<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1611884&amp;fmt=gif">

Terms of Service

Revised February 12, 2026

Thank you for your interest in Vouched ("Vouched," "We" or "Us")!

These Terms of Service (this “Agreement”) represent a legally binding agreement between You (or our "Customer," with the address and other applicable information specified in this Agreement) and Us governing Your access to and use of our Services. "You" in the case of an individual accepting this Agreement on his or her own behalf, means that individual, and in the case of an individual accepting this Agreement on behalf of a company or other legal entity, means the company or other legal entity for which that individual is accepting this Agreement, and affiliates of that company or entity (for so long as they remain affiliates).

If You use Our Services, You are agreeing to the Terms of Service set forth in this Agreement. If You do not agree to the Terms of Service set forth in this Agreement, You must not access or use Our Services.

This Agreement begins on the date on which You first access or use the Services.  We call that date the "Effective Date" of this Agreement, and Your rights and obligations begin on that specific date.

Please note that We may decide to modify this Agreement from time to time. We have the right to make modifications under this Agreement and You should take a look at Section 10.1 to further understand Our ability to implement modifications.

This Agreement governs Your  (i) access to and use of Vouched’s artificial intelligence identity verification technology and software (the “Vouched AI”); and (ii) any additional services provided by Vouched (the “Vouched Services”); (collectively, the “Services”). 

Here are the specific legal rights and obligations that You and We have under this Agreement.

1. PRODUCTS AND SERVICES

1.1.1 Subject to this Agreement, You agree to purchase, and Vouched agrees to provide, the following Services:

Access to Vouched AI and Provision of Services

Vouched will provide You with an implementation of the Vouched AI that will enable You to verify data provided by third parties utilizing Your platforms, apps and other web properties (“Your Platform”).

You and Vouched agree that the primary anticipated Services under this TOS will be applying the Vouched AI to match and verify information, photos and other information entered by users on Your Platform (“Verifications”).

Additional Services, Details and Exceptions

Vouched will cooperate with Your engineering and/or operations team to integrate the Vouched AI described above into Your workflow. You and Vouched anticipate that such integration efforts will primarily include back-end integration of the Vouched AI into Your customer verification process through use of Vouched’s application program interface or “API” the “Vouched API”.

Vouched uses artificial intelligence to provide the Services. In some instances, information, photos and other documentation provided by Your users may not be readable by the Vouched AI (for example, blurry, dark, obstructed or occluded photos or scans). In such instances You may attempt manual verification of data.

In addition to utilizing artificial intelligence, Vouched may use human verification, including by Vouched AI scientists, as necessary to provide oversight and decisioning.

1.1.2. You and Vouched may expand the scope of the Services provided under this TOS by entering into additional order forms (each an “Order Form”) which can be attached to and will become a part of this Agreement if such Order Form references this TOS and is signed by both Vouched and You. 

1.1.3. You owns the relationship with its customers, patients, or employees (each an “End User”) and possesses data, which may include data from law enforcement and governmental authorities, as well as insurance providers, or credit authorities (the “Preponderance of Data”) not processed by Vouched. Using the Preponderance of Data, You may implement controls, rules, and decisioning as part of its security and compliance requirement that contrast with data Vouched processes on the End User. Based on the Preponderance of Data, You has the ultimate decision as to the End User’s identity and can override Vouched’s recommendation. You and Vouched acknowledge and agree that the Verifications provided should be construed as a recommendation of the veracity of the information provided by users on Your Platform. 

1.1.4. You acknowledge and agree that the Services provided pursuant to this Agreement are not provided by “consumer reporting agencies,” as that term is defined in the Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.) (“FCRA”) and do not constitute “consumer reports,” as that term is defined in the FCRA. You specifically acknowledge that the use of the Services may be limited by applicable law, including the Drivers Privacy Protection Act (18 U.S.C. Section 2721 et seq.) and related state laws (collectively, the “DPPA”); the Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.) and related state laws (collectively, the “GLBA”); and the Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations codified at 45 C.F.R. Parts 160 and 164 (collectively, “HIPAA”). You agree to use the Services only for permissible purposes under such applicable laws (e.g., in accordance with an exception provided under the GLBA) and You must take appropriate measures so as to protect against the misuse of the Services. You agree that it will not, and will not allow its End Users to, access or use information in the Services in a manner that would violate the FCRA, GLBA, DPPA, HIPAA, or any other applicable law, regulation or rule. You understand that applicable laws may be amended at any time and/or that Vouched policies and procedures may be amended at any time to reflect changes to such applicable laws, which may have the effect of either limiting or expanding the ability of You to use the Services. 

1.2. Permitted Uses. You may only access and use the Services for its own internal business purposes related to identity verification, security and/or fraud prevention, and in accordance with the terms set forth herein in the Agreement. 

1.3. Restrictions on Use. You will not, and will not allow its End Users to, do any of the following: (a) reproduce, copy, distribute, modify, or reverse engineer the Services or any part thereof, (b) sublicense, resell, or make the Services, or any part thereof, available to others except to End Users in accordance with the terms of the Agreement,  ( c) introduce into the Services any unauthorized data, or any malware, viruses, Trojan horses, spyware, worms, or other malicious or harmful code, or any data that infringes, misappropriates, or otherwise violates the intellectual property rights or other rights of any third party or an End User, (d) use the Services or any component thereof, in the operation of a service bureau to support or process any content, data, or information on behalf of any party other than You, (e) sell, transfer, sublicense, assign, or otherwise permit any party, other than You or End Users to access the Services or any output therefrom, (f) access or use the Services, or output therefrom, to create a competing product or service, or (g) use the Services for any purpose that is unlawful, harassing, abusive, tortious, threatening, harmful, invasive of privacy, vulgar, defamatory, false, intentionally misleading, trade libelous, pornographic, obscene, patently offensive, promotes racism, bigotry, hatred, or physical harm of any kind, or is otherwise objectionable. If You or any of its End Users violate any of these terms, Vouched may, without prejudice to any other right or remedy it may have, suspend Your, or any End User’s, access to the Services and terminate the Agreement in accordance with Section 9.1. 

1.4. Third Party Services. Vouched AI or other Services may include third-party services, technology, or software ("Third Party Services").  You acknowledge that: (a) Vouched may update, modify, add, or remove Third Party Services or functionality at any time without notice; (b) Vouched may terminate or suspend Third Party Services with reasonable notice if the underlying Service Provider terminates services to Vouched;  and (c ) Third Party Services may be subject to additional terms, conditions as provided by Vouched. 

2. PAYMENT AND TAXES

2.1. Payment. You agree that you will pay for all Services you purchase and you are authorized to make such purchases and that Vouched may charge your selected payment method (such as your credit card or debit card) for any products purchased and for any additional amounts (including any taxes and late fees, as applicable) that may be accrued by or in connection with your account. You are responsible for the timely payment of all fees and for providing Vouched with a valid payment method for payment of all fees. All fees will be billed to the payment method you designate during the registration process.  All fees are in US dollars.

2.2.   Fee Adjustment.  Prices for our Service may change at any time, and the Service does not provide price protection or refunds in the event of a price reduction or promotional offering. 

2.3. Taxes. You agrees to pay any fees related to state and local taxes related to the Services.

2.4.  All sales are final. 

3. INTELLECTUAL PROPERTY RIGHTS

3.1.   Vouched Intellectual Property Rights.  The Services, including without limitation the Vouched AI, and all right, title and interest in and to the Services, including but not limited to all Intellectual Property Rights therein, are and will remain the exclusive property of Vouched or its licensors. No rights to the Services, or any output of any part thereof, are granted to You, other than the license in Section 3.2. In connection with Vouched performing the Services or otherwise during the Term, Vouched may develop modifications to the Services and/or new software programs (collectively, the “Developments”). Vouched, on behalf of itself and its licensors, reserves all right, title, and interests in and to the Developments, including, but not limited to, all Intellectual Property Rights therein. Without limitation of the foregoing, You agree that Vouched will have a perpetual sublicensable and assignable right to use and incorporate any You feedback or suggestions for enhancement provided to Vouched regarding the Services, without any obligation of compensation. As between the parties, Vouched will own all data that does not relate to an identified or identifiable natural person and to personal data rendered anonymous in such a manner that the data subject is not identifiable. 

3.2. “Intellectual Property Rights” means rights in and to any and all intellectual property whether registrable or not including names, trademarks, trade names, trade dress, service marks, insignias, designs, works of authorship, domain names, inventions, whether or not copyrightable or patentable, trade secret or confidential information, and any other intellectual and/or industrial property.

3.3. License of Services. Subject to this Agreement, Vouched hereby grants You a limited, non-exclusive, non-transferable right for You to access and use the Services during the Term (as defined below) and within the Territory. “Territory” means the United States.

3.4. End User Data. Vouched may collect data from End Users on Your behalf as part of the Services and You may provide data collected from End Users to Vouched, and such data may include Personal Data (defined in the Data Processing Addendum) (such data “End User Data”). You authorizes and instructs Vouched, or its third-party service providers (“Service Providers”), to use End User Data to provide the Services, including keeping Vouched AI up to date and performant; enhancing productivity, efficacy, quality, and security; detecting security incidents and resisting malicious, deceptive, fraudulent, or illegal actions; and troubleshooting (preventing, detecting, investigating, mitigating, and repairing problems). You further authorizes Vouched, and its Service Providers, to (i) use End User Data to create profiles of the applicable End User for Vouched’s internal use in support of Vouched’s fraud prevention services , and (ii) create aggregated or de-identified data from End User Data for Vouched’s business purposes.


4. DATA SECURITY

4.1. Data Security Provisions.  The parties have implemented and will maintain commercially reasonable information security policies and safeguards, which include technical and organizational measures, designed to preserve the security, integrity, and confidentiality of the Personal Data (defined in Exhibit A) and to protect it against unauthorized access and information security threats in accordance with the Data Processing Addendum, Exhibit A, attached hereto and incorporated herein by this reference. Your technical and organization measures must, at a minimum: (i) be designed to protect the security, integrity, and confidentiality of its access to and use of the Services and any output therefrom, (ii) secure Your systems using network security controls (e.g., firewalls), vulnerability management processes, and secure configuration practices, (iii) protect End User Data using industry-standard encryption techniques, and (iv) enable You to quickly become aware of any actual or suspected security incident. You  agrees to notify Vouched within twenty-four (24) hours of becoming aware of any actual or suspected security incident, including without limitation any unauthorized access to or use of the Services, and will promptly cooperate with Vouched in the investigation and remediation of any such incident.

4.2. Data Backup. Vouched is not obligated to back up any electronic data and information that You inputs into, uploads to, or otherwise makes available to Vouched, including corporate, administrative, and firmographic data required by Vouched. 

5. REPRESENTATIONS AND WARRANTIES

5.1.  Mutual.  Each Party represents and warrants to the other Party that it has the necessary authority to enter into this Agreement and that it will comply with all applicable laws relating to or affecting this Agreement or the Services. In particular, and without limitation of the foregoing, You and Vouched will comply with all applicable state and federal laws and regulations regarding the privacy, security and confidentiality of any Personal Data, including the receipt, storage, processing, use and transmission of such information, in connection with the Services.

5.2. Your Representation and Warranties. You represent and warrant to Vouched that You receive, prior to utilizing the Services, all necessary End User consents, including where necessary explicit and informed consent, for (a) Vouched to collect and process End User Data in accordance with this Agreement, including, as applicable, social security numbers and biometric information, (b) collecting any End User Data from the End User, (c ) sharing End User Data with Vouched and/or its Service Providers, (d) retrieving End User Data from the Services, or (e) using any End User Data for a purpose not previously disclosed or for which consent had been previously withdrawn. If requested by Vouched, You will provide evidence of such End User consent. You represent and warrant that its use of the Service, and Vouched’s collection and processing of End User Data as part of the Services, will not violate any applicable law, including without limitation any privacy or consumer protection law. Without limiting the foregoing, with respect to any biometric data accessed or obtained by You through the Services, You represent and warrant that (i) it will only use such data for ID verification consistent with the Vouched Biometric Privacy Notice and these TOS, and (ii) it will keep such information confidential and secure. You further represents and warrants that it has, and will maintain through the duration of the term of this TOS , a privacy policy that is made available to End Users which complies with all applicable laws and regulations.

 

5.3. Limitation of Warranties.

VOUCHED PROVIDES ITS SERVICES “AS IS.” TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER VOUCHED NOR OF ANY OF ITS OFFICERS, DIRECTORS, AFFILIATES, SUPPLIERS, SERVICE PROVIDERS, AGENTS, LICENSORS OR DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE SERVICES ARE FREE FROM DEFECTS. VOUCHED DOES NOT MAKE ANY WARRANTY AS TO ACCURACY, COMPLETENESS, DEPENDABILITY OR RELIABILITY OF THE INFORMATION THAT MAY BE DELIVERED OR PROVIDED IN CONNECTION WITH THE SERVICES. VOUCHED IS NOT RESPONSIBLE FOR ERRONEOUS, FRAUDULENT, OR SYNTHETIC DATA INTRODUCED BY BUYER, END USER, OR OTHER THIRD PARTIES. ANY OUTPUT AND ANY OTHER DATA OR INFORMATION THAT BUYER OR END USERS OBTAIN THROUGH THE SERVICES IS FOR INFORMATIONAL AND GENERAL REFERENCE PURPOSES ONLY. VOUCHED DOES NOT WARRANT THAT THE SERVICES WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SERVICES WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL ERRORS WILL BE CORRECTED.

 

6. INDEMNIFICATION

6.1. Your Indemnification Subject to the terms and conditions set forth herein, You will indemnify, defend, and hold harmless, Vouched and its officers, directors, and employees (collectively, "Vouched Indemnified Party") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys' fees (collectively, "Losses") that are awarded against a Vouched Indemnified Party in a final non-appealable judgment, arising out of any third-party claim that results from: (a) any breach or violation by You or End User of Sections 1.2-1.3, 1.4, 3.2, 4.1, of these TOS, or Your breach of the DPA; (b) any material breach or non-fulfillment of any representation or warranty by You contained in this Agreement; (c ) any grossly negligent or more culpable act or omission of You (including any reckless or willful misconduct) in connection with the performance of its obligations under the Agreement; or (d) actual fraud by You.  

6.2. Vouched Indemnification Subject to the terms and conditions set forth herein, Vouched will indemnify, defend, and hold harmless, You and its officers, directors, and employees (collectively, "You Indemnified Party") against any and all Losses that are awarded against You Indemnified Party in a final non-appealable judgment arising out of any third-party claim that results from: (a) material breach or non-fulfillment of any representation or warranty by Vouched contained in this Agreement; (b) any grossly negligent or more culpable act or omission of Vouched (including any reckless or willful misconduct) in connection with the performance of its obligations under the Agreement; or (c ) actual fraud by Vouched. 

6.3. Indemnity Procedures. The indemnified party shall promptly provide written notice of a claim to the indemnifying party and must give the indemnifying party sole control of the defense and settlement of the claim (provided that any settlement unconditionally releases the indemnified party of all liability and does not make any admissions on behalf of the indemnified party or include payment of any amounts by the indemnified party. The indemnifying party, at the indemnifying party's expense, will provide all reasonable assistance in connection with such a claim and may participate in the defense of the claim at its sole cost and expense. 

7. LIMITATIONS ON LIABILITY. TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER VOUCHED NOR ANY OF ITS OFFICERS, DIRECTORS, AFFILIATES, SUPPLIERS, SERVICE PROVIDERS, AGENTS, LICENSORS OR DISTRIBUTORS WILL BE LIABLE UNDER THIS AGREEMENT, INCLUDING ANY ORDER FORMS, FOR ANY: (A) INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES; (B) LOSS, ERROR, OR INTERRUPTION OF USE OF DATA OR OTHER INFORMATION (IN EACH CASE, WHETHER DIRECT OR INDIRECT); OR (C) COST OF COVER OR LOSS OF BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE OR FORESEEABLE. TO THE FULLEST EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF VOUCHED AND ALL OTHER PERSONS REFERRED TO IN THIS SECTION 7; IN CONNECTION WITH THIS AGREEMENT WILL NOT EXCEED THE AMOUNT PAID BY You TO VOUCHED DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY (PROVIDED THAT, IF NO FEES ARE PAID, SUCH AMOUNTS WILL BE LIMITED TO ONE HUNDRED DOLLARS (US $100.00)). THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT INCREASE OR ENLARGE THE FOREGOING PAYMENT LIMITATION. THE PARTIES AGREE THAT THE WAIVERS AND LIMITATIONS SPECIFIED IN THIS SECTION 7 APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT (INCLUDING INDEMNITY CLAIMS), TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE AND WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. 

8. CONFIDENTIALITY

8.1. Non-Disclosure Agreement. “Confidential Information” means any non-public, proprietary information disclosed by a Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. The Receiving Party shall not use any Confidential Information other than for the purpose of exercising its rights or performing its obligations under this Agreement. Further, the Receiving Party shall not disclose any Confidential Information of the Disclosing Party to any third party, except as may be required to its employees, agents, parent companies, shareholders, lawyers and accountants on a strict need-to-know basis, to the extent such third parties are subject to confidentiality obligations that are at least as restrictive as those in this Agreement. Notwithstanding the foregoing, Receiving Party may disclose Confidential Information pursuant to any legal proceeding or as otherwise required by law, subject to the Receiving Party providing Disclosing Party with commercially reasonable notice of any such legal request and taking all commercially reasonable steps to limit the amount of Confidential Information disclosed and to allow the Disclosing Party to seek a protective order or pursue other protective measures, in each case to the extent permitted under applicable law.  For purposes of this Agreement, Confidential Information excludes information that: (a) was known to the Receiving Party prior to disclosure by the Disclosing Party without restriction as to use or disclosure; (b) is or becomes generally available to the public other than by violation of this Agreement or another valid agreement between the parties; (c ) was independently developed by the Receiving Party without use or reliance upon the Disclosing Party’s Confidential Information; or (d) is divulged by a third party who had the right to make such disclosure without violating any confidentiality agreement with or other obligation to the Disclosing Party. 

8.2. Limited Marketing Exception. You agree to allow Vouched to use Your name and logo on Vouched’s website and in other materials acknowledging this Agreement. Vouched and You will mutually agree on the terms of a promotional statement announcing the relationship between the parties set forth in the Agreement. 

9. TERMINATION AND SUSPENSION OF SERVICES

9.1.Termination and Suspension of Services. If You fail, or Vouched suspects that You have failed, to comply with any of the provisions of this Agreement, Vouched may, without notice to you: (i) terminate this Agreement and You will remain liable for all amounts due under your account up to and including the date of termination; and/or (ii) terminate your license to the software; and/or (iii) preclude your access to the Services. Vouched further reserves the right to modify, suspend, or discontinue the Services at any time with or without notice to You, and Vouched will not be liable to you or to any third party should it exercise such rights. You may terminate this agreement up to one (1) day prior to the end of the testing period by contacting Vouched via email at support@vouched.id. Thereafter, this Agreement may be terminated by either Vouched or You upon ninety (90 )days written notice to the other of such Party’s intent to terminate. All fees shall be due until termination is complete. 

9.2. Effect of Termination. Upon termination or expiration of this Agreement for any reason: (a) the Agreement including any Order Form(s) under this Agreement will terminate; (b) all rights and obligations of the parties hereunder will cease (except as set forth in Section 9.4 (Survival)); and (c ) You will remain obligated to pay for all Services through the effective date of termination. 

9.3. Survival. Any term of this Agreement that by its nature is intended to survive termination or expiration of this Agreement will survive, including, without limitation: 3 (Intellectual Property Rights), 4 (Data Security), 5 (Representations and Warranties), 6 (Indemnification), 7 (Limitation on Liability), 8 (Confidentiality), 9.2 (Effect of Termination), 9.3 (Survival) and 10 (Miscellaneous). 

10. MISCELLANEOUS

10.1. Entire Agreement. This Agreement, including this TOS and each Order Form represents the entire agreement between the parties with respect to Your use of the Services and supersedes any and all prior agreements of the parties with respect to the subject matter hereof. No change, amendment or modification of any provision of this TOS, or any Order Form will be valid unless set forth in a written instrument signed by the duly authorized representatives of both parties. 

10.2. Notices. Any required notices under this Agreement should be sent to the addresses or email addresses noted on the Order Form. If either party changes its address or email address, that party will promptly give notice to the other party of the new address or email address. 

10.3. Counterparts. The parties may execute this Agreement in any number of counterparts. Each counterpart is an original and all counterparts constitute one agreement binding both parties. Facsimile and electronic signatures will be binding for all purposes. 

10.4. Applicable Law. The Agreement and the Services will be governed by and interpreted in accordance with the internal laws of the state of Washington, excluding its conflict of law rules. Exclusive jurisdiction and venue for any claims related to or arising under the Agreement will be in a court located in King County, Washington. If any action at law or in equity is necessary to enforce or interpret the terms of the Agreement, the substantially prevailing party will be entitled to reasonable attorneys’ fees and costs in addition to any other relief to which such party may be entitled. 

10.5. Severability If any provision of the Agreement violates any law or becomes unenforceable, then that provision will be deemed modified or excluded to the extent necessary so that it is no longer in violation of law or unenforceable and the remaining provisions will remain binding on the parties. 

10.6. Assignment. The Agreement will be binding upon and inure to the benefit of the successors and permitted assigns of the parties. Either party may assign or transfer any or all of its rights, obligations or interest under the Agreement without the written consent of the other party. 

10.7. Waiver. The various rights and remedies given to or reserved by either party herein or allowed by law, are cumulative and the failure of either party to insist upon the performance of any provision herein or to exercise any right or privilege granted to it hereunder, will not be construed as a waiver of that provision or any other provision, and the same will continue in full force.

10.8. Modifications. Vouched may modify this TOS from time to time with notice to You. Modifications take effect at Your next renewal date or Order Form unless Vouched indicates an earlier effective date. If Vouched requires modifications with an earlier effective date and You object, Your exclusive remedy is to terminate this Agreement with notice to Vouched, in which case Vouched will provide You a refund of any pre-paid fees for the terminated portion of the current Term. To exercise this termination right, You must notify Vouched of its objections within thirty (30) days after Vouched’s notice of the modified TOS. Once the modified TOS takes effect Your continued use of the Service constitutes its acceptance of the modifications. Vouched may require You to click to accept the modified TOS. 

Exhibit A

Data Processing Agreement

This Data Processing Agreement (“DPA”) amends and forms part of the Terms of Service between Vouched and You (the “Agreement”). This DPA supersedes any existing data protection terms concluded in relation to the Services and prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. Definitions

1.1. In this DPA:

    1. Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” have the meaning given to them in Data Protection Law. “Data Subject” includes “Consumer” as that term is defined under U.S. Privacy Laws;

    2. Your Personal Data” means Personal Data Processed by Vouched as a Processor on behalf of You or Third Party Controller;

    3. Data Protection Law” means U.S. Privacy Laws, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”), and Switzerland, each as applicable, and as may be amended or replaced from time to time;

    4. Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;

    5. International Data Transfer” means any disclosure of Your Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;

    6. Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in Data Protection Law.

    7. Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws.

    8. Services” means the services provided by Vouched to You under the Agreement;

    9. Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;

    10. Subprocessor” means a Processor engaged by Vouched to Process Your Personal Data;

    11. SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;

    12. Third-Party Controller” means a Controller for which You are a Processor; and

    13. UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

    14. U.S. Privacy Laws” means, collectively, all United States federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), or specific demographics (e.g., children). U.S. Privacy Laws include, but are not limited to, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”).


    1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

    1.3. In the event of a conflict in the meanings of defined terms in Data Protection Law, the meaning from the Data Protection Law applicable to the relevant jurisdiction of the Data Subject applies.

 

2. Scope

2.1. This DPA applies to the Processing of Your Personal Data by Vouched subject to Data Protection Law to provide the Services.

2.2. The subject matter, nature and purpose of the Processing, the types of Your Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

2.3. You appoints Vouched as a Processor on behalf of You. Unless You are a Processor on behalf of a Third-Party Controller, You are responsible for compliance with the requirements of Data Protection Law applicable to Controllers.

2.4. If You are a Processor on behalf of a Third-Party Controller, then You: are the single point of contact for Vouched; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.

2.5. You acknowledges that Vouched may Process Personal Data, including Your Personal Data, relating to the operation, support, or use of the Services for its own business purposes, such as: (i) to prevent, detect, protect against, investigate, or otherwise respond to data security incidents, theft, harassment, or malicious, deceptive, fraudulent or illegal activity; (ii) benchmarking, (iii) product development, and (iv) compliance with law. Vouched is the Controller for such Processing and will Process such data in accordance with Data Protection Law.

2.6. Vouched shall comply with the obligations of, and provide the level of privacy protection required by, Data Protection Law.

3. Instructions

3.1. Vouched will Process Your Personal Data to provide the Services and in accordance with Your documented instructions.

3.2. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work or order form.

3.3. You may reasonably issue additional instructions as necessary to comply with Data Protection Law. Vouched may charge a reasonable fee to comply with any additional instructions.

3.4. Except as set forth in section 2.5 of this DPA and as expressly permitted under applicable Data Protection Law, Vouched is prohibited from (i) Selling or Sharing Your Personal Data, (ii) retaining, using, or disclosing Your Personal Data for any purpose other than for the specific purpose documented in the Buyer instructions, (iii) retaining, using, or disclosing Your Personal Data outside of the direct business relationship between You and Vouched, and (iv) combining Your Personal Data with Personal Data obtained from, or on behalf of, sources other than You.

3.5. Vouched certifies that it understands the Processing restrictions set forth in this DPA and will comply with them.

3.6. Unless prohibited by applicable law, Vouched will inform Buyer if Vouched is subject to a legal obligation that requires Vouched to Process Your Personal Data in contravention of Your documented instructions.

4.  Personnel

4.1. Vouched will ensure that all personnel authorized to Process Your Personal Data are subject to an obligation of confidentiality.

5.  Security and Personal Data Breaches

5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vouched will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.

5.2. You acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Your intended Processing and will notify Vouched prior to any intended Processing for which Vouched’s security measures may not be appropriate.

5.3. Vouched will notify You without undue delay after becoming aware of a Personal Data Breach involving Your Personal Data. If Vouched’s notification is delayed, it will be accompanied by reasons for the delay.

6.  Subprocessing

6.1. You hereby authorizes Vouched to engage Subprocessors. A list of Vouched’s current Subprocessors is included in Annex III.

6.2. Vouched will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

6.3. Vouched will notify You to a change to Subprocessors. You may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Vouched’s notification. You and Vouched will work together in good faith to address Your objection. If Vouched chooses to retain the Subprocessor, Vouched will inform You and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.

7.  Assistance

7.1.  Taking into account the nature of the Processing, and the information available to Vouched, Vouched will assist You, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Your own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

7.2.  Vouched may charge a reasonable fee for assistance under this Section 7. If Vouched is at fault, Vouched and You shall each bear their own costs related to assistance.

7.3. Upon receiving notice from Vouched that it is unable to comply with Data Protection Law or this DPA, You may direct Vouched to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Your Personal Data.

8.  Audit

8.1. Upon reasonable request, Vouched will make available to You all information necessary to demonstrate compliance with the obligations of this DPA. The parties agree that Buyer shall first look to third-party reports or certifications (e.g., SSAE 16-Type II, SOC 2, ISO 27001, or ISO 27701 reports) provided by Vouched or its Subprocessors to satisfy any audit requirements under this DPA or Data Protection Law.  Requests for these third-party reports or certifications can be made by sending a request to https://trust.vouched.id.  If, and only to the extent that, such reports or certifications do not satisfy Your legally mandated audit obligations under Data Protection Law, Vouched will allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by You, and performed by an independent auditor as agreed upon by You and Vouched. Any such audit or inspection shall only extend to those documents and facilities relevant and material to the Processing of Your Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption to Vouched’s operations.

8.2. Vouched will inform You if Vouched believes that Your instruction under Section 8.1 infringes Data Protection Law. Vouched may suspend the audit or inspection or withhold requested information until You have modified or confirmed the lawfulness of the instructions in writing.

8.3. Vouched and You each bear their own costs related to an audit.

9. International Data Transfers

9.1. You hereby authorizes Vouched to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Sections 9.2 and 9.3.

9.2. By signing this DPA, Vouched and You conclude Module 2 (controller-to-processor) of the SCCs, to the extent You are a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, and to the extent the parties are independent Controllers Module 1 (Controller-to-Controller) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is You; the “data importer” is Vouched; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is ten (10) days; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to Modules 1, 2 and 3 of the SCCs are Annex I and II to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.

9.3. By signing this DPA, Vouched and You conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is You and the “Importer” is Vouched, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and II respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

9.4.  If Vouched’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Vouched’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then You and Vouched will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Vouched reserves the right to amend the Agreement and this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.

10.  Notifications

10.1. You will send all notifications, requests and instructions under this DPA to Vouched’s Legal via email to legal@vouched.id

10.2. Vouched will send all notifications under this DPA to Your contact set forth in the Agreement.

11. Liability

11.1. Where Vouched has paid compensation, damages or fines, Vouched is entitled to claim back from You that part of the compensation, damages or fines, corresponding to Your part of responsibility for the compensation, damages or fines.

12.  Termination and return or deletion

12.1. This DPA is terminated upon the termination of the Agreement.

12.2. You may request return of Your Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Vouched will delete all remaining copies of Your Personal Data within one hundred eighty (180) days after returning Your Personal Data to Buyer.

13. Applicable law and jurisdiction

13.1. This DPA is governed by the laws set forth in the Agreement. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts set forth in the Agreement.

14. Modification of this DPA

14.1. This DPA may only be modified by a written amendment signed by both Vouched and You.

15. Invalidity and severability

15.1. If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

 

ANNEX I

DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Data exporter:

      • Name: You 
      • Address: 
      • Contact person’s name, position and contact details: 
      • Activities relevant to the data transferred under these Clauses: You receive Vouched’s services as described in the Agreement and You provide Personal Data to Vouched in that context.
      • Signature and date: 
      • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:

      • Name: Vouched 
      • Address: 
      • Contact person’s name, position and contact details: 
      • Activities relevant to the data transferred under these Clauses: Vouched provides its services to You as described in the Agreement and Processes Personal Data on behalf of You in that context, or as a separate controller in limited cases.
      • Signature and date: 
      • Role (controller/processor): Processor on behalf of You, or Subprocessor on behalf of Third-Party Controller, or separate Controller

B.  DESCRIPTION OF INTERNATIONAL DATA TRANSFER

    • Categories of Data Subjects whose Personal Data is transferred:

      # Category of Data Subjects
      1 Your end users
      2 Your personnel, staff and contractors

       

    • Categories of Personal Data:

      # Category of Personal Data
      1 Name, Title, Work Phone, Work Email
      2 Name, Legal Name, Email, Phone, Physical Address, Government ID date of issuance, Government ID date of expiration, Age, Date of Birth, IP Address, Geolocation, Unknown client supplied PII

       

    • Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
# Category of Sensitive Data Applied Restrictions and Safeguards
1

Social Security Number, Individual Tax Identification Number, Biometric data, Driver’s License #, Passport #, National ID #

 Vouched does not store Social Security Numbers or Individual Tax Identification Number. All biometrics data and government identification documents are stored in Google Cloud Platform with limited access.

 

    • The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): On a continuous basis.
    • Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement, including but not limited to fraud prevention and identity verification.
    • Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
    • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
    • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.


C.   COMPETENT SUPERVISORY AUTHORITY

    • The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority a) of Your country of establishment, or, where not applicable, b) of the country where Your EU data protection representative is located, or, where not applicable, c) of one of the EEA countries where the Data Subjects are located.
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
    • The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.



ANNEX II


TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Vouched has organized and implemented technical and organizational measures for personal data protection according to ISO 27001 and ISO 27701 to support its data protection program. The measures include the following types of controls:

Information Security Policies

    • Provides management direction and support for information security in accordance with business requirements, and relevant laws and regulations.

Organization of Information Security

    • Establishes a framework for initiating and controlling information security implementation and operations at Vouched.

Enterprise Risk Management

    • Defines the methodology for the assessment and treatment of risks associated with the loss of confidentiality, integrity, and availability of information, and defines the acceptable risk level.

Human Resource Security

    • Designed to ensure that all workforce members are well suited for, and understand, their roles and responsibilities.
    • Designed to ensure that potential workforce hires undergo background checks.
    • Designed to ensure that workforce members sign non-disclosure agreements and commit to acceptable use policies.
    • Designed to ensure that all workforce members are aware of, and fulfill, their information security responsibilities and obligations, such as adhering to Vouched’s password policies.
    • Designed to ensure that workforce members who handle personal data receive additional privacy and security training to better understand their responsibilities and obligations.
    • Designed to ensure that the organization’s interests are protected throughout the employment process, from pre-employment to termination.

Asset Management

    • Identifies and classifies Vouched’s information assets, defines and assign appropriate responsibilities for ensuring their protection, and sets their retention schedules.
    • Designed to ensure an appropriate level of protection for information assets in accordance with their sensitivity level and importance to the organization.
    • Designed to prevent the unauthorized disclosure, modification, removal, or destruction of information stored on media.

Access Control

    • Sets forth management principles governing information security and cybersecurity to secure information in any form information in any for.
    • Establishes governing principles for the protection of all Vouched’s information and to reduce the risk of unauthorized access to Vouched’s information.
    • Provides the framework for user, system and application access control and management, and user responsibilities.
    • Limits access to information and information processing facilities.
    • Designed to ensure authorized user access and prevent unauthorized access to systems and services.
    • Makes users accountable for safeguarding their authentication information.
    • Designed to prevent unauthorized access to systems and applications.

Cryptography

    • Designed to ensure proper and effective use of cryptography in order to protect the confidentiality, authenticity, and integrity of information.
    • Provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
    • Establishes procedures on proper encryption for data in motion encryption, data at rest encryption and key management.
    • Uses end-to-end encryption and encrypts data in transit and at rest.

Physical and Environmental Security (if applicable given Vouched has no physical offices)

    • Establishes procedures for properly defining secure areas, entry, threat protection, equipment security, secure disposal, clear desk and clear screen policies, and visitor access in order to prevent (1) unauthorized physical access, damage, and interference with Vouched’s information and information processing facilities; and (2) loss, damage, theft, or compromise of Vouched’s assets, and interruption of its operations.

Operations Security

    • Establishes procedures on the proper management of IT systems, including change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, and audit controls
    • Designed to ensure that information and information processing facilities are operated securely and protected from malware and loss of data.
    • Designed to ensure that security events are recorded appropriately.
    • Designed to maintain operational system integrity and avoid exploitation of technical vulnerabilities.

Communications Security

    • Establish controls related to network security, network segregation, network services, transfer of information internally and externally, messaging, and more.

System Acquisition, Development, and Maintenance

    • Establishes security requirements for the procurement and deployment of technology solutions, as well as the requirements for internal development and support processes.

Supplier Relationships

    • Provides a framework for Vouched to perform vendor risk management, including due diligence, identification of contractually required privacy and security controls, and the management and monitoring of third-party suppliers (i.e., vendors, service providers, and processors) from onboarding to offboarding to ensure proper information security and service delivery.

Information Security Incident Management

    • Establishes policies to reduce the impact of security incidents to the confidentiality, integrity, and availability of Vouched’s technology resources, services and information.
    • Enables Vouched to provide consistent, repeatable, and measurable guidance that reduces or eliminates the ambiguity and questions that would otherwise commonly appear and result in inconsistent processes

Information Security Aspects of Business Continuity Management

    • Establishes a business continuity framework and defines how Vouched should recover its IT architecture and IT services within set deadlines in the event of a disaster or other disruptive incident.
    • Designed to ensure data backup for cloud-hosted implementations.
    • Designed to maintain a business continuity plan and support annual technical and tabletop tests.

Compliance

    • Designed to support Vouched’s compliance with respect to the organization’s internal policies and procedures and contractual obligations related to information privacy and security, and applicable privacy, information security, and data protection laws and regulations.



Other Industry Standard Security Controls

    • Penetration Testing
    • Vulnerability Management
    • Application Password Policy
    • OAuth-based Authorization
    • API Security

ANNEX III

LIST OF SUBPROCESSORS

You authorizes Vouched to engage the following Subprocessors:

Entity Name Service Location Registered Address Contact Task Performed
Google Cloud USA

1600 Amphitheatre Parkway Mountain View, CA 94043, USA

 Privacy.google.com and google.privacy/business Infrastructure, Image Processing
AWS USA

11000 Equity Drive Suite 300  Houston, TX 77041, USA

 privacyshield@amazon.com Image Processing
Microsoft USA One Microsoft Way, Redmond, WA 98052, USA privacy@microsoft.com Image Processing
Labelbox USA 510 Treat Ave, San Francisco, CA 94110, USA security@labelbox.com Image Processing
Fivetran USA

405 14th Street Suite 1050 Oakland, CA 94612 USA

 privacy@fivetran.com Data Processing and ETL
Snowflake USA

106 East Babcock Street Suite 3A Bozeman, MT 59715 USA

 privacy@snowflake.com Database Services
DataDog USA 620 8th Avenue 45th Floor New York, NY 10018 USA privacy@datadoghq.com Infrastructure Monitoring
Zendesk USA

1019 Market Street San Francisco, CA 94103 USA

 privacy@zendesk.com Customer Support Ticketing
Sentry USA 45 Fremont St, San Francisco, CA 94105, USA compliance@sentry.io Analytics on JS Plug-in
Amplitude USA 201 3rd Street, Suite 200 San Francisco, CA 94103, USA privacy@amplitude.com Analytics on JS Plug-in

Atlassian (Jira/Confluence)

 USA 350 Bush Street Floor 13 San Francisco, CA 94104, USA

privacy@atlassian.com,eudatarep@atlassian.com

 Ticket Tracking and Documentation
Linear USA 2261 Market Street, San Francisco, CA 94114 USA hello@linear.app Ticket Tracking
Salesforce USA Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA privacy@salesforce.com CRM
Hubspot USA

25 1st Street Cambridge, MA 02141, USA

https://preferences.hubspot.com/privacy Marketing Automation
Twilio USA

1801 California St Suite 500 Denver, CO 80202 USA



 privacy@twilio.com Communication APIs (Phone Numbers, SMS)
Stripe USA

354 Oyster Point Blvd South San Francisco, CA 94080, USA

 privacy@stripe.com Payments Processing