Smile ID Data Processing Agreement

1. SUMMARY

This Data Processing Agreement was last updated on 2026-02-02.

Data security, protection and privacy are mission-critical to our business. Our data protection policies spell out what we do with the information we collect from you when you visit our website or sign up for our service, and how we manage that information.

2. DEFINITIONS

2.1. “Affiliate” means, with respect to a Party, any entity or individual that directly or indirectly controls, is controlled by, is under common control with, or is otherwise contractually engaged by such Party in a manner that supports shared commercial, operational, or technological objectives relevant to this Agreement;

2.2. “Applicable Law” means any national, supranational, regional or local government or governmental, administrative, statute, law (including common law), regulation, rule, ruling, order, writ, injunction, decree or guidelines issued by any authority in the Territory;

2.3. “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under this Agreement, including but not limited to: (i) Regulation (EU) 2016/679 (the "GDPR"); (ii) the Data Protection Act, 2012 of Ghana; (iii) the Data Protection Act, 2019 of Kenya; (iv) the Nigeria Data Protection Act, 2023; (v) the Protection of Personal Information Act, 2013 of South Africa ("POPIA"); and any other relevant laws. Any reference includes all amendments or replacements thereof.

2.4. “Business Purposes” means Smile ID’s Services and internal operational purposes, including identity verification, prevention of cybersecurity threats, identity fraud detection, identity fraud monitoring, research and development related to the Services, and any related activities necessary and proportionate to achieve those purposes.

2.5. “Consent” means agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of their Personal Data;

2.6. “Controller” shall have the meaning set out in the GDPR or Applicable Data Protection Laws;

2.7. “Customer” means a corporate entity with whom Smile ID enters into the Agreement and for whom Smile ID has agreed to provide the Services. This includes representatives, employees, or contracted third parties of the Customer utilising the Services;

2.8. “Data Subject” shall have the meaning set out in the GDPR or Applicable Data Protection Laws and shall for the purposes of this Agreement, include Users as defined below;

2.9. “Data Subject Rights” means all rights granted to Data Subjects under Applicable Data Protection Laws, including the right of access, portability, complaints, opt-out, and rectification or erasure of Personal Data.

2.10. “Order Form” means each fully executed Smile ID order form that incorporates these Terms and describes the Services to be provided by Smile ID from time to time.

2.11. “Party” refers to either Smile ID or the Customer; both are jointly referred to as the “Parties”.

2.12. “Personal Data” means any information identifying or relating to a Data Subject, including but not limited to: names, addresses, photos, email addresses, bank details, and unique identifiers like IP or MAC addresses;

2.13. “Processing and Process” shall have the meaning set out in the GDPR or Applicable Data Protection Laws;

2.14. “Personal Data Breach” shall have the meaning set out in the GDPR or Applicable Data Protection Laws;

2.15. “Pseudonymisation” means replacing identifying information with artificial identifiers so the individual cannot be identified without additional secure information;

2.16. “Regulatory Authority” means the enforcing authority responsible for data protection and privacy in the territory as described in Applicable Data Protection Laws;

2.17. “Services” means the data processing, identity-related fraud detection, and verification services to be provided by Smile ID to the Customer;

2.18. “User” means a customer or client of the “Customer” who is utilising the Services.

3. APPOINTMENT, PERSONAL DATA TYPES AND PROCESSING PURPOSES

3.1. The Customer acknowledges that it is an independent Controller and determines the purposes and means of processing for the Personal Data it collects from Users. The Customer shall remain responsible for its compliance obligations under the Applicable Data Protection Laws, including providing any required notices and obtaining any required consent for processing activities carried out under its instruction.

3.2. The Customer hereby appoints Smile ID to provide the Services.

3.3. Smile ID processes Personal Data for the Business Purposes and may utilise machine learning models, AI-based systems, and statistical analysis of User activity to identify patterns and trends indicative of fraud or cybersecurity threats. Such processing may involve profiling and automated decision-making, in accordance with Applicable Data Protection Laws. Where necessary, Smile ID shall implement appropriate safeguards, including the right of human intervention.

3.4. For the processing of Personal Data to achieve the Business Purposes, Smile ID acknowledges that it is an independent Controller and Data Processor. This may include the analysis of patterns of use, identity verification anomalies and biometric spoofing attempts. Smile ID shall be responsible for complying with its obligations under the Applicable Data Protection Laws.

3.5. Each Party hereby acknowledges that it is responsible for establishing and documenting its lawful basis for processing under Applicable Data Protection Laws.

4. SMILE ID’S OBLIGATIONS

4.1. Smile ID will process the Personal Data in accordance with the Customer’s instructions, and only to the extent necessary for the Business Purposes. Smile ID shall not Process the Personal Data in a manner incompatible with those purposes, unless required or permitted by Applicable Data Protection Laws.

4.2. Unless otherwise required by law, and in line with Smile ID’s Data Retention Policy, Smile ID will retain and securely store Personal Data only for as long as is necessary to fulfil the Business Purpose and, where feasible, shall apply appropriate data minimisation techniques, including Pseudonymisation.

4.3. Smile ID shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, reproduction, or display of Personal Data in its possession, and against accidental or unlawful loss, destruction, alteration, or damage of such Personal Data.

4.4. Smile ID shall implement measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  • 4.4.1. the Pseudonymisation and encryption of Personal Data;
  • 4.4.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • 4.4.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  • 4.4.4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.

4.5. Smile ID will ensure that all employees are informed of the confidential nature of the Personal Data and are bound by the necessary confidentiality obligations and use restrictions in respect of the Personal Data.

4.6. The obligations under this clause shall survive the termination of the Agreement.

5. THE CUSTOMER’S OBLIGATIONS

5.1. Understanding that Smile ID shall be relying on the adequacy of the Consent obtained by the Customer from the User to perform the Services, the Customer shall ensure that, where applicable, it has obtained the requisite consent (of the Data Subject) using a notice or method which contains:

  • 5.1.1. an approved data processing notice informing the Data Subject of appointment of Smile ID at the time of collecting the Personal Data;
  • 5.1.2. the purpose for which their Personal Data will be Processed, including notification that the Personal Data may be Processed for the Business Purposes, and their right to opt-out;
  • 5.1.3. information that the Personal Data may be transferred outside the territory of collection for Processing;
  • 5.1.4. information that the Personal Data may be Processed by a third-party controller or processor; and
  • 5.1.5. any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair Processing and performance of the Services.

5.2. The Customer shall at all times implement appropriate technical, organisational and security measures against unauthorised or unlawful processing and access of Personal Data in its possession.

5.3. The obligations under this clause shall survive the termination of the Agreement.

6. OBLIGATIONS OF THE PARTIES

6.1. Each Party shall remain responsible for complying with Applicable Data Protection Laws in respect of the Personal Data it controls.

6.2. Each Party shall treat all Personal Data and any non-public information shared under this Agreement as confidential and shall not disclose it to any third party except:

  • (i) as required by law;
  • (ii) as required for the performance of the Business Purposes; or
  • (iii) with the other Party’s prior written consent.

6.3. Each Party acknowledges that it is individually responsible for handling Data Subject requests applicable to the data it controls and must put in place mechanisms which allow Data Subjects to exercise their Data Subject Rights. Each Party further acknowledges and agrees that where a request requires cooperation from the other Party, the Parties shall reasonably assist each other in good faith to enable full and timely compliance with individual Data Subject requests, regulatory directives, or other obligations under Applicable Data Protection Laws.

6.4. Each Party agrees to promptly notify the other Party if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data held by the other Party or to either Party’s compliance with the Applicable Data Protection Laws.

6.5. The obligations under this clause shall survive the termination of the Agreement.

7. PERSONAL DATA BREACH

7.1. Smile ID will promptly and without undue delay notify the Customer if any Personal Data in its possession is lost or destroyed or becomes damaged, corrupted, or unusable.

7.2. Smile ID will immediately and without undue delay notify the Customer if it becomes aware of:

  • 7.2.1. any accidental, unauthorised or unlawful processing of the Personal Data; or
  • 7.2.2. any Personal Data Breach.

7.3. Immediately following any Personal Data Breach, the Parties will coordinate with each other to investigate the matter. Smile ID will reasonably cooperate with the Customer in the Customer’s handling of the matter, including:

  • 7.3.1. assisting with any investigation;
  • 7.3.2. providing the Customer with access to any facilities and operations affected if necessary;
  • 7.3.3. facilitating interviews with Smile ID’s employees, former employees and others involved in the matter;
  • 7.3.4. making available all relevant records, logs, files, data reporting and other materials required to comply with the Applicable Data Protection Laws or as otherwise reasonably required by the Customer; and
  • 7.3.5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data Processing.

7.4. The Customer must, to the extent permitted by Applicable Data Protection Laws, obtain the written approval of Smile ID prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Personal Data Breach that expressly mentions Smile ID or its Affiliates. This obligation does not extend to:

  • 7.4.1. disclosures required by law, a court order, or a Regulatory Authority, provided Smile ID is promptly notified, where permissible, and consulted in advance of such disclosure;
  • 7.4.2. internal communications with the Data Provider’s personnel, stakeholders, or professional advisers, insofar as the Data Provider ensures that such communication is made with the greatest of confidentiality and in good faith; and
  • 7.4.3. communications with affected Data Subjects or Regulatory Authorities, provided that Smile ID or its Affiliates are not referred to by name or clearly identifiable implication.

7.5. The Customer acknowledges and agrees that a violation of the above clause may cause immediate and irreparable harm to Smile ID for which damages may not constitute an adequate remedy and as such, Smile ID may seek injunctive or other equitable relief for any such violation or incident, in addition to its remedies at law, without proof of actual damages.

8. CROSS-BORDER TRANSFERS OF PERSONAL DATA

8.1. The Customer agrees that Smile ID may transfer the Personal Data outside the territory of collection for the purpose of Processing and performance of the Services.

8.2. Where the Processing to be carried out by Smile ID includes a transfer to a country which is not recognized by the relevant Regulatory Authority to have an adequate level of protection, Smile ID shall ensure that there are appropriate safeguards and that the Personal Data will be protected with the same level of protection as provided under the Applicable Data Protection Laws and this Agreement.

8.3. The Customer shall ensure that the Data Subject has provided Consent for the transfer of Personal Data outside the territory of collection, after having been informed:

  • 8.3.1. of the possible risks of such transfers for the Data Subject due to the absence of an adequate level of data protection for the privacy rights of individuals;
  • 8.3.2. that Smile ID shall remain bound by the Applicable Data Protection Laws;
  • 8.3.3. that there are no alternatives; and
  • 8.3.4. that the transfer is necessary for the performance of a contract between the Data Subject and the Customer.

9. SUBCONTRACTORS

9.1. Smile ID may only authorise a third-party (subcontractor) to process the Personal Data if:

  • 9.1.1. Smile ID enters into a written contract with the subcontractor that contains terms substantially the same as those set out in these Terms, in particular, in relation to requiring appropriate technical and organisational data security measures; and
  • 9.1.2. Smile ID maintains control over all Personal Data it entrusts to the subcontractor.

10. AUDIT

10.1. To the extent permitted by Applicable Law and access protocols, each Party shall, from time to time, permit the other Party and its duly authorised third-party representatives to audit the other Party’s compliance with its obligations under these Terms, on at least thirty (30) Business Days’ notice. Each Party will give the other Party, and its duly authorised third-party representatives, all necessary assistance to conduct such audits.

10.2. The Parties shall cooperate in good faith and provide access limited to such documentation, personnel, and systems that are reasonably necessary to verify compliance with the obligations under this Agreement.

10.3. Audits shall be conducted during normal business hours and in a manner that minimises disruption to the Party’s operations.

10.4. The Parties agree that audits shall be limited to one (1) per calendar year. Nonetheless, additional audits may be conducted in response to data breaches, regulatory inquiries, or substantiated compliance concerns.

10.5. All audit-related information shall be treated as confidential information and used solely for compliance purposes.

11. INDEMNIFICATION

11.1. The Customer shall indemnify and keep indemnified Smile ID in respect of costs, claims, damages, expenses, fines or penalties arising from losses suffered or incurred by, awarded against or agreed to be paid by Smile ID or any of its sub-contractors arising from or in connection with any:

  • 11.1.1. Non-compliance by the Customer with the Applicable Data Protection Laws;
  • 11.1.2. Processing carried out by Smile ID or any of its sub-contractors pursuant to any Processing instruction from the Customer that infringes any provision of the Applicable Data Protection Laws;
  • 11.1.3. Personal Data Breaches directly attributable to the Customer with regard to the Personal Data it controls; or
  • 11.1.4. Breach by the Customer of its obligations under these Terms.

11.2. Smile ID shall indemnify and keep indemnified the Customer in respect of costs, claims, damages, expenses, fines or penalties arising from losses suffered or incurred by or awarded against the Customer arising from or in connection with any:

  • 11.2.1. Non-compliance by Smile ID with the Applicable Data Protection Laws;
  • 11.2.2. Personal Data Breaches directly attributable to Smile ID or any of its sub-contractors with regard to the Personal Data it controls; or
  • 11.2.3. Breach by Smile ID of its obligations under these Terms.

12. GOVERNING LAW

12.1. This Agreement shall be governed by the Applicable Law of the Territory where the Service is delivered; however, where the Service is delivered in multiple territories, the laws of England and Wales shall apply.

12.2. For questions or more information on our data protection and privacy policies contact us at compliance@usesmileid.com with the subject line: Data Protection.

13. DISPUTE RESOLUTION

13.1. Any dispute, controversy, difference, claim or question which may arise at any time between the Parties touching upon the construction of this Agreement, on their respective rights and liabilities with respect hereto or otherwise arising in respect of matters the subject of this Agreement shall be dealt with amicably between the Parties.

13.2. Any disputes arising under or in connection with the validity, interpretation and performance of this Agreement between Smile ID, Customer and/or any third parties that cannot be resolved amicably by the Parties through negotiation within thirty (30) calendar days shall be resolved by arbitration.

13.3. Where the Services are delivered in only one territory, the forum shall be any arbitration panel/tribunal or centre established under Applicable Law (the “Domestic Tribunal”), and the rules of the Domestic Tribunal shall apply. The seat of arbitration shall be the territory in which the services are delivered. The number of arbitrators shall be one. The arbitrator shall be appointed by the Domestic Tribunal.

13.4. Where the Services are delivered in multiple territories, the dispute shall be resolved by the London Court of International Arbitration (LCIA) in accordance with the LCIA Rules and the seat of arbitration shall be London. The number of arbitrators shall be one. The arbitrator shall be appointed by the LCIA.