCC and UK IDTA included herein by reference.
11.12.    “Party or Parties” means BioCatch and Subscriber.
11.13.    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, End User Data transmitted, stored or otherwise Processed.
11.14.    “Personnel” means any employee, contractor, subprocessor or agent whom a Party authorizes to access or Process End User Data.
11.15.     “Process” or “Processing” means the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, augmentation or other use of End User Data, whether by automated means or otherwise.
11.16.    “Processor” shall have the same meaning as in the applicable Data Protection Laws or, where not defined in the Applicable Data Protection Laws, shall mean a natural or legal person, public authority, agency or other body which performs Processing of End User Data on behalf of the Controller. Where Data Protection Laws include laws of the United States of America, Processor shall have the same meaning of “service provider”, as defined in the CCPA.
11.17.    “Services” means the services provided by BioCatch to Subscriber under the Agreement and/or relevant Order Form(s).
11.18.    “Special Categories of Data” or “Sensitive Information” means any of the following types of End User Data: (i) Social Security or identity card number, taxpayer identification number, passport number, driver’s license number or other government-issued identification number; (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account or credit history; or (iii) information on race, religion, ethnicity, sex life or practices or sexual orientation, medical information, health information, genetic or biometric information, biometric templates, political, religious or philosophical beliefs, political party or professional or trade union membership, background check information or judicial data such as criminal records (including alleged commission of an offense) or information on other judicial or administrative proceedings.
11.19.    “Sub-Processor” shall have the meaning defined in Section 3.1.
11.20.    “Transfer” means the access by, transfer or delivery to or disclosure of End User Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction from which the End User Data originated, where the destination country is not subject to an adequacy decision by a competent authority. When US entities are certified under EU-US Data Privacy Framework and its extensions, the Parties agree that transfers of personal data to such entities are not considered to be Transfers.
11.21.    “Transfer Mechanism(s)” means Standard Contractual Clauses, Argentina Model Clauses, Brazilian Standard Contractual Clauses, and/or any other transfer mechanism required under Applicable Data Protection Laws to facilitate a Transfer. 
