Last updated: 19 November, 2025
This Incognia Services Agreement (the “Agreement”) is entered into by and between Incognia US Inc. ("Incognia") and the counterparty (“Client”) identified in an order form (“Order Form”) (each a “Party” or together the “Parties”). Client wishes to obtain, and Incognia wishes to provide, a subscription to Incognia’s authentication services described in this Agreement and the Order Form. This Agreement and its Exhibit I - Data Protection Agreement (“DPA”) govern the parties' promises and set forth the terms and conditions under which Incognia will provide Client with a subscription to the Services.
This Agreement takes effect when Incognia and the Client execute an Order Form (or on the date specified in such Order Form) referring to this Agreement, or, if no such Order Form is executed, when the Client accepts this Agreement on the Incognia Platform (the “Effective Date”).
Capitalized words are defined terms, applicable in both singular and plural, and should be construed according to the definitions below or as provided in the applicable section:
1.1. Admin – means the natural persons authorized and designated by the Client to represent it in accessing and using the Services.
1.2. Application Programming Interfaces (APIs) – means the interfaces developed by Incognia for technical integration between the Client’s Platform and the Services, enabling, for example, the Client to make Requests to Incognia and Incognia to share Risk Assessments.
1.3. Client Platform – means the application owned by the Client to be installed by Users on a mobile Device (the "Application") or the Client's website through which Users access its products and services ("Website"), whichever is applicable according to the Solution (as defined below).
1.4. Dashboard – means the functionality of the Incognia Platform through which the Client accesses the Risk Assessments and their respective reports, as well as sends and receives files for occasional analysis.
1.5. Device – means the mobile communication device (such as cell phone or smartphone) or computer used by the User, whichever is applicable, as provided in the Order Form.
1.6. Incognia Platform – means the set of Incognia's web-hosted applications, through which the Client accesses the Dashboard and Technical Documentation.
1.7. Order Form – means the document that includes the commercial and technical specification of the Services and that incorporates this Agreement by reference or is an exhibit to it as Exhibit I.
1.8. Request – means the request made by the Client to the Services regarding an event in the Client’s platform so that Incognia can perform the Risk Assessment according to the applicable Solution.
1.9. Risk Assessment – means the risk score and/or authentication or validation of an event on the Client's Platform, including the respective reasoning supporting them.
1.10. Services – means the solutions offered by Incognia, described in the Order Form, and their respective features, Incognia Platform, which is provided as Software-as-a-Service, the SDK, and APIs, as well as any related professional or support services.
1.11. Software Development Kit (SDK) – means Incognia’s proprietary software, including but not limited to source-code, object-code, a set of software development tools, libraries and documentation.
1.12. Solution – means the software solution and respective use case, functionalities, and capabilities described in the Order Form.
1.13. Technical Documentation – means instructions, detailing, and technical specifications of Incognia's technology consolidated on the Incognia Platform.
1.14. User – means the natural person who uses the Client Platform, either through the Client's Application installed on their Device or by accessing the Client's Website.
2.1. Subject to the terms of this Agreement, Incognia will perform the Services described in the applicable Order Form. The Services include a limited, revocable, non-exclusive, non-transferable, royalty-free (i) right to reproduce Incognia’s SDK in object-code format solely to integrate it with the Client Platform and allow the collection of data pursuant to the DPA; (ii) right to use APIs to make Requests, receive Risk Assessments, and make other authorized communications, such as events feedback sharing; and (iii) right to access Incognia Platform, by which the Client may access and use the Dashboard and Technical Documentation that are provided for the purposes of this Agreement.
2.2. Client will use the Services solely for the relevant Solution’s purpose and will not (or attempt or permit any third party to): (a) permit third parties not authorized in or party to this Agreement to use the Services; (b) sell, assign, resell, pledge, license, sublicense, rent, distribute (except when stated otherwise in this Agreement), market, or otherwise commercially exploit the Services or Risk Assessments; (c) reverse assemble, reverse engineer, decompile or otherwise attempt to derive source code of the Services or any component thereof; (d) circumvent, disable, or otherwise interfere with features of the Service and limits of use set forth in this Agreement, including those related to security or access to the Services; (e) cache the Risk Assessments or use any robot, spider, crawler, scraper, search or retrieval application, or any other manual or automatic device or process to retrieve, index, data-mine, or in any way reproduce or circumvent the navigational structure or presentation thereof; (f) modify, copy, distribute, or prepare derivative works from the Services or any component thereof; (g) use in any manner that infringes the intellectual property or other rights of Incognia or any other party; (h) store or transmit any defamatory, violent, obscene, pornographic, illegal or otherwise offensive content; (i) use the Services or Risk Assessments for any unlawful discriminatory practices or use in any unlawful way or not specifically permitted under this Agreement. Client recognizes that the Services are not provided by a “consumer reporting agency” and do not constitute a “consumer report” under the Fair Credit Reporting Act.
2.3. API-Rate Limit. To protect the Client's and Incognia's infrastructure from malicious attacks and preserve the stability of the Services, the Client acknowledges and agrees that Incognia may set and modify reasonable limits on the number of requests to any API that may occur within a specified period of time (“API Limits”), which will be available in the Technical Documentation. The Client shall comply with the applicable API Limits and refrain from exceeding or manipulating them. Incognia may monitor compliance with the API Limits and restrict Requests to ensure compliance with this section.
3.1. Client is solely responsible and liable for its uses (including by the actions and omissions of its Admins) of the Services resulting from access provided to Client, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Client is responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers, and the like (collectively, “Equipment”). Client is responsible for maintaining the security of Equipment, Client’s account information, passwords, and files, keeping the Admins’ credentials updated, and for all uses of Client’s account or the Equipment.
3.2. It is the Client’s sole responsibility and discretion to continuously store the Risk Assessments the Client deems necessary and to preserve the physical and logical integrity of the extracted data. Client will use the Services in compliance with applicable law including, without limitation, those laws related to privacy and data protection. Client understands and agrees that, in order to ensure compliance with applicable law and Incognia’s internal policies, Incognia may conduct usage reviews of Client’s use of the Services, and Client agrees to cooperate fully with any such reviews.
4.1. As a condition for using the Services, Client is solely responsible for integrating the SDK and APIs (and its updates) and for adopting all reasonable measures so that its Users only use the Client Platform that has the most up-to-date version of the SDK, considering the Technical Documentation and updated software versions. Updated versions of the SDK, APIs and other tools eventually provided will be made available through the Incognia Platform. Client shall perform all the integrations and updates in accordance with the Technical Documentation provided by Incognia and abide by the following deadlines for SDK and APIs updates (“Update Deadlines”): (a) Update for compatibility persistence: 6 (six) months from the release of the updated version; and (b) critical update, which occurs when an exceptional and unexpected event generates risks to Client’s Platform, security, Users, or Services or database: seventy-two (72) hours after written communication of the event. Non-compliance with the Update Deadlines is subject to immediate suspension of the Services at Incognia’s discretion without prejudice to other remedies provided in this Agreement and continuous payment of amounts due, including any agreed minimum fee. THE CLIENT ACKNOWLEDGES AND AGREES THAT THE SAID INTEGRATIONS AND UPDATES ARE NECESSARY FOR THE SUCCESSFUL PERFORMANCE OF THE SERVICES AND RELEASES INCOGNIA FROM ANY CLAIM ARISING FROM THE USE OF THE SERVICES WITHOUT COMPLYING WITH THIS SECTION.
4.2. In the event the Client chooses to integrate third-party components permitted by the Technical Documentation (“Third-Party Components”) into the Services, the use of such Third-Party Components (even if Incognia, for the Client’s convenience, facilitates the integration of these Third-Party Components) shall be the sole responsibility and risk of the Client, who shall comply with the applicable agreements governing the Third-Party Component and abide by the permissions and rules set forth in the Technical Documentation.
5.1. Incognia shall provide the Services in a diligent manner, employing reasonable commercial efforts to perform the Services properly in accordance with industry standards.
5.2. Incognia shall make the Risk Assessments available to the Client through the Dashboard and/or APIs.
5.3. Incognia shall make reasonable efforts to address the Client's questions and inquiries regarding a Risk Assessment provided such questions and inquiries are made up to 6 (six) months after the Risk Assessment was furnished.
7.1. Incognia or its licensors, as the case may be, shall retain and own all rights, titles and interests and all intellectual property rights in and to the Services (including but not limited to the SDK, APIs, Incognia Platform, their source and object-code, modules and packages, operating structure, algorithms, models, trade dress, look and feel, Technical Documentation and all information related to its usage and operation, material models, documentation, reports, tables, data compilations, manuals, and other elements resulting directly from the delivery of the Services), any software underlying the Services, any hosting environment made available to Client, aggregated and or statistical data collected or inferred in connection with the Services (subject to the DPA limits), any related documentation, modification, derivation, improvement or development thereof, and all copies thereof ("Incognia Intellectual Property").
7.2. Nothing in this Agreement entitles one Party to the other Party’s intellectual property rights, except when expressly agreed upon otherwise in this Agreement, such as the limited right to use the Services by the Client subject to the terms of this Agreement.
7.3. Incognia reserves the right to add, remove, or update content, features, capabilities or software utilized in the Services and will use commercially reasonable efforts to notify Client of such changes, upon which the Client shall perform the relevant update or integration as set forth in section 4.
7.4. If Client sends or transmits any communications or materials to Incognia suggesting or recommending changes to the Services or Incognia Intellectual Property, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Incognia is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Client hereby assigns to Incognia, including on behalf of its employees, contractors and/or agents, all right, title, and interest in, and Incognia is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Incognia is not required to use any Feedback.
7.5. Publicity. Each Party recognizes and concedes that all trademarks, service marks or other designations (“Proprietary Marks”) constitute such Party’s exclusive property. Each Party grants the other Party a nonexclusive, non-transferable, non-sublicensable, royalty-free license during the Term to publicly use the other Party’s mark solely to identify the other Party as a Client or supplier, as the case may be, in its official communication channels worldwide and in any media format. Except as set forth herein, neither Party shall use the Proprietary Marks of the other Party without the prior written consent of the other Party. Any uses of the other Party’s Proprietary Marks shall be in accordance with the reasonable trademark usage policies provided by the Granting Party, if any. Each Party shall cease, or adjust the manner of, its use of any of the other Party’s Proprietary Marks at the request of the other Party in its sole discretion. The granting Party may withdraw any approval or license of any use of its Proprietary Marks at any time in its sole discretion.
9.1. This Agreement is effective on the effective date of the first Order Form processed under this Agreement or the effective date specified in this Agreement (if any), whichever occurs first (“Effective Date”), and will continue in effect for the term provided in the applicable Order Form (the “Term”). The Term will automatically renew for successive periods equal to the Term, unless either party provides the other with at least sixty (60) days’ prior written notice of non-renewal before the end of the then-current Term or as provided in the Order Form. If the Services continue to be provided under an Order Form after termination of this Agreement, then this Agreement will continue to be in effect until the Order Form is terminated or the obligations under the Order Form are completed.
9.2. Unless otherwise expressly provided on an Order Form, the Parties may not terminate this Agreement other than for the causes provided in section 9.3. The Client acknowledges that this provision is essential for Incognia to recover the investments made to serve the Client and to balance the pricing assumptions underlying a long-term, high-volume contract. Accordingly, the consequence of breaching this obligation of continuity shall take into account the projected variable compensation for the remaining period, calculated based on the average revenue from the six (6) preceding months (or, if unavailable, the longest available period of full billing for the Services) or, if it is a fixed compensation, the highest fixed fee applicable during the Term. In the event the Order Form allows termination for convenience, during any prior written notice the Services will be rendered regularly and consistently with at least the volume of Requests or active users (as applicable pursuant to the Order Form) of the prior six (6) months (or, if unavailable, the longest available period) to the notice.
9.3. This Agreement and the Order Form may be terminated by either Party on delivery of written notice of termination to the other Party for cause as follows: (1) if the Client materially breaches the license conditions set forth in Section 2.2; (2) if the other Party materially breaches this Agreement, such breach is capable of being cured and the breaching Party fails to cure such breach within fifteen (15) days (or within the applicable term for specific breaches as set forth in this Agreement) after receipt of written notice of such breach from the nonbreaching Party; or (3) if the other Party: (a) makes a general assignment for the benefit of creditors, (b) admits in writing its inability to pay debts as they come due, (c) voluntarily files a petition or similar document initiating any bankruptcy or reorganization proceeding, or (d) involuntarily becomes the subject of a petition in bankruptcy or reorganization proceeding and such proceeding shall not have been dismissed or stayed within sixty (60) days after such filing. Termination of the Agreement shall terminate all rights granted in this Agreement.
9.4. Upon termination of the Agreement (i) access to the Services will be ceased, (ii) the SDK and APIs will be deactivated, and (iii) Client will pay Incognia any remaining fees and not be entitled to any refunds or credits for unused Services.
Without prejudice to other provisions of this Agreement, Incognia may temporarily suspend Client’s access to any portion or all of the Services if: (i) Incognia reasonably determines that (A) there is a threat or attack on any of the Services; (B) Client’s use of the Services disrupts or poses a security risk to Incognia or any of its other Clients; (C) Client is using the Services for fraudulent or illegal activities or in a manner contrary to the limits of use set forth in this Agreement; or (D) Incognia’s provision of the Services to Client is prohibited by applicable law; or (ii) Client fails to pay applicable fees in accordance with Section 8 (any such suspension described in these subsections (i) or (ii), a “Service Suspension”). Incognia shall provide written notice of any Service Suspension to Client and updates regarding resumption of access to the Services following any Service Suspension. Incognia shall resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Incognia will have no liability for any damage, liabilities, losses, or any other consequences that Client may incur as a result of a Service Suspension.
11.1. In connection with this Agreement, each Party (a “Disclosing Party”) has provided or may provide Confidential Information to the other Party (a “Receiving Party”). Except as set forth below, “Confidential Information” means all non-public, confidential or proprietary information of or about Disclosing Party that is received by Receiving Party which relates to Disclosing Party’s business (including without limitation, business plans, financial data, pricing information, marketing, Client information, personal information), technology (including without limitation, source code, algorithms, processes, technical data, product plans, research, software, and other confidential intellectual property), products, services, trade secrets, know-how, formulae, processes, ideas, and inventions, or other information which should be reasonably understood by Receiving Party as the confidential or proprietary information of Disclosing Party, except that to the extent the Confidential Information consists of Personal Data governed by the DPA, such Confidential Information shall be solely governed by the DPA. Confidential Information includes any documents or reports created by the Receiving Party that include, summarize, or refer to Confidential Information. The terms of this Agreement are the Confidential Information of Incognia.
11.2. Confidential Information will not include any information that Receiving Party can document: (i) is or becomes generally known to the public without fault of Receiving Party; (ii) was in its possession or known by it without any obligation of confidentiality prior to receipt pursuant to this Agreement; (iii) is independently developed by Receiving Party without use of or reference to the Confidential Information; or (iv) is rightfully obtained by Receiving Party from a third party without any obligation of confidentiality to Disclosing Party.
11.3. Receiving Party’s Obligations. Confidential Information of Disclosing Party may be used by Receiving Party solely for the purposes anticipated in this Agreement and may not be used for any other purpose. Receiving Party will hold Disclosing Party’s Confidential Information in strictest confidence and may not use or disclose Disclosing Party’s Confidential Information, except as expressly permitted herein, without the prior written consent of Disclosing Party, which consent may be granted or refused in Disclosing Party’s sole discretion. Receiving Party will take all reasonable measures to protect the Confidential Information of Disclosing Party from becoming known to the public or falling into the possession of persons other than those persons authorized to have any such Confidential Information, which measures shall include the highest degree of care that Receiving Party uses to protect its own information of a similar nature, but in no event less than a reasonable degree of care. Receiving Party may disclose Disclosing Party’s Confidential Information only to its Representatives who have a legitimate “need to know,” have been advised of the obligations of confidentiality under this Agreement and are bound in writing to obligations of confidentiality no less strict than those set out in this Agreement. “Representatives” include any person acting on behalf of either Party as individual contractors, directors, legal and accounting advisors, employees, and Affiliates. An “Affiliate” is a business entity controlling, controlled by or under common control, directly or indirectly, with a Party. For purposes of defining Affiliate only, “control” means ownership of more than fifty percent (50%) of the voting stock or other voting ownership interest in an entity. Receiving Party will be liable for any breach of this Agreement by its Representatives. 
Nothing in this Agreement will prohibit Receiving Party from disclosing Confidential Information of Disclosing Party if legally required to do so by judicial or governmental order or in a judicial or governmental proceeding (“Required Disclosure”); provided that Receiving Party shall: (i) where permitted, give Disclosing Party reasonable notice of such Required Disclosure prior to disclosure; (ii) cooperate with Disclosing Party in the event that it elects to contest such disclosure or seek a protective order with respect thereto; and (iii) in any event only disclose the exact Confidential Information, or portion thereof, specifically requested by the Required Disclosure. Despite the foregoing, each Party may disclose the terms and existence of this Agreement to its actual or potential investors, debtholders, acquirers, or merger partners under customary confidentiality terms.
11.4. Confidentiality Period; Return of Confidential Information; Remedies. The confidentiality obligations with respect to any disclosure made on or after the Effective Date will survive and continue for a period of five (5) years after the Agreement terminates, except that the obligations with respect to Confidential Information constituting a trade secret shall survive for so long as such information remains a trade secret under applicable law. Immediately upon either the written request by Disclosing Party at any time or the termination of this Agreement, Receiving Party shall cease all use of and destroy or delete all copies or extracts of Disclosing Party’s Confidential Information, in any medium, or certify, in writing by an authorized officer of Receiving Party, the destruction of the same. Receiving Party acknowledges and agrees that due to the unique nature of Disclosing Party’s Confidential Information, there can be no adequate remedy at law for any breach of its confidentiality obligations, that any such breach may allow Receiving Party or third parties to compete unfairly with Disclosing Party resulting in irreparable harm to Disclosing Party and, therefore, that upon any such breach or any threat of breach of confidentiality, Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever remedies it might have at law. Each Party agrees that monetary damages would be inadequate to compensate the other Party for any breach of confidentiality. The Receiving Party will notify the Disclosing Party in writing immediately upon the occurrence of any such unauthorized release or other breach of which it is aware.
12.1. Incognia will defend and indemnify Client or its officers, directors, employees or agents from any and all losses, damages, costs and expenses including reasonable attorneys’ fees to the extent based on a claim that the Services, when used in accordance with this Agreement, infringe any patent, copyright, or trademark of a third party (a “Claim”). Incognia shall have no obligation to defend or indemnify hereunder to the extent that a Claim is caused by or results from any: (i) use of the Services not in accordance with this Agreement or for purposes not intended by Incognia and not specifically permitted pursuant to this Agreement; or (ii) use of the Services other than the most updated, unaltered and unmodified version of the Services as made available by Incognia to Client as an update or upgrade or after the termination of this Agreement. Following notice of a Claim or upon facts which in Incognia’s sole opinion are likely to give rise to such Claim, Incognia shall in its sole discretion and at its sole option, elect to (A) procure for Client the right to continue to use the Services, at no additional cost to Client, (B) replace the Services so that they become non-infringing, but functionally equivalent, (C) modify the Services to avoid the alleged infringement in a manner so that it remains functionally equivalent, or (D) terminate this Agreement.
12.2. Client will defend and indemnify Incognia, its affiliates and their respective officers, directors, agents and employees from any and all losses, damages, costs and expenses including reasonable attorneys’ fees relating to or arising out of a breach of section 2.2 or 13.2 by the Client or anyone on its behalf.
12.3. A Party's (“Indemnifying Party”) indemnification obligations are subject to the other Party (“Indemnified Party”): (a) notifying the Indemnifying Party of any Claim promptly after it obtains knowledge of such Claim; (b) providing the Indemnifying Party with reasonable assistance, information and cooperation in defending the lawsuit or proceeding; and (c) giving the Indemnifying Party full control and sole authority over the defense and settlement of such Claim, provided any such settlement is solely for monetary damages and does not admit any liability on behalf of the Indemnified Party. The Indemnified Party may be represented in any such suit by counsel of its own choosing at its own expense.
13.1. Each Party represents and warrants that: (i) the execution and performance of this Agreement do not conflict with any contractual or legal obligations it has; (ii) it shall comply with applicable law; and (iii) it has all rights necessary to execute and perform this Agreement.
13.2. Client further represents and warrants that it has and shall during the Term have all rights, licenses, and consents required under applicable law to provide Incognia with (and access to) any data (including but not limited to Personal Data) collected or processed by the Services in accordance with the terms of this Agreement and will only use the Services for lawful purposes. Client represents and warrants that neither it nor its owners have been designated by or are otherwise subject to restriction in accordance with export controls or economic sanctions laws and regulations administered by the United States Department of Commerce, United States Department of State, United States Department of Treasury or other applicable export controls or sanctions laws and regulations. Client covenants that it shall not—directly or indirectly—sell, export, reexport, transfer, divert, or otherwise dispose of any products, software, or technology (including products derived from or based on such technology) received from Incognia to any restricted destination, entity, person or end-use requiring an export license. Client also represents and warrants it has all the required authorizations, licenses, or applicable legal requirements to provide its service or products and represents and warrants that the Services will not be associated with an unlawful activity regarding Client’s service or products. The Client is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in giving access, selling, licensing of access to, or other similar commercial transactions, the Services, the Risk Assessments, personal identifiers, geolocation data, or any part thereof that constitute covered data pursuant to 28 CFR part 202 (the “Rule”), to countries of concern or covered persons, as defined in the Rule. 
Where the Client knows or suspects that a country of concern or covered person has gained access to information restricted by this section, the Client shall immediately notify Incognia. Failure to comply with the above will constitute a material breach of this Agreement and may constitute a violation of 28 CFR part 202.
14.1. CLIENT ACKNOWLEDGES THAT THE SERVICES ARE PROVIDED ON AN "AS-IS" AND "AS AVAILABLE" BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, INCOGNIA DISCLAIMS ALL OTHER REPRESENTATIONS, WARRANTIES, TERMS AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, REGARDING THE SERVICES, RELATED DOCUMENTATION OR INFORMATION, AND OTHER MATERIALS AND SERVICES, AND SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT AND THOSE ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE. INCOGNIA DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SERVICES OR IN ANY UPDATE WILL MEET THE REQUIREMENTS OF CLIENT OR THAT THE OPERATION OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE, OR FREE FROM OTHER PROGRAM LIMITATIONS. INCOGNIA PROVIDES NO WARRANTY REGARDING ANY USE OF THE SERVICES NOT IN ACCORDANCE WITH THIS AGREEMENT OR FOR PURPOSES NOT INTENDED BY INCOGNIA AND NOT SPECIFICALLY PERMITTED BY THIS AGREEMENT. THE RISK ASSESSMENTS ARE RISK ANALYSES THAT RELY ON STATISTICAL METHODS BASED ON MATH FORMULAS AND HEURISTICS CREATED BY INCOGNIA CONDITIONED BY MODELS AND METRICS SET OUT BY THE CLIENT, HENCE, CONSIST OF A RISK PROBABILITY ASSESSMENT, BEING UP TO THE CLIENT HOW TO USE SUCH ASSESSMENT, INCLUDING USING IT TO APPROVE OR DENY A TRANSACTION INITIATED BY A USER.
14.2. IN NO EVENT, SHALL A PARTY OR ITS AFFILIATES OR ANY OF THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, OR AGENTS BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, OR ANY PENALTIES, CLAIMS FOR LOST DATA, REVENUE, PROFITS, COSTS OF PROCUREMENT OR SUBSTITUTE GOODS OR SERVICES OR BUSINESS OPPORTUNITIES, ARISING OUT OF THIS AGREEMENT OR ANY ADDENDUM THERETO, UNDER ANY CAUSE OF ACTION OR THEORY OF LIABILITY, WHETHER IN CONTRACT OR IN TORT INCLUDING NEGLIGENCE, EVEN IF SUCH PARTY HAD BEEN ADVISED OF SUCH DAMAGES.
14.3. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL A PARTY’S MAXIMUM AND AGGREGATE LIABILITY HEREUNDER FOR ANY CAUSE OF ACTION OR THEORY OF LIABILITY EXCEED THE AMOUNTS PAID BY CLIENT TO INCOGNIA HEREUNDER DURING THE PRECEDING 3 MONTH PERIOD PRIOR TO THE DATE THE CAUSE OF ACTION AROSE. THE LIMITATION OF THIS SECTION 14.3 DOES NOT APPLY TO (A) ONE PARTY’S INFRINGEMENT OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, (B) BREACH OF THE CUSTOMER’S OBLIGATION TO PAY FEES, AND (C) SECTION 12 (INDEMNIFICATION).
14.4. The exclusion of consequential damages provided in Section 14.3 does not apply to reasonably foreseeable consequential damages arising from one Party's infringement of the other Party’s intellectual property rights.
15.1. Anti-Bribery and Anti-Corruption. Each Party represents it is compliant with the provisions of the United States Foreign Corrupt Practices Act of 1977, as amended (15 U.S.C. § 78 et seq.), related local laws, and other applicable laws related to anti-bribery and anti-corruption (collectively, “Anti-Bribery Laws”). Each Party represents, warrants, and undertakes that neither it nor any of its directors, officers, employees, agents, or affiliates: (a) has not, and will not, directly or indirectly, offer, promise, authorize, give, solicit, or accept any undue financial or other advantage, or engage in any payment, gift, transfer, or other act that would constitute a violation of the Anti-Bribery Laws, including extortion, kickbacks, or other unlawful or improper means of obtaining or retaining business or an advantage; and (b) it will not commit or permit any act that could reasonably cause the other Party to be in violation of the Anti-Bribery Laws with respect to this Agreement.
15.2. Relationship. This Agreement is not intended to create, nor should it be construed as creating, an agency, joint venture, partnership or similar relationship between the Parties. Incognia will act solely as an independent contractor of Client and neither Party shall have the right to act for or bind the other Party in any way or to represent that the other Party is in any way responsible for any acts or omissions of such Party.
15.3. Successors and Assigns. This Agreement shall bind and inure to the benefit of each Party’s permitted successors and assigns. Either Party may assign any of its rights or obligations without prior written consent of the other Party only in the event of: (a) a sale or other transfer of all or substantially all of the assets of such Party, (b) a transfer to an entity controlled by, controlling, or under common control with such Party. Any attempt to assign this Agreement in any other event without prior written consent of the other Party will be null and void.
15.4. Law and Jurisdiction. This Agreement will be construed and governed by the laws of the State of California, without giving effect to its conflicts of law principles. The parties hereby submit to the personal jurisdiction of, and agree that any legal proceeding with respect to or arising under this Agreement will be brought solely in, the state courts of the State of California for the county of Santa Clara or the United States District Court for the Northern District of California, if such court has subject matter jurisdiction. Notwithstanding the foregoing, either party will at all times have the right to commence proceedings in any other court of its choice with the appropriate jurisdiction for interim injunctive relief. If any legal action or proceeding is commenced in connection with any dispute arising under, relating to or otherwise concerning this Agreement, the prevailing party, as determined by the court, will be entitled to recover its attorneys’ and experts’ fees and all costs and necessary disbursements actually incurred in connection with such action or proceeding.
15.5. Force Majeure. With the exception of payment obligations, neither Party shall be liable hereunder by reason of any delay or failure in the performance of its obligations if such delay arises out of causes beyond its control including, without limitation, use of the internet and electronic communications, acts of God or of the public enemy, fires, floods, epidemics, riots, quarantine restrictions, strikes, freight embargoes, earthquakes, electrical outages, computer or communications failures, structural internet failures or malfunction, severe weather, war, governmental action, labor conditions, and acts or omissions of subcontractors (“Force Majeure Event”). The Party prevented from performing its obligations or duties because of a Force Majeure Event shall promptly notify the other Party of the occurrence and particulars of such Force Majeure Event and shall provide the other Party, from time to time, with its best estimate of the duration of such Force Majeure Event and, if applicable, with notice of the termination thereof.
15.6. Severability and Waiver. If any provision of this Agreement is found invalid or unenforceable, that provision will be enforced to the maximum extent permissible so as to effect the intent of the Parties and the remainder of this Agreement will remain in full force and effect. Neither Party will be deemed to have waived any of its rights under this Agreement by lapse of time or by any statement or representation other than by an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any prior or subsequent breach of this Agreement.
15.7. Construction; Integration; Counterparts. This Agreement will not be construed in favor of or against either Party by reason of authorship. This Agreement, including its exhibits, constitutes the entire agreement between the Parties, and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter, as well as any terms of service available on. If Incognia and the Client have executed a specific agreement to govern an Order Form, the agreement executed between the Parties shall prevail over this Agreement. This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute a single instrument. In the event of any conflict between this Agreement and any other document applicable to the Services, the order of prevalence will be the Order Form followed by this Agreement. To the extent the matter under conflict involves Personal Data, the DPA, followed by this Agreement and the Order Form, shall prevail.
15.8. Notices. Any notice, request or other communication required or permitted hereunder shall be in writing and shall be deemed to have been duly given if: (i) personally delivered to the address in the Order Form, upon receipt; (ii) sent by e-mail to the e-mail address indicated in the Order Form or otherwise provided by Incognia; or (iii) sent by registered mail upon delivery and only if sent to the address in the Order Form.
15.9. Survival. All provisions of this Agreement that are by their nature intended to survive the expiration or termination of this Agreement or an Order Form, including without limitation, obligations with respect to indemnification, confidentiality, and proprietary rights, shall survive such expiration or termination.
15.10. Modifications. Incognia reserves the right to modify the Agreement (the "Modifications"), however, the Modifications shall only come into effect and bind the Client when and if (i) the Client expressly agrees to the Modifications (including by executing a new Order Form referring to the modified Agreement), (ii) the term of the Order Form is renewed or on the anniversary of its execution if it provides an indefinite term. If the Modifications are published after the date on which the Client may oppose the automatic renewal of the term (if applicable) and before the actual renewal, the Client may oppose the renewal up to 30 (thirty) (or for the period equivalent to that provided to oppose automatic renewals) days from the Modifications. THE MODIFICATIONS WILL BE NOTIFIED THROUGH THE INCOGNIA PLATFORM AND THE CLIENT ACKNOWLEDGES THAT THIS SECTION PROVIDES SUFFICIENT TIME TO REVIEW AND CONSENT TO THE MODIFICATIONS.
EXHIBIT I - DATA PROCESSING AGREEMENT (DPA)
This Data Processing Agreement ("DPA") is an integral and inseparable part of the Terms of Service ("Agreement") and is entered into between the parties referred to in the Agreement to provide for the responsibilities and obligations of the Parties regarding the processing of personal data carried out for the performance of the Agreement, in accordance with the applicable privacy laws, especially provisions of the General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”), when applicable, and the following clauses:
1.1. Capitalized terms and expressions used in this DPA shall have the following meaning:
1.1.1. Applicable Privacy Law: means the CCPA, GDPR and its respective regulations and guidelines published by Authorities.
1.1.2. Authority: Any data protection authority or agency that is responsible for ensuring, implementing, and monitoring the enforcement of the Applicable Privacy Laws.
1.1.3. CCPA: California Consumer Privacy Act. It will be applicable when processing Data of Data Subjects located in the United States (“US”) territory.
1.1.4. Data Subject: natural person to whom the processed Personal Data refers. For the purposes of this DPA, the Data Subject is the User of the Client's Platform.
1.1.5. GDPR: General Data Protection Regulation. For the purposes of this DPA, it will be applicable when processing Data of Data Subjects located out of the US territory.
1.1.6. Network Effect: an anti-fraud market practice consisting of the strategic consolidation of data in a common repository with the aim of improving and optimizing Risk Assessment. The collective knowledge extracted from the Network Effect aims to improve the effectiveness and accuracy of Risk Assessment, guaranteeing that no Data will be shared among clients or third parties.
1.1.7. Personal Data: data relating to the identified (Direct Identifiable Personal Data) or identifiable (Indirect Identifiable Personal Data) natural person, processed by Incognia on behalf of the Client, in connection with the Agreement. For the purposes of this DPA, it refers to Personal Data related to the Data Subjects. References to "Data" should be interpreted as Personal Data.
1.1.8. Risk Policy: Set of rules configured by the Client that establishes criteria for classifying the risk of events analyzed by Incognia as high risk or low risk according to each context.
1.2. Any other terms mentioned in this Agreement and not listed in this clause shall adhere to the meanings contained in the Agreement and/or the Applicable Privacy Law, and their cognate terms shall be interpreted accordingly.
2.1. This DPA is applicable to the processing of Personal Data by Incognia on behalf of the Client for the execution of the Services related to the contracted Solution, according to the Agreement disposals.
2.2. During the Data processing, the Client will act in the role of controller and Incognia will act as processor.
2.3. The main purpose of the processing of Personal Data to be carried out by Incognia on behalf of the Client is to provide the applicable Solution, through the development of a Risk Assessment for each Client Request, as well as to support the Client in specific analyses and requests related to the purpose of preventing fraud on the Client Platform.
2.4. The Parties shall comply with all Applicable Privacy Laws and regulations in force on the date of signature of this DPA or that enter into force during its term. The Client acknowledges that it solely determines its user base geography where the SDK will be deployed and used, and is therefore responsible and liable for assessing whether any additional privacy or data protection obligations apply beyond GDPR and CCPA and instruct Incognia accordingly.
3.1. The Personal Data covered by this DPA will be collected by Incognia on behalf of the Client through the SDK integrated into the Client's Platform, as well as through API interactions and Dashboard.
3.2. In order to carry out the Services and develop the Risk Assessment, Incognia will collect through the SDK the following categories of Personal Data, in accordance with the Client’s Platform applicable to the contracted Solution:
3.2.1 Incognia may periodically release new versions of the SDK that may include adjustments to Data collection. Such new versions, however, shall always restrict Data collection to the categories of Data set forth in the preceding clause and to the other provisions of this DPA. All changes related to new SDK versions will be previously communicated to the Client and will only be implemented after the Client performs the necessary updates to the Platform, in accordance with Clause 4.1 of the Agreement.
3.3. The Client may share Personal Data, information, files, and documents with Incognia through the Dashboard, for the purpose of requesting specific analyses as well as improving and personalizing Risk Assessments.
3.4. Through the API the Client will share with Incognia only the Data necessary to register their Request, as well as sending any feedback on a Request. It is the Client’s responsibility, depending on the use case and the contracted Solution, to determine which Data will be sent to Incognia via API.
3.5. Through the API, Incognia will share the Risk Assessment as a response to the Request.
3.5.1 The Risk Assessment covers the respective findings and justifications applicable to each type of scenario, such as, but not limited to, information on the integrity of the Device, the reputation of the Device, and suspicious behavior.
3.5.2 The Risk Assessment will also be made available to the Client via access to the Dashboard, where it will be possible to access the Risk Assessment reports for the last six (6) months, under the terms of section 5.3. of the Agreement.
3.6. The Client shall not share with Incognia, via Dashboard, API, SDK, or any other means, files or documents that contain sensitive Personal Data, or Data that is not necessary for the provision of the Services.
3.6.1. If the Client transfers such Personal Data, the Client will be exclusively responsible and liable for any legal violations caused by the improper sharing of Personal Data, regardless of the measures to be adopted by Incognia to delete the Data.
3.6.2. The liability imposed in the previous section also applies if the Client transfers to Incognia Personal Data through unauthorized platforms, such as email.
3.7. The Personal Data processing for the preparation of Risk Assessments is based on the Network Effect, as well as algorithms and heuristics created from Incognia's expertise, which are subject to the Risk Policy, respecting the applicable technical and legal limitations.
3.8. Any decisions that impact the Data Subject and arise from the results of the Risk Assessments are adopted exclusively by the Client under its sole and exclusive responsibility, under the terms of clause 14.1 of the Agreement, which includes the definition of the form of adoption of these decisions, whether human or automated.
3.9. The Personal Data collected by Incognia may be used for aggregated and statistical studies, as well as to improve the algorithms of Incognia's technology in order to generate more assertive Risk Assessments for the Client.
3.10. Incognia will only share with the Client the Personal Data that integrates the Risk Analyses and, under no circumstances, will share Personal Data with any unauthorized third parties, being all the Data encrypted and processed exclusively by Incognia to achieve the purposes determined by the Client, in accordance with the provisions of this DPA and the Agreement.
4.1. Incognia will process the Personal Data in accordance with the determinations and purposes defined by the Client and provided for in this DPA and in the Agreement, limiting the decisions to those related to its expertise and necessary for the provision of the Services.
4.2. Incognia undertakes to take reasonable measures to restrict access to Personal Data to its professionals who need to carry out the processing for the purposes of performing the Services, ensuring that these employees have signed an undertaking and are subject to professional or statutory confidentiality obligations.
4.3. Incognia undertakes to implement security, technical, and administrative measures capable of protecting Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or illicit processing.
4.4. In accordance with the applicable technical, legal, and contractual boundaries, Incognia will assist the Client in providing information that is exclusively related to the processing of Personal Data subject to this DPA and is necessary to comply with Applicable Privacy Laws.
5.1. The Client undertakes to act transparently towards Data Subjects and to make available in its privacy policies and/or notices information on the processing of Personal Data by service providers for the purposes of operationalizing its fraud prevention activities.
5.2. The Client is responsible for providing location permission texts that are transparent and appropriate to the Data Subject's profile, to be made available at appropriate times during their journey on the Client Application. The Client shall also ensure that any end-user consent for Data processing, when applicable, meets the conditions for valid consent under the Applicable Privacy Law.
5.3. The Client warrants that it has all the rights, permissions, and legal bases required by the Applicable Privacy Law to share with Incognia the Personal Data to be processed under the terms set out in this DPA.
5.4. The Client undertakes to provide Incognia with only lawful instructions regarding the processing of Personal Data and shall verify compliance with its own instructions and with the Applicable Privacy Law.
5.5. If applicable, the Client undertakes to designate a representative in the local jurisdiction, in accordance with the Applicable Privacy Law or local Authority designation.
6.1. The Client is exclusively responsible for complying with requests from Data Subjects, including requests for rights, involving Personal Data that is the subject of this relationship or questions about the application of Incognia's technology in its activities.
6.1.1. Incognia undertakes to assist the Client in carrying out any actions that may be necessary to fulfill requests, subject to the applicable technical, legal, and contractual limits. To this end, the Client shall notify Incognia of the instructions and guidelines to be adopted by Incognia to assist the Client in responding to Requests. Incognia undertakes to address efforts in order to meet the instructions and guidelines indicated by the Client according to legal deadlines.
6.1.2. Incognia shall comply with instructions received from the Client and in accordance with the Applicable Privacy Law, subject to protection of trade secrets and adherence to the applicable technical, legal, and contractual limits.
6.2. If Incognia receives requests from Data Subjects and third parties expressly addressed to the Client and involving Data Subject’s Personal Data, it undertakes to notify the Client within 48 (forty-eight) hours to adopt the necessary measures, committing to support the Client, in accordance with section 6.1.1 of this DPA.
7.1. Incognia shall implement logical segregation of Data and ensure the application of encryption in transit and at rest, with secure key management and the use of hashing for identifiers.
7.2. Access to the Data is controlled through credentials linked to least-privilege policies, with auditable records and traceability of critical activities.
7.3. Incognia shall apply technical and administrative measures suitable to protect Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or disclosure.
8.1. In case of occurrence of Personal Data Breach involving Data Subject’s Personal Data, Incognia shall notify the Client, without undue delay, providing the information reasonably available and relevant for the Client to comply with its own obligations under the Applicable Privacy Law.
8.2. The obligation to assess whether a Personal Data Breach shall be notified to the Authority and to the Data Subjects is the sole responsibility of the Client, who is also responsible for effective communication, if applicable.
8.3. In accordance with applicable technical, legal and contractual limits, Incognia will cooperate with the Client and take reasonable steps to support the investigation, mitigation and remediation of the incident.
9.1. The Personal Data processed by Incognia will be stored in cloud computing through a cloud server hired exclusively for this purpose, Amazon Web Services, which has entered into a commitment with Incognia establishing the protection of Personal Data alongside the adoption of measures to ensure the proper processing of Personal Data with provisions no less stringent than those contained in this DPA.
9.2. With the exception of the previous item, Incognia will not share any Personal Data with other sub-processors, vendors, or third parties without the Client's prior and express authorization.
10.1. Data collected via SDK will be automatically deleted within a maximum period of up to 180 (one hundred and eighty) days from the collection.
10.2. Upon termination of the Agreement, (i) Incognia shall deactivate the SDK and ensure the Data safe disposal within the period referred to in the previous clause, and (ii) the Client shall remove the SDK from the Client Platform and undertake for its Users to use updated versions of the Client Platform - without Incognia's SDK - failing which it shall bear the liability arising from the maintenance of the residual collection of Data.
10.3. The deletion of Data shall comply with the applicable legal, contractual and technical limits.
10.4. Personal Data necessary for the regular exercise of rights, compliance with contractual, legal and/or regulatory obligations and audits may be kept by Incognia to the extent strictly necessary to achieve such purposes and in accordance with the applicable legal provisions.
11.1. Upon the Client’s request, made at least thirty (30) business days in advance, Incognia undertakes to provide the Client with the information necessary to demonstrate compliance with this DPA and with Applicable Privacy Law, provided that Incognia’s trade secrets, intellectual property, and confidentiality obligations toward third parties are duly respected.
12.1 In order to perform the Services, Incognia stores Personal Data in cloud environments provided by Amazon Web Services (AWS) which may constitute an international data transfer to the United States, depending on the jurisdiction where the Personal Data is originally collected and in accordance with the Client’s instructions.
11.2 Where an international data transfer is involved, Incognia warrants compliance with the official personal data transfer mechanisms required by the jurisdiction where the Personal Data is collected, including, as applicable, Standard Contractual Clauses (SCCs) or an adequacy decision.
13.1. Incognia shall be jointly and severally liable with the Client for any damages caused by the processing of Personal Data when it fails to comply with the obligations of the Applicable Privacy Law or when it fails to follow the Client's lawful instructions, in which case Incognia shall be deemed to be the Client.
13.1.1. Incognia undertakes to immediately assume responsibility for the obligations required in any judicial or administrative actions, exempting and indemnifying the Client for any liability and/or Losses determined in said actions, including attorney fees. In such a case, the rules set forth in section 12.3 of the Agreement shall apply.
13.2. In the event that the Client provides Incognia with unlawful processing instructions or shares Personal Data or authorizes its collection by Incognia in violation of the Applicable Privacy Law or the provisions of this DPA, the Client assumes responsibility for any resulting liability and undertakes to immediately assume responsibility for the liabilities required in any judicial or administrative proceeding, exempting and indemnifying Incognia for any liability and/or Losses determined in said proceeding, including attorney fees. In such a case, the rules set forth in section 12.3 of the Agreement shall apply.
13.3. In the event that either Party is sued by any natural or legal person, including public Authorities or private entities, for processing of Personal Data exclusively attributable to the other Party, such shall indemnify the innocent Party and bear any judicial or extrajudicial costs, including administrative fines. In such a case, the rules set forth in section 12.3 of the Agreement shall apply.
14.1. This DPA will be in effect while the Agreement is in force or while the processing of the Personal Data subject to this DPA takes place.
14.2. Any changes to this DPA must be made in writing and agreed by the Parties, in accordance with the provisions of the Agreement.
14.3. If the Authority publishes any guidance, regulation or interpretation that is contrary to the provisions of this DPA or in any way makes the processing of Personal Data unfeasible or unlawful under this DPA, the Parties shall employ good-faith reasonable efforts to adjust the processes in conformity with such new guidelines.
14.4. All provisions of this DPA shall be interpreted in conjunction with the provisions of the Agreement. If there is a discrepancy between the Agreement and this DPA, the provisions of this DPA shall remain.