Overview

Legal and Compliance

Overview

For Consumers

Learn more about Prove's privacy policies and practices, and the terms and conditions that apply when using Prove products.

Learn more

For Developers

Learn more about the rules that govern developers' access to and use of Prove products and services.
‍

Learn more

Prove Ethics & Compliance Hotline

This system makes it easy to report (anonymously or otherwise) an incident about workplace issues like financial and auditing concerns, harassment, theft, substance abuse and unsafe conditions.

Click the button below to get started with your report and we'll ask you a few questions about the incident.

Report an Incident

Modern Slavery Statement

Statement on Modern Slavery and Human Trafficking

‍

This statement is made by Prove Identity, Inc. and Prove Identity Ltd in accordance with Section 54(1) of the Modern Slavery Act 2015 (the “Act”) for the financial year ending December 31, 2022. For the purposes of this statement, any reference to “Prove” is a reference to both companies unless otherwise stated.

‍

This statement sets out the steps Prove has taken or will take to ensure there is no modern slavery or human trafficking in our supply chains or in any part of our business.

‍

Prove’s Structure, Business, and Supply Chains

‍

Prove Identity Ltd, a United Kingdom registered company, is a direct subsidiary of Prove Identity, Inc., which is incorporated in Delaware and headquartered in New York, New York.

‍

Prove provides digital identity verification and authentication products and services to global businesses, non-profit organizations, and their clients and affiliates. Operating business-to-business (B2B), Prove assists clients with fraud prevention by securely verifying digital identities when clients engage with consumers online through mobile devices and applications, websites, or client call centers.

‍

Prove’s Policies Relating Slavery and Human Trafficking

‍

Prior to the financial year ending December 31, 2020, Prove did not meet the worldwide revenue threshold to trigger the Act’s reporting obligations. As such, our policies and procedures addressing modern slavery and human trafficking are in their early stages but are continuing to evolve.

‍

Corporate Code of Conduct

‍

Prove adheres to a Corporate Code of Conduct, which requires (among other things) that all employees, temporary personnel, consultants, and independent contractors conduct their business in strict compliance with all applicable laws and regulations.

‍

Prove’s employees acknowledge the Corporate Code of Conduct annually. Anyone who suspects or becomes aware of possible violations of Prove’s Corporate Code of Conduct (as discussed above) is instructed to notify his or her manager, a company officer, or a human resources representative

‍

Whistleblower Policy

‍

All Prove personnel acknowledge the Whistleblower Policy on an annual basis. The intention of the policy is to outline the process for Prove personnel to report instances of fraud, unethical behavior, or misconduct. This policy is integral in preventing occurrences of modern slavery and human trafficking by providing an avenue for Prove personnel to report any suspecting instance without the fear of repercussions.

‍

The Whistleblower Policy provides multiple reporting channels including direct reporting to managers and corporate leaders, as well as an online web portal, phone number (local and international), and SMS text messaging number which all provide for anonymous reporting.

‍

Prove’s Compliance with Modern Slavery and Human Trafficking Policies

‍

Prove operates in a relatively low risk industry for modern slavery and human trafficking; however, we understand the importance of guarding against modern slavery and human trafficking in our supply chains or in any part of our business. This includes risk-based, thorough due diligence, monitoring, and training of our clients, vendors, and employees.

‍

All Prove employees are trained on our business standards and culture through annual trainings related to Human Resources (HR) and Compliance. The HR training includes a variety of human rights related issues such as equal opportunity employment and diversity and inclusion; while the Compliance training covers such topics as fraud, ethics, money laundering, bribery and corruption, whistleblower, and privacy.

‍

Our Clients

‍

High-risk prospective clients undergo detailed initial risk assessments and are independently reviewed by our Compliance Department. This review includes identity verification, prospect due diligence, and a review of publicly available information.

‍

Existing clients are periodically audited on an ongoing basis using a risk-based approach.

‍

Our Vendors

‍

Prove understands the importance of working with reputable suppliers and subcontractors that comply with all regulatory, legal, and third-party requirements. To this end, Prove has a Vendor Risk Management (VRM) and company-wide policy and program in place to effectively manage our third-party vendors. The goal of the program is to gain a thorough understanding of risks created by vendor relationships through the diligent selection of available vendors and ongoing monitoring of vendor performance against business, contractual, regulatory, and legal requirements. Specifically, Prove examines various factors, which may include:

‍

Vendor history and longevity.
Qualifications and background of company principals, including criminal background checks (where determined appropriate by risk).
Business references from previous engagements.
Financial status.
Reputation.
Legal and regulatory compliance history.
Reliance on subcontractors or third-party service providers.

‍

Prove uses a risk-based approach to regularly monitor its vendors in real-time or on an ad hoc basis based on the nature and scope of the services provided. This ongoing diligence is performed so Prove can exercise the control necessary to properly manage its products and services.

‍

Prove will continue to assess supply chain risks and expand our due diligence and monitoring accordingly

‍

Our Employees

‍

Prove personnel, including employees, contractors, and other short-term staff, are expected to abide by our Corporate Code of Conduct (as discussed above). Prove is an equal opportunity employer and is free of discrimination of all types. We are committed to an environment that is free from abusive, offensive, or harassing behavior.

‍

Prove recruits employees in accordance with established company standards. All offers of employment are contingent upon clear results of a thorough background check covering identity verification, review of criminal history, and searches of more than 30 sources including the Office of Foreign Asset Control, Office of Inspector General, United Nations Consolidated Sanctions List, European Union Terrorism List, and World Bank Debarred Parties. All Prove employees are employed by mutual agreement through a written contract governed by local law and terminable by either party.

‍

Prove develops and updates training for all new and existing employees on an ongoing basis and endeavors to include modern slavery and human trafficking training and awareness as appropriate.

‍

Board Approval

‍

This statement was approved by Prove’s Board of Directors on November 14, 2023.

‍

Mitch Bompey

Chief Legal Officer

‍

Diversity & Impact Report

Introduction

At Prove, our guiding mission is centered around creating equitable and convenient solutions to digital transactions and identity verification processes designed to mitigate fraud and enable access to online services globally. By modernizing how digital trust is established and maintained throughout the consumer journey, Prove provides unparalleled accuracy in identity verification and authentication while delivering a frictionless consumer experience. Prove received numerous awards in 2023, including Expert Insights Top Solution for “Customer Identity & Access Management”and “Zero Trust Security” as well as Prove CEO Rodger Desai being named the “Entrepreneur of the Year
NY” by Ernst & Young.Prove’s mission may focus on providing verification and authentication solutions, however, how that mission is accomplished is just as important as the mission itself. At Prove, we are continuously driven to attract and retain exceptional talent from all backgrounds while building a diverse community from across the globe.This focus on our community and culture has led to creation of Prove’s Diversity and Impact Report(this “Report”), which aims to provide an overview of Prove's commitment to diversity, equity, and inclusion (“DE&I”), as well as the company's efforts to make a positive impact in various other areas. It highlights key initiatives, progress made, and future goals related to diversity within the workforce, community engagement, environmental sustainability, and social responsibility.

Current State

Prove recognizes the importance of having corporate policies, practices, and activities in place to encourage us to act responsibly when it comes to environmental, social, and governance (“ESG”)issues. More specifically, Prove recognizes the value of a diverse workforce, community engagement, and environmental sustainability. This Report provides an overview of Prove’s commitment to and the positive impact of our ESG endeavors, including any resources available to and activities conducted by our organization.

‍

Diversity

Prove is committed to fostering an inclusive and diverse workplace where every individual feels valued, respected, and empowered. We believe that embracing and encouraging diversity in all its forms is not only the right thing to do, but it is also essential for driving innovation, creativity, and sustainable growth. This Report is the first step in gathering data and interpreting numbers related to Prove’s DE&I. It showcases the baseline data that we have available today and will assist us as we develop our goals and metrics to build upon this foundation.

‍Prove Power Hours

Prove engages in regular “Power Hour” digital conferences designed to educate and empower our team. Examples of these events include:

Black Men Heal: In honor of Black History Month, Prove partnered with Black Men Heal, a non-profit organization dedicated to promoting healing, growth, and empowerment through therapy. They hosted a virtual workshop on the topic of “Corporate Wellness: Creating a Culture of Care”. It was a space for learning and discussion on topics such as imposter syndrome, implicit bias, and cultural competency.‍
The Point Foundation: In Pride month, Prove supported Point Foundation, the LGBTQ Scholarship Fund, by hosting a Drag Queen Bingo event with the amazing Miss Richfield which included a portion dedicated to learning more about Point's important work supporting LGBTQ students in higher education.‍
Edesia – Virtual Factory Tour: In August, Prove partnered with Edesia for a virtual tour of their Rhode Island facility and to hear first-hand from Founder and CEO Navyn Salem about how Edesia is making a difference. Edesia is a non-profit, social enterprise created with the mission to end malnutrition through the manufacturing of a Ready-to-Use Therapeutic Food (RUTF) called Plumpy’Nut - the only formula endorsed by the World Health Organization to cure a young child of life-threatening severe acute undernourishment. To date, Edesia has impacted more than 20 million children across 62 countries.

Prove People

Prove has won various awards including, “Best Places to Work”, “Best Company Outlook”, “BestCompany Perks and Benefits”, and “Best Company Culture”. Recognition like this comes dueProve’s greatest asset – the people.Prove continues to strive to hire the best and brightest. One way we achieve this is through our referral program and input from the excellent team we already have. Prove also implemented anInternal mobility policy, a dedicated career channel to promote internal opportunities, and a framework to provide visibility and clarity around career pathing at Prove, all of which are designed to help our team members grow within the company. Prove understands that knowledge is the key to acceptance and growth. As such, Prove requires all employees to complete annual training in the areas of Human Resources (including Diversity specific training), Ethics & Compliance, and Data Protection (including Information Security and Consumer/Employee Data Privacy). These trainings not only educate the employees on best practices but also provide valuable information about how to respond to incidents that do not fall within the bounds of Prove’s culture.Prove’s Ethics & Compliance training, which covers the variety of topics listed below, cites to theProve Ethics & Compliance Hotline which allows employees to report violations of Prove’s code of conduct or other HR or Compliance policies anonymously:

Ethics: Fraud, Bribery and Corruption, Conflict of Interest, Anti-Money Laundering
CEO Fraud
Whistleblower
Data Privacy
GDPR

‍

Diversity Data Points (Q4 2023)

This Report provides a high-level snapshot of Prove’s statistics from our Q4 2023 demographics and DEI surveys (the “Demographics Surveys”). While we are pleased with the 91% participation in the Demographics Surveys, which was optional and anonymous, the responses may not fully represent our organization given that there are team members who chose not to respond, as well as a limited number of questions included in the Demographics Surveys. Prove is aware that diversity can extend beyond demographic characteristics, but this is the baseline data currently available for Prove to build upon in 2024 and beyond:

‍

Community

Prove recognizes that building a connected, safe, and open-minded community internally isimperative to a successful business. Similarly, supporting and giving back to the external community that the company operates in is equally important. Actively engaging with local and global organizations that support initiatives promoting education, technology access, and socialwell-being inspire positive change and provide long-term value to the communities we serve.

‍Prove Community

Prove engages our internal community through regular wellness programming designed to bring teams together and encourage interaction outside of the typical work setting. These programs include mental health awareness sessions, and access to the Bravely professional coaching platform that connects Prove employees to real people who can help them achieve their professional goals. Prove also provides regular “Lunch & Learn” events that range from meeting the Prove Product leaders and other teams (e.g., Customer Success) to information sessions about how to leverage Prove’s benefits.Prove has a number of ways to check the pulse of its employees. For example, Prove shares an annual Wellness survey with all employees (the “Wellness Survey”). The Wellness Survey helpsProve year-over-year to better support our internal community and continue to create a positive working environment. Additionally, monthly “All-Hands” meetings bring the entire Prove team together for company-wide updates and information as well as engaging question and answer sessions to ensure that everyone is informed and is a part of the Prove culture. Finally, Prove has in place an annual review process that allows each employee to receive individual feedback on the previous year, and presents each employee with solid direction going into each new year and a clear understanding of what they bring to the company. This process is rolled out each year in tandem with reviewing the annual company-wide general survey results (the “General Survey”).The General Survey results inform departments on where improvements can be made, which can include areas related to diversity, inclusion and general belonging, and enable them to create collective, objective goals for the coming year that align with the company’s overall objectives.

‍

‍Prove Global Engagement

As Prove expands globally, it strives to do its part to have a positive impact on the world. The interconnectedness of the global community is only growing bigger and stronger, which makes it more important that everyone strives to make a difference. Through global partnerships, Prove can reach its goals and take an active part in the global community.

Move The Chain: Prove has been a long-time partner with Move the Chain, a platform connecting corporations, non-profits, and individuals with networks to make the world a better place. Examples of non-profits supported are Asian Mental Health Project, The Young Center, and CAMFED.
Asian Mental Health Project: May is recognized as both AAPI Heritage Month and Mental Health Awareness Month. In honor of these important causes, Prove partnered with the Asian Mental Health Project in order to share details about the great work Asian Mental Health Project is doing and educating on the topic of Mental Health and Culture as well as participating in a donation matching fundraiser for the Asian Mental Health Project. The Asian Mental Health Project is a nonprofit organization dedicated to educating and empowering Asian communities in seeking mental healthcare.
The Young Center: Prove partnered with The Young Center to help support their mission to protect and advance the rights and best interests of immigrant children according to the Convention on the Rights of the Child and state and federal law. Prove raised money through its fitness challenge while also raising awareness and sharing details about The Young Center’s mission.
CAMFED: In honor of International Women’s Day, Prove partnered with CAMFED, a pan-African movement revolutionizing how girls’ education is delivered, to spread awareness and support for their goals. Through a gold-standard system of accountability to the young people and communities it serves, CAMFED has created a model that radically improves girls’ prospects of becoming independent, influential women. CAMFED has already supported more than 5.6 million children to go to school across Ghana, Malawi, Tanzania, Zambia, and Zimbabwe. By supporting CAMFED we aim to add momentum to their ambitious goals of supporting another 5 million girls to attend and thrive in school within just 5 years.

During our 2024 Sales Kick-off Event in Nashville, Prove partnered with Project Cure for a volunteering event where Prove staff assembled over 150 medical kits containing basic medical supplies for distribution to countries that struggle with medical care. In 2024, we plan to continue increasing our impact through fundraising and volunteering efforts. Whether focusing on internal growth within Prove, local efforts in our various office locations, or as a member of the global community, Prove strives to improve the status quo.

‍

Environment

Prove is committed to minimizing our environmental impact and promoting sustainable practices throughout our operations. We are just beginning our journey into environmental sustainability. While we continue investigating our current practices and their environmental impact, we can build off our current activities. As we continue to grow, the knowledge of our current impact will help us set goals to make tangible carbon emission reductions throughout our business in the
coming years. Today, Prove complies with all relevant environmental legislation and actively engages and educates our employees on related matters. Where we have office locations, Prove complies with local waste management regulations. Prove also has taken the following steps to encourage environment protection:

All office equipment (including all computers) is either switched off when not in use or programmed for automatic hibernate/energy saving mode for periods of sustained downtime and overnight.
We encourage meetings by conference call/webinar wherever possible.
Our kitchen facilities are energy efficient.
Where appropriate, we purchase products and services that do the least damage to the environment and conserve energy.
We buy items that can be operated in an energy efficient manner.
We ensure all building management and local recycling laws are followed and shared with all employees.
We include questions related to Greenhouse Gas emissions and environmental impact in all of our vendor questionnaires.

The Road Ahead

Prove is just beginning its journey but that doesn’t mean that we are behind. This Report is continuing to set the baseline for all activity moving forward. We are looking forward and excited to continue our progress to positively impact the world. While Prove has taken great strides to get where we are today, there are still a number of steps we can take on the journey ahead of us. As our goals evolve, Prove will make any and all efforts to turn strategy into action.

‍

2024 ESG Goals

‍

By creating attainable goals, we can take action as we continue to grow instead of just putting words on paper. Examples of Prove’s 2024 goals include:

1. Expand Prove’s ESG Program [Internal]
Prove recognizes the need to expand the scope of its ESG program. To this end, we are reviewing the accomplishments we have made over the past few years as we strategize in order to better organize our ESG activities and track our goals as an enterprise.

2. Improve ESG Education and Awareness [Internal]‍

Prove recognizes that knowledge is the catalyst to change. With the knowledge we have today, we can plan for tomorrow and look to improve upon the culture we have already created, including:

Expanding our DE&I events and awareness through increased investment in our partnerships and employee engagement.
Increasing awareness of our environmental conservation efforts within our offices and providing additional avenues for employees to act for the betterment of the environment.
Continuing to build upon our community involvement while simultaneously maintaining the Prove Culture as the company continues to grow.

3. Incorporate ESG into our Vendor Assessments [External]
Expanding our third-party vendor assessment questionnaires to include focused questions related to environmental sustainability and DE&I can only help to strengthen our knowledge about and understand the impacts of the third parties we rely on to do business. Armed with that information, we can take action to improve our processes to better align with our ESG goals.

‍

Trademark Guidelines

View Prove Trademark Usage Guidelines

Security & Privacy

‍View Prove Security & Privacy

Privacy Policy

Effective Date: Febuary 24, 2025

‍

Prove Identity, Inc., Prove Identity Ltd, and all current and future affiliates and subsidiaries (hereinafter “Prove”, “we”, "our”, or “us”) provide mobile-centric identity verification, authentication, and onboarding solutions (our “Solutions”) to businesses and their affiliates (our “Clients”). Our Solutions help Clients prevent fraud, including by helping Clients verify and authenticate consumers when they engage with Clients through mobile and online channels.

Certain terms used in this Privacy Policy (hereinafter, this “Policy”) may have slightly different wording or definitions depending on the applicable state, country, or region. This Policy uses the following definitions:

“Controller” means a natural or legal person who, alone or jointly with others, determines the purposes and means of Processing your Personal Information.

“Personal Information” means any information directly or indirectly linked or associated to a particular identified or identifiable natural person.

“Processing” includes, but is not limited to, collection, use, transmission, transfer, storage, erasure, and/or destruction of Personal Information.

“Processor” means a natural or legal person who Processes Personal Information on a Controller’s behalf.

These definitions are intended to cover substantially similar terms under applicable global privacy and data protection laws, including the European General Data Protection Regulation (“EU GDPR”) which generally applies to the processing of Personal Information in European Union (EU) member states and the European Economic Area (EEA) and the similar law in the United Kingdom ("UK GDPR"). For the purposes of this Policy, the EU GDPR and the UK GDPR are referred to as the “GDPR”, collectively.

Under the EU GDPR and the UK GDPR, and the Swiss Data Protection Act (collectively, "European Data Protection Laws"), Prove Identity, Inc. may be considered either a controller (i.e., is the party responsible for, and controlling the processing of, your Personal Information) or a processor (i.e., the party processing your Personal Information on behalf of a controller). Prove Identity, Inc. may also be considered both a controller and a processor depending on the nature of the transaction.

If the European Data Protection Laws, including individual EU member state laws supplementing the GDPR, or other country laws outside of the United States apply to you, please see the “Your Rights Under European Data Protection Laws” or “Local Country Laws Outside of the US, UK, or EU” sections below for further information about your rights.

‍

1. WHAT DOES THIS PRIVACY POLICY COVER?
‍‍
This Policy applies when Prove Identity, Inc. is the Controller of your Personal Information. This includes your use of our websites and branded social media pages, as well as when you receive emails, texts, faxes or have other communications with us (collectively, our “Sites”).

Prove Identity, Inc. acts in different roles with respect to your Personal Information depending on the nature of the Processing. This Policy does not apply:

Where Prove Identity, Inc. Processes your Personal Information as a Processor on behalf of our Clients. The Client’s privacy policy (not this Policy) applies when we Process your Personal Information as a Processor on their behalf. Please contact the Client directly if you have concerns about this Processing or which to exercise related privacy rights.
To any Personal Information you post to the public areas of our Sites. This includes, but is not limited to, comments to social media platforms and other public forums. Comments posted to public areas may be viewed, accessed, and used by third parties subject to the privacy practices and policies of the platform and/or forum.

There may be certain circumstances where more than one Controller Processes your Personal Information (sometimes called Joint Controllers or Co-Controllers). In these situations, we act as an independent Controller over our Processing activities. This means we determine the purposes and means of Processing your Personal Information independently from the other Controllers. Each Controller is responsible for meeting their own obligations under applicable global privacy and data protection laws.

Prove Identity, Inc. is not responsible for other Controllers’ Processing activities, including our Clients and other Joint Controllers.

‍

2. WHAT PERSONAL INFORMATION DO WE PROCESS?

‍
The types of Personal Information we Process depends on (a) how you access or use our Sites and (b) how our Clients use our Solutions.

PERSONAL INFORMATION WE PROCESS THROUGH OUR SITES

Our Sites and/or Solutions may have Processed the following Personal Information about you within the last twelve (12) months:

‍

PERSONAL INFORMATION WE PROCESS AUTOMATICALLY VIA TRACKING TECHNOLOGIES (E.G., COOKIES)

‍

When you interact with our Sites, Prove Identity, Inc. or Prove Identity, Inc.’s third parties may automatically Process your Personal Information through a variety of commonly used tracking technologies, such as cookies, web beacons, pixels, tags, file information, geolocation, and similar technology (collectively, “Cookie Information”).

‍

For more information on how Prove Identity, Inc. uses Cookie Information, please see our Cookie Policy.

‍

3. HOW DO WE PROCESS PERSONAL INFORMATION?
‍
Prove Identity, Inc. may Process your Personal Information to:

Operate, maintain, improve, and provide to you the features and functionality of our Sites and/or Solutions.
Enhance our Sites, as your information helps us to more effectively respond to your customer service requests and support needs.
Contact you, including about the information you have provided through our Sites.
Evaluate you for employment opportunities at Prove Identity, Inc..
Set up and administer accounts for our Sites and/or Solutions.
Process transactions for our Sites and/or Solutions.
Deliver marketing and events communication.
Prevent fraud and abuse using our Solutions.
Enable identity authentication and otherwise operate, maintain, and provide our Sites and/or Solutions.
Perform any other action we may describe when you provide the information.

‍

In cases where our legal basis to Process your Personal Information is based on your consent, that consent may be revoked at any time by contacting us (see Contacting Us). Please note that if you withdraw your consent, we may not be able to provide you with an optimal user experience with our Sites and/or Solutions. We will explain the impact to you at the time to help you with your decision.

‍

4. WHEN DO WE SHARE YOUR PERSONAL INFORMATION?

Prove Identity, Inc. may share Personal Information in the following circumstances:

Vendors and Trusted Sources: We may share your Personal Information with our vendors and Trusted Sources in order to provide Solutions to our Clients, provided such companies protect your Personal Information and only use it for the purposes we specify. If you interact with our Solutions through one of our Clients, please review that Client’s privacy practices and its use of third party service providers.

Clients: We may share Personal Information we receive from our vendors and Trusted Sources with a Client to whom you interact in order to provide Solutions to that Client. We do not share this Personal Information between Clients. Our Clients may have their own privacy policies which govern their use of Personal Information.

Business Transfers: We may share Personal Information with other parties in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company of a third party, or in the event of a bankruptcy or related or similar proceedings.

Legal Requirements: We may share Personal Information with law enforcement, regulatory authorities, courts, and governmental agencies to comply with subpoenas or other legal orders, legal or regulatory requirements, and government requests. We may also disclose Personal Information in order to verify or enforce compliance with other agreements or policies governing the Sites or Solutions, applicable laws, rules, and regulations, or whenever we believe disclosure is necessary to limit our legal liability or to protect or enforce the rights, interests, or safety of the Sites, Solutions, consumers, or other third parties. We reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.

We may also share Personal Information with others in an aggregated or otherwise anonymized form that does not reasonably identify you directly as an individual.

‍

5. HOW DO WE RESPOND TO “DO NOT TRACK” SIGNALS?
‍
Prove Identity, Inc. may, and Prove Identity, Inc. may allow our vendors and other third parties to, use cookies or other technologies on our Sites or in our Solutions that collect information about your browsing activities over time and across different websites following your use of the Sites or Solutions. We currently do not respond to “Do Not Track” (DNT) signals and operate as described in this Policy whether or not a DNT signal is received.

‍

6. ONLINE ADVERTISING
‍
Prove Identity, Inc. may permit third party online advertising networks, social media companies, and other third party services to collect Personal Information through cookies and similar Tracking Technologies related to your visit to our Sites so that they may play or display ads that may be relevant to your interests on our Sites as well as on other websites or apps, or on other devices you may use. This information may also be used to make the advertisements you see online more relevant to your interests. For example, Prove Identity, Inc. or a third party may utilize certain forms of display advertising and other advanced features through Google Analytics, such as Remarketing with Google Analytics, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. These features enable us to use first-party cookies (e.g., Google Analytics cookie) and third party cookies (e.g., DoubleClick advertising cookie) or other third party cookies together to inform, optimize, and display ads based on your past visits to the Sites. To learn more about interest-based advertising and how you may be able to opt-out of some of this advertising, you may visit the Network Advertising Initiative’s online resources at http://www.networkadvertising.org/choices, and/or the Digital Advertising Alliance’s resources at https://optout.aboutads.info/. You may also control your advertising preferences or opt-out of certain Google advertising Solutions by visiting the Google Ads Preferences Manager, available at https://google.com/ads/preferences/ as of the effective date of this Policy.

‍

7. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
‍
Keeping information safe. Prove Identity, Inc. maintains reasonable administrative, technical, and physical security measures to protect your Personal Information, including unauthorized access and use. However, no security system is impenetrable. In the event that any Personal Information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised, and take other steps, in accordance with any applicable laws and regulations. In the event Personal Information in our possession is affected by a security event, we will notify our Clients (and where appropriate, consumers directly) in accordance with our contractual obligations and applicable law.

Data retention. We may retain your Personal Information as long as appropriate for business purposes, unless we are required by law, regulation or for litigation and regulatory investigations to keep it for longer periods of time. Any Personal Information that we have acquired, either directly or from third parties, and that is no longer needed for any business or record-keeping purposes, is disposed of securely and in compliance with established best practices for secure data destruction and/or de-identification. Personal Information that we have processed on behalf of our Clients may be retained, stored, and deleted but only in accordance with our contractual obligations and in compliance with applicable law.

‍

8. LINKS TO OTHER WEBSITES
‍
Our Sites may contain links to other websites not operated or controlled by us (“Third Party Sites”), including social media websites which are not Prove Identity, Inc.-branded and other services. Personal Information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Policy. By providing Third Party Site links on our Sites, Prove Identity, Inc. does not imply that we endorse or have reviewed the privacy policies of these sites. Please contact the Third Party Sites directly for information on their privacy policies and practices.

‍

9. CHILDREN
‍
Prove Identity, Inc. does not knowingly collect Personal Information from children under the age of 13. If you have reason to believe that a child under the age of 13 has provided Personal Information to Prove Identity, Inc. through the Sites or Solutions, please contact us at privacy@prove.com and we will endeavor to delete that information from our databases.

‍

10. INTERNATIONAL TRANSFERS

Personal Information received on behalf of Clients for the United States market is processed on servers located in the United States. Personal information received on behalf of Clients based or servicing primarily the European Economic Area countries are processed on servers based in Europe. Your Personal Information, if stored, may also be transferred to locations outside Europe from vendors or Trusted Sources we use.

Prove Identity, Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension to the EU-U.S. DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), as administered by the U.S. Department of Commerce and is committed to upholding the rights of EU, UK and Swiss Individuals.

‍

Prove Identity, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the Processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

‍

Prove Identity, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the Processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

‍

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

‍

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Prove Identity, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

‍

Where we transfer your Personal Information outside Europe, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the information. This can be done in a number of different ways, for instance:

The country to which we send the Personal Information may be approved by the European Commission; or
The recipient may have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

‍

In other circumstances, the law may permit us to otherwise transfer your Personal Information outside Europe. In all cases, however, any transfer of your Personal Information will be compliant with applicable data protection law.

‍

In the event your Personal Information is transferred to a third-party under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Prove Identity, Inc. shall remain liable if a third-party acting as an agent on our behalf processes your Personal Information in a manner that is inconsistent with the DPF Principles, unless we are able to prove that we are not responsible for the event giving rise to the damage.

‍

You can request more details of the protection given to your Personal Information when it is transferred outside Europe (including a sample copy of the model contractual clauses) by using the details set out below in the “Contacting Us” section.

‍

If you are an EU, UK or Swiss individual, please see the “Your Rights under European Data Protection Laws” section below for more information about the rights available to you.

‍

11. YOUR US STATE PRIVACY RIGHTS

Several US states have enacted comprehensive privacy laws that grant you certain rights in relation to our Processing of your Personal Information. These laws include:

The California Consumer Privacy Act (effective January 1, 2020), as amended by the California Privacy Rights Act (effective January 1, 2023).
The Colorado Privacy Act (effective July 1, 2023).
The Connecticut Personal Data Privacy and Online Monitoring Act (effective July 1, 2023).
The Indiana Consumer Data Protection Act (effective January 1, 2026).
The Iowa Consumer Data Protection Act (effective January 1, 2025).
The Montana Consumer Data Privacy Act (effective October 1, 2024).
The Oregon Consumer Privacy Act (effective July 1, 2024).
The Tennessee Information Protection Act (effective July 1, 2025).
The Texas Data Privacy and Security Act (effective July 1, 2024).
The Utah Consumer Privacy Act (effective December 31, 2023).
The Virginia Consumer Data Protection Act (effective January 1, 2023).

‍

Prove Identity, Inc. complies with all US state privacy laws currently in effect and continually monitors ongoing developments.

‍

If you wish to exercise any of these rights, please contact us as set out in Section 14 (Contacting Us) of this Policy.
‍

‍

12. YOUR RIGHTS UNDER EUROPEAN DATA PROTECTION LAWS

‍

Under European Data Protection Laws, Prove Identity, Inc. may be considered a controller and/or a processor depending on the nature of the transaction.

Legal Basis for Processing under GDPR: Under European Data Protection Laws, Prove Identity, Inc. may process your personal data (as defined under applicable laws) if necessary:

For the performance of any contractual relationship we have with you;

For compliance with any legal obligation; and
For the purposes of Prove Identity, Inc.’s, our Client’s, or Trusted Sources’ legitimate interests in connection with providing our Solutions or with respect to our Sites, including:

user registration/authentication and providing client services;
to contact you and respond to your requests and enquiries;
for business administration, including statistical analysis;
to provide the Sites as well as our Solutions;
for fraud prevention and detection; and
to comply with applicable laws, regulations, or codes of practices.

Prove Identity, Inc. may also process personal data on the basis of your freely given, specific, informed, and unambiguous consent. You are legally entitled to withdraw your consent at any time. If you do this and we have no alternative legal basis for processing your personal data, this may affect our ability to provide you with rights to use the Sites as well as our Solutions.

We may store personal data for as long as necessary to fulfill the purposes for which we process the data, except if required otherwise by law.

Special Categories of Data: Certain Prove Identity, Inc. Solutions may collect, store, process, and transmit biometric data (e.g., data related to human gait) to the extent legally permitted under European Data Protection Laws for the provision of such Solutions.

Prove Identity, Inc. does not directly or intentionally collect, store, process, and transmit any of the other following special categories of personal data as defined by European Data Protection Laws:

Racial or ethnic origin
Political opinions
Religious, philosophical beliefs, or other beliefs of a similar nature
Trade union membership
Physical or mental health or condition
Sex life and sexual orientation
Genetic data
Data on criminal convictions

Specific Rights under European Data Protection Laws: If European Data Protection Laws, including but not limited to the UK GDPR, the EU GDPR and the Swiss Data Protection Act, are applicable to you, you may have the following rights in respect of your personal data that we hold:

Right to object. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. YOU CAN OBJECT TO MARKETING ACTIVITIES FOR ANY REASON WHATSOEVER.

Right of access. The right to obtain access to your personal data in a common machine-readable format. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.

Right to rectification. The right to obtain rectification of your personal data without undue delay where that personal data is inaccurate or incomplete.

Right to erasure. The right to obtain the erasure of your personal data without undue delay in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.

Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal data in certain circumstances, such as where the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of that personal data.

Right to portability. The right to portability allows you to move, copy or transfer personal data easily from one organization to another.

Additionally, you have the right not to be subject to a decision based solely on automated processing, including profiling. Our Solutions are not used by our Clients to determine credit worthiness. Our Solutions are used to assess the probability of you being the person you’re claiming to be and help avoid fraudulent activities. If you interact with our Solutions through one or more of our Clients, please contact that Client directly in order to understand how they use our Solutions within their current processes, contest any decisions they have made based on our processing, and/or verify your identity.

In the instances where we control your data and you wish to exercise any of these rights, you may contact us in writing at the address below or via email at privacy@prove.com at any time, or by using the “Exercise Your Rights” link at the bottom of our website. We will comply with applicable laws, but may not be able to honor your request in all circumstances.

You also have the right to lodge a complaint to your local data protection authority. Further information about how to contact your local data protection authority is available at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Under the EU-U.S. DPF, the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF, you also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanism, provided that you have invoked binding arbitration by delivering notice to us and following the procedures and subject to the conditions set forth in Annex I.

Consequences of Non-Compliance: The GDPR states that penalties for non-compliance with the GDPR must be effective, proportionate, and dissuasive for each individual case. Prove Identity, Inc. understands that GDPR-related fines can be up to 10 million euros or up to 2% of our entire global turnover of the preceding fiscal year, whichever is higher.

Inquiries and Complaints: In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Prove Identity, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact us as set out in Section 14 (Contacting Us) of this Policy.

Enforcement: The Federal Trade Commission has jurisdiction over Prove Identity, Inc.’s compliance the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

‍

13. OTHER GLOBAL PRIVACY LAWS

Many other countries have enacted comprehensive privacy laws that grant you similar rights in relation to how we Process your Personal Information.

Prove Identity, Inc. complies with all applicable legal requirements in a similar manner as required by local law (e.g., data processing agreements, transfer mechanisms, data protection officer requirements, etc.).

If you wish to exercise any of these rights, please contact us as set out in Section 14 (Contacting Us) of this Policy.

‍

14. CHANGES TO OUR PRIVACY POLICY

We reserve the right to change this Policy from time to time in our sole discretion. Since we may modify this Policy from time to time, we recommend that you check the current version of this Policy periodically. If we make any modifications to this Policy, we will update the “Effective Date” at the top. By continuing to use the Sites and Solutions or providing us with information after we have posted any updates to this Policy, you consent to the revised Policy and practices described in it.

To access this policy, please visit https://www.prove.com/legal/overview#Privacy-Policy.

‍

14. CONTACTING US

If you have any questions, comments, requests, or concerns regarding this Policy, or if you wish to file a complaint, please email us at privacy@prove.com, call us using our toll-free number at 888-315-8780, or use the “Exercise Your Rights” link at the bottom of our website. You can also contact Prove Identity, Inc.’s Data Protection Officer by writing to:

Prove Identity, Inc.

Attn: Prove Legal & Compliance Department

245 5th Avenue, 20th Floor

New York, NY 10016

‍

Recruitment Privacy Policy

WHAT DOES THIS PRIVACY POLICY COVER?

This Policy applies when Prove Identity, Inc. is the Controller of your Personal Information. This includes your use of our websites and branded social media pages, as well as when you receive emails, texts, faxes or have other communications with us (collectively, our “Sites”).

Prove Identity, Inc. acts in different roles with respect to your Personal Information depending on the nature of the Processing. This Policy does not apply:

Where Prove Identity, Inc. Processes your Personal Information as a Processor on behalf of our Clients. The Client’s privacy policy (not this Policy) applies when we Process your Personal Information as a Processor on their behalf. Please contact the Client directly if you have concerns about this Processing or which to exercise related privacy rights.
To any Personal Information you post to the public areas of our Sites. This includes, but is not limited to, comments to social media platforms and other public forums. Comments posted to public areas may be viewed, accessed, and used by third parties subject to the privacy practices and policies of the platform and/or foru

Prove Identity, Inc. is not responsible for other Controllers’ Processing activities, including our Clients and other Joint Controllers.
‍

WHAT PERSONAL INFORMATION DO WE COLLECT?

We collect Personal Information that you share with us when you contact us or interact with us through our website, email, phone or otherwise. You can decide not to provide certain information, or ask that any information you have previously shared is removed. If you do so, you may not be able to take full advantage of a career at Prove Identity, Inc. and progress an application.

For example, you may provide information to us when in contact about an opportunity to work at Prove Identity, Inc., sharing a CV or Resume or other career information.

Through these interactions you may share with us: your name, address, email address, postal address, contact number, career history (usually in the form of a CV) as well as any other Personal Information you include in your interactions with us. We may also ask for additional information to assist us with our recruitment process and in the event you are offered a job.

Collection and Use of Sensitive Personal Information

The following Sensitive Personal Information may be considered sensitive under the laws of your jurisdiction and may receive special protection:

Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data.
Data concerning health.
Data concerning sex life or sexual orientation.
Data relating to criminal convictions or offences.

We may collect and process the following Sensitive Personal Information when you voluntarily provide them, or we receive them from a third party with your consent, when relevant for a particular position to carry out our obligations under employment law, or as applicable law otherwise permits:

Physical or mental health condition or disability status to determine appropriate workplace accommodations and evaluate fitness for a particular position.
Race or ethnic origin to comply with statutory obligations.
Previous criminal charges or convictions where relevant for the position.

Where we have a legitimate need to process Sensitive Personal Information about you for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your prior, express consent.

‍

HOW DO WE USE YOUR PERSONAL INFORMATION?

If you are applying for a job in the UK or EU, we may share your Personal Information with our Prove Identity, Inc. counterpart in the US. When we make such transfers, we do so in accordance with data protection legislation, for example by using the EU-US Data Privacy Framework and/or Standard Contractual Clauses where information is transferred from Prove Identity, Inc. Identity, Inc. in the UK or Ireland to Prove Identity, Inc. Identity, Inc. in the US.

By submitting your information, you agree to us transferring, storing and handling your Personal Information in this way.

We share your Personal Information with certain third parties who provide services on our behalf. They only have access to the Personal Information they need to perform those services. They are required to keep your Personal Information confidential and may not use it other than as we ask them to and always in accordance with this privacy policy.

We use the Personal Information you share with us in the following ways:

To communicate with you;
To provide you with updates about your application;
To provide services and support for any application you make;
To facilitate any application you make to Prove Identity, Inc.;
To provide updates to you about any changes to Prove Identity, Inc.’s policies, terms and conditions and any other matters which we may need to tell you;
If you have asked us to keep you informed of other opportunities at Prove Identity, Inc., we may periodically contact you to tell you about these; and
To respond to your queries and requests.

We are required by law to state a “legal basis for processing” i.e., to tell you on what grounds we are allowed to use your information. To assess your suitability for a role or process and consider your job application, we rely upon legitimate interests for the processing of your personal information as described above.
‍
We may share your Personal Information with the following third parties:

Affiliates and subsidiaries
Service providers for example, headhunters, vendors for screening and background checks, third-party benefit providers, payroll vendors etc.
Professional service firms such as auditors and legal counsel
Persons involved in mergers and acquisitions
Government such as federal agencies, courts and other government authorities as required by law.

‍

LINKS TO OTHER WEBSITES

Our Sites may contain links to other websites not operated or controlled by us (“Third Party Sites”), including social media websites which are not Prove Identity, Inc.-branded and other services. Personal Information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Policy. By providing Third Party Site links on our Sites, Prove Identity, Inc. does not imply that we endorse or have reviewed the privacy policies of these sites. Please contact the Third Party Sites directly for information on their privacy policies and practices.
‍

HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

Keeping information safe. Prove Identity, Inc. maintains reasonable administrative, technical, and physical security measures to protect your Personal Information, including unauthorized access and use. However, no security system is impenetrable. In the event that any Personal Information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised, and take other steps, in accordance with any applicable laws and regulations. In the event Personal Information in our possession is affected by a security event, we will notify our Clients (and where appropriate, consumers directly) in accordance with our contractual obligations and applicable law.

‍

Data retention. We will retain your Personal Information for as long as needed for the purposes for which it was collected. If we do not employ you, we may retain your Personal Information for up to 2 years for legal, analytical and system administration purposes and to consider you for potential job roles. If you are successful in your application, we will retain your information in accordance with our Prove Personnel Privacy Policy. A copy of this policy will be provided to you upon joining Prove.
‍

INFORMING US OF CHANGES

If you have previously applied to a job at Prove Identity, Inc. and would like to request that we update or delete the information that we hold about you, or would like a copy of that information, please send your name and email address to careers@prove.com.
‍

CROSS-BORDER DATA TRANSFERS

For applicants outside the United States, where permitted by applicable law, we may transfer your Personal Information we to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country for the purposes set out in this Privacy Notice.

Prove Identity, Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK Extension to the EU-U.S. DPF”) as administered by the U.S. Department of Commerce.

‍

Prove Identity, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the Processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

‍

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

‍

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Prove Identity, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.
‍

The country to which we send the Personal Information may be approved by the European Commission; or
The recipient may have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal information.

‍

In the event your Personal Information is transferred to a third-party under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Prove Identity, Inc. shall remain liable if a third-party acting as an agent on our behalf processes your Personal Information in a manner that is inconsistent with the DPF Principles, unless we are able to prove that we are not responsible for the event giving rise to the damage.

‍

YOUR STATE PRIVACY RIGHTS

You have rights when it comes to how their Personal Information is handled. These rights may vary depending on the applicable jurisdiction, but may include:

The right to know: some text
- what Personal Information the Company maintains about you; and/or
- anyone with whom the Company has shared your Personal Information.
The right to access or correct your Personal Information, including obtaining the specific pieces of information we collected from you.
A right to delete your Personal Information, subject to limitations imposed by applicable law.
A right to opt-out of the sale of your Personal Information.
A right to opt-out of the use of your Personal Information for targeted advertising or marketing purposes.
A right to limit or consent to certain Sensitive Personal Information uses or disclosures.

To exercise these rights, please contact Prove Identity, Inc.’s Privacy Team at privacy@prove.com or by filling out an online request via the “Exercise Your Rights” page on Prove Identity, Inc.’s website.

‍

When exercising these rights, please note that we may request specific information from you to verify your identity.

‍

There may be instances where applicable law or regulatory requirements allow or require us to refuse to provide or delete some or all the Personal Information that we hold about you. We will inform you if we are unable to comply with your request and the reasons why we are unable to comply.

‍

YOUR RIGHTS UNDER EUROPEAN DATA PROTECTION LAWS

‍

Under European Data Protection Laws, Prove Identity, Inc. may be considered a controller and/or a processor depending on the nature of the transaction.

‍

Legal Basis for Processing under GDPR: Under European Data Protection Laws, Prove Identity, Inc. may process your personal data (as defined under applicable laws) if necessary:

For the performance of any contractual relationship we have with you;

For compliance with any legal obligation; and
For the purposes of Prove Identity, Inc.’s, our Client’s, or Trusted Sources’ legitimate interests in connection with providing our Solutions or with respect to our Sites, including:

user registration/authentication and providing client services;
to contact you and respond to your requests and enquiries;
for business administration, including statistical analysis;
to provide the Sites as well as our Solutions;
for fraud prevention and detection; and
to comply with applicable laws, regulations, or codes of practices.

‍

We may store personal data for as long as necessary to fulfill the purposes for which we process the data, except if required otherwise by law.

‍

Racial or ethnic origin
Political opinions
Religious, philosophical beliefs, or other beliefs of a similar nature
Trade union membership
Physical or mental health or condition
Sex life and sexual orientation
Genetic data
Data on criminal convictions

Specific Rights under European Data Protection Laws: If European Data Protection Laws, including but not limited to the UK GDPR and the EU GDPR, are applicable to you, you may have the following rights in respect of your personal data that we hold:

Right to object. You have a right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. YOU CAN OBJECT TO MARKETING ACTIVITIES FOR ANY REASON WHATSOEVER.

Right of access. The right to obtain access to your personal data in a common machine-readable format. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.

Right to rectification. The right to obtain rectification of your personal data without undue delay where that personal data is inaccurate or incomplete.

Right to erasure. The right to obtain the erasure of your personal data without undue delay in certain circumstances, such as where the personal data is no longer necessary in relation to the purposes for which it was collected or processed.

Right to restriction. The right to obtain the restriction of the processing undertaken by us on your personal data in certain circumstances, such as where the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of that personal data.

Right to portability. The right to portability allows you to move, copy or transfer personal data easily from one organization to another.

Additionally, you have the right not to be subject to a decision based solely on automated processing, including profiling.

‍

Under the EU-U.S. DPF and the UK extension to the EU-U.S. DPF, you also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanism, provided that you have invoked binding arbitration by delivering notice to us and following the procedures and subject to the conditions set forth in Annex I.

‍

Inquiries and Complaints: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Prove Identity, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your human resources personal data. EU and UK individuals with inquiries or complaints regarding our handling of human resources personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact us as set out in Section 14 (Contacting Us) of this Policy.

‍

Enforcement: The Federal Trade Commission has jurisdiction over Prove Identity, Inc.’s compliance the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

‍

CHANGES TO OUR PRIVACY POLICY

We reserve the right to change this Policy from time to time in our sole discretion. Since we may modify this Policy from time to time, we recommend that you check the current version of this Policy periodically. If we make any modifications to this Policy, we will update the “Effective Date” at the top. By continuing to use the Sites and Solutions or providing us with information after we have posted any updates to this Policy, you consent to the revised Policy and practices described in it.

To access this policy, please visit https://www.prove.com/legal/overview#Privacy-Policy.

‍

CONTACTING US

If you have any questions, comments, requests, or concerns regarding this Policy, or if you wish to file a complaint, please email us at privacy@prove.com, call us using our toll-free number at 888-315-8780, or use the “Exercise Your Rights” link at the bottom of our website. You can also contact Prove Identity, Inc.’s Data Protection Officer by writing to:

‍

Prove Identity, Inc.

Attn: Prove Legal & Compliance Department

245 5th Avenue, 20th Floor

New York, NY 10016

‍

POLAND RECRUITMENT STATEMENT

‍

This statement only applies to applicants that are located in Poland.

‍

The Requirement of Providing Personal Data

‍

To consider you in the recruitment process, we need the following information from you:

Name (names) and surname
Date of birth
Preferred contact details
Information about education, professional qualifications, previous work experience (for positions where it is needed to confirm competences and experience).

‍

Giving the Personal Data listed above is voluntary, but necessary in the recruitment process. Providing additional Personal Data is optional.

‍

How Will We Use Your Personal Data in the Recruitment Process?

‍

We will collect and process your Personal Data to:

Consider you as a candidate in the recruitment process to Prove Identity, Inc. Identity, Inc.
Inform you via your indicated method of contact about the phases of the recruitment process you participate in
Invite you to take part in the recruitment tasks needed to assess your skills
Provide you with feedback during and after the recruitment process
With your consent, inform you about future recruitment processes for positions that meet your qualifications
We may also process your contact data to establish, exercise or defend legal claims arising with relation to the recruitment process.

‍

How Long Will We Keep Your Personal Data?

‍

The Personal Data that we collect about you in the recruitment process will be stored for the purposes related with that process, for no longer than 12 months after your application has been rejected.

‍

If you give consent for your Personal Data to be used for future recruitment processes (as mentioned above), during the 12 months, your Personal Information will be used for that purpose as well.

‍

To enable us to establish, exercise or defend legal claims arising with relation to the recruitment process, we will process your Personal Data for a period during which such claims can be raised and pursued.

‍

The Recipients of Your Personal Data

‍

The recipients of your Personal Data will be representatives and HR officers of Prove Identity, Inc.. Within those companies, information is transferred for internal administrative purposes.

‍

As part of the processing, Personal Data will be transferred to entities who have their registered offices outside of the EU, including the UK and the US. Where these transfers occur, we ensure appropriate safeguards are in place to protect the transfer. These include the EU-US Data Privacy Framework, the EU’s Standard Contractual Clauses and the UK’s International Data Transfer Addendum. Transfers are only made to countries where data subject rights are enforceable and effective legal remedies are available to you.

‍

Legal bases for Processing Your Personal Data

‍

Your Personal Data (as listed above) will be processed for current recruitment processes based on article 6(1)(b), 6(1)(c) GDPR and article 22(1) of the Labor Code. Additional information such as contact details can be processed based on consent (article 6(1)(a) GDPR) that can be withdrawn.

‍

Prove Identity, Inc. will also process your Personal Data for future recruitment processes if you give your consent (article 6(1)(1) GDPR and art.22(1) §1 of the Labor Code), that can be withdrawn at any time. Giving consent is voluntary and withdrawing it will not affect current the recruitment process.

‍

If there is information in the documents that is mentioned in article 9 GDPR, it is necessary for you to give consent to the processing of that information (article 9(2)(a) GDPR and art.22(1) §1 of the Labor Code) that can be withdrawn at any time.

‍

Labor law regulations: Labor Code art. 22 and Labors Minister and Social Policy §1 decree from May 28th1996 on the scope of keeping documentation by employers in matters related to the employment relationship and the manner of keeping personal files of an employee.

‍

Processing your Personal Data to establish, exercise or defend legal claims arising with relation to the recruitment process is based on legitimate interests pursued by Prove.

‍

Rights of Data Subjects

‍

You have the right to:

Access your Personal Data and receive a copy of it
Correct your Personal Data
Limit the processing of your Personal Information
Delete Personal Data
Submit a complaint to local Authorities (Urząd Ochrony Danych Osobowych; address 2 Stawki street, 00-193 Warsaw)

‍

CALIFORNIA PRIVACY STATEMENT

‍

Prove Identity, Inc. will collect and use your Personal Information, including Sensitive Personal Information (which may be held on paper, electronically or otherwise) about applicants for roles in our business. We are committed to properly handling the Personal Information collected or processed, in accordance with the California Privacy Rights Act (CPRA) and other applicable data protection laws.

‍

This Notice serves as our “Notice at Collection” under the CPRA.

‍

Categories of Personal Information We Collect

‍

We may collect the following categories of Personal Information and Sensitive Personal Information:

‍

Personal Identifiers: such as name, home address, phone number, email, passport number, driver’s license number, date of birth, signature, education, bank account details, medical information, health insurance information and unique personal identifiers (such as cookies and similar technologies).
Personal Information protected under California Civil Code Section 1798.80(e): such as information about your age, race, ethnicity, marital status, sex and gender.
California Customer Records employment and personal information: such as your name, signature, Social Security number, physical characteristics or description, photograph, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, current employment, employment history, membership in professional organizations, licenses and certifications, bank account number, credit card number, debit card number, or any other financial, medical or health insurance information.
Professional or employment related information: such as work history, academic and professional qualifications, educational records, references, and interview notes, background check, work authorization, performance and disciplinary records, salary, bonus, and other similar compensation data, and claims information, leave of absence information including religious, military and family obligations, health data concerning employee and their family members.
Education information: such as academic background, transcripts, accreditations and awards, and training.
Inferences taken from other personal information, including information to create a profile: such as information that refer to things such as your characteristics, behaviors, and abilities.
Sensitive Personal Information, as defined in the CPRA: such as driver’s license, passport information, bank account details, precise geolocation information, or information about your race, sexual orientation, health, or ethnic origin.
Other Personal Information: we may also collect information related to your job interviews, our background screening, or any other information you provide when applying for a job with us.

‍

Please note, we do not use your Sensitive Personal Information for any other purpose other than those outlined below that would permit you to limit the use of such information.

‍

Sources of Personal Information

‍

We will collect Personal Information directly from you during your application process or when you otherwise contact us. In most instances, you are required to provide your Personal Information for the recruitment process. Where the provision of your Personal Information is optional, we will inform you accordingly.

‍

We may combine the Personal Information you provide with information we collect from other sources, such as:

Recruitment partners
Academic institutions
Social media platforms or publicly accessible sources (e.g., Twitter, Facebook, LinkedIn)
Previous employers
Pre-employment screening and background check vendors
Other sources as directed by you for example, accreditation boards etc.

‍

Business Purposes for Collecting Personal Information

‍

We process the categories of Personal Information listed above for the following purposes:

Recruiting our employees. We use your Personal Information to manage the recruitment process which includes reviewing your job application, assessing your academic and professional background, and arrange and conduct interviews.
Conducting screening and background checks. Where you are successful in the recruitment process, we use your Personal Information for screening and background checks.
Equal opportunities legislation. We may process your Personal Information to monitor and report on our progress in promoting equal opportunities and compliance with equal opportunities legislation.
Complying with legislation. We use your Personal Information to comply with applicable laws, respond to legal orders, resolve legal disputes, action our rights in applicable employment or related contracts, and adhere to legal and regulatory requirements.
Our vital interests. We use your Personal Information to protect our vital interests by undertaking internal investigations, detect or prevent fraud or security incidents, protect our employees’ rights and safety, manage whistleblowing cases, and adhere to our company policies.

‍

Disclosure of Personal Information

‍

We may share your Personal Information with the following third parties:

Affiliates and subsidiaries
Service providers for example, headhunters, vendors for screening and background checks, third-party benefit providers, payroll vendors etc.
Professional service firms such as auditors and legal counsel
Persons involved in mergers and acquisitions
Government such as federal agencies, courts and other government authorities as required by law.

‍

Selling of Personal Information

‍

We will not sell the Personal Information, including any sensitive personal information, we collect about our employees or applicants for employment or share it with third parties for cross-context behavioral advertising.

‍

Purpose Limitation

‍

We will only process your Personal Information for the purposes outlined above.

‍

Data Minimization

‍

Your Personal Information will only be processed to the extent it is necessary for the purposes outlined to you.

‍

Protecting your Personal Information

‍

Keeping information safe. Prove Identity, Inc. maintains reasonable administrative, technical, and physical security measures to protect your Personal Information, including unauthorized access and use. However, no security system is impenetrable. In the event that any Personal Information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and, where appropriate, notify those individuals whose information may have been compromised, and take other steps, in accordance with any applicable laws and regulations. In the event Personal Information in our possession is affected by a security event, we will notify our Clients (and where appropriate, consumers directly) in accordance with our contractual obligations and applicable law.

‍

Your Rights

‍

The CPRA provides you with certain rights in relation to your Personal Information. These include:

The right to know: some text
- what Personal Information we have collected about you;
- anyone from whom we have collected your Personal Information from;
- the business purpose for collecting or disclosing your Personal Information; and/or
- anyone with whom we have shared your Personal Information with
The right to correct: the right to amend or correct your Personal Information
The right to delete: the right to delete your Personal Information, subject to limitations imposed by applicable law.
The right to non-discrimination: you have the right to not be discriminated against for exercising any of the rights outlined above, including the right to not be retaliated against in an employment setting

‍

When exercising these rights, please note that we may request specific information from you to verify your identity.

‍

Contacting Us

If you have any questions, comments, requests, or concerns regarding this Policy, or if you wish to file a complaint, please email us at privacy@prove.com, call us using our toll-free number at 888-315-8780, or use the “Exercise Your Rights” link at the bottom of our website. Prove's Data Protection Officer is Dayna Myers. You can also contact Prove Identity, Inc.’s Data Protection Officer by reaching out to DPO@prove.om or by writing to:

‍Prove Identity, Inc.‍

‍Attn: DPO - Prove Legal & Compliance Department‍

‍245 5th Avenue, 20th Floor

‍‍New York, NY 10016

‍

End User Terms & Conditions

Version 1.1 - Effective March 6, 2023

‍

Prove Identity, Inc. (hereinafter “Prove”, “we”, "our”, or “us”) provides digital identity verification and authentication products and services (our “Solutions”) which are designed to help prevent fraudulent transactions on behalf of our business clients and individuals like you (the “end user”, “consumer”, “you”, or “yourself”) when you interact online, such as when accessing mobile applications, logging into online accounts, or making digital payments. Our Solutions require the processing of information that either alone, or in combination with other information, can be used to identify you, including, without limitation, your first and last name, residential or mailing address, phone number, social security number or other government-issued number, date of birth, biometric data, IP address, or other data that is personally identifiable as defined under other applicable privacy and data protection laws (your “Personal Information”). These End User Terms & Conditions (our “Terms”) aim to help you understand how we collect, use, and share your Personal Information to develop, provide, improve, and protect our Solutions, and as otherwise outlined herein.

Please note that these Terms do not detail what our Clients do with your Personal Information when using our Solutions. For more information on how our Clients use your Personal Information for this type of processing, please contact the third party directly. For more information on Prove’s commitment to end user privacy and data protection practices, please review our Privacy Policy.

Our Goal

End user privacy, data protection, and transparency are very important to us. The goal of these Terms is to (i) clearly outline what Personal Information we collect from and about end users like you, and (ii) explain how we use, share, and treat that information for the purposes of (a) preventing fraud for third party application developers (our “Clients”) and (b) creating and maintaining Prove-managed, tokenized digital identities that power and inform our Solutions.

‍

Information We Collect and Categories of Sources

Prove may collect and further process the Personal Information you provide while using our Clients’ applications that integrate our Solutions to help verify your identity and/or authenticate you into our Clients’ applications or platforms in real-time. When you provide this information to access an online platform or perform an online transaction, you give us the identifiers on your behalf for future fraud detection and prevention purposes.

Depending on the Solutions you’re interacting with, Prove may collect and further process one or more of the following categories of information:

Identifiers that you provide to our Client directly, such as phone number and email address
Inferences that we have derived from the information we have collected, such as your location from your phone number and device IP address

Identifiers: Information You Provide

You share, or you authorize our Client to share, your Personal Information with Prove for the purpose of us verifying your identity and/or authenticating you into the Client application or platform (“Identifiers”). This may include Personal Information such as name, address, date of birth, phone number, social security number, and email address.

You authorize Prove to collect and further process those same Identifiers in order to create and maintain secure, tokenized digital identities that can be used during your future online transactions with Client and other third parties to help prevent identity theft and fraudulent transactions. ‘

Inferences: Information We Receive From Your Devices and/or Your Mobile Provider

You authorize Prove to collect and further process other device data when you use your device to connect our services through a Client’s application, such as IP address, that allows us to infer things about you such as location (“Inference Data”).

You authorize your wireless carrier to use or disclose information about your account and your wireless device, if available, to Prove and/or its service provider(s) for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud. This may include Inference Data. See our Privacy Policy for how we treat your data.

‍

How We Use Your Personal Information

We use your Personal Information, including Identifiers and Inference Data, for one or more of the following business purposes:

Provide Solutions: To operate, provide, and maintain our Solutions.
Develop Existing Solutions: To improve, enhance, modify, add to, and further develop our Solutions.
Protect Your Security and Privacy: To help protect you, our Clients, our partners, Prove, and others from fraud, malicious activity, and other privacy and security-related concerns.
Develop New Solutions: To develop new products and services.
Provide Support: To provide customer support to you or to our Clients, including to help respond to your inquiries related to our Solutions or developers’ applications.
For Legal Purposes: To comply with contractual or legal obligations under applicable law and for other legal purposes such as to establish and defend against claims.
With Your Consent: For other purposes with your consent or by your direction.

‍

When We Share Your Personal Information

We may share your Personal Information with certain third parties (i.e., Clients, data partners, and other subprocessors) for the purposes outlined below so long as the third party provides at least the same level of data protection as Prove does and only uses your Personal Information for permitted purposes stipulated in our applicable agreements limited to identity verification, user authentication, and fraud prevention:

Vendors: To provide our Solutions, provided such companies protect your information and only use it for the purposes we specify.

Business Transfers: We may share your Personal Information with other parties in connection with a company transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company of a third party, or in the event of a bankruptcy or related or similar proceedings.

Legal Requirements: We may share your Personal Information with law enforcement, regulatory authorities, courts, and governmental agencies to comply with subpoenas or other legal orders, legal or regulatory requirements, and government requests. We may also disclose Personal Information to verify or enforce compliance with other agreements or policies governing our Solutions, applicable laws, rules, and regulations, or whenever we believe disclosure is necessary to limit our legal liability or to protect or enforce the rights, interests, or safety of the Solutions, end users, or other third parties. We reserve the right to report to law enforcement agencies any activities that we, in good faith, believe to be unlawful.

We may also share your Personal Information with others in an aggregated or otherwise anonymized form that does not reasonably identify you directly as an individual.

‍

How We Protect Personal Information

Keeping Personal Information Secure. Prove maintains appropriate administrative, technical, and physical security measures to protect your Personal Information, including controls that prevent the unauthorized access and use of such data. Prove’s Information Security Program aligns with security standards such as NIST 800-53 and industry best practices, and has been reviewed by accredited third party auditors.

Data Retention. We retain Personal Information for no longer than necessary to fulfil the purposes for which it was collected and used, as described in these Terms, unless we are required by law, regulation or for litigation and regulatory investigations to keep it for longer periods of time.

Please see the ‘Exercise Your Rights’ section of these Terms for more information on the options that are available to you, including the right to request deletion of Personal Information.

‍

International Data Transfers

Prove’s global headquarters are in the United States but we have affiliates and vendors that operate around the world to provide our Solutions. Where we transfer your Personal Information to a country that does not provide adequate data protection legislation, we will ensure that it is protected and transferred in a manner consistent with legal requirements applicable to the jurisdiction and classification of information, such as with the EU’s Standard Contractual Clauses.

‍

Consumer Privacy Rights (United States)

Several US states have enacted privacy and data protection-related statutes that grant you certain rights in connection with your Personal Information. Your state of residence will determine which rights are available to you. The following section references a sampling of those rights:

‍

California End User Rights

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with certain rights with regards to your Personal Information:

Right to know. The right to know what Personal Information we have collected, sold, or disclosed about you over the past 12 months.
Right to delete. The right to request that we delete any Personal Information we’ve collected about you (subject to certain exceptions).
Right to opt out of sale. The right to opt out of the (i) sale of your Personal Information and (ii) sharing of your Personal Information for cross-context behavioral advertising.
Right to correction. The right to correct inaccurate Personal Information we maintain about you.
Right to portability. The right to portability allows you to easily move, copy, or transfer your Personal Information from one organization to another.
Right to limit the use of sensitive personal information. The right to limit the use of your Sensitive Personal Information (as defined in the statute) to specifically permitted purposes.

You may make an opt-out or related request by contacting us using the contact information in Section 13 below or clicking the “Do Not Sell My Personal Information” link at the bottom of Prove’s website.

‍

Colorado End User Rights

If you are a Colorado resident, the Colorado Privacy Act (CPA) provides you with certain rights with regards to your Personal Information:

Right of access. The right to confirm we are processing your Personal Information and to access such Personal Information. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.
Right to correction. The right to correct inaccurate Personal Information.
Right to opt out of sale or targeted advertising. The right to opt out of the sale of your Personal Information or processing of your Personal Information for targeted advertising purposes.
Right to delete. The right to request deletion of your personal information.
Right to portability. The right to portability allows you to easily move, copy, or transfer your Personal Information from one organization to another.
Right to opt out of profiling. The right to opt out of any profiling activity that furthers a decision producing legal or similarly significant effects for the consumer, including automated decisions.

Connecticut End User Rights

If you are a Connecticut resident, the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) provides you with certain rights with regards to your Personal Information:

Right of access. The right to confirm whether we’re processing your Personal Information and to access that Personal Information. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.
Right to correction. The right to correct inaccurate Personal Information about you.
Right to delete. The right to have your personal data deleted from our records once we have received and confirmed your verifiable consumer request.
Right to portability. The right to portability allows you to move, copy or transfer personal data easily from one organization to another.
Right to opt out. The right to opt out of targeted advertising, the sale of your Personal Information, and profiling leading to decisions that will produce significant legal effects for you.

Utah End User Rights

If you are a Utah resident, the Utah Consumer Privacy Act (UCPA) provides you with certain rights with regards to your Personal Information:

Right of access. The right to confirm whether we’re processing your Personal Information iand to access that Personal Information. Please note that the request for additional copies of personal data may result in reasonable fees based on administrative costs.
Right to delete. The right to request deletion of the Personal Information you’ve provided to us.
Right to portability. The right to portability allows you to easily move, copy, or transfer your Personal Information from one organization to another.
Right to opt out. The right to opt out of targeted advertising or the sale of your Personal Information.

Virginia End User Rights

If you are a Virginia resident, the Consumer Data Protection Act (CDPA) provides you with certain rights with regards to your Personal Information:

Right of access. The right to confirm whether we process your Personal Information and to access that Personal Information.
Right to correction. The right to correct inaccuracies in your Personal Information.
Right to delete. The right to request deletion of Personal Information provided by or obtained about you.
Right to portability. The right to obtain a copy of your Personal Information for transmission to another organization.
Right to opt out. The right to opt out of targeted advertising, the sale of Personal Information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

Exercising Your Rights

If you wish to exercise any of the rights listed above, you may contact us in writing at the address above or via email at privacy@prove.com at any time, or by visiting the “Exercise Your Rights” page at the bottom of our website. We will comply with applicable laws but may not be able to honor your request in all circumstances.

‍

Exercise Your Rights

Updated October 31, 2024

‍

Prove is committed to protecting the privacy rights of consumers. When you digitally interact with companies that are also Prove’s business clients, Prove may be leveraged by those companies to verify your identity and help prevent fraud using your personal information, such as your full name, residential address, email address, mobile telephone number, date of birth, or Social Security Number. Our business clients are responsible for obtaining your consent for and/or giving you legal notice about this processing of your personal information.

Prove uses real-time, secure Application Programming Interface (API) calls to process and protect the personal information transmitted to us from third parties (e.g., our business clients and data partners) as part of our user authentication and identity verification processes. For most of Prove's products and services, Prove does not retain the personal information transmitted to us in real-time by our business clients, but we may retain certain personal data elements from other sources (including consumers directlto help empower our fraud algorithms.

If you are a resident of the European Union (EU) or the United Kingdom (UK), you may have certain rights under the General Data Protection Regulation (“GDPR”) or the UK GDPR to ask Prove to (among other things) rectify inaccurate personal data, erase your personal data, or restrict its processing. Prove will honor these consumer privacy rights, where applicable, as well as similar rights often available for residents of other non-EU countries with data protection and privacy frameworks.
If you are a resident of California, Colorado, Connecticut, Nevada, Utah, Virginia or other jurisdictions in the United States (US), you may be entitled to various consumer privacy rights, such as the right to opt out from having your personal information shared or used.

Prove will not discriminate against you for exercising your consumer privacy rights. However, before submitting a request to Prove directly, we highly recommend that you first contact the third party company you interacted with (e.g., via their website or mobile app) that uses our services. If you come to us first, we may not be able to fully respond to the request without knowing the identity of the third party company given that we may not store the personal information transmitted to us in real-time from our business clients.

If Prove, on its own or in collaboration with any third party company you’ve interacted with that shared your personal information with us, is able to successfully address your consumer privacy request (e.g., delete your personal information), please be aware that your personal information may be processed by Prove again in the future if/when you interact with the same company or a different company that is also a Prove business client and re-accept terms that include this type of processing (i.e., you opt-in or consent to processing your data for fraud-related purposes).

Please also note that in addition to helping protect you against fraud, Prove’s services make it easier and more convenient for you to interact with companies online and when you dial into call centers. For example, instead of having to answer cumbersome security questions or type in pin codes or passcodes (which can be easily intercepted by fraudsters), Prove’s services allow you to be quickly and securely authenticated, enabling you to complete business online and in call centers in a more expeditious manner. By opting out of Prove services, you may lose access to these time-saving and secure benefits.

To exercise your privacy rights, please fill out this form. Once the form has been completed, a member of Prove’s Global Privacy team will begin the process of reviewing your submission and contact you with further details.

‍

General Terms & Conditions

Version 1.1 - Effective March 8, 2023

‍

These General Terms and Conditions (“Agreement”) set forth the relationship between Prove Identity, Inc., a Delaware corporation with its principal offices at 245 Fifth Avenue, 20th Floor, New York, NY 10016 ("Prove”) and the individual party listed on the Portal account that is acknowledging this Agreement ("Developer") on behalf of its employer and/or another bonafide legal entity listed on the Portal account (“Client”).

By accepting this Agreement or accessing Prove’s Portal and/or Solutions, Developer certifies that it has all necessary rights to agree to the terms of this Agreement, including on behalf of Client. Furthermore, Developer represents and warrants that: (i) it has full legal authority to select a Plan and bind Client to the terms of this Agreement; (ii) Developer has read and understands the legal requirements and restrictions outlined in this Agreement; and (iii) Developer agrees to the terms of this Agreement on behalf of Client.

If Developer does not have the legal authority to bind Client to the terms of this Agreement, Developer shall not accept this Agreement or access the features covered by this Agreement.

This Agreement is effective as of the date of Developer’s acknowledgement and, as of that date, Client is considered a party of this Agreement. Prove may update or change the terms of this Agreement at any time at our discretion. If Prove makes any changes deemed to be material in its sole discretion, we will make a reasonable effort to inform you of such change. If you object to a change, your exclusive remedy is to cease any and all access and use of the Portal and Solutions.

DEFINITIONS

“Affiliate” means for any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity.

"Confidential Information" means any confidential and/or proprietary information or data, in any form, format or media, disclosed by, or accessed or obtained from Disclosing Party (and any notes, summaries, memoranda or other derivatives prepared by the Receiving Party to the extent that they reflect or reveal such confidential and/or proprietary information or data, whether or not such confidential and/or proprietary information or data is marked as “confidential,” including, without limitation, (i) information or data that concerns the management, business affairs, relationships, operations, business plans, strategies, forecasts, projects, analyses, pricing, marketing, sales or financials of the Disclosing Party or its customers or vendors; (ii) information or data that concerns the Disclosing Party’s products, services, developments, product concepts, technical and/or platform interfaces, or software (including source and object code); (iii) information or data that concerns the Disclosing Party’s methodologies, techniques, designs, drawings, processes procedures, inventions, know-how, pending patents, or Trade Secrets; (iv) any Response Data or Personal Information obtained by either party as a result of this Agreement; (iv) any information or data the Disclosing Party may designate as being confidential, either orally or in writing; (v) any other information or data which, in the normal course of business, would be considered of a confidential nature; and (vi) any copies of the foregoing.

“Control” means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities (or other ownership interest), by contract or otherwise.

“Documentation” means the online help files and all other documentation and materials including SDKs (in any format or medium) relating to use of the Solutions and made available by Prove and all modifications to such files, documents or materials as may be updated from time to time.

“Intellectual Property Rights” means any and all intellectual property rights and proprietary rights throughout the world and protected under any applicable laws, rules and regulations, whether existing under intellectual property, unfair competition or trade secret laws, or under statute or at common law or equity, including but not limited to: (a) copyrights, trade secrets, trademarks, service marks, trade names, patents, inventions, invention disclosures, know-how, proprietary data and databases, methods, techniques, works of authorship, computer software, systems, change documentation, interfaces, Marks, designs, logos and trade dress, “moral rights,” mask works, rights of personality, publicity or privacy, and any other intellectual property and proprietary rights; and (b) any registration, application or right to apply for any of the rights referred to in this clause, including, any pending registrations or applications; and (c) any and all renewals, extensions and restorations thereof, now or hereafter in force and effect. Furthermore, if alternatively reasonable approaches and/or modifications to methodologies, techniques, design details, drawings, processes and procedures, inventions, know-how, pending patents, information disclosures, and/or other intellectual and/or proprietary property is/are reasonably likely to occur to one of ordinary skill in the relevant art, Intellectual Property Rights includes all those alternatively reasonable approaches and/or modifications unless otherwise expressly indicated.

“Marks” means all trademarks, service marks, trade names and logos and other proprietary designations identifying Prove and its products or services.

“Network” means the servers and other equipment on which Prove hosts Solutions.

“Personnel” means a party’s employees and contractors, and a party’s vendor’s employees and contractors.

“Plan” means the pay-as-you-go per Transaction model for the Solutions published on the Portal.

“Portal” means the webpage where the Developer may access all necessary information related to the Plan, the Documentation and the Solutions on behalf of Client.

“Processing” with reference to Personal Information includes collection, use, analysis, modification, deletion, sale, storage, sharing or transfer of such Personal Information.

"Personal Information" means, in any form, format or media, (i) any information that either alone, or in combination with other data, can be used to identify an individual, including, without limitation, the individual’s name, address, phone number, social security number or other government-issued number, financial account number, date of birth, address, biometric data (including gait analysis), mother’s maiden name, or other personal information; (ii) any information or data that is personally identifiable as defined under other applicable privacy and data protection laws.

“Representatives” means a party’s directors, officers, Affiliates, contractors, consultants, employees, advisors, agents, and any other representatives including legal counsel, accountants, and financial advisors.

“Response Data” means, any information Prove provides to Client and/or Developer in connection with Developer’s or Client’s use of the Solutions with the exception of any information that was initially provided by or on behalf of Client and/or Developer to Prove. Response Data is Prove Confidential Information.

“Security Breach” means (i) any act or omission that compromises the security, confidentiality, availability, and/or integrity of any data or information provided under this Agreement or the physical, technical, administrative or organizational safeguards put in place by Client and/or Developer that relate to the protection of the security, confidentiality or integrity of such data or information provided under this Agreement, or (ii) receipt of a complaint in relation to the privacy, security or data protection practices of Client and/or Developer or a breach or alleged breach of this Agreement relating to Client and/or Developer’s privacy, security and/or data protection practices.

“Solutions” means collectively (i) the access Prove provides Developer on behalf of Client to use the Solutions through the Network, which may include access via Graphical User Interfaces (“GUIs”) and portals and/or platforms; (ii) authentication solutions that interoperate with Client’s internal systems in order to provide user authentication for a mobile device application, website or other online service; (iii) the Solutions including data elements and Response Data, ; and (iv) the Documentation..

“Trade Secret” means information, without regard to form, including, but not limited to a formula, pattern, compilation, program, device, method, technique, process or product plans or product information that derives independent economic value, actual or potential, from not being generally known to or readily ascertainable through appropriate means by other persons who might obtain economic value from its disclosure or use; and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and is information that is considered a Trade Secret under applicable law.

“Transaction” means every inquiry Developer, on behalf of Client, sends to Prove for validation.

‍2. APPOINTMENT AND GRANT OF LICENSE‍

2.1 License.

2.1.1 Grant. Subject to Developer’s continued compliance with all the terms of this Agreement (including all Exhibits attached hereto), Prove hereby grants Client a non-sublicensable, non-transferable, non-exclusive, revocable, restricted license during the Term to (i) access and use the Solutions, including all enhancements, updates and modifications, for Developer’s internal use on behalf of Client, in strict accordance with this Agreement. In no event will Client or Developer reproduce, modify, sell, sublicense or otherwise distribute the Solutions as a standalone product or service.

2.1.2 Source Code. No rights are granted to Developer or Client with respect to source code of any component of the Solutions. For clarity, sample code provided as illustrative examples is provided solely as part of the Documentation and is not itself a component of the Solutions.

2.2 License Restrictions. Except as otherwise permitted under this Agreement, Client will not, and will not permit Developer or any third party to:

(i) share, transfer, resell, bundle, rent, distribute, sublicense, or otherwise make the Solutions or Response Data available except as expressly set forth herein and subject to all the controls and protections set forth herein;

(ii) use the Portal or Solutions to send or store infringing or unlawful material;

(iii) send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs via the Portal or Solutions;

(iv) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Portal or Solutions or the data contained therein;

(v) adapt, modify, translate, copy, disassemble, decompile, reverse engineer, create derivative works of or make any other attempt by any means to discover or obtain the source code or other proprietary information or Response Data;

(vi) access the Portal or Solutions for the purpose of building a competitive product or service or copying its features or user interface for the purpose of reducing the number of transactions under this Agreement;

(vii) use the Portal or Solutions or permit them to be used, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without Prove’s prior written consent;

(viii) use the Response Data for marketing purpose;

(ix) maintain or create any table or database of any kind based on the Response Data for the purpose of avoiding subsequent billable API calls or other service requests to Prove or

(x) use the Portal or Solutions in any way that would violate any applicable federal, state, and local law, court order or regulation.

2.3 Right to Modify Portal or Solutions. Prove may, from time to time in its sole discretion, modify or enhance the Portal, Solutions and/or the Documentation and any such modifications or enhancements provided to Developer hereunder are deemed part of the Portal, Solutions and/or Documentation, as applicable.

2.4 Suspension. Prove, in its sole discretion, may immediately suspend Developer’s and Client’s right to access and use some or all of the Portal, Solutions, or Response Data if it believes that Client, or Developer on behalf of Client, has i) used the Portal, Solutions or Response Data in an illegal manner, ii) if Developer breaches Sections 6.1 and 6.2 of this Agreement, iii) if Prove reasonably believes that Developer’s or Client’s use of the Solutions is in violation of the license restrictions set forth in Section 2.1 or 2.2 above or iv) if Client has suffered a Security Breach.

2.5 Reporting by Prove. Developer, on behalf of Client, authorizes Prove to collect, store, host, access, use, reproduce and modify, during and after the Term, any and all data, inputs, responses and other information concerning Client and Developer’s use of the Solutions (i) bill Developer for its use of the Solutions (ii) prepare reports for Prove’s internal use, (iii) verify Developer’s compliance with the terms of this Agreement, (iv) perform or enforce its obligations under this Agreement, and (v) conduct data and usage analytics, parsing routes, data modeling and other analyses as deemed necessary by Prove to test, evaluate, develop and enhance Prove’s Solutions, including the creation and management of consumer-based, tokenized digital identities (with the legal consent of each individual consumer which may be collected by Prove directly through the Solutions). In addition, Prove may provide such data, inputs and information on a confidential basis to its technology partners and Affiliates for the purposes described in this Section 2.5.

2.6 Automated Services. Prove may from time to time provide Developer and/or Client with access to a chatbot, artificial intelligence search, or other automated service (“Automated Service”) that is not monitored or directly managed by a Prove employee. Prove has endeavored to ensure the accuracy and completeness of any information that Developer and/or Client may receive from an Automated Service, however Prove makes no warranties, express or implied, regarding the accuracy or completeness of any response Developer and/or Client receives, including any errors or omissions made by the Automated Service. Additionally, an Automated Service does not have any legal authority to bind Prove to any agreement (including financial terms or service levels) and any language put forward by an Automated Service purporting to bind Prove to any agreement shall be null and void.

ADDITIONAL DOCUMENTS

The following documents are hereby incorporated into this Agreement by reference:

Prove may update any of the above referenced documents at any time by posting a new version and providing appropriate notice in the Portal.

‍

‍4. OBLIGATIONS OF CLIENT & DEVELOPER

4.1 Compliance with Certain Laws.

(i) Personal Information. Developer understands that the Solutions may contain other sensitive information governed by certain laws regulating the Processing of Personal Information all of which Developer acknowledges and agrees to comply with on behalf of Client and to ensure that any third parties acting on behalf of Developer or Client also comply. This includes Client and Developer (on behalf of Client) agreeing to provide electronically Prove’s End User Terms & Conditions to each individual consumer each time they interact with Prove Solutions through Client’s online sites, products, and/or services in order for Prove to obtain and track consumers’ consent for their Processing of Personal Information.

4.2 Use of the Solutions.

(i) Developer’s use of Prove’s APIs, graphical user interfaces, platforms and other access solutions is limited to Developer’s access to and use on an authorized and credentialed basis. Developer will not, nor will Client, sublicense any of Prove’s Solutions for use by a third party and any attempted sublicensing will be void.

(ii) Storage of Response Data. All Response Data retained by Developer and Client will at all times be maintained in accordance with the confidentiality and information security provisions of the Agreement.

(iii) Liability for Response Data. Prove will have no liability with respect to claims arising from Developer’s interpretation or use of the Response Data or decisions and actions allegedly based upon such Response Data.

4.3 No Representations. Neither Developer or Client may make any representations, warranties or guarantees related to the Solutions unless authorized in advance in writing by Prove.

4.4 GLBA and DPPA Requirements. To the extent that Developer or Client receives Response Data that is Personal Information subject to the GLBA and/or the DPPA, and the regulations issued thereunder, Developer and Client acknowledge and agree that each will request, access and use such Solutions solely for the following specific use(s) listed below:

As necessary to effect, administer, or enforce a transaction requested or authorized by the Consumer;
To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
For required institutional risk control, or for resolving consumer disputes or inquiries;
For use solely in conjunction with a legal or beneficial interest held by Client relating to the Consumer;
For use solely in Client’s fiduciary or representative capacity on behalf of, and with the implied or express consent of, the Consumer;
To the extent specifically permitted or required under applicable laws other than the GLBA, and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, to self-regulatory organizations, or for an investigation on a matter related to public safety; and/or,
To comply with applicable federal, state, or local laws, rules, and other applicable legal requirements.

4.5 FCRA Prohibition.

In relation to Consumers based in the United States, the Client shall not use the Solutions or Response Data to: (i) create a consumer report as defined under 15 USC §1681a (“Consumer Report”) or for use by a consumer reporting agency for the purpose of creating a Consumer Report; or (ii) for any other purpose to the extent it would cause Prove to be subject to the Fair Credit Reporting Act (“FCRA”) or any similar laws or regulations, or (iii) for any other FCRA permissible purposes;
Client acknowledges that Prove is a solutions provider and that its performance of its obligations under this Agreement does not fall within the scope of the FCRA. Client undertakes not to provide Prove with Consumer Report data or take any other action which may bring Prove within the scope of the FCRA. If, despite the above, Client’s interactions with Prove become subject to the FCRA, Client acknowledges that Prove will act as agent on Client’s behalf for the purposes of the FCRA.

4.6 TCPA Prohibition. Client will not use the Solutions to transmit any marketing communications or any communication that would violate any applicable federal, state, and local law, court order or regulation, including but not limited to the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”), the rules governing the Do Not Call Registry, currently found at http://www.donotcall.gov, the CAN-SPAM Act, and any other applicable marketing rules in the United States.

4.7 Privacy Requirements. In performing its obligations and exercising its rights under this Agreement, Client will comply with its obligations as a data controller under the applicable data protection and privacy laws. Developer and Client represent that one or both has or will provide notice and consent to its Consumers where legally required under applicable privacy laws including but not limited to the California Consumer Privacy Act (“CCPA”) and all other state data protection, privacy, and consumer protections laws in order to receive the Prove Solution. Client will retain such records of notice, and consent where it is legally required, for the duration of this Agreement, plus an additional year unless otherwise required by law.

4.8 Security Requirements.

4.8.1 Securing Personal Information. Client shall treat all Personal Information, as defined in the applicable Agreement, as sensitive and confidential. This includes, but is not limited to securing sensitive files, managing data access, securely disposing of data and paper records and managing devices. Unless otherwise permitted in the Agreement, Client shall not share or distribute Personal Information with any third party organization or person(s) without the express, written consent of Prove’s Legal Department, CFO, or CEO.

4.8.2 Personnel Security. For all Client Personnel who have access to Personal Information, Client shall: (i) Perform background checks that include, at a minimum, national criminal record checks going back seven (7) years, as well as legal identity verification and authentication (e.g., SSN verification); (ii) Require such Personnel to sign an agreement to maintain the confidentiality of such Personal information; (iii) Require such Personnel to be trained on acceptable use of systems, their obligations regarding privacy and data protection laws and their role in the prevention, detection and reporting of security incidents in addition to complying with all other Client security policies; and (iv) Communicate to such employees the relevant aspects of the Information Security Program, including the procedures and penalties for non-compliance. Additionally, Client shall implement a process to terminate access to Personal Information within twenty-four (24) hours upon the termination of Client Personnel.

4.8.3 Information Security Program. Client shall have implemented a documented information security program, policy and standards, and procedures (the “Information Security Program”) that is approved by senior management, meets industry best practices, and complies with all applicable regulatory requirements. Client shall internally review the Information Security Program, and all documentation supporting it, at least annually and revise in accordance with changes in industry best practices and/or applicable regulatory requirements. Client shall hire an accredited third party to review its Information Security Program at least annually in order to provide sufficient assurance documentation to Prove upon request or as part of an annual assessment (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

4.8.4 Access Controls. All access to Personal Information by Client shall be limited by business need and using the principle of least privilege. All access and actions on Client systems must be attributable to a named individual or a machine process account. Client shall enforce segregation of duties for all development, test, and production environments.

4.8.5 Data Storage and Transmission. All Client systems used to process, transmit, store Personal Information must use strong cryptography controls: a minimum of Transport Layer Security (“TLS”) 1.2 for data in transit and at least 256-bit encryption for data at rest. Client shall use Secure File Transfer Protocols (“SFTP”) or another equally secure method/ channel when Personal Information is being transferred externally to/from Client. All Personal Information must be encrypted using TLS 1.2 or higher when in transit. If Personal Information is required to be stored on portable storage media or laptop, Client shall ensure that such Personal Information is encrypted with strong cryptography controls (at least 256 bit) and uncompromised technology.

4.8.6 Security Testing and Monitoring. Client shall implement and maintain security configurations, patch management, vulnerability management, and security tooling in line with industry best practices. Client shall test all web applications Processing, transmitting, or storing Personal Information against Open Web Application Security Project (“OWASP”) Top ten (10) web application security risks prior to going live and on a regular basis. Client shall conduct regular penetration testing of internal and external systems that process, transmit, or store Personal Information. Upon written request, Client shall provide Prove with the results of such testing, including summary reports, test details and dates, and information on the progress of remediation related to any findings.

4.8.7 Physical Security. Client shall implement and maintain a clearly defined and documented physical security policy supported by standards that meet industry best practices.

4.8.8 Data Destruction. On expiry or termination of this Agreement, Client shall promptly (and in no case longer than 30 days) and permanently delete all Personal Information, and direct any applicable subcontractor to do the same, unless otherwise approved expressly in writing by Prove’s Legal Department, CFO, or CEO. Where Personal Information is required to be retained by Client under applicable laws, this must be notified to Prove prior to the expiry or termination of this agreement with justification provided for its continued retention and anticipated timescales defined for its eventual destruction.

4.8.9 Security Incidents. Client shall document and maintain an Incident Response Plan (“IRP”) that is sufficient to comply with applicable data privacy laws. At a minimum, the IRP plan should be tested annually. Client shall document any security event impacting the confidentiality, integrity, or availability of Personal Information (“Security Incident”), including the root cause(s), analysis, and remediation. Client must immediately notify Prove after Client’s discovery of any actual or suspected Security Incident, unauthorized disclosure of Response Data or breach of this Agreement by sending an email to incident@prove.com, privacy@prove.com, and legal@prove.com and to the contract notice addressee set forth in Section 13.7 (Notices) of the Agreement by the means set forth therein. Client must provide Prove the following information to the extent such information is known at the time: (i) the nature, root cause and impact of the breach or disclosure; (ii) Client’s assessment of immediate risk due to the breach; (iii) corrective actions already taken; (iv) corrective measures to be taken; and (v) notifications made and to be made to regulatory authorities, customers, and consumers. Client must take all reasonable actions to mitigate the effects of such Security Incident or disclosure, including all necessary actions to recover the affected Response Data, and will reasonably cooperate with Prove in connection therewith. Client will not, without the prior written consent of Prove or unless required by law, reference Prove in any notification regarding unauthorized access or disclosure that affects Consumers (a “Breach Notice”). This section is subject to the requirements of state, federal, and local country laws or regulations, including but not limited to any obligation to provide prior notice to law enforcement.

4.8.10 Audit Rights. Client agrees to allow Prove to audit compliance with this Exbibit on a regular basis, but no more once than annually, for at least the length of the engagement (“Annual Reviews”). This may include, as determined by Prove, access to or copies of documentation related to Client’s Information Security Program, including but not limited to Client’s information security policies and procedures, as well as any recent external, third party assurance documentation (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

‍

5 OBLIGATIONS OF PROVE

5.1 Provisioning and Onboarding Service. Provided that Prove has received all fees due under this Agreement from Developer, Prove will provide the Solutions ordered by Developer on behalf of Client in accordance with information received from Developer and the terms and conditions of this Agreement.

5.2 Technical Support. Prove is responsible for providing technical support for the Portal and Solutions to Developer and Client as described in the Portal Service Level Agreement. Prove will not have any support obligations with respect to errors caused by the combination, operation or use of the Solutions with any product not furnished by Prove if such errors would not have resulted from the unmodified, stand-alone Solutions.

‍

Developer Service Level Agreement

1. Definitions. For purposes of this Service Level Agreement ("SLA"), the following terms have the meanings set forth below. All capitalized terms in this SLA that are not defined in this Section 1 or elsewhere in this SLA have the meanings given to them in the General Terms & Conditions.

“Business Day” means a day, other than Saturday or Sunday, in which banks are open for business in New York, New York, USA.

“Defect” means any failure of the Solutions to operate in any material respect in accordance with the Agreement or relating Documentation.

“Expected Service Fee for the Month” means the sum of all Service Fees due to Prove pursuant to the Agreement.

“Incident” means any event which is not part of the standard operation of the Solutions and which causes, or may cause, an interruption to, or reduction of, the quality of the Solutions.

“Normal Business Hours” means 9:00 AM to 5:00 PM, [Eastern Time], on a Business Day.

“Response Time” means the elapsed time from the initial identification of an Incident by Prove or report by Client to Prove and a return call from the technical specialist working on the request to the Client Personnel acknowledging the Incident report with an assigned ticket number and providing a status update.

“Scheduled Maintenance” means the performance of tests, upgrades, improvements, preventive maintenance and other similar activities affecting the Solutions which are reasonably likely to cause the Solutions to become unavailable while such activities are being performed or which necessitate the temporary suspension of the Solutions in order for such activities to be performed with reasonable efficiency.

“Service Availability” means the percentage of availability of the Solutions in a particular calendar month calculated by the formula:

S = [(T - N) / T] * 100 where S Equals Solution Availability, N equals the number of minutes in which any Solution Outages occurred during the month and T equals the number of minutes in the month less the number of minutes in which Scheduled Maintenance was performed during the month.

“Solution Outage” means any condition or set of conditions where the Solutions fail to meet the service levels required under this Exhibit A, except to the extent such condition or set of conditions is caused by circumstances outside of Prove’s Span of Control.

“SLAs” means the service levels committed to by Prove pursuant to this Exhibit A.

“Span of Control” means Prove will be responsible for all Solution Outages and Incidents which include Solutions and the associated provisioning systems which are provided by Prove, not including external connections to MNOs and/or third party data providers or other third-party systems.

“System” means the Network.

2. Service Levels.

2.1 Availability of Solutions.

Subject to the terms and conditions of the Agreement, Prove shall provide the real-time API Solutions to Clients with a Solutions Availability of 99.9% exclusive of Scheduled Maintenance and any Incidents that are outside Prove’s Span of Control.

The commitment of availability of Solutions is restricted to the Prove System and does not include technical Incidents related to any type of external connection outside of Prove’s Span of Control, including Incidents impacting any third party data provider or other third-party system.

Client acknowledges and agrees that Prove cannot guarantee the total reliability of the Solutions which can be subject to, in addition to cases of force majeure events, Client equipment and/or third party software, hardware or network infrastructure failure outside of Prove’s data center and not under the direct control of Prove; failure of the external Internet beyond Prove’s network; electrical or Internet access disruptions; or attacks (i.e. hacks, denial of service attacks, malicious introduction of viruses and disabling devices) caused by third parties.

2.2 Scheduled Maintenance.

Prove reserves the right to plan Solutions interruptions for Scheduled Maintenance. Prove will plan Scheduled Maintenance when global traffic volumes are or are expected to be low and will use reasonable efforts to adjust the planned dates and/or times for Scheduled Maintenance based on Client’s needs. Client will be notified at least five (5) Business Days in advance of Scheduled Maintenance. Prove will notify Client as soon as practicable upon receipt by Prove of notification from any third party data provider or third party that is processing Client transactions of any third party data provider or third-party maintenance window that will result in downtime of the Solutions.

Prove will provide at least five (5) Business Days prior notification to Client when Scheduled Maintenance of the Solutions are to be expected. Notification will include the starting time, expected duration, and a summary of the changes to be performed during the maintenance period.

2.3 Emergency Maintenance.

Prove may, in its discretion, cause interruptions to the Solutions in the event maintenance or repair of the System is necessary and such maintenance or repair cannot occur as part of Scheduled Maintenance without adversely affecting operation of the Solutions. Prove shall provide Client as much notice as is practicable prior to causing such interruptions. Emergency maintenance resulting in a service impact will be reported as a Service Outage.

2.4 Reporting and Updates.

Prove will monitor and upon request provide Client monthly reporting on Incidents for the period including the total duration of Service Outages, Prove will make commercially reasonable efforts to maintain backward compatibility such that Solutions updates, software Maintenance Releases, and upgrades will be backward compatible with the previous versions of the Solutions. If a change will require losing backward compatibility, it will be communicated to Client three (3) months before that service or API is discontinued, provided that Prove has been afforded such notice of such change. In no circumstances will Client be required to purchase a particular software release, service update, or service upgrades in order to retain backward compatibility to the previous version of Solutions.

2.5 Service Level Credits.

Service Level Credits are Client’s sole and exclusive remedy for any violation of these SLAs. The total amount of Service Level Credits awarded in any one-month period will not, under any circumstance, exceed 5% of a Client’s cumulative total monthly service fees. Service Level Credits for these SLAs will only be calculated against fees that are calculated on a ‘per transaction basis’ and for real-time API calls only; fees that are paid on a ‘subscription basis’ are not eligible for Service Level Credits. If the Solutions Service Availability is less than 99.5% in a calendar month, Client may request a credit on their next invoice equal to the percentage of transactions that failed due to Service Availability falling below 99.5%. For example, if Service Availability fell to 99.4% during January and Client was unable to complete 0.1% of their monthly transactions as a result, Client may request a Service Level Credit equal to 0.1% of their January fees owed to Prove; or, if Service Availability fell to 99% during November and Client was unable to complete 0.2% of their monthly transactions as a result, Client may request a Service Level Credit equal to 0.2% of their November fees owed to Prove.

3. Beta Solution Feedback.

3.1 Beta Solution Feedback.

Recipient shall report to Developer, as soon as practical, any perceived defect in the Product. At the conclusion of the Beta Test, Recipient shall provide to Developer an evaluation of the Product, including both positive and negative aspects. This feedback will be provided through Developer appointed Slack Channel.

4. Support Solutions.

4.1 Software Support.

As Prove develops permanent solutions or fixes for known or potential Defects in the Solutions, it will promptly incorporate them in software Maintenance Releases in a diligent manner. Client will receive the benefit of standard software Maintenance Releases implemented by Prove subject to terms of this Exhibit A. Client will not incur installation costs for software Maintenance Releases.

4.2 Response Times.

In the event of a Defect or Service Outage, Prove will propose within the following time scales a solution, a workaround, or a plan:

Severity Level

1. Critical Priority: (The interface is unavailable to multiple users.)

Initial target response: Two (2) hours after notification of issue. Target resolution or workaround: 12 hours

2. High Priority: (When specific functions within the interface are not functioning as expected, but the interface itself is available. This also includes when you have difficulty accessing your account.)

Initial target response: Eight (8) hours from notification of issue. Target resolution or workaround: Within seventy-two (72) hours.

3. Normal Priority: (Standard functionality issues.)

Initial target response: Within 1 business day after notification Target resolution or workaround: Within five (5) business days.

4.3 Incident Ticket Reporting and Reviewing Process.

Incident ticket review meetings may be arranged upon Client’s written request and as agreed between Prove and Client, to track the progress of solving open Incident tickets.

‍

Vendor Data Processing Agreement

This Data Processing Agreement(“DPA”) is entered into by and between Prove Identity, Inc., a Delaware corporation with its principal offices at 245 Fifth Avenue, 20th Floor, New York, NY 10016 and its Affiliates (collectively “Prove”) and the counterparty listed in the signature block below (“Vendor”).

WHEREAS, Prove and Vendor have entered into one or more agreements (any such agreement individually or collectively referred to as the “Master Agreement”) that may require the processing of personal data as described therein.

WHEREAS, this DPA sets out the additional terms, requirements, and conditions on which the parties will obtain, handle, process, disclose, transfer, or store personal data when providing services under the Master Agreement.

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

“Affiliates” means for any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity.

“Confidential Information” has the same meaning ascribed to it as in the applicable Master Agreement.

“Consumer” means a customer of Prove that is a consumer.

“Control” means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity whether through the ownership of voting securities (or other ownership interest), by contract or otherwise.

“Data Subject” means an individual who is the subject of the Personal Data and to whom or about the Personal Data relates, directly or indirectly. For the avoidance of doubt, this definition is intended to cover substantially similar terms under applicable Privacy and Data Protection Laws.

“EEA” means the European Economic Area.

“Personal Data” means any information directly or indirectly linked or associated to a particular identified or identifiable natural person, including but not limited to, names, dates of birth, postal addresses, telephone numbers, electronic mail addresses, social security numbers, and credit card numbers. For the avoidance of doubt, this definition is intended to cover “personal information,” “personal data,” or substantially similar terms under applicable Privacy and Data Protection Laws.

“Privacy and Data Protection Laws” means all applicable laws and regulations relating to the processing, protection, or privacy of Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Protection Act (CCPA), California Privacy Rights Act (CPRA), Colorado Privacy Act, Virginia Consumer Data Protection Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), European General Data Protection Regulation (GDPR), UK GDPR, and Brazilian General Data Protection Law (LGPD).

“Restricted Transfer” means the receipt, disclosure, access, transfer, or storage of Personal Data to any person or entity located in:

(i) any country outside the EEA (an “EEA Restricted Transfer”); and/or

(ii) any country outside the UK (a “UK Restricted Transfer”),

that the applicable supervisory authority has not deemed to provide an adequate level of protection under Privacy and Data Protection Laws.

“Security Breach” means any act or omission that compromises the security, confidentiality, integrity, or availability of Services Personal Data or that compromises the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Services Personal Data is a Security Breach whether or not the incident arises to the level of a security breach under the Privacy and Data Protection Laws.

“Sensitive Personal Data” means categories of Personal Data including but not limited to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data used to uniquely identify a natural person, health data, and precise geolocation data. For the avoidance of doubt, this definition in intended to cover "sensitive data," "special categories of personal data," or substantially similar terms under applicable Privacy and Data Protection Laws.

“Services” means the services described in the Master Agreement or any other purposes specifically identified in Annex A. This includes “Solutions” as that term is defined in the Master Agreement (where applicable).

“Services Personal Data” means any Personal Data that Vendor:

(i) obtains, handles, processes, discloses, transfers, or stores on Prove’s behalf pursuant to or in connection with the Services (“Prove Personal Data”); and/or

(ii) transmits to Prove pursuant to or in connection with the Services.

For the avoidance of doubt, Services Personal Data (including Prove Personal Data) is Confidential Information.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission (available here). Where applicable, the SCCs may be varied by the UK Transfer Addendum (available here).

“UK” means the United Kingdom of Great Britain and Northern Ireland.

1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Terms not defined in this DPA have the same meaning as the corresponding terms in the Master Agreement.

1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

2. PERSONAL DATA TYPES AND PROCESSING PURPOSES

2.1 Prove and Vendor acknowledge that for the purpose of complying with any applicable Privacy and Data Protection Laws:

(i) Prove is the controller and Vendor is the processor with respect to any Prove Personal Data; and

(ii) Prove and Vendor are joint controllers with respect to any Services Personal Data.

2.2 The party acting as controller with respect to Services Personal Data retains control of such data and remains responsible for its compliance obligations under any applicable Privacy and Data Protection Laws, including providing any required notices and obtaining any required consents, and for processing instructions it gives to the party acting as processor.

2.3 Annex A provides general information regarding processing of Services Personal Data in accordance with this DPA and the Privacy and Data Protection Laws.

3. PROCESSING OBLIGATIONS

3.1 Each party shall only process Services Personal Data to the extent, and in such a manner, as is necessary to perform the Services in accordance with the other party’s written instructions. The parties will not process Services Data for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Laws.

3.2 Each party must promptly comply with any request or instruction from the other party to amend, transfer, or delete the Services Personal Data, or to stop, mitigate, or remedy any unauthorized processing.

3.3 Each party shall maintain the confidentiality of all Services Personal Data and shall not disclose Services Personal Data to third parties unless the other party or this DPA specifically authorizes the disclosure or as required by law. If a law requires any party to process or disclose Service Personal Data, such party must first inform the other party of the legal requirement and give that party an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The parties shall reasonably assist one another with meeting any compliance obligations under the Privacy and Data Protection Laws, while also considering the nature of the processing and the information available. For the avoidance of doubt, Prove is not responsible for completing Vendor’s privacy impact assessments, data protection impact assessments, transfer impact assessments, or similar requirements; Prove will only provide information or evidence needed to support these compliance activities if it is not already provided in this DPA or otherwise available to Vendor.

4. EMPLOYEE ACCESS TO PERSONAL DATA

4.1 Parties shall limit any Personal Data access based on the principle of least privilege and to:

(i) those employees who require Personal Data access to meet the applicable party’s obligations under the Master Agreement; and

(ii) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.

4.2 Parties shall ensure that all employees who have access to Personal Data:

(i) are informed of the Personal Data's confidential nature and use restrictions and are obliged to keep such date confidential.

(ii) have undertaken training on the Privacy and Data Protection Laws relating to the handling of Personal Data and how it applies to their particular duties; and

(iii) are aware of the applicable party’s duties and employee’s personal duties and obligations under the Privacy and Data Protection Laws and this DPA.

4.3 Each party’s employees and contractors (“Personnel”) who have access to Personal Data shall:

(i) perform background checks that include, at a minimum, national criminal record checks going back seven (7) years, as well as legal identity verification and authorization (e.g., National ID verification);

(ii) require Personnel to sign an agreement to maintain the confidentiality of such Personal Data; and

(iii) require Personnel to be trained on acceptable use of systems, their obligations regarding privacy and data protection laws, and applicable information security policies.

5. SECURITY

5.1 Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall implement appropriate physical, administrative, technical, and organizational measures to ensure a level of security appropriate to the risk of the processing of Personal Data. These measures shall include, at a minimum, the vendor data protection standards set out in Annex D.

5.2 Each party shall immediately notify the other party if it becomes aware of any advance in technology and methods of working which indicate that the parties should adjust their security measures.

5.3 Each party shall take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss, including but not limited to establishing effective back-up and data restoration procedures.

6. SECURITY INCIDENT NOTIFICATION AND MANAGEMENT

6.1 Each party shall document and maintain an Incident Response Plan (“IRP”) which shall be updated and tested at least annually. The IRP shall require that each party document any Security Breach or security event impacting the confidentiality, integrity, or availability of Personal Data (collectively, “Security Incidents”). The documentation should contain the root cause(s) of the Security Incident, any analysis conducted internally and by an external forensics firm, and any current or future planned remediation activities.

6.2 Each party shall notify the other party of a Security Incident promptly, but in no event later than 72 hours, upon discovery of such Security Incident.

6.3 Immediately following any Security Incident, the parties will coordinate with each other to investigate the matter. For Security Breaches specifically, the parties will reasonably cooperate in their handling of the matter, including:

(i) assisting with any investigation;

(ii) facilitating interviews with employees, former employees, and others involved in the matter; and

(iii) making available all relevant records, logs, files, data reporting, and other materials required to comply with the Privacy and Data Protection Laws or as otherwise reasonably required by the non-breaching party.

6.4 For Security Incidents involving Prove Personal Data, Prove will determine:

(i) whether and how to provide notice to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation; and

(ii)whether and to what extent to offer any type of remedy to affected Data Subjects.

6.5 For all other Security Incidents, Prove and Vendor will mutually determine:

(i) whether and how to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation; and

(ii) whether and to what extent to offer any type of remedy to affected Data Subjects.

6.6 The party suffering any Security Breach or Security Incident shall cover all reasonable expenses associated with the performance of the obligations under Sections 6.3 to Section 6.5, unless the Security Breach arose from the other party's specific instructions, negligence, willful default, or breach of this DPA, in which case that party will cover all reasonable expenses.

7. SUB-PROCESSORS

7.1 A list of third parties approved to process Prove Personal Data in connection with the provision of the Services (each a “Sub-processor”) can be provided.

7.2 The parties shall notify one another in writing of any intended change or addition to the Sub-processors and provide the opportunity to object to such change or addition within fourteen (14) days of notification. The party sending notification of any change or addition may cure an objection by:

(i) cancelling its plans to use the Sub-processor with regard to Services Personal Data;

(ii) offering an alternative to fulfill the Services without such Sub-Processor; or

(iii) taking corrective action requested by the objecting party to obtain approval of such Sub-processor.

7.3 Each party shall ensure, and provided evidence upon request, that its Sub-processors:

(i) have entered into a written contract that contains terms that are substantially the same as those set out in this DPA and meet all applicable Privacy and Data Protection Laws; and

(ii) are not authorized to process Services Personal Data for any other purpose than the Services.

7.4 Where a Sub-processor fails to fulfill its obligations under such written contract, the party engaging such Sub-processor remains fully liable to the other party for the Sub-processor’s performance of its agreement obligations.

8. RESTRICTED TRANSFERS

8.1 No party shall not make (nor instruct or permit a Sub-processor to make) a Restricted Transfer of any Services Personal Data except with the other party’s prior written consent and in accordance with Section 8.2.

8.2 In order to comply with Privacy and Data Protection Laws, the parties agree to incorporate the applicable SCCs as set out in Annex C and take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations.

8.3 The terms of the applicable SCCs shall control to the extent there is any conflict between the applicable SCCs and this DPA.

8.4 If required by any supervisory authority or the applicable Privacy and Data Protection Laws relating to a Restricted Transfer, the parties shall upon request of either party execute or re-execute the applicable SCCs as separate documents if required.

9. COMPLAINTS AND DATA SUBJECT RIGHTS REQUESTS

9.1 Each party must notify the other party promptly if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Privacy and Data Protection Laws.

9.2 Each party must notify the other party within three (3) business days after verifying the identity of a Data Subject of any request to access to their Personal Data or exercise one of the Data Subject’s personal data rights.

9.3 Each party shall reasonably cooperate and assist at their own expense in responding to any complaint, notice, communication, or Data Subject request.

9.4 Vendor shall not disclose Services Personal Data to any Data Subject or to another third party without Prove’s prior consent unless required to do so by law.

9.5 Prove shall not disclose Services Personal Data to any Data Subject or to another third party without Vendor’s prior consent unless required to do so by law.

10. TERM AND TERMINATION

10.1 This DPA shall remain in full force and effect so long as:

(i) the Master Agreement remains in effect; or

(ii) Prove or Vendor as applicable retains any Personal Data related to the Master Agreement in its possession or control (the “Term”).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data shall remain in full force and effect.

10.3 Any party’s failure to comply with the terms of this DPA is a material breach of the Master Agreement. In such event, non-breaching party may terminate the Master Agreement effective immediately upon written notice to the counterparty without further liability or obligation.

10.4 If a change in applicable Privacy and Data Protection Laws prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements, unless the parties otherwise agree on an alternate remediation plan. If the parties are unable to bring the Personal Data processing into compliance with the Privacy and Data Protection Laws within thirty (30) days, either party may terminate the Master Agreement upon written notice to the other party.

11. DATA RETURN AND DESTRUCTION

11.1 At Prove’s request, Vendor shall promptly destroy or return to Prove all copies of, or access to, the Prove Personal Data in its possession or control, in the format and on the media reasonably specified.

11.2 On termination of the Master Agreement for any reason or expiry of its term, each party will promptly (and no later than 30 days) return or destroy all Confidential Information belonging to the other party unless retention of such data is necessary for reasonable archival, billing, legal, and regulatory compliance purposes. For the avoidance of doubt, retained Confidential Information shall not be used for any other purpose than for archival, billing, legal, and regulatory compliance.

11.3 If retention is necessary for archival, billing, legal, or regulatory compliance purposes as set out in Section 11.2 above, Vendor shall notify Prove in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

11.4 At Prove’s request, Vendor shall certify in writing that it has destroyed all Prove Personal Data as requested in Section 11.1 or 11.2.

12. RECORDS

12.1 Vendor shall keep detailed, accurate, and up-to-date records regarding any processing of Personal Data it carries out on behalf of the controller, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors and affiliates, and the processing purposes (“Records of Processing”). The parties, when acting as controllers, shall also maintain adequate Records of Processing incompliance with applicable Data Protection & Privacy Laws.

12.2 The party acting as processor shall ensure that the Records of Processing are sufficient to enable the controller to verify the processor’s compliance with its obligations under this DPA.

13. AUDIT & ASSURANCE

13.1 Each party shall periodically audit its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA.

13.2 Each party agrees to allow the other party to assess and verify compliance with this DPA on a regular basis, but no more once than annually, for at least the length of the engagement (“Annual Reviews”). This may include, as determined by the other party, access to or copies of documentation related to the Information Security Program, including but not limited to the information security policies and procedures, as well as any recent external, third party assurance documentation (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.), and the results of any security testing, including summary reports, test details and dates, and information on remediation related to any findings.

14. WARRANTIES

14.1 The party acting as controller warrants and represents that it has:

(i) obtained all required consent(s) under applicable Privacy and Data Protection Laws to process Services Personal Data in order to receive the Services; and

(ii) provided all required privacy notice(s) under applicable Privacy and Data Protection Laws to process Services Personal Data in order to receive the Services.

14.2 Each party warrants and represents that:

(i) its employees, subcontractors, agents, and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Laws relating to the Personal Data;

(ii) it and anyone operating on its behalf will process the Personal Data in compliance with all applicable Privacy and Data Protection Laws and other laws, enactments, regulations, orders, standards, and other similar instruments;

(iii) it has no reason to believe that any Privacy and Data Protection Laws prevent it from providing any of the Services under the Master Agreement; and

(iv) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

(a) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage;

(b) the nature of the Personal Data protected; and

(c) comply with all applicable Privacy and Data Protection Laws, as well as its information and security policies, including the security requirements required in Section 5.

14.3 Each party warrants and represents that its expected use of any Personal Data as part of the Services complies with this DPA and all Privacy and Data Protection Laws.

15. NOTICE

15.1 Any notice or other communication given to a party under or in connection with this DPA shall be in writing by email, certified mail, hand delivery, or delivery by a reputable next business day carrier service delivered to:

For Prove:

Prove Identity, Inc.
245 Fifth Avenue, 20^th Floor
New York, NY 10016
Attn: Chief Compliance Officer
compliance@prove.com

15.2 Section 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

16. CONFIDENTIALITY

16.1 Each party shall treat Personal Data as Confidential Information. Each party shall ensure that its personnel and Sub-processors are subject to confidentiality obligations as least as restrictive as in the Master Agreement and this DPA.

16.2 Such confidentiality obligations shall survive the termination of this engagement.

17. MISCELLANEOUS

17.1 Neither party shall assign or transfer any rights or delegate any duties hereunder, in whole or in part, by operation of law or otherwise, without the other party’s express prior written consent, which will not be unreasonably withheld or delayed.

17.2 The terms of this DPA shall control to the extent there is any conflict between this DPA and the terms of the Master Agreement. Except as specifically amended and modified in writing by the parties, the terms and provisions of this DPA shall remain in full force and effect.

17.3 Without limiting the foregoing, the governing law clause and forum selection clause of the Master Agreement shall apply to any disputes arising out of this DPA.

‍

Trusted by 1,000+ leading companies to reduce fraud and improve consumer experiences, Prove is the world’s most accurate identity verification and authentication platform.