Proof of Value's Data Processing Agreement (DPA)

Last update: May 10, 2024

This Data Processing Agreement ("DPA") is an integral and inseparable part of the Confidentiality Agreement or Non-Disclosure Agreement ("NDA") and is entered into between the parties referred to in the NDA to provide for the responsibilities and obligations of the Parties regarding the processing of personal data carried out for the performance of the Proof of Value (“PoV”) analyses, in accordance with the applicable privacy laws, especially provisions of the General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”), when applicable, and the following clauses:

1. Definitions 

1.1. Capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1. Authority: Any data protection authority or agency that is responsible for ensuring, implementing, and monitoring the enforcement of the applicable privacy laws.

1.1.2. CCPA: California Consumer Privacy Act. It will be applicable when processing Data of Data Subjects located in the United States (“US”) territory.

1.1.3. Client Platform: The application developed by the Client to be installed by the Client's User on a Mobile Device (the “Application”) or the Client's website through which its Users access its products and services (“Website”), whichever is applicable in accordance with the Solution.

1.1.4. Dashboard: This is a feature of the Incognia Platform through which the Client can send and receive files related to PoV analysis, as well as monitor SDK integration metrics.

1.1.5. Data Subject: natural person to whom the processed Personal Data refers. For the purposes of this DPA, the Data Subject is the User of the Client's Platform.

1.1.6. Device: This is the mobile communication device (cell phone, smartphone, etc.) or computer used by the Client User, where applicable.

1.1.7. GDPR: General Data Protection Regulation. For the purposes of this DPA, it will be applicable when processing Data of Data Subjects located out of the US territory.

1.1.8. Network Effect: an anti-fraud market practice consisting of the strategic consolidation of data in a common repository with the aim of improving and optimizing Risk Assessment. The collective knowledge extracted from the Network Effect aims to improve the effectiveness and accuracy of Risk Assessment, guaranteeing that no Data will be shared among clients or third parties.

1.1.9. Personal Data: data relating to the identified (Direct Identifiable Personal Data) or identifiable (Indirect Identifiable Personal Data) natural person, processed by Incognia on behalf of the Client, in connection with the Agreement. For the purposes of this DPA, it refers to Personal Data related to the Data Subjects. References to "Data" should be interpreted as Personal Data.

1.1.10. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.1.11. Proof of Value (PoV): This is a practical demonstration of the Incognia Solution through which real data from Client Users is collected and analyzed by Incognia to present possible results that would be achieved if the Solution were contracted by the Client. It involves investigating scenarios and use cases applicable to the Client's Platform.

1.1.12. PoV Analysis: These are the general analyses and risk assessments carried out on the Client's User Data. These analyses aim to demonstrate scenarios and support the proof of value of the Incognia Solution.

1.1.13. Software Development Kit (SDK): Means Incognia’s proprietary set of software development tools, including but not limited to software, ad tags, sample code, documentation, and/or base codes.

1.1.14. Solution: This is the use case applicable to the Client Platform. It refers to the purpose of using Incognia's technology and its respective functionalities to provide analyses to identify fraud risks in specific contexts identified during the PoV. 

1.1.15. Technical Documentation: These are the instructions, details and technical specifications of Incognia's technology consolidated in the Incognia Platform.

1.1.16. User: This is the natural person who uses the Client Platform, either through the Application installed on their Device or by accessing the Client Website. 

1.2. Any other capitalized terms mentioned in this DPA, such as "controller", "sensitive personal data", "processor", and "processing", must adhere to the meanings described in Section 4 of the GDPR, and their cognate terms must be interpreted accordingly.

2. Purpose and Compliance with Applicable Legislation

2.1. This DPA is applicable to the processing of Personal Data by Incognia on behalf of the Client for the execution of the PoV.

2.2. During the Data processing, the Client will act in the role of controller and Incognia will act as processor. 

2.3. The main purpose of the processing of Personal Data to be carried out by Incognia on behalf of the Client is to implement PoV-related tests consistent with the analysis of collected data and the presentation of risk results and statistics of identified suspicious behavior in order to demonstrate the potential of the Incognia Solution when implemented in production.

2.4. The Parties will comply with all applicable personal data protection laws and regulations in force in Europe and/or the United States on the date of signature of this DPA or that enter into force during its term, including, but not limited to, GDPR and CCPA, as well as all regulations and guidelines published by Authorities.

3. Processing of Personal Data

3.1. The Personal Data covered by this DPA will be collected by Incognia on behalf of the Client through the SDK integrated into the Client's Platform, as well as through Dashboard interactions.

3.2. In order to carry out the PoV and consequently carry out tests and demonstrations, Incognia will collect the following categories of Personal Data, in accordance with the Client’s Platform applicable to the Solution that is the subject of the PoV:

Client Platform - Application

| Category | Personal data collected through the SDK |
| --- | --- |
| Location | Location information such as GPS, Wi-Fi signals and Bluetooth signals. |
| Identifier | Information intended to uniquely identify the Device. This refers to IDs. |
| Device | Information related to the Device, operating system data, suspicious applications installed, operating system version, model and information aimed at uniquely identifying the Device and Device integrity levels. |
| Application | Information related to the use of the Application such as app session, installation data and information that allows integrity factors to be assessed. |

Client Platform - Website

| Category | Personal data collected through the SDK |
| --- | --- |
| Location | GPS-based location information |
| Identifier | ID information, such as account ID and session ID. |
| Device | Information related to the Device used for browsing, such as operating system data, connectivity, hardware and integrity levels. |
| Browser and network | Information related to the network and browser in which the Website is open, such as browser settings, permissions, plugins, connectivity information and language. |

3.3. The Client may share Personal Data, information, files and documents with Incognia through the Dashboard, for the purpose of requesting specific analyses as well as improving and customizing results reports and PoV analyses.

3.3.1. The results of the PoV Analysis will be presented to the Client at previously scheduled meetings and supported by presentation materials with information on the main results and statistics.

3.3.2. The detailed PoV Analysis can be made available to the Client for download via access to the Dashboard.

3.4. The Client shall not share with Incognia, via Dashboard, SDK or any other means, files or documents that contain sensitive Personal Data, Directly Identifiable Personal Data (such as non-hashed names and email addresses) of its Data Subjects or Data that is not necessary for the provision of the PoV.

3.4.1. If the Client transfers such Personal Data, the Client will be exclusively responsible for any damages and legal violations caused by the improper sharing of Personal Data, regardless of the measures to be adopted by Incognia to delete the Data.

3.4.2. The liability imposed in the previous clause also applies if the Client transfers to Incognia Personal Data through unauthorized platforms, such as email.

3.5. The Personal Data processing for the development of PoV results is based on the Network Effect, as well as algorithms and heuristics created from Incognia's expertise, which are subject to the modeling and metrics defined by the Client, when the services are actually contracted, respecting the applicable technical and legal limitations.

3.6. The results of the PoV Analyses to be presented by Incognia to the Client during the PoV period are intended solely and exclusively to demonstrate the value of Incognia's services, as well as to identify use cases. This PoV is not intended to provide the Client with subsidies for making decisions that impact the Data Subject, and it is certain that any decisions to be adopted by the Client arising from the results of the PoV Analyses and impacting the Data Subject will be their sole and exclusive responsibility.

3.6.1. Incognia's PoV Analysis is a statistical model based on mathematical formulas and heuristics created by Incognia, subject to the modeling and metrics being defined by the Client when the services are actually contracted, and therefore corresponds only to a probability of risk to demonstrate the viability and efficiency of the Solution in the Client's specific use case. Incognia has taken commercially reasonable steps to avoid bugs, glitches or defects in its technology, including but not limited to the SDK. However, the Client is aware of the impossibility of hardware and/or computer systems being totally free of errors, bugs or defects, so Incognia does not guarantee that the demonstration of the Solution will be error-free.

3.7. The Personal Data collected by Incognia during the PoV may be used to improve the algorithms of Incognia's technology in order to generate more assertive PoV Analyses for the Client. 

3.8. The Personal Data collected by Incognia will not be shared with the Client or with any unauthorized third parties, being encrypted and processed exclusively by Incognia to achieve the purposes determined by the Client, in accordance with the provisions of this DPA.

4. Obligations of Incognia

4.1. Incognia will process the Personal Data in accordance with the determinations and purposes defined by the Client and provided for in this DPA, limiting the decisions to those related to its expertise and necessary for PoV development.

4.2. Incognia undertakes to take reasonable measures to restrict access to Personal Data to its professionals who need to carry out the processing for the purposes of performing the PoV, ensuring that these employees have signed an undertaking and are subject to professional or statutory confidentiality obligations.

4.3. Incognia undertakes to implement security, technical and administrative measures capable of protecting Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or illicit processing.

4.4. In accordance with the applicable technical, legal and contractual boundaries, Incognia will assist the Client in providing information that is exclusively related to the processing of Personal Data subject to this DPA and is necessary to comply with applicable data protection laws.

5. Obligations of the Client

5.1. It is the sole responsibility of the Client to integrate the SDK in accordance with the Technical Documentation. The Client is aware and agrees that said integrations and updates are necessary for the successful performance of the PoV and the correct processing of the Personal Data arising therefrom.

5.2. The Client undertakes to act transparently towards Data Subjects and to make available in its privacy policies and/or notices information on the processing of Personal Data by service providers for the purposes of operationalizing its fraud prevention activities.

5.3. The Client is responsible for providing location permission texts that are transparent and appropriate to the Data Subject's profile, to be made available at appropriate times during their journey on the Client Application. 

5.4. The Client warrants that it has all the rights, permissions and legal bases required by applicable law to share with Incognia the Personal Data to be processed under the terms set out in this DPA.

5.5. The Client shall limit itself to providing Incognia with only lawful instructions regarding the processing of Personal Data and shall verify compliance with its own instructions and with the relevant regulations.

5.6. If applicable, the Client undertakes to designate a representative in the European Union, in accordance with Section 27 of the GDPR.

6. Rights of the Data Subject

6.1. The Client is exclusively responsible for complying with requests from Data Subjects, including requests for rights, and from third parties, including competent authorities, involving Personal Data that is the subject of this relationship or questions about the application of Incognia's technology in its activities.

6.1.1. Incognia undertakes to assist the Client in carrying out any actions that may be necessary to fulfill requests, subject to the applicable technical, legal and contractual limits. To this end, the Client must notify Incognia of the instructions and guidelines to be adopted by Incognia to assist the Client in responding to Requests. Incognia undertakes to address efforts in order to meet the instructions and guidelines indicated by the Client according to legal deadlines.

6.1.2. Incognia shall act on legal instructions received from the Client and in accordance with the applicable law, observing trade secrets and adhering to the applicable technical, legal and contractual limits.

6.2. If Incognia receives requests from Data Subjects and third parties expressly addressed to the Client and involving Data Subject’s Personal Data, it undertakes to notify the Client within 48 (forty-eight) hours to adopt the necessary measures, committing to support the Client, in accordance with Clause 6.1.1 of this DPA.

7. Personal Data Breach

7.1. In the event of a Personal Data Breach involving Data Subject’s Personal Data, Incognia shall notify the Client, without undue delay, so that it can adopt the necessary measures to comply with the applicable laws, providing it with the information described in applicable laws and those requested by the Authorities.

7.2. The obligation to assess whether a Personal Data Breach shall be notified to the Authority and to the Data Subjects is the sole responsibility of the Controller, who is also responsible for effective communication, if applicable.

7.3. In accordance with applicable technical, legal and contractual limits, Incognia will cooperate with the Client and take reasonable steps to support the investigation, mitigation and remediation of the incident.

8. Storage of Personal Data

8.1. The Personal Data processed by Incognia will be stored in cloud computing through a cloud server hired exclusively for this purpose, Amazon Web Services, which has entered into a commitment with Incognia establishing the protection of Personal Data and the adoption of measures to ensure the proper processing of Personal Data with provisions no less stringent than those contained in this DPA.

8.2. With the exception of the previous item, Incognia will not share any Personal Data with other sub-processors, vendors or third parties without the Client's prior and express authorization.

9. Deletion of Personal Data

9.1. Data collected by Incognia, described in clause 3.2, will be automatically deleted within a maximum period of up to 6 (six) months from collection.

9.2. Upon termination of the PoV, in the event that the Client decides not to proceed with the contracting of Incognia within the subsequent period previously agreed between the Parties, the Client shall remove the SDK from the Client Platform and undertake for its Users to use updated versions of the Client Platform - without Incognia's SDK - failing which it shall bear the liability arising from the maintenance of the residual collection of Data.  

9.3. The deletion of Data must comply with the applicable legal, contractual and technical limits.

9.4. Personal Data necessary for the regular exercise of rights, compliance with contractual, legal and/or regulatory obligations and audits may be kept by Incognia to the extent strictly necessary to achieve such purposes and in accordance with the applicable legal provisions.

10. Periodic Assessment

10.1. Incognia undertakes to, when requested and provided that the trade secret, the intellectual property and Incognia's confidentiality obligations towards third parties are respected, make available to the Client all the information necessary to demonstrate compliance with this DPA and with applicable laws.

10.1.1. Incognia, upon prior notice of 30 (thirty) business days, must allow and contribute to any assessments to be carried out by the Client to confirm that Incognia is acting in accordance with this DPA.

11. International Transfer

11.1. In order to perform the PoV, Incognia may transfer Personal Data to the United States of America for storage and processing on a local cloud computing server, provided by Amazon Web Services, which is part of the EU-US Data Privacy Framework, as described in clause 8.1 of this DPA.

11.2. The international transfer of Personal Data will be performed in accordance with the applicable transfer mechanisms provided for in the applicable privacy laws.

12. Limitation of Liability

12.1. Incognia shall be jointly and severally liable with the Client for any damages caused by the processing of Personal Data when it fails to comply with the obligations of the applicable personal data protection legislation or when it fails to follow the Client's lawful instructions, in which case Incognia shall be deemed to be the controller.

12.1.1. Incognia undertakes to immediately assume responsibility for the obligations required in any judicial or administrative actions, exempting and indemnifying the Client for any liability and/or Losses determined in said actions, including attorney fees.

12.2. In the event that the Client provides Incognia with unlawful processing instructions or shares Personal Data or authorizes its collection by Incognia in disagreement with the applicable Law or the provisions of this DPA, the Client assumes responsibility for any resulting damages and undertakes to immediately assume responsibility for the obligations required in any judicial or administrative actions, exempting and indemnifying Incognia for any liability and/or Losses determined in said actions, including attorney fees.  

12.3. In the event that either Party is sued by any natural or legal person, including public authorities or private entities, for processing Personal Data exclusively attributable to the other Party, the innocent Party may exercise its right to indemnify the other Party, without prejudice to the reimbursement of any judicial or extrajudicial costs, including administrative fines.

13. General Provisions

13.1. This DPA will be valid while the NDA is in force or while the processing of the Personal Data object of this DPA takes place.

13.2. Any changes to this DPA must be made in writing and shall be deemed to have been duly given if: (i) personally delivered to the address in the NDA, upon receipt; (ii) sent by e-mail to the e-mail address provided by Incognia; or (iii) sent by registered mail upon delivery and only if sent to the address in the NDA.

13.3. If the Authority publishes any guidance, regulation or interpretation that is contrary to the provisions of this DPA or in any way makes the processing of Personal Data unfeasible or unlawful in the manner provided for in this DPA, the Parties must reach a consensus to adjust the processes and conform to the new guidelines.

13.4. All provisions of this DPA shall be interpreted in conjunction with the provisions of the NDA. If there is a discrepancy between the NDA and this DPA, the provisions of this DPA shall remain.

14. Governing Law and Disputes

14.1. This DPA shall be subject to the applicable governing law according to the definitions in clauses 1.1.2 and 1.1.7.

14.2. The Parties hereby elect the court elected in the NDA, to the detriment of any other, however privileged, as the competent court to settle any doubts and questions related to this DPA.

14.2.1. Any dispute or claim arising from the processing of personal data originating from PoV shall be adjudicated in the courts specified in the NDA as governing, and the Client agrees to the exclusive jurisdiction and venue of said courts.