These SardineAI Pass-Through Terms (these “Terms”) govern the use by the customer that has contracted with Linker Finance, Inc. (“Linker Finance”) to purchase subscriptions to use the Services (“Customer”) provided by SardineAI Corp. (“SardineAI”), pursuant to one or more agreements (each, an “Order”) between Customer and Linker Finance and/or its affiliates that reference these Terms. These Terms are deemed incorporated by reference into the Order to which these Terms are referenced or attached.
- Definitions.
- “API” means the application programming interface for sending data to or receiving data from the Services and any libraries made available to Customer for accessing the foregoing.
- “Authorized Purpose” means fraud and compliance purposes that are conducted by Customer in compliance with these Terms.
- “Customer Data” means, collectively, Provided Data and Submitted Data.
- “Dashboard” means the web-based user interface for Customer to access portions of the Services.
- “Documentation” means any user instructions, manuals, on-line help files, or other materials that are provided by SardineAI in connection with the SDK, API, or Services.
- “Employee Users” means Customer’s employees or contractor personnel authorized by Customer to access and use the Services in connection with the Authorized Purpose.
- “End Users” means the individual end users of Customer’s web-based platforms or mobile applications whose attributes are to be provided to the Services for purposes of performing fraud detection and identity verification.
- “Provided Data” means any risk scores or other data pertaining to End Users that is provided by SardineAI to Customer via the Services.
- “SardineAI Technology” means, collectively, the Services, API, SDK, Dashboard, Documentation, and any other services to be provided pursuant to these Terms.
- “SDK” means the software development kit that is capable of being embedded into and integrated with Customer’s web based platforms and mobile applications.
- “Services” means SardineAI’s proprietary technology platform and services provided hereunder.
- “Submitted Data” means any data pertaining to End Users that is collected by SardineAI through the Services or submitted by Customer, Customer Data, or End Users to the Services via the SDK or API.
- Services; API and SDK.
- Services. Subject to Customer’s ongoing compliance with the terms of these Terms, SardineAI hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable, internal right commencing on the service start date set forth on the applicable Order and continuing for duration of such Order (the “Order Term”) to access and use, and allow Employee Users to access and use the Services solely for Customer’s internal business purposes in connection with the Authorized Purpose subject to any limitations set forth in the Order.
- API and SDK License. Subject to Customer’s ongoing compliance with the terms of these Terms, SardineAI hereby grants Customer a non-exclusive, non-transferable, non-sublicensable, internal use only license, during the period of time commencing on the service start date set forth in an Order and continuing for the duration of the applicable Order Term to: (i) integrate and embed the SDK into and make the SDK available to End Users through Customer’s mobile applications and web based platforms, and (ii) use the API to submit to and obtain information from the Services in accordance with any associated Documentation for the Authorized Purpose.
- Professional Services. SardineAI will own and retain all right, title, and interest, including all intellectual property and proprietary rights, in and to any work product or deliverables created in connection with the professional services. Nothing in these Terms or any attachment hereto shall be understood to prevent SardineAI from developing similar work product or deliverables for other customers.
- Customer Obligations.
- Use Restrictions. Customer shall not, directly or indirectly, and shall not authorize any third party to: (i) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code, algorithms, or associated know-how of the SardineAI Technology or results provided in connection with professional services; (ii) write or develop any program based upon the SardineAI Technology or any portion of any of the foregoing, or otherwise use the SardineAI Technology in any manner for the purpose of developing, distributing or making available products or services that compete with the SardineAI Technology; (iii) sell, sublicense, transfer, assign, lease, rent, distribute, or grant a security interest in the SardineAI Technology or any rights to any of the foregoing; (iv) permit the SardineAI Technology to be accessed or used by any persons other than Employee Users and End Users accessing or using the SardineAI Technology in accordance with these Terms; (v) alter or remove any trademarks or proprietary notices contained in or on the SardineAI Technology; (vi) circumvent or otherwise interfere with any authentication or security measures of the SardineAI Technology or otherwise interfere with or disrupt the integrity or performance of the foregoing; (vii) without SardineAI’s prior written consent, use the Services or Provided Data in connection with its interactions with End Users who are not residents of the United States. Customer acknowledges that SardineAI may, but is under no obligation to monitor Customer’s use of the Services. SardineAI may suspend Customer’s, or an Employee User’s access to the Services for any period during which Customer or an Employee User is, or SardineAI has a reasonable basis for alleging Customer or an Employee User is, in noncompliance with the foregoing.
- Compliance. Customer shall: (i) ensure that its Employee Users’ and its End Users’ use of the Service complies with these Terms, the DPA, and applicable law, (ii) use commercially reasonable efforts to prevent and terminate any unauthorized access to or use of the Services, and (ⅲ) promptly notify SardineAI of any unauthorized access to or use of the Services of which it becomes aware.
- Consents and Disclosures. Customer shall be solely responsible for: (i) providing any and all legally required notices and disclosures to End Users; (ii) offering all legally required choices to End Users to enable them to exercise any granted privacy rights, and (iii) for obtaining all informed consents from End Users required, to permit: (i) Customer to use the SardineAI Technology and receive the Services, including, without limitation, as described in Section 6 of these Terms; (ii) Customer’s provision of Submitted Data to SardineAI under these Terms; and (iii) SardineAI’s use, accessing, storing, and processing of the Submitted Data in accordance with these Terms, including without limitation, its use of automated decision making (“ADM”).
- Permitted Purposes. Customer and will: (i) only use Provided Data and any results obtained from the use of the Services solely in connection with the Authorized Purpose as it relates to operating its business and (ii) not disclose Provided Data to any third party. Customer acknowledges and agrees that, notwithstanding anything to the contrary herein, SardineAI may be obligated under applicable law to erase or delete certain Customer Data from the Services.
- Prohibited Purposes. Customer is prohibited from using the Services or Provided Data, in whole or in part, for the purpose of serving as a factor in establishing a person’s eligibility for credit, insurance, employment, or any other purpose authorized under the Fair Credit Reporting Act, 15 U.S.C. §1681, et seq. and Regulation V (“FCRA”) or any similar United States State statute. Customer further agrees that neither the Services nor the SardineAI Technology may be used to undertake ADM or profiling which produce potential legal affects concerning an individual or similarly affecting an individual. Specifically, in the EEA and the UK, neither the Services nor the SardineAI Technology are intended to be used for credit scoring, assessing creditworthiness, performing credit reporting or otherwise profiling an individual or opining on the financial health or legal posture of an individual unless done in a way that fully addresses the requirements of Article 22 of the General Data Protection Act (“GDPR”), as interpreted by applicable courts and regulatory bodies. In the United States, SardineAI is not a “credit reporting agency” or “consumer reporting agency” nor does it provide comparable services, regardless of terminology used under applicable law. Neither the Services nor Provided Data constitute a “consumer report” as those terms are defined by FCRA or other comparable statutes or regulations in an applicable United States jurisdiction. Irrespective of jurisdiction, Customer hereby certifies that it will not use the Services or Provided Data to determine, in whole or in part, an individual’s eligibility for any of the following products, services or transactions: (i) credit or insurance to be used primarily for personal, family or household purposes; (ii) employment purposes; (iii) benefits, tenancy (including, without limitation, deciding whether to lease a commercial or residential property) or educational admission considerations; or (iv) in connection with a business transaction initiated by an individual consumer for personal, family or household purposes, including whether an individual meets the terms of a customer account; or (v) any other product, service or transaction in connection with which a consumer report may be used under applicable laws, including, without limitation, check-cashing or the opening of a deposit or transaction account. SardineAI makes no representation or warranty as to the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of any person. Customer shall not use the Services in order to take any “adverse action” as that term is defined in the FCRA and the Equal Credit Opportunity Act, 15 U.S.C. § 1691, et seq., or for a purpose that could have an adverse legal effect on an individual, however defined under applicable data and consumer protection laws. Without limiting the foregoing, Customer may use, except as otherwise prohibited or limited by these Terms (including the restrictions contained above), the Services or Provided Data for the purpose of (i) verifying or authenticate an individual’s identity or (ii) preventing or detecting fraud or other unlawful activity
- Data Processing and Security. SardineAI and any affiliates involved in processing Customer Data, will access, use, and otherwise process any Personal Information contained therein, in accordance with the terms of the Data Processing Addendum attached hereto as Exhibit A (the “DPA”). SardineAI has implemented and will maintain technical, organizational, and physical safeguards to protect Personal Information as further described in the DPA.
- Proprietary Rights.
- Intellectual Property Rights. Customer acknowledges that SardineAI owns and retains all rights, title, and interest, including all intellectual property rights, in and to the SardineAI Technology, including all technology, software, algorithms, user interfaces, trade secrets, techniques, designs, inventions, works of authorship, and other tangible and intangible material and information pertaining thereto or included therein, and nothing in these Terms shall preclude or restrict SardineAI from using or exploiting any concepts, ideas, techniques or know-how of or related to the SardineAI Technology or otherwise arising in connection with SardineAI’s performance under these Terms. Other than as expressly set forth in these Terms or an Order, no licenses or other rights in or to the SardineAI Technology are granted to Customer and all such rights are hereby expressly reserved.
- Fraud Feedback. Customer agrees to provide to SardineAI on an ongoing basis comprehensive data related to all End User outcomes that were assessed, in whole or in part, using the Services (“Fraud Feedback”). As used herein Fraud Feedback will include End User KYC or other onboarding process, End User transactions, assessments of End User devices, and other outcomes that are processed and/or risk assessed using the Services. Fraud Feedback is a critical component of the Services’ ability to perform risk assessments, detect and prevent fraud, validate identities, and other fraud-related activities performed by the Services. Customer shall deliver the Fraud Feedback data to SardineAI via the API endpoints designated by SardineAI, including, without limitation, SardineAI’s Feedback API. Fraud Feedback shall be clearly associated with each corresponding End User event that was processed and/or risk assessed using the Services to ensure a direct linkage between the initial assessment and the ultimate outcome. Customer shall adhere to the data formats, transmission protocols, and security requirements for Fraud Feedback set forth in the Documentation, or otherwise reasonably specified by SardineAI. Customer represents and warrants that all Fraud Feedback provided to SardineAI shall be accurate, complete, and provided in a timely manner, enabling SardineAI to effectively utilize such data to provide and improve the Services.
- Fraud Consortium; License to Customer Data. Customer wishes to participate in the consortium of SardineAI customers (the “Fraud Consortium”) that leverages data and insights contributed by consortium members to promote detection of fraudulent or potentially fraudulent activity through the Services. Accordingly, Customer grants SardineAI and its Affiliates a worldwide, non-exclusive, irrevocable, royalty-free license to use Customer Data, including, without limitation, Fraud Feedback, for a period of seven (7) years from SardineAI’s receipt of each element of Customer Data, to support operation and further development the Fraud Consortium, including by sharing Customer Data with other consortium members in a manner that does not identify Customer and by Combining Customer data with other data, including data derived from third-party sources, machine learning, and artificial intelligence applications. Notwithstanding the foregoing or any other provision of this Agreement, SardineAI shall only use Customer Data in conformity with the terms of these Terms, the DPA, and all applicable laws, including laws pertaining to individual privacy and security.
- Requests and Suggestions. Customer may, from time to time, provide SardineAI with requests or suggestions for improvements to or expansions of the Services, including, without limitation new features, functionalities, or product offerings. SardineAI may use and exploit in any manner, on a worldwide, irrevocable, perpetual, royalty-free basis, any such requests or suggestions regarding the Services, provided that SardineAI shall not publicize or otherwise disclose Customer’s involvement therein.
- Customer Data. Customer acknowledges and agrees that, notwithstanding anything to the contrary herein, SardineAI may, in its sole discretion, erase or delete from the Services any Customer Data that it reasonably believes is illegal, harmful, objectionable, lewd, not related to the function of or necessary for the use of the Services, or that SardineAI determines may, as a result of SardineAI possessing such data, harm SardineAI’s business or reputation.
- Limitation of Liability. IN NO EVENT WILL SARDINEAI’S AGGREGATE LIABILITY AND DAMAGES ARISING OUT OF THESE TERMS EXCEED THE AMOUNTS ACTUALLY PAID BY CUSTOMER FOR THE SERVICES DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE OF THE CLAIM. THE LIMITATIONS AND DISCLAIMERS OF LIABILITY SET FORTH IN THIS SECTION WILL APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THESE TERMS IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE AND REGARDLESS OF THE THEORY OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY, SARDINEAI AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE TO CUSTOMER WITH RESPECT TO ANY SUBJECT MATTER OF THESE TERMS OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (a) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR INFORMATION OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (b) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, PUNITIVE, RELIANCE, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (c) FOR ANY MATTER BEYOND SARDINEAI’S REASONABLE CONTROL; OR (d) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER FOR THE SERVICES IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT SARDINEAI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, SARDINEAI HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY AND ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, LOSS OF DATA, OR ACCURACY OF RESULTS. SARDINEAI DOES NOT WARRANT THAT THE SARDINEAI TECHNOLOGY WILL BE ERROR-FREE, UNINTERRUPTED, OR COMPATIBLE WITH ANY PARTICULAR DEVICE, THAT ANY DATA PROVIDED BY OR THROUGH THE SARDINEAI TECHNOLOGY, INCLUDING PROVIDED DATA, WILL BE ACCURATE OR COMPLETE, OR, EXCEPT AS EXPRESSLY SET FORTH HEREIN, THAT SARDINEAI’S SECURITY MEASURES WILL BE SUFFICIENT TO PREVENT THIRD PARTY ACCESS TO CUSTOMER DATA. CUSTOMER ACKNOWLEDGES AND AGREES THAT (i) SARDINEAI AND THE SERVICES ONLY PROVIDE INFORMATION TO ASSIST CUSTOMER IN PERFORMING FRAUD AND ANOMALY DETECTION; (ii) SUCH INFORMATION IS NOT GUARANTEED TO BE ACCURATE OR TO SATISFY ANY LEGAL OR THIRD-PARTY STANDARD RELATING TO FRAUD AND ANOMALY DETECTION; AND (iii) CUSTOMER BEARS ALL RESPONSIBILITY, AND SARDINEAI WILL HAVE NO LIABILITY FOR DECISIONS BASED ON ANY PROVIDED DATA, OR ANY OTHER INFORMATION PROVIDED TO CUSTOMER VIA THE SERVICES OR BY SARDINEAI.
- General Provisions.
- Governing Law. These Terms shall be governed by and construed under the laws of the State of California without reference to conflict of laws principles. The application of the United Nations Convention on Contracts for The International Sale of Goods is expressly excluded. Subject first to Section 9(b), if a lawsuit or court proceeding is permitted under these Terms, the parties will be subject to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California, and the parties hereby agree and consent to the exclusive jurisdiction and venue of such courts.
- Arbitration. CUSTOMER AND SARDINEAI AGREE TO RESOLVE ALL DISPUTES ARISING UNDER OR IN CONNECTION WITH THESE TERMS THROUGH BINDING ARBITRATION. A PARTY WHO INTENDS TO SEEK ARBITRATION MUST FIRST SEND A WRITTEN NOTICE OF THE DISPUTE TO THE OTHER PARTY. THE PARTIES WILL USE GOOD FAITH EFFORTS TO RESOLVE THE DISPUTE DIRECTLY, BUT IF THE PARTIES DO NOT REACH AN AGREEMENT TO DO SO WITHIN 30 DAYS AFTER THE NOTICE IS RECEIVED, EITHER PARTY MAY COMMENCE AN ARBITRATION PROCEEDING. THE ARBITRATION WILL BE CONDUCTED IN ACCORDANCE WITH THE APPLICABLE RULES OF THE AMERICAN ARBITRATION ASSOCIATION (the “AAA RULES”). THE ARBITRATION WILL BE CONDUCTED IN ENGLISH IN SAN FRANCISCO, CALIFORNIA, USA. IF THE PARTIES DO NOT AGREE ON AN ARBITRATOR, THE ARBITRATOR WILL BE SELECTED IN ACCORDANCE WITH THE APPLICABLE RULES OF THE AAA FOR THE APPOINTMENT OF AN ARBITRATOR. THE SELECTION OF AN ARBITRATOR UNDER THE RULES OF THE AAA WILL BE FINAL AND BINDING ON THE PARTIES. THE ARBITRATOR MUST BE INDEPENDENT OF THE PARTIES. THE ARBITRATOR’S DECISION WILL BE FINAL AND BINDING ON BOTH PARTIES, AND THE ARBITRATOR MUST ISSUE A REASONED WRITTEN DECISION SUFFICIENT TO EXPLAIN THE ESSENTIAL FINDINGS AND CONCLUSIONS ON WHICH THE DECISION AND AWARD, IF ANY, ARE BASED. THE COSTS AND EXPENSES OF THE ARBITRATION WILL BE SHARED EQUALLY BY BOTH PARTIES; HOWEVER, IF THE ARBITRATOR FINDS THAT EITHER THE SUBSTANCE OF THE CLAIM OR THE RELIEF SOUGHT IN ARBITRATION IS FRIVOLOUS OR BROUGHT FOR AN IMPROPER PURPOSE (AS MEASURED BY THE STANDARDS SET FORTH IN FEDERAL RULE OF CIVIL PROCEDURE 11(b)), THEN THE PAYMENT OF ALL FEES WILL BE GOVERNED BY THE AAA RULES. NOTWITHSTANDING THE FOREGOING, THIS SECTION WILL NOT PROHIBIT EITHER PARTY FROM: (i) BRINGING AN INDIVIDUAL ACTION IN SMALL CLAIMS COURT; (ii) SEEKING INJUNCTIVE OR OTHER EQUITABLE RELIEF IN A COURT OF COMPETENT JURISDICTION; (iii) PURSUING AN ENFORCEMENT ACTION THROUGH THE APPLICABLE FEDERAL, STATE, OR LOCAL AGENCY IF THAT ACTION IS AVAILABLE; OR (iv) FILING SUIT IN A COURT OF LAW TO ADDRESS AN INTELLECTUAL PROPERTY INFRINGEMENT OR MISAPPROPRIATION CLAIM. IF THIS SECTION IS FOUND TO BE UNENFORCEABLE, THE PARTIES AGREE THAT THE EXCLUSIVE JURISDICTION AND VENUE DESCRIBED IN SECTION 9(a) WILL GOVERN ANY ACTION ARISING OUT OF OR RELATED TO THESE TERMS.
- Third Party Beneficiary. SardineAI is an intended third-party beneficiary of these Terms and is entitled to enforce all provisions set forth herein.
- Miscellaneous. If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that these Terms will otherwise remain in full force and effect and enforceable.
EXHIBIT A
Data Processing Addendum
This Data Processing Addendum (this “DPA”) is entered into between SardineAI Corp. (“SardineAI”) and the customer that has contracted with Linker Finance, Inc. (“Linker Finance”) to purchase subscriptions to use the Services (“Customer”) provided by SardineAI, and sets forth the terms upon which SardineAI will process Personal Data pursuant to one or more agreements (collectively, the “Agreement”) between Customer and Linker Finance and/or its affiliates.
In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall govern with respect to the subject matter of this DPA as it relates to the Services provided by SardineAI to the extent of the conflict, and the Agreement will govern in all other respects. Any capitalized terms not defined herein shall have the meaning prescribed to them in the Agreement.
- Definitions.
- “Applicable Data Protection Law” means Any data protection or privacy laws applicable to SardineAI’s processing of Customer’s Personal Data under the Agreement, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time, including, as applicable:
- The (1) California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), (2) Virginia Consumer Data Protection Act, (3) Colorado Privacy Act, (4) Connecticut Data Privacy Act, (5) Utah Consumer Privacy Act, (6) Oregon Consumer Privacy Act, (7) Texas Data Privacy and Security Act, (8) Montana Consumer Data Privacy Act and (9) once effective, similar comprehensive privacy laws in other U.S. states (collectively, “U.S. Data Protection Laws”);
- The (1) EU e-Privacy Directive (Directive 2002/58/EC), (2) General Data Protection Regulation (EU) 2016/679 and any applicable national implementing laws (“GDPR”), (3) UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (“UK DPA”), and (4) Swiss Federal Data Protection Act (“Swiss FDPA”), in each case as may be supplemented, updated or superseded from time to time (collectively, “European Data Protection Laws”);
- Canada’s Personal Information Protection and Electronic Documents Act 2000 (“PIPEDA”); and
- The Brazilian Data Protection Law, Law N. 13.709 from August 14th, 2018 (“LGPD”).
- "controller", "processor", "data subject", "personal data", “personal data breach”, "processing" (and "process"), and “special category” shall have the meanings given in European Data Protection Law; provided, however, that:
- To the extent that CCPA is applicable, the definition of “personal data” includes “personal information”; the definition of “data subject” includes “consumer”; the definition of “controller” includes “business”; and the definition of “processor” includes “service provider”, all as defined under the CCPA; and
- To the extent that neither the European Data Protection Law nor CCPA is applicable, the foregoing terms shall have the meanings given under the Applicable Data Protection Law.
- “Data Privacy Framework” means the: EU-U.S. and/or the Swiss- U.S. Data Privacy Framework (“DPF”), including, where applicable, the UK Extension to the DPF, which is operated by the U.S. Department of Commerce.
- “Personal Data” means information or that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, data subject, or household or is defined as “personally identifiable information,” “personal information,” “personal data,” or similar terms under Applicable Data Protection Law.
- “Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area (“EEA”) which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK DPA; (iii) where the Swiss FDPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner, and (iv) where LGPD applies, a transfer of personal data from Brazil to a country outside of Brazil which does not provide an adequate level of protection within the meaning of LGPD.
- “Standard Contractual Clauses” means, any such standard contracts, standard contractual clauses or such other standardized frameworks authorizing the international transfer of Personal Data to controllers or processors established in third countries under Applicable Data Protection Law, and shall in all cases be understood to reflect the most recent version of the same, as revised under Applicable Data Protection Law from time to time and accepted by the Parties. Specifically, Standard Contractual Clauses shall mean: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR, as amended by the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018 (“UK SCCs”); (iii) where the Swiss FDPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”).
- “Subprocessor” means any entity that SardineAI engages to process Personal Data on behalf of SardineAI in connection with providing the Services (as defined in the Agreement), which entities may include Affiliates (as defined in the Agreement) of SardineAI.
- Relationship of the Parties; Nature of Processing.
- SardineAI as a Processor. The Parties acknowledge and agree that, except as provided in Section 2(b) of this DPA, Customer may act either as a controller or processor and SardineAI acts as a processor with respect to the processing of Personal Data. In such cases, the provisions of Section 3 of this DPA shall apply.
- SardineAI as a Controller. The Parties acknowledge and agree that, when SardineAI uses Personal Information for purposes of: (i) deriving insights from such Personal Information, (ii) combining such Personal Information with data from third parties, including other customers of SardineAI, (iii) developing, operating, and improving machine learning and artificial intelligence technologies, and/or (iv) operating fraud detection consortia, SardineAI may act as an independent controller. In such cases, SardineAI will process Personal Data as a controller in accordance with this DPA, the Agreement, and Applicable Data Protection Law.
- Terms Applicable to SardineAI as a Processor.
- Application. When SardineAI processes Personal Data as a processor on Customer’s behalf (and not when SardineAI processes Personal Data as a controller), the terms in this Section 3 shall apply.
- Instructions. Customer hereby instructs and authorizes SardineAI to process Personal Data solely for the following purposes: (i) processing in accordance with the Agreement; (ii) processing initiated by Customer’s end users in their use of the Services; and (iii) processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement, SardineAI shall process the Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law to which SardineAI is subject; in such a case, SardineAI shall inform Customer of that legal requirement before processing the Personal Data, unless that law prohibits such disclosure. The Agreement and this DPA constitute Customer’s complete and final documented instructions, and any additional or alternate instructions must be agreed upon separately in writing. Where SardineAI follows Customer’s instructions, Customer will use commercially reasonable efforts to ensure that Customer’s instructions will not cause SardineAI to violate any applicable laws, rules, or regulations, or contractual obligations, and SardineAI will inform Customer if it believes following Customer’s instructions will cause SardineAI to violate any applicable laws, rules, or regulations.
- Subject Matter, Duration, Data Subjects, and Types.
- The subject matter of the processing is provision of Services to Customer pursuant to the Agreement.
- The duration of the processing is for the duration of the Agreement except where otherwise required by applicable law or legal obligation.
- The categories of data subjects or consumers about whom SardineAI processes Personal Data are determined and controlled by Customer, in Customer’s sole discretion, which may include, but are not limited to, Customer’s end users.
- The types of Personal Data are determined and controlled by Customer, in Customer’s sole discretion, which may include, but are not limited to, IP address, email address, username and password, billing and shipping address, phone number, and transaction information.
- CCPA. For any Personal Data subject to CCPA, SardineAI agrees and certifies that it shall not: (i) sell or share the Personal Data; (ii) retain, use, or disclose the Personal Data for any purpose, including a commercial purpose, other than for the specific purpose of performing the Services or as otherwise permitted of a service provider by CCPA; (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between SardineAI and Customer or (iv) combine the Personal Data with personal information that SardineAI receives from or on behalf of another person, or collects from its own interaction with the data subject, provided that SardineAI may combine personal information to perform any business purpose as otherwise permitted of a service provider by CCPA. If SardineAI engages any other person to assist it in processing Personal Data for a business purpose on behalf of Customer, or if any other person engaged by SardineAI engages another person to assist in processing Personal Data for such business purpose, it shall notify Customer in accordance with Section 3(e) below of such engagement, and the engagement shall be pursuant to a written contract binding the other person to observe requirements at least as protective as those set forth in this Section 3(d).
- Subprocessors.
- Customer hereby provides SardineAI with general written authorization to engage Subprocessors to assist in the performance of the Services, as set out in Schedule 2 hereto with changes being permitted pursuant to Section 3(e)(ii) below. SardineAI shall enter into a written agreement with each Subprocessor containing data protection obligations no less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the service provided by the Subprocessor. SardineAI shall be liable for the acts and omissions of its Subprocessors to the same extent SardineAI would be liable if performing the service of each Subprocessor directly under the terms of the Agreement.
- SardineAI will provide notification of new Subprocessors no less than fifteen (15) business days before authorizing any new Subprocessors to process Personal Data in connection with SardineAI’s provision of the Services to Customer. Customer may object to SardineAI’s use of a new Subprocessor by notifying SardineAI promptly in writing within ten (10) business days after receipt of SardineAI’s notice. In the event Customer object to a new Subprocessor, SardineAI will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of the Personal Data by the objected-to new Subprocessors without unreasonably burdening Customer. If SardineAI is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services which cannot be provided by SardineAI without the use of the objected-to new Subprocessor by providing written notice to SardineAI. SardineAI will refund Customer any prepaid fees covering the remainder of the term following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
- Data Subject Requests. SardineAI shall, to the extent legally permitted, promptly notify Customer if SardineAI receives a request from a data subject or consumer to exercise their rights under Applicable Data Protection Law (“Data Subject Request”). Taking into account the nature of the processing, SardineAI shall assist Customer in the fulfillment of Customer’s obligation to respond to the Data Subject Request. Customer acknowledges and agrees that SardineAI may not be able to fulfill a Data Subject Request where to do so would violate laws applicable to SardineAI, would interfere with SardineAI’s ability to meet legal obligations or protect its rights or those of a third party, or would prevent SardineAI from continuing to process Personal Data where it has a legitimate interest in doing so.
- Data Protection Impact Assessments. SardineAI shall provide Customer with reasonable cooperation and assistance as needed and appropriate to fulfill Customer’s obligations under Applicable Data Protection Law to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer do not otherwise have access to the relevant information, and to the extent such information is available to SardineAI. SardineAI shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to the data protection impact assessment, to the extent required under Applicable Data Protection Law.
- Audit. Subject to the confidentiality provisions set forth in the Agreement, Customer may make a written request at reasonable intervals that SardineAI make available to Customer a copy of SardineAI’s then most recent third-party audit with respect to its privacy and data protection practices, as applicable. If following SardineAI’s delivery of such report Customer wishes further information necessary to demonstrate SardineAI’s compliance with its obligations as a processor or service provider, then SardineAI agrees at the written request from Customer to submit, to the extent reasonably possible, any facilities where it processes Personal Data on behalf of Customer for audit to ascertain compliance, and agrees to other reasonable audit requests Customer make, including, but not limited to off-site assessment measures like penetration testing, surveys, and interviews of SardineAI personnel. Such audit shall be carried out upon the reasonable request of Customer, with reasonable notice, at reasonable intervals (no greater than twice per year), during normal business hours, and subject to the confidentiality provisions set forth in the Agreement. Customer is responsible for and shall reimburse SardineAI for any reasonable expenses associated with the audit. Customer must receive written approval from SardineAI, before using any third-party auditor, and such third-party auditor must submit to a duty of confidentiality with respect to the audit. Notwithstanding any of the foregoing rights, Customer shall also be entitled to an audit following the occurrence of an actual Data Incident (as defined below). In accordance with Section 3(j) below, SardineAI shall bear the costs associated with an audit after an actual Data Incident.
- Security. SardineAI shall maintain appropriate technical and organizational measures for the protection of the security, confidentiality, and integrity of Personal Data (including protection against unauthorized or unlawful access, unauthorized or unlawful processing and against accidental or unlawful destruction, loss, or alteration or damage, unauthorized disclosure of, or access to, Personal Data), including as further set out in Schedule 3 hereto, consistent with similarly situated entities in its industry and any industry standard and codes of conduct to which it is subject. SardineAI regularly monitors compliance with these measures and may update such measures from time to time, so long as such updates will not materially decrease the overall security of the Services during the provision of the Services pursuant to the Agreement. SardineAI shall ensure that persons authorized to carry out processing have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality.
- Incident Management and Notification. SardineAI maintains appropriate security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed by SardineAI on behalf of Customer (a “Data Incident”), in any case within forty-eight hours (or shorter if required by applicable law) of becoming aware of such a Data Incident. SardineAI shall make reasonable efforts to identify the cause of such Data Incident and take steps as SardineAI deems necessary and reasonable to remediate the cause of such a Data Incident to the extent the remediation is within SardineAI’s reasonable control. SardineAI shall have no responsibility to Customer for Data Incidents caused solely by the willful misconduct of Customer or Customer’s end users.
- The initial notice of the Data Incident shall be timely supplemented in the detail reasonably requested by Company, inclusive of relevant forensic reports. SardineAI shall promptly take all necessary and advisable corrective actions on an ongoing basis and shall cooperate fully with Customer in all reasonable efforts to mitigate the adverse effects of the actual Data Breach and to prevent its recurrence. The parties will collaborate on whether any notice of the actual Data Incident is required to be given to any person, and if so, on the content of that notice. SardineAI will bear all reasonable, actual and documented costs of the notice if the Data Incident arose from SardineAI’s breach of its obligations under this DPA. If Customer reasonably determines that the actual Data Incident is likely to have a substantial adverse impact on Customer’s relationship with its end users, customers, clients, suppliers or otherwise harm its reputation, Customer may suspend the Services or terminate the Agreement.
- Return and Deletion. Upon Customer’s written request, SardineAI will return or delete Personal Data processed by SardineAI on behalf of Customer. SardineAI may retain Personal Data where necessary for SardineAI to comply with applicable law or legal obligations, or to protect its rights or those of a third party.
- Customer’s Obligations. SardineAI requires, and Customer hereby represents and warrants, that (i) Customer has provided any legally required notices and choices to individuals whose Personal Data may be processed by SardineAI, and has a lawful basis for Customer’s sharing, transmission, and processing of Personal Data from, with, to, and by SardineAI pursuant to the terms of the Agreement; (ii) Customer has complied with Applicable Data Protection Law; and (iii) any Personal Data provided by Customer has not been collected, stored, or transferred to SardineAI in violation of Applicable Data Protection Law. Customer shall not make any representations or warranties to Customer’s End Users contrary to the terms and conditions in the Agreement. Without limiting the preceding sentence, if Customer makes any representation or warranty to Customer’s End Users contrary to the terms and conditions in the Agreement, Customer shall be in violation of the terms of the Agreement and solely and exclusively responsible for such representation or warranty to the extent such representation or warranty differs from those in the Agreement and SardineAI shall have no liability for any such representation or warranty. In the event that the Standard Contractual Clauses are invalidated by a competent governmental authority, Customer will work with SardineAI to find an alternative legal basis for the transfer and continued processing of Personal Data in compliance with Applicable Data Protection Law pursuant to the terms of the Agreement. In the event no such basis is available or agreed upon by the Parties, both Parties shall cease processing the Personal Data and may terminate the Agreement pursuant to the terms of the Agreement.
- Liability. To the maximum extent permitted by applicable law, except as otherwise set forth in this DPA, each Party’s liability is subject to the disclaimers, limitations of liability, and indemnification obligations in the Agreement.
- International Transfers of Personal Data.
- The Parties agree that in the event any transfer of Personal Data from Customer (as “Data Exporter”) to SardineAI (as “Data Importer”) is a Restricted Transfer, such transfer shall be conducted pursuant to the DPF, to the extent that: (i) the DPF is applicable; (ii) the DPF remains recognized as a valid transfer mechanism under the European Data Protection Laws; and (iii) SardineAI remains self-certified under the DPF. In all other instances, Restricted Transfers shall be conducted pursuant to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form a part of this DPA, as follows:
- In relation to transfers of Personal Data that is protected by the GDPR and processed in accordance with Section 2(a) of this DPA, the EU SCCs shall apply, completed as follows:
- Module Two or Module Three will apply (as applicable);
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 3(e)(ii) of this DPA;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1.1 to this DPA; and
- Subject to section 6(i) of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;
- In relation to transfers of personal data protected by the GDPR and processed in accordance with Section 2(b) of this DPA, the EU SCCs shall apply, completed as follows:
- Module One will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1.2 to this DPA; and
- Subject to the language provided in Section 3(i) of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 3 to this DPA;
- In relation to transfers of personal data protected by the UK GDPR or the Swiss FDPA or LGPD, the EU SCCs will also apply in accordance with paragraphs (i) and (ii) above, with the following modifications:
- references to “Regulation (EU) 2016/679” shall be interpreted as references to UK GDPR or the Swiss FDPA or LGPD (as applicable);
- references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the UK GDPR or the Swiss FDPA or LGPD (as applicable);
- references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to the “UK” or “Switzerland” or “Brazil”, or “UK law” or “Swiss law” or “Brazilian law” (as applicable);
- the term “member state” shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland or Brazil from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland or Brazil);
- Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner or Brazil Data Protection Authority (as applicable);
- references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” or the “Brazil Data Protection Authority” and “courts of Brazil” (as applicable);
- in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland or Brazil (as applicable); and
- with respect to transfers to which UK GDPR applies, Clause 18 shall be amended to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the Data Exporter and/or Data Importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”, and with respect to transfers to which the Swiss FDPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland, unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer such personal data in compliance with the UK GDPR or Swiss FDPA in which case the UK SCCs or the Swiss SCCs (as applicable) shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs or the Swiss SCCs shall be populated using the information contained in Schedules 1.1, 1.2 and 3 of the DPA (as applicable).
- It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses shall prevail to the extent of such conflict.
By the signatures of their duly authorized representatives, below, SardineAI and Customer enter into and agree to be bound by the terms of this DPA as of the Effective Date.
SARDINEAI
SardineAI Corp.
By:
Name:
Title:
Date:
CUSTOMER
By:
Name:
Title:
Date:
Schedule 1.1
Description of Processing / Transfer
Modules 2 and 3 (controller/processor to processor transfers)
A. LIST OF PARTIES
Data Exporter(s):
Name:
Customer.
Address
Customer’s address as provided in the Agreement.
Contact person’s name, position and contact details:
The contact person, their position and contact details provided by Customer to SardineAI.
Activities relevant to the data transferred under these Clauses:
Providing data for the purpose of utilizing the Services.
Role:
Controller/Processor.
Data Importer:
Name:
SardineAI.
Address:
SardineAI’s address as provided in the Agreement.
Contact person’s name, position and contact details:
privacy@sardine.ai.
Activities relevant to the data transferred under these Clauses:
Providing the Services described in the Agreement, which may include, without limitation, providing fraud and risk analysis and data relating to name, email address, address, IP address, device identifiers and biometric information, and phone number.
Role:
Processor.
В. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
End users of the Data Exporter and those of its customers, business partners, and other third parties.
Categories of personal data transferred:
The personal data transferred is based on the specific Services used pursuant to the Agreement, which may include, without limitation, providing fraud and risk analysis and data relating to name, email address, address, IP address, device identifiers and biometric information, and phone number.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Device identifiers and biometric information may be transferred subject to the terms and safeguards provided in the Agreement and this DPA.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous: the data will be transferred periodically over the term of the Agreement.
Nature of the processing:
The personal data transferred will be subject to the following basic processing activities (as applicable): providing fraud and risk analysis.
Purpose(s) of the data transfer and further processing:
Based on the Services used pursuant to the Agreement, including, without limitation, fraud detection and related Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal data shall be retained for the minimum periods deemed necessary or useful by Data Importer to provide the Services to Data Exporter unless otherwise required by law or contract, or pursuant to Data Importer’s record retention policies.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Subprocessors are used by Data Importer throughout the term of the Agreement. The current Subprocessors used by Data importer are set forth in Schedule 2.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs (where applicable)
For transfers to which the GDPR applies – the competent supervisory authority will be determined in accordance with the criteria set forth in Clause 13 of the EU SCCs, provided that if the Data Exporter is not established in an EU Member State and has not appointed a representative, the Irish Supervisory Authority shall act as the competent supervisory authority.
For transfers to which LGPD applies the competent supervisory authority is the Brazil Data Protection Authority.
For transfers to which the UK GDPR applies the competent supervisory authority is the UK Information Commissioner’s Office.
For transfers to which the Swiss DPA applies the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Schedule 1.2
Description of Processing / Transfer
Module 1 (controller to controller transfers)
A. LIST OF PARTIES
Data Exporter(s):
Name:
Customer.
Address
Customer’s address as provided in the Agreement.
Contact person’s name, position and contact details:
The contact person, their position and contact details provided by Customer to SardineAI.
Activities relevant to the data transferred under these Clauses:
Providing data for the purpose of utilizing and/or improving the Services.
Role:
Controller/Processor.
Data Importer:
Name:
SardineAI.
Address:
SardineAI’s address as provided in the Agreement.
Contact person’s name, position and contact details:
privacy@sardine.ai.
Activities relevant to the data transferred under these Clauses:
Providing and improving the Services described in the Agreement, which may include, without limitation, providing fraud and risk analysis and data relating to name, email address, address, IP address, device identifiers and biometric information, and phone number.
Role:
Controller.
В. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
End users of the Data Exporter and those of its customers, business partners, and other third parties.
Categories of personal data transferred:
The personal data transferred is based on the specific Services used pursuant to the Agreement, which may include, without limitation, providing fraud and risk analysis and data relating to name, email address, address, IP address, device identifiers and biometric information, and phone number.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
Device identifiers and biometric information may be transferred subject to the terms and safeguards provided in the Agreement and this DPA.
The frequency of the transfer (e.g. whether the data is transferred on a oneoff or continuous basis):
Continuous: the data will be transferred periodically over the term of the Agreement.
Nature of the processing:
Data Importer processes and aggregates personal data provided by Data Exporter with data received from other sources (including other licensees) for the purpose of providing fraud detection and analysis pursuant to the Services and improving the Services.
Purpose(s) of the data transfer and further processing:
Based on the Services used pursuant to the Agreement, including, without limitation, fraud detection and related Services, as well as improving the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal data shall be retained for the minimum periods deemed necessary or useful by Data Importer to provide the Services to Data Exporter unless otherwise required by law or contract, or pursuant to Data Importer’s record retention policies.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the EU SCCs (where applicable)
For transfers to which the GDPR applies – the competent supervisory authority will be determined in accordance with the criteria set forth in Clause 13 of the EU SCCs, provided that if the Data Exporter is not established in an EU Member State and has not appointed a representative, the Irish Supervisory Authority shall act as the competent supervisory authority.
For transfers to which LGPD applies the competent supervisory authority is the Brazil Data Protection Authority.
For transfers to which the UK GDPR applies the competent supervisory authority is the UK Information Commissioner’s Office.
For transfers to which the Swiss DPA applies the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Schedule 2
Subprocessors
Subprocessor
Brief Description of Processing
Datacenter Location(s)
Amplitude, Inc.
Behavioral analytics
United States
AtData, LLC
Email address validation
United States
Data Zoo Pty Limited
Identity verification
United States
Experian Information Solutions, Inc.
Identity and credit card verification
United States
FullStory, Inc.
Behavioral analytics
United States
Google LLC (Google Cloud Platform)
Cloud-based data storage and infrastructure; large language model services
United States; European Union
Incode Technologies, Inc.
Identity verification
United States
JPMorgan Chase Bank, N.A. and Early Warning Services, LLC
Bank account verification and risk assessment
United States
Lob.com, Inc.
Address validation
United States
MicroBilt Corporation
Bank account validation and risk assessment
United States
Middesk Inc.
Identity verification
United States
People Data Labs, Inc.
Identity verification
United States
Plaid Inc.
Bank account validation
United States
Prove Identity, Inc.
Identity verification
United States
Regulatory DataCorp, Inc. (Moody’s)
Sanctions, PEP, and Adverse Media screening, Entity validation
United States
Telesign Corporation
Telephone number validation and risk assessment
United States
TRM Labs, Inc.
Blockchain transactions and analytics
United States
Unwired Labs (India) Pvt Ltd, (LocationIQ)
Geocoding
United States
ValidiFI, Inc.
Bank account verification and risk assessment
United States
Visa U.S.A. Inc.
Cardholder verification
United States
WorkOS, Inc.
Authentication and access control
United States
Schedule 3
Technical and Organizational Security Measures Implemented by SardineAI
Organizational safeguards.
- SardineAI has a full-time team dedicated to our security, compliance, and privacy program. SardineAI’s security program is based on NIST 800-53 and we annually review our security program along with our policies and standards. SardineAI has appointed one or more officers responsible for coordinating and monitoring the information technology rules and procedures.
- SardineAI maintains SOC 2 Type II certification to demonstrate our security posture and commitment to security. It is audited annually by a qualified, external third-party.
Data security.
- SardineAI maintains and enforces various policies, standards, processes, and controls to secure data, based on the NIST 800-53 framework.
- Access is limited to data, and in some cases, such as credit card numbers, no employee has routine access.
- SardineAI has data security controls in place to do the following:
- Prevent unauthorized persons from gaining access to data processing systems (physical access control).
- Prevent data processing systems from being used without authorization (logical access control).
- Ensure that persons entitled to use data processing systems gain access only to such data as they are entitled to access in accordance with their access rights (data access control).
- Ensure that data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport or storage and that the target entities for any transfer of data by means of data transmission facilities can be established and verified (data transfer control).
- Ensure the establishment of an audit trail to document whether and by whom data has been entered into, modified in or removed from processing (entry control).
- Ensure that data is processed solely in accordance with the Instructions of the Data Controller (control of instructions).
- Ensure that data is protected against accidental destruction or loss (availability control).
- Ensure that data collected for different purposes can be processed separately (separation control).
- SardineAI conducts annual risk assessments to review and revise its information security practices and whenever there is a material change in SardineAI’s business practices.
Physical security.
- SardineAI does not have any physical facilities.
- Should SardineAI have facilities in the future, we will maintain commercially reasonable security at all of our facilities, including badged access and cameras, and will not store Customer data in any of our facilities, including backups.
Security controls.
SardineAI’s security program consists of many security policies, procedures, and controls. The following list highlights many of them:
- Application Security. SardineAI utilizes a Secure Development Lifecycle based on the OWASP Software Assurance Maturity Model (SAMM). (Formerly known as OpenSAMM).
- Vendor Security. SardineAI reviews and approves all vendors and sub-contractors that handle Personal Data to ensure they have appropriate security controls and reviews them periodically to ensure ongoing compliance.
- Media Destruction. When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of Personal Data stored on them.
- Risk Rated Assets. SardineAI has security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.
- Incident Response. All Security Incidents are managed in accordance with appropriate incident response procedures.
- Network Security. SardineAI maintains network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection and/or prevention systems, access control lists and routing protocols.
- Access Control. SardineAI will maintain appropriate access controls, including, but not limited to, restricting access to Personal Data to the minimum number of SardineAI personnel who require such access.
- Least Privilege. Access rights are implemented adhering to the “least privilege” approach. Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.
- User Roles. User administration procedures define user roles and their privileges, and how access is granted, changed and terminated; address appropriate segregation of duties and define the logging/monitoring requirements and mechanisms.
- Unique Logins. All employees of SardineAI are assigned unique User IDs.
- Secure Passwords. SardineAI implements commercially reasonable physical and electronic security to create and protect passwords.
- Encryption. SardineAI encrypts, using industry-standard encryption tools, all Sensitive Information in transit and at rest. SardineAI safeguards the security and confidentiality of all encryption keys associated with encrypted Sensitive Information.
- Virus and Malware Controls. SardineAI utilizes anti-virus and malware protection software to protect Sensitive Data from anticipated threats or hazards and protect against unauthorized access to or use of Personal Data.
- Training. SardineAI requires personnel to comply with its Information Security Program prior to providing personnel with access to Sensitive Information. SardineAI implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations, physical security controls, security best practices, and security incident reporting.
- Business Continuity. SardineAI implements appropriate disaster recovery and business continuity plans. SardineAI regularly reviews and updates its business continuity plan to ensure it is current and effective.