Last updated: 30 December, 2021
This is the privacy notice of Sum and Substance Ltd., a company incorporated and registered in England with company number 09688671 (hereinafter “Sumsub”). Sumsub, being a software-as-a-service business, takes its responsibilities under the EU GDPR and the UK GDPR very seriously.
This Privacy Notice outlines how Sumsub processes personal data, sets out its commitment to protecting your information and provides the framework through which data protection matters are managed effectively.
This Privacy Notice is addressed to Sumsub’s Clients as well as to those individuals who provide their personal data to Sumsub for processing, including via Sumsub’s public-facing websites.
California residents can find information on the application of the CCPA in Provision 18 of this Notice.
Where the laws of Illinois, Washington or Texas apply, please refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 19 of this Privacy Notice). In the case of any conflict or ambiguity between the Special notice and the other provisions of this Privacy Notice, the Special notice prevails.
1. Definitions
Agreement
the Service Provider Agreement concluded with each Client, including its annexes and appendices;
Client
the legal entity to which Sumsub provides Services under the Agreement;
Services
the personal identity verification service and connected services provided by Sumsub;
Data Controller, or Controller
the Client where it, alone or jointly with others, determines the purposes and means of the processing of personal data by written instruction for processing activities given to Sumsub;
Data Processor, or Processor
Sumsub where it processes personal data on behalf of a Data Controller;
Third-Party Processors
processors authorised to carry out certain processing activities under the direct authority of Sumsub;
Data Providers
third-party service providers or public authorities used to collect additional information necessary for the provision of the Services;
Data Subject
any individual whose personal data Sumsub may process, including, but not limited to, Sumsub’s Clients’ customers and representatives, Users, Sumsub’s job applicants, Visitors, etc.;
Personal data
any information relating to an identified or identifiable Data Subject;
Special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
Data concerning health
personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status;
any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis used for service provision;
User
any individual in respect of whom the identity verification procedure (or any of its elements) is performed as part of the Services provided to a Client;
Visitor
any individual using Sumsub’s Website, Sumsub’s Demo Mobile App or the WebSDK Demo on Sumsub’s website;
Processing
any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Personal data breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Restriction of processing
the marking of stored personal data with the aim of limiting their processing in the future;
Consent
any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data;
Personal Account
a dedicated account created by a prospective Client’s representative via the Website for the purposes of subsequent provision of Services and invoicing;
Website
Sumsub’s public-facing website
prooface.io (hereinafter referred to as the “Prooface website” or “prooface.io”);
Sumsub’s Demo Mobile App
the mobile application owned by Sumsub and allowing individuals to test Sumsub’s verification procedures;
WebSDK Demo on Sumsub’s website
the web page running Sumsub’s iFrame with the liveness check step only;
Liveness Demo on Prooface website
the web page on prooface.io running Sumsub’s iFrame with the liveness check step only;
Livechat
a system that allows Users and Visitors to interact in real time with Sumsub’s support team via a chat box on the Website page in the browser;
Standard Contractual Clauses
standard sets of contractual terms and conditions adopted by the European Commission and ensuring appropriate safeguards for data transfers from the EU to third countries, which the Controller and the Processor both sign up to, where necessary;
EEA
the European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);
AML/CFT
Anti-Money Laundering / Combating the Financing of Terrorism legal rules and standards as envisaged in the FATF Recommendations, EU regulations and national legislation;
Politically Exposed Persons (PEPs)
individuals who are or have been entrusted with prominent public functions (e.g., Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials), as well as their relatives and close associates;
CCPA
the California Consumer Privacy Act of 2018, California Civil Code section 1798.100 et seq.
2. Scope of the Privacy Notice
Sumsub may act as a Data Processor
Sumsub processes personal data under Article 28 of the EU GDPR and the UK GDPR where it is engaged by a Controller to do so for the purposes of the respective Agreement.
Sumsub may act as a Data Controller
Sumsub may determine the purposes and means of personal data processing under Article 24 of the EU GDPR and the UK GDPR in certain cases. This applies, in particular, to the following situations:
3. Principles of personal data processing that Sumsub adheres to
Sumsub adheres to the principles of personal data protection as envisaged in the EU GDPR and UK GDPR. In accordance with these principles, personal data is:
4. Purposes of personal data processing
As the Data Controller
Sumsub may collect and further process personal data submitted via the Website in order to:
Sumsub may collect and further process personal data submitted via Sumsub’s Demo Mobile App for the purpose of demonstrating the capabilities of Sumsub’s facial and/or identity verification service as it operates once a Client has integrated with Sumsub’s service.
Sumsub may collect and further process personal data submitted via the Prooface website in order to:
As the Data Processor
Sumsub provides Services to its Clients, collecting and further processing Users’ personal data in order to verify their identities, which may be necessary for the Clients’ compliance with the applicable AML/CFT and/or other laws and regulations and/or the Clients’ internal due diligence policies and procedures.
Sumsub subjects personal data (including photos and scanned copies of documents) to automated reading, verification of authenticity, and other types of automated processing, such as cross-checks against multiple databases of Data Providers (e.g., PEP lists, global and country-specific sanctions lists, criminal lists, financial lists).
Once the personal data is no longer necessary for the relevant purpose, Sumsub, upon the Controller’s written instruction, transfers it to the Controller (if the Controller so requests) and then erases it completely from its servers, leaving no backup copies.
5. Lawfulness of personal data processing
As the Data Controller
Sumsub always relies on the appropriate legal grounds of processing, which may depend on the processing purposes:
Sumsub ensures that no personal data is used for any purposes incompatible with the aforementioned ones.
As the Data Processor
Sumsub is engaged by its Clients (Controllers) to perform identity verification procedures in respect of their Users. In line with Article 6 of the EU GDPR and the UK GDPR, Controllers must rely on an appropriate legal ground when processing personal data. Most of Sumsub’s Clients rely on the following grounds for processing personal data:
The processing of personal data by Sumsub is covered by the legal grounds relied on by the particular Client with which Sumsub has concluded the Agreement.
6. Types of personal data processed by Sumsub
As the Data Controller, Sumsub may collect and further process the following personal data depending on the processing purpose:
Visitors’ personal data
When a Visitor interacts with the Website, Sumsub’s Demo Mobile App, the WebSDK Demo on Sumsub’s website or the Liveness Demo on the Prooface website (e.g., by filling out forms or testing Sumsub’s identity verification procedures), Sumsub processes: (i) the data indicated below (as may be applicable); (ii) technical data, which includes, but is not limited to, information regarding the date, time and activity on the Website; IP address and domain name; software and hardware attributes; and general geographic location (e.g., city, country) derived from the Data Subject’s device.
Personal data of Users contacting Sumsub via the Livechat, the “Contact Us” or “Make a request” form on Sumsub.com or prooface.io
Personal data of Clients’ representatives that Sumsub may process:
Personal data of Sumsub’s job applicants
Personal data of prospective Clients’ representatives provided prior to or after the creation of a Personal Account:
Personal data of Visitors using Sumsub’s Demo Mobile App – depends on the service chosen by the Data Subject (liveness tool/liveness and identity document check tool):
Personal data of Visitors testing WebSDK Demo on Sumsub’s website – depends on the service chosen by the Data Subject (liveness tool/liveness and identity document check tool):
Personal data of Visitors testing Liveness Demo on Prooface’s website:
As the Data Processor, Sumsub may collect and further process the following personal data of Data Subjects depending on the particular Service being provided to the Controller:
7. Personal data retention period
The retention period depends entirely on the relevant data processing purpose:
Any Client’s request to delete all or any personal data related to a User is fulfilled within 30 days. This period is justified by the complexity of the systems and technologies Sumsub operates to process the data.
Users’ personal data may be retained for up to 90 days (from the Client’s request for data deletion) to comply with any applicable law, regulation, legal process, or governmental request and investigation; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of the Client’s or Sumsub’s terms of service, or threats to the security of the Services or the physical safety of any person. Sumsub will delete such personal data of the affected User when no longer legally obligated or reasonably required to retain it.
8. Processing of children’s personal data
When personal data are provided via Sumsub’s Demo Mobile App or WebSDK Demo on Sumsub’s website or Liveness Demo on Prooface’s website, Sumsub, as the Data Controller, only processes personal data of individuals who have reached the age of majority under the national laws of their country/countries of citizenship and/or residence. In case a child’s personal data is accidentally submitted to Sumsub, it will be deleted without undue delay.
Sumsub, as the Data Processor, may process personal data of children, understood as individuals under the age of majority under the national laws of the Controller’s country of incorporation, only when the Controller ensures that the person with parental responsibility for the child has consented to such processing. Otherwise, in case a child’s personal data is accidentally submitted to Sumsub, it will be deleted without undue delay.
9. Processing rules of personal data concerning health
As the Data Processor, Sumsub may process personal data concerning health, such as vaccination certificates data, test certificates (NAAT/RT-PCR test or a rapid antigen test) data, and data of certificates for persons who have recovered from COVID-19. Such processing may be necessary for the Controller’s compliance with the applicable laws and regulations and/or the Controller’s internal due diligence policies and procedures only when the Controller ensures that such processing is justified by the respective legal basis and the Data Subject is informed properly by the Controller.
10. Data Subjects’ rights
As the Data Controller, Sumsub respects and guarantees the following rights of each Data Subject:
To exercise any of the rights listed above, the Data Subject should send a free-form email to [email protected]. Information on the action taken on a request is provided to the Data Subject within one month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests; in that case, Sumsub will inform the Data Subject of the extension, together with the reasons for the delay, within one month of receipt of the request.
Requests are handled free of charge, except that a reasonable fee may be charged where requests are manifestly unfounded, excessive or repetitive in character.
As the Data Processor, Sumsub assists Controllers in the exercise of the Data Subject’s rights upon the respective Controller’s written instruction.
11. Withdrawing consent and objection to legitimate interest mechanism
Sumsub provides a mechanism for the withdrawal of consent (Article 7(3) of the EU GDPR and the UK GDPR) and for objection to processing based on legitimate interests (Article 21(1) of the EU GDPR and the UK GDPR).
To withdraw consent or object to processing based on legitimate interests, the Data Subject can send a free-form email to [email protected] or use the “Make a request” form in the Support section of the website. The Data Subject will then go through an authentication procedure to confirm that the request genuinely originates from them and is valid.
Where Sumsub acts as a Processor, Sumsub can only assist the Data Subject by transmitting the request to the Controller (for whom the Data Subject was verified). Sumsub cannot decide on such requests on its own, as it acts in accordance with the written instructions of the Controller, which exercises control over the personal data.
12. Responsibilities
A. Sumsub’s responsibilities
Sumsub is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: [email protected]
B. Sumsub’s Data Protection Officer’s responsibilities
Sumsub’s Data Protection Officer holds responsibility for:
C. Sumsub’s personnel responsibilities
Sumsub’s personnel who are involved in personal data processing comply with the requirements of this Privacy Notice. Personnel ensure that:
D. Third-Party Processors acting on behalf of Sumsub
Where third-party companies are engaged to process personal data on behalf of Sumsub, responsibility for the security and appropriate use of the data remains with Sumsub.
Prior to engaging a Third-Party Processor, Sumsub ensures that it provides sufficient guarantees as regards personal data security. In particular, a written contract establishing the types of personal data to be processed and the purposes of such processing, and containing provisions on personal data protection, is concluded between Sumsub and the Third-Party Processor.
13. Specific measures to ensure data protection
Sumsub takes specific measures to ensure personal data protection, including, but not limited to, the following:
[1] At present, all personal data is stored and processed on specially designated servers in Germany.
A. Physical security
Sumsub prevents unauthorised physical access to, damage to, or interference with Sumsub’s data processing facilities. In particular, Sumsub has established:
B. Software and network security
14. Personal data breaches
Where a personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or the CEO and, where applicable, to the data protection authority and the individuals affected by the breach. The report includes full and accurate details of the incident (including its causes and magnitude) and sets out the measures planned to address the breach.
15. The Third-Parties and Recipients of personal data processing
A. Sumsub may engage third parties for data processing activities; they fall into the following categories:
Sumsub requires the Third Parties to respect the security of personal data and to treat it in accordance with the applicable law. In addition, Third Parties are generally limited to accessing or using personal data only to provide services to Sumsub and must provide reasonable assurances that they will appropriately safeguard the data in line with Provision 12(D) of this Notice.
B. Sumsub may provide personal data to Recipients in the following categories:
16. Sumsub EU Representative
Sumsub EU representative is SUMSUB LTD - incorporated and registered in Cyprus with the company number HE 405087 whose registered office is located at Agiou Andreou, 153, 3036, Limassol.
17. Transfers of personal data to third countries or international organisations
Sumsub confirms that all personal data submitted by Data Subjects is stored on Sumsub’s servers located in the EU and/or, where national data localisation requirements apply, in the respective country. The Controller may choose the location of personal data processing (including storage) for the purposes of compliance with the applicable laws.
Where it is necessary for service provision or ensuring convenient and reliable communication with the Data Subjects, Sumsub transfers personal data outside of the EU/EEA or the UK to the Third-Parties and Recipients indicated in Provision 15 of this Notice.
Whenever personal data is transferred outside the EU or the EEA, Sumsub implements appropriate safeguards as set out in Chapter V of the EU GDPR, transferring on the basis of an EU Adequacy Decision (or UK Adequacy Regulations) and by concluding Standard Contractual Clauses with the Controller. Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules, Standard Contractual Clauses, etc. Cross-border personal data transfers from the UK to the EU/EEA countries are permitted by the UK Government.
18. Sale of personal data and CCPA reference
It should be underlined that Sumsub does not sell personal data and strictly complies with the restrictions and prohibitions under the CCPA, the EU GDPR and the UK GDPR.
For more information on CCPA application to Sumsub processing activities please refer to CCPA Privacy Notification.
19. Special notice to residents of the states of Illinois, Washington or Texas (USA):
Personal data processed by Sumsub may include certain “biometric identifiers” (such as scans of facial geometry or voiceprints) and “biometric information” (data extracted from and based on biometric identifiers), which are used to verify the identity of the given Data Subject.
Whenever such biometric identifiers and/or biometric information (collectively “biometric data”) are used as part of the services rendered by Sumsub to any Controller, such data shall be processed by Sumsub on behalf of such Controller and permanently deleted (i) when the Controller so directs, (ii) when Sumsub ceases to have the relevant legal relationship with the Controller, or (iii) when 3 (three) years have passed since the respective Data Subject’s last interaction with Sumsub, whichever is earlier, unless either the Controller or Sumsub is legally obliged to store the data for a longer period. In the latter case, Sumsub shall not perform any operations regarding such data other than its storage for the period required by the applicable law.
Whenever biometric data are used for the sole purpose of testing or demonstrating Sumsub’s facial recognition products and services to potential Clients and/or Visitors, such data shall be automatically and irretrievably deleted within 24 hours upon collection.
In any event, biometric data shall only be collected and further processed by Sumsub after having obtained written informed consent of the respective Data Subject to such collection and further processing. By confirming (e.g., selecting the appropriate checkbox) that they have read and accepted the terms of biometric data processing prior to the identity verification procedure, the Data Subject shall be deemed to have given such consent.
In case of any conflict or inconsistency between the other provisions of this Privacy Notice and the terms of this special notice, the latter shall prevail whenever the laws of the states of Illinois, Washington or Texas (USA) are applicable to the legal relationship between Sumsub and any Data Subject.