Introduction

At Prove, our guiding mission is centered around creating equitable and convenient solutions to
digital transactions and identity verification processes designed to mitigate fraud and enable
access to online services globally. By modernizing how digital trust is established and maintained
throughout the consumer journey, Prove provides unparalleled accuracy in identity verification and
authentication while delivering a frictionless consumer experience. Prove received numerous
awards in 2023, including Expert Insights Top Solution for “Customer Identity & Access Management”
and “Zero Trust Security” as well as Prove CEO Rodger Desai being named the “Entrepreneur of the Year
NY” by Ernst & Young.
Prove’s mission may focus on providing verification and authentication solutions, however, how
that mission is accomplished is just as important as the mission itself. At Prove, we are continuously
driven to attract and retain exceptional talent from all backgrounds while building a diverse
community from across the globe.
This focus on our community and culture has led to creation of Prove’s Diversity and Impact Report
(this “Report”), which aims to provide an overview of Prove's commitment to diversity, equity, and
inclusion (“DE&I”), as well as the company's efforts to make a positive impact in various other
areas. It highlights key initiatives, progress made, and future goals related to diversity within the
workforce, community engagement, environmental sustainability, and social responsibility.

‍

Current State

Prove recognizes the importance of having corporate policies, practices, and activities in place to
encourage us to act responsibly when it comes to environmental, social, and governance (“ESG”)
issues. More specifically, Prove recognizes the value of a diverse workforce, community
engagement, and environmental sustainability. This Report provides an overview of Prove’s
commitment to and the positive impact of our ESG endeavors, including any resources available to
and activities conducted by our organization.

‍

Diversity

Prove is committed to fostering an inclusive and diverse workplace where every individual feels
valued, respected, and empowered. We believe that embracing and encouraging diversity in all its
forms is not only the right thing to do, but it is also essential for driving innovation, creativity, and
sustainable growth. This Report is the first step in gathering data and interpreting numbers related
to Prove’s DE&I. It showcases the baseline data that we have available today and will assist us as
we develop our goals and metrics to build upon this foundation.

‍Prove Power Hours

Prove engages in regular “Power Hour” digital conferences designed to educate and empower our
team. Examples of these events include:

• Black Men Heal: In honor of Black History Month, Prove partnered with Black Men Heal, a
  non-profit organization dedicated to promoting healing, growth, and empowerment
  through therapy. They hosted a virtual workshop on the topic of “Corporate Wellness:
  Creating a Culture of Care”. It was a space for learning and discussion on topics such as
  imposter syndrome, implicit bias, and cultural competency.
• The Point Foundation: In Pride month, Prove supported Point Foundation, the LGBTQ
  Scholarship Fund, by hosting a Drag Queen Bingo event with the amazing Miss Richfield
  which included a portion dedicated to learning more about Point's important work
  supporting LGBTQ students in higher education.
• Edesia – Virtual Factory Tour: In August, Prove partnered with Edesia for a virtual tour of
  their Rhode Island facility and to hear first-hand from Founder and CEO Navyn Salem about
  how Edesia is making a difference. Edesia is a non-profit, social enterprise created with the
  mission to end malnutrition through the manufacturing of a Ready-to-Use Therapeutic
  Food (RUTF) called Plumpy’Nut - the only formula endorsed by the World Health
  Organization to cure a young child of life-threatening severe acute undernourishment. To
  date, Edesia has impacted more than 20 million children across 62 countries.

‍

Prove People

Prove has won various awards including, “Best Places to Work”, “Best Company Outlook”, “Best
Company Perks and Benefits”, and “Best Company Culture”. Recognition like this comes due
Prove’s greatest asset – the people.
Prove continues to strive to hire the best and brightest. One way we achieve this is through our
referral program and input from the excellent team we already have. Prove also implemented an
Internal mobility policy, a dedicated career channel to promote internal opportunities, and a
framework to provide visibility and clarity around career pathing at Prove, all of which are designed
to help our team members grow within the company.
Prove understands that knowledge is the key to acceptance and growth. As such, Prove requires
all employees to complete annual training in the areas of Human Resources (including Diversity
specific training), Ethics & Compliance, and Data Protection (including Information Security and
Consumer/Employee Data Privacy). These trainings not only educate the employees on best
practices but also provide valuable information about how to respond to incidents that do not fall
within the bounds of Prove’s culture.
Prove’s Ethics & Compliance training, which covers the variety of topics listed below, cites to the
Prove Ethics & Compliance Hotline which allows employees to report violations of Prove’s code of
conduct or other HR or Compliance policies anonymously:

• Ethics: Fraud, Bribery and Corruption, Conflict of Interest, Anti-Money Laundering
• CEO Fraud
• Whistleblower
• Data Privacy
• GDPR

‍

Diversity Data Points (Q4 2023)

This Report provides a high-level snapshot of Prove’s statistics from our Q4 2023 demographics
and DEI surveys (the “Demographics Surveys”). While we are pleased with the 91% participation
in the Demographics Surveys, which was optional and anonymous, the responses may not fully
represent our organization given that there are team members who chose not to respond, as well
as a limited number of questions included in the Demographics Surveys. Prove is aware that
diversity can extend beyond demographic characteristics, but this is the baseline data currently
available for Prove to build upon in 2024 and beyond:

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

Community

Prove recognizes that building a connected, safe, and open-minded community internally is
imperative to a successful business. Similarly, supporting and giving back to the external
community that the company operates in is equally important. Actively engaging with local and
global organizations that support initiatives promoting education, technology access, and social
well-being inspire positive change and provide long-term value to the communities we serve.

‍Prove Community

Prove engages our internal community through regular wellness programming designed to bring
teams together and encourage interaction outside of the typical work setting. These programs
include mental health awareness sessions, and access to the Bravely professional coaching
platform that connects Prove employees to real people who can help them achieve their
professional goals. Prove also provides regular “Lunch & Learn” events that range from meeting
the Prove Product leaders and other teams (e.g., Customer Success) to information sessions about
how to leverage Prove’s benefits.
Prove has a number of ways to check the pulse of its employees. For example, Prove shares an
annual Wellness survey with all employees (the “Wellness Survey”). The Wellness Survey helps
Prove year-over-year to better support our internal community and continue to create a positive
working environment. Additionally, monthly “All-Hands” meetings bring the entire Prove team
together for company-wide updates and information as well as engaging question and answer
sessions to ensure that everyone is informed and is a part of the Prove culture. Finally, Prove has
in place an annual review process that allows each employee to receive individual feedback on the
previous year, and presents each employee with solid direction going into each new year and a
clear understanding of what they bring to the company. This process is rolled out each year in
tandem with reviewing the annual company-wide general survey results (the “General Survey”).
The General Survey results inform departments on where improvements can be made, which can
include areas related to diversity, inclusion and general belonging, and enable them to create
collective, objective goals for the coming year that align with the company’s overall objectives.

‍

‍Prove Global Engagement

As Prove expands globally, it strives to do its part to have a positive impact on the world. The
interconnectedness of the global community is only growing bigger and stronger, which makes it
more important that everyone strives to make a difference. Through global partnerships, Prove can
reach its goals and take an active part in the global community.

• Move The Chain: Prove has been a long-time partner with Move the Chain, a platform
  connecting corporations, non-profits, and individuals with networks to make the world a
  better place. Examples of non-profits supported are Asian Mental Health Project, The Young
  Center, and CAMFED.
• Asian Mental Health Project: May is recognized as both AAPI Heritage Month and
  Mental Health Awareness Month. In honor of these important causes, Prove
  partnered with the Asian Mental Health Project in order to share details about the
  great work Asian Mental Health Project is doing and educating on the topic of
  Mental Health and Culture as well as participating in a donation matching
  fundraiser for the Asian Mental Health Project. The Asian Mental Health Project is
  a nonprofit organization dedicated to educating and empowering Asian
  communities in seeking mental healthcare.
• The Young Center: Prove partnered with The Young Center to help support their
  mission to protect and advance the rights and best interests of immigrant children
  according to the Convention on the Rights of the Child and state and federal law.
  Prove raised money through its fitness challenge while also raising awareness and
  sharing details about The Young Center’s mission.
• CAMFED: In honor of International Women’s Day, Prove partnered with CAMFED, a
  pan-African movement revolutionizing how girls’ education is delivered, to spread
  awareness and support for their goals. Through a gold-standard system of
  accountability to the young people and communities it serves, CAMFED has created
  a model that radically improves girls’ prospects of becoming independent,
  influential women. CAMFED has already supported more than 5.6 million children
  to go to school across Ghana, Malawi, Tanzania, Zambia, and Zimbabwe. By
  supporting CAMFED we aim to add momentum to their ambitious goals of
  supporting another 5 million girls to attend and thrive in school within just 5 years.

During our 2024 Sales Kick-off Event in Nashville, Prove partnered with Project Cure for a
volunteering event where Prove staff assembled over 150 medical kits containing basic medical
supplies for distribution to countries that struggle with medical care. In 2024, we plan to continue
increasing our impact through fundraising and volunteering efforts. Whether focusing on internal
growth within Prove, local efforts in our various office locations, or as a member of the global
community, Prove strives to improve the status quo.

‍

Environment

Prove is committed to minimizing our environmental impact and promoting sustainable practices
throughout our operations. We are just beginning our journey into environmental sustainability.
While we continue investigating our current practices and their environmental impact, we can
build off our current activities. As we continue to grow, the knowledge of our current impact will
help us set goals to make tangible carbon emission reductions throughout our business in the
coming years.
Today, Prove complies with all relevant environmental legislation and actively engages and
educates our employees on related matters. Where we have office locations, Prove complies with
local waste management regulations.
Prove also has taken the following steps to encourage environment protection:

1. All office equipment (including all computers) is either switched off when not in use or
   programmed for automatic hibernate/energy saving mode for periods of sustained
   downtime and overnight.
2. We encourage meetings by conference call/webinar wherever possible.
3. Our kitchen facilities are energy efficient.
4. Where appropriate, we purchase products and services that do the least damage to the
   environment and conserve energy.
5. We buy items that can be operated in an energy efficient manner.
6. We ensure all building management and local recycling laws are followed and shared with
   all employees.
7. We include questions related to Greenhouse Gas emissions and environmental impact in
   all of our vendor questionnaires.

The Road Ahead

Prove is just beginning its journey but that doesn’t mean that we are behind. This Report is
continuing to set the baseline for all activity moving forward. We are looking forward and excited
to continue our progress to positively impact the world. While Prove has taken great strides to get
where we are today, there are still a number of steps we can take on the journey ahead of us. As
our goals evolve, Prove will make any and all efforts to turn strategy into action.

‍

2024 ESG Goals 

‍

By creating attainable goals, we can take action as we continue to grow instead of just putting
words on paper. Examples of Prove’s 2024 goals include:

1. Expand Prove’s ESG Program [Internal]
Prove recognizes the need to expand the scope of its ESG program. To this end, we are
reviewing the accomplishments we have made over the past few years as we strategize in
order to better organize our ESG activities and track our goals as an enterprise.

2. Improve ESG Education and Awareness [Internal]
Prove recognizes that knowledge is the catalyst to change. With the knowledge we have
today, we can plan for tomorrow and look to improve upon the culture we have already
created, including:

• Expanding our DE&I events and awareness through increased investment in our
  partnerships and employee engagement.
• Increasing awareness of our environmental conservation efforts within our offices
  and providing additional avenues for employees to act for the betterment of the
  environment.
• Continuing to build upon our community involvement while simultaneously
  maintaining the Prove Culture as the company continues to grow.

3. Incorporate ESG into our Vendor Assessments [External]
Expanding our third-party vendor assessment questionnaires to include focused questions
related to environmental sustainability and DE&I can only help to strengthen our
knowledge about and understand the impacts of the third parties we rely on to do business.
Armed with that information, we can take action to improve our processes to better align
with our ESG goals.

‍View Prove Security & Privacy

Effective Date: October 31, 2024

‍

TABLE OF CONTENTS

1. WHAT DOES THIS PRIVACY POLICY COVER?
2. WHAT PERSONAL INFORMATION DO WE PROCESS?
3. HOW DO WE PROCESS PERSONAL INFORMATION?
4. WHEN DO WE SHARE YOUR PERSONAL INFORMATION?
   
5. HOW DO WE RESPOND TO “DO NOT TRACK” SIGNALS?
   
6. ONLINE ADVERTISING
   
7. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
   
8. LNKS TO OTHER WEBSITES
   
9. CHILDREN
   
10. INTERNATIONAL TRANSFERS
11. YOUR US STATE PRIVACY RIGHTS
    
12. YOUR RIGHTS UNDER EUROPEAN DATA PROTECTION LAWS
    
13. OTHER GLOBAL PRIVACY LAWS
    
14. CHANGES TO OUR PRIVACY POLICY
    
15. CONTACTING US
    

‍

Prove Identity, Inc., Prove Identity Ltd, and all current and future affiliates and subsidiaries (hereinafter “Prove”, “we”, "our”, or “us”) provide mobile-centric identity verification, authentication, and onboarding solutions (our “Solutions”) to businesses and their affiliates (our “Clients”). Our Solutions help Clients prevent fraud, including by helping Clients verify and authenticate consumers when they engage with Clients through mobile and online channels.

Certain terms used in this Privacy Policy (hereinafter, this “Policy”) may have slightly different wording or definitions depending on the applicable state, country, or region. This Policy uses the following definitions:

“Controller” means a natural or legal person who, alone or jointly with others, determines the purposes and means of Processing your Personal Information.

“Personal Information” means any information directly or indirectly linked or associated to a particular identified or identifiable natural person.

“Processing” includes, but is not limited to, collection, use, transmission, transfer, storage, erasure, and/or destruction of Personal Information.

“Processor” means a natural or legal person who Processes Personal Information on a Controller’s behalf.

These definitions are intended to cover substantially similar terms under applicable global privacy and data protection laws, including the European General Data Protection Regulation (“EU GDPR”) which generally applies to the processing of Personal Information in European Union (EU) member states and the European Economic Area (EEA) and the similar law in the United Kingdom ("UK GDPR"). For the purposes of this Policy, the EU GDPR and the UK GDPR are referred to as the “GDPR”, collectively.

Under the EU GDPR and the UK GDPR, and the Swiss Data Protection Act (collectively, "European Data Protection Laws"), Prove Identity, Inc. may be considered either a controller (i.e., is the party responsible for, and controlling the processing of, your Personal Information) or a processor (i.e., the party processing your Personal Information on behalf of a controller). Prove Identity, Inc. may also be considered both a controller and a processor depending on the nature of the transaction.

If the European Data Protection Laws, including individual EU member state laws supplementing the GDPR, or other country laws outside of the United States apply to you, please see the “Your Rights Under European Data Protection Laws” or “Local Country Laws Outside of the US, UK, or EU” sections below for further information about your rights.

‍

1. WHAT DOES THIS PRIVACY POLICY COVER?
‍‍
This Policy applies when Prove Identity, Inc. is the Controller of your Personal Information. This includes your use of our websites and branded social media pages, as well as when you receive emails, texts, faxes or have other communications with us (collectively, our “Sites”).

Prove Identity, Inc. acts in different roles with respect to your Personal Information depending on the nature of the Processing. This Policy does not apply:

• Where Prove Identity, Inc. Processes your Personal Information as a Processor on behalf of our Clients. The Client’s privacy policy (not this Policy) applies when we Process your Personal Information as a Processor on their behalf. Please contact the Client directly if you have concerns about this Processing or which to exercise related privacy rights.
• To any Personal Information you post to the public areas of our Sites. This includes, but is not limited to, comments to social media platforms and other public forums. Comments posted to public areas may be viewed, accessed, and used by third parties subject to the privacy practices and policies of the platform and/or forum.

There may be certain circumstances where more than one Controller Processes your Personal Information (sometimes called Joint Controllers or Co-Controllers). In these situations, we act as an independent Controller over our Processing activities. This means we determine the purposes and means of Processing your Personal Information independently from the other Controllers. Each Controller is responsible for meeting their own obligations under applicable global privacy and data protection laws.

Prove Identity, Inc. is not responsible for other Controllers’ Processing activities, including our Clients and other Joint Controllers.

‍

2. WHAT PERSONAL INFORMATION DO WE PROCESS?

‍
The types of Personal Information we Process depends on (a) how you access or use our Sites and (b) how our Clients use our Solutions.

PERSONAL INFORMATION WE PROCESS THROUGH OUR SITES

Our Sites and/or Solutions may have Processed the following Personal Information about you within the last twelve (12) months:

‍

PERSONAL INFORMATION WE PROCESS AUTOMATICALLY VIA TRACKING TECHNOLOGIES (E.G., COOKIES)

‍

When you interact with our Sites, Prove Identity, Inc. or Prove Identity, Inc.’s third parties may automatically Process your Personal Information through a variety of commonly used tracking technologies, such as cookies, web beacons, pixels, tags, file information, geolocation, and similar technology (collectively, “Cookie Information”).

‍

For more information on how Prove Identity, Inc. uses Cookie Information, please see our Cookie Policy.

‍

3. HOW DO WE PROCESS PERSONAL INFORMATION?
‍
Prove Identity, Inc. may Process your Personal Information to: 

• Operate, maintain, improve, and provide to you the features and functionality of our Sites and/or Solutions. 
• Enhance our Sites, as your information helps us to more effectively respond to your customer service requests and support needs.
• Contact you, including about the information you have provided through our Sites.
• Evaluate you for employment opportunities at Prove Identity, Inc..
• Set up and administer accounts for our Sites and/or Solutions. 
• Process transactions for our Sites and/or Solutions. 
• Deliver marketing and events communication.
• Prevent fraud and abuse using our Solutions. 
• Enable identity authentication and otherwise operate, maintain, and provide our Sites and/or Solutions.
• Perform any other action we may describe when you provide the information.

‍

In cases where our legal basis to Process your Personal Information is based on your consent, that consent may be revoked at any time by contacting us (see Contacting Us). Please note that if you withdraw your consent, we may not be able to provide you with an optimal user experience with our Sites and/or Solutions. We will explain the impact to you at the time to help you with your decision.

‍

4. WHEN DO WE SHARE YOUR PERSONAL INFORMATION?

Prove Identity, Inc. may share Personal Information in the following circumstances: 

• Vendors and Trusted Sources: We may share your Personal Information with our vendors and Trusted Sources in order to provide Solutions to our Clients, provided such companies protect your Personal Information and only use it for the purposes we specify. If you interact with our Solutions through one of our Clients, please review that Client’s privacy practices and its use of third party service providers. 

• Clients: We may share Personal Information we receive from our vendors and Trusted Sources with a Client to whom you interact in order to provide Solutions to that Client.  We do not share this Personal Information between Clients. Our Clients may have their own privacy policies which govern their use of Personal Information. 

• Business Transfers: We may share Personal Information with other parties in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company of a third party, or in the event of a bankruptcy or related or similar proceedings.

• Legal Requirements: We may share Personal Information with law enforcement, regulatory authorities, courts, and governmental agencies to comply with subpoenas or other legal orders, legal or regulatory requirements, and government requests.  We may also disclose Personal Information in order to verify or enforce compliance with other agreements or policies governing the Sites or Solutions, applicable laws, rules, and regulations, or whenever we believe disclosure is necessary to limit our legal liability or to protect or enforce the rights, interests, or safety of the Sites, Solutions, consumers, or other third parties. We reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful. 

We may also share Personal Information with others in an aggregated or otherwise anonymized form that does not reasonably identify you directly as an individual.

‍

5. HOW DO WE RESPOND TO “DO NOT TRACK” SIGNALS?
‍
Prove Identity, Inc. may, and Prove Identity, Inc. may allow our vendors and other third parties to, use cookies or other technologies on our Sites or in our Solutions that collect information about your browsing activities over time and across different websites following your use of the Sites or Solutions.  We currently do not respond to “Do Not Track” (DNT) signals and operate as described in this Policy whether or not a DNT signal is received.

‍

6. ONLINE ADVERTISING
‍
Prove Identity, Inc. may permit third party online advertising networks, social media companies, and other third party services to collect Personal Information through cookies and similar Tracking Technologies related to your visit to our Sites so that they may play or display ads that may be relevant to your interests on our Sites as well as on other websites or apps, or on other devices you may use. This information may also be used to make the advertisements you see online more relevant to your interests. For example, Prove Identity, Inc. or a third party may utilize certain forms of display advertising and other advanced features through Google Analytics, such as Remarketing with Google Analytics, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. These features enable us to use first-party cookies (e.g., Google Analytics cookie) and third party cookies (e.g., DoubleClick advertising cookie) or other third party cookies together to inform, optimize, and display ads based on your past visits to the Sites. To learn more about interest-based advertising and how you may be able to opt-out of some of this advertising, you may visit the Network Advertising Initiative’s online resources at http://www.networkadvertising.org/choices, and/or the Digital Advertising Alliance’s resources at https://optout.aboutads.info/. You may also control your advertising preferences or opt-out of certain Google advertising Solutions by visiting the Google Ads Preferences Manager, available at https://google.com/ads/preferences/ as of the effective date of this Policy.

‍

7. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
‍
Keeping information safe. Prove Identity, Inc. maintains reasonable administrative, technical, and physical security measures to protect your Personal Information, including unauthorized access and use. However, no security system is impenetrable. In the event that any Personal Information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised, and take other steps, in accordance with any applicable laws and regulations. In the event Personal Information in our possession is affected by a security event, we will notify our Clients (and where appropriate, consumers directly) in accordance with our contractual obligations and applicable law. 

Data retention. We may retain your Personal Information as long as appropriate for business purposes, unless we are required by law, regulation or for litigation and regulatory investigations to keep it for longer periods of time. Any Personal Information that we have acquired, either directly or from third parties, and that is no longer needed for any business or record-keeping purposes, is disposed of securely and in compliance with established best practices for secure data destruction and/or de-identification. Personal Information that we have processed on behalf of our Clients may be retained, stored, and deleted but only in accordance with our contractual obligations and in compliance with applicable law.

‍

8. LINKS TO OTHER WEBSITES
‍
Our Sites may contain links to other websites not operated or controlled by us (“Third Party Sites”), including social media websites which are not Prove Identity, Inc.-branded and other services. Personal Information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Policy. By providing Third Party Site links on our Sites, Prove Identity, Inc. does not imply that we endorse or have reviewed the privacy policies of these sites. Please contact the Third Party Sites directly for information on their privacy policies and practices.

‍

9. CHILDREN
‍
Prove Identity, Inc. does not knowingly collect Personal Information from children under the age of 13. If you have reason to believe that a child under the age of 13 has provided Personal Information to Prove Identity, Inc. through the Sites or Solutions, please contact us at privacy@prove.com and we will endeavor to delete that information from our databases.

‍

10. INTERNATIONAL TRANSFERS

Personal Information received on behalf of Clients for the United States market is processed on servers located in the United States. Personal information received on behalf of Clients based or servicing primarily the European Economic Area countries are processed on servers based in Europe. Your Personal Information, if stored, may also be transferred to locations outside Europe from vendors or Trusted Sources we use.

Prove Identity, Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension to the EU-U.S. DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), as administered by the U.S. Department of Commerce and is committed to upholding the rights of EU, UK and Swiss Individuals.

‍

Prove Identity, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the Processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

‍

Prove Identity, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the Processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

‍

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

‍

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Prove Identity, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

‍

Where we transfer your Personal Information outside Europe, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. This can be done in a number of different ways, for instance:

• The country to which we send the Personal Information may be approved by the European Commission; or
• The recipient may have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

‍

In other circumstances, the law may permit us to otherwise transfer your Personal Information outside Europe. In all cases, however, any transfer of your Personal Information will be compliant with applicable data protection law.

‍

In the event your Personal Information is transferred to a third-party under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Prove Identity, Inc. shall remain liable if a third-party acting as an agent on our behalf processes your Personal Information in a manner that is inconsistent with the DPF Principles, unless we are able to prove that we are not responsible for the event giving rise to the damage.

‍

You can request more details of the protection given to your Personal Information when it is transferred outside Europe (including a sample copy of the model contractual clauses) by using the details set out below in the “Contacting Us” section.

‍

If you are an EU, UK or Swiss individual, please see the “Your Rights under European Data Protection Laws” section below for more information about the rights available to you.

‍

‍

11. YOUR US STATE PRIVACY RIGHTS

Several US states have enacted comprehensive privacy laws that grant you certain rights in relation to our Processing of your Personal Information. These laws include:

• The California Consumer Privacy Act (effective January 1, 2020), as amended by the California Privacy Rights Act (effective January 1, 2023).
• The Colorado Privacy Act (effective July 1, 2023).
• The Connecticut Personal Data Privacy and Online Monitoring Act (effective July 1, 2023).
• The Indiana Consumer Data Protection Act (effective January 1, 2026).
• The Iowa Consumer Data Protection Act (effective January 1, 2025).
• The Montana Consumer Data Privacy Act (effective October 1, 2024).
• The Oregon Consumer Privacy Act (effective July 1, 2024).
• The Tennessee Information Protection Act (effective July 1, 2025).
• The Texas Data Privacy and Security Act (effective July 1, 2024).
• The Utah Consumer Privacy Act (effective December 31, 2023).
• The Virginia Consumer Data Protection Act (effective January 1, 2023).

‍

Prove Identity, Inc. complies with all US state privacy laws currently in effect and continually monitors ongoing developments.

‍

If you wish to exercise any of these rights, please contact us as set out in Section 14 (Contacting Us) of this Policy.
‍

‍

12. YOUR RIGHTS UNDER EUROPEAN DATA PROTECTION LAWS

‍

Under European Data Protection Laws, Prove Identity, Inc. may be considered a controller and/or a processor depending on the nature of the transaction.

Legal Basis for Processing under GDPR: Under European Data Protection Laws, Prove Identity, Inc. may process your personal data (as defined under applicable laws) if necessary:

• For the performance of any contractual relationship we have with you; 

• For compliance with any legal obligation; and
• For the purposes of Prove Identity, Inc.’s, our Client’s, or Trusted Sources’ legitimate interests in connection with providing our Solutions or with respect to our Sites, including:

1.   user registration/authentication and providing client services;
2.   to contact you and respond to your requests and enquiries;
3.   for business administration, including statistical analysis; 
4.   to provide the Sites as well as our Solutions; 
5.   for fraud prevention and detection; and
6.   to comply with applicable laws, regulations, or codes of practices.

Prove Identity, Inc. may also process personal data on the basis of your freely given, specific, informed, and unambiguous consent. You are legally entitled to withdraw your consent at any time. If you do this and we have no alternative legal basis for processing your personal data, this may affect our ability to provide you with rights to use the Sites as well as our Solutions.

We may store personal data for as long as necessary to fulfill the purposes for which we process the data, except if required otherwise by law.

Special Categories of Data:  Certain Prove Identity, Inc. Solutions may collect, store, process, and transmit biometric data (e.g., data related to human gait) to the extent legally permitted under European Data Protection Laws for the provision of such Solutions.

Prove Identity, Inc. does not directly or intentionally collect, store, process, and transmit any of the other following special categories of personal data as defined by European Data Protection Laws:

• Racial or ethnic origin
• Political opinions
• Religious, philosophical beliefs, or other beliefs of a similar nature
• Trade union membership
• Physical or mental health or condition
• Sex life and sexual orientation
• Genetic data
• Data on criminal convictions

Specific Rights under European Data Protection Laws: If European Data Protection Laws, including but not limited to the UK GDPR, the EU GDPR and the Swiss Data Protection Act, are applicable to you, you may have the following rights in respect of your personal data that we hold:

1. Right to object. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. YOU CAN OBJECT TO MARKETING ACTIVITIES FOR ANY REASON WHATSOEVER.

2. Right of access. The right to obtain access to your personal data in a common machine-readable format. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.

3. Right to rectification. The right to obtain rectification of your personal data without undue delay where that personal data is inaccurate or incomplete.

4. Right to erasure. The right to obtain the erasure of your personal data without undue delay in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.

5. Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal data in certain circumstances, such as where the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of that personal data.

6. Right to portability. The right to portability allows you to move, copy or transfer personal data easily from one organization to another. 

Additionally, you have the right not to be subject to a decision based solely on automated processing, including profiling. Our Solutions are not used by our Clients to determine credit worthiness. Our Solutions are used to assess the probability of you being the person you’re claiming to be and help avoid fraudulent activities. If you interact with our Solutions through one or more of our Clients, please contact that Client directly in order to understand how they use our Solutions within their current processes, contest any decisions they have made based on our processing, and/or verify your identity.

In the instances where we control your data and you wish to exercise any of these rights, you may contact us in writing at the address below or via email at privacy@prove.com at any time, or by using the “Exercise Your Rights” link at the bottom of our website. We will comply with applicable laws, but may not be able to honor your request in all circumstances. 

You also have the right to lodge a complaint to your local data protection authority. Further information about how to contact your local data protection authority is available at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Under the EU-U.S. DPF, the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF, you also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanism, provided that you have invoked binding arbitration by delivering notice to us and following the procedures and subject to the conditions set forth in Annex I.

Consequences of Non-Compliance: The GDPR states that penalties for non-compliance with the GDPR must be effective, proportionate, and dissuasive for each individual case. Prove Identity, Inc. understands that GDPR-related fines can be up to 10 million euros or up to 2% of our entire global turnover of the preceding fiscal year, whichever is higher.

Inquiries and Complaints: In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Prove Identity, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal data.  EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact us as set out in Section 14 (Contacting Us) of this Policy.

Enforcement: The Federal Trade Commission has jurisdiction over Prove Identity, Inc.’s compliance the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

‍

‍

13. OTHER GLOBAL PRIVACY LAWS

Many other countries have enacted comprehensive privacy laws that grant you similar rights in relation to how we Process your Personal Information.

Prove Identity, Inc. complies with all applicable legal requirements in a similar manner as required by local law (e.g., data processing agreements, transfer mechanisms, data protection officer requirements, etc.).

If you wish to exercise any of these rights, please contact us as set out in Section 14 (Contacting Us) of this Policy.

‍

‍

14. CHANGES TO OUR PRIVACY POLICY

We reserve the right to change this Policy from time to time in our sole discretion.  Since we may modify this Policy from time to time, we recommend that you check the current version of this Policy periodically.  If we make any modifications to this Policy, we will update the “Effective Date” at the top.  By continuing to use the Sites and Solutions or providing us with information after we have posted any updates to this Policy, you consent to the revised Policy and practices described in it.  

To access this policy, please visit https://www.prove.com/legal/overview#Privacy-Policy.

‍

14. CONTACTING US

If you have any questions, comments, requests, or concerns regarding this Policy, or if you wish to file a complaint, please email us at privacy@prove.com, call us using our toll-free number at 888-315-8780, or use the “Exercise Your Rights” link at the bottom of our website. You can also contact Prove Identity, Inc.’s Data Protection Officer by writing to:

Prove Identity, Inc.

Attn: Prove Legal & Compliance Department 

245 5th Avenue, 20th Floor

New York, NY 10016

‍

Updated October 31, 2024

‍

Prove is committed to protecting the privacy rights of consumers. When you digitally interact with companies that are also Prove’s business clients, Prove may be leveraged by those companies to verify your identity and help prevent fraud using your personal information, such as your full name, residential address, email address, mobile telephone number, date of birth, or Social Security Number. Our business clients are responsible for obtaining your consent for and/or giving you legal notice about this processing of your personal information.

Prove uses real-time, secure Application Programming Interface (API) calls to process and protect the personal information transmitted to us from third parties (e.g., our business clients and data partners) as part of our user authentication and identity verification processes. For most of Prove's products and services, Prove does not retain the personal information transmitted to us in real-time by our business clients, but we may retain certain personal data elements from other sources (including consumers directlto help empower our fraud algorithms.

• If you are a resident of the European Union (EU) or the United Kingdom (UK), you may have certain rights under the General Data Protection Regulation (“GDPR”) or the UK GDPR to ask Prove to (among other things) rectify inaccurate personal data, erase your personal data, or restrict its processing. Prove will honor these consumer privacy rights, where applicable, as well as similar rights often available for residents of other non-EU countries with data protection and privacy frameworks.
• If you are a resident of California, Colorado, Connecticut, Nevada, Utah, Virginia or other jurisdictions in the United States (US), you may be entitled to various consumer privacy rights, such as the right to opt out from having your personal information shared or used.

Prove will not discriminate against you for exercising your consumer privacy rights. However, before submitting a request to Prove directly, we highly recommend that you first contact the third party company you interacted with (e.g., via their website or mobile app) that uses our services. If you come to us first, we may not be able to fully respond to the request without knowing the identity of the third party company given that we may not store the personal information transmitted to us in real-time from our business clients.

If Prove, on its own or in collaboration with any third party company you’ve interacted with that shared your personal information with us, is able to successfully address your consumer privacy request (e.g., delete your personal information), please be aware that your personal information may be processed by Prove again in the future if/when you interact with the same company or a different company that is also a Prove business client and re-accept terms that include this type of processing (i.e., you opt-in or consent to processing your data for fraud-related purposes).

Please also note that in addition to helping protect you against fraud, Prove’s services make it easier and more convenient for you to interact with companies online and when you dial into call centers. For example, instead of having to answer cumbersome security questions or type in pin codes or passcodes (which can be easily intercepted by fraudsters), Prove’s services allow you to be quickly and securely authenticated, enabling you to complete business online and in call centers in a more expeditious manner. By opting out of Prove services, you may lose access to these time-saving and secure benefits.

To exercise your privacy rights, please fill out this form. Once the form has been completed, a member of Prove’s Global Privacy team will begin the process of reviewing your submission and contact you with further details.

Version 1.1 - Effective March 8, 2023

‍

These General Terms and Conditions (“Agreement”) set forth the relationship between Prove Identity, Inc., a Delaware corporation with its principal offices at 245 Fifth Avenue, 20th Floor, New York, NY 10016 ("Prove”) and the individual party listed on the Portal account that is acknowledging this Agreement ("Developer") on behalf of its employer and/or another bonafide legal entity listed on the Portal account (“Client”).

By accepting this Agreement or accessing Prove’s Portal and/or Solutions, Developer certifies that it has all necessary rights to agree to the terms of this Agreement, including on behalf of Client. Furthermore, Developer represents and warrants that: (i) it has full legal authority to select a Plan and bind Client to the terms of this Agreement; (ii) Developer has read and understands the legal requirements and restrictions outlined in this Agreement; and (iii) Developer agrees to the terms of this Agreement on behalf of Client. 

If Developer does not have the legal authority to bind Client to the terms of this Agreement, Developer shall not accept this Agreement or access the features covered by this Agreement.

This Agreement is effective as of the date of Developer’s acknowledgement and, as of that date, Client is considered a party of this Agreement. Prove may update or change the terms of this Agreement at any time at our discretion. If Prove makes any changes deemed to be material in its sole discretion, we will make a reasonable effort to inform you of such change. If you object to a change, your exclusive remedy is to cease any and all access and use of the Portal and Solutions.

1. DEFINITIONS

“Affiliate” means for any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity. 

"Confidential Information" means any confidential and/or proprietary information or data, in any form, format or media, disclosed by, or accessed or obtained from Disclosing Party (and any notes, summaries, memoranda or other derivatives prepared by the Receiving Party to the extent that they reflect or reveal such confidential and/or proprietary information or data, whether or not such confidential and/or proprietary information or data is marked as “confidential,” including, without limitation, (i) information or data that concerns the management, business affairs, relationships, operations, business plans, strategies, forecasts, projects, analyses, pricing, marketing, sales or financials of the Disclosing Party or its customers or vendors; (ii) information or data that concerns the Disclosing Party’s products, services, developments, product concepts, technical and/or platform interfaces, or software (including source and object code); (iii) information or data that concerns the Disclosing Party’s methodologies, techniques, designs, drawings, processes procedures, inventions, know-how, pending patents, or Trade Secrets; (iv) any Response Data or Personal Information obtained by either party as a result of this Agreement; (iv) any information or data the Disclosing Party may designate as being confidential, either orally or in writing; (v) any other information or data which, in the normal course of business, would be considered of a confidential nature; and (vi) any copies of the foregoing.

“Control” means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities (or other ownership interest), by contract or otherwise.

“Documentation” means the online help files and all other documentation and materials including SDKs (in any format or medium) relating to use of the Solutions and made available by Prove and all modifications to such files, documents or materials as may be updated from time to time.

“Intellectual Property Rights” means any and all intellectual property rights and proprietary rights throughout the world and protected under any applicable laws, rules and regulations, whether existing under intellectual property, unfair competition or trade secret laws, or under statute or at common law or equity, including but not limited to: (a) copyrights, trade secrets, trademarks, service marks, trade names, patents, inventions, invention disclosures, know-how, proprietary data and databases, methods, techniques, works of authorship, computer software, systems, change documentation, interfaces, Marks, designs, logos and trade dress, “moral rights,” mask works, rights of personality, publicity or privacy, and any other intellectual property and proprietary rights; and (b) any registration, application or right to apply for any of the rights referred to in this clause, including, any pending registrations or applications; and (c) any and all renewals, extensions and restorations thereof, now or hereafter in force and effect.  Furthermore, if alternatively reasonable approaches and/or modifications to methodologies, techniques, design details, drawings, processes and procedures, inventions, know-how, pending patents, information disclosures, and/or other intellectual and/or proprietary property is/are reasonably likely to occur to one of ordinary skill in the relevant art, Intellectual Property Rights includes all those alternatively reasonable approaches and/or modifications unless otherwise expressly indicated.

“Marks” means all trademarks, service marks, trade names and logos and other proprietary designations identifying Prove and its products or services.

“Network” means the servers and other equipment on which Prove hosts Solutions.

“Personnel” means a party’s employees and contractors, and a party’s vendor’s employees and contractors.

“Plan” means the pay-as-you-go per Transaction model for the Solutions published on the Portal.

“Portal” means the webpage where the Developer may access all necessary information related to the Plan, the Documentation and the Solutions on behalf of Client.

“Processing” with reference to Personal Information includes collection, use, analysis, modification, deletion, sale, storage, sharing or transfer of such Personal Information.

"Personal Information" means, in any form, format or media, (i) any information that either alone, or in combination with other data, can be used to identify an individual, including, without limitation, the individual’s name, address, phone number, social security number or other government-issued number, financial account number, date of birth, address, biometric data (including gait analysis), mother’s maiden name, or other personal information; (ii) any information or data that is personally identifiable as defined under other applicable privacy and data protection laws.

“Representatives” means a party’s directors, officers, Affiliates, contractors, consultants, employees, advisors, agents, and any other representatives including legal counsel, accountants, and financial advisors.

“Response Data” means, any information Prove provides to Client and/or Developer in connection with Developer’s or Client’s use of the Solutions with the exception of any information that was initially provided by or on behalf of Client and/or Developer to Prove. Response Data is Prove Confidential Information.

“Security Breach” means (i) any act or omission that compromises the security, confidentiality, availability, and/or integrity of any data or information provided under this Agreement or the physical, technical, administrative or organizational safeguards put in place by Client and/or Developer that relate to the protection of the security, confidentiality or integrity of such data or information provided under this Agreement, or (ii) receipt of a complaint in relation to the privacy, security or data protection practices of Client and/or Developer or a breach or alleged breach of this Agreement relating to Client and/or Developer’s privacy, security and/or data protection practices.

“Solutions” means collectively (i) the access Prove provides Developer on behalf of Client to use the Solutions through the Network, which may include access via Graphical User Interfaces (“GUIs”) and portals and/or platforms; (ii) authentication solutions that interoperate with Client’s internal systems in order to provide user authentication for a mobile device application, website or other online service; (iii) the Solutions including data elements and Response Data, ; and (iv) the Documentation.. 

“Trade Secret” means information, without regard to form, including, but not limited to a formula, pattern, compilation, program, device, method, technique, process or product plans or product information that derives independent economic value, actual or potential, from not being generally known to or readily ascertainable through appropriate means by other persons who might obtain economic value from its disclosure or use; and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and is information that is considered a Trade Secret under applicable law.

“Transaction” means every inquiry Developer, on behalf of Client, sends to Prove for validation.

‍2. APPOINTMENT AND GRANT OF LICENSE‍

2.1 License.

2.1.1 Grant.  Subject to Developer’s continued compliance with all the terms of this Agreement (including all Exhibits attached hereto), Prove hereby grants Client a non-sublicensable, non-transferable, non-exclusive, revocable, restricted license during the Term to (i) access and use the Solutions, including all enhancements, updates and modifications, for Developer’s internal use on behalf of Client, in strict accordance with this Agreement. In no event will Client or Developer reproduce, modify, sell, sublicense or otherwise distribute the Solutions as a standalone product or service.

2.1.2 Source Code.  No rights are granted to Developer or Client with respect to source code of any component of the Solutions.  For clarity, sample code provided as illustrative examples is provided solely as part of the Documentation and is not itself a component of the Solutions.

2.2 License Restrictions.  Except as otherwise permitted under this Agreement, Client will not, and will not permit Developer or any third party to: 

(i) share, transfer, resell, bundle, rent, distribute, sublicense, or otherwise make the Solutions or Response Data available except as expressly set forth herein and subject to all the controls and protections set forth herein;

(ii) use the Portal or Solutions to send or store infringing or unlawful material;

(iii) send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs via the Portal or Solutions;

(iv) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Portal or Solutions or the data contained therein;

(v) adapt, modify, translate, copy, disassemble, decompile, reverse engineer, create derivative works of or make any other attempt by any means to discover or obtain the source code or other proprietary information or Response Data;

(vi) access the Portal or Solutions for the purpose of building a competitive product or service or copying its features or user interface for the purpose of reducing the number of transactions under this Agreement;

(vii) use the Portal or Solutions or permit them to be used, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without Prove’s prior written consent;

(viii) use the Response Data for marketing purpose;

(ix) maintain or create any table or database of any kind based on the Response Data for the purpose of avoiding subsequent billable API calls or other service requests to Prove or

(x) use the Portal or Solutions in any way that would violate any applicable federal, state, and local law, court order or regulation.

2.3 Right to Modify Portal or Solutions. Prove may, from time to time in its sole discretion, modify or enhance the Portal, Solutions and/or the Documentation and any such modifications or enhancements provided to Developer hereunder are deemed part of the Portal, Solutions and/or Documentation, as applicable.

2.4 Suspension.  Prove, in its sole discretion, may immediately suspend Developer’s and Client’s right to access and use some or all of the Portal, Solutions, or Response Data if it believes that Client, or Developer on behalf of Client, has i) used the Portal, Solutions or Response Data in an illegal manner, ii) if Developer breaches Sections 6.1 and 6.2 of this Agreement, iii) if Prove reasonably believes that Developer’s or Client’s use of the Solutions is in violation of the license restrictions set forth in Section 2.1 or 2.2 above or iv) if Client has suffered a Security Breach.

2.5 Reporting by Prove.  Developer, on behalf of Client, authorizes Prove to collect, store, host, access, use, reproduce and modify, during and after the Term, any and all data, inputs, responses and other information concerning Client and Developer’s use of the Solutions (i) bill Developer for its use of the Solutions (ii) prepare reports for Prove’s internal use, (iii) verify Developer’s compliance with the terms of this Agreement, (iv) perform or enforce its obligations under this Agreement, and (v) conduct data and usage analytics, parsing routes, data modeling and other analyses as deemed necessary by Prove to test, evaluate, develop and enhance Prove’s Solutions, including the creation and management of consumer-based, tokenized digital identities (with the legal consent of each individual consumer which may be collected by Prove directly through the Solutions).  In addition, Prove may provide such data, inputs and information on a confidential basis to its technology partners and Affiliates for the purposes described in this Section 2.5.

2.6 Automated Services. Prove may from time to time provide Developer and/or Client with access to a chatbot, artificial intelligence search, or other automated service (“Automated Service”) that is not monitored or directly managed by a Prove employee. Prove has endeavored to ensure the accuracy and completeness of any information that Developer and/or Client may receive from an Automated Service, however Prove makes no warranties, express or implied, regarding the accuracy or completeness of any response Developer and/or Client receives, including any errors or omissions made by the Automated Service. Additionally, an Automated Service does not have any legal authority to bind Prove to any agreement (including financial terms or service levels) and any language put forward by an Automated Service purporting to bind Prove to any agreement shall be null and void.

3. ADDITIONAL DOCUMENTS

The following documents are hereby incorporated into this Agreement by reference: 

• Portal Service Level Agreement
• Trademark Guidelines

Prove may update any of the above referenced documents at any time by posting a new version and providing appropriate notice in the Portal.

‍

‍4. OBLIGATIONS OF CLIENT & DEVELOPER

4.1 Compliance with Certain Laws. 

(i) Personal Information. Developer understands that the Solutions may contain other sensitive information governed by certain laws regulating the Processing of Personal Information all of which Developer acknowledges and agrees to comply with on behalf of Client and to ensure that any third parties acting on behalf of Developer or Client also comply. This includes Client and Developer (on behalf of Client) agreeing to provide electronically Prove’s End User Terms & Conditions to each individual consumer each time they interact with Prove Solutions through Client’s online sites, products, and/or services in order for Prove to obtain and track consumers’ consent for their Processing of Personal Information.

4.2 Use of the Solutions.

(i) Developer’s use of Prove’s APIs, graphical user interfaces, platforms and other access solutions is limited to Developer’s access to and use on an authorized and credentialed basis.  Developer will not, nor will Client, sublicense any of Prove’s Solutions for use by a third party and any attempted sublicensing will be void.  

(ii) Storage of Response Data.  All Response Data retained by Developer and Client will at all times be maintained in accordance with the confidentiality and information security provisions of the Agreement. 

(iii) Liability for Response Data. Prove will have no liability with respect to claims arising from Developer’s interpretation or use of the Response Data or decisions and actions allegedly based upon such Response Data. 

4.3 No Representations.  Neither Developer or Client may make any representations, warranties or guarantees related to the Solutions unless authorized in advance in writing by Prove.

4.4 GLBA and DPPA Requirements. To the extent that Developer or Client receives Response Data that is Personal Information subject to the GLBA and/or the DPPA, and the regulations issued thereunder, Developer and Client acknowledge and agree that each will request, access and use such Solutions solely for the following specific use(s) listed below:

• As necessary to effect, administer, or enforce a transaction requested or authorized by the Consumer;
• To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
• For required institutional risk control, or for resolving consumer disputes or inquiries;
• For use solely in conjunction with a legal or beneficial interest held by Client relating to the Consumer;
• For use solely in Client’s fiduciary or representative capacity on behalf of, and with the implied or express consent of, the Consumer;
• To the extent specifically permitted or required under applicable laws other than the GLBA, and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, to self-regulatory organizations, or for an investigation on a matter related to public safety; and/or,
• To comply with applicable federal, state, or local laws, rules, and other applicable legal requirements.

4.5 FCRA Prohibition. 

• In relation to Consumers based in the United States, the Client shall not use the Solutions or Response Data to: (i) create a consumer report as defined under 15 USC §1681a (“Consumer Report”) or for use by a consumer reporting agency for the purpose of creating a Consumer Report; or (ii) for any other purpose to the extent it would cause Prove to be subject to the Fair Credit Reporting Act (“FCRA”) or any similar laws or regulations, or (iii) for any other FCRA permissible purposes;
• Client acknowledges that Prove is a solutions provider and that its performance of its obligations under this Agreement does not fall within the scope of the FCRA.  Client undertakes not to provide Prove with Consumer Report data or take any other action which may bring Prove within the scope of the FCRA.  If, despite the above, Client’s interactions with Prove become subject to the FCRA, Client acknowledges that Prove will act as agent on Client’s behalf for the purposes of the FCRA.

4.6 TCPA Prohibition. Client will not use the Solutions to transmit any marketing communications or any communication that would violate any applicable federal, state, and local law, court order or regulation, including but not limited to the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”), the rules governing the Do Not Call Registry, currently found at http://www.donotcall.gov, the CAN-SPAM Act, and any other applicable marketing rules in the United States.

4.7   Privacy Requirements. In performing its obligations and exercising its rights under this Agreement, Client will comply with its obligations as a data controller under the applicable data protection and privacy laws. Developer and Client represent that one or both has or will provide notice and consent to its Consumers where legally required under applicable privacy laws including but not limited to the California Consumer Privacy Act (“CCPA”) and all other state data protection, privacy, and consumer protections laws in order to receive the Prove Solution. Client will retain such records of notice, and consent where it is legally required, for the duration of this Agreement, plus an additional year unless otherwise required by law. 

4.8 Security Requirements. 

4.8.1     Securing Personal Information. Client shall treat all Personal Information, as defined in the applicable Agreement, as sensitive and confidential. This includes, but is not limited to securing sensitive files, managing data access, securely disposing of data and paper records and managing devices. Unless otherwise permitted in the Agreement, Client shall not share or distribute Personal Information with any third party organization or person(s) without the express, written consent of Prove’s Legal Department, CFO, or CEO.

4.8.2 Personnel Security. For all Client Personnel who have access to Personal Information, Client shall: (i) Perform background checks that include, at a minimum, national criminal record checks going back seven (7) years, as well as legal identity verification and authentication (e.g., SSN verification); (ii) Require such Personnel to sign an agreement to maintain the confidentiality of such Personal information; (iii) Require such Personnel to be trained on acceptable use of systems, their obligations regarding privacy and data protection laws and their role in the prevention, detection and reporting of security incidents in addition to complying with all other Client security policies; and (iv) Communicate to such employees the relevant aspects of the Information Security Program, including the procedures and penalties for non-compliance. Additionally, Client shall implement a process to terminate access to Personal Information within twenty-four (24) hours upon the termination of Client Personnel.

4.8.3 Information Security Program. Client shall have implemented a documented information security program, policy and standards, and procedures (the “Information Security Program”) that is approved by senior management, meets industry best practices, and complies with all applicable regulatory requirements. Client shall internally review the Information Security Program, and all documentation supporting it, at least annually and revise in accordance with changes in industry best practices and/or applicable regulatory requirements. Client shall hire an accredited third party to review its Information Security Program at least annually in order to provide sufficient assurance documentation to Prove upon request or as part of an annual assessment (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

4.8.4 Access Controls. All access to Personal Information by Client shall be limited by business need and using the principle of least privilege. All access and actions on Client systems must be attributable to a named individual or a machine process account. Client shall enforce segregation of duties for all development, test, and production environments.  

4.8.5 Data Storage and Transmission. All Client systems used to process, transmit, store Personal Information must use strong cryptography controls: a minimum of Transport Layer Security (“TLS”) 1.2 for data in transit and at least 256-bit encryption for data at rest. Client shall use Secure File Transfer Protocols (“SFTP”) or another equally secure method/ channel when Personal Information is being transferred externally to/from Client. All Personal Information must be encrypted using TLS 1.2 or higher when in transit. If Personal Information is required to be stored on portable storage media or laptop, Client shall ensure that such Personal Information is encrypted with strong cryptography controls (at least 256 bit) and uncompromised technology.

4.8.6 Security Testing and Monitoring. Client shall implement and maintain security configurations, patch management, vulnerability management, and security tooling in line with industry best practices. Client shall test all web applications Processing, transmitting, or storing Personal Information against Open Web Application Security Project (“OWASP”) Top ten (10) web application security risks prior to going live and on a regular basis.  Client shall conduct regular penetration testing of internal and external systems that process, transmit, or store Personal Information. Upon written request, Client shall provide Prove with the results of such testing, including summary reports, test details and dates, and information on the progress of remediation related to any findings.   

4.8.7 Physical Security. Client shall implement and maintain a clearly defined and documented physical security policy supported by standards that meet industry best practices.

4.8.8 Data Destruction. On expiry or termination of this Agreement, Client shall promptly (and in no case longer than 30 days) and permanently delete all Personal Information, and direct any applicable subcontractor to do the same, unless otherwise approved expressly in writing by Prove’s Legal Department, CFO, or CEO. Where Personal Information is required to be retained by Client under applicable laws, this must be notified to Prove prior to the expiry or termination of this agreement with justification provided for its continued retention and anticipated timescales defined for its eventual destruction.

4.8.9 Security Incidents. Client shall document and maintain an Incident Response Plan (“IRP”) that is sufficient to comply with applicable data privacy laws. At a minimum, the IRP plan should be tested annually.    Client shall document any security event impacting the confidentiality, integrity, or availability of Personal Information (“Security Incident”), including the root cause(s), analysis, and remediation. Client must immediately notify Prove after Client’s discovery of any actual or suspected Security Incident, unauthorized disclosure of Response Data or breach of this Agreement by sending an email to incident@prove.com, privacy@prove.com, and legal@prove.com and to the contract notice addressee set forth in Section 13.7 (Notices) of the Agreement by the means set forth therein.  Client must provide Prove the following information to the extent such information is known at the time: (i) the nature, root cause and impact of the breach or disclosure; (ii) Client’s assessment of immediate risk due to the breach; (iii) corrective actions already taken; (iv) corrective measures to be taken; and (v) notifications made and to be made to regulatory authorities, customers, and consumers.  Client must take all reasonable actions to mitigate the effects of such Security Incident or disclosure, including all necessary actions to recover the affected Response Data, and will reasonably cooperate with Prove in connection therewith.  Client will not, without the prior written consent of Prove or unless required by law, reference Prove in any notification regarding unauthorized access or disclosure that affects Consumers (a “Breach Notice”).  This section is subject to the requirements of state, federal, and local country laws or regulations, including but not limited to any obligation to provide prior notice to law enforcement.

4.8.10 Audit Rights. Client agrees to allow Prove to audit compliance with this Exbibit on a regular basis, but no more once than annually, for at least the length of the engagement (“Annual Reviews”). This may include, as determined by Prove, access to or copies of documentation related to Client’s Information Security Program, including but not limited to Client’s information security policies and procedures, as well as any recent external, third party assurance documentation (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

‍

5 OBLIGATIONS OF PROVE

5.1 Provisioning and Onboarding Service.  Provided that Prove has received all fees due under this Agreement from Developer, Prove will provide the Solutions ordered by Developer on behalf of Client in accordance with information received from Developer and the terms and conditions of this Agreement. 

5.2 Technical Support.  Prove is responsible for providing technical support for the Portal and Solutions to Developer and Client as described in the Portal Service Level Agreement.  Prove will not have any support obligations with respect to errors caused by the combination, operation or use of the Solutions with any product not furnished by Prove if such errors would not have resulted from the unmodified, stand-alone Solutions. 

This Data Processing Agreement(“DPA”) is entered into by and between Prove Identity, Inc., a Delaware corporation with its principal offices at 245 Fifth Avenue, 20th Floor, New York, NY 10016 and its Affiliates (collectively “Prove”) and the counterparty listed in the signature block below (“Vendor”).

WHEREAS, Prove and Vendor have entered into one or more agreements (any such agreement individually or collectively referred to as the “Master Agreement”) that may require the processing of personal data as described therein.

WHEREAS, this DPA sets out the additional terms, requirements, and conditions on which the parties will obtain, handle, process, disclose, transfer, or store personal data when providing services under the Master Agreement.

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1.      DEFINITIONS AND INTERPRETATION

1.1  Definitions

“Affiliates” means for any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity.

“Confidential Information” has the same meaning ascribed to it as in the applicable Master Agreement.

“Consumer” means a customer of Prove that is a consumer.

“Control” means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity whether through the ownership of voting securities (or other ownership interest), by contract or otherwise.

“Data Subject” means an individual who is the subject of the Personal Data and to whom or about the Personal Data relates, directly or indirectly. For the avoidance of doubt, this definition is intended to cover substantially similar terms under applicable Privacy and Data Protection Laws.

“EEA” means the European Economic Area.

“Personal Data” means any information directly or indirectly linked or associated to a particular identified or identifiable natural person, including but not limited to, names, dates of birth, postal addresses, telephone numbers, electronic mail addresses, social security numbers, and credit card numbers. For the avoidance of doubt, this definition is intended to cover “personal information,” “personal data,” or substantially similar terms under applicable Privacy and Data Protection Laws.

“Privacy and Data Protection Laws” means all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Protection Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act, Virginia Consumer Data Protection Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), European General Data Protection Regulation (GDPR), UK GDPR, and Brazilian General Data Protection Law (LGPD).

“Restricted Transfer” means the receipt, disclosure, access, transfer, or storage of Personal Data to any person or entity located in:

           (i) any country outside the EEA (an “EEA Restricted Transfer”); and/or

          (ii) any country outside the UK (a “UK Restricted Transfer”),

that the applicable supervisory authority has not deemed to provide an adequate level of protection under Privacy and Data Protection Laws.

“Security Breach” means any act or omission that compromises the security, confidentiality, integrity, or availability of Services Personal Data or that compromises the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Services Personal Data is a Security Breach whether or not the incident arises to the level of a security breach under the Privacy and Data Protection Laws.

“Sensitive Personal Data” means categories of Personal Data including but not limited to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data used to uniquely identify a natural person, health data, and precise geolocation data. For the avoidance of doubt, this definition in intended to cover "sensitive data," "special categories of personal data," or substantially similar terms under applicable Privacy and Data Protection Laws.

“Services” means the services described in the Master Agreement or any other purposes specifically identified in Annex A. This includes “Solutions” as that term is defined in the Master Agreement (where applicable).

“Services Personal Data” means any Personal Data that Vendor:

(i) obtains, handles, processes, discloses, transfers, or stores on Prove’s behalf pursuant to or in connection with the Services (“Prove Personal Data”); and/or

(ii) transmits to Prove pursuant to or in connection with the Services.

For the avoidance of doubt, Services Personal Data (including Prove Personal Data) is Confidential Information.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission (available here). Where applicable, the SCCs may be varied by the UK Transfer Addendum (available here).

“UK” means the United Kingdom of Great Britain and Northern Ireland.

1.2       This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Terms not defined in this DPA have the same meaning as the corresponding terms in the Master Agreement.

1.3       The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

2.     PERSONAL DATA TYPES AND PROCESSING PURPOSES

2.1       Prove and Vendor acknowledge that for the purpose of complying with any applicable Privacy and Data Protection Laws:

(i) Prove is the controller and Vendor is the processor with respect to any Prove Personal Data; and

(ii) Prove and Vendor are joint controllers with respect to any Services Personal Data.

2.2       The party acting as controller with respect to Services Personal Data retains control of such data and remains responsible for its compliance obligations under any applicable Privacy and Data Protection Laws, including providing any required notices and obtaining any required consents, and for processing instructions it gives to the party acting as processor.

2.3       Annex A provides general information regarding processing of Services Personal Data in accordance with this DPA and the Privacy and Data Protection Laws.

3.      PROCESSING OBLIGATIONS

3.1       Each party shall only process Services Personal Data to the extent, and in such a manner, as is necessary to perform the Services in accordance with the other party’s written instructions. The parties will not process Services Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Laws.

3.2       Each party must promptly comply with any request or instruction from the other party to amend, transfer, or delete the Services Personal Data, or to stop, mitigate, or remedy any unauthorized processing.

3.3       Each party shall maintain the confidentiality of all Services Personal Data and shall not disclose Services Personal Data to third parties unless the other party or this DPA specifically authorizes the disclosure or as required by law. If a law requires any party to process or disclose Service Personal Data, such party must first inform the other party of the legal requirement and give that party an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4       The parties shall reasonably assist one another with meeting any compliance obligations under the Privacy and Data Protection Laws, while also considering the nature of the processing and the information available. For the avoidance of doubt, Prove is not responsible for completing Vendor’s privacy impact assessments, data protection impact assessments, transfer impact assessments, or similar requirements; Prove will only provide information or evidence needed to support these compliance activities if it is not already provided in this DPA or otherwise available to Vendor.

4.      EMPLOYEE ACCESS TO PERSONAL DATA

4.1       Parties shall limit any Personal Data access based on the principle of least privilege and to:

(i) those employees who require Personal Data access to meet the applicable party’s obligations under the Master Agreement; and

(ii) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.

4.2       Parties shall ensure that all employees who have access to Personal Data:

(i) are informed of the Personal Data's confidential nature and use restrictions and are obliged to keep such date confidential.

(ii) have undertaken training on the Privacy and Data Protection Laws relating to the handling of Personal Data and how it applies to their particular duties; and

(iii) are aware of the applicable party’s duties and employee’s personal duties and obligations under the Privacy and Data Protection Laws and this DPA.

4.3       Each party’s employees and contractors (“Personnel”) who have access to Personal Data shall:

(i) perform background checks that include, at a minimum, national criminal record checks going back seven (7) years, as well as legal identity verification and authorization (e.g., National ID verification);

(ii) require Personnel to sign an agreement to maintain the confidentiality of such Personal Data; and

(iii) require Personnel to be trained on acceptable use of systems, their obligations regarding privacy and data protection laws, and applicable information security policies.

5.      SECURITY

5.1       Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall implement appropriate physical, administrative, technical, and organizational measures to ensure a level of security appropriate to the risk of the processing of Personal Data. These measures shall include, at a minimum, the vendor data protection standards set out in Annex D.

5.2       Each party shall immediately notify the other party if it becomes aware of any advance in technology and methods of working which indicate that the parties should adjust their security measures.

5.3       Each party shall take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss, including but not limited to establishing effective back-up and data restoration procedures.

6.      SECURITY INCIDENT NOTIFICATION AND MANAGEMENT

6.1       Each party shall document and maintain an Incident Response Plan (“IRP”) which shall be updated and tested at least annually. The IRP shall require that each party document any Security Breach or security event impacting the confidentiality, integrity, or availability of Personal Data (collectively, “Security Incidents”). The documentation should contain the root cause(s) of the Security Incident, any analysis conducted internally and by an external forensics firm, and any current or future planned remediation activities.

6.2       Each party shall notify the other party of a Security Incident promptly, but in no event later than 72 hours, upon discovery of such Security Incident.

6.3       Immediately following any Security Incident, the parties will coordinate with each other to investigate the matter. For Security Breaches specifically, the parties will reasonably cooperate in their handling of the matter, including:

(i) assisting with any investigation;

(ii) facilitating interviews with employees, former employees, and others involved in the matter; and

(iii) making available all relevant records, logs, files, data reporting, and other materials required to comply with the Privacy and Data Protection Laws or as otherwise reasonably required by the non-breaching party.

6.4       For Security Incidents involving Prove Personal Data, Prove will determine:

(i) whether and how to provide notice to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation; and

           (ii)whether and to what extent to offer any type of remedy to affected Data Subjects.

6.5       For all other Security Incidents, Prove and Vendor will mutually determine:

(i) whether and how to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation; and

           (ii) whether and to what extent to offer any type of remedy to affected Data Subjects.

6.6       The party suffering any Security Breach or Security Incident shall cover all reasonable expenses associated with the performance of the obligations under Sections 6.3 to Section 6.5, unless the Security Breach arose from the other party's specific instructions, negligence, willful default, or breach of this DPA, in which case that party will cover all reasonable expenses.

7.      SUB-PROCESSORS

7.1       A list of third parties approved to process Prove Personal Data in connection with the provision of the Services (each a “Sub-processor”) can be provided.

7.2       The parties shall notify one another in writing of any intended change or addition to the Sub-processors and provide the opportunity to object to such change or addition within fourteen (14) days of notification. The party sending notification of any change or addition may cure an objection by:

           (i) cancelling its plans to use the Sub-processor with regard to Services Personal Data;

           (ii) offering an alternative to fulfill the Services without such Sub-Processor; or

           (iii) taking corrective action requested by the objecting party to obtain approval of such Sub-processor.

7.3       Each party shall ensure, and provided evidence upon request, that its Sub-processors:

(i) have entered into a written contract that contains terms that are substantially the same as those set out in this DPA and meet all applicable Privacy and Data Protection Laws; and

(ii) are not authorized to process Services Personal Data for any other purpose than the Services.

7.4       Where a Sub-processor fails to fulfill its obligations under such written contract, the party engaging such Sub-processor remains fully liable to the other party for the Sub-processor’s performance of its agreement obligations.    

8.      RESTRICTED TRANSFERS

8.1       No party shall not make (nor instruct or permit a Sub-processor to make) a Restricted Transfer of any Services Personal Data except with the other party’s prior written consent and in accordance with Section 8.2.

8.2       In order to comply with Privacy and Data Protection Laws, the parties agree to incorporate the applicable SCCs as set out in Annex C and take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations.

8.3       The terms of the applicable SCCs shall control to the extent there is any conflict between the applicable SCCs and this DPA.

8.4       If required by any supervisory authority or the applicable Privacy and Data Protection Laws relating to a Restricted Transfer, the parties shall upon request of either party execute or re-execute the applicable SCCs as separate documents if required.

9.      COMPLAINTS AND DATA SUBJECT RIGHTS REQUESTS

9.1       Each party must notify the other party promptly if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Privacy and Data Protection Laws.

9.2       Each party must notify the other party within three (3) business days after verifying the identity of a Data Subject of any request to access to their Personal Data or exercise one of the Data Subject’s personal data rights.

9.3       Each party shall reasonably cooperate and assist at their own expense in responding to any complaint, notice, communication, or Data Subject request.

9.4       Vendor shall not disclose Services Personal Data to any Data Subject or to another third party without Prove’s prior consent unless required to do so by law.

9.5       Prove shall not disclose Services Personal Data to any Data Subject or to another third party without Vendor’s prior consent unless required to do so by law.

10.   TERM AND TERMINATION

10.1      This DPA shall remain in full force and effect so long as:

           (i) the Master Agreement remains in effect; or

           (ii) Prove or Vendor as applicable retains any Personal Data related to the Master Agreement in its possession or control (the “Term”).

10.2      Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data shall remain in full force and effect.

10.3      Any party’s failure to comply with the terms of this DPA is a material breach of the Master Agreement. In such event, non-breaching party may terminate the Master Agreement effective immediately upon written notice to the counterparty without further liability or obligation.

10.4      If a change in applicable Privacy and Data Protection Laws prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements, unless the parties otherwise agree on an alternate remediation plan. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Laws within thirty (30) days, either party may terminate the Master Agreement upon written notice to the other party.

11.   DATA RETURN AND DESTRUCTION

11.1      At Prove’s request, Vendor shall promptly destroy or return to Prove all copies of, or access to, the Prove Personal Data in its possession or control, in the format and on the media reasonably specified.

11.2      On termination of the Master Agreement for any reason or expiry of its term, each party will promptly (and no later than 30 days) return or destroy all Confidential Information belonging to the other party unless retention of such data is necessary for reasonable archival, billing, legal, and regulatory compliance purposes. For the avoidance of doubt, retained Confidential Information shall not be used for any other purpose than for archival, billing, legal, and regulatory compliance.

11.3      If retention is necessary for archival, billing, legal, or regulatory compliance purposes as set out in Section 11.2 above, Vendor shall notify Prove in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

11.4      At Prove’s request, Vendor shall certify in writing that it has destroyed all Prove Personal Data as requested in Section 11.1 or 11.2.

12.   RECORDS

12.1      Vendor shall keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out on behalf of the controller, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (“Records of Processing”). The parties, when acting as controllers, shall also maintain adequate Records of Processing incompliance with applicable Data Protection & Privacy Laws.

12.2      The party acting as processor shall ensure that the Records of Processing are sufficient to enable the controller to verify the processor’s compliance with its obligations under this DPA.

13.   AUDIT & ASSURANCE

13.1      Each party shall periodically audit its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA.

13.2      Each party agrees to allow the other party to assess and verify compliance with this DPA on a regular basis, but no more once than annually, for at least the length of the engagement (“Annual Reviews”). This may include, as determined by the other party, access to or copies of documentation related to the Information Security Program, including but not limited to the information security policies and procedures, as well as any recent external, third party assurance documentation (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.), and the results of any security testing, including summary reports, test details and dates, and information on remediation related to any findings.

14.   WARRANTIES

14.1      The party acting as controller warrants and represents that it has:

(i) obtained all required consent(s) under applicable Privacy and Data Protection Laws to process Services Personal Data in order to receive the Services; and

(ii) provided all required privacy notice(s) under applicable Privacy and Data Protection Laws to process Services Personal Data in order to receive the Services.

14.2      Each party warrants and represents that:

(i) its employees, subcontractors, agents, and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Laws relating to the Personal Data;

(ii) it and anyone operating on its behalf will process the Personal Data in compliance with all applicable Privacy and Data Protection Laws and other laws, enactments, regulations, orders, standards, and other similar instruments;

(iii) it has no reason to believe that any Privacy and Data Protection Laws prevent it from providing any of the Services under the Master Agreement; and

(iv) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

(a) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage;

(b) the nature of the Personal Data protected; and

(c) comply with all applicable Privacy and Data Protection Laws, as well as its information and security policies, including the security requirements required in Section 5.

14.3      Each party warrants and represents that its expected use of any Personal Data as part of the Services complies with this DPA and all Privacy and Data Protection Laws.

15.   NOTICE

15.1      Any notice or other communication given to a party under or in connection with this DPA shall be in writing by email, certified mail, hand delivery, or delivery by a reputable next business day carrier service delivered to:

For Prove:

Prove Identity, Inc.
245 Fifth Avenue, 20^th Floor
New York, NY 10016
Attn: Chief Compliance Officer
compliance@prove.com

15.2      Section 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

16.   CONFIDENTIALITY

16.1      Each party shall treat Personal Data as Confidential Information. Each party shall ensure that its personnel and Sub-processors are subject to confidentiality obligations as least as restrictive as in the Master Agreement and this DPA.

16.2      Such confidentiality obligations shall survive the termination of this engagement.

17.   MISCELLANEOUS

17.1      Neither party shall assign or transfer any rights or delegate any duties hereunder, in whole or in part, by operation of law or otherwise, without the other party’s express prior written consent, which will not be unreasonably withheld or delayed.

17.2      The terms of this DPA shall control to the extent there is any conflict between this DPA and the terms of the Master Agreement. Except as specifically amended and modified in writing by the parties, the terms and provisions of this DPA shall remain in full force and effect.

17.3      Without limiting the foregoing, the governing law clause and forum selection clause of the Master Agreement shall apply to any disputes arising out of this DPA.

‍

‍