DPA (GDPR)

The Parties agree as follows:

1. Definitions “Additional Services” means additional model-driven fraud prediction and detection services, as agreed between the Customer and FingerprintJS. “Administration Data” means:
   • (a) contact details relating to, and the content of correspondence with, the Customer’s main account holder or administrator; and
   • (b) support enquiries submitted by the Customer’s authorized users in relation to the Service and Additional Services. “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
   “Authorized Affiliate” means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Service and Additional Services pursuant to the Agreement. “Control” means either (i) an ownership, voting or similar interest representing twenty five (25%) or more of the total interests then outstanding of the entity in question; or (ii) the power to direct or cause the direction and management of an entity’s policies in accordance with the acquirer’s wishes, whether as a result of the ownership of shares, control of the board of directors, contract or any powers conferred by the entity’s articles of association or other constitutional documents. The term “Controlled” shall be construed accordingly. “Controller” has the meaning given to it in the GDPR. “Controller Clauses” means Module One (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914. “Controller Purposes” has the meaning given in Section 2.5. “Customer Personal Data” means any Personal Data that FingerprintJS and/or its Affiliates processes in the course of providing the Service and Additional Services to Customer under the Agreement as set out in Schedule 2. “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR and Swiss Data Protection Laws. “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable the “UK GDPR” as defined in section 3 of the Data Protection Act 2018. “Personal Data” has the meaning given to it in the GDPR. “Processor” has the meaning given to it in the GDPR. “Processor Clauses” means Module Two (controller to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data. “Standard Contractual Clauses” or “SCCs” means the Controller Clauses and the Processor Clauses. “Sub-processor” means any Processor engaged by FingerprintJS or its Affiliates to assist in fulfilling its obligations with respect to providing the Service and Additional Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or any FingerprintJS Affiliate. “Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 25 September 2020 (“FADP”) and the Swiss Data Protection Ordinance of 31 August 2022, and any new or revised version of these laws that may enter into force for time to time; and “Usage Data” means diagnostic, usage and performance information collected by FingerprintJS in relation to the Customer’s and its authorized users’ use of the Service. The terms “data subject”, “processing” (and “process”, “processes” and “processed”) and “supervisory authority” have the meanings given to them in the GDPR.
2. Scope and Applicability of this DPA

2.1 This DPA applies where and only to the extent that FingerprintJS processes Customer Personal Data in the course of providing the Service and Additional Services and such Customer Personal Data is subject to Data Protection Laws. The Parties agree to comply with the terms and conditions in this DPA in connection with such Customer Personal Data. 2.2 Role of the Parties. Save as set out in Section 2.5, the Parties acknowledge and agree that, as between FingerprintJS and Customer, Customer is the Controller of Customer Personal Data and FingerprintJS shall process Customer Personal Data only as a Processor on behalf of Customer. 2.3 Customer Obligations. Customer agrees that: (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Customer Personal Data; (ii) it shall ensure that any processing instructions it issues to FingerprintJS with respect to Customer Personal Data shall comply with applicable Data Protection Laws. 2.4 Processing of Personal Data. Save as set out in Section 2.5, and notwithstanding clause 8.1 of the Processor Clauses, FingerprintJS shall process Customer Personal Data only for the following purposes: (i) processing to perform the Service and Additional Services in accordance with the Agreement; and (ii) processing to perform any steps necessary for the performance of the Agreement, in each case unless processing is required by applicable law in the UK, Switzerland, the European Union or a Member State of the European Union, in each case to which FingerprintJS is subject, in which case FingerprintJS shall, to the extent permitted by such applicable law, inform the Customer of that legal requirement before processing that Customer Personal Data. The Parties agree that, for the purposes of clause 8.1(a) of the Processor Clauses, the Agreement and this DPA shall be the Customer’s instructions for the processing of Customer Personal Data. To the extent that any of the Customer’s instructions require processing of Customer Personal Data in a manner that falls outside the scope of the Service and Additional Services, FingerprintJS may:

• (a) make the performance of any such instructions subject to the payment by the Customer of any costs and expenses incurred by FingerprintJS or such additional charges as FingerprintJS may reasonably determine; or
• (b) terminate the Agreement and the Service and Additional Services.

2.5 Controller Purposes. The Parties acknowledge and agree that FingerprintJS collects and processes Administration Data and Usage Data as a Controller for legitimate business purposes, including administering its business relationship with Customer, product development and sales and marketing (the “Controller Purposes”). Where it acts as a Controller, FingerprintJS shall process such data in compliance with Data Protection Laws.

3. Standard Contractual Clauses

3.1 The Standard Contractual Clauses shall, as further set out at Schedule 5, apply to transfers of Customer Personal Data from Customer to FingerprintJS, and form part of this DPA, to the extent that:

• (a) the GDPR or Swiss Data Protection Law applies to Customer’s processing of such Customer Personal Data when making the transfer; or
• (b) the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).

3.2 The Parties agree that:

• (a) execution of the Agreement or this DPA shall have the same effect as signing the SCCs; and
• (b) in the event of a conflict between the terms of the Agreement, this DPA and the SCCs, the terms of the SCCs shall prevail.

4. Sub-processing

4.1 Authorized Sub-processors. The Parties agree that, for the purposes of clause 9 of the Standard Contractual Clauses, Customer gives FingerprintJS general authorization to engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by FingerprintJS and authorized by Customer are listed in Schedule 4. 4.2 Sub-processor Obligations. FingerprintJS shall: (i) enter into a written agreement with the Sub-processor imposing the same data protection obligations on the Sub-processor as set out in this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause FingerprintJS to breach any of its obligations under this DPA. 4.3 Changes to Sub-processors. FingerprintJS shall provide Customer with fourteen (14) calendar days’ notice (for which email shall suffice) of any proposed changes to the Sub-processors, including any information reasonably necessary to enable the Customer to assess the Sub-processor and exercise its right to object. 4.4 Objection to Sub-processors. If the Customer objects to FingerprintJS’s use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the Standard Contractual Clauses) it shall: (i) notify FingerprintJS of its objection promptly in writing within five (5) calendar days of receipt of FingerprintJS’ notice in accordance with Section 4.3; and (ii) provide documentary evidence that reasonably shows that the Sub-processor does not or cannot comply with the requirements in this DPA (including the Standard Contractual Clauses). In such an event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either Party may terminate the applicable Service and Additional Services that cannot be provided by FingerprintJS without the use of the objected-to new Sub-processor by giving to the other Party thirty (30) calendar days’ written notice. During such notice period, FingerprintJS may suspend the affected portion of the Service and Additional Services.

5. Customer warranties and undertakings

5.1 The Customer represents and warrants that:

• (a) it has provided all applicable notices to data subjects and, to the extent required, obtained consent from data subjects in each case as required for the lawful processing of Customer Personal Data in accordance with the Agreement and this DPA; and
• (b) without prejudice to the generality of clause 8 of the Standard Contractual Clauses (as applicable), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 3 are:
  • (i) appropriate to ensure the security of the Customer Personal Data, including protection against a Security Incident; and
  • (ii) otherwise consistent with the Customer’s obligations under Article 32 of the GDPR. 5.2 Other than as set out in Section 2.5, the Customer shall be solely responsible for the legality of Customer Personal Data provided to FingerprintJS by Customer or an Authorized Affiliate or collected by FingerprintJS.

6. Security and Audits

6.1 Security Measures. FingerprintJS shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data, in accordance with FingerprintJS’ security standards described in Schedule 3 (“Security Measures”). 6.2 Confidentiality of Processing. FingerprintJS shall ensure that any person who is authorized by FingerprintJS to process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). 6.3 Security Incident Response. FingerprintJS will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate with regards to any obligation of Customer under Data Protection Laws to make any notifications in respect of a Security Incident, such as to individuals, supervisory authorities or other regulatory authorities. FingerprintJS’ notification of, or response to, a Security Incident under this Section 6.3 will not be construed as an acknowledgement by FingerprintJS of any fault or liability with respect to the Security Incident. 6.4 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that FingerprintJS may, by written notice to the Customer, update or modify the Security Measures from time to time following any review by FingerprintJS of the Security Measures (including in accordance with clause 8.6 of the Standard Contractual Clauses), provided that such updates and modifications do not result in the degradation of the overall level of protection afforded to the Customer Personal Data by FingerprintJS under this DPA. 6.5 Audits. With respect to any audits conducted under clauses 8.9(c) and (d) of the Standard Contractual Clauses, the Parties agree that:

• (a) all such audits shall be conducted:
  • (i) only once per year, or more frequently if any audit indicates that FingerprintJS is in non-compliance with this DPA;
  • (ii) on reasonable written notice to FingerprintJS;
  • (iii) only during FingerprintJS’ normal business hours; and
  • (iv) in a manner that does not disrupt FingerprintJS’ business;
  • (v) by reference to an appropriate and accepted control standard or framework; and
• (b) the Customer (or, where applicable, a third party independent auditor appointed by the Customer) shall:
  • (i) enter into a confidentiality agreement with FingerprintJS prior to conducting the audit in such form as FingerprintJS may request; and
  • (ii) ensure that its personnel comply with FingerprintJS’ and any Sub-processor’s policies and procedures when attending FingerprintJS’ or Sub-processor’s premises, as notified to the Customer by FingerprintJS or Sub-processor.

6.6 Reports. FingerprintJS shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm FingerprintJS’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

7. Return or Deletion of Data

7.1 Upon deactivation of the Service and Additional Services, FingerprintJS shall, subject to Section 7.2: (i) if requested to do so by the Customer within seven (7) days of the date of termination of the Agreement or deactivation of the Service and Additional Services, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to FingerprintJS; and (ii) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data processed by FingerprintJS or any Sub-processors. 7.2 FingerprintJS may retain Customer Personal Data:

• (a) to the extent that such Customer Personal Data is processed for the Controller Purposes;
• (b) to the extent required by applicable laws, and only for such period and such purposes as required by applicable laws; or
• (c) to the extent that the Customer Personal Data has been archived on back-up systems, provided that FingerprintJS shall securely isolate and protect such Customer Personal Data from any further processing, except to the extent required by applicable law, and purge such Customer Personal Data from the applicable back-up systems in accordance with its normal back-up cycle.

7.3 FingerprintJS shall, with respect to any Customer Personal Data retained in accordance with Section 7.2, ensure the confidentiality of all such Customer Personal Data.

8. Cooperation

8.1 To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Service and Additional Services, FingerprintJS shall (at Customer’s expense) taking into account the nature of the processing, provide reasonable cooperation to assist Customer by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Customer Personal Data under the Agreement. Other than in respect of Administration Data and Usage Data processed for the Controller Purposes, in the event that any such request is made directly to FingerprintJS, FingerprintJS shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If FingerprintJS is required to respond to such a request, FingerprintJS shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so. 8.2 To the extent FingerprintJS is required under Data Protection Law, FingerprintJS shall (at Customer’s expense) provide reasonably requested information regarding FingerprintJS’s processing of Customer Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law. 8.3 Customer shall promptly inform FingerprintJS of any request received by the Customer from a data subject to assert their rights under the GDPR and Swiss Data Protection Laws in relation to Administration Data and Usage Data processed by FingerprintJS for the Controller Purposes.

9. Costs

9.1 The Customer shall pay to FingerprintJS on demand all costs and expenses incurred by FingerprintJS in connection with:

• (a) implementing any changes to the Service and Additional Services under Section 4.4;
• (b) facilitating and contributing to any audits of FingerprintJS under Section 6.5 or clauses 8.9(c) and (d) of the Standard Contractual Clauses;
• (c) facilitating and contributing to any audits of FingerprintJS conducted by a supervisory authority;
• (d) responding to queries or requests for information from the Customer relating to the processing of Customer Personal Data under clauses 8.9(a), 8.9(c) or 8.9(e) of the Standard Contractual Clauses;
• (e) any assistance provided by FingerprintJS to the Customer with its fulfillment of its obligations to respond to data subjects’ requests for the exercise of their rights under the GDPR; and
• (f) any assistance provided by FingerprintJS to the Customer with any data protection impact assessments or prior consultation with any supervisory authority of the Customer.

10. Miscellaneous

10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. Without prejudice to the generality of clause 5 of the Standard Contractual Clauses, in the event of any conflict between the Agreement, this DPA and the Standard Contractual Clauses, the following order of precedence shall apply:

• (a) The Standard Contractual Clauses (or, with respect to transfers of Customer Personal Data subject to the UK GDPR or Swiss Data Protection Laws, the Standard Contractual Clauses as amended by Schedule 5).
• (b) The main body of this DPA.
• (c) The Agreement.

10.2 This DPA is a part of and incorporated into the Agreement so references to “Agreement” in the Agreement shall include this DPA. 10.3 In no event shall any Party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. 10.4 Other than the right of data subjects or not-for-profit bodies, organizations or associations under the conditions set out in Article 80(1) of the GDPR to bring claims under the Standard Contractual Clauses (as applicable), a person who is not a Party to this DPA may not enforce any of its terms. 10.5 Notwithstanding the provisions of the Agreement and unless otherwise indicated in Schedule 5, this DPA and the Standard Contractual Clauses shall (to the extent permitted under applicable law) be governed by and construed in accordance with the laws of England and Wales. 10.6 Notwithstanding the provisions of the Agreement and unless otherwise indicated in Schedule 5, the Parties submit themselves to the jurisdiction of the courts of England and Wales in respect of any disputes arising under this DPA and the Standard Contractual Clauses.

​

Schedule 1

​

PARTIES TO THE PROCESSING

​

Schedule 2

​

Details of processing

​

Part 1

Processing subject to the Processor Clauses Data subjects The personal data transferred concern the following categories of data subjects:

• The Customer’s end users who visit the Customer’s sites and services (“End Users”).
• The Customer’s employees and contractors that the Customer authorises to access and use the Service (“Authorized Users”).

Purpose(s) of the data transfer and further processing The purpose of the data transfer and further processing is the provision and maintenance of FingerprintJS’ Service and Additional Services. Categories of data The personal data transferred concern the following categories of data: End Users:

• Personal data contained within Visitor Data, including information relating to an End User’s device, operating system, browser, browser configuration, IP address, and approximate location, and IDs associated with successful detections of fraud on the Customer’s sites and services.

Authorized Users:

• account information, including login information;
• payment and transaction information;
• support request information; and
• technical information regarding access to the Service (including IP address, approximate location, pages viewed and log data).

Sensitive data None. Frequency of the transfer The data is transferred on a continuous basis. Subject matter of the processing The provision and maintenance of FingerprintJS’ Service and Additional Services . Nature of the processing Transmitting, collecting, storing and analysing data in order to provide and maintain FingerprintJS’ the Service and Additional Services. Duration The Personal Data will be retained for the duration of the Agreement, subject to Section 7 of the DPA. Sub-processor (if applicable) For transfers to sub-processors, specify subject matter, nature and duration of the processing:

• as set out in Schedule 4

​

Part 2

Processing subject to the Controller Clauses Data subjects

• Authorized Users.

Purposes of the transfer(s) and further processing The purpose of the data transfer and further processing is the administration of FingerprintJS’ Service and Additional Services and improvement of FingerprintJS’ Service, including internal record-keeping, billing, product development and sales and marketing. Categories of data The Personal Data transferred concern the following categories of data: Authorized Users:

• contact information, including name, address, phone number, email address, login details, employing / engaging organization;
• payment and transaction information;
• contact preferences, including preference set for notifications, marketing communications;
• comments and opinions; and
• technical information regarding access to the Service (including IP address, approximate location, pages viewed and log data, display and active functionalities).

Sensitive data None. Frequency of the transfer The transfer is carried out on a continuous basis for the duration of the Agreement. Subject matter of the processing The subject matter of the processing is:

• Administration of FingerprintJS’s Service and Additional Services.
• Improvement, troubleshooting and testing of FingerprintJS’ Service.
• Calculation of charges and fees owed by the Customer to FingerprintJS in respect of the Service and Additional Services.
• Marketing to Customer and their users.

Nature of the processing The processing of Personal Data in connection with the administration of the Service and Additional Services and improvement of FingerprintJS’s Service. Duration The Personal Data will be retained for the duration of the Agreement, subject to Section 7 of the DPA. Sub-processor (if applicable) For transfers to sub-processors, specify subject matter, nature and duration of the processing:

• as set out in Schedule 4.

​

Schedule 3

​

Technical and Organizational Security Measures

1. Introduction

The data importer employs a combination of policies, procedures, guidelines and technical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.

2. Governance and Policies

The data importer has organized leadership and defined policies related to information security to ensure alignment with business objectives to adequately serve clients. These policies are reviewed and approved annually by management and updates are communicated to employees and relevant external parties. Roles and responsibilities for teams and team members are defined within the data importer’s organizational structure and reporting lines as well as written job descriptions. Management reviews the data importer’s organizational structure at least annually as part of strategic planning, and any changes are made as needed based on changing reporting lines, authorities, and responsibilities. The data importer has following security policies and related processes in place:

• (a) Data classification and business impact assessment
• (b) Selection, documentation, and implementation of security controls
• (c) Assessment of security controls
• (d) User access authorization and provisioning
• (e) Removal of user access
• (f) Monitoring of security controls
• (g) Security management

3. Access control

The data importer has implemented role-based access controls that limit access to sensitive information to only those individuals who require access based on job function, active employment, and management approval. The data importer maintains an up-to-date and complete inventory of information technology assets and asset owners. Administrative level access to the data importer’s critical systems (network, application, source code, and related databases) is limited to appropriate individuals based on job function and current employment with the data importer. Administrative level access to critical system components including (production servers, databases, system infrastructure components, and front-end application level) are restricted to appropriate individuals based on job function and current employment with the data importer. Access to the Amazon Web Services (“AWS”) environment is controlled with security groups configured to prevent access based on predefined access control lists. Monitoring tools are in place to monitor the AWS environment and administrators receive notification of issues detected by the system based on pre-defined alert thresholds. Sensitive authentication data such as service accounts and encryption keys are stored in a key management system. Access to sensitive authentication data is limited to only appropriate individuals based on job function and active employment with the data importer. Remote access to the data importer’s network and system infrastructure requires a unique username, password, and one-time multi-factor authentication code to authenticate. Remote access to the data importer’s network and system infrastructure is limited to only appropriate individuals based on job function and active employment with the data importer. Access to the data importer’s systems requires a unique username and password. Password complexity standards within AWS are enforced and include the following:

• (a) Minimum password length is 16 characters
• (b) Require at least one uppercase letter from Latin alphabet (A–Z)
• (c) Require at least one lowercase letter from Latin alphabet (a–z)
• (d) Require at least one number
• (e) Require at least one non alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] | ’.
• (f) Passwords expires in 90 days
• (g) Allow users to change their own password

4. Segmentation of personal data

The data importer has logically segmented its network so that unrelated portions of the information system are isolated from each other. All public internet facing systems are segregated from the production network through network segmentation, firewalling, logical access restrictions, and the use of a load balancers which restricts access to production infrastructure. The data importer’s information security program prohibits the use of shared user accounts unless approved by management.

5. Encryption and Transmission

All data classified as potentially sensitive is encrypted at the database level while at rest. All media containing sensitive data, including electronic, hardcopy, and photocopy, is destroyed when it is no longer needed for business or legal reasons as defined in the data importers’ terms of service. All data in transit is encrypted including the following:

• (a) Information transmitted over the public internet (HTTPS)
• (b) Data transferred within system components (TLS)
• (c) Data transferred between organizations (SFTP)

Access to modify data transmission protocols is limited to appropriate individuals based on job function, current employment status, and inquiry with the data importer’s management team. All authentication and data transmission to the production applications, the operating systems hosting the applications, and associated production databases take place over secure transmission channels (i.e. VPN, SSH, SFTP, TLS). All production databases are encrypted using AES-256 bit encryption.

6. Data Backup, Recovery and Availability

The data importer performs incremental backups of its critical information systems on a daily basis, and full backups are performed on at least a weekly basis. The data importer’s management is alerted in the case of a backup failure, and backup failures are tracked to remediation. Established entity standards exist for infrastructure and software hardening and configurations for key system components and infrastructure. The data importer has established a business continuity plan and disaster recovery plan, both of which are reviewed, tested, and updated on an annual basis. Customer data is backed up for 90 days in the primary data store, unless otherwise stated in the Customer’s contract. After 90 days, unless otherwise stated in Customer’s contract, it becomes the customer’s responsibility to manage, back up, or otherwise store their data per their use case. All primary data stores are retained for at least 90 days unless otherwise specified in the customer’s contract. To ensure data availability and avoid issues with data older than 90 days, customers are advised to configure webhooks in their dashboard account. All data received via webhooks should be backed up securely on their end. The Data importer is fully responsible for the availability of product and services.

7. Incident Management and System Monitoring

The data importer’s management team has implemented an incident response plan that outlines the requirements for responding to anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives. Security events are documented, reviewed, and tracked to final remediation by data importer’s management team. A root cause analysis is conducted to determine the cause and mitigate the risk of such an incident occurring in the future. The data importer has security monitoring tools in place to monitor the data importer’s production environment and provide an ongoing solution to monitor security threats and unusual system activities. The data importer’s management team receives alerts from the tools, based on predefined thresholds, and confirmed security issues are tracked to remediation. The data importer engages a third-party to perform external penetration tests of the system on an annual basis. Management assesses and prioritizes the results of the penetration test and tracks issues of medium criticality or above to final remediation.

8. Asset and Software Management

The data importer has implemented a change management policy that outlines the requirements for authorization, design, development, configuration, documentation, testing, approval, and implementation of changes to infrastructure, data, and software. All system changes are tested, reviewed, and approved prior to implementation to the production environment. Access to make changes to source code is limited to only appropriate individuals based on job function and active employment with the data importer. Version control software is in place to manage current versions of source code. Audit logs of all commits to source code libraries are maintained. Source code scans are performed on in-scope application source code to detect potential vulnerabilities prior to the release of source code into the production environment. Any high-risk vulnerabilities are tracked to remediation prior to the promotion of each change into the production environment.

9. Physical Security

The data importer has a cloud-based infrastructure in AWS and relies on this subservice organization to operate physical access controls to the data centres hosting the data importer’s infrastructure. Additionally, the data importer does not own any facilities containing information assets which would require physical security controls to be implemented.

10. Endpoint Security

The data importer has enforced the following mobile device hardening standards for laptops and mobile phones:

• (a) Evidence of device encryption
• (b) Enterprise antivirus enabled
• (c) Antivirus daily updates
• (d) Requirement of user name and password
• (e) Patches or regular OS updates

All laptops with access to the data importer’s network are configured to enforce hard drive encryption. The data importer’s security policy prohibits the use of removable media storage without prior approval from management. Anti-virus/anti-malware software is installed on workstations and laptops supporting the system. Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in more than 24 hours and follows up on those devices.

11. Service providers

The data importer has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data to which they have access and to limit the use of personal data in accordance with the data importer’s instructions.

12. Customer Communications

The data importer has reporting mechanisms in place for reporting security issues and compliance concerns from internal and external system users. Each report is reviewed by appropriate management personnel, based on the nature of the suspected security issues, in accordance with the data importer’s Incident Response Policy. Security incidents and unauthorized disclosures of internal or external user data are communicated to data subjects, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, per the incident response plan. Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described within customer agreements. The data importer communicates relevant security and privacy commitments, made available on its public-facing website or by written request. When major changes to security or privacy commitments are made, FingerprintJS communicates these changes to impacted stakeholders via email. System descriptions are made available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system.

13. Staff training and awareness

The data importer maintains security policies and procedures which communicate objectives and responsibilities for internal control, necessary to support the function of internal control. Policies and procedures are made available to employees in the data importer’s policy document repository. The data importer has established standards and guidelines for management’s, employees’, and contractors’ ethical behaviour, as outlined in the data importer’s employee handbook. The handbook includes a termination policy for personnel who violate the data importer’s policies and procedures, which may include disciplinary action up to and including involuntary termination. All employees and contractors are required to sign an employment agreement, that requires personnel to adhere to the data importer’s code of conduct, security, and confidentiality policies and procedures as part of their initial terms and conditions of employment. The data importer has implemented a formal disciplinary process to address instances of noncompliance with the data importer’s standards of conduct related to security which includes disciplinary measures up to and including termination. Roles and responsibilities are defined by written job descriptions and communicated to the data importer’s employees upon hire, as well as to their managers and supervisors. Management monitors personnel compliance with the code of conduct through a complaint submission system which serves as a mechanism for reporting deviations from the code of conduct. Any deviations to the code of conduct are addressed immediately in accordance with the employee handbook.  

​

Schedule 4

​

List of Sub-processors

​

Schedule 5

STANDARD CONTRACTUAL CLAUSES

1. EU SCCS

With respect to any transfers referred to in Section 3.1, the Standard Contractual Clauses shall be completed as follows:

• 1.1 The Controller Clauses will apply with respect to FingerprintJS’s processing of Administration Data, and Usage Data for Controller Purposes; otherwise, the Processor Clauses will apply to FingerprintJS’s processing of Customer Personal Data.
• 1.2 Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
• 1.3 Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in Section 4.3 of the DPA.
• 1.4 The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
• 1.5 With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
• 1.6 In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
• 1.7 For the Purpose of Annex I of the Standard Contractual Clauses: (i) Schedule 1 contains the specifications regarding the parties and the competent supervisory authority; and (ii) in respect of the Processor Clauses: Part 1 of Schedule 2, and in respect of the Controller Clauses: Part 2 of Schedule 2, contains the specifications regarding the description of transfer.
• 1.8 For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 3 of the DPA contains the technical and organizational measures.

2. UK Addendum

• 2.1 This paragraph 2 (UK Addendum) shall apply to any transfer of Customer Personal Data from the Customer (as data exporter) to FingerprintJS (as data importer), to the extent that:
  • (a) the UK Data Protection Laws apply to the Customer when making that transfer; or
  • (b) the transfer is an “onward transfer” as defined in the Approved Addendum.
• 2.2 As used in this paragraph 2: “Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum. “UK Data Protection Laws” means all laws relating to data protection, the processing of Personal Data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
• 2.3 The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of the Agreement or this DPA shall have the same effect as signing the Approved Addendum.
• 2.4 The Approved Addendum shall be deemed completed as follows:
  • (a) the “Addendum EU SCCs” shall refer to the SCCs as they are incorporated into this Agreement in accordance with Section 3.1 and this Schedule 5;
  • (b) Table 1 of the Approved Addendum shall be completed with the details in Schedule 1;
  • (c) the “Appendix Information” shall refer to the information set out in Schedule 1, Schedule 2 (as relevant, with respect to the Controller Clauses and Processor Clauses), Schedule 3 and Schedule 4;
  • (d) for the purposes of Table 4 of the Approved Addendum, FingerprintJS (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section ‎19 of the Approved Addendum; and
  • (e) Section 16 of the Approved Addendum is not used.

3. Swiss addendum

• 3.1 This Swiss Addendum will apply to any processing of Customer Personal Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR.
• 3.2 Interpretation of this Addendum
  • (a) Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
    • “Addendum” means this addendum to the Clauses;
    • “Clauses” means the Standard Contractual Clauses as incorporated into this DPA in accordance with Section 3.1 and as further specified in this Schedule 5; and
    • “FDPIC” means the Federal Data Protection and Information Commissioner.
  • (b) This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfils the Parties’ obligations under Article 16(2)(d) of the FADP.
  • (c) This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  • (d) Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
  • (e) In relation to any processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
    • (i) for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer; and
    • (ii) as standard data protection clauses approved, issued or recognized by the FDPIC for the purposes of Article 16(2)(d) of the FADP.
  • 3.3 Hierarchy
    • In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects will prevail.
  • 3.4 Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws
    • To the extent that the data exporter’s processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph 3.4) the following amendments are made to the Clauses:
      • (a) References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.
      • (b) Clause 6 Description of the transfer(s) is replaced with:
        • “The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”
      • (c) References to “Regulation (EU) 2016/679” or “that Regulation” or ""GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.
      • (d) References to Regulation (EU) 2018/1725 are removed.
      • (e) References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
      • (f) Clause 13(a) and Part 3 of Annex 1.C. are not used; the “competent supervisory authority” is the FDPIC;
      • (g) Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland”.
      • (h) Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
    • 3.5 Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws
      • (a) To the extent that the data exporter’s processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by paragraph 3.4 of this Addendum:
        • (i) for the purposes of Clause 13(a) and Annex I.C.:
          • (A) the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by paragraph 3.4 of this Addendum); and
          • (B) subject to the provisions of paragraph 2 of this Schedule 5 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter’s processing, or such transfer is an “onward transfer” as defined in the Clauses.
      • (b) The terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability of data subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.

---

What’s Next

• Start your free subscription now