Data Processing Addendum

last updated: April 2024

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Trulioo Services Agreement or other current written or electronic agreement, as well as any other related Order Forms (collectively, the “Agreement”) between the entity identified as the “Customer” in the Agreement and Trulioo Information Services, Inc. (“Trulioo”). All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.

By signing the Agreement, Customer hereby accepts this DPA on behalf of itself and in the name and on behalf of its Affiliates, if and to the extent Trulioo processes Processor Data, provided that such Affiliates have not signed their own separate agreement with Trulioo (“Authorized Affiliates”). For the purpose of this DPA only, and except where the context otherwise requires, the term “Customer” will include Customer and Authorized Affiliates.

1. Definitions

“Authorized Users” means those individuals (such as Customer’s employees, consultants, contractors or agents) who are authorized by Customer to use the Services from time to time, on Customer’s behalf and solely in the manner authorized in the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CPRA”) and including any further amendments and its implementing regulations that become effective on or after the effective date of this DPA.

“Consumer” means an individual whose information is included in Customer Information (as defined in the Agreement) or the Results, but shall not include Authorized Users.

“Data Protection Laws” means, where applicable to the Personal Data in question, European Data Protection Laws and US Data Protection Laws.

“Data Providers” means any third party data sources or other service provider engaged by Trulioo to provide the Results, including, but not limited to, government agencies, suppliers of identity verification services and credit reference agencies.

“Europe” means, for the purposes of this DPA, the European Economic Area (“EEA”), the United Kingdom and Switzerland.

“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the “UK Privacy Laws”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); and (v) the Swiss Federal Data Protection Act of 19 June 1992 or the revised Federal Act on Data Protection of 25 September 2020 (Switzerland) (with the Ordinance to the Federal Act on Data Protection of 31 August 2022) (“Swiss FDPA”); in each case as may be amended or superseded from time to time.

“Personal Data” means information which is protected as “personal data”, “personally identifiable information” or “personal information” under any applicable Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Laws, “Personal Data” does not include de-identified data or publicly available information, as such terms are defined in applicable Data Protection Laws.

“Processor Data” means any Personal Data that is processed by Trulioo on behalf of Customer in the course of providing the Services, as more particularly described in Annex A of this DPA.

“Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where UK Privacy Laws apply, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, whether such transfer is direct or via onward transfer; and (iii) where the Swiss FDPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Results” means any data, content or other information transferred, communicated or shared by Trulioo (or the Data Providers) to or otherwise accessed by Customer in the course of receiving Services, including any data, content or other information that Trulioo obtains on behalf of Customer and at Customer’s instruction from the Data Providers. For example, this may include the match results and/or any related appended data provided in response to Customer identity or company verification queries. For the purposes of this DPA only and for the avoidance of doubt, the Results shall not include any Personal Data which Trulioo collects and maintains independently of providing the Services to Customer.

“Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Processor Data transmitted, stored or otherwise processed by Trulioo in connection with the provision of the Services. A “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Processor Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Standard Contractual Clauses” or “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Subprocessor” means any third party processor (including any Trulioo Affiliates) engaged by Trulioo to process any Processor Data (but shall not include Trulioo employees, contractors or consultants).

“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

“US Data Protection Laws” means, as applicable, the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Florida Digital Bill of Rights, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act.

The terms “controller”, “data subject”, “processor” and “processing” have the meanings given to them in Data Protection Laws, and “process”, “processes” and “processed” shall be interpreted accordingly. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in the GDPR will apply.

2. Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that Trulioo processes Processor Data protected by Data Protection Laws as a processor (or functionally equivalent role) on behalf of Customer in the course of providing the Services pursuant to the Agreement. Nothing in this DPA shall act to restrict or prevent Trulioo from processing any data, content or other information (including Personal Data) that Trulioo collects and maintains independently of providing the Services to Customer.

2.2 Notwithstanding expiry or termination of the Agreement, this DPA and any Standard Contractual Clauses (if applicable) will remain in effect until, and will automatically expire upon deletion of all Processor Data by Trulioo as described in this DPA.

3. Role and Scope of Processing

3.1 Roles of the Parties. The parties acknowledge and agree that for the purposes of this DPA, Customer is the controller with respect to the processing of Processor Data, and Trulioo shall process Processor Data only as a processor on behalf of Customer, as further described in Annex A of this DPA. Any processing by either party of Personal Data under or in connection with the Agreement shall be performed in accordance with Data Protection Laws. However, with respect to Processor Data, Trulioo is not responsible for compliance with Data Protection Laws applicable to Customer that are not generally applicable to Trulioo as a service provider.

3.2 Processing Instructions. Trulioo will process Processor Data only in accordance with Customer’s documented lawful instructions and, for these purposes, Customer instructs Trulioo to process Processor Data for the purposes described in Annex A of this DPA, unless obligated otherwise by applicable law. Trulioo shall promptly notify Customer if it makes a determination that Customer’s instructions infringe Applicable Data Protection Law(s) (but without obligation to actively monitor Customer’s compliance with Applicable Data Protection Law(s)) and, in such event, Trulioo shall not be obligated to undertake such processing until such time as the Customer has updated its processing instructions and Trulioo has determined that the incidence of non-compliance has been resolved.

3.3 Customer Responsibilities. Customer shall have sole responsibility for the accuracy, quality, and legality of Processor Data and the means by which Customer acquired Processor Data. Customer represents and warrants that (i) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable laws, including Data Protection Laws, for Trulioo to lawfully process Processor Data for the purposes contemplated by the Agreement (including this DPA and any Order Forms under the Agreement); (ii) it has complied with all applicable laws, including Data Protection Laws, in the collection and provision to Trulioo and its Subprocessors of such Processor Data; and (iii) it shall ensure its processing instructions comply with applicable laws (including Data Protection Laws) and that the processing of Processor Data by Trulioo in accordance with Customer’s instructions will not cause Trulioo to be in breach of Data Protection Laws.

4. Subprocessing

4.1 Authorized Subprocessors. Customer agrees that Trulioo may engage Subprocessors to process Processor Data on Customer’s behalf. Trulioo will make available a list of Subprocessors if requested by Customer in writing. Trulioo shall notify Customer if it adds or replaces any Subprocessor at least fifteen (15) days prior to any such change. Customer must subscribe to receive notice of Subprocessor changes at https://id.trulioo.com/subprocessor-notification.html.

4.2 Subprocessor Obligations. Trulioo shall: (i) enter into a written agreement with each Subprocessor containing data protection terms that provide at least the same level of protection for Processor Data as those contained in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Trulioo to breach any of its obligations under this DPA.

4.3 Objection to Subprocessors. Customer may object in writing to Trulioo’s appointment of a new Subprocessor on reasonable grounds relating to data protection by notifying Trulioo promptly in writing within fifteen (15) calendar days of receipt of Trulioo’s notice in accordance with Section 4.1. In such case, the parties shall discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Trulioo shall, at its sole discretion either not appoint the Subprocessor, or permit Customer to suspend or terminate the affected Services in accordance with the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination). If such objection right is not exercised by Customer in the terms defined above, silence shall be deemed to constitute an approval of such engagement.

5. Cooperation

5.1 Trulioo shall, taking into account the nature of the processing, reasonably assist Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Processor Data, including requests from data subjects seeking to exercise their rights under Data Protection Laws. In the event that any such request, complaint or communication is made directly to Trulioo and Trulioo is able to directly identify that the request relates to Customer’s processing activities, Trulioo shall pass this onto Customer and shall not respond to such communication except to direct the data subject to the Customer, without Customer’s express authorization (unless required to do so in order to comply with applicable law(s)).

5.2 To the extent Trulioo is required under Applicable Data Protection Laws, Trulioo shall (at Customer’s request and expense) provide reasonably requested information regarding the Services to enable Customer to conduct a data protection impact assessment or prior consultations with data protection authorities as required by law.

6. Security

6.1 Security Measures. Trulioo will implement and maintain appropriate technical and organizational security measures designed to protect Processor Data from Security Incidents and to preserve the security and confidentiality of Processor Data, in accordance with the security standards described in Annex B (“Security Measures”). Trulioo will ensure that any person who is authorized by Trulioo to process Processor Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

6.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Trulioo may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.

6.3 Security Incident Response. Upon becoming aware of a Security Incident, Trulioo shall notify Customer without undue delay and shall: (i) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (ii) promptly take reasonable steps to contain, investigate, and remediate any Security Incident, to the extent that the remediation is within Trulioo’s control. Trulioo’s notification of or response to a Security Incident under this Section 6.3 shall not be construed as an acknowledgment by Trulioo of any fault or liability with respect to the Security Incident. The obligations set forth in this Section 6.3 shall not apply to Security Incidents to the extent they are caused by Customer.

7. Security Reports and Audits

7.1 Audit Rights. Customer acknowledges that Trulioo is regularly audited against ISO 27001 standard by independent third party auditors and/or internal auditors respectively. Upon Customer’s written request, and subject to obligations of confidentiality, Trulioo will make available to Customer a summary of its most relevant audit report and/or other documentation reasonably required by Customer which Trulioo makes generally available to its customers, so that Customer can verify Trulioo’s compliance with this DPA. Customer acknowledges and agrees that it shall exercise its audit rights under this DPA (including this Section 7.1 and where applicable, the Standard Contractual Clauses) by instructing Trulioo to comply with the audit measures described in Section 7.2 below.

7.2 Onsite Audits. While it is the parties’ intention ordinarily to rely on Trulioo’s obligations set forth in Section 7.1 to verify Trulioo’s compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, Customer may provide Trulioo with thirty (30) days’ prior written notice requesting that a third-party conduct an audit of Trulioo’s operations and facilities (“Audit”); provided that (i) any Audit shall be conducted at Customer’s expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; and (iii) the Audit shall not unreasonably impact Trulioo’s regular operations.

8. Return or Deletion of Data

8.1 Upon Customer’s request, or upon termination or expiry of the Agreement, Trulioo shall destroy or return to Customer the Processor Data in its possession or control in accordance with the Agreement. This requirement shall not apply to the extent that Trulioo is required by any applicable law to retain some or all of the Processor Data, or to Processor Data it has archived on back-up systems, which Processor Data Trulioo shall securely isolate and protect from any further processing and eventually delete in accordance with Trulioo’s deletion policies, except to the extent required by such law. The parties agree that the certification of deletion that is described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Trulioo to Customer only upon Customer’s written request.

9. International Transfers

9.1 Location of Processing. Processor Data that Trulioo processes under the Agreement may be processed in any country in which Trulioo, its Affiliates, partners and authorized Subprocessors maintain facilities to perform the Services. Trulioo shall not process or transfer (directly or via onward transfer) Processor Data (nor permit such data to be processed or transferred) outside of its country of origin unless it first takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.

10. Additional provisions for European Processor Data

10.1 Scope and Role of the Parties. This Section 10 shall only apply with respect to Processor Data subject to European Data Protection Laws.

10.2 Restricted Transfers to Trulioo. The parties acknowledge that Trulioo is located in Canada and Canada has been recognized as providing an adequate level of data protection by the European Commission (such adequacy decision is available at: https://eur-lex.europa.eu/legalcontent/en/TXT/?uri=CELEX%3A32002D0002). However, the parties agree that where and to the extent the transfer of Processor Data from Customer (as “data exporter”) to Trulioo (as “data importer”) is deemed a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the Standard Contractual Clauses, which shall be deemed incorporated by reference and form an integral part of this DPA as set out in Annex C. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.

11. Additional provisions for California Processor Data

11.1 Scope and Role of Parties. This Section 11 shall only apply with respect to Processor Data subject to the CCPA. When processing Processor Data subject to the CCPA under this DPA, the parties acknowledge and agree that Customer is a Business and Trulioo is a Service Provider for the purposes of the CCPA. For the purpose of this Section 11, “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer,” “Personal Information”, “Process,” “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.

11.2 Responsibilities.

11.2.1 The parties agree that all Processor Data that is subject to the CCPA (“CCPA Processor Data”) is processed by Trulioo on behalf of Customer for one or more Business Purpose(s) and its use or sharing by Customer with Trulioo is necessary to perform such Business Purpose(s). For the purposes of this DPA, Trulioo is Processing the CCPA Processor Data for the Business Purpose(s) of: (i) providing the Services as are more specifically set forth in the applicable order form, and in each case, (ii) to help Customer resist malicious, deceptive, fraudulent or illegal actions (the “Purpose”).

11.2.2 Trulioo will: (i) only Process CCPA Processor Data under the Agreement for the limited and specific Purpose, and at all times in compliance with applicable portions of the CCPA, and shall provide the same level of privacy protection as is required by the CCPA; (ii) assist Customer in responding to any request from a Consumer to exercise rights under the CCPA; (iii) notify Customer without undue delay if Trulioo makes a determination that it can no longer meet its obligations under the CCPA and Customer shall have the right to take reasonable and appropriate steps to help ensure that Trulioo uses the CCPA Processor Data in a manner consistent with Customer’s obligations under the CCPA and stop and remediate any unauthorized use of the CCPA Processor Data; and (iv) require that each employee or other person processing CCPA Processor Data is subject to a duty of confidentiality with respect to such CCPA Processor Data.

11.2.3 To the extent required by the CCPA and, in each case, except as otherwise permitted by the CCPA, Trulioo is prohibited from: (i) Selling the CCPA Processor Data; (ii) Sharing the CCPA Processor Data for cross-contextual behavioural advertising purposes; (iii) retaining, using or disclosing the CCPA Processor Data for any purpose other than for the Purposes; (iv) retaining, using, or disclosing the CCPA Processor Data outside of the direct business relationship between Trulioo and Customer; and (v) combining the CCPA Processor Data with any Personal Information that may be collected from Trulioo’s separate interactions with the individual(s) to whom the CCPA Processor Data relates or from any other sources, except to perform a Business Purpose or as otherwise permitted by law.

12. Limitation of Liability

12.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the main body of the Agreement.

12.2 Any claims against Trulioo or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely by the Customer entity that is a party to the Agreement.

12.3 Notwithstanding any other provision of the Agreement or this DPA, in no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA, the Standard Contractual Clauses or otherwise.

13. Relationship with the Agreement

13.1 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.

13.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.

13.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex A

Description of Data Processing / Transfer

Annex A(I) List of Parties

Data Exporter
Name: The party identified as the “Customer” in the DPA.
Address: The address for the Customer specified in the Agreement.
Contact person’s name, position and contact details: The contact as set out in the Order Form.
Activities relevant to the transfer: See Annex A(II) below.
Signature and date: This Annex A(I) shall automatically be deemed executed when the Agreement (which incorporates the DPA) is executed by the Customer.
Role: Controller

Data Importer
Name: Trulioo Information Services Inc.
Address: 400 – 114 E. 4th Ave, Vancouver, BC Canada V6E 2E9
Contact person’s name, position and contact details: Legal Counsel, [email protected]
Activities relevant to the transfer: See Annex A(II) below.
Signature and date: This Annex A(I) shall automatically be deemed executed when the Agreement (which incorporates the DPA) is executed by Trulioo.
Role: Processor

Annex A(II) Details of Processing / Transfer

EU SCC Module: Module 2
Categories of Data Subjects: Data subjects include individuals about whom Personal Data is processed by Trulioo via the Services by or at the direction of the Customer, which may include Consumers and Authorized Users.
Categories of Personal Data: In connection with the Services, Trulioo may process certain Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which will depend on the particular Services, but may include:

Consumers:

• name;
• contact details (e.g. email address, residential address and telephone number);
• date of birth;
• government issued ID (e.g. passport, driving license, national ID number) and any information captured on such ID);
• facial images / photograph;
• company ownership or directorship related information, including company address, position held (e.g. director), current status (e.g. resigned, active, start date, end date);
• watch list information, including financial contributions (e.g. donation records, income or asset verification), PEP status; and
• any other category of Personal Data submitted by (or on behalf of) the Customer to the Services or otherwise included in the Results provided by Trulioo to Customer in connection with the Services.

Authorized Users:

• Name, contact details, employment details (company and job role).
Sensitive data transferred and safeguards: In connection with the Services, Trulioo may process certain sensitive Personal Data about Consumers, the extent of which is determined and controlled by the Customer in its sole discretion and which will depend on the particular Services, but may include the following types of sensitive Personal Data:

• biometric facial templates;
• criminal record data, including information about criminal investigations, trials, offences and sanctions information; and
• political affiliation (e.g. donation records).

The applicable safeguards are set out in Annex B to the DPA.
Frequency: Continuous
Subject matter and nature of the processing: Trulioo provides a global identity verification service, as further described in the Agreement.
Duration of the processing: The duration of processing shall be as described in the Agreement.
Purpose(s): Processor Data may only be processed by Trulioo on behalf of Customer for the following purposes: (i) processing as necessary to perform the Services and Trulioo’s obligations under and pursuant to the Agreement, which shall include sharing Processor Data with Data Providers where and as necessary for the purposes of delivering the Results and specific Services requested by Customer; (ii) processing initiated by Customer’s Authorized Users in their use of the Services; and (iii) any other purposes of processing of Processor Data agreed upon between the parties in writing.
Retention: Trulioo will retain Processor Data in accordance with the retention periods described in the Agreement.

Annex A(III): Competent supervisory authority

Competent supervisory authority: The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

Annex B

Security Measures

The Security Measures are set out in the Trulioo Security Annex available at https://www.trulioo.com/security-annex.

Annex C

Standard Contractual Clauses

In relation to transfers of Processor Data that are deemed Restricted Transfers protected by the European Data Protection Laws, the Standard Contractual Clauses will apply, modified by the UK Addendum as required, completed as follows:

(a) Module Two (Controller to Processor) will apply;

(b) in Clause 7, the optional docking clause will apply;

(c) in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4.1 of this DPA;

(d) in Clause 11, the optional language will not apply;

(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer);

(f) in Clause 18(b), disputes shall be resolved before the courts of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer);

(g) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A of this DPA;

(h) Subject to Section 6.2 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B of this DPA;

(i) Tables 1 and 3 of Part 1 of the UK Addendum (as applicable) shall be deemed completed with the information set out in Annexes A and B of this DPA; and

(j) Table 4 of Part 1 of the UK Addendum shall be completed by selecting the option “neither party”.