
ComplyAdvantage’s Data Processing Terms

These Data Processing Terms will apply to any personal data processed by ComplyAdvantage in the course of providing its Services whether acting as a processor of Clients or a processor of Resellers.

1. Interpretation.

(a) In these terms:

“Applicable Law” means any law, statute, regulation, bylaw or subordinate legislation in force from time to time as applicable and binding on ComplyAdvantage;

“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Legislation from time to time;

“Data Processing Terms” means these data processing terms applying between ComplyAdvantage and a Company;

“Data Protection Legislation” means the version of the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) transposed into UK law pursuant to the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419, the Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws relating to the processing of Personal Data, privacy and security;

“Company” means a Client or, as the case may be, a Reseller;

“Client” means a person that has entered into an agreement with ComplyAdvantage for the provision of the Services;

“Company Personal Data” means any personal data relating to clients of a Company that is provided by the Company to ComplyAdvantage as part of the provision of the Services, including the personal data described in Annex 1 (Data Processing Information);

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed by ComplyAdvantage or any of its sub-processors;

“Reseller” means a person that has an agreement with ComplyAdvantage to resell the Service;

“Service” means the anti-money laundering, Know Your Client (KYC), Know Your Business (KYB) and sanctions compliance services provided by ComplyAdvantage as more specifically set out in the order form executed between ComplyAdvantage and a Company;

“UK” means the United Kingdom; and

Terms such as “controller”, “data protection impact assessment”, “data subject”, “personal data”, “process/processing” and “processor” shall have the same meanings given to them in Data Protection Legislation.

2. Instructions and details of processing.

(a) ComplyAdvantage shall only process the types of personal data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to these Data Processing Terms.

(b) ComplyAdvantage shall process Company Personal Data in compliance with:

(i) the obligations of processors under the Data Protection Legislation in respect of the performance of the Service; and

(ii) these Data Processing Terms.

(c) The Company shall comply, and, as applicable, shall procure that any controller for which it acts complies, with:

(i) all Data Protection Legislation in connection with the processing of personal data related to the Service, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation; and

(ii) these Data Processing Terms.

(d) ComplyAdvantage shall, at a Company’s request, provide reasonable assistance to Company with any data protection impact assessments which are required under applicable Data Protection Legislation and with any prior consultations which are required under Data Protection Legislation, in each case in relation to processing of Company Personal Data by ComplyAdvantage on behalf of a Company and taking into account the nature of the processing and information available to ComplyAdvantage.

(e) Insofar as ComplyAdvantage processes Company Personal Data of a Company, ComplyAdvantage shall:

(i) unless required to do otherwise by Data Protection Legislation, (and shall take steps to ensure each person acting under its authority shall) process the Company Personal Data only on and in accordance with these Data Processing Terms or as otherwise submitted in writing to ComplyAdvantage by a Company from time to time (the “Processing Instructions”);

(ii) inform a Company if ComplyAdvantage becomes aware of a Processing Instruction that, in ComplyAdvantage’s opinion, infringes any Data Protection Legislation, provided that this shall be without prejudice to clause 2(c) and, to the maximum extent permitted by Applicable Law, ComplyAdvantage shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with a Company’s Processing Instructions following a Company’s receipt of that information.

(f) A Company shall update the Processing Instructions accordingly prior to using the Service to process any personal data relating to a category of data subjects or type of personal data not specified in Annex 1 (Data Processing Information).

3. Technical and organisational measures.

(a) ComplyAdvantage shall implement the technical and organisational measures set out in Appendix 2 (Technical and Organisational Measures) to ensure a level of security of the Company Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Company Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.

4. Using staff and other processors.

(a) Company grants to ComplyAdvantage specific authorisation to appoint the sub-processors listed at https://complyadvantage.com/sub-processors-list/ as sub-processors in connection with ComplyAdvantage’s performance of the Services.

(b) Company grants to ComplyAdvantage general authorisation to appoint additional or replacement sub-processors to process Company Personal Data on its behalf (for ComplyAdvantage’s performance of the Services), provided that ComplyAdvantage provides reasonable prior written notice of its intention to appoint each sub-processor, and a Company may object to any such appointment within two weeks of the date of such notice.

(c) Where a Company objects to the proposed appointment of a sub-processor, ComplyAdvantage shall consider the merits of Company’s objection and take such measures as ComplyAdvantage reasonably deems appropriate in the circumstances.

(d) ComplyAdvantage shall:

(i) prior to the relevant sub-processor carrying out any processing activities in respect of the Company Personal Data, appoint each sub-processor under a written contract enforceable by ComplyAdvantage containing materially the same obligations as under these Data Processing Terms;

(ii) ensure each such sub-processor complies with all such obligations; and

(iii) remain fully liable for all the acts and omissions of each sub-processor as if they were its own.

(e) ComplyAdvantage shall treat all Company Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or sub-processors engaged in processing the Company Personal Data of the confidential nature of such Personal Data.

(f) ComplyAdvantage shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or sub-processor who may have access to the Company Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in Annex 1 (Data Processing Information) in the context of that person’s or party’s duties to ComplyAdvantage.

(g) ComplyAdvantage shall ensure that all persons authorised by it (or by any sub-processor) to process Company Personal Data are subject to a binding written contractual obligation to keep the Company Personal Data confidential (except where disclosure is required in accordance with any Applicable Law, in which case ComplyAdvantage shall, where practicable and not prohibited by Applicable Law, notify a Company of any such requirement before such disclosure).

5. Assistance with a Company’s compliance and data subject rights.

(a) ComplyAdvantage shall without undue delay notify a Company if it receives a request from any governmental or regulatory body or law enforcement agency related to disclosure of the Company Personal Data unless prohibited by law or a legally binding order of such body or agency.

(b) ComplyAdvantage shall without undue delay, and in any case within forty-eight (48) hours, notify a Company if it receives a request from a data subject under any Data Protection Legislation in respect of Company Personal Data, including requests by a data subject to exercise their rights under Data Protection Legislation, and shall provide full details of that request.

(c) ComplyAdvantage shall, insofar as technically possible, provide such assistance as reasonably requested by Company to enable Company to comply with any exercise of rights by a data subject under any Data Protection Legislation in respect of the Company Personal Data.

6. International data transfers.

(a) A Company agrees that performance of the Services by ComplyAdvantage will result in the transfer of Company Personal Data to a country not recognised by Data Protection Legislation, including governmental decisions, as ensuring an adequate level of protection for personal data (including to any country requested by a Company). All transfers by ComplyAdvantage of Company Personal Data shall (to the extent required under Data Protection Legislation) be effected by way of Appropriate Safeguards and in accordance with Data Protection Legislation. The provisions of these Data Processing Terms shall constitute Company’s instructions with respect to transfers in accordance with clause 2.

(b) Company shall ensure that it has either a lawful basis or suitable instructions from any applicable controller(s) to permit any data transfers outside of the UK or EEA made at its request pursuant to clause 6(a), and shall indemnify and hold harmless ComplyAdvantage against all damages, losses, liabilities, judgments, penalties, fines, settlement amounts, fees, costs and expenses arising out of or attributable to a failure by a Company to obtain suitable instructions relating to such a transfer.

7. Records, information and audit.

(a) ComplyAdvantage shall maintain, in accordance with applicable provisions of the Data Protection Legislation, written records of its processing activities carried out on behalf of a Company.

(b) ComplyAdvantage shall, in accordance with Data Protection Legislation, make available to a Company such information as is reasonably necessary to demonstrate ComplyAdvantage’s compliance with the obligations of data processors under Data Protection Legislation, and allow for and contribute to audits, including inspections, by a Company (or another auditor mandated thereby for this purpose), subject to a Company:

(i) giving ComplyAdvantage reasonable prior notice of such information request, audit and/or inspection being required;

(ii) ensuring that all information obtained or generated in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

(iii) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to ComplyAdvantage’s business, the sub-processors’ business and the business of other customers of ComplyAdvantage; and

(iv) paying ComplyAdvantage’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

(c) ComplyAdvantage shall immediately inform a Company if, in its opinion, an instruction pursuant to these Data Processing Terms infringes the GDPR or other Data Protection Legislation.

8. Breach notification.

(a) In respect of any Personal Data Breach, ComplyAdvantage shall:

(i) notify a Company of the Personal Data Breach without undue delay, but in any case, within seventy-two (72) hours of becoming aware of it;

(ii) provide a Company with such details of the Personal Data Breach, as required by it to meet its obligations to report a Personal Data Breach under Data Protection Legislation; and

(iii) co-operate with a Company and take such reasonable steps as are directed by a Company to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

9. Deletion or return of Protected Data and copies.

(a) ComplyAdvantage shall, at a Company’s written request, either delete or return all the Company Personal Data of which it is the Processor under these Data Processing Terms to a Company in such form as a Company reasonably requests within a reasonable time.

(b) Subject to clause 9(a), ComplyAdvantage shall retain Company Personal Data for a period of five years from the date of termination of a Company’s agreement with ComplyAdvantage, after which it shall be deleted save as required by Applicable Law.

Annex 1: Information on processing activities

Data Protection Officer’s details: [email protected]

Subject matter: Personal data is processed for the purpose of providing anti-money laundering, KYC, KYB and sanctions compliance services.

Duration of Processing Activities: For the duration of ComplyAdvantage’s provision of the Services and thereafter in accordance with the Terms of Services unless the Company requests in writing for the data to be deleted sooner.

Nature and Purpose of the Processing Activities: Nature of data processing: providing and using anti-money laundering, KYC, KYB and sanctions compliance/case management tool.

Processing activities: access; collection; recording; retrieval; use; modification; hosting; storage; making available; monitoring (service delivery); deletion; destruction.

Types of Personal Data: The types of personal data to be processed by ComplyAdvantage under these data processing terms as Processor are:

Name, date of birth, customer reference number, case management and disposition actions taken, client KYC, risk level and compliance, information tags used by the Client.

ComplyAdvantage may also process as part of the Services information relating to data subjects:

  • criminal convictions and offences where a profile returned for a search contains adverse media or published government warning lists relating to such convictions or offences. ComplyAdvantage uses the exemptions under Schedule 1, paragraphs 10-12 of the Data Protection Act 2018 as the legal basis for processing this category of personal data; and
  • political opinions as revealed by the position held by a politically exposed person (PEP), where such opinions are made manifestly public by the nature of the position held (Art. 9(2)(e)).

Additional types of personal data to be processed for Clients using Transaction Monitoring and/ or Transaction Screening Services:

Payment message information including bank account numbers, transaction value and currency, expected customer behaviour profile/ grouping, transaction dates and times, system alerts related to data subject, address and country of residence, nationality.

Categories of Data Subject: Those persons required to undergo customer due diligence as part of the Controller’s sanctions and anti-money laundering procedures.

Data Transfer Method: HTTPS/TLS-encrypted API and web interface; SFTP.

Hosting Region for Company Data: Depending on the Company’s selection of one of the following AWS data centres:

  • EU West 1, Ireland
  • US East 1, North Virginia
  • Asia Pacific Southeast 1, Singapore
  • Asia Pacific Southeast 2, Sydney

Annex 2: Technical and Organisational Measures

Ongoing confidentiality, integrity, availability, and resilience of processing systems

System architecture: We maintain a highly available system configuration on Amazon Web Services, ensuring low levels of downtime and minimising the risk of data loss.

Encryption: Data is encrypted in transit using HTTPS for web & API requests, and AES-256 at rest.

Update testing: New deployments to production systems are subject to code review, manual and automated testing, and a product team review before being rolled out.

Vulnerability testing: We conduct regular vulnerability scans of our production systems and system architecture.

System security: A web application firewall and intrusion detection system are in place. Deployment on AWS means we consistently have access to best-in-class security systems.

Access control: We maintain records of security privileges of individuals with access to client data and adopt a policy of least privilege. Security privileges are reviewed periodically and as part of starter/mover/leaver checks.

User authentication: Access is via email address and password, and we can restrict access to specified IP ranges upon request to add an additional layer of authentication.

Restoring availability and access to personal data in a timely manner in the event of a physical or technical incident

Disaster recovery: Client data is backed up daily and distributed across redundant hosting providers, providing additional resilience and a recent recovery point in the unlikely event of system failure.

Regular testing, assessing, and evaluating of these measures’ effectiveness

Information security management: Responsibility for information security is shared between the technical and operational teams, the leadership of which regularly reviews and improves existing practice, with internal audits, penetration testing, and ISO 27001 certification (BSI certificate IS 692029 effective 18 September 2018 and expiring 17 September 2024).


Last updated on:
January 11, 2023