Last updated: 29 September, 2023
This Sumsub Travel Rule Ecosystem Agreement (hereinafter – the “Agreement”) shall govern the conditions for Virtual Asset Service Providers (VASPs) and other entities (hereinafter referred to as "Participants") joining the Sumsub Travel Rule Ecosystem (as defined below) and the terms of the Parties’ subsequent cooperation in relation thereto.
For the purposes of this Agreement, Sumsub and the Participant entering into the Agreement are hereinafter collectively referred to as the “Parties” and individually as a “Party”.
The following terms and definitions are used in this Agreement:
Client – a legal entity acquiring services from Sumsub under the respective Service Provider Agreement or Partnership Agreement;
Confidential Information – information disclosed by (or on behalf of) a) Sumsub to any Participant; b) any Participant to Sumsub; c) any Participant to another Participant (with the disclosing party hereinafter referred to as the “Discloser” and the receiving Party as the “Recipient”) in connection with or in anticipation of this Agreement (including the content of this Agreement itself) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, can reasonably be assumed to be confidential. It does not include information (i) that the Recipient already knew, (ii) that becomes public through no fault of the Recipient, (iii) that was independently developed by the Recipient, (iv) that was authorized for disclosure by the Discloser or (v) that was lawfully given to the Recipient by a third party, so long as these circumstances can be proven by documentary evidence.
Dashboard – an interactive software tool ensuring management and processing of requests for VASP Due Diligence, Data Exchange Transactions, VA Transactions and facilitating the communication between Sumsub and the Participant in relation to this Agreement.
Data Protection Legislation – all applicable privacy and data protection laws, including the EU General Data Protection Regulation ((EU) 2016/679)(‘EU GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018; any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Service Provider Agreement (SPA) – an agreement (with its annexes and appendices) concluded between Sumsub and its Client for the provision of Sumsub Travel Rule Solution and other related services.
Sumsub Travel Rule Solution Agreement (TRA) – a supplemental Agreement to the SPA, concluded between Sumsub and its Clients upon the Clients’ acceptance of it in the Sumsub Dashboard, for the provision of Sumsub Travel Rule Solution and other related services.
Sumsub – either (i) SUM AND SUBSTANCE LTD incorporated and registered in England with company number 09688671 and registered office at 30 St. Mary Axe, London, England, EC3A 8BF (for Level 2 and Level 3 Participants); or (ii) for Level 1 Participants – the legal entity belonging to Sumsub Group that maintains the respective SPA or TR with the Participant.
Sumsub Travel Rule Ecosystem – a community of Participants bound by this Agreement, united to facilitate the sharing of data about VA Transactions among Participants and identification and verification of counterparty VASPs’ identities for the purposes of complying with the Travel Rule requirements. Members of the Sumsub Travel Rule Ecosystem can be referred to as Virtual Asset Service Providers (VASPs), financial institutions or non-regulated entities (as the respective national laws and regulations may specify) dealing in virtual asset transfers.
Sumsub Travel Rule Solution – a set of solutions and related services (as determined by the relevant SPA or TRA), designed to assist Clients in following the requirements of the Travel Rule by collecting, verifying and transferring to counterparty VASPs certain data pertaining to originators and beneficiaries of VASP-facilitated transactions.
Travel Rule – an AML/CFT measure mandating that VASPs obtain, hold and exchange information about the originators and beneficiaries of virtual asset transfers (as per paragraph 7(b) of FATF’s Interpretative Note to Recommendation 15).
Data Exchange Transaction – a transfer of data under the Travel Rule requirements.
VA Transaction – a transfer of virtual assets subject to the Travel Rule requirements.
VASP Due Diligence – the process of verifying the counterparty VASP before the originating VASP transmits the information required under the Travel Rule.
VASP Due Diligence Questionnaire – the questionnaire incorporated into the Sumsub Dashboard, an example of which is contained in Annex I, that the Participant is required to fill in for the purposes of identity verification at the request of its counterparty (i.e. Originating VASP).
VASP Due Diligence Report or Report – the report that Sumsub completes during VASP Due Diligence. The Report contains the results of the verification of all information provided by the Participant in the VASP Due Diligence Questionnaire.
Partner – independent Travel Rule solution providers that have their own messaging protocol and community of verified VASPs and maintain a Partnership Agreement with Sumsub to facilitate data transfer between participants of their community and the Sumsub Travel Rule Ecosystem.
Originator – originating VASP customer who sends a virtual asset transfer to the Beneficiary.
Beneficiary – beneficiary VASP customer who receives a virtual asset transfer from the Originator.
Participants that do not pass VASP Due Diligence acknowledge that, according to the FATF Recommendations and certain local AML regulations, a VASP needs to undertake counterparty due diligence before it transmits the Travel Rule information to its counterparty VASP. Therefore, most VASPs do not execute transactions to unverified counterparties.
The Participant acknowledges that the scope of due diligence carried out by any Partner may not match that of the VASP Due Diligence. If needed, Sumsub may attempt to request the missing information about a VASP for evaluation from the Partner or by other means; or the Participant can request such information from its counterparty directly.
Level 3 Participants can also complete VASP Due Diligence if they deem it necessary.
If a Participant believes that it does not have enough information to decide on the execution of the transaction, it can contact the counterparty directly and request the missing information.
The scope of the aforementioned information can differ depending on the status of the Participant (“verified” or “unverified”).
Any Participant may disclose and publicize the fact of its membership in the Sumsub Travel Rule Ecosystem, subject to restrictions as may be communicated by Sumsub separately and provided that Sumsub’s written approval is obtained beforehand.
Where applicable, Participants, unless otherwise specified in the respective Service Provider Agreement, grant Sumsub a license to access, download and use some parts of Confidential Information (including Personal Data) for: (a) analyzing such information in accordance with Sumsub’s functionality; (b) developing and testing services and new products to improve the functionality of the services, designed for fraud detection and prevention, including by means of artificial intelligence (e.g. machine learning models) in order to fulfill the commitments in this Agreement and/or corresponding Service Provider Agreement; (c) identifying and flagging potentially fraudulent patterns and other signs of suspicious behavior which could lead to or signal any illicit activity, calculating a risk score based on the said factors and alerting customers in the framework of higher-risk applicant control and alert functionality; (d) producing anonymised or anonymised and aggregated statistical reports and research; and (e) producing and storing audit log records and reports based on information security and personal data protection requirements.
Notwithstanding that, if the Recipient is required by law to retain any part of Confidential Information (for example, obtained under section 5 of the Agreement), this clause shall only apply to the extent allowing the Recipient to comply with the legal obligations in question.
The receiving Participant guarantees that no personal data transferred to it shall be further redistributed to any third party without an appropriate legal basis for such data-sharing activities.
For any data transfers that are not subject to the EU Commission’s Standard Contractual Clauses or UK International Data Transfer Agreement or Addendum, the Data Exporter shall ensure, and the Data Importer shall assume, that a sufficient legal basis, safeguards and/or derogations have been put in place in compliance with Article 45, 46 or 49 of EU GDPR and/or the UK GDPR for the transfer of personal data to a third country.
Section A. VASP details
1. Full legal name
2. Trade name if applicable
3. Full legal (registered) address
4. Full primary business address (if different from the registered address above)
5. Date of incorporation / establishment
6. Incorporation number
7. Website
8. Legal representative of the entity (e.g., CEO, Director, etc)
- full name
- DOB
- email
9. Ownership structure / Entity type
Please select the type of ownership structure / entity type:
- Privately Owned
- Publicly Listed
- Partnership
- Foundation
- Association
- Not-for-Profit / Non-Profit
- Trust
- Member Owned / Mutual
- Government or State Owned by 25% or more
- Sole proprietorships
- Natural Person
- Other
If Other, please state the ownership / entity type ____________
If Privately Owned, please provide details of shareholders or ultimate beneficial owners with a holding of 25%* or more.
*If your company doesn't have a UBO with 25% of ownership, please provide the information about the person holding 10% or more; if the holding is less than 10%, please indicate the senior managing official(s).
Please attach the following documents
Certificate of incorporation or registration
Certificate of incumbency (issued within the last 6 months) or power of attorney
Ownership chart signed by the legal representative of the entity.
Section B. Business activity
10. Type of organisation:
- Centralised
- Decentralised
11. Business activity of the entity.
Please select the applicable activity for your entity:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
Other ________
12. Services provided
Does your entity provide the following services:
• no
• yes (if yes, please specify):
- Intermediary VASP
- P2P exchange
- DeFi services;
- NFT services;
- Omnibus or co-mingled custodial wallets
- OTC trading
- Investment Funds
- Crypto ATMs
- Virtual asset exchange involving privacy-preserving Virtual Assets
- Virtual asset deposits or withdrawals to / from a bank account not verified as under the customer's control
- Virtual asset deposits or withdrawals to / from a wallet not verified as under the customer's control
- Virtual asset issuance, fund raising, or collection of funds for Initial Coin Offerings (ICO) / Initial Exchange Offerings (IEO) / Security Token Offerings (STO) / Private Token Sales;
Other__________
Section C. Regulatory details
13. Name of the Entity’s primary financial regulator / supervisory authority
14. Regulatory status
- No license / registration required
- Registered
- Temporary license exemption
- License application in progress
- Licensed
15. List of jurisdictions where the Entity has been (will be) granted licenses or other approvals or have (will be) registered as required to operate (with registration numbers), and the name of the regulator / supervisory authority
16. Is the Entity permitted to send and/or receive transfers of virtual assets in the jurisdictions in which it operates?
Please attach the following documents or provide the link
Copy of the Licence and the link to the register confirming the granting of license (if applicable); or
Link to the regulatory register confirming regulatory approval for operating (if applicable)
Section D. Travel rule compliance and technical information
17. Is the Entity required to comply with the application of the Travel Rule standards (FATF Recommendation 16) in the jurisdiction(s) where it is licensed / approved / registered?
If Yes, please specify the applicable regulation(s)
18. What is the minimum transaction threshold above which the entity is required to collect/send Travel Rule information?
19. Which of the following processes does your entity carry out within the Travel Rule:
- sanctions screening
- transactions monitoring
20. Does the Entity conduct counterparty VASP Due Diligence prior to the sharing of originator and / or beneficiary details to a transaction?
If not, please specify the reason.
21. Does the Entity have processes and controls to prevent customer access to deposits and withdrawals prior to name and wallet screening processes completing?
22. Does the Entity have procedures to allow for the return of inbound payments?
23. What protocols and technical solution(s) does the Entity support for sharing Travel Rule information?
Is the entity a member of any Travel Rule alliances, ecosystems, directories, or networks? If so, please specify.
24. The technical details (IDs, endpoints, URLs, etc.) required to send Travel Rule information to the Entity for each solution the Entity supports (if applicable)
25. Name, email and phone number of travel rule contact
Section E. AML/CFT & Sanctions Compliance
26. Does the Entity have documented policies, and procedures and controls implemented consistent with applicable AML/CTF & Sanctions regulations and requirements of the jurisdiction where the entity is licensed/registered to reasonably prevent, detect and report the following?
- Money laundering/ Terrorist financing.
- Sanctions violations.
27. Does the Entity establish business relationships with:
- natural persons
- legal entities
If legal entities are acceptable, please complete the following:
When conducting CDD for Legal Entities (Legal Persons), are each of the following identified:
- Ultimate beneficial ownership
- Authorised account operators / signatories (where applicable)
- Key controllers (e.g., Chief Executive Officer, Chief Financial Officer, Managing Partner, Chairman of the Board and Directors)
- Other relevant parties
Are Ultimate Beneficial Owners (UBOs) verified?
- yes
- no
What is the Entity’s minimum (lowest) threshold percentage applied to beneficial ownership identification for CDD?
Does the Entity have a risk-based approach to screening customers and connected parties to determine whether they are PEPs, or controlled by PEPs?
- yes
- no
28. Are the majority of the Entity's customer relationships Face-to-Face or Non-Face-to-Face?
If the majority is Non-Face-to-Face, does the Entity use any of the following tools to enhance verification?
- Biometric solutions on identity documents;
- Liveness testing on natural persons
- Video identification;
- eIDAS;
- GeoIP detection on the location on natural persons;
- Duplicate account detection.
29. Methods or technical means the Entity uses for identity verification of its customers (including originators and beneficiaries within the Travel Rule obligation):
- manual
- automated
- combination of automated and manual.
- outsourced
If outsourced, please specify the name of the partner conducting outsource services: _____
30. Does the Entity permit the opening and keeping of anonymous accounts or accounts in obviously fictitious names; unlicensed VASPs?
If so, please specify
31. Does the Entity conduct identity verification before permitting the customers to send/receive virtual asset transfers?
If Yes, at what threshold does the Entity conduct identity verification before permitting the customer to send/receive virtual asset transfers?
32. Which of the following processes does your entity carry out:
- Governance and the appointment of a Compliance Officer / MLRO with sufficient experience / expertise.
- Risk Based Approach and Risk Assessment.
- CDD.
- EDD.
- SDD.
- Sanctions Screening.
- PEP Screening.
- Adverse Media & Negative News Screening.
- Beneficial Ownership Identification & Verification.
- Controller Identification & Verification.
- KYC Refresh / Periodic Review.
- AML Transaction Monitoring.
- Blockchain Analytics Monitoring.
- Transaction / Payment Screening.
- Suspicious Activity/Transaction Reporting.
- Travel Rule Reporting
- Record Keeping.
- Training and Education.
- Independent Audit & Testing.
33. Does the Entity screen its customers, including beneficial ownership information collected by the Entity, against Sanctions Lists during onboarding and regularly thereafter?
Please specify the frequency.
34. Does the entity have offshore customers domiciled in countries / regions against which UN, OFAC, OFSI, EU and G7 member countries have enacted comprehensive jurisdiction-based sanctions?
35. Methods or technical means the Entity uses for sanctions screening of its customers (including originators and beneficiaries within the Travel Rule obligation):
- manual
- automated
- outsourced
If outsourced please specify the name of the partner conducting outsource services: _____
36. In addition to inspections by the government supervisors/regulators, does the Entity have an internal audit function, a testing function or other independent third party, or both, that assesses AML/CTF, Fraud and Sanctions policies and practices on a regular basis?
Please attach the following documents
AML Policy and other related policies and procedures
Section F. Data Protection Compliance
37. Please describe which technical (e.g. 2-FA, MFA, passwords, data encryption, firewalls, etc.) and organisational (e.g. visitor registration, staff training or restricted access, etc.) measures your entity has in place in relation to data protection.
38. Information about the Data Protection Officer appointed in the entity, if any.
- full name
- contact details
39. Security measures and security certificates in place (if any).
Please describe
Please attach the following documents
Privacy Notice
Document describing technical and organisational measures in relation to the PII protection (if any)
Security Certificates
Section G. Information regarding person providing information
40. Full name
41. Title
42. Contact details
email
phone number
Please be informed that the list of information and documents is not exhaustive. Sumsub may request additional documents if it deems it necessary (e.g., due to the inability to verify some information, or the existence of doubts about the information provided).
Data Processing/Sharing Instruction
The Customer's Purpose of Processing: Travel Rule compliance
Business Purpose: Execution of this Agreement
Nature of Processing:
For Annex III
For Annex IV
Duration of Processing: Term of this Agreement, unless otherwise specified and/or applicable
Data subjects categories:
For Annex III
the Participant's customers (Individuals)
For Annex IV
the Participant’s personal data as specified in Annex I hereto
Categories of data for Processing:
For Annex III
The Personal Data processing is based on the Travel Rule Solution service, which may include, but is not limited to, the categories of Personal Data specified below.
For Annex IV
Personal data categories as specified in Annex I hereto
Frequency of transfers in case of international transfers: on a continuous basis, in accordance with the Participant’s purpose(s) and Business purpose.
Subject matter, nature and duration of the processing by (sub-) processor: The subject matter, nature and duration of the processing are indicated and specified in the relevant privacy clauses hereto and/or Data Processing Agreement, if any, with the subprocessor that Sumsub engages for Business purpose. More details are to be provided upon written request.
Technical and Organisational Measures: the list of security and privacy standards implemented by Sumsub can be found here. Further information may be clarified with a manager.
Schedule 1. The Standard Contractual Clauses: Module One
The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module One of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of Ireland
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I and III are set out as follows:
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
Schedule 2. The Standard Contractual Clauses: Module Two
The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Two of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 9(a) (use of sub-processors)
The OPTION 2 will apply (general authorisation)
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of Ireland
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I, II and III are set out as follows:
Competent Supervisory Authority (Annex I):
Cyprus
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
List of Sub-Processors (Annex III):
To be requested from a manager
Technical and Organisational Measures (Annex II):
As specified in Annex II to this Agreement
Schedule 3. The Standard Contractual Clauses: Module Four
EU STANDARD CONTRACTUAL CLAUSES (SCCs)
(Processor - Controller)
The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Four of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of England and Wales
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I and III are set out as follows:
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
List of Sub-Processors (Annex III):
To be requested from a manager
Technical and Organisational Measures (Annex II):
As specified in Annex II to this Agreement
Schedule 4. The UK IDTA
In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:
1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.
2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is completed as follows:
UK country’s law that governs the IDTA
England and Wales
Northern Ireland
Scotland
Primary place for legal claims to be made by the Parties
England and Wales
Northern Ireland
Scotland
The status of the Exporter
In relation to the Processing of the Transferred Data:
Exporter is neither Controller OR Processor or Sub-Processor
The status of the Importer
In relation to the Processing of the Transferred Data:
Importer is neither Controller or Exporter’s Processor or Sub-Processor.
Whether UK GDPR applies to the Importer
UK GDPR applies to the Importer’s Processing of the Transferred Data OR does not apply to the Importer’s Processing of the Transferred Data
Linked Agreement
This Agreement
Term
The Importer may Process the Transferred Data for the following time period:
the period for which the Linked Agreement is in force
time period:
(only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.
Ending the IDTA before the end of the Term
the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).
Ending the IDTA when the Approved IDTA changes
Which Parties may end the IDTA as set out in Section 29.2:
Importer
Exporter
neither Party
Can the Importer make further transfers of the Transferred Data?
The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data
The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
if the Exporter tells it in writing that it may do so.
to
to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
there are no specific restrictions.
Review Dates
The Parties must review the Security Requirements at least once:
each month(s)
each quarter
each 6 months
each year
each year(s)
each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment
3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is completed as follows:
Transferred Data
The personal data to be sent to the Importer under this IDTA consists of:
The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
Special Categories of Personal Data and criminal convictions and offences
The Transferred Data includes data relating to:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data for the purpose of uniquely identifying a natural person
physical or mental health
sex life or sexual orientation
criminal convictions and offences
none of the above
set out in:
And:
The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3
Relevant Data Subjects
The Data Subjects of the Transferred Data are:
The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
Purpose
The Importer may Process the Transferred Data for the following purposes:
The Importer may Process the Transferred Data for the purposes set out in:
In both cases, any other purposes which are compatible with the purposes set out above.
The purposes will update automatically if the information is updated in the Linked Agreement referred to.
The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is completed as follows:
Security of Transmission
As specified in Annex II to this Agreement
Security of Storage
As specified in Annex II to this Agreement
Security of Processing
As specified in Annex II to this Agreement
Organisational security measures
As specified in Annex II to this Agreement
Technical security minimum requirements
As specified in Annex II to this Agreement
Updates to the Security Requirements
The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is completed as follows:
Extra Protection Clauses:
(i) Extra technical security protections
As specified in Annex II to this Agreement
(ii) Extra organisational protections
As specified in Annex II to this Agreement
(iii) Extra contractual protections
As specified in Annex II to this Agreement
PART 3. COMMERCIAL CLAUSES
Commercial Clauses
This Agreement
Schedule 5. The UK IDTA Addendum
IDTA ADDENDUM (Addendum)
In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.
The SCCs, as implemented under the Schedules 1-3 will apply with the following modifications:
i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and
ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1-3 above (as applicable).
PART 1. TABLE
Table 1. Parties
Commencement date:
When the restricted transfer is to be conducted
The Parties' details:
Exporter: Partner
Importer: Sumsub
Key Contact:
as specified in this Agreement
Table 2. Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs:
The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information
Table 3. Appendix Information
ANNEX IA: List of Parties
As specified in Table 1 hereto
ANNEX IB: Description of Transfer
As specified in Annex II to this Agreement
ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
As specified in Annex II to this Agreement
ANNEX III: List of Subprocessors (if applicable):
To be requested with a manager
Table 4. Appendix Information
Ending this Addendum when the Approved Addendum changes
Neither Party
Schedule 1. The Standard Contractual Clauses: Module One
The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module One of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of Ireland
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I and III are set out as follows:
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
The UK IDTA
In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Two of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 9(a) (use of sub-processors)
The OPTION 2 will apply (general authorisation)
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of Ireland
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I, II and III are set out as follows:
Competent Supervisory Authority (Annex I):
Cyprus
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
List of Sub-Processors (Annex III):
To be requested with a manager
Technical and Organisational Measures (Annex II):
As specified in Annex II to this Agreement
Schedule 3. The Standard Contractual Clauses: Module Four
EU STANDARD CONTRACTUAL CLAUSES (SCCs)
(Processor - Controller)
The Data Exporter and Data Importer hereby agree to comply with the obligations set out in the SCCs specified herein as they apply to each party.
1. Applicable module. With respect to any transfer or processing of personal data pursuant to this Agreement, the Data Exporter is Partner, and the Data Importer is Sumsub. Accordingly, Module Four of the SCCs applies.
2. Applicable options. The following optional clauses of Module Two apply as follows:
Clause 13(a) (supervision)
The PARAGRAPH 1 will apply: Data Exporter is established in an EU Member State
Clause 17 (governing law)
The OPTION 1 will apply: the law of England and Wales
Clause 18(b) (forum)
England and Wales
3. Docking clause. Clause 7 of Module 3 (docking clause) will apply.
4. Annexes. The details of Annexes I and III are set out as follows:
List of Parties (Annex I):
As specified in this Agreement
Description of Transfer (Annex I):
As specified in Annex II to this Agreement
List of Sub-Processors (Annex III):
To be requested with a manager
Technical and Organisational Measures (Annex II):
As specified in Annex II to this Agreement
Schedule 4. The UK IDTA
In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the IDTA herein as they apply to each party with the following modifications:
1. Table 1 ‘Parties and signatures’ of Part 1 from the ‘Tables’ section is completed with the information which is specified in the Agreement.
2. Table 2 ‘Transfer Details’ of Part 1 from the ‘Tables’ section is complete as follows:
UK country’s law that governs the IDTA
England and Wales
Northern Ireland
Scotland
Primary place for legal claims to be made by the Parties
England and Wales
Northern Ireland
Scotland
The status of the Exporter
In relation to the Processing of the Transferred Data:
Exporter is Controller
The status of the Importer
In relation to the Processing of the Transferred Data:
Importer is Controller
Whether UK GDPR applies to the Importer
UK GDPR applies to the Importer’s Processing of the Transferred Data OR does not apply to the Importer’s Processing of the Transferred Data
Linked Agreement
This Agreement
Term
The Importer may Process the Transferred Data for the following time period:
the period for which the Linked Agreement is in force
time period:
(only if the Importer is a Controller or not the Exporter’s Processor or Sub-Processor) no longer than is necessary for the Purpose.
Ending the IDTA before the end of the Term
the Parties cannot end the IDTA before the end of the Term unless there is a breach of the IDTA or the Parties agree in writing.
the Parties can end the IDTA before the end of the Term by serving: months’ written notice, as set out in Section 29 (How to end this IDTA without there being a breach).
Ending the IDTA when the Approved IDTA changes
Which Parties may end the IDTA as set out in Section 29.2:
Importer
Exporter
neither Party
Can the Importer make further transfers of the Transferred Data?
The Importer MAY transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
The Importer MAY NOT transfer on the Transferred Data to another organisation or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
Specific restrictions when the Importer may transfer on the Transferred Data
The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1:
if the Exporter tells it in writing that it may do so.
to
to the authorised receivers (or the categories of authorised receivers) set out in manner the Parties agree.
there are no specific restrictions.
Review Dates
The Parties must review the Security Requirements at least once:
each month(s)
each quarter
each 6 months
each year
each year(s)
each time there is a change to the Transferred Data, Purposes, Importer Information, TRA or risk assessment
3. Table 3 ‘Transferred Data’ of Part 1 from the ‘Tables’ section is complete as follows:
Transferred Data
The personal data to be sent to the Importer under this IDTA consists of:
The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to.
The categories of Transferred Data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
Special Categories of Personal Data and criminal convictions and offences
The Transferred Data includes data relating to:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data for the purpose of uniquely identifying a natural person
physical or mental health
sex life or sexual orientation
criminal convictions and offences
none of the above
set out in:
And:
The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to.
The categories of special category and criminal records data will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3
Relevant Data Subjects
The Data Subjects of the Transferred Data are:
The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to.
The categories of Data Subjects will not update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
Purpose
The Importer may Process the Transferred Data for the following purposes:
The Importer may Process the Transferred Data for the purposes set out in:
In both cases, any other purposes which are compatible with the purposes set out above.
The purposes will update automatically if the information is updated in the Linked Agreement referred to.
The purposes will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
4. Table 4 ‘Security Requirements’ of Part 1 from the ‘Tables’ section is complete as follows:
Security of Transmission
As specified in Annex II to this Agreement
Security of Storage
As specified in Annex II to this Agreement
Security of Processing
As specified in Annex II to this Agreement
Organisational security measures
As specified in Annex II to this Agreement
Technical security minimum requirements
As specified in Annex II to this Agreement
Updates to the Security Requirements
The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to.
The Security Requirements will NOT update automatically if the information is updated in the Linked Agreement referred to. The Parties must agree a change under Section 5.3.
5. Part 2 ‘Extra Protection Clauses’ from the ‘Tables’ section is complete as follows:
Extra Protection Clauses:
(i) Extra technical security protections
As specified in Annex II to this Agreement
(ii) Extra organisational protections
As specified in Annex II to this Agreement
(iii) Extra contractual protections
As specified in Annex II to this Agreement
6. Part 2 ‘Commercial Clauses’ from the ‘Tables’ section is complete as follows:
Commercial Clauses
This Agreement
Schedule 3. The UK IDTA Addendum
IDTA ADDENDUM (Addendum)
In relation to transfers of Personal Data protected by the UK GDPR, the Data Exporter and Data Importer hereby agree to comply with the obligations set out in the Addendum herein as they apply to each party.
The SCCs, as implemented under the Schedules 1-3, will apply with the following modifications:
i. the SCCs shall be deemed amended as specified by Part 2 of the Addendum; and
ii. tables 1 to 3 in Part 1 of the Addendum shall be deemed completed, respectively, with the information set out in Schedule 1 above.
PART 1. TABLE
Table 1. Parties
Commencement date:
When the restricted transfer is to be conducted
The Parties' details:
Exporter: Participant
Importer: Sumsub
Key Contact:
as specified in this Agreement
Table 2. Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs:
The version of the Approved EU SCCs to which this Addendum is appended, detailed below, including the Appendix Information
Table 3. Appendix Information
ANNEX IA: List of Parties
As specified in Table 1 hereto
ANNEX IB: Description of Transfer
As specified in Annex II to this Agreement
ANNEX II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
As specified in Annex II to this Agreement
ANNEX III: List of Subprocessors (if applicable):
To be requested with a manager
Table 4. Appendix Information
Ending this Addendum when the Approved Addendum changes
Neither Party