This Data Protection Addendum (this “Addendum”) supplements and forms part of the Transmit Security Agreement for Cloud Services (“Agreement”) entered into between You and Transmit Security. Except as modified in this Addendum, the terms of the Agreement shall remain in full force and effect and defined terms under the Agreement shall have the same meaning in this Addendum, unless defined differently in this Addendum. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will prevail. For the avoidance of doubt, this Addendum is in force as at the earlier of (each as applicable) (i) the effective date of the Agreement, or (ii) the commencement of processing of End User Personal Data through the Cloud Services, and will remain in effect until termination of the Agreement; or the last processing of End User Personal Data under the Agreement and this Addendum.
Transmit Security shall ensure that prior to permitting any Sub-Processor to process End User Personal Data, the Sub-Processor has entered into a binding written agreement with Transmit Security which imposes obligations substantially equivalent and no less protective than the obligations imposed on Transmit Security under this Addendum (to the extent applicable to the nature of the services provided by such Sub-processor). Where that Sub-Processor fails to fulfil its data protection obligations concerning End User Personal Data, Transmit Security shall remain fully liable to Customer for the performance of that Sub-Processor’s obligations.
This Addendum may only be modified by means of a written document signed by both parties.
Nature and purpose of the processing. Transmit Security will process End User Personal Data as necessary to perform the Cloud Services contracted by the Customer under the Agreement, and as further instructed by Customer in accordance with the Agreement, the Order Form, and this Addendum.
Duration of processing. Transmit Security will process End User Personal Data for the duration of the Agreement (or as otherwise agreed upon by the parties in writing), and in accordance with Transmit Security’s retention obligations under this Addendum and the Agreement, provided that End User Personal Data shall not be processed for longer than is necessary for the purpose for which it was collected or is being processed (except where a statutory exception applies).
Categories of Data Subjects. End Users.
Types of Personal Data. Customer may request the processing of End User Personal Data for the provision of the Cloud Services which may include, but is not limited to the following categories of Personal Data.
Transmit Security Product | Types of Data |
Strong Passwordless and MFA | End user email and phone number (optional), Transaction and payment data (inc. sum, payee, payment requester), location, bound devices user agent, IP address or any other Personal Data associated with the Customer’s End Users and that is stored and managed by Transmit Security (i.e., custom data) |
(Core) Transmit Identity Platform | Transmit provides the customer the option to store end user email, phone number, address, first name, last name, middle name, date of birth, link to a profile picture, preferred language. In addition, Transmit collects and stores the end user IP addresses and user agents. |
Account Protection | The Personal Data processed consist of a number of data elements collected for the purpose of identity and trust decisions relating to the usage of Customer’s web and mobile applications by Customer’s end-users. Such data elements include the end-users’ network information, hardware attributes, software attributes, details on the application journey and interaction events as well as identifiers. End-users are assigned a unique identifier to which the collected data is attributed. In addition the end user email, phone number and address are processed as optional parameters if provided by the customer. |
Identity Verification | End user first name, last name, address, country, ID document number, date of birth, ID document photo, details printed on the ID document, selfie photo. Note: All data is saved by default for 90 days unless the customer defines a different period. |
Depending on (a) the geographic location of a Customer or their End Users, and (b) the nature of the Cloud Services provided, as indicated below, Transmit Security may also use Sub-processors to provide the Services to Customer.
Sub-Processor Entity | Brief Description of Processing | Location of Sub-Processor | Applies to Following Products: |
Amazon Web Services, Inc | Hosting | US, EU | Entire Platform* |
Amazon Web Services, Inc | Hosting | Canada | Authentication Services, Identity Management Services, Detection and Response Services |
MongoDB Atlas | Database as a Service | US, EU | Identity Verification Services, BindID, FlexID, Authentication Services, Identity Management Services |
MongoDB Atlas | Database as a Service | Canada | Authentication Services, Identity Management Services, Detection and Response Services |
Elastic Cloud | End User activity logging | US, EU | BindID |
Redis Labs | Database as a Service | US, EU | Detection and Response Services, Authentication Services, Identity Management Services |
Google Cloud Platform | Hosting | US, EU | Entire Platform |
Google Cloud Platform | Hosting | Canada | Authentication Services, Identity Management Services, Detection and Response Services |
Coralogix | System monitoring and logs | EU | Entire platform |
Sentry | Admin Portal Monitoring | US | Detection and Response Services, Authentication Services, Identity Management Services, Identity Verification |
Movate | Provide Tier 2 Support Services | India and Costa Rica | Entire Platform |
Cloudflare | Network Routing and Protection | US, EU | Entire platform |
Veriff | Identity Verification Vendor | US, EU | Identity Verification Services |
Mitek | Identity Verification Vendor | US, EU | Identity Verification Services |
Salesforce | Customer Relations and Support | US | Entire Platform |
SECURITY DOMAIN | DESCRIPTION OF THE MEASURE |
General Security Measures | |
Standards | SOC2 Type II, GDPR |
Policies | SOC2 required policies |
Records | All customer data records are encrypted at rest. |
Metrics | |
Training and Awareness | Annual Training and Awareness for all employees and subcontractors |
Physical and Environmental Safety | According to Physical and Environmental Safety policies |
Communications Security | According to Transmit Security’s Communications Security policy |
Security of Operations | Included in SOC2 policies |
Access Control (Physical and logical) | Included in SOC2 policies |
Acquisition, Development and Maintenance of the software | Included in SOC2 policies |
Incident Management | Included in SOC2 policies |
Business Continuity | According to company’s Business Continuity policy |
Procedures | Security, IT, DevOps, and SRE Operational Procedures |
Clause 1
Purpose and scope
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of Custom Personal Data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I. B.
Clause 7
Docking clause
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
The data importer shall process the Custom Personal Data only for the specific purpose(s) of the transfer, as set out in Annex I. B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and Custom Personal Data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the Custom Personal Data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
Processing by the data importer shall only take place for the duration specified in Annex I. B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all Custom Personal Data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all Custom Personal Data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the Custom Personal Data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
Where the transfer involves Custom Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I. B.
The data importer shall only disclose the Custom Personal Data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I. C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Belgium.
Clause 18
Choice of forum and jurisdiction
Categories of data subjects whose data is transferred:
The data subjects concerned as identified in Appendix 1 (Processing Details) of the Addendum above.
Categories of Personal Data transferred:
The categories concerned as identified in Appendix 1 (Processing Details) of the Addendum above.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The special categories of data as identified in Appendix 1 (Processing Details) of the Addendum above.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous.
Nature of the processing:
The nature of the processing as identified in Appendix 1 (Processing Details) of the Addendum above.
Purpose(s) of the data transfer and further processing:
The purpose of the processing as identified in Appendix 1 (Processing Details) of the Addendum above.
The period for which the Custom Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
The duration of the processing as identified in Appendix 1 (Processing Details) of the Addendum above.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of processing as identified in Appendix 1 (Processing Details) of the Addendum above.
As determined in accordance with Clause 13.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
The technical and organisational measures as identified in Appendix 3 (Technical and Security Measures) of the Addendum above.
The controller has authorized the use of the following sub-processors: the Sub-Processors as identified in Appendix 2 (Sub-Processors & Sub-Contractors) of the Addendum above.
Clause 1
Purpose and scope
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
Clause 10
Data subject rights
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
Clause 12
Liability
Clause 14
Local laws and practices affecting compliance with the Clauses
(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
Clause 15
Obligations of the data importer in case of access by public authorities
(where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
Clause 16
Non-compliance with the Clauses and termination
Clause 17
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Belgium.
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Belgium.
Data exporter(s):
Name and Address: the name and address of the applicable Transmit Security entity as set out in the Agreement.
Contact person’s name, position and contact details:
Name: Mickey Boodaei
Role: Data Protection Officer
Contact details: privacy@transmitsecurity.com
EU Representative details: Name: Niels Decraene. Contact details: niels@transmitsecurity.com
Activities relevant to the data transferred: provision of the Identity Network services provided by Transmit Security pursuant to the Agreement
Role: processor.
Data importer(s):
Name and Address: The name and address of the “Customer” (as defined in the Agreement)
Contact person’s name, position and contact details: Customer key contact as communicated by the Customer to Transmit Security in writing from time to time.
Activities relevant to the data transferred: receipt of the Identity Network services provided by Transmit Security pursuant to the Agreement
Role: controller.
Categories of data subjects whose data is transferred:
The data subjects concerned as identified in Appendix 1 (Processing Details) of the Addendum above; end users of other customers.
Categories of Personal Data transferred:
The categories concerned as identified in Appendix 1 (Processing Details) of the Addendum above.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous.
Nature of the processing:
Transmit Security will process and transfer Personal Data to Customer as necessary to perform the Cloud Services contracted by the Customer under the Agreement, and as further instructed by Customer in accordance with the Agreement, the Order Form, and the Addendum.
Purpose(s) of the data transfer and further processing:
Transmit Security will process and transfer Personal Data to Customer as necessary to perform the Cloud Services contracted by the Customer under the Agreement, and as further instructed by Customer in accordance with the Agreement, the Order Form, and the Addendum.
The period for which the Custom Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
The parties will process Personal Data for the duration of the Agreement (or as otherwise agreed by the parties in writing), and in accordance with the parties’ retention obligations under this Addendum, the Agreement and the applicable provided that Personal Data shall not be processed for longer than is necessary for the purpose for which it was collected or is being processed (except where a statutory exception applies).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
The subject matter, nature and duration of processing as identified in Appendix 1 (Processing Details) of the Addendum above.
The Parties confirm that the UK Addendum to the EU Standard Contractual Clauses (or “Clauses”) as set out and populated below (“UK Addendum”) shall apply to the transfer of End User Personal Data originating from the UK to (a) Transmit Security as Processor in the US or (b) to Customer as Controller, and by executing the EU Standard Contractual Clauses and this UK Addendum, the Parties agree to be bound by the UK Addendum. Unless expressly stated below, any optional clauses contained within the UK Addendum shall not apply. The Parties shall work together, in good faith, to enter into any updated version of the UK Addendum as issued by the Information Commissioner’s Office from time to time or negotiate an alternative solution to enable transfers of Custom Personal Data originating from the UK to Transmit Security in the US in compliance with UK Data Protection Laws and related binding guidance issued by the Information Commissioner’s Office.
Background:
This Addendum has been issued by the Information Commissioner for the Parties making restricted transfers. The Information Commissioner considers that it provides appropriate safeguards for restricted transfers when it is entered into as a legally binding contract.
Start Date
The UK Addendum is effective from the date the Addendum comes into force.
Exporter and key contact | As set out in Annex I of the EU Standard Contractual Clauses in Appendix 4 |
Importer and key contact: | As set out in Annex I of the EU Standard Contractual Clauses in Appendix 4 |
Exporter and key contact | As set out in Annex I of the EU Standard Contractual Clauses in Appendix 5 |
Importer and key contact: | As set out in Annex I of the EU Standard Contractual Clauses in Appendix 5 |
Addendum EU SCCs | Module 2 of the EU Standard Contractual Clauses as set out in Appendix 4 |
Addendum EU SCCs | Module 4 of the EU Standard Contractual Clauses as set out in Appendix 5 |
Addendum | This Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs as set out in Appendix 4, including the Appendix Information. |
Appendix Information | As set out in Annex I to the Standard Contractual Clauses included in Appendix 4. |
Appropriate Safeguards | The standard of protection over the Custom Personal Data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a restricted transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of Custom Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |