Firebase Data Processing Addendum

INTRODUCTION

This Data Processing Addendum forms part of the agreement between you and iProov Limited covering your use of the Trial Services.

The definitions set out in Annex 3 shall apply to this Data Processing Addendum. If a term is not otherwise defined in Annex 3 of this Data Processing Addendum or elsewhere within it, that term shall have the meaning given to it in the rest of the Agreement.

1. PROCESSING OF PERSONAL DATA

1.1 In the performance of the Trial Services:

    1. iProov acts as a Processor; and
    2. you act as the Controller.

1.2 iProov shall process Your Personal Data in compliance with the obligations of Processors under UK and EU Data Protection Laws.

1.3 iProov will process personal data in order to provide the Trial Services in accordance with the Agreement. The Annex 1 (Data Processing Details) further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.

1.4 You appoint iProov as a processor to process Your Personal Data on behalf of, and in accordance with, your instructions (a) as set out in the Agreement (which includes this Data Processing Addendum), and as otherwise necessary for iProov to provide the Trial Services to you which includes (but is not limited to) (i) investigating security incidents and preventing spam, fraudulent activity and violations of the Acceptable Use Policy and (ii) detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Data Protection Legislation; and (c) as otherwise agreed in writing between iProov and you.

1.5 You warrant, represent and undertake, that at all times:

    1. you will ensure that your instructions comply with Data Protection Legislation;
    2. fair processing and all other appropriate notices have been provided to the Data Subjects of Your Personal Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Legislation in connection with all processing activities in respect of Your Personal Data that may be undertaken by iProov and/or its sub-processors under the Agreement and this Data Processing Addendum;
    3. you have complied, and will continue to comply, with Data Protection Legislation in connection with the use of the Trial Services and your own processing of personal data and the exercise and performance of your respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation;
    4. you have, and will continue to have, the right to transfer, or provide access to any personal data to iProov for processing in accordance with the terms of the Agreement and this Data Processing Addendum;
    5. if you enter into this as an Organisation, you and the Organisation have undertaken due diligence in relation to iProov’s business, processing operations and commitments and you are satisfied (and at all times that you continue to use the Trial Services you remain satisfied) that:
      1. iProov’s processing operations are suitable for the purposes for which you propose to use the Trial Services and engage iProov to process Your Personal Data;
      2. the technical and organisational measures set out in this Data Processing Addendum and the Agreement (each as updated from time to time) shall (if iProov complies with its obligations under such) ensure a level of security appropriate to the risk in respect of Your Personal Data, as required by Data Protection Legislation; and
      3. iProov has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Legislation.

1.6 You acknowledge that iProov is neither responsible for determining which laws or regulations are applicable to you, your business or Organisation nor whether iProov’s provision of the Trial Services meets or will meet the requirements of any such laws. You will ensure that iProov’s processing of Your Personal Data, when done in accordance with the Agreement, will not cause iProov to violate any applicable law or regulation, including any Data Protection Legislation. iProov will inform you if it becomes aware, or reasonably believes, that your instructions violate any Data Protection Legislation.

2. SECURITY

2.1 iProov shall implement the technical and organisational measures set out in Annex 2 of this Data Processing Addendum in relation to its Processing of Your Personal Data.

2.2 You shall undertake an assessment of whether the security measures implemented in accordance with paragraph 2.1 are sufficient to protect Your Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access to the extent required by Data Protection Legislation, in the circumstances.

2.3 You acknowledge that iProov provides a commoditised one-to-many service and the needs or assessments of other customers may differ and iProov shall not be obliged to implement different security measures for you but you may stop using the Trial Services, if you conclude the measures adopted by iProov are not sufficient for your needs.

3. SUBPROCESSING

3.1 iProov shall not subcontract any Processing of the Personal Data to a third party sub-processor without your prior written consent and shall ensure that such sub-processor (each, a “Sub-Processor”) is bound by terms which (i) are at least equivalent to the terms set out in this Data Processing Addendum, or (ii) in the case of Cloud Service Providers, are such terms as the Cloud Service Provider offers by way of compliance with UK and EU Data Protection Laws. You hereby consent to and authorise (a) iProov Limited and (b) the following (each a “Cloud Service Provider”) as processors: Microsoft Limited c/o Microsoft Ireland Operations Limited, One Microsoft Place, South County Industrial Park, Leopardstown, Dublin, Ireland (or another member of its group) in respect of the Azure service; AWS EMEA SARL (a Luxembourg entity) (or another member of its group) in respect of Amazon Web Services (AWS); Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland (or another member of its group) in respect of Google GCP.

3.2 iProov shall be and remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

4. DATA SUBJECT RIGHTS

iProov will assist you in responding to Data Subject Requests to the extent technically feasible and required by UK and EU Data Protection Laws. iProov will, without undue delay, notify you of any Data Subject Requests and will only respond to them with your written instructions (at your cost and expense) or as required by law. Unless prohibited by Data Protection Legislation, you are responsible for any costs and/or expenses incurred by iProov in providing this assistance and will reimburse iProov for any such costs and/or expenses immediately upon iProov’s request.

5. PERSONAL DATA BREACHES

iProov shall notify you without undue delay upon iProov becoming aware of a Personal Data Breach affecting Your Personal Data and iProov shall provide you with such information as is required of iProov under applicable Data Protection Legislation (insofar as such information is, at such time, within iProov’s control or possession).

6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

iProov will provide reasonable cooperation to you in connection with any data protection impact assessment or consultations with regulatory authorities that may be required in accordance with Data Protection Legislation (at your cost and expense).

7. RETURN OR DELETION OF PERSONAL DATA

7.1 Subject to paragraph 7.2 and the Retention Period, on termination or expiry of the Agreement, iProov will, in accordance with Annex 1 (Details of Processing) of this Data Processing Addendum, delete or irreversibly render Anonymised (at iProov’s discretion) Your Personal Data stored or Processed as part of or within the Trial Services.

7.2 Notwithstanding anything to the contrary in this Data Processing Addendum, iProov may retain Your Personal Data, or any portion of it, if required by applicable law or regulation, including Data Protection Legislation.

7.3 During any period for which Your Personal Data is retained following termination or expiry of this Agreement in accordance with this paragraph, iProov will ensure that Your Personal Data:

      1. is processed only as necessary for the purposes described in this Data Processing Addendum; and
      2. remains protected in accordance with the terms of the Agreement, this Data Processing Addendum and UK and EU Data Protection Laws.

8. AUDIT RIGHTS

8.1 iProov shall make available to you within a reasonable period of your written request such information as iProov reasonably considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.

8.2 If you reasonably demonstrate that the information provided by iProov under Paragraph 8.1 is insufficient to demonstrate iProov’s compliance with this Data Processing Addendum, iProov shall allow you or your auditor (the “Auditor”) (which shall include internal and external auditors and, where relevant, Supervisory Authorities) access during normal working hours of iProov and on reasonable prior notice (and in any event at least 60 days’ prior notice), to audit any relevant records and materials held by iProov, which are necessary to demonstrate such compliance. Such access will be subject to the following:

      1. audits will be conducted remotely unless an onsite visit is legally required;
      2. you agree to comply and shall ensure that any Auditor complies with Data Protection Legislation and any reasonable iProov security and confidentiality requirements;
      3. access will only be given at premises and on systems determined by iProov in its reasonable discretion, (and for the avoidance of doubt, it shall be reasonable for iProov to take account of any other customers of iProov, any disruption to iProov’s business and any confidentiality obligations of iProov, in determining what access is reasonable);
      4. access will not be given to any records or materials or systems which contain information relating to other customers of iProov;
      5. access will not be given to any auditor who fails to produce reasonable evidence of their identity or authority; and
      6. access will not be given on more than one occasion in any rolling 12 month period unless you demonstrate to iProov that an audit is required more frequently, in order to meet your obligations under applicable Data Protection Legislation.

8.3 You shall and shall procure that your Auditors shall use their best efforts to avoid any damage or disruption to iProov’s premises, equipment, personnel, data or business during any on-premise audit and you shall indemnify iProov for any such damage or disruption.

8.4 You shall pay for (and reimburse iProov on demand for) all costs and expenses of iProov in connection with the conduct of the audit unless such audit reveals that iProov has materially breached its obligations under this Paragraph 8, in which case iProov shall bear its own costs and expenses.

9. PROCESSING PERSONAL DATA OF CALIFORNIAN RESIDENTS

9.1 For purposes of this Paragraph 9, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CPRA, and “personal information” shall mean Your Personal Data that constitutes personal information governed by the CPRA.

9.2 With respect to any personal information, iProov is a service provider. iProov shall not (a) sell any personal information; (b) subject to Paragraph 7 retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Trial Service, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Trial Service; or (c) subject to Paragraph 7, retain, use or disclose the personal information outside of the direct business relationship between iProov and you. iProov hereby certifies that it understands its obligations under this Paragraph 9.2 and will comply with them.

9.3 It is acknowledged that iProov’s retention, use and disclosure of personal information documented in this Data Processing Addendum is integral to iProov’s processing and provision of the Trial Services.

10. INTERNATIONAL DATA TRANSFERS

10.1 During the Extension installation process, you will be provided with an option to select the country within which Your Personal Data will be hosted by iProov in connection with your use of or access to the Trial Services (the “Hosting Region”) and you agree that, if it is an option, you will select the country within which the Trial Services will be used or made available (or predominantly used or made available, as applicable), as the Hosting Region.

10.2 iProov (and its Sub-Processors) may only Transfer Your Personal Data to (or process Your Personal Data in) the following countries: the United Kingdom, the EU and the Hosting Region (together, the “Territories”) and you hereby authorise iProov (or any Sub-Processor) to Transfer Your Personal Data to any of the Territories and this paragraph 10 shall constitute your instruction with respect to Transfers.

11. INCORPORATION AND PRECEDENCE

To the extent there is any conflict or inconsistency between this Data Processing Addendum and the remainder of this Agreement, the terms of this Data Processing Addendum shall take precedence and prevail.

ANNEX 1

DATA PROCESSING DETAILS

This Annex 1 includes certain details of the Processing of Your Personal Data, as required by Article 28(3) GDPR.

Details of Processing

Categories of Data Subjects: you and/or the Users
Categories of Personal Data:
  • User interaction data (includes data about how users interact with the service)
  • Information regarding the Data Subject’s device which may include an IP address
  • IP address of the Data Subject’s device connected to the Trial Services and/or Application.
  • Authentication credentials including API keys and secrets used to identify Data Subjects
  • Facial imagery of the Data Subject created when using the Trial Services e.g. images taken with the device camera
  • Pseudonymous username of the Data Subject
  • An identifier of an installed instance of an Android, iOS or Flutter
  • A biometric template of you / Users
Nature and purpose of the Processing:
  • Processing in accordance with the rights and obligations of the parties under the Agreement;
  • processing as reasonably required to provide the Trial Services; and
  • processing as initiated, requested or instructed by you or Users in connection with use of the Trial Services.
Duration of Processing: For the duration of the Agreement or (if longer) in accordance with your instructions.

In respect of each facial image of any Data Subject created or transferred to iProov in connection with the use of the Trial Services, iProov shall delete the relevant facial image within no longer than 14 days following the Processing of such in connection with its provision of the Trial Services (the “Retention Period”).

ANNEX 2

SECURITY MEASURES

iProov maintains compliance with security standard ISO/IEC 27001:2013, the scope of which will include the Trial Services provided to you and which includes the following standards:

  • ISO/IEC 27001:2013 section 5.3 – Organisational roles, responsibilities and authorities
  • ISO/IEC 27001:2013 section 8.2 – Information security risk assessment
  • ISO/IEC 27002:2013 section 9 – Access control
  • ISO/IEC 27002:2013 section 10 – Cryptography
  • ISO/IEC 27002:2013 section 9.2.4 – Management of secret authentication information of users
  • ISO/IEC 27002:2013 section 11.1 – Management of secure areas
  • ISO/IEC 27002:2013 section 12.1.2 – Change management
  • ISO/IEC 27002:2013 section 16.1 – Management of information security incidents and improvements
  • ISO/IEC 27002:2013 section 13.1 – Network security management
  • ISO/IEC 27002:2013 section 12.6 – Technical vulnerability management
  • ISO/IEC 27002:2013 section 17 – Information security aspects of business continuity management.

ANNEX 3

DEFINITIONS

  1. In this Data Processing Addendum, terms shall have the meaning given to them in this Annex 3.
  2. Any capitalised term which is not defined in this Annex 3 or the Agreement, shall have the meaning given to it in the UK GDPR.
  • “Applicable Law” means the following to the extent forming part of the law of any applicable jurisdiction:
    a) any law, legislation, regulation, byelaw or subordinate legislation in force from time to time;
    b) the common law and laws of equity as applicable from time to time;
    c) any binding court order, judgment or decree; or
    d) any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
  • “Biometric Information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual.
  • “Biometric Information Laws” means any and all Applicable Laws and binding biometric information laws and regulations which relate to the use of Biometric Information or biometric data.
  • “Biometric Identifier” means an individual’s physiological, biological, or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric Identifiers may include, but are not limited to, imagery of the iris, retina, fingerprint, or face, hand, palm, vein patterns, and voice or video recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
  • “CPRA” means the California Privacy Rights Act of 2020 and any binding regulations promulgated thereunder.
  • “Data Protection Legislation” means any Applicable Laws relating to (i) data privacy and security including (but not limited to) the GDPR and the CPRA or (ii) biometric data or Biometric Information, including Biometric Information Laws;
  • “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR, in respect of Your Personal Data.
  • “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
  • “EEA” means the European Economic Area.
  • “GDPR” means, as and where applicable:
    a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “EU GDPR”); and/or
    b) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (the “UK GDPR”).
  • “Lawful Safeguards” means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under UK and EU Data Protection Laws, from time to time;
  • “Personal Data Breach” means any actual or reasonably suspected breach of security leading to the accidental, unlawful or unauthorised destruction, loss, alteration, encryption, acquisition, disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by iProov under or in connection with the Agreement.
  • “Retention Period” means the period identified as such in Annex 1.
  • “Supervisory Authority” means:
    a) in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office;
    b) in the context of the EEA and EU GDPR, has the meaning given to that term in Article 4(21) of the EU GDPR; and
    c) any other regulatory, governmental, or independent public authority established with jurisdiction over all or any part of (a) the enforcement of Data Protection Legislation; and (b) the Trial Services.
  • “Transfer” has the same meaning as the word ‘transfer’ in Article 44 of the GDPR (and related terms such as Transfers, Transferred and Transferring have corresponding meanings).
  • “UK and EU Data Protection Laws” means Applicable Laws on data protection or privacy that apply in the UK and EU including the GDPR and the Data Protection Act 2018 in the UK.
  • “Your Personal Data” means Personal Data that is Processed by or on behalf of iProov on behalf of you (which includes any Personal Data of your Users or the Organisation) under or in connection with the Agreement (which includes this Data Processing Addendum).