Data Sharing Addendum

last updated: October 2025

This Data Sharing Addendum (“DSA”) is incorporated into and forms part of the Trulioo Services Agreement or other current written or electronic agreement, as well as any other related Order Forms (collectively the “Agreement”) between the entity identified as the “Customer” in the Agreement and Trulioo Information Services Inc. (“Trulioo”). All capitalized terms not defined in this DSA shall have the meanings set forth in the Agreement.

This DSA regulates the processing of Data subject to Data Protection Laws for the Controller Services provided under the Agreement. Customer accepts this DSA on behalf of itself and in the name and on behalf of its Affiliates that use the Controller Services, provided that such Affiliates have not signed their own separate agreement with Trulioo (“Authorized Affiliates”). For the purpose of this DSA only, and except where the context otherwise requires, the term “Customer” will include Customer and Authorized Affiliates.

The parties agree as follows:

1. Definition

“Controller Services” means any Services identified as “Controller Services” in an Order Form and/or Service Specific Terms.

“Customer Data” means any data (including Personal Data) that Customer provides or otherwise makes available to Trulioo through the Controller Services.


“Data” means any Personal Data that is provided or made available by a party (the “disclosing party”) to the other party (the “receiving party”) under the Agreement in connection with the Controller Services, as described in Annex I.

“Data Protection Laws” means all data protection and privacy laws and regulations applicable to a party and the Personal Data in question, including where applicable European Data Protection Laws and US Data Protection Laws.

“Europe” means, for the purposes of this DSA, the European Economic Area, the United Kingdom and Switzerland.

“European Data Protection Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with (i) or (ii); (iv) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018, the UK Data Protection Act 2018 and Data (Use and Access) Act 2025 (collectively the “UK Privacy Law”); and (v) the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances (“Swiss FDPA”); in each case as may be amended or superseded from time to time.

“Personal Data” means information which is protected as “personal data”, “personally identifiable information” or “personal information” under any applicable Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Laws, “Personal Data” does not include de-identified data, or publicly available information as such terms are defined in applicable Data Protection Laws.

“Processing Purposes” means the processing of Data for the purposes agreed and described in the Agreement (including this DSA).

“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where UK Privacy Law applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FDPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; in each case whether such transfer is direct or via onward transfer.

“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to Data.

“Standard Contractual Clauses” or “SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Trulioo Data” means any data (including Personal Data) that Trulioo provides or otherwise makes available to Customer through or in connection with the Controller Services. Trulioo Data may include but is not limited to information from publicly available sources, third-party data providers, and/or information derived or generated from analysing Customer Data.

“Trulioo Privacy Policy” means the Trulioo Services Privacy Policy available at https://www.trulioo.com/privacy (or such other URL as may be notified to Customer).

“US Data Protection Laws” means the California Consumer Privacy Act of 2018, as amended by the California Consumer Privacy Rights Act of 2020 (together, the “CCPA”), Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Florida Digital Bill of Rights, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, in each case including any further amendments and implementing regulations that become effective on or after the effective date of this DSA.

The terms “controller,” “data subject,” “personal data,” “processor,” “process” and “processing,” shall have the meanings given to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given to them in the EU GDPR will apply.

2. Relationship of the Parties. Each party is an independent controller of the Data shared and processed under this DSA. Each receiving party shall process Data strictly for the Processing Purposes or as otherwise agreed in writing by the parties or permitted under Data Protection Laws. In no event shall the parties be deemed joint controllers.

3. Compliance with Law. Except as otherwise expressly agreed under this DSA or otherwise in writing, each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Data Protection Laws. In particular (and without limitation): (a) each disclosing party shall be responsible for complying with all necessary requirements under Data Protection Laws to lawfully collect and subsequently disclose the Data to the receiving party for the Processing Purposes; (b) each receiving party shall be separately and independently responsible for complying with Data Protection Laws in respect of its processing of Data that it receives from disclosing party; and (c) neither party shall knowingly perform its obligations under this DSA in such a way as to cause the other party to breach any of its obligations under Data Protection Laws.

4. Notice, Consent and Opt-Out. Each party shall post and maintain a publicly accessible privacy notice that satisfies the requirements of Data Protection Laws and this DSA, including but not limited to transparency and information requirements. Notwithstanding the foregoing, the party disclosing Data shall be responsible for ensuring that it has obtained all necessary and valid consents and authorizations and provided such notice and opt-out mechanisms to data subjects as may be required under Data Protection Laws to lawfully share Data with the receiving party for the Processing Purposes. The disclosing party shall, upon written request, provide to the receiving party evidence of such consents, notices and opt-out mechanisms, as applicable.

5. Customer Obligations. Without prejudice to Section 4 (Notice, Consent and Opt-Out), prior to processing any Data for the Processing Purposes, Customer shall ensure that its privacy notice at minimum: (a) includes a description of the types of Data collected by Trulioo (or its data providers) for the Processing Purposes; and (b) discloses the identity of Trulioo as a controller of the Data. The Trulioo Privacy Policy describes the Data Trulioo collects and how it uses it for the Processing Purposes, which may assist the Customer in complying with the notification obligations under this DSA. The parties will provide reasonable assistance and reasonably cooperate with each other to assist with each party’s compliance with Data Protection Laws and this Section 4.1.

6. Third Party Requests. Each party (the “Responding Party”) will respond reasonably, promptly and in accordance with the Responding Party’s obligations under Data Protection Laws, to any correspondence, inquiry or complaint from any data subject, consumer, regulator or other third party (“Correspondence”), concerning its processing of Data shared under this DSA and the other party will co-operate as reasonably requested by Responding Party to enable Responding Party to respond to such Correspondence. The Responding Party will be entitled to take action with respect to specific Data in its control or possession in response to such Correspondence or as otherwise required by Data Protection Laws; provided that in the event either party receives any Correspondence related to the processing of Data by the other party, it will promptly inform the other party giving full details of the same, and the parties will cooperate reasonably and in good faith in order to respond to such Correspondence in accordance with any requirements under applicable Data Protection Laws. Subject to the foregoing obligations of notice and cooperation, where any Correspondence made directly to Trulioo concerns a request by a data subject to exercise their data protection rights in relation to the Customer’s processing of Data under this DSA (including where Data resides in the Customer’s account), Customer shall be solely responsible for responding to the data subject in accordance with Data Protection Laws.

7. Cooperation. Each party will reasonably cooperate with the other in any activities contemplated by the Controller Services and to enable each party to comply with its respective obligations under applicable Data Protection Laws. Without limiting the foregoing, in the event of a change in Data Protection Laws or a determination by a supervisory authority or competent court affecting the data processing undertaken under this DSA, the parties shall work together in good faith to make any amendments to this DSA as are reasonably necessary to ensure continued compliance with Data Protection Laws.

8. Security & Security Incidents. Each receiving party shall implement and maintain appropriate technical and organisational measures designed to protect the Data it receives from a Security Incident in accordance with Annex II of this DSA (“Security Measures”). Upon becoming aware of a Security Incident that affects Data received from the other party, the affected party shall inform the other party without undue delay and shall provide all such timely information and cooperation as the other party reasonably requires in order to comply with its obligations under Data Protection Laws and the affected party shall further take all such measures as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep the other party informed of all developments in connection with the Security Incident.

9. International Transfers

9.1 Each party shall take all such measures as are necessary to ensure that the processing or transfer (directly or via onward transfer) of the Data in or to a territory other than the territory in which the Data was first collected is in compliance with Data Protection Laws.

9.2 The parties agree that where the transfer of Data from the disclosing party (as “data exporter”) to the receiving party (as “data importer”) is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the SCCs, modified by the UK Addendum as required for Restricted Transfers subject to UK Privacy Law, each of which shall be deemed incorporated herein in full by reference and shall form an integral part of this DSA. For the purposes of the foregoing, the parties agree that:

(a) each recipient of Data shall be the “data importer” and the other party shall be the “data exporter”;

(b) Module One (controller to controller) will apply;

(c) in Clause 7, the optional docking clause will apply;

(d) in Clause 11, the optional language will not apply;

(e) in Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer);

(f) in Clause 18(b), disputes shall be resolved before the courts of Ireland, England and Wales or Switzerland (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer); and

(g) Annexes I and II of the SCCs and Tables 1 and 3 of Part 1 of the UK Addendum (as applicable) shall be deemed completed with the information set out in Annexes I and II of this DSA and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.

9.3 It is not the intention of either party to contradict or restrict any of the provisions set forth in the SCCs, and accordingly if and to the extent the SCCs conflict with any provision of the Agreement (including this DSA) the SCCs shall prevail to the extent of such conflict.

9.4 The parties acknowledge that Trulioo is located in Canada and Canada has been recognized as providing an adequate level of data protection by the European Commission (such adequacy decision is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002). However, where and to the extent the transfer of Data from Customer to Trulioo is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the SCCs in accordance with this Section 10 (International Transfers).

10. Audit. Each party agrees upon request from the other party to respond to questions and all reasonable requests for information in connection with its processing activities to the extent necessary to demonstrate its compliance with this DSA. If such an audit identifies any default by a party or there are reasonable grounds to suspect a default then, without prejudice to any other rights or remedies available, the defaulting party shall take all necessary steps to comply with its obligations.

11. Additional provisions for CCPA

11.1 Roles. This Section shall only apply with respect to Data processed in connection with the Controller Services subject to the CCPA (“CCPA Personal Information”). When processing CCPA Personal Information, the parties acknowledge and agree that Customer is a Business and Trulioo is a Service Provider for the purposes of the CCPA. For the purpose of this Section, “Business”, “Business Purpose”, “Commercial Purpose”, “Consumer,” “Personal Information”, “Process,” “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.

11.2 Responsibilities. The parties agree that all CCPA Personal Information is processed by Trulioo on behalf of Customer for one or more Business Purpose(s) and its use or sharing by Customer with Trulioo is necessary to perform such Business Purpose(s). For the purposes of this DSA, Trulioo is Processing the CCPA Personal Information for the Business Purpose(s) of: (a) providing the Controller Services to Customer, and (b) to help Customer resist malicious, deceptive, fraudulent or illegal actions (the “Purpose”).

11.3 Trulioo will: (a) only Process CCPA Personal Information under the Agreement for the limited and specific Purpose, and at all times in compliance with applicable portions of the CCPA, and shall provide the same level of privacy protection as is required by the CCPA; (b) assist Customer in responding to any request from a Consumer to exercise rights under the CCPA; (c) notify Customer without undue delay if Trulioo makes a determination that it can no longer meet its obligations under the CCPA and Customer shall have the right to take reasonable and appropriate steps to help ensure that Trulioo uses the CCPA Personal Information in a manner consistent with Customer’s obligations under the CCPA and stop and remediate any unauthorized use of the CCPA Personal Information; and (d) require that each employee or other person processing CCPA Personal Information is subject to a duty of confidentiality with respect to such CCPA Personal Information.

11.4 To the extent required by the CCPA and, in each case, except as otherwise permitted by the CCPA, Trulioo is prohibited from: (a) Selling the CCPA Personal Information; (b) Sharing the CCPA Personal Information for cross-contextual behavioural advertising purposes; (c) retaining, using or disclosing the CCPA Personal Information for any purpose other than for the Processing Purposes; (d) retaining, using, or disclosing the CCPA Personal Information outside of the direct business relationship between Trulioo and Customer; and (e) combining the CCPA Personal Information with any Personal Information that may be collected from Trulioo’s separate interactions with the individual(s) to whom the CCPA Personal Information relates or from any other sources, except to perform a Business Purpose or as otherwise permitted by law.

12. General. In the event of any conflict, ambiguity or inconsistency between the terms of the Agreement and the terms of this DSA, the terms of this DSA shall prevail as they relate to the subject matter of this DSA. The DSA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Annex I

Description of Data Processing / Transfer

I.A. List of Parties

Data Exporter

Name: The entity that is disclosing Data to the other party, which shall be Trulioo (for the Trulioo Data described in I.B. below) or the Customer (for the Customer Data described in Annex I.B. below).

Address:

Trulioo: #400 – 114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada;

Customer: The address for the Customer specified in the Agreement.

Contact Person’s Name, position and contact details:

Trulioo: Legal Counsel, [email protected]

Customer: As set out in the Agreement and this DSA.

Activities relevant to the transfer: See Annex I.B. below.

Signature and date: This Annex I shall automatically be deemed executed when the Agreement (incorporating this DSA) is executed by the parties.

Role: Controller

Data Importer

Name: The entity that is disclosing Data to the other party, which shall be Trulioo (for the Trulioo Data described in I.B. below) or the Customer (for the Customer Data described in Annex I.B. below).

Address:

Trulioo: #400 – 114 E. 4th Avenue, Vancouver, BC V5T 1G2, Canada;

Customer: The address for the Customer specified in the Agreement.

Contact Person’s Name, position and contact details:

Trulioo: Legal Counsel, [email protected]

Customer: As set out in the Agreement and this DSA.

Activities relevant to the transfer: See Annex I.B. below.

Signature and date: This Annex I shall automatically be deemed executed when the Agreement (incorporating this DSA) is executed by the parties.

Role: Controller

I.B. Description of Processing / Transfer

(a) Customer Data

EU SCC Module: Module One (C2C)

Categories of Data Subjects: Data subjects include individuals whose Personal Data is included in Data shared by the Customer which may include individuals who are the subject of a query submitted to the Services (including consumers/end users of a Customer’s services).

Categories of Personal Data: Personal Data provided by (or on behalf of) Customer to Trulioo in connection with the Controller Services, which will depend on the specific Controller Services, but may include (for example):

• name;
• contact details (e.g. email address, residential address and telephone number);
• date of birth;
• government ID number (e.g. passport, driving license, national ID number);
• IP address; and
• any other category of Personal Data submitted by Customer to Trulioo in connection with the Controller Services.

Sensitive data transferred and safeguards: N/A

Frequency: Continuous

Nature of the processing: Personal Data about individuals will be processed for the Processing Purposes.

Purpose(s): The Personal Data is processed for the Processing Purposes set out in Section 3 of the DSA.

Retention: Trulioo shall retain Personal Data for as long as necessary for the Processing Purposes or as otherwise permitted by Data Protection Laws.

(b) Trulioo Data

EU SCC Module: Module One (C2C)

Categories of Data Subjects: Data subjects include individuals whose Personal Data is included in Data shared by the Customer, which depending on the specific Controller Services, may include:

• Individuals who are the subject of a query submitted to the Controller Services (including Consumers of a Customer’s services).
• Company officers and other individuals related to the business that is the subject of a search (like directors and ultimate beneficial owners).

Categories of Personal Data: Personal Data included in the Results provided to Customer in connection with the Controller Service, which depending on the specific Controller Service may include:

• Business contact information, including company address, position held (e.g. director) and current status (e.g. resigned, active, start date, end date).
• Person fraud and risk signals (for example, risk signals associated with an individual’s personal contact information and risk scores with associated reasoning).

Sensitive data transferred and safeguards: N/A

Frequency: Continuous

Nature of the processing: Personal Data about individuals will be processed for the Processing Purposes.

Purpose(s): The Personal Data is processed for the Processing Purposes, which shall include processing Personal Data for the purposes of providing the Controller Services.

Retention: Customer shall retain Personal Data for as long as necessary for the Processing Purposes or as otherwise permitted by Data Protection Laws.

I.C. Competent supervisory authority

Irish Data Protection Commissioner, the UK Information Commissioner’s Office, or the Swiss Federal Data Protection and Information Commissioner (in each case, as appropriate, depending on the European Data Protection Law applicable to the transfer).


Annex II

Technical and Organizational Security Measures

Trulioo’s Security Measures are set out in the Trulioo Security Annex available at https://www.trulioo.com/security-annex. Customer shall establish and maintain industry standard security measures that meet or exceed the standards and certifications that Trulioo employs. Customer shall be able to adequately demonstrate its compliance with these obligations to Trulioo upon request.