TERMS OF SERVICE

AUTHENTEQ IDENTITY VERIFICATION

These terms of service (the “Terms of Service”) together with any other documents incorporated herein, form the agreement relating to the receipt and use of the Services (the “Agreement”) between (1) Authenteq Tarbena GmbH, a company duly established and existing under the laws of Germany, registered under number HRB191401B and VAT No. DE315770014 with its registered office at Pappelallee 78/79, 104347 Berlin (“Authenteq”); and (2) the entity purchasing the Services (the “Client”).

By ticking the box indicating acceptance of these Terms of Service, the Client agrees to enter into the Agreement, which will be binding on the Client and Authenteq.

1. DEFINITIONS AND INTERPRETATION

1.1. Definitions and interpretation. The definitions and rules of interpretation in clause 17 apply to this Agreement.

2. UPDATES TO THESE TERMS OF SERVICE

2.1. Updates. Authenteq reserves the right to amend these Terms of Service in its sole discretion from time to time, in which case Authenteq shall notify the Client in writing. Unless the Client objects in accordance with clause 2.2 below, the updated Terms of Service shall automatically take effect thirty (30) days after such notification (or on such other date as specified in the notification).

2.2. Client’s Objection to Updates. If the Client objects to the updates to these Terms of Service, the Client may, prior to the date on which the updates are due to take effect, notify Authenteq of its objection and exercise its right of non-renewal in accordance with clause 3.2. In such case, the updates shall not take effect for the Client and this Agreement shall terminate in accordance with clause 3.2.

3. TERM

3.1. This Agreement shall come into force on the Effective Date and, unless terminated earlier in accordance with these Terms of Service, shall continue in effect on a rolling, monthly or annual, basis until either party gives notice of non-renewal under clause 3.2.

The subscription billing cycle is either monthly in Monthly plan or annual in Annual plan. In case of the Monthly plan the customer is charged a subscription fee at sign up and at every monthly anniversary of the sign up. In case of the Annual plan the customer is charged a subscription fee at sign up and at every annual anniversary of the sign up. In both cases the subscription is paid upfront.

The verification billing cycle is always monthly. Verifications are billed monthly, in arrears, and the first billing cycle begins on date of sign up. In case of plan upgrades the billing and subscription cycle date changes from the sign up date to the plan upgrade date.

3.2. The Client may terminate the Agreement at any time and will retain access to the Service for the remainder of the billing period.

4. PROVISION OF SERVICES

4.1. Product. Authenteq shall provide the Product in accordance with these Terms of Service and all laws applicable to the provision of the Product.

4.2. Technical Support. Authenteq shall also provide technical support—accessible by contacting support@authenteqstaging.itiswise.com—from Monday till Friday between the hours of 9:00-17:00 Central European Time.

5. CLIENT OBLIGATIONS

5.1. Client Materials integration. Where the Product is to be integrated into any Client Materials, the Client shall ensure that the Client Materials are capable of interfacing with the Product in accordance with the specifications set out in the SDK Operations Manual accessible at https://docs.authenteq.com/. Authenteq shall not have any responsibility or liability to the extent that any failure in operation or performance of the Services is due to the inadequacy of design or performance of the Client’s Materials.

5.2. Client co–operation. The Client shall co-operate with Authenteq as reasonably required to allow Authenteq to deliver the Services and shall ensure that suitably qualified personnel are available to carry out any tasks which are reasonably necessary to enable Authenteq to meet its obligations.

5.3. Use of the Product. The Client shall ensure that the Product is used only in accordance with this Agreement and shall notify Authenteq if it becomes aware of any unauthorized use of the Product.

5.4. Security. The Client shall maintain appropriate and up-to-date malware and anti-virus software for detecting and preventing the introduction of any virus or similar, to Authenteq’s (and its’ Affiliates’ and subcontractors’) systems.

6. FEES AND PAYMENT

6.1. Fees. The Client shall pay Authenteq the Fees as consideration for the Subscription Plan, verifications (if applicable) and add-ons (if applicable). If the Client fails to pay any Fees due, Authenteq may (without liability) suspend access to the Services until all outstanding Fees have been paid.

6.2. Payment. Authenteq will bill the Client on a monthly or annual basis, depending on the Subscription Plan chosen by the Client. The payment will be taken directly from the credit card, using an automated payment process that us made through the payment processor.

6.3. Interest. Authenteq may charge interest on overdue sums in accordance with the Late Payment of Commercial Debts (Interest) Act 1998.

6.4. Taxes. (a) All sums payable under this Agreement are exclusive of VAT and other taxes, however, designated or levied, for which the Client shall be responsible. Authenteq shall invoice the Client for any Taxes payable by the Client that it is required to collect under applicable law and shall remit any such Taxes as required by law. (b) The Client shall pay each invoice in full and in cleared funds without any deduction, set-off or withholding for Tax (for the purpose of this clause a “Tax Deduction”). If the Client is required to make any Tax Deduction, the Client agrees to gross up the payment it actually makes in respect of the relevant invoice such that Authenteq receives sums due hereunder in full and free of any such Tax Deduction.

7. INTELLECTUAL PROPERTY RIGHTS AND INDEMNITY

7.1. Authenteq Intellectual Property. The Authenteq Intellectual Property is owned by Authenteq or its licensors and the Client acquires no rights in or to the Product other than those expressly granted by this Agreement.

7.2. License. (a) In consideration for the Fees, Authenteq grants to the Client a non-exclusive, non-transferable license, to use the Authenteq Intellectual Property on the terms set out herein for the term of this Agreement, to the extent necessary to enable the Client to receive and use the Services for its own business purposes. This license includes the right to integrate the Product into the Client’s website, to display the Product to the Client’s end-users, and to enable those end-users to interact with the Product as required. (b) Except to the extent permitted by law or as expressly authorized herein, the Client shall not: (i) copy or modify the Product or Documentation or remove any copyright, trademark, or other proprietary notice therefrom; (ii) reverse compile or reverse assemble all or any portion of the Product; or (iii) transfer to any third party the Product or the Documentation.

7.3. Client Materials. The Client warrants that all Client Materials are owned by or fully licensed to the Client. Authenteq acknowledges that Client Materials are the sole property of the Client (or its licensor) and the Client (or its licensor) shall at all times retain sole and exclusive title to and ownership thereof. The Client grants to Authenteq, or shall procure the direct grant to Authenteq of, a worldwide, royalty-free, non-transferable, non-exclusive, personal license to, and to permit sub-contractors and their respective personnel to, use, copy and modify, during the term of this Agreement, the Client Materials, for the purpose of, and to the extent necessary for the performance of Authenteq’s obligations under this Agreement.

7.4. Indemnity. Authenteq and the Client (in such case, the “indemnifying party”) each agree to indemnify the other (in such case, the “indemnified party”) from and against any costs and damages awarded against the indemnified party by a court pursuant to a final judgment or a settlement by the indemnifying party, as a result of, and defend the indemnified party against: (a) in the case of indemnification by Authenteq, any claim that the Client’s use of the Product in accordance with the terms of this Agreement infringes any third party Intellectual Property Right; or (b) in the case of indemnification by the Client, any claim that Authenteq’s possession, use or modification of any Client Materials in accordance with this Agreement infringes any third party Intellectual Property Right, an (“IPR Claim”).

7.5. Exclusions. Authenteq shall have no obligation under clause 7.4 or any other liability for any IPR Claim to the extent resulting or alleged to result from: (a) use of the Product or any part thereof in combination with any equipment, software or data not permitted by this Agreement; (b) any modification or alteration of the Product by a person or entity other than Authenteq or its Affiliates or subcontractors; (c) any Client Materials, instructions, designs, specifications, information or materials provided by or on behalf of the Client to Authenteq; (d) any software or other materials supplied by or via any third party to Authenteq on the Client’s instructions; or (e) any costs or damages resulting from the Client continuing the allegedly infringing activity after being notified to cease the activity or after being provided with modifications that would have avoided or mitigated the alleged infringement.

7.6. Infringement Remedies. In the event of an IPR Claim, or if Authenteq reasonably believes that an IPR Claim is likely to be made, Authenteq may, at its option and in lieu of indemnification: (a) modify the Product so that it becomes non-infringing but functionally equivalent; (b) replace the Product with items that are non-infringing but functionally equivalent, or (c) obtain for the Client the right to use the Product upon commercially reasonable terms. This clause 7 sets out the sole and exclusive remedy and entire liability and obligation of each party with respect to any IPR Claim.

7.7. Conduct of claims. No indemnity shall apply unless the indemnified party: (a) promptly notifies the indemnifying party of any claim or event (which may reasonably be considered as likely to give rise to a liability under an indemnity clause) made or occurring, or of which the indemnified party has knowledge; (b) gives the indemnifying party full opportunity to control the response to, defence and settlement of such claim, and provided further that the indemnified party shall not at any time admit liability or settle any such claim or action without the prior written consent of the indemnifying party; and (c) cooperates with the indemnifying party, at the indemnifying party’s cost and expense in the defence or settlement of that claim. The indemnified party shall have the right to participate in the proceedings at its cost.

8. CONFIDENTIALITY

8.1. Confidentiality Obligations. Each party shall, during the term of this Agreement and thereafter, keep confidential all, and shall not use for its own purposes (other than its rights and obligations under this Agreement) nor without the prior written consent of the other disclose to any third party (except its professional advisors or as may be required by law or legal or regulatory authority) any, Confidential Information which may become known to such party from the other party and which relates to the other party or any of its Affiliates, unless that information is public knowledge or already known to such party at the time of disclosure, or subsequently becomes public knowledge other than by breach of this Agreement, or subsequently comes lawfully into the possession of such party from a third party. Each party shall use its reasonable endeavours to prevent the unauthorised disclosure of any such Confidential Information.

8.2. Compelled Disclosure. The receiving party may disclose Confidential Information as required to comply with binding orders of courts and governmental and regulatory entities that have jurisdiction over it. The receiving party shall (insofar as legally permissible): (a) give the disclosing party reasonable written notice to allow the disclosing party to seek a protective order or other appropriate remedy; (b) disclose only such Confidential Information as is required by the court or governmental entity; and (c) use reasonable endeavours to obtain confidential treatment for any Confidential Information so disclosed.

8.3. Return of Confidential Information. Subject to clause 8.4, promptly following the earlier of: (a) the termination of this Agreement (unless the return or destruction of such Confidential Information would prohibit or restrict Authenteq’s ability to perform its obligations under this Agreement); and (b) the written request of disclosing party, the receiving party shall destroy or return all documents or other materials provided by the disclosing party to the receiving party constituting Confidential Information, together with all copies, including (where reasonably possible) when stored on a computer, in the possession of receiving party. Upon request, the receiving party shall certify such destruction in writing to the disclosing party. Where the request for the return or destruction of Client Confidential Information prevents, hinders or delays Authenteq in the performance of the Services, Authenteq shall have no liability for any non- or partial performance of its obligations or any delay in respect of the same.

8.4. Latent Data. Latent Data which is Confidential Information, shall be subject to destruction in due course but shall remain subject to clauses 8.1 to 8.2 until it is so destroyed.

9. WARRANTY

9.1. Mutual Warranties. Each party warrants to the other that: (a) it has the requisite power and has taken all actions necessary to execute this Agreement; and (b) this Agreement constitutes legal, valid and binding obligations of that party.

9.2. Performance Warranties. Authenteq warrants to the Client that: (a) the Services shall be performed by qualified personnel with reasonable diligence and care and in accordance with good industry practice; and (b) the Services shall conform substantially to the applicable specifications set out at https://authenteqstaging.itiswise.com/solution/.

9.3. Provided “as is”. Save as expressly set out otherwise in this Agreement, the Services are provided on an “as is” basis and all warranties, representations and conditions implied by statute or common law are, to the fullest extent permitted by applicable law, excluded. Authenteq does not warrant that the Product shall operate uninterrupted or error-free, without prejudice to clause 9.2.

9.4. No reliance. Subject to clause 10.1, each party acknowledges that in entering into this Agreement it has not relied upon any oral or written statements, collateral or other warranties, assurances, undertakings or representations that were made by or on behalf of the other party in relation to the subject matter of this Agreement at any time before its signature other than those that are set out expressly in this Agreement (and each party hereby waives all rights and remedies which might otherwise have been available to it in relation to the same but for this clause 9.4).

10. LIMITATION OF LIABILITY

10.1. Nothing in this Agreement shall exclude or limit either party’s liability to the other party for: (a) death or personal injury as a result of negligence; (b) fraud or fraudulent misrepresentation; (c) any other liability which cannot be limited or excluded by law; or (d) as regards the Client, any claim by Authenteq for Fees due for payment.

10.2. Subject to clause 10.1, in no event shall either party (including its Affiliates) be liable to the other in contract, tort (including negligence), breach of statutory duty, misrepresentation, for any of the following losses or damages howsoever caused and even if such losses and/or damages were foreseen, foreseeable or known, or that party was advised of the possibility of them in advance: (a) any loss of business or business opportunity, loss of revenue, loss of actual or anticipated profits, loss of contracts, loss of anticipated savings, loss of, damage to, or corruption of, data, economic loss, loss of goodwill; or (b) any indirect, special, exemplary, punitive or consequential loss or damage.

10.3. Subject to clauses 10.1 and 10.2, the maximum aggregate liability of each party (including its Affiliates) to the other party (including its Affiliates), for all causes of action, whether arising in contract, tort (including negligence), breach of statutory duty, misrepresentation, on indemnity basis or otherwise, for any losses arising under or in connection with this Agreement shall be limited to the total Fees paid or payable under this Agreement in the twelve (12) months prior to the incident giving rise to the first claim.

10.4. If Authenteq’s performance of its obligations under this Agreement is prevented, hindered or delayed by any act or omission of the Client, its Affiliates, agents, subcontractors, consultants or employees (including a failure to follow Client’s reasonable instructions) (“Relief Event”), Authenteq shall not be liable for any costs, charges, liabilities or losses sustained or incurred by the Client that arise directly or indirectly from such Relief Event and Authenteq shall be relieved of its obligations to provide the Services to the extent performance impeded by such events.

11. DATA PROTECTION

11.1. For the purposes of this clause 12 and Schedule 1, the terms “personal data”, “data processing”, “data controller” or “controller”, “data processor” or “processor”, “data subject” and “special categories of personal data” shall have the meaning given to them in the Data Protection Legislation. “Employee Personal Data” means the personal data of either Authenteq’s personnel or the Client’s personnel, as the context requires.

11.2. During the term of this Agreement, either party may process personal data provided to it (for the purposes of this clause, the “disclosing party”) by the other (the “receiving party”) and when it does so, the receiving party may be either a controller or a processor of such personal data, including in the following circumstances: (a) when the Client provides personal data, of which it is the controller, to Authenteq for Authenteq to process on its behalf as part of the provision of the Services (and not for customer relationship, invoicing or Services preparation reasons), Authenteq shall process such personal data as a processor; (b) when the Client provides Employee Personal Data, of which it is the controller, to Authenteq (including employee contact details) for customer relationship or invoicing reasons or in respect of preparation for the provision of the Services, Authenteq shall process such Employee Personal Data as a controller; and (c) when Authenteq provides Employee Personal Data (either as a controller, or a processor acting on behalf of a controller) to the Client, including for the Client to process as part of evaluating such staff or to implement security measures at the Client site, the Client shall process such Employee Personal Data as a controller.

12.3. Each party shall comply with: (a) the obligations that apply to it under Data Protection Legislation; and (b) in circumstances where the GDPR would be applicable to the processing, the Data Processing Terms set out in Schedule 1.

12.4. Where Employee Personal Data is processed in accordance with clause 12.2(b) and/or (c), each party shall act as an independent controller in respect of such Employee Personal Data

12. NON-SOLICITATION

12.1. Non-Solicitation Obligations. During the term of this Agreement and for a period of twelve (12) months thereafter, neither party shall, directly or indirectly for themselves or on behalf of anybody else, solicit for employment or engagement or employ, or accept services provided by, any current or former employee or independent contractor of the other party (including those of Authenteq Affiliates engaged in the provision of Services hereunder), who performed any work in connection with or related to the Services. This restriction does not apply to employment or engagement of an individual who responds of their own volition to general, non-targeted, recruitment activities.

13. ANTI-SLAVERY

13.1. In performing their obligations under this Agreement, the Client and Authenteq shall each: (a) comply with all the Anti-Slavery Laws; and (b) have and maintain throughout the term of this Agreement, their own policies and procedures to ensure their compliance with the Anti-Slavery Laws.

14. CORRUPTION AND BRIBERY.

14.1. Each party shall comply with all applicable laws and regulations regarding anti-corruption and anti-bribery. To the extent that the Services cannot be performed without violation of any law, regulation, or other control, then Authenteq shall not be obligated to provide the same and the Agreement shall be deemed to be automatically amended accordingly.

15. MISCELLANEOUS

15.1. Force Majeure. If either party is delayed or prevented from complying with its obligations under this Agreement by a Force Majeure Event, then such party shall not be in breach of this Agreement nor liable for any failure or delay in performance of any of its obligations. If the Force Majeure Event continues for more than two months, either party may terminate this Agreement affected by the Force Majeure Event by giving 30 days’ written notice to the other party.

15.2. Notices. All notices under this Agreement will be in writing and sent to: (a) (in the case of Authenteq) the address at the top of these Terms of Service or info@authenteqstaging.itiswise.com; and (b) (in the case of the Client) the address(es) provided by the Client when purchasing the Services, or (in each case) such updated address as a party may notify in accordance with this clause 16.2. All notices pursuant to this Agreement are deemed delivered: (a) when sent via email; or (b) when sent via hand delivery, certified mail (return receipt requested, full postage prepaid), or overnight delivery via a commercially respected courier (full service fees prepaid) as evidenced by an acknowledgment of receipt, to the address of the receiving party.

15.3. Amendments. Except as expressly set out otherwise herein, no variation of this Agreement or any of the documents referred to in it shall be valid unless it is in writing and signed by or on behalf of each of the parties.

15.4. Assignment. The Client may not without the prior written consent of Authenteq, assign in whole or in part, subcontract or otherwise transfer any obligations under this Agreement to any third party. Authenteq may, without the consent of the Client and in whole or part: (a) subcontract its obligations under this Agreement to any third party; and (b) assign or otherwise transfer any of its obligations under this Agreement to any Affiliate or to any person acquiring the whole or any part of Authenteq’s (or any Affiliate’s) assets or business (and the Client shall facilitate the same).

15.5. Waivers. No reasonable delay by either party to exercise any right or remedy arising under, or in connection with, this Agreement (collectively, any “action”) shall act as a waiver, or otherwise prejudice or restrict the rights of that party, in relation to that action or any other contemporaneous or future action.

15.6. Severability. If any provision, or part of a provision, of this Agreement is found by any court or authority of competent jurisdiction to be illegal, invalid or unenforceable, that provision or part-provision will be deemed not to form part of this Agreement, and the legality, validity or enforceability of the remainder of the provisions of this Agreement will not be affected, unless otherwise required by operation of applicable laws.

15.7. Entire Agreement. This Agreement constitutes the entire agreement between the parties in relation to its subject matter, and replaces and extinguishes all prior agreements, draft agreements, arrangements, undertakings, or collateral contracts of any nature, whether oral or written, in relation to that subject matter.

15.8. Publicity. Authenteq may in its general promotional material (a) identify the Client as a client of Authenteq; and (b) use the Client’s logo in such materials provided its use conforms with any guidelines issued by the Client to Authenteq from time to time.

16.9. Contracts (Rights of Third Parties) Act 1999. A person who is not a party to this Agreement shall have no right to enforce any terms of this Agreement, including under the Contracts (Rights of Third Parties) Act 1999.

16.10. Survival. Termination or expiry of this Agreement, however caused, shall be without prejudice to any obligations or rights of either of the parties which may have accrued before termination or expiry and shall not affect any provision of this Agreement which is expressly or by implication intended to come into effect on, or to continue in effect after, such termination or expiry.

16.11. Dispute Resolution. If a dispute arises between the parties then they shall, first, use their reasonable endeavours to resolve that dispute amicably, within a reasonable period and without recourse to legal proceedings. Either party may by notice at any time propose to attempt to settle a dispute by non-binding mediation, conducted in accordance with the rules of a recognised dispute resolution institution. The costs of any such mediation shall be borne equally by the parties. Should a dispute remain unresolved after a reasonable period of time then it may be referred for determination by legal proceedings.

16.12. Governing Law. This Agreement, and any dispute or non-contractual obligation arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and, subject to clause 16.11, the parties submit to the exclusive jurisdiction of the courts of England.

17. DEFINITIONS.

17.1. Interpretation. In this Agreement: (a) reference to a party shall include its permitted successors, assigns or transferees; (b) the words “including”, “include”, “for example” and words of similar effect shall not limit the general effect of the words which precede them; (c) reference to any legislative provision shall be deemed to include any statutory instrument, by-law, regulation, rule, subordinate or delegated legislation or order and any rules and regulations which are made under it, in each case as amended, re-enacted or replaced from time to time; (d) a reference to a person will include any individual, firm, partnership, organisation, institution, trust or agency, corporate body and unincorporated association; and (e) words used in the singular tense should be interpreted to include the plural tense and vice versa, and words which refer to one gender should be interpreted to include other genders.

17.2. Definitions. The following definitions apply to this Agreement:

“Agreement”, “Authenteq”, “Client” and “Terms of Service” have the meanings given at the top of this page.

“Add-ons”– additional services, that could be enabled on verification,

“Anti-Slavery Laws” means all applicable anti-slavery and human trafficking laws, statutes and regulations, including the Modern Slavery Act 2015.

“Client Materials” means any application, software, systems, hardware, documentation, information, data or other materials owned by or licensed to the Client (other than under this Agreement).

“Authenteq Intellectual Property” means all Intellectual Property Rights that have been or are acquired or developed by or on behalf of Authenteq or its licensors (including third party items) before, on or after the Effective Date (including in the Product) and any modifications, enhancements or derivatives of such Intellectual Property Rights.

“Billing period”, means the period in which all purchases of services incurred by the Client. should be billed either monthly or annually.

“Confidential Information” means all information or proprietary materials which is disclosed before or after the Effective Date by one party (“disclosing party”) to the other (“receiving party”), however conveyed (including by way of oral descriptions, demonstrations or observations), and which relates to the business affairs of the disclosing party or its Affiliates, customers, employees, suppliers or subcontractors, including existing or contemplated products, services, operations, technology, processes, plans or intentions, developments, trade secrets, know-how, design rights, technical data, engineering, techniques, methodologies and concepts, market opportunities, business plans, sales, pricing and other financial information, unpublished patent specifications, photographs, databases, computer software in disk, cassette, tape or electronic form and data storage or memory in, any items of, computer hardware or any other materials or media of whatever nature and all information derived from the above, together with the existence and provisions of this Agreement the negotiations relating to it.

“Data Protection Legislation” means the GDPR, the UK Data Protection Act 2018, Directive 2002/58/EC and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation).

“Documentation” any document relating to the Product made available to the Client by Authenteq.

“EEA” means the European Economic Area.

“Effective Date” means the date on which the Client successfully purchases the Services via Authenteq’s website.

“Fees” means the relevant amounts set out at https://authenteqstaging.itiswise.com/kyc-pricing/, depending on the option selected by the Client, and which may include: (a) a monthly service fee; and (b) an additional amount for each successful verification in excess of the maximum number of verifications included in the monthly service fee (if applicable).

“Force Majeure Event” means an event which is beyond the reasonable control of the party affected by it (or its Affiliates or sub-contractors), including act of God, natural disasters, fire, flood, storm, war, military action, riot, civil commotion, acts of state, terrorism, epidemic, explosion, malicious damage, non-availability of public networks, accident or breakdown of machinery, strike, lock-out or labour disputes.

“GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) Regulation (EU) 2016/679 as amended by any legislation arising out of the withdrawal of the UK from the European Union.

“Intellectual Property Rights” means patents, utility models, supplementary protection certificates, petty patents, rights in trade secrets and other confidential or undisclosed information (such as inventions (whether patentable or not) or know-how), registered designs, rights in copyright (including authors’ and neighbouring or related rights), database rights, design rights, trademarks and service marks and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

“Latent Data” means data that is stored by a party on routine back-up media for the purpose of disaster recovery including, but not limited to deleted files and other non-logical data types, memory dumps, swap files, temporary files, printer spool files and metadata that can customarily be retrieved only by computer forensics experts and is generally considered inaccessible without the use of specialised tools and techniques.

“Product” means Authenteq Identity Verification, as further described at https://authenteqstaging.itiswise.com/solution/.

“Services” means the services to be provided by Authenteq, as set out in clause 4.

“Subscription plan” – means a sellable Subscription Service. If the Client select the Annual Subscription Plan, it may not change to the Monthly Subscription Plan until the end of the one-year term of the Annual Plan, in this case, the subscription fee they have already paid for the current billing cycle will be prorated and the remainder will be refunded to the customer and the new subscription fee will be immediately applied and charged to the customer. If the client selects the monthly subscription plan, it can switch to the Annual Subscription Plan at any time.

“ Subscription terms” means a subscription term of (1) one month or (12) twelve months commencing on the Effective Date on an each subsequent anniversary.

“Tax” means all taxes, imposts, duties, levies, or fees of any kind payable to any governmental, fiscal or taxing authority in Iceland or elsewhere. The definition of “Tax” includes any penalties, additions, fines or associated interest. The words “Taxes” and “Taxation” and similar expressions will be interpreted in accordance with this definition.

“Verification” means act of verifying the Client via Authenteq service.

SCHEDULE 1 – DATA PROCESSING TERMS

1. Data Processing

1.1. Relationship of the parties: These Data Processing Terms shall apply only to the extent that the GDPR applies and Authenteq or an Authenteq Affiliate processes personal data on behalf of Client or a Client Affiliate. The Client or a Client Affiliate (the controller) appoints Authenteq or an Authenteq Affiliate as a processor to process the personal data described in paragraph 2 below (the “In-Scope Personal Data“).

1.2. Prohibited data: The Client shall not disclose (and shall not permit any data subject to disclose) any: (i) special categories of In-Scope Personal Data; or (ii) In-Scope Personal Data in relation to criminal convictions and offences, to Authenteq for processing that are not expressly disclosed in paragraph 2 below.

1.3. Purpose limitation: Authenteq shall process the In-Scope Personal Data as a processor for the purposes described in paragraph 2 below and only in accordance with the lawful documented instructions of the Client (the “Permitted Purpose“), except where otherwise required by any law applicable to Authenteq. The Agreement sets out Client’s complete instructions to Authenteq in relation to the processing of Personal Data and any processing required outside of the scope of these instructions will require prior agreement between the parties, including agreement on any additional fees that Client shall pay. Client agrees that any necessary changes to its data processing instructions shall be by way of written notification to Authenteq.

1.4 International transfers: If and to the extent that In-Scope Personal Data originating from the EEA will be transferred or otherwise processed by Authenteq outside of the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for personal data, Authenteq and Client shall ensure an adequate level of protection by any of the recognized methods in Data Protection Legislation, including but not limited to entry into the standard contractual clauses for the transfer of personal data to processors established in third countries approved by the European Commission from time to time or any subsequent replacement or revision thereof (the “Standard Contractual Clauses“). Client authorises any transfers of In-Scope Personal Data to, or access to In-Scope Personal Data from, such destinations outside the EEA subject to any of these adequacy measures having been taken.

1.5 Confidentiality of processing: Authenteq shall ensure that any person that it authorises to process the In-Scope Personal Data (an “Authorised Person“) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty or otherwise). Authenteq shall ensure that all Authorised Persons process the In-Scope Personal Data only as necessary for the Permitted Purpose.

1.6 Security: Authenteq shall implement appropriate technical and organisational measures designed to protect the In-Scope Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access (each a “Security Incident“). Authenteq shall implement the following measures:

Information Security Policy

Our Information Security Policy details the collection, processing, storing and deletion of information at Authenteq.
A risk assessment for all relevant information security relevant assets in the company isbeing implemented.

Access Control

Following the Principle of Least Privilege.
PII is only accessible to employees that have completed Security Awareness training and that need access due to the nature of their work.

Awareness & Training

All full time employees and long term contractors are required to complete comprehensive security awareness training.

Data storage

PII is only stored for up to 7 days for manual fraud review purposes. After that timeframe the data is automatically and unrecoverably deleted.

Passwords & Encryptions

Individual user accounts
Accounts are secured with 2FA or MFA where available
Strong unique generated passwords
Mandatory password manager (1Password) for secure storage

Remote Access

Only via VPN access to internal systems

Software Development Processes

Software Development follows industry best practices, among others including:

Only via VPN access to internal systems
Code reviews
Automated tests
Deployment pipelines
Version control system
Following OWASP guidelines for web application security

1.7. Subprocessing: Client agrees that Authenteq may engage the following types of subprocessors: (a) Authenteq Affiliates; and (b) third party subprocessors authorized by Client (subject to paragraphs 1.9 and 1.10); to fulfil Authenteq’s contractual obligations under the Agreement and to provide services to Client on Authenteq’s behalf. The third party subprocessors (excluding Authenteq Affiliates), if any, are listed at https://authenteqstaging.itiswise.com/subprocessors (together “Authenteq Subprocessors”). Authenteq shall, subject to paragraphs 1.9 and 1.10 of this Schedule 1, impose data protection terms on any Authenteq Subprocessor it appoints that protect the In-Scope Personal Data to the same standard provided for by this Schedule 1 and remain fully liable for any breach of this Schedule 1 that is caused by an act, error or omission of a Authenteq Subprocessor.

1.8. Changes to Subprocessors: Authenteq may, by giving reasonable notice to the Client, add or make changes to the Authenteq Subprocessors. If the Client objects to Authenteq’s appointment of an additional Authenteq Subprocessor within five (5) calendar days of such notice on reasonable grounds relating to the protection of the In-Scope Personal Data, then Authenteq will take reasonable efforts to work with the Client to find an alternative.

1.9. Cooperation and data subjects’ rights: Authenteq shall provide reasonable assistance (including by appropriate technical and organisational measures in so far as is possible) to the Client (at Client’s expense) to enable the Client to respond to any request from a data subject to exercise any of its rights under Data Protection Legislation (including its rights of access, correction, objection, erasure and data portability, as applicable). In the event that any such request is made directly to Authenteq, Authenteq shall promptly inform the Client providing full details of the same.

1.10. Data Protection Impact Assessment: Authenteq shall, upon written request from the Client and at the Client’s expense, provide the Client with reasonable assistance, to the extent necessary to facilitate the Client’s compliance with data protection impact assessment and prior consultation requirements under Data Protection Legislation.

1.11. Security incidents: Upon becoming aware of a Security Incident, Authenteq shall inform the Client without undue delay notify the Client in order for the Client to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Data Protection Legislation.

1.12. Deletion or return of Data: Upon termination or expiry of the Agreement, Authenteq shall (at the Client’s election) destroy or return to the Client all relevant In-Scope Personal Data (including all copies of the In-Scope Personal Data) in its possession or control. This requirement shall not apply to the extent that Authenteq is required by any applicable law to retain some or all of the In-Scope Personal Data.

1.13. Security Reports & Audits: Authenteq agrees to provide, upon Client’s reasonable request, copies of relevant external security certifications, audit report summaries of audits performed by Authenteq to verify Authenteq’s compliance with its security obligations under this Agreement and/or any other relevant documentation relating to the Services necessary to verify Authenteq’s compliance with this Schedule 1. While it is the parties’ intention ordinarily to rely on the provision of such documentation to verify Authenteq’s compliance with this Schedule 1, Authenteq shall permit the Client (or its appointed third party auditors) to audit Authenteq’s processing of the Personal Data under this Agreement following a Security Incident suffered by Authenteq or when instructed by a competent data protection authority. Except for audits instructed by a competent data protection authority, for which Client will give Authenteq as much notice as reasonably possible, Client must give Authenteq 45 days’ notice of its intention to audit with finalized audit scope and evidence request list provided no less than 20 days in advance of a site visit. Client agrees to conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Authenteq’s operations, and such audit shall not exceed a period of 25 hours and not more than 5 hours per working day. Any such audit shall be subject to the following limitations: (i) use of any third party auditor shall be subject to Authenteq’s prior written approval, such approval not to be unreasonably withheld or delayed; and (ii) Client or any auditor conducting any such audit shall at all times comply with any and all reasonable security and confidentiality guidelines and other policies of Authenteq with respect to the audit.

1.14. Compliance: The Client shall be responsible for ensuring: (a) it has complied, and will continue to comply, with Data Protection Legislation; (b) all In-Scope Personal Data has been, and will continue to be, collected and processed in accordance with notice, consent (including that Client has obtained all necessary consents) and other requirements of the Data Protection Legislation (and, where applicable, the collection and processing has been notified to the relevant authorities); (c) it has, and will continue to have, the right to transfer, or provide access to, the In-Scope Personal Data to Authenteq and its subprocessors, for processing for the Permitted Purposes and such processing by Authenteq will not breach Data Protection Legislation; and (d) its instructions to Authenteq in respect of the processing of the Personal Data are lawful and will not create legal or regulatory liability on the part of Authenteq if followed.

2. Details of Processing

Categories of personal data: Picture, verification ID, issuing country, jurisdiction within the country, document type, name of the user on the document, nationality, date of birth, issue and expiry, gender, driving licence class.

Data subject: End user of the service.

Duration: The term of the Agreement.

Subject matter: Authenteq service under this Agreement.

Purpose: The provision of the service under this Agreement.

Nature of processing: Collection for identifying the Customers/Users, use, processing, retaining, deleting, analysing.

Terms last updated: 21.10.2021