Launching AI-driven Fraud Detection
ComplyAdvantage’s Data Processing Terms
These Data Processing Terms will apply to any personal data processed by ComplyAdvantage in the course of providing the Service when acting as a processor of Clients.
In these terms:
“Applicable Law” means any law, statute, regulation, bylaw or subordinate legislation in force from time to time as applicable and binding on ComplyAdvantage;
“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Legislation from time to time;
“Data Processing Terms” mean these data processing terms applying between ComplyAdvantage and the Client;
“Data Protection Legislation” means the version of the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) transposed into UK law pursuant to the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419, the Data Protection Act 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws relating to the processing of personal data, privacy and security;
“Client” means the entity that has entered into an agreement with ComplyAdvantage for the provision of the Services;
“Client Personal Data” means any personal data relating to customers of the Client that is provided by the Client to ComplyAdvantage as part of the provision of the Services, including the personal data described in Annex 1 (Data Processing Information);
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed by ComplyAdvantage or any of its sub-processors;
“Service” means the anti-money laundering, Know Your Client (KYC), Know Your Business (KYB) and sanctions compliance services provided by ComplyAdvantage as more specifically set out in the order form executed between ComplyAdvantage and the Client;
“UK” means the United Kingdom; and
Terms such as “controller”, “data protection impact assessment”, “data subject”, “personal data”, “process/processing” and “processor” shall have the same meanings given to them in Data Protection Legislation.
2. Instructions and details of processing.
(a) ComplyAdvantage shall only process the types of personal data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to these Data Processing Terms. The Client shall not send to ComplyAdvantage any personal data which is not reasonably necessary for ComplyAdvantage to provide the Services.
(b) ComplyAdvantage shall process Client Personal Data in compliance with:
- (i) the obligations of processors under the Data Protection Legislation in respect of the performance of the Service; and
- (ii) these Data Processing Terms.
(c) The Client shall comply, and, as applicable, shall procure that any controller for which it acts complies, with:
- (i) all Data Protection Legislation in connection with the processing of personal data related to the Service, including maintaining all relevant regulatory registrations, providing notifications and obtaining consents as required under Data Protection Legislation; and
- (ii) these Data Processing Terms.
(d) The Client warrants and represents that all personal data provided to ComplyAdvantage pursuant to these Data Processing Terms shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Client ensuring that any required fair processing information and all necessary consents have been given to and received from the data subjects), with Data Protection Legislation. Nothing in this clause 2 shall require ComplyAdvantage to check or monitor the accuracy, contents or Client’s use of any personal data and, accordingly, ComplyAdvantage has no liability or responsibility whatsoever howsoever arising directly or indirectly to the Client for the accuracy, contents or Client’s use of such personal data.
(e) ComplyAdvantage shall, at the Client’s request, provide reasonable assistance to the Client with any data protection impact assessments which are required under applicable Data Protection Legislation and with any prior consultations which are required under Data Protection Legislation, in each case in relation to processing of Client Personal Data by ComplyAdvantage on behalf of the Client and taking into account the nature of the processing and information available to ComplyAdvantage.
(f) Insofar as ComplyAdvantage processes Client Personal Data of the Client, ComplyAdvantage shall:
- (i) unless required to do otherwise by Data Protection Legislation, (and shall take steps to ensure each person acting under its authority shall) process the Client Personal Data only on and in accordance with these Data Processing Terms or as otherwise submitted in writing to ComplyAdvantage by the Client from time to time (the “Processing Instructions”);
- (ii) inform the Client if ComplyAdvantage becomes aware of a Processing Instruction that, in the ComplyAdvantage’s opinion, infringes the GDPR or any other Data Protection Legislation, provided that this shall be without prejudice to clause 2(c) and to the maximum extent permitted by Applicable Law, ComplyAdvantage shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Client’s Processing Instructions following the Client’s receipt of that information.
(g) The Client shall update the Processing Instructions accordingly prior to using the Service to process any personal data relating to a category of data subjects or type of personal data not specified in Annex 1 (Data Processing Information).
3. Technical and organisational measures.
(a) ComplyAdvantage shall implement the technical and organisational measures set out in Annex 2 (Technical and Organisational Measures) to ensure a level of security of the Client Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Client Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
(b) The Client acknowledges that the Services may be provided by ComplyAdvantage on a multi-tenanted environment at ComplyAdvantage’s sole discretion.
4. Using staff and other processors.
(a) The Client grants to ComplyAdvantage specific authorisation to appoint the sub-processors listed at https://complyadvantage.com/sub-processors-list/ as sub-processors in connection with ComplyAdvantage’s performance of the Services.
(b) The Client grants to ComplyAdvantage general authorisation to appoint additional or replacement sub-processors to process Client Personal Data on its behalf (for ComplyAdvantage’s performance of the Services), provided that ComplyAdvantage provides reasonable prior written notice of its intention to appoint each sub-processor, and the Client may object to any such appointment within two weeks of the date of such notice.
(c) Where the Client objects to the proposed appointment of a sub-processor, ComplyAdvantage shall consider the merits of the Client’s objection and take such measures as ComplyAdvantage reasonably deems appropriate in the circumstances.
(d) ComplyAdvantage shall:
- (i) prior to the relevant sub-processor carrying out any processing activities in respect of the Client Personal Data, appoint each sub-processor under a written contract enforceable by ComplyAdvantage containing materially the same obligations as under these Data Processing Terms;
- (ii) ensure each such sub-processor complies with all such obligations; and
- (iii) remain fully liable for all the acts and omissions of each sub-processor as if they were its own.
(e) ComplyAdvantage shall treat all Client Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or sub-processors engaged in processing the Client Personal Data of the confidential nature of such personal data.
(f) ComplyAdvantage shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or sub-processor who may have access to the Client Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant personal data, as necessary for the purposes set out in Annex 1 (Data Processing Information) in the context of that person’s or party’s duties to ComplyAdvantage.
(g) ComplyAdvantage shall ensure that all persons authorised by it (or by any sub-processor) to process Client Personal Data are subject to a binding written contractual obligation to keep the Client Personal Data confidential (except where disclosure is required in accordance with any Applicable Law, in which case ComplyAdvantage shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).
5. Assistance with the Client’s compliance and data subject rights.
(a) ComplyAdvantage shall without undue delay notify the Client if it receives a request from any governmental or regulatory body or law enforcement agency related to disclosure of the Client Personal Data unless prohibited by law or a legally binding order of such body or agency.
(b) ComplyAdvantage shall without undue delay, and in any case within seventy-two (72) hours, notify the Client if it receives a request from a data subject under any Data Protection Legislation in respect of Client Personal Data, including requests by a data subject to exercise their rights under Data Protection Legislation, and shall provide full details of that request.
(c) ComplyAdvantage shall, insofar as technically possible, provide such assistance as reasonably requested by the Client to enable the Client to comply with any exercise of rights by a data subject under any Data Protection Legislation in respect of the Client Personal Data.
6. International data transfers.
(a) The Client agrees that performance of the Services by ComplyAdvantage will result in the transfer of the Client Personal Data to a country not recognised by Data Protection Legislation, including governmental decisions, as ensuring an adequate level of protection for personal data (including to any country requested by the Client). All transfers by ComplyAdvantage of the Client Personal Data shall (to the extent required under Data Protection Legislation) be effected by way of Appropriate Safeguards and in accordance with Data Protection Legislation. The provisions of these Data Processing Terms shall constitute Processing Instructions with respect to transfers in accordance with clause 2.
(b) The Client shall ensure that it has a lawful basis to permit any data transfers outside of the UK or EEA made at its request pursuant to clause 6(a), and shall indemnify and hold harmless ComplyAdvantage against all damages, losses, liabilities, judgments, penalties, fines, settlement amounts, fees, costs and expenses arising out of such Processing Instructions relating to such a transfer.
7. Records, information and audit.
(a) ComplyAdvantage shall maintain, in accordance with applicable provisions of the Data Protection Legislation, written records of its processing activities carried out on behalf of the Client.
(b) ComplyAdvantage shall, in accordance with Data Protection Legislation, make available to the Client such information as is reasonably necessary to demonstrate ComplyAdvantage’s compliance with the obligations of data processors under Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated thereby for this purpose, subject to the Client:
- (i) giving ComplyAdvantage reasonable prior notice of such information request, audit and/or inspection being required;
- (ii) ensuring that all information obtained or generated in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
- (iii) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to ComplyAdvantage’s business, the sub-processors’ business and the business of other customers of ComplyAdvantage; and
- (iv) paying ComplyAdvantage’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
8. Breach notification.
(a) In respect of any Personal Data Breach, ComplyAdvantage shall:
- (i) notify the Client of the Personal Data Breach without undue delay;
- (ii) provide the Client with such details of the Personal Data Breach, as required by it to meet its obligations to report a Personal Data Breach under Data Protection Legislation; and
- (iii) shall co-operate with the Client and take such reasonable steps as are directed by the Client to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
9. Deletion or return of Client Personal Data and copies.
(a) ComplyAdvantage shall, at the Client’s ’s written request, either delete or return all the Client Personal Data of which it is the processor under these Data Processing Terms to the Client in such form as the Client reasonably requests within a reasonable time before the termination of these Data Processing Terms save where ComplyAdvantage is required to continue processing the Client Personal Data by Applicable Law.
(b) These Data Processing Terms shall terminate upon the termination of the agreement for the provision of the Services between ComplyAdvantage and the Client.
Annex 1: Data Processing Information
|Data Protection Officer’s details||[email protected]|
|Subject matter||Personal data is processed for the purpose of providing anti-money laundering, KYC, KYB and sanctions compliance services.|
|Duration of Processing Activities||For the duration of ComplyAdvantage’s provision of the Services unless the Client requests in writing for the data to be deleted sooner.|
|Nature and Purpose of the Processing Activities||Nature of data processing: providing and using anti-money laundering, KYC, KYB and sanctions compliance/case management tool.
Processing activities: access; collection; recording; retrieval; use; modification; hosting; storage; making available; monitoring (service delivery); deletion; destruction.
|Types of Personal Data||The types of personal data to be processed by ComplyAdvantage under these data processing terms as processor are:
Name, date of birth, customer reference number, case management and disposition actions taken, client KYC, risk level and compliance, information tags used by the Client.
ComplyAdvantage may also process as part of the Services information relating to data subjects:
Additional types of personal data to be processed for Clients using Transaction Monitoring and/ or Transaction Screening Services:
Payment message information including bank account numbers, transaction value and currency, expected customer behaviour profile/ grouping, transaction dates and times, system alerts related to data subject, address and country of residence, nationality.
|Categories of Data Subject||Those persons required to undergo customer due diligence as part of the Client’s sanctions and anti-money laundering procedures.|
|Data Transfer Method||HTTPS/TLS-encrypted API and web interface
|Hosting Region for Company Data||Depending on the Client’s selection of one of the following AWS data centres:
Annex 2: Technical and Organisational Measures
Ongoing confidentiality, integrity, availability, and resilience of processing systems
|System architecture||We maintain a highly available system configuration on Amazon Web Services, ensuring low levels of downtime and minimising the risk of data loss.|
|Encryption||Data is encrypted in transit using HTTPS for web & API requests, and AES-256 at rest.|
|Update testing||New deployments to production systems are subject to code review, manual and automated testing, and a product team review before being rolled out.|
|Vulnerability testing||We conduct regular vulnerability scans of our production systems and system architecture.|
|System security||A web application firewall and intrusion detection system are in place. Deployment on AWS means we consistently have access to best-in-class security systems.|
|Access control||We maintain records of security privileges of individuals with access to client data and adopt a policy of least privilege. Security privileges are reviewed periodically and as part of starter/mover/leaver checks.|
|User authentication||Access is via email address and password, and we can restrict access to specified IP ranges upon request to add an additional layer of authentication.|
Restoring availability and access to personal data in a timely manner in the event of a physical or technical incident
|Disaster recovery||Client data is backed up daily and distributed across redundant hosting providers, providing additional
resilience and a recent recovery point in the unlikely event of system failure.
Regular testing, assessing, and evaluating of these measures’ effectiveness
|Information security management||Responsibility for information security is shared between the technical and operational teams, the leadership
of which regularly reviews and improves existing practice, with internal audits, penetration testing, and ISO
27001 certification (BSI certificate IS 692029 effective 18 September 2018 and expiring 17 September 2024).