Terms of use

Last updated: June 1, 2022

This Services Agreement (the “Agreement”) is entered into by and between Incognia US Inc. ("Incognia") and the counterparty (“Client”) identified in the sign-in page of Incognia’s platform on in an order form (“Order Form”) referring to the terms of this Agreement (each a “Party” or together the “Parties”). Client wishes to obtain, and Incognia wishes to provide, a subscription to Incognia’s location-based behavioral services described in this Agreement and the Order Form (the “Services”). This Agreement and its Annex I - Data Processing Agreement (“DPA”) - regulate the parties obligations and sets forth the terms and conditions under which Incognia will provide Client with a subscription to the Services. In the event of any conflict between these terms and any other document applicable to the services, the order of prevalence will be the Order Form followed by these terms. This Agreement takes effect when Client executes an Order Form referring to this Agreement, or, if no such Order Form is executed, when the Client clicks an “I Accept” button or check box presented with these terms in Incognia’s platform.

  1. Use of Services. Subject to the terms of this Agreement, Incognia grants Client the right to use the Services during the Term. The Services include a limited, revocable, non-exclusive, non-transferrable, royalty-free, (i) right to use Incognia’s software development kit (“SDK”), which is Incognia’s proprietary set of software development tools, including but not limited to computer programs, sample code, documentation, or base codes, the use of which is authorized by Incognia to Client to allow the collection and processing of data and for the provision of the Services, and (ii) right to access Incognia’s application programming interfaces (“APIs”) and platform by which the Services are performed and made available. Client will use the Services only for its own business purposes and, regarding the Services, will not (or permit any third party to): (a) reverse assemble, reverse engineer, decompile or otherwise attempt to derive source code or any component thereof; (b) circumvent, disable, or otherwise interfere with features, including those related to security or access; (c) use any robot, spider, search or retrieval application, or any other manual or automatic device or process to retrieve, index, data-mine, or in any way reproduce or circumvent the navigational structure or presentation thereof; (d) modify or prepare derivative works; (e) assign, copy, reproduce, modify, sell, lease, pledge, transfer, sublicense, market, commercially exploit, or otherwise dispose of in any way, on temporary or permanent basis or any component thereof other than as expressly provided in this Agreement; (f) use in any manner that infringes the intellectual property or other rights of Incognia or any other party; (g) store or transmit any defamatory, violent, obscene, pornographic, illegal or otherwise offensive content, (h) cause or permit any third party to do any of the foregoing; and/or (i) use in any way not specifically permitted under this Agreement. Client recognizes that the Services are not provided by a “consumer reporting agency” and do not constitute a “consumer report” under the Fair Credit Reporting Act.
  2. Client Responsibilities. Client is responsible and liable for all uses of the Services resulting from access provided to Client, directly or indirectly, whether such access or use is permitted by or in violation of this Agreement. Client is responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Client is responsible for maintaining the security of Equipment, Client’s account information, passwords and files, and for all uses of Client’s account or the Equipment. Client will use the Services in compliance with applicable law including, without limitation, those laws related to privacy and data protection. Client will be responsible for any notifications required to or approvals, consents, or authorizations required from individuals arising out of any use of the Services. Client understands and agrees that, in order to ensure compliance with applicable law and Incognia’s internal policies, Incognia may conduct usage reviews of Client’s use of the Services, and Client agrees to cooperate fully with any such reviews. Furthermore, Client is solely responsible for installing the SDK (and its updates).
  3. Data Collection and Privacy Practices. As necessary to provide the Services, Incognia will collect, use, store and process data listed in Incognia’s Privacy Policy available at https://www.incognia.com/privacy, according to the Annex I, integral and inseparable part of this Agreement. Incognia does not collect data from Client or Client’s customers (“Users”) (i) to personally identify Users (such as name, gender, age, government identification number, mobile phone number or email address), (ii) from persons under 18 (eighteen) years old, or (iii) about static hardware identifiers from mobile devices.  All Client data will be logically segregated from other Incognia Client, but Incognia may use Client data for its own commercial purposes, including for improving its algorithms and systems and enhancing its products and services, statistical information and analytics, all subject to the purposes stated in Incognia's ParPrivacy Policy, provided that they do not conflict with the provisions of this Agreement. Client will ensure that it has (a) provided notice to and/or has obtained any necessary consents (i.e., including from Users), all as required under applicable law to permit Incognia to process data in accordance with the terms of this Agreement, and (b) remain responsible for the transmission of any data to Incognia. Notwithstanding the foregoing, Incognia reserves the right to block and/or remove any prohibited data from its Services platform. Incognia shall have the right to collect and analyze data and information related to Client’s use of the Services that is used by Incognia in an aggregated manner, including to compile statistical and performance information related to the provision and operation of the Services (“Aggregated Statistics”). As between Incognia and Client, all right, title, and interest in Aggregated Statistics, and all intellectual property rights therein, belong to and are retained solely by Incognia. Client agrees that Incognia may (i) make Aggregated Statistics publicly available in compliance with applicable law, and (ii) use Aggregated Statistics to the extent and in the manner permitted under applicable law; provided, however, that such Aggregated Statistics do not identify Client or Client’s Confidential Information.
  4. Ownership. Incognia or its licensors, as the case may be, shall retain and own all right, title and interest and all intellectual property rights (including but not limited to the SDK, source code, its modules, packages, operating structure, business model, algorithms, trade dress, look  and  feel, technical documentation and all information related to its usage and operation, material models, documentation, reports, tables, data compilations, manuals and other elements resulting directly from the delivery of the Services) in and to the Services, any software underlying the Services, any hosting environment made available to Subscriber, any data collected by the Services, any related documentation, modification, derivation, improvement or development thereof, and all copies thereof ("Incognia Intellectual Property"). Nothing in this Agreement shall be interpreted to provide Client with any rights in the foregoing, except the limited right to use the Services subject to the terms of this Agreement. Incognia reserves the right to add, remove or update content, features or software utilized in the Services and will use commercially reasonable efforts to notify Client of such changes. If Client sends or transmits any communications or materials to Incognia suggesting or recommending changes to the Services or Incognia Intellectual Property, including without limitation, new features or functionality relating thereto, or any comments, questions, suggestions, or the like (”Feedback”), Incognia is free to use such Feedback irrespective of any other obligation or limitation between the Parties governing such Feedback. Client hereby assigns to Incognia on Client’s behalf, and on behalf of its employees, contractors and/or agents, all right, title, and interest in, and Incognia is free to use, without any attribution or compensation to any party, any ideas, know-how, concepts, techniques, or other intellectual property rights contained in the Feedback, for any purpose whatsoever, although Incognia is not required to use any Feedback.
  5. Fees, Payment and Taxes. Client shall pay Incognia the fees specified in an Order Form (“Fees”). Unless otherwise specified in an Order Form, payment for all Fees will be invoiced upon mutual execution of the Order Form and all Fees will be due monthly, payable in U.S. dollars within thirty (30) days from the date of the invoice. If Client purchases professional services, Fees do not include travel, lodging, and other related expenses, which will be billed at actual cost. Fees are exclusive of all taxes; other than taxes on Incognia’s net income, Client shall pay (and Incognia shall have no liability for), any taxes, tariffs, duties and other charges or assessments imposed or levied by any government or governmental agency in connection with this Agreement, including, without limitation, any federal, provincial, state and local sales, use, goods and services, value-added, withholding, and personal property taxes on any payments due in connection with the Services provided hereunder. In the event that a payment by Client is not received within five (5) business days of its due date, Incognia shall be entitled to interest on the amount owing at a rate of 2% per month, or the highest rate allowed by applicable law, whichever is more, from the due date of payment until the date of actual receipt by Incognia and, if necessary, Client shall bear all reasonably attorneys’ fees actually incurred by Incognia in collecting any such overdue amounts.
  6. Term and Termination. This Agreement is effective on the start date of the first Order Form processed under this Agreement or the effective date specified in this Agreement (if any), whichever occurs first (“Effective Date), and will continue until terminated (the “Term”). If the Services continue to be provided under an Order Form after termination of this Agreement, then this Agreement will continue to be in effect until the Order Form is terminated or the obligations under the Order Form are completed. Unless otherwise expressly provided on an Order Form, either Party may terminate this Agreement for convenience without any penalty or charge upon thirty (30) days’ prior written notice to the other Party. In addition, this Agreement may be terminated by either Party on delivery of written notice of termination to the other Party, as follows: (1) if the other Party materially breaches this Agreement and such breach is not capable of being cured; (2) if the other Party materially breaches this Agreement, such breach is capable of being cured and the breaching Party fails to cure such breach within thirty (30) days after receipt of written notice of such breach from the non­breaching Party; or (3) if the other Party: (a) makes a general assignment for the benefit of creditors, (b) admits in writing its inability to pay debts as they come due, (c) voluntarily files a petition or similar document initiating any bankruptcy or reorganization proceeding, or (d) involuntarily becomes the subject of a petition in bankruptcy or reorganization proceeding and such proceeding shall not have been dismissed or stayed within sixty (60) days after such filing. Termination of the Agreement shall terminate all rights granted in this Agreement. Upon termination of the Agreement (i) Client will cease all use of the Services, uninstall the SDK, and if applicable, will pay Incognia any remaining fees and (ii) Client will not be entitled to any refunds or credits for unused Services.
  7. Temporary Suspension. Notwithstanding anything to the contrary in this Agreement, Incognia may temporarily suspend Client’s access to any portion or all of the Services if: (i) Incognia reasonably determines that (A) there is a threat or attack on any of the Services; (B) Client’s use of the Services disrupts or poses a security risk to Incognia or any of its other Clients; (C) Client is using the Services for fraudulent or illegal activities; or (D) Incognia’s provision of the Services to Client is prohibited by applicable law; or (ii) Client fails to pay applicable fees in accordance with Section 5 (any such suspension described in subclause (i) or (ii), a “Service Suspension”). Incognia shall provide written notice of any Service Suspension to Client and to provide updates regarding resumption of access to the Services following any Service Suspension. Incognia shall resume providing access to the Services as soon as reasonably possible after the event giving rise to the Service Suspension is cured. Incognia will have no liability for any damage, liabilities, losses, or any other consequences that Client may incur as a result of a Service Suspension.
  8. Confidentiality. In connection with this Agreement, each Party (a “Disclosing Party”) has provided or may provide Confidential Information to the other Party (a “Receiving Party”). Except as set forth below, “Confidential Information” means all non-public, confidential or proprietary information of or about Disclosing Party that is received by Receiving Party which relates to Disclosing Party’s business (including without limitation, business plans, financial data, pricing information, marketing, Client information, personal information), technology (including without limitation, source code, algorithms, processes, technical data, product plans, research, software, and other confidential intellectual property), products, services, trade secrets, know-how, formulae, processes, ideas, and inventions, or other information which should be reasonably understood by Receiving Party as the confidential or proprietary information of Disclosing Party. Confidential Information includes any documents or reports created by the Receiving Party that include, summarize, or refer to Confidential Information. The terms of this Agreement are the Confidential Information of Incognia. Confidential Information will not include any information that Receiving Party can document: (i) is or becomes generally known to the public without fault of Receiving Party; (ii) was in its possession or known by it without any obligation of confidentiality prior to receipt pursuant to this Agreement; (iii) is independently developed by Receiving Party without use of or reference to the Confidential Information; or (iv) is rightfully obtained by Receiving Party from a third party without any obligation of confidentiality to Disclosing Party.
    1. Receiving Party’s Obligations. Confidential Information of Disclosing Party may be used by Receiving Party solely for the purposes anticipated in this Agreement and may not be used for any other purpose. Receiving Party will hold Disclosing Party’s Confidential Information in strictest confidence and may not use or disclose Disclosing Party’s Confidential Information, except as expressly permitted herein, without the prior written consent of Disclosing Party, which consent may be granted or refused in Disclosing Party’s sole discretion. Receiving Party will take all reasonable measures to protect the Confidential Information of Disclosing Party from becoming known to the public or falling into the possession of persons other than those persons authorized to have any such Confidential Information, which measures shall include the highest degree of care that Receiving Party uses to protect its own information of a similar nature, but in no event less than a reasonable degree of care. Receiving Party may disclose Disclosing Party’s Confidential Information only to its Representatives who have a legitimate “need to know,” have been advised of the obligations of confidentiality under this Agreement and are bound in writing to obligations of confidentiality no less strict than those set out in this Agreement. “Representatives” include any person acting on behalf of either Party as individual contractors, directors, legal and accounting advisors, employees, and Affiliates. An “Affiliate” is a business entity controlling, controlled by or under common control, directly or indirectly, with a Party. For purposes of defining Affiliate only, “control” means ownership of more than fifty percent (50%) of the voting stock or other voting ownership interest in an entity. Receiving Party will be liable for any breach of this Agreement by its Representatives. Nothing in this Agreement will prohibit Receiving Party from disclosing Confidential Information of Disclosing Party if legally required to do so by judicial or governmental order or in a judicial or governmental proceeding (“Required Disclosure”); provided that Receiving Party shall: (i) where permitted, give Disclosing Party reasonable notice of such Required Disclosure prior to disclosure; (ii) cooperate with Disclosing Party in the event that it elects to contest such disclosure or seek a protective order with respect thereto; and (iii) in any event only disclose the exact Confidential Information, or portion thereof, specifically requested by the Required Disclosure
    2. Confidentiality Period; Return of Confidential Information; Remedies. The confidentiality obligations with respect to any disclosure made on or after the Effective Date will survive and continue for a period of five (5) years after the Agreement terminates, except that the obligations with respect to Confidential Information constituting a trade secret shall survive for so long as such information remains a trade secret under applicable law. Immediately upon either the written request by Disclosing Party at any time or the termination of this Agreement, Receiving Party shall cease all use of and return to Disclosing Party all copies or extracts of Disclosing Party’s Confidential Information, in any medium, or certify, in writing by an authorized officer of Receiving Party, the destruction of the same. Receiving Party acknowledges and agrees that due to the unique nature of Disclosing Party’s Confidential Information, there can be no adequate remedy at law for any breach of its confidentiality obligations, that any such breach may allow Receiving Party or third parties to compete unfairly with Disclosing Party resulting in irreparable harm to Disclosing Party and, therefore, that upon any such breach or any threat of breach of confidentiality, Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever remedies it might have at law. Each Party agrees that monetary damages would be inadequate to compensate the other Party for any breach of confidentiality. Receiving Party will notify Disclosing Party in writing immediately upon the occurrence of any such unauthorized release or other breach of which it is aware.
  9. Indemnifications.
    1. Incognia will defend, indemnify, and hold harmless, Client or its officers, directors, employees or agents from any and all losses, damages, costs and expenses including reasonable attorneys’ fees to the extent that based on a claim that the Services when used in accordance with the terms of this Agreement, infringes any patent, copyright, or trademark of a third party (a “Claim”). Incognia shall have no obligation to indemnify, defend or hold harmless hereunder to the extent that a Claim is caused by or results from any: (i) use of the Services not in accordance with this Agreement or for purposes not intended by Incognia and not specifically permitted pursuant to this Agreement; or (ii) use of the Services other than the most updated, unaltered and unmodified version of the Services as made available by Incognia to Client as an update or upgrade. Following notice of a Claim or upon facts which in Incognia’s sole opinion are likely to give rise to such Claim, Incognia shall in its sole discretion and at its sole option, elect to (A) procure for Client the right to continue to use the Services, at no additional cost to Client, (B) replace the Services so that they become non-infringing, but functionally equivalent, (C) modify the Services to avoid the alleged infringement in a manner so that it remains functionally equivalent, or (D) terminate this Agreement.
    2. Client will defend, indemnify, and hold harmless Incognia, its affiliates and their respective officers, directors, agents and employees from any and all losses, damages, costs and expenses including reasonable attorneys’ fees relating to or arising out of (i) a breach of this Agreement by the Client or anyone on its behalf, including, without limitation, breach of its representations and warranties under this Agreement or misuse of the Services or (ii) the lawful collection and transmission of data that Client provides to Incognia in order to provide the Services.
    3. A Party's (“Indemnifying Party”) indemnification obligations are subject to the other Party (“Indemnified Party”): (a) notifying the Indemnifying Party of any Claim promptly after it obtains knowledge of such Claim; (b) providing the Indemnifying Party with reasonable assistance, information and cooperation in defending the lawsuit or proceeding; and (c) giving the Indemnifying Party full control and sole authority over the defense and settlement of such Claim, provided any such settlement is solely for monetary damages and does not admit any liability on behalf of the Indemnified Party. The Indemnified Party may be represented in any such suit by counsel of its own choosing at its own expense.
  10. Representations and Warranties. Each Party represents and warrants that: (i) the execution and performance of this Agreement does not conflict with any contractual or legal obligations it has; and (ii) it shall comply with applicable law. Incognia further represents and warrants that the Services will materially function in accordance with its specifications in the Order Form. Client further represents and warrants that it has and shall during the Term have all right, license and consent required under applicable law to provide Incognia with (and access to) any data (including but not limited to personal data) collected or processed by the Services in accordance with the terms of this Agreement. Client represents and warrants that neither it nor its owners have been designated by or are otherwise subject to restriction in accordance with export controls or economic sanctions laws and regulations administered by the United States Department of Commerce, United States Department of State, United States Department of Treasury or other applicable export controls or sanctions laws and regulations. Client covenants that it shall not—directly or indirectly—sell, export, reexport, transfer, divert, or otherwise dispose of any products, software, or technology (including products derived from or based on such technology) received from Incognia to any restricted destination, entity, person or end-use requiring an export license. Client also represents and warrants it has all the required authorizations, licenses, or applicable legal requirements to provide its service or products and represents and warrants that Incognia services will not be associated to an unlawful activity regarding Client’s service or products
  11. Disclaimers; Limitation of Liability.
  12. Miscellaneous.
    1. Relationship. This Agreement is not intended to create, nor should it be construed as creating, an agency, joint venture, partnership or similar relationship between the Parties. Incognia will act solely as an independent contractor of Client and neither Party shall have the right to act for or bind the other Party in any way or to represent that the other Party is in any way responsible for any acts or omissions of such Party.
    2. Publicity. Each Party recognizes and concedes that all trademarks, service marks or other designations (“Proprietary Marks”) constitute such Party’s exclusive property. Each Party grants the other Party a nonexclusive, nontransferable, non-sublicensable, royalty-free license during the Term to use, solely to identify the other Party as a Client or supplier, as the case may be. Except as set forth herein, neither Party shall use the Proprietary Marks of the other Party without the prior written consent of the other Party. Any uses of the other Party’s Proprietary Marks shall be in accordance with the granting Party’s reasonable trademark usage policies. Each Party shall cease, or adjust the manner of, its use of any of the other Party’s Proprietary Marks at the request of the other Party in its sole discretion. The granting Party may withdraw any approval or license of any use of its Proprietary Marks at any time in its sole discretion.
    3. Successors and Assigns. This Agreement shall bind and inure to the benefit of each Party’s permitted successors and assigns. Either Party may assign any of its rights or obligations without prior written consent of other Party only in the event of: (a) a sale or other transfer of all or substantially all of the assets of such Party, (b) a transfer to an entity controlled by, controlling, or under common control with such Party. Any attempt to assign this Agreement in any other event without prior written consent of the other Party will be null and void.
    4. Law and Jurisdiction. This Agreement will be construed and governed by the laws of the State of California, without giving effect to its conflicts of law principles. The parties hereby submit to the personal jurisdiction of, and agree that any legal proceeding with respect to or arising under this Agreement will be brought solely in, the state courts of the State of California for the county of Santa Clara or the United States District Court for the Northern District of California, if such court has subject matter jurisdiction. Notwithstanding the foregoing, either party will at all times have the right to commence proceedings in any other court of its choice with the appropriate jurisdiction for interim injunctive relief. If any legal action or proceeding is commenced in connection with any dispute arising under, relating to or otherwise concerning this Agreement, the prevailing party, as determined by the court, will be entitled to recover its attorneys’ and experts’ fees and all costs and necessary disbursements actually incurred in connection with such action or proceeding.
    5. Force Majeure. With the exception of payment obligations, neither Party shall be liable hereunder by reason of any delay or failure in the performance of its obligations if such delay arises out of causes beyond its control including, without limitation, use of the internet and electronic communications, acts of God or of the public enemy, fires, floods, epidemics, riots, quarantine restrictions, strikes, freight embargoes, earthquakes, electrical outages, computer or communications failures, internet failures or malfunction, severe weather, war, governmental action, labor conditions, and acts or omissions of subcontractors or third parties (“Force Majeure Event”). The Party prevented from performing its obligations or duties because of a Force Majeure Event shall promptly notify the other Party of the occurrence and particulars of such Force Majeure Event and shall provide the other Party, from time to time, with its best estimate of the duration of such Force Majeure Event and, if applicable, with notice of the termination thereof.
    6. Severability and Waiver. If any provision of this Agreement is found invalid or unenforceable, that provision will be enforced to the maximum extent permissible so as to effect the intent of the Parties and the remainder of this Agreement will remain in full force and effect. Neither Party will be deemed to have waived any of its rights under this Agreement by lapse of time or by any statement or representation other than by an explicit written waiver. No waiver of a breach of this Agreement will constitute a waiver of any prior or subsequent breach of this Agreement.
    7. Construction; Integration; Counterparts. This Agreement will not be construed in favor of or against either Party by reason of authorship. In the event of any conflict between this Agreement and any other document applicable to the services, the order of prevalence will be the Order Form followed by this Agreement. If the Client and Incognia executes an specific Service Agreement, such Service Agreement shall prevail over this Agreement.
    8. Notices. Any notice, request or other communication required or permitted hereunder shall be in writing and shall be deemed to have been duly given if: (i) personally delivered to the address in the Order Form, upon receipt; (ii) sent by e-mail to the e-mail address indicated in the Order Form or otherwise provided by Incognia; or (iii) sent by registered mail upon delivery and only if sent to the address in the Order Form.
    9. Survival. All provisions of this Agreement that are by their nature intended to survive the expiration or termination of this Agreement or an Order Form, including without limitation, obligations with respect to indemnification, confidentiality, and proprietary rights, shall survive such expiration or termination.
    10. Changes. Incognia reserves the right to make changes to the terms of this Agreement by posting a revised version on its website or by otherwise notifying the Client in accordance with Section 12.8 or through Incognia’s platform. If the Client continues to access the Services after ten (10) days after the acknowledgment of such changes, the Client is deemed to have accepted such changes and is bound to the version of this Agreement.




This Data Protection Agreement ("DPA") is an integral and inseparable part of Services Terms Incognia (Terms of Services" or "Agreement") and is entered into between Incognia US Inc. (“Incognia” or “processor”), and the counterparty (“Client” or “Controller”) identified in an order form or in the sign-in page of Incognia’s platform (“Order Form”), collectively referred to as “Parties” and separately “Party”. 


  1. Incognia is a location technology company that provides anti-fraud services;
  2. The Parties intend to enter into the Agreement for the provision of anti-fraud services by Incognia to the Client;
  3. In order to provide the services to be contracted, Incognia will process personal data of the Client's users on its behalf and under its determinations;
  4. During the execution of the Agreement, Incognia and the Client will act as personal data processing agents, occupying the positions of Processor and Controller, respectively; 

The Parties agree to sign this DATA PROCESSING AGREEMENT (DPA) in order to provide for the responsibilities and obligations of the Parties with regard to the processing of personal data carried out during the performance of the Agreement, in accordance with the applicable privacy laws, specially provisions of the General Data Protection Regulation (GDPR), California Consumer Privacy Act (“CCPA”) and the following clauses.

1. Definitions

  1. Capitalized terms and expressions used in this DPA shall have the following meaning:
    1. Personal Data: data relating to the identified or identifiable natural person, processed by Incognia on behalf of the Client,in connection with the Terms of Services;
    2. Terms of Services: Agreement entered into between the Parties to, together with the Commercial Proposal, regulate the Services to be provided by Incognia to the Client;
    3. Data subject: natural person to whom the processed Personal Data refers. For the purposes of this DPA, the Right Data subject is the user of the Client's application.
    4. Security Incident: any and all situations, accidental or intentional, unlawful, that causes, in relation to Personal Data: (i) destruction; (ii) the loss; (iii) the change; (iv) communication or dissemination; or (v) access to unauthorized third parties.
    5. Services: exclusively the Incognia that will be provided to the Client, as provided for in the Agreement.
    6. Authority: Data Protection Authority, responsible for ensuring, implementing and monitoring compliance with the privacy laws;
    7. Subprocessor: third party hired by the Processor to assist it in processing personal data on behalf of the Controller.
    8. The terms "Controller", "Processor", "Legal Basis", and "processing" shall have the same meanings provided for in GDPR, and their cognate terms shall be interpreted accordingly.
    9. Any other terms mentioned in this DPA and not detailed in this clause, must adhere to the meanings contained in clause 1.1 of the Agreement.

2. Purpose and Compliance with Applicable Legislation

  1. This DPA is applicable to the processing of Personal Data of the Agreement by the Processor on behalf of the Controller's Proposal for the execution of the services contained in the Agreement and the Proposal, meeting the general anti-fraud purpose determined by the Controller.
    1. The types of Personal Data subject to processing are detailed in the Processor's Privacy Policy, available on its website (https://www.incognia.com/policies/incognia-policy).
  2. The Parties will comply with all applicable personal data protection laws and regulations in force in Europe and USA on the date of signature of the Agreement or that enter into force during its term, including, but not limited to, the GDPR and CCPA as well as all regulations and guidelines published by the Privacy Authorities.

3. Incognia Processor's Obligations

  1. The Processor must restrict the processing of Personal Data to the determinations imposed by the Controller in order to achieve the data processing according to the purposes defined by it, limiting itself to adopting only decisions on non-essential elements of the processing that are related to its expertise and necessary for the provision of services.
  2. The Processor shall take reasonable steps to ensure that access to Personal Data is restricted only to its professionals who need to carry out the processingment for the purposes of executing the Agreement and this DPA, ensuring that these employees have signed a commitment and are subject to professional or statutory obligations of confidentiality.
  3. The Processor shall implement security, technical and administrative measures capable of protecting Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or illicit processingment.
    1. When assessing the appropriate level of security, the Processor must take into account the nature, scope, context, purposes and risks presented by the processing, in particular the risk of a personal data breach.

4. Rights of the Data Subject

  1. The Controller shall guarantee and respond to the data subjects' rights, as well as notify the Processor, without undue delay, to inform which deadlines, guidelines and procedures must be adopted by the Processor to assist the Controller in meeting said requests.
  2. The Processor shall act in accordance with lawful guidelines received from the Controller and in accordance with the provisions of the applicable privacy laws.
  3. Whenever it receives requests for rights from data subjects, the Processor will notify the Controller within 48 (forty-eight) hours so that it fulfills its legal obligation to respond to the data subject's request. The Processor will provide all necessary assistance to the Controller, under the terms of the previous clause.

5. Personal Data Breach

  1. The Processor will notify the Controller without undue delay as soon as it becomes aware of a Personal Data Breach or Security Incident affecting the Controller, providing it with sufficient information to allow it to comply with any obligation to notify the data subjects and/or the Authority, if applicable.
  2. The Processor shall cooperate with the Controller and take reasonable steps, as instructed by the Controller, to assist in the investigation, mitigation and correction of each Personal Data Breach.

6. Storage of Personal Data

  1. The Personal Data processed by the Processor to provide the services will be stored in cloud computing through a cloud server hired to act as a Sub-processor exclusively for this purpose, as provided in the Processor's Privacy Policy, available on its website (https://www.incognia.com/policies/incognia-policy).
  2. With the exception of the previous item, the Processor shall not share any Personal Data with Sub-processors unless required or authorized by the Controller.

7. Deletion of Personal Data

  1. All personal data collected will be deleted in accordance with the retention periods set out in the Privacy Policy.
  2. The Processor shall, upon termination of the Agreement, in any case, promptly stop processing the Personal Data and delete them, according to the retention periods set forth in the Privacy Policy.
  3. The Processor must, when requested, provide the Client with a written statement that it has complied with the provisions referred to in the previous clause.

8. Data Protection Impact Assessment and Prior Consultation

  1. The Controller shall prepare a Personal Data Impact Assessment and responses to queries or other demands arising from the competent Supervisory Authorities.
  2. The Processor shall assist the Controller with the preparation of any impact reports on the protection of personal data that are exclusively related to the Processing of Personal Data object of the Agreement and this DPA.

9. Periodic Assessment

  1. The Processor undertakes to, when requested and provided that the business secret and intellectual property are respected, make available to the Controller all the information necessary to demonstrate compliance with this DPA and with applicable laws.
    1. The Processor, upon prior notice of 30 (thirty) business days, must allow and contribute to any assessments to be carried out by the Controller to confirm that the Processor is acting in accordance with this DPA.

10. International Transfer

  1. The personal data collected may be stored on servers with a high standard of security located in other countries, pursuant to clause 6 and 9.1 and as provided in the Processor's Privacy Policy available on its website (https://www.incognia.com/policies/incognia-policy).

11. Transparency

  1. The Parties shall adopt measures to guarantee transparency in the processing of Personal Data, informing the Data Subjects what types of data are collected, how they are used, with whom they are shared, where they are stored and the security measures adopted in accordance with the provisions of the data protection rules and regulations in force.
  2. The Controller shall make information available in its privacy policies on the use of Personal Data by third parties in order to support the Controller's activities to prevent fraud.

12. Communications

  1. All notices, requests and communications in general relating to this DPA must be in writing and delivered (i). Personally; (ii) by postal delivery via registered mail or; (iii) by email; all with acknowledgment of receipt and directed to the Data Protection Officer (DPO) of the Parties.
  2. Communications will be considered delivered: (i) by email, on the date they are sent; (ii) when sent/delivered to the above physical addresses, on the date of the protocol with acknowledgment of receipt.
  3. Any change in the contacts and addresses of either Party must be communicated in writing to the other Party, with the new contacts and addresses automatically updated in clause 12.1

13. General Provisions

  1. This DPA will be valid while the Agreement is in force or while the processing of the data object of this DPA takes place.
  2. Any changes to this DPA must be made in writing and signed by the legal representatives of the Parties by means of a contractual amendment.
  3. If the Authority publishes any guidance, regulation or interpretation that is contrary to the provisions of this DPA or in any way makes the processing of Personal Data unfeasible or unlawful in the manner provided for in this DPA, the Parties must reach a consensus to adjust the processes and if conform to the new guidelines.
  4. All provisions of this DPA shall be interpreted in conjunction with the provisions of the Agreement. If there is a discrepancy between the Agreement and this document, the provisions of this DPA shall remain.

14. Legislation and Jurisdiction

  1. This DPA and all issues related to it will be governed, interpreted and resolved in accordance with USa and Europe privacy laws, in particular the GDPR, CCPA and rules issued by the Privacy Authorities and official inspection bodies and agencies.
  2. The Parties hereby elect the forum chosen in the Agreement, to the detriment of any other, however privileged it may be, as competent to resolve doubts and issues related to this DPA.



Previous versions