Master Service Agreement (Terms and Conditions)

Each Purchase Order submitted by Customer to Irisnet (“Provider”) is subject to these Terms and Conditions (these “Terms”).

This is a legal and enforceable contract between Irisnet GmbH and Customer. Customer is responsible for carefully reading all of the terms and conditions of this Agreement before submitting a Purchase Order, clicking “Complete Order (subject to payment)”, or accessing or using any service or product offered by Irisnet GmbH. By submitting a Purchase Order, or accessing or using any Product, Customer confirms that Customer has accessed online and/or been provided a copy of this Agreement and has read and accepts all of its terms and conditions in their entirety. Notwithstanding any different or additional terms Customer may reference or provide, Provider’s offer or acceptance to enter into an agreement with Customer with respect to any product or service is expressly limited to the terms and conditions contained in this Agreement and conditioned on the Customer’s consent to this Agreement.

AGREEMENT

1. Definitions

1.1         The definitions and rules of interpretation in this clause apply in this Agreement.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means these Terms and conditions contained herein, Schedules, and any amendments to this Agreement from time to time, together with a completed Purchase Order. For the avoidance of doubt, each Purchase Order between Customer and Provider forms one separate and distinct Agreement.

“Business Day” means any weekday other than a bank or public holiday in Düsseldorf, Germany.

“Confidential Information” means any information disclosed by or on behalf of a party (the “Disclosing Party”) to the other party (the “Receiving Party”) or its Representatives (as defined below) that would be regarded as confidential by a reasonable business person relating to the business, affairs, customers, clients, suppliers, plans, intentions, market opportunities, operations, processes, product information, knowhow, designs, trade secrets or software of a party or any of its Affiliates (but not information that is publicly known through no fault of the Receiving Party). Information shall not constitute Confidential Information for the purposes of this Agreement to the extent that the information (a) is or becomes publicly available through no fault of the Receiving Party; (b) is already in the Receiving Party’s lawful possession prior to the Disclosing Party’s disclosure; (c) is received by the Receiving Party from a third party without any restriction and without breach of any confidentiality obligation; or (d) is developed independently without assistance of the Disclosing Party and without the use of any information disclosed by the Disclosing Party.

“Current Subscription Period” means the current one-month period until the next Renewal Date.

“Customer” means any entity that purchases the Products from the Provider, as more particularly detailed in the Order Confirmation Email, or Purchase Order Form for Agreements not concluded through Irisnet’s website.

“Customer Data” means (a) the data inputted by Customer, or Irisnet on the Customer’s behalf, for the purpose of using the Products or facilitating Customer’s use of the Products, and (b) data inputted by and collected from End Users of the Customer Site (as defined below).

“Customer Site” means those website URLs and mobile/desktop/server applications (as applicable) owned and operated by Customer or a Customer Affiliate on which Customer elects, and the Provider agrees, to provide the Products.

“Effective Date” means the date on which the Provider accepts the Purchase Order of Customer, which shall also be the date on which the Provider supplies a license key to the live environment to Customer, or alternatively such date as specified in the Order Confirmation Email or Purchase Order Form.

“End User” means an end user (natural person) of the Customer Site(s)/services.

“Fees” means the Subscription Fees as such amounts are more particularly detailed in Section 5.1, or the relevant Purchase Order Form.

“Hosted Services” means the Products which will be made available by the Provider to the Customer as a Product via the Internet in accordance with this Agreement.

“Intellectual Property Rights” means all intellectual property rights in any part of the world, including patents, rights to inventions, utility models, copyright and related rights, trade and service marks, trade, business and domain names, rights in trade dress, rights to goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, semiconductor and topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future.

“Normal Working Hours” means the time between 9:00 AM and 5:00 PM in Germany on a Business Day.

“Order Confirmation Email” means the email sent to Customer on the Effective Date to confirm Irisnet’s acceptance of a Purchase Order submitted by Customer. The Order Confirmation Email will contain details of the subscription package (see section 5.1) selected by Customer as well as billing information, a license key, a copy of these Terms and the Data Processing Agreement.

“Privacy Policy” means the then current Provider privacy policy located at https://irisnet.de/privacy-policy/ (as Provider may update, modify, or change from time to time), which is incorporated herein by reference.

“Products” means the products ordered by Customer under this Agreement, as more particularly described in the Purchase Order Form. They include in particular the performance of KYC and anti-fraud checks for customers (End Users) of Customer.

“Purchase Order” means an order for the Products, placed at https://shop.airisident.com/ or through completion of a Purchase Order Form, which is electronically submitted to Irisnet GmbH to purchase the Products according to these Terms. The Order Confirmation Email, or countersigning of the Purchase Order Form, signifies Irisnet’s acceptance of a Purchase Order.

“Purchase Order Form” means the ordering document for the Products for any order not completed through https://shop.airisident.com/.

“Renewal Date” means the date on which this Agreement automatically renews, which will be the same day of the month as the Effective Date for each subsequent month. For the sake of clarity, if this Agreement was concluded on the 16th of April 2024, then the first Renewal Date will be the 16th of May 2024, the second Renewal Date will be the 16th of June 2024, etc. If this Agreement is concluded on the 31st of any month, then the Renewal Date will be the last day of any month which does not have 31 days.

“SLA” means the Provider’s standard service level agreement for the Products which is incorporated herein by reference.

“Subscription Fees” means the fees payable to Provider for the Products by Customer in accordance with clause 4 below.

“Subscription Period” is the time between the Effective Date and the date on which this Agreement ends.

“Virus” means any thing or device (including any software, code, file or program) that may: (i) prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; (ii) prevent, impair or otherwise adversely affect access to or the operation of any program or data; or (iii) adversely affect the user experience, including worms, trojan horses, malware, viruses and other similar things or devices, now known or later developed.

1.2         Clause and schedule headings are for informational and organisational purposes only and shall not affect the interpretation of this Agreement.

1.3         Where the words “include”, “includes”, “including” or “in particular” are used in an Agreement, they are deemed to have the words “without limitation” following them. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

2. Supply of the Products

2.1         Provider shall, during the Subscription Period, supply the Products on and subject to the terms of this Agreement. Provider undertakes that Products will be supplied with reasonable and professional skill and care and in accordance with the SLA and Privacy Policy, provided that such undertaking shall not apply to the extent of any non-conformance that is caused by use of the Products contrary to the Provider’s instructions, written or oral, or any modification or alteration of the Products by a party other than Provider or Provider’s duly authorised partners, contractors or agents. The Products are provided “as-is” subject to reasonable defect.

2.2         Customer shall

(a) permit, assist and cooperate with Provider to monitor actual usage (as applicable) for the purpose of calculating the Subscription Fees;

(b) afford the Provider with:

(i) all necessary cooperation in relation to this Agreement; and

(ii) all necessary access to such information as may be required in order to render and receive the Products, including access to Customer Data, security access information and configuration settings and services;

(c) comply with all applicable laws and regulations of any government agency with respect to its activities under this Agreement;

(d) carry out all of its responsibilities set forth in this Agreement in a timely and efficient manner.

If there are delays in Customer’s provision of any assistance or information as agreed by the parties, the Provider may adjust any agreed upon timetable or delivery schedule as reasonably necessary to compensate for such delay.

Although the Provider has no obligation to monitor Customer’s use of the Products, the Provider may do so and may prohibit any use of the Products it believes may be, or is alleged to be, in violation of this Agreement.

2.3         Customer agrees that the Provider is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the Internet, and Customer acknowledges that the Products may be subject to limitations, delays and other problems inherent in the use of such communications facilities. Other than as expressly provided in these Terms and conditions and the SLA, no implied conditions, warranties or other terms apply (including any implied warranties or terms as to Customer’s use of the Products being uninterrupted or error-free or fit for a particular purpose). Customer acknowledges, agrees and understands that nothing herein shall be construed as, or considered a guaranty of performance of the Products by the Provider, including, but not limited to the success of such Product.

2.4         This Agreement shall not prevent the Provider from entering into similar agreements with any third parties, or from independently developing, using, selling or licensing documentation, products and/or services that are similar to those provided under this Agreement.

3. Customer’s use of the Products

3.1         Subject to the terms and conditions of this Agreement (including payment by Customer of the Fees in accordance with clause 4 and the restrictions set out in this clause 3), the Provider hereby grants Customer a non-exclusive, non-transferable (except as set forth specifically in clause 10.9), non-sublicensable, freely revocable right and licence, during the Subscription Period only, to:

(a) integrate the Provider’s API with the Customer Sites; and

(b) permit Customer to use the Products in accordance with the Terms and conditions of this Agreement and solely for Customer’s internal business operations.

3.2         Customer hereby grants to the Provider a non-exclusive, royalty-free, non-transferable (except as set forth in clause 10.9), freely revocable right and licence to use, modify, create derivative works of, transfer, and otherwise reproduce in any medium, currently known or developed in the future, any Customer Data for the sole purposes of

(a) rendering the Products under this Agreement, and

(b) developing, maintaining or improving the Products.

3.3         Customer shall:

(a) keep secure and confidential any PIN codes, API keys and passwords necessary for accessing and using the Products;

(b) use all reasonable efforts to not access, store, distribute or transmit any Viruses when accessing and using the Products; and

(c) use all reasonable endeavours to prevent any unauthorised access to, or use of, the Products; in the event of any such unauthorised access or use, to promptly notify the Provider and reasonably cooperate with the Provider to block the unauthorised access or use.

3.4         Customer shall not, directly or indirectly:

(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:

(i) and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Products in any form or media, their derivatives, source codes, or templates, or by any means; or

(ii) attempt to reverse compile, disassemble, tamper with, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Product or any other products which the Provider owns that is outside of the scope of this Agreement;

(b) use the Products in a manner that is illegal or facilitates illegal activity, or causes damage or injury to any person or property or tortiously violates any rights or interests;

(c) use any automated system, including “robots”, “spiders”, or “offline readers”, to access the Products in a manner that sends more request messages to the Products beyond the product rate limits or what can be reasonably expected from a similar Product;

(d) attempt to interfere with or compromise the integrity or security of the Products;

(e) access all or any part of the Products in order to build or facilitate a product that competes with the Products.

The Provider may, at its sole discretion and without liability and without being subject to damages, or prejudice to its other rights under this Agreement, disable Customers’ access to the Products for any breach or suspected breach of this clause.

4. Personal Data

To the extent that the Provider in the provision of the Products processes any Personal Data (as defined in the Data Processing Agreement) contained in Customer Data on Customer’s behalf, the terms of the Data Processing Agreement, which are hereby incorporated by reference, shall apply and the parties agree to comply with such terms.

5. Charges and payments

5.1         Fees for the products vary in accordance with the subscription package chosen by Customer. The table below provides an overview of the different subscription packages and the associated prices.

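|                                | Basic  | Standard | Business | Enterprise |
|--------------------------------|--------|----------|----------|------------|
| Monthly Minimum                | 1 €    | 100 €    | 350 €    | 1,000 €    |
| Document Check                 | 1.25 € | 1 €      | 0.75 €   | 0.60 €     |
| Biometric Check (FM+L)         | 0.25 € | 0.20 €   | 0.15 €   | 0.12 €     |
| Automated document recognition | 0.25 € | 0.20 €   | 0.10 €   | 0.07 €     |
| Age Estimation                 | 0.25 € | 0.20 €   | 0.15 €   | 0.12 €     |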

5.2         Customer selects their desired subscription package when placing a Purchase Order at https://shop.airisident.com/ or when completing the Purchase Order Form. The subscription package chosen will be confirmed in the Order Confirmation Email.

5.3         Fees will be invoiced monthly.

5.4         Provider may ask Customer to provide a valid credit card on which the monthly payments may be charged. This card will be debited within 7 days of the issuance of the corresponding invoice.

5.5         Customer will pay each invoice submitted by the Provider:

(a) within 14 days of the date of the invoice; and

(b) in full and cleared funds.

Time is of the essence for any payment due to the Provider and a condition precedent to services being continued in the Provider’s sole discretion.

5.6         If Customer fails to make payment of any and all Fees within seven (7) days of the invoice becoming due, then, without liability to Customer or prejudice to any of the Provider’s other rights and remedies:

(a) the Provider may cease to provide and/or disable Customer’s access to all or part of the Products; and the Provider shall be under no obligation to provide any or all of the Products while the invoice(s) concerned remain unpaid; and

(b) the Provider shall be entitled to recover all reasonable legal fees and other reasonable costs associated with the collection of such amounts; and

(c) the Provider may charge Customer interest on the overdue amount(s) on a daily basis at an annual rate equal to eight percent (8%) over the then current base lending rate of the European Central Bank at the date the relevant invoice was issued, commencing on the due date and continuing until fully paid, whether before or after judgment.

5.7         All amounts and Fees stated or referred to in this Agreement:

(a) shall be payable in Euros;

(b) are exclusive of any applicable taxes or charges (including any sales or other transaction-based tax, or value added or non-resident withholding tax), which shall (if applicable) be added to the Provider’s invoice at the appropriate rate and be payable by Customer; and

(c) are non-cancellable and all payments are non-refundable. Customer must make all payments without setoffs, withholdings or deductions of any kind.

6. Property Rights

6.1         Customer acknowledges and agrees that the Provider and/or its licensors or partners own all Intellectual Property Rights and any other rights in or arising out of or in connection with the Products. Except as expressly stated in this Agreement, this Agreement does not grant Customer any Intellectual Property Rights or any other rights or licenses in respect of the Products, and Customer shall not acquire or claim any rights in respect of the same by virtue of the rights granted under this Agreement.

6.2         The Provider acknowledges and agrees that Customer (or Customer Affiliate(s) as applicable) and/or its licensors own all Intellectual Property Rights and any other rights in Customer Data and the Customer Site. Except as expressly stated in this Agreement, this Agreement does not grant the Provider any Intellectual Property Rights or any other rights or licenses in respect of Customer Data or the Customer Site and the Provider shall not acquire or claim any rights in respect of Customer Data or the Customer Site by virtue of the rights granted under this Agreement.

7. Confidentiality

7.1         The Receiving Party shall hold all Confidential Information in confidence and, unless required by law, not make Confidential Information available to any third party, or use the Confidential Information for any purpose other than the performance of its obligations or exercise of its rights under this Agreement.

7.2         Without prejudice to clause 7.1, the Receiving Party may disclose Confidential Information to those of its Affiliates, employees, agents and advisors (together the “Representatives”) who need to know such Confidential Information solely in connection with the implementation of this Agreement, provided that the Receiving Party is at all times responsible for its Representatives’ compliance with the obligations set out in this Agreement. Each party shall procure that its Representatives are bound by confidentiality agreements applicable to the Confidential Information supplied to the Receiving Party on terms no less onerous than those contained in this clause 7. Subject to the foregoing, neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party, provided that such loss, destruction, alteration or disclosure was not caused or authorized by the Receiving Party.

7.3         The Disclosing Party hereby represents and warrants that it has the right and authority to disclose the Confidential Information to the Receiving Party (or its Representatives).

7.4         The Receiving Party agrees that the Confidential Information is and shall at all times, unless otherwise notified, remain the exclusive property of the Disclosing Party and the Receiving Party shall not acquire, by implication or otherwise, any right, title, interest or licence in or to any Confidential Information or to any intellectual property rights, if any, embodied in such Confidential Information. The Receiving Party acknowledges and agrees that Disclosing Party may be irreparably harmed by a breach of the terms of this Agreement and that damages may not be an adequate remedy. The Disclosing Party shall be entitled to seek an injunction or specific performance for any threatened or actual breach of the provisions of this Agreement by the Receiving Party or any other person receiving Confidential Information pursuant to this Agreement.

8. Limitation of Liability

8.1         This clause 10 sets out the entire financial liability of either party (including any liability for the acts or omissions of either party’s employees, agents or sub-contractors) to the other, including in respect of:

(a) any breach of any obligation (whether implied or express) arising out of or in connection with this Agreement;

(b) any use made by Customer of the Products or any part of them; and

(c) any representation, statement or tortious act or omission (including negligence) or breach of statutory duty arising under or in connection with this Agreement.

8.2         Customer assumes sole responsibility (and the Provider shall have no liability) for:

(a) results obtained from the use of the Products by Customer and for conclusions drawn from such use;

(b) integration of the Products with Customer Site;

(c) any damage caused by errors or omissions in any information or instructions provided to the Provider by Customer in connection with the Products; or

(d) any content published on a Customer Site by, or with the approval of, Customer or any actions taken by the Provider at Customer’s direction.

8.3         Subject to clause 8.4, neither party shall under any circumstances whatsoever be liable to the other for any:

(a) loss of profits, revenues or opportunity costs;

(b) loss of business or business opportunities;

(c) loss or depletion of goodwill and/or similar losses or injuries;

(d) loss or corruption of data or information (including Customer Data), subject to the Data Processing Agreement;

(e) pure economic loss;

(f) special, indirect, punitive or consequential loss, costs, damages, charges or expenses howsoever arising under this Agreement.

8.4         Nothing in this Agreement excludes the liability of either party for:

(a) death or personal injury caused by negligence; or

(b) fraud or fraudulent misrepresentation; or

(c) any other liability which may not be limited or excluded by applicable law.

8.5         Subject to clause 8.4, each party’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising under or in connection with this Agreement or the performance or contemplated performance of this Agreement, shall be limited to the total Fees actually paid by Customer for the Products during the 12 months immediately preceding the date on which the claim arose.

9. Term and Termination

9.1         This Agreement commences on the Effective Date upon Provider’s acceptance of the Customer’s Purchase Order, which will be sent to a verified email address of the Customer, this Master Service Agreement, and the Data Processing Agreement.

9.2         This Agreement shall automatically renew after one month. For the sake of clarity, if the agreement was concluded on the 16th of March, it will renew on the 16th of April.

9.3         Customer may cancel the Agreement at any time to the end of the Current Subscription Period (one day before the Renewal Date). For the sake of clarity, if the Agreement renews on the 16th of April, Customer can cancel their subscription on the 15th of April and the Agreement will end on that day.

9.4         A subscription plan that was purchased in the online shop can be cancelled at any time in the online shop under My Account –> Subscription(s). The cancellation takes place at the end of the Current Subscription Period. Usage of the Products will not be possible after this date.

9.5         Alternatively, this Agreement can also be cancelled in writing by post or email. Upon receipt, the Agreement ends at the end of the Current Subscription Period.

9.6         Provider may cancel this Agreement by giving three months’ notice to the end of the Current Subscription Period.

9.7         Without prejudice to any other rights or remedies which the parties may have, either party may terminate this Agreement without liability to the other immediately on giving written notice to the other if:

(a) the other party is in material breach of this Agreement where the breach is incapable of remedy; or the other party is in material breach of this Agreement where the breach is capable of remedy and the breaching party fails to remedy that breach within thirty (30) days after receiving written notice of such breach;

(b) the other party enters into an arrangement for an assignment for the benefit of its creditors, goes into administration, receivership or administrative receivership, is declared bankrupt or insolvent or is dissolved or otherwise ceases to carry on business.

9.8         On termination of this Agreement for any reason:

(a) all licenses and other rights granted by the Provider under this Agreement shall immediately terminate;

(b) Customer shall immediately pay to the Provider all outstanding unpaid invoices and interest and, in respect of Products rendered but for which no invoice has been submitted, the Provider will submit an invoice, which will be payable by Customer immediately on receipt;

(c) each party shall return or destroy as promptly directed by the other party and make no further use of any equipment, property, Confidential Information, the Products and other items (and all copies of them) belonging to the other party;

(d) the accrued rights of the parties as at termination, and clauses 1, 3.2, 3.4, 5 and 6 through 10, will survive any expiration or termination of this Agreement.

10. General

10.1      Neither party shall have any liability to the other under or in connection with this Agreement if it is prevented from, or delayed in performing, its obligations under this Agreement or from carrying on its business by acts, events, omissions or accidents beyond its reasonable control (a “Force Majeure Event”), including strikes, lock-outs or other industrial disputes (whether involving the workforce of either party to this Agreement or any other party), failure of a utility service or transport network, acts of God, war, riot, Internet interruptions, civil commotion, malicious damage, compliance with any law or governmental order, rule, change in law, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors.

10.2      The Provider shall be permitted to identify Customer as the Provider’s Customer on its website or other marketing materials and accordingly, Customer hereby grants to the Provider the right to use and display Customer’s name, logo and/or any other identifying words or marks associated with Customer, in whole or in part, and in any media for the sole purposes of identifying Customer as a customer of the Provider.

10.3      The parties are independent contracting parties and owe no fiduciary or other duties to each other except as set forth in this Agreement and any Purchase Order. Neither party has, or will hold itself out as having, any right, title or authority to incur any obligation on behalf of the other party, unless expressly authorized in writing to do so. The parties’ relationship in this Agreement shall not be construed as imposing any liability upon either party that otherwise might result from such a relationship.

10.4      Customer recognizes that the Provider always seeks to innovate and find ways to improve the Products with new features and functions. Customer agrees that the Provider may therefore change the Products

(a) without notice, provided such changes do not materially adversely affect the nature or quality of the Products, or

(b) on written notice to Customer where such changes will materially adversely affect the nature or quality of the Products, provided that Customer shall have the opportunity to cancel their subscription prior to such change taking effect. Subject to the preceding sentence, no variation of this Agreement shall be valid unless it is in writing and signed by or on behalf of each of the parties.

10.5      Customer may submit feedback or ideas about the Products, including how to improve the Products or any other service offered by the Provider (“Feedback”). Customer acknowledges that no further consideration is payable as a result of such Feedback, and that the Provider is free (but not obligated) to use the Feedback on a non-exclusive and non-confidential basis for any business purpose, during or after the Subscription Period.

10.6      A waiver of any right under this Agreement is effective only if it is in writing and it applies only to the circumstances for which it is given. No failure or delay by a party in exercising any right or remedy under this Agreement or by law shall constitute a waiver of that (or any other) right or remedy, nor preclude or restrict its further exercise. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that (or any other) right or remedy. Unless specifically provided otherwise, rights arising under this Agreement are cumulative and do not exclude rights provided by law.

10.7      If any provision of this Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, be deemed not to form part of this Agreement, and the validity and enforceability of the other provisions of this Agreement shall not be affected. If a provision of this Agreement (or part of any provision) is found illegal, invalid or unenforceable, the provision shall apply with the minimum modification necessary to make it legal, valid and enforceable.

10.8      This Agreement, and any documents referred to in it, constitutes the whole agreement between the parties and supersedes all previous agreements between the parties relating to its subject matter (including any Customer Purchase Orders). Each party acknowledges that, in entering into this Agreement, it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty, whether made negligently or innocently, except as expressly provided in this Agreement. Each party represents and warrants that in entering into this Agreement it has not relied upon any oral or written statements, collateral or other warranties, assurances, representations or undertakings, or the failure or omission of the other party to make statements, assurances, representations or undertakings (together: “Pre-Contractual Statements”) other than what is expressly set forth in this Agreement. Each party waives all rights and remedies which might otherwise be available to it in relation to such Pre-Contractual Statements, including any claim it was induced into entering into this Agreement or accepting its terms based on any Pre-Contractual Statements.

10.9      Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party, except that either party may assign this Agreement as a whole without such consent to an entity of good standing (other than any direct competitor of the other party) capable of complying with the rights and obligations under this Agreement succeeding to all or substantially all of such assigning party’s assets or business.

10.10    A person who is not a party to this Agreement shall not have any rights under or in connection with it. No third party beneficiaries are created by this Agreement.

10.11    All notices must be in English, in writing, addressed

(a) in the case of the Provider to [email protected], and

(b) in the case of Customer to the postal address or email address provided by Customer at https://shop.airisident.com/my-account/, or alternatively such email address as provided by Customer in the Purchase Order Form,

or such other address as either party has notified the other in accordance with this clause.

All notices shall be deemed to have been given on receipt as verified by written or automated receipt or electronic log (as applicable).

10.12    This agreement shall be governed exclusively by the laws of the Federal Republic of Germany to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising from or in connection with this agreement is Düsseldorf (Federal Republic of Germany).

Data Processing Agreement (DPA)

This DPA is an addendum to the Master Service Agreement between Customer and Irisnet. The signing of the Master Service Agreement by submission of a Purchase Order shall be deemed signing of this Addendum as well. Each party is referred to as a “Party” and together the “Parties”.

This Addendum consists of (i) the main terms and conditions of the Data Processing and Information Security Addendum (“Main Body”); (ii) the Appendix to the Addendum, including Annexes I and II (collectively, “Appendix”).

WHEREAS

(A)          Irisnet has developed and operates certain web-based software applications (the “Products”) that it makes available via the Internet.

(B)          Customer wishes to use the Products in its business operations for the purpose of delivering improvements to the online experience of customers (End Users) of Customer, preventing fraud, and performing Know Your Customer (KYC)/identity verification due diligence on customers (End Users) of Customer.

(C)         Irisnet has agreed, or may agree after the date of this Addendum, pursuant to a Master Service Agreement or otherwise, to supply the Products to Customer, which may involve the processing of Customer Data (including Personal Data) by Irisnet.

(D)         In compliance with the provisions of the General Data Protection Regulation and the applicable national Data Protection Laws, the Parties wish to agree this Addendum.

In consideration of the mutual covenants and undertakings stated herein, THE PARTIES AGREE AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

1.1         All definitions set forth in the Master Service Agreement equally apply to this DPA.

1.2         In addition, the following definitions shall apply:

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement as amended from time to time.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Instruction” means an instruction, issued by Customer to Irisnet, and directing the same to perform a specific action with regard to Personal Data as further set out in Section 3.2 of this Addendum.

“Personal Data” means any information relating to an identified or identifiable natural person, where such data is Customer Data.

“Personnel” means all persons authorized to process Personal Data under this Addendum.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Purposes” means the purposes for which Irisnet Processes Personal Data as listed in Section 2 of this Addendum.

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.

“Sub-Processor” means any Processor engaged by Irisnet.

1.2         In the case of conflict or ambiguity between any provision in this Addendum and any provision contained in the Master Service Agreement, the provision in this Addendum shall prevail.

1.3         Where the words “include”, “includes”, “including” or “in particular” are used in an Addendum, they are deemed to have the words “without limitation” following them.

1.4         Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.5         A reference to a statute or statutory provision is a reference to it as it is in force as of the date of this Addendum. Such reference shall include all subordinate legislation made as at the date of the Addendum under that statute or statutory provision.

2. SUBJECT MATTER OF THE PROCESSING

The following Personal Data are Processed by Irisnet on behalf of Customer under the Addendum including Processing as reasonably necessary, proportionate, and consistent with the business purpose of providing the Products to the extent permitted by applicable Data Protection Laws:

Type of Personal Data | Nature and Purpose of Processing | Categories of Data Subjects

Personal Data inputted by Customer, or Irisnet on Customer’s behalf. Such data may include:

  • Company details and incorporation documents
  • Customer staff details and email addresses
  • Support requests
  • Use of Products
  • Employees or agents of Customer

Data about End Users collected by Customer or Irisnet Products and sent to Irisnet via a pre-determined data layer implemented by Customer, or otherwise transferred to Irisnet. This includes in particular all information contained in identity documents and utility bills:

  • Full name and nationality
  • Date and place of birth
  • Address
  • Height, eye colour

In addition, Irisnet processes biometric data from selfies or selfie videos of End Users.

  • Use of Products
  • Perform KYC and antifraud checks on end-users.
  • Improvements to the online experience of customers (End Users) of Customer
  • End User

Information about the End User’s device (e.g., OS and version, browser and version, browser settings, IP address)
  • Use of Products
  • Perform KYC and antifraud checks on end-users.
  • Improvements to the online experience of customers (End Users) of Customer
  • End User

Geolocation data inferred from IP address
  • Use of Products
  • Perform KYC and antifraud checks on end-users.
  • Improvements to the online experience of customers (End Users) of Customer
  • End User

3. RIGHTS AND OBLIGATIONS OF CUSTOMER

3.1         Customer acknowledges and agrees that:

(a) It is Customer’s responsibility as Controller to ensure that its use of the Products complies with all Data Protection Laws applicable to Customer including, in particular,

(i) in respect of the placing and use of cookies and the capturing of any consents required to be obtained from the relevant End User,

(ii) adhering to any applicable requirement to provide notice to Data Subjects of the use of Irisnet as Processor.

(b) If Customer requests Irisnet to transfer Customer Data (including Personal Data) to a third-party, Customer is solely responsible and liable for this transfer, and in any event, Customer shall not act or omit to act in a way which places Irisnet in breach of any applicable Data Protection Laws;

(c) Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, and copyright of all Customer Data. Irisnet is under no duty to investigate the completeness, accuracy, or sufficiency of the Customer Data, including Personal Data. This does not preclude Irisnet’s responsibility for verifying the authenticity of End Users’ ID documents.

(d) Customer undertakes not to use the Products to process or request Irisnet to process any payment card information.

(e) Customer specifically acknowledges that its use of the Products will not violate the rights of any Data Subject.

3.2         Irisnet shall Process Customer Data only on Instructions from Customer. Customer instructs Irisnet to Process the types of Personal Data listed in Section 2 of this Addendum and in the Master Service Agreement for the Purposes. This is the final Instruction of the Customer to Irisnet with regard to the Processing of Customer Data. If Customer requests Irisnet to Process Customer Data outside the scope of this Addendum, it is Customer’s obligation to enter into an additional agreement with Irisnet and Customer will have to bear the costs (if any) for such additional Processing.

3.3         In case of a claim of a Data Subject against Irisnet, Customer undertakes to assist Irisnet with regard to verifying the claim’s legitimacy and subject matter in the defense of the claim.

3.4         Customer grants to Irisnet the non-exclusive, worldwide right to copy, adapt, transmit, communicate, display, distribute and create compilations and derivative works of the Customer Data for the purpose of providing the Products pursuant to the Master Service Agreement and to improve or enhance such Products. This license includes the use of Customer Data to compile, use and disclose anonymous, aggregated statistics that include Customer Data, provided that no such information will directly identify and cannot reasonably be used to identify Customer or Customer’s End Users. Customer shall be solely responsible for ensuring that Customer has obtained all necessary third-party consents and made all required disclosures in connection with the foregoing grant.

4. RIGHTS AND OBLIGATIONS OF IRISNET

4.1         Unless otherwise instructed by Customer, Irisnet will delete all Personal Data from End Users within 24 hours of completion of Processing. Processing is deemed to be complete when Irisnet’s response to any check whose performance was instructed by Customer in accordance with clause 3.2 has been duly received by Customer. The checks to be performed are more particularly described in the Purchase Order Form. For any Product which requires an ongoing comparison of new End User data with initially provided End User data, Processing is deemed to be complete when Customer informs Irisnet that the End User in question is no longer a customer of Customer.

4.2         At Customer’s request and sole expense, Irisnet shall provide to Customer a copy of all Personal Data held by it under the Addendum in a commonly used and machine-readable format.

4.3         To the extent not prohibited by applicable Data Protection Laws and applicable national laws, Irisnet shall notify Customer as soon as reasonably practicable in writing of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of, Personal Data. Irisnet acknowledges that Customer may, at its sole expense, seek to defend against or contest such action in lieu of and on behalf of Irisnet.

4.4         Irisnet shall, to the extent legally permitted, promptly (and in any event within five (5) working days of receipt) notify Customer if Irisnet receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”, or any other. Taking into account the nature of the Processing, Irisnet shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Irisnet’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Irisnet shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Irisnet is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Irisnet’s provision of such assistance.

4.5         Irisnet shall assist Customer within the scope of its ability to comply with Customer’s obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of processing and the information available to Irisnet.

4.6         Irisnet is not obliged to actively monitor Instructions for infringements of Data Protection Laws. Without prejudice to the foregoing, Irisnet shall notify the Customer immediately upon becoming aware that an Instruction infringes Data Protection Laws.

4.7         Irisnet shall comply with its obligation to implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing pursuant to Article 32 (1) (d) of the General Data Protection Regulation.

4.8         Irisnet shall make available to Customer such information as is requested by Customer to demonstrate its compliance with applicable statutory obligations, in a commonly used and machine-readable format.

5. SECURITY OBLIGATIONS OF IRISNET

5.1         Irisnet shall implement appropriate technical and organizational measures to protect the Customer Data as described in Annex 1. In particular, Irisnet shall implement technical and organizational measures to provide the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, including protection against

(a) unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration, or damage, unauthorized disclosure of, or access to, Customer Data,

(b) retaining, using, disclosing, or selling the Personal Data

(i) for a commercial purpose other than providing the Products and as specified by Customer’s documented instructions; or

(ii) outside of the direct business relationship between the Customer and Irisnet.

Customer has knowledge of these technical and organizational measures and is responsible for ensuring that they provide an appropriate level of protection for the risks of the Customer Data to be Processed. Irisnet may update or modify the measures listed in Annex 1 from time to time provided that such updates or modifications do not result in any material degradation of the security of Customer Data.

5.2         Irisnet shall notify Customer without undue delay after becoming aware of a Security Incident and assist Customer with its third-party notification and communication obligations, taking into account the nature of Processing and the information available to Irisnet. However, Customer is solely responsible for fulfilling any third-party notification and communication obligations. Irisnet will take, where appropriate, measures to mitigate the possible adverse effects of the Security Incident. In addition, to the extent Customer has notification or communication obligations in case of a Security Incident, Irisnet undertakes to provide reasonable cooperation and support to Customer at Customer’s sole expense.

5.3         In the event of any loss or damage to Customer Data, Irisnet shall use commercially reasonable endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by Irisnet in accordance with its standard archiving procedures.

5.4         Irisnet shall not be responsible for any destruction, loss, alteration, or disclosure of Customer Data caused by any third party (except for Irisnet Sub-processors).

6. PERSONNEL

6.1         Irisnet undertakes to ensure that access to Customer Data is limited to those Personnel who need access to the Customer Data to meet Irisnet obligations under this Addendum and/or the Master Service Agreement.

6.2         Irisnet shall provide that all Personnel authorized to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. SUB-PROCESSORS

7.1         Customer consents that Irisnet shall be entitled to subcontract Irisnet’s obligations specified in this Addendum to third-party Sub-processors. Irisnet has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those contained in this Addendum with respect to the protection of Customer Data to the extent applicable to the nature of the services provided by such Sub-processor.

7.2         Customer consents to the Sub-processors identified in Annex 2 of this Addendum, including their locations and processing activities. Irisnet shall provide notification of a new Sub-processor(s) to Customer before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Products.

7.3         Customer may object to Irisnet’s use of a new Sub-processor by notifying Irisnet promptly in writing within five (5) business days of receipt of Irisnet’s notice in accordance with the mechanism set out in Section 7.2 above. If Customer does not object within the deadline, the consent to the appointment of the Sub-processor in question shall be deemed to be given. If Customer objects to a new Sub-processor, as permitted in the preceding sentence, Irisnet will use reasonable efforts to make available to Customer a change in the Products or recommend a commercially reasonable change to Customer’s configuration or use of the Products to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Irisnet is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate their Master Services Agreement to the end of the current month.

7.4         Irisnet shall be liable for the acts and omissions of its Sub-processors to the same extent Irisnet would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

8. LIMITATION OF LIABILITY

The limitation of liability agreed between the Parties in the Master Service Agreement shall also apply to this Addendum, unless otherwise expressly agreed.

9. GENERAL

9.1         Upon expiry or termination of the Master Service Agreement or this Addendum, or upon earlier request by Customer, Irisnet shall – at the choice of Customer – return to Customer or securely delete or destroy all Customer Data and existing copies (including Personal Data) in a manner appropriate to the sensitivity thereof, unless applicable Data Protection Laws require storage of the Customer Data. Upon request, Irisnet shall provide written confirmation to the Customer that the deletion process has been completed.

9.2         The Addendum is an attachment to and integral part of the Master Service Agreement. This Addendum is the entire agreement between Irisnet and Customer regarding data protection and privacy issues regarding the Customer’s use of the Products and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter. This Addendum has been entered into as part of the Agreement between the parties and shall be effective upon the Effective Date of the Agreement.

9.3         Updates to the Addendum. Irisnet may modify the terms herein from time to time by publication on www.airisident.com. The modified terms will become effective upon posting.

Annex I: Description of the Technical and Organizational Security Measures taken by Irisnet

Irisnet has implemented the following technical and organizational security measures to provide the ongoing confidentiality, integrity, availability, and resilience of processing systems and services:

1. Confidentiality

Irisnet has implemented the following technical and organizational security measures to protect the confidentiality of processing systems and services, in particular:

  • Irisnet processes all customer data on remote server sites owned and operated by industry-leading cloud service providers that offer highly sophisticated measures to protect against unauthorized persons gaining access to data processing equipment (namely telephones, database and application servers, and related hardware). Such measures include:
    • a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection;
    • data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders;
    • access logs, activity records, and camera footage are available in case an incident occurs;
    • data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training;
    • access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics;
    • only approved employees with specific roles may enter.
  • Irisnet servers can be accessed remotely from hardware devices operated by Irisnet employees; the following measures are implemented to safeguard end user hardware:
    • Password protection with complexity requirements for passwords (minimum length, use of special characters, etc.)
    • Automated logging of administrative access to IT systems
    • Automatic screen lock after five minutes of inactivity
    • Automated logging of unsuccessful login attempts
  • Irisnet employees entitled to use its data processing systems are only able to access personal data within the scope of and to the extent covered by their respective access permission (authorization). In particular, access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
  • Irisnet will delete all End User data shortly after completion of the Customer’s Processing request. Irisnet will only retain copies of End User data if explicitly instructed to do so.

2. Integrity

Irisnet has implemented the following technical and organizational security measures to protect the integrity of processing systems and services, in particular:

  • Irisnet implements suitable measures to prevent personal data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:
    • use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
    • industry-standard encryption; and
    • avoiding the storage of personal data on portable storage media for transportation purposes and on company-issued laptops or other mobile devices.
  • Irisnet does not access any Customer content except as necessary to provide that customer with the Products and professional services it has selected.

3. Availability

Irisnet has implemented the following technical and organizational security measures to protect the availability of processing systems and services, in particular:

  • infrastructure redundancy
  • selection of best-in-class infrastructure providers with data centers that have daily backups with an assured uptime and availability of 99.99% by the service providers
  • separation of testing and live environments

Annex II: List of Sub-processors

Sub-processor | Description of activities | Location
ITGix | IT Operations | Sofia, Bulgaria
Plusserver | Hosting | Düsseldorf, Germany
Google | Website analytics | Mountain View, USA
Teemo Technology | Identity document analysis | London, England / Frankfurt, Germany (hosted @ AWS)
Netcup | Webhosting | Karlsruhe, Germany