Incognia Services Agreement EU

Last updated: November 19, 2025

  1. Scope and Order of Precedence

This Annex governs the transfer of Personal Data from the Client (located in the European Economic Area, the United Kingdom or Switzerland) to Incognia, established in the United States of America, where the data is stored and processed in cloud environments hosted by Amazon Web Services (AWS) to enable the performance of the Services under the Agreement.

Where more than one international data-transfer mechanism could apply, the following order of precedence shall govern:

(a) the EU Standard Contractual Clauses (SCCs) set forth in Section 2 below;

(b) the UK International Data Transfer Addendum (IDTA) set forth in Section 3 below; and

(c) the Swiss Addendum set forth in Section 4 below.

If a higher-ranking mechanism becomes invalidated, the next available mechanism shall automatically apply without the need for any amendment or further action by the Parties.

 

  2. EU Standard Contractual Clauses

The Parties agree that the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (“EU SCCs”) apply to all transfers of Personal Data from the EEA to Incognia, located in the United States.

The EU SCCs are incorporated by reference into this DPA and deemed executed as of the Effective Date, with the following parameters:



  • Module Applicable:
  • Module 2 (Controller → Processor) applies where the Client acts as Data Controller and Incognia acts as Data Processor.
  • Clause 7 (Docking Clause): Not applicable.
  • Clause 9 (a): Option 2 (General Authorisation) applies, with prior notice of new Sub-processors.
  • Clause 11 (Redress): Excluded.
  • Clause 17 and 18: The SCCs are governed by the laws of Ireland and disputes shall be submitted to the courts of Ireland.

 

  • Transfer Impact Assessment:
  • The Parties acknowledge that they have assessed the laws and practices of the United States relevant to government access to data, and conclude that, in light of the supplementary measures implemented by Incognia and AWS, the transfer provides an adequate level of protection consistent with the GDPR.

 

2.1. Documentation and Cooperation

Incognia shall maintain documentation evidencing its assessment of the laws and practices of the United States, as well as the supplementary measures implemented in accordance with Clause 14 of the SCCs. 

 

2.2. Requests from Public Authorities

In accordance with Clauses 14 and 15 of the SCCs, Incognia shall:

  1. promptly notify the Client of any legally binding request from public authorities to disclose Personal Data, unless legally prohibited;
  2. use its best efforts to obtain a waiver of any prohibition to communicate such information;
  3. challenge requests that are unlawful or disproportionate; and
  4. limit any disclosure to the minimum necessary.

Incognia maintains internal policies and procedures for the assessment, escalation, and documentation of such requests, and shall make summary information available to the Client upon reasonable request.

 

  3. UK International Data Transfer Addendum (IDTA)

For transfers of Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, effective 21 March 2022) applies and is incorporated by reference into this Annex.

 

  • Table 1 – Parties: Client (Exporter) and Incognia (Importer).
  • Table 2 – Transfer Mechanism: refers to the EU SCCs outlined in Section 2.
  • Table 3 – Annexes: the information required to complete the Appendices of the EU Standard Contractual Clauses (description of the transfer, technical and organisational measures, and list of sub-processors) is contained within this Annex (Cross-Border Data Transfer Mechanisms).
  • Table 4 – Termination Right: either Party may terminate in accordance with the Addendum.

  4. Swiss Addendum

For Personal Data transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the following modifications:

 

  1. references to the “EU” and “Member States” include Switzerland;
  2. references to the “European Commission” shall be read as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC);
  3. the governing law under Clause 17 shall be Swiss law where the transfer is exclusively subject to the FADP; and
  4. data subjects in Switzerland may bring claims in their place of habitual residence (Switzerland) under Clause 18.

  5. Conflict

In case of any conflict or inconsistency between this Annex and the Standard Contractual Clauses (or their UK or Swiss Addenda), the Standard Contractual Clauses and their respective Addenda shall prevail to the extent of such conflict.

EU SCC’s ANNEX I

 

  • LIST OF PARTIES

Data exporter(s):

  1. Name: Client, as identified in the applicable Order Form
  2. Address: As specified in the Order Form
  3. Contact person’s name, position and contact details: As specified in the Order Form
  4. Activities relevant to the data transferred under these Clauses: The Client uses the Incognia Services under the Agreement and shares Personal Data for the purposes described in Clause 3 of the DPA and Clause 2 of the Agreement.
  5. Signature and date: As executed in the Order Form
  6. Role (controller/processor): Controller

Data importer(s):

  1. Name: Incognia US Inc
  2. Address: 333, West San Carlos Street, San Jose, United States, CA 95110.
  3. Contact person’s name, position and contact details: Dayana Caroline Costa – Data Protection Officer – dpo@incognia.com
  4. Activities relevant to the data transferred under these Clauses: Risk analysis for fraud prevention
  5. Signature and date: As executed in the Order Form
  6. Role (controller/processor): Processor

  • DESCRIPTION OF TRANSFER

  • Categories of data subjects whose personal data is transferred:

- Users of data exporter’s Website and/or Application.

  • Categories of personal data transferred:

Mobile Solution (Application): Location, Identifiers, Device Data, Network and Application Data

Web Solution (Website): Location, Identifiers, Device Data, Network Browser and Website Data

  • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

- Not applicable.

  • The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

- Continuous basis.

  • Nature of the processing:

- Storing, processing and deleting.

  • Purpose(s) of the data transfer and further processing:

- Risk analysis for fraud prevention.

  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

- The personal data will be retained for the time necessary to achieve the processing purposes determined by the data exporter. After this period, the data is securely and permanently deleted. When it is necessary to retain personal data after the purpose for which it was collected has been achieved, the criteria for delimiting the retention period will be as follows: i. we have a legal, regulatory, contractual or competent authority obligation to retain such data; ii. the data is essential to maintain our historical, commercial and financial records, to the extent necessary; or iii. the Data is necessary for auditing purposes or to regularly exercise rights in judicial or administrative proceedings.

  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

- The sub-processor’s purpose is to store and process the data in an object storage base (Simple Storage Service, or S3) through the use of Cloud storage for the period specified in the previous item.

  • COMPETENT SUPERVISORY AUTHORITY

  • Identify the competent supervisory authority/ies in accordance with Clause 13:

- Data Protection Authority of Ireland 

 

EU SCC’s ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

- The data is stored in an object storage base (Simple Storage Service, or S3) hosted in technological environments managed solely and exclusively by the data importer through the use of a public cloud platform provided by AWS, the sub-processor. The data importer uses security mechanisms in both transport and storage of data, in addition to constantly updating its protection systems. All requests are sent using secure versions of HTTPS, which is an industry-standard protocol. It is worth noting that the data importer is SOC 2 certified, which guarantees security on the part of its technology. This type of certification guarantees an international standard in cybersecurity risk management systems. As a result, the data importer has security measures such as risk monitoring, systems and application of controls; environment management and logical and physical access; communication channels; risk mitigation and assessment mechanisms; and change management. In addition, other protection mechanisms are applied, such as applying hash functions to the collected IDs and storing a pseudonymous identifier, the hash ID. Data is stored encrypted in the AWS cloud. Storage of data on servers in the cloud (“cloud computing”) is also an industry standard as it simplifies the technology operation, scalability and security for any technological service. The sub-processor hired for data storage and processing offers a variety of security features and services to increase privacy and control network access, including: firewalls, encryption (both at rest and in transit), automatic defense and response to DDoS attacks, security checks, backup, as well as constant monitoring, activity logging and access control. In this way, a level of protection is guaranteed along the trajectory of the data, before, during and after the transfer to the US.

The sub-processor adheres to information from 18 international security standards, regulations and certifications such as ISO 27001, ISO 27017, ISO 27018, ISO 9001, SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1 and Cloud Security Alliance. The sub-processor has servers spread all over the world, including the US. The personal data collected is stored on logically segregated bases and is not shared with other customers in any way.

 

EU SCC’s ANNEX III

 

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

  1. Name: Amazon Web Services, Inc (AWS).
  2. Address: 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A.
  3. Contact person’s name, position and contact details: privacyofficer@marketo.com
  4. Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): The sub-processor’s purpose is to store and process the data in an object storage base (Simple Storage Service, or S3) through the use of Cloud storage. AWS supports the data importer in its delivery of services since the sub-processor simplifies the technology's operation, generates scalability and increases the security level of all services that use it. The sub-processor participates in the EU-US Data Privacy Framework.
