Terms of use

Last updated: May 09, 2024

This Incognia Services Agreement (the “Agreement”) is entered into by and between Incognia US Inc. ("Incognia") and the counterparty (“Client”) identified in an order form (“Order Form”) (each a “Party” or together the “Parties”). Client wishes to obtain, and Incognia wishes to provide, a subscription to Incognia’s authentication services described in this Agreement and the Order Form. This Agreement and its Exhibit I - Data Protection Agreement (“DPA”) govern the parties' promises and set forth the terms and conditions under which Incognia will provide Client with a subscription to the Services. 

This Agreement takes effect when Incognia and the Client execute an Order Form (or on the date specified in such Order Form) referring to these Terms of Service, or, if no such Order Form is executed, when the Client clicks an “I Accept” button or checkbox in Incognia’s platform or a similar mechanism (the “Effective Date”).

1. Definitions

Capitalized words are defined terms, applicable in both singular and plural, and should be construed according to the definitions below or as provided in the applicable section:

1.1. Admin – means the natural persons authorized and designated by the Client to represent it in accessing and using the Services.

1.2. Application Programming Interfaces (APIs) – means the interfaces developed by Incognia through which the Client's Platform will communicate with Services, enabling, for example, the Client to make Requests to Incognia and receive Risk Assessments, as well as share Risk Assessments feedback.

1.3. Client Platform – means the application owned by the Client to be installed by the Client's User on a mobile Device (the "Application") or the Client's website through which its Users access its products and services ("Website"), whichever is applicable according to the Solution (as defined below).

1.4. Dashboard – means the functionality of the Incognia Platform through which the Client accesses the Risk Assessment and their respective reports, as well as sends and receives files for analysis.

1.5. Device – means the mobile communication device (cell phone, smartphone, etc.) or computer used by the Client's User, whichever is applicable, as provided in the Order Form.

1.6. Incognia Platform – means the set of Incognia's web-hosted applications, through which access to the Dashboard and Technical Documentation is provided to the Client.

1.7. Order Form – means the document that includes the commercial and technical specification of the Services and that incorporates this Agreement by reference or is an exhibit of it.

1.8. Request – means the request made by the Client to the Services regarding a Client's User so that Incognia can perform the Risk Assessment according to the applicable Solution.

1.9. Risk Assessment – means the risk score of a User for an event on the Client's Platform within the scope of the Solution, including the respective reasoning supporting them.

1.10. Services – means the solutions offered by Incognia, described in the Order Form, and their respective features, Incognia Platform, which is provided as Software-as-a-Service, the SDK, and APIs, as well as any related professional or support services.

1.12. Software Development Kit (SDK) – means Incognia’s proprietary set of software development tools, including but not limited to software, ad tags, sample code, documentation, and/or base codes.

1.13. Solution – means the product and respective use case, functionalities, and capabilities described in the Order Form.

1.14. Technical Documentation – means instructions, detailing, and technical specifications of Incognia's technology consolidated on the Incognia Platform.

1.15. User – means the natural person who uses the Client Platform, either through the Client's Application installed on their Device or by accessing the Client's Website.

2. Services; Conditions.

2.1. Subject to the terms of this Agreement and its Exhibits, Incognia will perform the Services described in the applicable Order Form. The Services include a limited, revocable, non-exclusive, non-transferable, royalty-free (i) right to reproduce Incognia’s SDK, solely to integrate it with the Client Platform and allow the collection of data pursuant to the DPA, (ii) right to use Incognia’s APIs to make Requests, receive Risk Assessments, and make other authorized communications with respect to a Request, and (iii) right to access Incognia Platform, by which the Client may access and use Risk Assessment and Technical Documentation that are provided for the purposes of this Agreement.

2.2. Client will not use the Services for any purpose other than the relevant Solution purpose and will not (or attempt or permit any third party to): (a) permit third parties not authorized in or party to this Agreement to use the Services; (b) sell, assign, resell, pledge, license, sublicense, rent, market, or otherwise commercially exploit the Services or Risk Assessments; (c) reverse assemble, reverse engineer, decompile or otherwise attempt to derive source code of the Services or any component thereof; (d) circumvent, disable, or otherwise interfere with features of the Service and limits of use set forth in this Agreement, including those related to security or access to the Services; (e) cache the Risk Assessments or use any robot, spider, search or retrieval application, or any other manual or automatic device or process to retrieve, index, data-mine, or in any way reproduce or circumvent the navigational structure or presentation thereof; (f) modify, copy, distribute, or prepare derivative works from the Services or any component thereof; (g) use in any manner that infringes the intellectual property or other rights of Incognia or any other party; (h) store or transmit any defamatory, violent, obscene, pornographic, illegal or otherwise offensive content; and/or (i) use in any unlawful way or in any way not specifically permitted under this Agreement. Client recognizes that the Services are not provided by a “consumer reporting agency” and do not constitute a “consumer report” under the Fair Credit Reporting Act.

2.3. API-Rate Limit. To protect the Client's and Incognia's infrastructure from malicious attacks and preserve the stability of the Services, the Client acknowledges and agrees that Incognia may lay down and modify reasonable limits on the number of requests to a certain API that may occur within a specified period of time (“API Limits”), which will be available in the Technical Documentation. The Client shall comply with the applicable API Limits and refrain from exceeding or manipulating them. Incognia may monitor compliance with the API Limits and restrict API calls to ensure compliance with this clause.

3. Client Covenants and Responsibilities. 

3.1. Client is solely responsible and liable for all uses of the Services resulting from access provided to Client, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Client is responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access, or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers, and the like (collectively, “Equipment”). Client is responsible for maintaining the security of Equipment, Client’s account information, passwords, and files, keeping the Admins’ credentials updated, and for all uses of Client’s account or the Equipment. 

3.2. It is the Client’s sole responsibility and discretion to continuously store the Risk Assessments the Client deems necessary and to preserve the integrity (both physical and logical) of the extracted data. Client will use the Services in compliance with applicable law including, without limitation, those laws related to privacy and data protection. Client understands and agrees that, in order to ensure compliance with applicable law and Incognia’s internal policies, Incognia may conduct usage reviews of Client’s use of the Services, and Client agrees to cooperate fully with any such reviews.

3.3. To protect the Client's and Incognia's infrastructure from malicious attacks and preserve the stability of the Services, the Client acknowledges and agrees that Incognia may lay down and modify reasonable limits on the number of requests to a certain API that may occur within a specified period of time ('API Limits'), which will be available in the Technical Documentation. The Client shall comply with the applicable API Limits and refrain from exceeding or manipulating them. Incognia may monitor compliance with the API Limits and restrict API calls to ensure compliance with this clause.

4. Integrations and Updates.

As a condition for using the Services, Client is solely responsible for integrating the SDK and APIs (and their updates) and for adopting all reasonable measures so that its Users only use the Client Platform that has the most up-to-date version of the SDK, considering Incognia Technical Documentation and updated software versions. Updated versions of the SDK, APIs and other tools eventually provided will be made available through the Incognia Platform. Client shall perform all the integrations and updates in accordance with the Technical Documentation provided by Incognia and abide by the following deadlines for SDK and APIs updates (“Update Deadlines”): (a) update for compatibility persistence: 6 (six) months from the release of the updated version; and (b) critical update, which occurs upon an exceptional event that generates risks to Client’s Platform, security, Users, or Services or database: seventy-two (72) hours after written communication of the event. Non-compliance with the Update Deadlines is subject to immediate suspension of the Services at Incognia’s discretion without prejudice to other remedies provided in this Agreement and continuous payment of amounts due, including any agreed minimum fee. THE CLIENT ACKNOWLEDGES AND AGREES THAT THE SAID INTEGRATIONS AND UPDATES ARE NECESSARY FOR THE SUCCESSFUL PERFORMANCE OF THE SERVICES AND RELEASES INCOGNIA FROM ANY CLAIM ARISING FROM THE USE OF THE SERVICES WITHOUT COMPLYING WITH THIS SECTION.

5. Incognia Covenants and Responsibilities. 

5.1. Incognia shall provide the services in a diligent manner, employing reasonable commercial efforts to perform the services properly.

5.2. Incognia shall make the Risk Assessments available to the Client through the Dashboard and/or APIs. 

5.3. Incognia shall make reasonable efforts to address the Client's questions and inquiries regarding a Risk Assessment provided such questions and inquiries are made up to 6 (six) months after the Risk Assessment was furnished.

6. Privacy and Personal Data Protection.

Personal data processing under this Agreement will be carried out in accordance with the applicable privacy and data protection laws, regulations, and the DPA, which is an integral and inseparable part of this Agreement, as if transcribed herein.

7. Intellectual Property and Trademarks.

7.1. Incognia or its licensors, as the case may be, shall retain and own all rights, titles and interests and all intellectual property rights in and to the Services (including but not limited to the SDK, APIs, Incognia Platform, their source code, modules and packages, operating structure, business model, algorithms, trade dress, look and feel, Technical Documentation and all information related to its usage and operation, material models, documentation, reports, tables, data compilations, manuals, and other elements resulting directly from the delivery of the Services), any software underlying the Services, any hosting environment made available to Client, aggregated data collected by the Services (subject to the DPA limits), any related documentation, modification, derivation, improvement or development thereof, and all copies thereof ("Incognia Intellectual Property"). 

7.2. Nothing in this Agreement shall be interpreted to entitle one Party to the other Party’s intellectual property rights, except when expressly agreed upon otherwise in this Agreement, such as the limited right to use the Services by the Client subject to the terms of this Agreement.

7.3. Incognia reserves the right to add, remove or update content, features, capabilities or software utilized in the Services and will use commercially reasonable efforts to notify Client of such changes, upon which the Client shall, including but not limited to, perform the relevant update or integration as set forth in section 4. 

7.4. If Client sends or transmits any communications or materials to Incognia suggesting or recommending changes to the Services or Incognia Intellectual Property, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (“Feedback”), Incognia is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Client hereby assigns to Incognia on Client’s behalf, and on behalf of its employees, contractors and/or agents, all right, title, and interest in, and Incognia is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Incognia is not required to use any Feedback.

7.5. Publicity. Each Party recognizes and concedes that all trademarks, service marks or other designations (“Proprietary Marks”) constitute such Party’s exclusive property. Each Party grants the other Party a nonexclusive, non-transferable, non-sublicensable, royalty-free license during the Term to use, solely to identify the other Party as a Client or supplier, as the case may be. Except as set forth herein, neither Party shall use the Proprietary Marks of the other Party without the prior written consent of the other Party. Any uses of the other Party’s Proprietary Marks shall be in accordance with the granting Party’s reasonable trademark usage policies. Each Party shall cease, or adjust the manner of, its use of any of the other Party’s Proprietary Marks at the request of the other Party in its sole discretion. The granting Party may withdraw any approval or license of any use of its Proprietary Marks at any time in its sole discretion.

8. Fees, Payment and Taxes.

Client shall pay Incognia the fees specified in the respective Order Form (“Fees”). Unless otherwise specified in an Order Form, payment for all Fees will be invoiced upon mutual execution of the Order Form and all Fees will be due monthly, payable in U.S. dollars within fifteen (15) days from the date of the invoice, which will be issued by the fifth (5th) business day of each month. The fees mentioned in the Order Form will be adjusted on an annual basis, as of each Order Form execution date, to account for inflation. The adjustment will be made, if positive, on the basis of the higher official consumer price of the applicable jurisdiction, unless otherwise settled in the Order Form. Fees are non-refundable and exclusive of all taxes; other than taxes on Incognia’s net income, Client shall pay (and Incognia shall have no liability for), any taxes, tariffs, duties and other charges or assessments imposed or levied by any government or governmental agency in connection with this Agreement, including, without limitation, any federal, provincial, state and local sales, use, goods and services, value-added, withholding, and personal property taxes on any payments due in connection with the Services provided hereunder. In the event that a payment by Client is not received by its due date, Incognia shall be entitled to interest on the amount owing at a rate of 2% per month, or the highest rate allowed by applicable law, whichever is more, from the due date of payment until the date of actual receipt by Incognia and, if necessary, Client shall bear all reasonable attorneys’ fees actually incurred by Incognia in collecting any such overdue amounts.

9. Term and Termination.

9.1. This Agreement is effective on the start date of the first Order Form processed under this Agreement or the effective date specified in this Agreement (if any), whichever occurs first (“Effective Date”), and will continue until terminated or as laid down in the Order Form (the “Term”). If the Services continue to be provided under an Order Form after termination of this Agreement, then this Agreement will continue to be in effect until the Order Form is terminated or the obligations under the Order Form are completed.

9.2. Unless otherwise expressly provided on an Order Form, either Party may terminate this Agreement for convenience without any penalty or charge upon ninety (90) days’ prior written notice to the other Party, a period during which the Services will be rendered regularly and consistently with at least the volume of Requests or active users (as applicable pursuant to the Order Form) of the 6 months prior to the notice.

9.3. In addition, this Agreement may be terminated by either Party on delivery of written notice of termination to the other Party, as follows: (1) if the other Party materially breaches this Agreement and such breach is not capable of being cured; (2) if the other Party materially breaches this Agreement, such breach is capable of being cured and the breaching Party fails to cure such breach within fifteen (15) days (or within the applicable term for specific breaches as set forth in this Agreement) after receipt of written notice of such breach from the non-breaching Party; or (3) if the other Party: (a) makes a general assignment for the benefit of creditors, (b) admits in writing its inability to pay debts as they come due, (c) voluntarily files a petition or similar document initiating any bankruptcy or reorganization proceeding, or (d) involuntarily becomes the subject of a petition in bankruptcy or reorganization proceeding and such proceeding shall not have been dismissed or stayed within sixty (60) days after such filing. Termination of the Agreement shall terminate all rights granted in this Agreement.

9.4. Upon termination of the Agreement (i) data collection on the Client’s behalf and performance of Services will be ceased in accordance with the DPA, and (ii) Client will pay Incognia any remaining fees and not be entitled to any refunds or credits for unused Services.

10. Temporary Suspension.

Without prejudice to other provisions of this Agreement, Incognia may temporarily suspend Client’s access to any portion or all of the Services if: (i) Incognia reasonably determines that (A) there is a threat or attack on any of the Services; (B) Client’s use of the Services disrupts or poses a security risk to Incognia or any of its other Clients; (C) Client is using the Services for fraudulent or illegal activities or in a manner contrary to the limits of use set forth in this Agreement; or (D) Incognia’s provision of the Services to Client is prohibited by applicable law; or (ii) Client fails to pay applicable fees in accordance with Section 5 (any such suspension described in subclause (i) or (ii), a “Service Suspension”). Incognia shall provide written notice of any Service Suspension to Client and provide updates regarding resumption of access to the Services following any Service Suspension. Incognia shall resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Incognia will have no liability for any damage, liabilities, losses, or any other consequences that Client may incur as a result of a Service Suspension.

11. Confidentiality.

11.1. In connection with this Agreement, each Party (a “Disclosing Party”) has provided or may provide Confidential Information to the other Party (a “Receiving Party”). Except as set forth below, “Confidential Information” means all non-public, confidential or proprietary information of or about Disclosing Party that is received by Receiving Party which relates to Disclosing Party’s business (including without limitation, business plans, financial data, pricing information, marketing, Client information, personal information), technology (including without limitation, source code, algorithms, processes, technical data, product plans, research, software, and other confidential intellectual property), products, services, trade secrets, know-how, formulae, processes, ideas, and inventions, or other information which should be reasonably understood by Receiving Party as the confidential or proprietary information of Disclosing Party, except that to the extent the Confidential Information consists of Personal Data governed by the DPA, such Confidential Information shall be solely governed by the DPA. Confidential Information includes any documents or reports created by the Receiving Party that include, summarize, or refer to Confidential Information. The terms of this Agreement are the Confidential Information of Incognia.

11.2. Confidential Information will not include any information that Receiving Party can document: (i) is or becomes generally known to the public without fault of Receiving Party; (ii) was in its possession or known by it without any obligation of confidentiality prior to receipt pursuant to this Agreement; (iii) is independently developed by Receiving Party without use of or reference to the Confidential Information; or (iv) is rightfully obtained by Receiving Party from a third party without any obligation of confidentiality to Disclosing Party.

11.3. Receiving Party’s Obligations. Confidential Information of Disclosing Party may be used by Receiving Party solely for the purposes anticipated in this Agreement and may not be used for any other purpose. Receiving Party will hold Disclosing Party’s Confidential Information in strictest confidence and may not use or disclose Disclosing Party’s Confidential Information, except as expressly permitted herein, without the prior written consent of Disclosing Party, which consent may be granted or refused in Disclosing Party’s sole discretion. Receiving Party will take all reasonable measures to protect the Confidential Information of Disclosing Party from becoming known to the public or falling into the possession of persons other than those persons authorized to have any such Confidential Information, which measures shall include the highest degree of care that Receiving Party uses to protect its own information of a similar nature, but in no event less than a reasonable degree of care. Receiving Party may disclose Disclosing Party’s Confidential Information only to its Representatives who have a legitimate “need to know,” have been advised of the obligations of confidentiality under this Agreement and are bound in writing to obligations of confidentiality no less strict than those set out in this Agreement. “Representatives” include any person acting on behalf of either Party as individual contractors, directors, legal and accounting advisors, employees, and Affiliates. An “Affiliate” is a business entity controlling, controlled by or under common control, directly or indirectly, with a Party. For purposes of defining Affiliate only, “control” means ownership of more than fifty percent (50%) of the voting stock or other voting ownership interest in an entity. Receiving Party will be liable for any breach of this Agreement by its Representatives. 
Nothing in this Agreement will prohibit Receiving Party from disclosing Confidential Information of Disclosing Party if legally required to do so by judicial or governmental order or in a judicial or governmental proceeding (“Required Disclosure”); provided that Receiving Party shall: (i) where permitted, give Disclosing Party reasonable notice of such Required Disclosure prior to disclosure; (ii) cooperate with Disclosing Party in the event that it elects to contest such disclosure or seek a protective order with respect thereto; and (iii) in any event only disclose the exact Confidential Information, or portion thereof, specifically requested by the Required Disclosure.

11.4. Confidentiality Period; Return of Confidential Information; Remedies. The confidentiality obligations with respect to any disclosure made on or after the Effective Date will survive and continue for a period of five (5) years after the Agreement terminates, except that the obligations with respect to Confidential Information constituting a trade secret shall survive for so long as such information remains a trade secret under applicable law. Immediately upon either the written request by Disclosing Party at any time or the termination of this Agreement, Receiving Party shall cease all use of and destroy or delete all copies or extracts of Disclosing Party’s Confidential Information, in any medium, or certify, in writing by an authorized officer of Receiving Party, the destruction of the same. Receiving Party acknowledges and agrees that due to the unique nature of Disclosing Party’s Confidential Information, there can be no adequate remedy at law for any breach of its confidentiality obligations, that any such breach may allow Receiving Party or third parties to compete unfairly with Disclosing Party resulting in irreparable harm to Disclosing Party and, therefore, that upon any such breach or any threat of breach of confidentiality, Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever remedies it might have at law. Each Party agrees that monetary damages would be inadequate to compensate the other Party for any breach of confidentiality. Receiving Party will notify Disclosing Party in writing immediately upon the occurrence of any such unauthorized release or other breach of which it is aware.

12. Indemnifications.

12.1. Incognia will defend, indemnify, and hold harmless Client or its officers, directors, employees or agents from any and all losses, damages, costs and expenses including reasonable attorneys’ fees to the extent based on a claim that the Services, when used in accordance with the terms of this Agreement, infringe any patent, copyright, or trademark of a third party (a “Claim”). Incognia shall have no obligation to indemnify, defend or hold harmless hereunder to the extent that a Claim is caused by or results from any: (i) use of the Services not in accordance with this Agreement or for purposes not intended by Incognia and not specifically permitted pursuant to this Agreement; or (ii) use of the Services other than the most updated, unaltered and unmodified version of the Services as made available by Incognia to Client as an update or upgrade or after the termination of this Agreement. Following notice of a Claim or upon facts which in Incognia’s sole opinion are likely to give rise to such Claim, Incognia shall in its sole discretion and at its sole option, elect to (A) procure for Client the right to continue to use the Services, at no additional cost to Client, (B) replace the Services so that they become non-infringing, but functionally equivalent, (C) modify the Services to avoid the alleged infringement in a manner so that it remains functionally equivalent, or (D) terminate this Agreement.

12.2. Client will defend, indemnify, and hold harmless Incognia, its affiliates and their respective officers, directors, agents and employees from any and all losses, damages, costs and expenses including reasonable attorneys’ fees relating to or arising out of (i) a breach of this Agreement by the Client or anyone on its behalf, including, without limitation, breach of its representations and warranties under this Agreement or misuse of the Services or (ii) the lawful collection and transmission of data that Client provides to Incognia in order to provide the Services.

12.3. A Party's (“Indemnifying Party”) indemnification obligations are subject to the other Party (“Indemnified Party”): (a) notifying the Indemnifying Party of any Claim promptly after it obtains knowledge of such Claim; (b) providing the Indemnifying Party with reasonable assistance, information and cooperation in defending the lawsuit or proceeding; and (c) giving the Indemnifying Party full control and sole authority over the defense and settlement of such Claim, provided any such settlement is solely for monetary damages and does not admit any liability on behalf of the Indemnified Party. The Indemnified Party may be represented in any such suit by counsel of its own choosing at its own expense.

13. Representations and Warranties.

Each Party represents and warrants that (i) the execution and performance of this Agreement do not conflict with any contractual or legal obligations it has; (ii) it shall comply with applicable law; and (iii) it has all rights necessary to execute and perform this Agreement. Client further represents and warrants that it has and shall during the Term have all rights, licenses, and consent required under applicable law to provide Incognia with (and access to) any data (including but not limited to personal data) collected or processed by the Services in accordance with the terms of this Agreement. Client represents and warrants that neither it nor its owners have been designated by or are otherwise subject to restriction in accordance with export controls or economic sanctions laws and regulations administered by the United States Department of Commerce, United States Department of State, United States Department of Treasury or other applicable export controls or sanctions laws and regulations. Client covenants that it shall not—directly or indirectly—sell, export, re-export, transfer, divert, or otherwise dispose of any products, software, or technology (including products derived from or based on such technology) received from Incognia to any restricted destination, entity, person or end-use requiring an export license. Client also represents and warrants it has all the required authorizations, licenses, or applicable legal requirements to provide its service or products and represents and warrants that the Services will not be associated with an unlawful activity regarding Client’s service or products.

14. Disclaimers; Limitation of Liability.




14.4. The exclusion of Consequential Damages does not apply to (a) breach of Section 10 (Confidentiality) and (b) one Party's infringement of the other Party’s intellectual property rights.

15. Miscellaneous.

15.1. Relationship. This Agreement is not intended to create, nor should it be construed as creating, an agency, joint venture, partnership, or similar relationship between the Parties. Incognia will act solely as an independent contractor of Client and neither Party shall have the right to act for or bind the other Party in any way or to represent that the other Party is in any way responsible for any acts or omissions of such Party.

15.2. Successors and Assigns. This Agreement shall bind and inure to the benefit of each Party’s permitted successors and assigns. Either Party may assign any of its rights or obligations without prior written consent of the other Party only in the event of (a) a sale or other transfer of all or substantially all of the assets of such Party, or (b) a transfer to an entity controlled by, controlling, or under common control with such Party. Any attempt to assign this Agreement in any other event without prior written consent of the other Party will be null and void.

15.3. Law and Jurisdiction. This Agreement will be construed and governed by the laws of the State of California, without giving effect to its conflicts of law principles. The parties hereby submit to the personal jurisdiction of and agree that any legal proceeding with respect to or arising under this Agreement will be brought solely in, the state courts of the State of California for the county of Santa Clara or the United States District Court for the Northern District of California, if such court has subject matter jurisdiction. Notwithstanding the foregoing, either party will at all times have the right to commence proceedings in any other court of its choice with the appropriate jurisdiction for interim injunctive relief. If any legal action or proceeding is commenced in connection with any dispute arising under, relating to or otherwise concerning this Agreement, the prevailing party, as determined by the court, will be entitled to recover its attorneys’ and experts’ fees and all costs and necessary disbursements actually incurred in connection with such action or proceeding.

15.4.      Force Majeure. With the exception of payment obligations, neither Party shall be liable hereunder by reason of any delay or failure in the performance of its obligations if such delay arises out of causes beyond its control including, without limitation, use of the internet and electronic communications, acts of God or of the public enemy, fires, floods, epidemics, riots, quarantine restrictions, strikes, freight embargoes, earthquakes, electrical outages, computer or communications failures, internet failures or malfunction, severe weather, war, governmental action, labor conditions, and acts or omissions of subcontractors or third parties (“Force Majeure Event”). The Party prevented from performing its obligations or duties because of a Force Majeure Event shall promptly notify the other Party of the occurrence and particulars of such Force Majeure Event and shall provide the other Party, from time to time, with its best estimate of the duration of such Force Majeure Event and, if applicable, with notice of the termination thereof.

15.5.   Severability and Waiver. If any provision of this Agreement is found invalid or unenforceable, that provision will be enforced to the maximum extent permissible so as to effect the intent of the Parties and the remainder of this Agreement will remain in full force and effect. Neither Party will be deemed to have waived any of its rights under this Agreement by lapse of time or by any statement or representation other than by an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any prior or subsequent breach of this Agreement.

15.6.      Construction; Integration; Counterparts. This Agreement will not be construed in favor of or against either Party by reason of authorship. This Agreement, including its exhibits, constitutes the entire agreement between the Parties, and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter, except that if the Parties executed a specific agreement to govern the Order Form, such specific agreement shall prevail over this Agreement. In the event of any conflict between this Agreement and the Order Form, the Order Form shall prevail. To the extent the matter under conflict involves personal data, the DPA shall prevail over the Agreement.

15.7.      Notices. Any notice, request, or other communication required or permitted hereunder shall be in writing and shall be deemed to have been duly given if: (i) personally delivered to the address in the Order Form, upon receipt; (ii) sent by e-mail to the e-mail address indicated in the Order Form or otherwise provided by Incognia; or (iii) sent by registered mail upon delivery and only if sent to the address in the Order Form.

15.8.      Survival. All provisions of this Agreement that are by their nature intended to survive the expiration or termination of this Agreement or an Order Form, including without limitation, obligations with respect to indemnification, confidentiality, and proprietary rights, shall survive such expiration or termination.

15.9. Modifications. Incognia reserves the right to modify the Terms of Service (the "Modifications"), however, the Modifications shall only come into effect and bind the Client when and if (i) the Client expressly agrees to the Modifications (including by executing a new Order Form referring to the modified Agreement), (ii) the term of the Order Form is renewed or on the anniversary of its execution if it provides an indefinite term. If the Modifications are published after the date in which the Client may oppose the automatic renewal of the term (if applicable) and before the actual renewal, the Client may oppose the renewal up to 30 (thirty) days from the Modifications. THE MODIFICATIONS WILL BE NOTIFIED THROUGH THE INCOGNIA PLATFORM AND THE CLIENT ACKNOWLEDGES THAT THIS SECTION PROVIDES SUFFICIENT TIME TO REVIEW AND CONSENT TO THE MODIFICATIONS.


This Data Processing Agreement ("DPA") is an integral and inseparable part of the Terms of Service ("Agreement") and is entered into between the parties referred to in the Agreement to provide for the responsibilities and obligations of the Parties regarding the processing of personal data carried out for the performance of the Agreement, in accordance with the applicable privacy laws, especially provisions of the General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”) - when applicable -  and the following clauses:

1. Definitions 

1.1. Capitalized terms and expressions used in this DPA shall have the following meaning:

1.1.1. Authority: Any data protection authority or agency that is responsible for ensuring, implementing, and monitoring the enforcement of the applicable privacy laws.

1.1.2. CCPA: California Consumer Privacy Act. It will be applicable when processing Data of Data Subjects located in the United States (“US”) territory.

1.1.3. Data Subject: natural person to whom the processed Personal Data refers. For the purposes of this DPA, the Data Subject is the User of the Client's Platform.

1.1.4. GDPR: General Data Protection Regulation. For the purposes of this DPA, it will be applicable when processing Data of Data Subjects located out of the US territory.

1.1.5. Network Effect: an anti-fraud market practice consisting of the strategic consolidation of data in a common repository with the aim of improving and optimizing Risk Assessment. The collective knowledge extracted from the Network Effect aims to improve the effectiveness and accuracy of Risk Assessment, guaranteeing that no Data will be shared among clients or third parties.

1.1.6. Personal Data: data relating to the identified (Direct Identifiable Personal Data) or identifiable (Indirect Identifiable Personal Data) natural person, processed by Incognia on behalf of the Client, in connection with the Agreement. For the purposes of this DPA, it refers to Personal Data related to the Data Subjects. References to "Data" should be interpreted as Personal Data.

1.1.7. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

1.2. Any other capitalized terms mentioned in this DPA, such as "controller", "sensitive personal data",  "processor", and "processing" must adhere to the meanings described in Section 4 of the GDPR, and its cognate terms must be interpreted accordingly.

2. Purpose and Compliance with Applicable Legislation

2.1. This DPA is applicable to the processing of Personal Data by Incognia on behalf of the Client for the execution of the services related to the contracted Solution, in accordance with the provisions of the Agreement.

2.2. During the Data processing, the Client will act in the role of controller and Incognia will act as processor. 

2.3. The main purpose of the processing of Personal Data to be carried out by Incognia on behalf of the Client is to provide the applicable Solution, through the development of a Risk Assessment for each Client Request, as well as to support the Client in specific analyses and requests related to the purpose of preventing fraud on the Client Platform.

2.4. The Parties will comply with all applicable personal data protection laws and regulations in force in Europe and/or the United States on the date of signature of this DPA or that enter into force during its term, including, but not limited to GDPR, CCPA, as well as all regulations and guidelines published by Authorities.

3. Processing of Personal Data

3.1. The Personal Data covered by this DPA will be collected by Incognia on behalf of the Client through the SDK integrated into the Client's Platform, as well as through API interactions and Dashboard. 

3.2. In order to carry out the Services and develop the Risk Assessment, Incognia will collect the following categories of Personal Data, in accordance with the Client’s Platform applicable to the contracted Solution:

Client Platform - Application

Personal data collected through the SDK:

- Location information such as GPS, Wi-Fi signals, and Bluetooth signals.
- Information intended to uniquely identify the Device. This refers to IDs.
- Information related to the Device, operating system data, suspicious applications installed, operating system version, model, and information aimed at uniquely identifying the Device and Device integrity levels.
- Information related to the use of the Application such as app session, installation data, and information that allows integrity factors to be assessed.

Client Platform - Website

Personal data collected through the SDK:

- GPS-based location information.
- ID information, such as account ID and session ID.
- Information related to the Device used for browsing, such as operating system data, connectivity, hardware, and integrity levels.
- Browser and network: information related to the network and browser in which the Website is open, such as browser settings, permissions, plugins, connectivity information, and language.

3.3. The Client may share Personal Data, information, files, and documents with Incognia through the Dashboard, for the purpose of requesting specific analyses as well as improving and personalizing Risk Assessments.

3.4. Through the API the Client will share with Incognia only the Data necessary to register their Request, as well as sending any feedback on a Request. Through the API, Incognia will share the Risk Assessment as a response to the Request.

3.4.1 The Risk Assessment covers the respective findings and justifications applicable to each type of scenario, such as, but not limited to, information on the integrity of the Device, the reputation of the Device, and suspicious behavior.

3.4.2 The Risk Assessment will also be made available to the Client via access to the Dashboard, where it will be possible to access the Risk Assessment reports for the last two (2) months, under the terms of clause 3.2 of the Agreement.  

3.5. The Client shall not share with Incognia, via Dashboard, API, SDK or any other means, files or documents that contain sensitive Personal Data, Directly Identifiable Personal Data (such as names and email addresses) of its Data Subjects or Data that is not necessary for the provision of the Services.

3.5.1. If the Client transfers such Personal Data, the Client will be exclusively responsible for any damages and legal violations caused by the improper sharing of Personal Data, regardless of the measures to be adopted by Incognia to delete the Data.

3.5.2. The liability imposed in the previous clause also applies if the Client transfers to Incognia Personal Data through unauthorized platforms, such as email. 

3.6. The Personal Data processing for the preparation of Risk Assessments is based on the Network Effect, as well as algorithms and heuristics created from Incognia's expertise, which are subject to the modeling and metrics defined by the Client, respecting the applicable technical and legal limitations.

3.7. Any decisions that impact the Data Subject and arise from the results of the Risk Assessments must be adopted exclusively by the Client under its sole and exclusive responsibility, under the terms of clause 11 of the Agreement, which includes the definition of the form of adoption of these decisions, whether human or automated.

3.8. The Personal Data collected by Incognia may be used to improve the algorithms of Incognia's technology in order to generate more assertive Risk Assessments for the Client. 

3.9. The Personal Data collected by Incognia will not be shared with the Client or with any unauthorized third parties, being encrypted and processed exclusively by Incognia to achieve the purposes determined by the Client, in accordance with the provisions of this DPA and the Agreement.

4. Obligations of Incognia

4.1. Incognia will process the Personal Data in accordance with the determinations and purposes defined by the Client and provided for in this DPA and in the Agreement, limiting the decisions to those related to its expertise and necessary for the provision of the Services.

4.2. Incognia undertakes to take reasonable measures to restrict access to Personal Data to its professionals who need to carry out the processing for the purposes of performing the Services, ensuring that these employees have signed an undertaking and are subject to professional or statutory confidentiality obligations.

4.3. Incognia undertakes to implement security, technical, and administrative measures capable of protecting Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or illicit processing.

4.4. In accordance with the applicable technical, legal, and contractual boundaries, Incognia will assist the Client in providing information that is exclusively related to the processing of Personal Data subject to this DPA and is necessary to comply with applicable data protection laws.

5. Obligations of the Client

5.1. The Client undertakes to act transparently towards Data Subjects and to make available in its privacy policies and/or notices information on the processing of Personal Data by service providers for the purposes of operationalizing its fraud prevention activities.

5.2. The Client is responsible for providing location permission texts that are transparent and appropriate to the Data Subject's profile, to be made available at appropriate times during their journey on the Client Application. 

5.3. The Client warrants that it has all the rights, permissions, and legal bases required by applicable law to share with Incognia the Personal Data to be processed under the terms set out in this DPA.

5.4. The Client shall limit itself to providing Incognia with only lawful instructions regarding the processing of Personal Data and shall verify compliance with its own instructions and with the relevant regulations.

5.5. If applicable, the Client undertakes to designate a representative in the European Union, in accordance with Section 27 of the GDPR.

6. Rights of the Data Subject

6.1. The Client is exclusively responsible for complying with requests from Data Subjects, including requests for rights, and from third parties, including competent authorities, involving Personal Data that is the subject of this relationship or questions about the application of Incognia's technology in its activities.

6.1.1. Incognia undertakes to assist the Client in carrying out any actions that may be necessary to fulfill requests, subject to the applicable technical, legal, and contractual limits. To this end, the Client must notify Incognia of the instructions and guidelines to be adopted by Incognia to assist the Client in responding to Requests. Incognia undertakes to make efforts to meet the instructions and guidelines indicated by the Client according to legal deadlines.

6.1.2. Incognia shall act on legal instructions received from the Client and in accordance with the applicable law, observing trade secrets and adhering to the applicable technical, legal, and contractual limits.

6.2. If Incognia receives requests from Data Subjects and third parties expressly addressed to the Client and involving Data Subject’s Personal Data, it undertakes to notify the Client within 48 (forty-eight) hours to adopt the necessary measures, committing to support the Client, in accordance with Clause 6.1.1 of this DPA.

7. Personal Data Breach

7.1. In case of occurrence of a Personal Data Breach involving Data Subject’s Personal Data, Incognia shall notify the Client, without undue delay, so that it can adopt the necessary measures to comply with the applicable laws, providing it with the information described in applicable laws and those requested by the Authorities.

7.2. The obligation to assess whether a Personal Data Breach shall be notified to the Authority and to the Data Subjects is the sole responsibility of the Controller, who is also responsible for effective communication, if applicable.

7.3. In accordance with applicable technical, legal and contractual limits, Incognia will cooperate with the Client and take reasonable steps to support the investigation, mitigation and remediation of the incident.

8. Storage of Personal Data

8.1. The Personal Data processed by Incognia will be stored in cloud computing through a cloud server hired exclusively for this purpose, Amazon Web Services, which has entered into a commitment with Incognia establishing the protection of Personal Data and the adoption of measures to ensure the proper processing of Personal Data with provisions no less stringent than those contained in this DPA.

8.2. With the exception of the previous item, Incognia will not share any Personal Data with other sub-processors, vendors, or third parties without the Client's prior and express authorization.

9. Deletion of Personal Data

9.1. Data collected via SDK will be automatically deleted within a maximum period of up to 6 (six) months from collection.

9.2. Upon termination of the Agreement, (i) Incognia shall stop collecting Personal Data and ensure its safe disposal within the period referred to in the previous clause, and (ii) the Client shall remove the SDK from the Client Platform and undertake for its Users to use updated versions of the Client Platform - without Incognia's SDK - failing which it shall bear the liability arising from the maintenance of the residual collection of Data.  

9.3. The deletion of Data must comply with the applicable legal, contractual and technical limits.

9.4. Personal Data necessary for the regular exercise of rights, compliance with contractual, legal and/or regulatory obligations and audits may be kept by Incognia to the extent strictly necessary to achieve such purposes and in accordance with the applicable legal provisions.

10. Periodic Assessment

10.1. Incognia undertakes to, when requested and provided that the trade secret, the intellectual property and Incognia's confidentiality obligations towards third parties are respected, make available to the Client all the information necessary to demonstrate compliance with this DPA and with applicable laws.

10.1.1. Incognia, upon prior notice of 30 (thirty) business days, must allow and contribute to any assessments to be carried out by the Client to confirm that Incognia is acting in accordance with this DPA.

11. International Transfer

11.1 In order to perform the services, Incognia may transfer Personal Data to the United States of America for storage and processing on a local cloud computing server, provided by Amazon Web Services, which is part of the EU-US Data Privacy Framework.

11.2 The international transfer of Personal Data will be performed in accordance with the applicable transfer mechanisms provided for the applicable privacy laws.

12. Limitation of Liability 

12.1. Incognia shall be jointly and severally liable with the Client for any damages caused by the processing of Personal Data when it fails to comply with the obligations of the applicable personal data protection legislation or when it fails to follow the Client's lawful instructions, in which case Incognia shall be deemed to be the controller.

12.1.1. Incognia undertakes to immediately assume responsibility for the obligations required in any judicial or administrative actions, exempting and indemnifying the Client for any liability and/or Losses determined in said actions, including attorney fees.

12.2. In the event that the Client provides Incognia with unlawful processing instructions or shares Personal Data or authorizes its collection by Incognia in disagreement with the applicable Law or the provisions of this DPA, the Client assumes responsibility for any resulting damages and undertakes to immediately assume responsibility for the obligations required in any judicial or administrative actions, exempting and indemnifying Incognia for any liability and/or Losses determined in said actions, including attorney fees.  

12.3. In the event that either Party is sued by any natural or legal person, including public authorities or private entities, for processing Personal Data exclusively attributable to the other Party, the innocent Party may exercise its right to indemnify the other Party, without prejudice to the reimbursement of any judicial or extrajudicial costs, including administrative fines.

13. General Provisions

13.1. This DPA will be valid while the Agreement is in force or while the processing of the Personal Data object of this DPA takes place.

13.2. Any changes to this DPA must be made in writing and agreed by the Parties, in accordance with the provisions of Clause 14.9 of the Agreement.

13.3. The Parties undertake to keep the other Party updated on the name and contact details of their Data Protection Officer indicated in the Order Form. 

13.4. If the Authority publishes any guidance, regulation or interpretation that is contrary to the provisions of this DPA or in any way makes the processing of Personal Data unfeasible or unlawful in the manner provided for in this DPA, the Parties must reach a consensus to adjust the processes and conform to the new guidelines.

13.5. All provisions of this DPA shall be interpreted in conjunction with the provisions of the Agreement. If there is a discrepancy between the Agreement and this DPA, the provisions of this DPA shall prevail.
