DPA (US SPL)

US State Privacy Laws Data Processing Addendum

This is an addendum to the Customer Terms of Service or other electronic or mutually executed written agreement between FingerprintJS Inc. (“FingerprintJS”) and Customer (each a “Party”; collectively the “Parties”) that references it (“Agreement”). This Addendum shall only apply and bind the Parties if and to the extent the US State Privacy Laws apply to the Processing of Customer Personal Information (each as defined below). All capitalized terms not defined in this Addendum shall have the meanings set forth in the Agreement. This Addendum prevails over any conflicting terms of the Agreement, but does not otherwise modify the Agreement. Customer enters into this Addendum on behalf of itself and, to the extent required under the US Data Protection Laws, in the name and on behalf of its Authorized Affiliates (defined below).

The Parties agree as follows:

1. DEFINITIONS

• “Additional Services” means additional model-driven fraud prediction and detection services, as agreed between the Customer and FingerprintJS.
• “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
• “Authorized Affiliate” means any of Customers’ Affiliate(s) permitted to or otherwise receiving the benefit of the Service and Additional Services pursuant to the Agreement.
• "Controller" has the meaning, or equivalent meaning given to such term, or equivalent terms, under the US Data Protection Laws including a "Business" under the CCPA.
• “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.
• “Control” or “Controlled” means the possession, directly or indirectly, of the power to direct or cause the direction of management and policies of an entity, whether through the ability to exercise voting power, by contract or otherwise.
• “Customer” shall have the meaning ascribed to it in the Agreement.
• “Customer Personal Information” means any Personal Information that FingerprintJS and/or its Affiliates Processes in the course of providing the Service and Additional Services to Customer under the Agreement as set out in Schedule 1.
• "Data Subject" means an individual to whom Personal Information relates.
• "Deidentified Data" means data created using Customer Personal Information that cannot reasonably be linked to such Customer Personal Information, directly or indirectly.
• “Personal Information” means “personal information”, “personal data”, “personally identifiable information” or similarly defined data or information under US Data Protection Laws.
• "Processing" means any operation or set of operations (including storage) that is performed on Personal Information or on sets of Personal Information, whether or not by automated means. "Process", "Processes" and "Processed" will be interpreted accordingly.
• “Processor” has the meaning, or equivalent meaning given to such term, or equivalent terms, under the US Data Protection Laws including "Service Provider" under the CCPA.
• "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information.
• "Sub-processor" means a Processor instructed to Process Personal Information on behalf of another Processor.
• "US Data Protection Laws" means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Information, privacy and/or data protection in force from time to time in the United States, including (without limitation) the CCPA.

2. SCOPE AND APPLICABILITY OF THIS ADDENDUM

2.1 This DPA applies where and only to the extent that FingerprintJS Processes Customer Personal Information in the course of providing the Service and Additional Services and such Processing of Customer Personal Information is subject to US Data Protection Laws. The Parties agree to comply with the terms and conditions in this DPA in connection with the Processing of such Customer Personal Information.

2.2 Customer is a Controller and appoints FingerprintJS as a Processor to Process the Personal Information on behalf of Customer.

3. INSTRUCTIONS FOR INFORMATION PROCESSING

3.1 FingerprintJS will only Process Customer Personal Information on behalf of and under the instructions of Customer and in accordance with US Data Protection Laws. The Agreement and this DPA shall constitute the instructions to FingerprintJS for the Processing of Customer Personal Information by FingerprintJS. The Customer may issue further written instructions in accordance with this DPA.

3.2 The details of the Processing of Customer Personal Information under the Agreement and this DPA, including the type of data subject, nature and purpose and duration of Processing are described in the Agreement and in Schedule 1.

3.3 FingerprintJS is prohibited from:

• (a) selling Customer Personal Information or otherwise making Customer Personal Information available to any third party for monetary or other valuable consideration;
• (b) sharing Customer Personal Information with any third party for cross-context behavioral advertising;
• (c) retaining, using, or disclosing Customer Personal Information for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by US Data Protection Laws;
• (d) retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between the Parties, unless permitted by US Data Protection Laws; and
• (e) except as otherwise permitted by US Data Protection Laws, combining Customer Personal Information with Personal Information that FingerprintJS receives from or on behalf of another person or persons, or collects from FingerprintJS’ own interaction with the applicable Data Subject.

3.4 Without limiting the foregoing, FingerprintJS may retain, use or disclose Personal Information:

• (a) for internal use by FingerprintJS to build or improve the quality of its Service and Additional Services, even if this business purpose is not specified in the Agreement;
• (b) to prevent, detect, or investigate detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this business purpose is not specified in the Agreement; or
• (c) for the purposes set out in US Data Protection Laws, including in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

4. COMPLIANCE AND NOTICE

4.1 Each Party agrees to comply with applicable obligations under US Data Protection Laws, and shall provide the same level of privacy protection to Personal Information as required by US Data Protection Laws.

4.2 Customer represents and warrants that:

• (a) it has provided notice to Data Subjects, as required under US Data Protection Laws for a Controller, that the Personal Information is being used or shared as set forth in the Agreement; and
• (b) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the security measures set out in Schedule 2 are:
  • (i) appropriate to ensure the security of the Customer Personal Information, including protection against a Security Incident; and
  • (ii) otherwise consistent with the Customer's obligations US Data Protection Laws.

5. SUB-PROCESSORS

5.1 FingerprintJS shall: (i) enter into a written agreement with any Sub-processor Processing Customer Personal Information imposing the same data protection obligations on the Sub-processor as set out in this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause FingerprintJS to breach any of its obligations under this DPA.

5.2 FingerprintJS shall provide Customer with fourteen (14) calendar days' notice (for which email shall suffice) of the appointment of any Sub-processors, including any information reasonably necessary to enable the Customer to assess the Sub-processor and exercise its right to object.

5.3 If the Customer objects to FingerprintJS' use of a new Sub-processor it shall: (i) notify FingerprintJS of its objection promptly in writing within five (5) calendar days of receipt of FingerprintJS' notice in accordance with Section 5.2; and (ii) provide documentary evidence that reasonably shows that the Sub-processor does not or cannot comply with the requirements in this DPA. In such an event, the Parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either Party may terminate the applicable Service and Additional Services that cannot be provided by FingerprintJS without the use of the objected-to new Sub-processor by giving to the other Party thirty (30) calendar days' written notice. During such notice period, FingerprintJS may suspend the affected portion of the Service and Additional Services.

6. SECURITY AND AUDITS

6.1 FingerprintJS shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Information from Security Incidents and preserve the security and confidentiality of the Customer Personal Information, in accordance with FingerprintJS' security standards described in Schedule 2 (the “Security Measures”).

6.2 Customer acknowledges that the Security Measures are subject to technical progress and development and that FingerprintJS may, by written notice to the Customer, update or modify the Security Measures from time to time following any review by FingerprintJS of the Security Measures, provided that such updates and modifications do not result in the degradation of the overall level of protection afforded to the Customer Personal Information by FingerprintJS under this DPA.

6.3 FingerprintJS will notify Customer in writing without undue delay after becoming aware of any Security Incident, and reasonably cooperate with regards to any obligation of Customer under US Data Protection Laws to make any notifications in respect of a Security Incident, such as to individuals, supervisory authorities or other regulatory authorities.

6.4 FingerprintJS' notification of, or response to, a Security Incident under this Section 6 will not be construed as an acknowledgement by FingerprintJS of any fault or liability with respect to the Security Incident.

6.5 FingerprintJS shall ensure that any person who is authorized by FingerprintJS to Process Customer Personal Information (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

6.6 Customer shall have the right to take reasonable and appropriate steps to help ensure that FingerprintJS uses the Customer Personal Information collected pursuant to the Agreement in a manner consistent with its obligations under US Data Protection Laws. Customer may, upon notice to FingerprintJS, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

6.7 FingerprintJS shall allow, cooperate with and contribute to, reasonable assessments, audits or inspections by Customer (or its designated assessor or auditor, or an independent assessor) of FingerprintJS' policies and technical and organizational security measures with respect to Customer Personal Information.

6.8 With respect to any assessments, audits or inspections conducted under Section 6.7, the Parties agree that:

• (a) all such assessments, audits or inspections shall be conducted:
  • (i) only once per year, or more frequently if any audit indicates that FingerprintJS is in non-compliance with this DPA;
  • (ii) on reasonable written notice to FingerprintJS;
  • (iii) only during FingerprintJS' normal business hours;
  • (iv) in a manner that does not disrupt FingerprintJS' business; and
  • (v) by reference to an appropriate and accepted control standard or framework; and
• (b) the Customer (or, where applicable, a third-party independent auditor appointed by the Customer) shall:
  • (i) enter into a confidentiality agreement with FingerprintJS prior to conducting the audit in such form as FingerprintJS may request; and
  • (ii) ensure that its personnel comply with FingerprintJS' and any Sub-processor's policies and procedures when attending FingerprintJS' or Sub-processor's premises, as notified to the Customer by FingerprintJS or Sub-processor. 6.9 FingerprintJS shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm FingerprintJS' compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
• 6.10 FingerprintJS shall notify Customer if it makes a determination that it can no longer meet its obligations under US Data Protection Laws.

7. DATA SUBJECT REQUESTS

7.1 If FingerprintJS receives a request made pursuant to US Data Protection Laws directly from a Data Subject with respect to Personal Information, then FingerprintJS shall either act on behalf of Customer or in accordance with Customer’s instructions in responding to the request or inform the Data Subject that the request cannot be acted upon because the request has been sent to a Processor. FingerprintJS is not required to comply with a request submitted by the Data Subject directly to FingerprintJS to the extent FingerprintJS has collected, used, Processed or retained the Personal Information in its role as a Processor to the Controller.

7.2 FingerprintJS shall provide reasonable assistance to Customer in facilitating compliance with verifiable Data Subject rights requests, including but not limited to providing the Controller the Data Subject’s Personal Information in FingerprintJS’ possession, which FingerprintJS obtained as a result of providing the Service to Customer, and by correcting inaccurate information, or by enabling Customer to do the same. In the event FingerprintJS has collected Personal Information pursuant to a written contract with Customer, FingerprintJS shall assist Customer through appropriate technical and organizational measures complying with requirements under US Data Protection Laws, including the requirements of subdivisions (d) through (f) of Cal. Civ. Code 1798.100, taking into account the nature of the Processing.

8. DEIDENTIFIED DATA

8.1 If FingerprintJS receives Deidentified Data from or on behalf of Customer, or creates Deidentified Data, FingerprintJS shall:

• (a) take reasonable measures to ensure the information cannot be associated with a Data Subject;
• (b) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
• (c) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Data Protection Laws.

9. RETURN AND DELETION

9.1 Upon deactivation of the Service and Additional Services, FingerprintJS shall, subject to Section 9.2: (i) if requested to do so by the Customer within seven (7) days of the date of termination of the Agreement or deactivation of the Service and Additional Services, return a complete copy of all Customer Personal Information by secure file transfer in such a format as notified by the Customer to FingerprintJS; and (ii) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Information Processed by FingerprintJS or any Sub-processors.

9.2 FingerprintJS may retain Customer Personal Information:

• (a) to the extent required by applicable laws, and only for such period and such purposes as required by applicable laws; or
• (b) to the extent that the Customer Personal Information has been archived on back-up systems, provided that FingerprintJS shall securely isolate and protect such Customer Personal Information from any further Processing, except to the extent required by applicable law, and purge such Customer Personal Information from the applicable back-up systems in accordance with its normal back-up cycle.

9.3 FingerprintJS shall, with respect to any Customer Personal Information retained in accordance with Section 9.2 ensure the confidentiality of all such Customer Personal Information.

10. COSTS

10.1 The Customer shall pay to FingerprintJS on demand all costs and expenses incurred by FingerprintJS in connection with:

• (a) implementing any changes to the Service and Additional Services under Section 5.3;
• (b) facilitating and contributing to any audits of FingerprintJS under Section 6;
• (c) facilitating and contributing to any audits of FingerprintJS conducted by a supervisory authority; and
• (d) any assistance provided by FingerprintJS to the Customer with its fulfilment of its obligations to respond to Data Subjects' requests under Section 7.

11. MISCELLANEOUS

11.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of any conflict between the Agreement and this DPA, this DPA shall take precedence.

11.2 This DPA is a part of and incorporated into the Agreement so references to "Agreement" in the Agreement shall include this DPA.

11.3 In no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.  

SCHEDULE 1

DETAILS OF PROCESSING

Data Subjects

The personal data transferred concern the following categories of data subjects:

• The Customer’s end users who visit the Customer’s sites and services (“End Users”).
• The Customer's employees and contractors that the Customer authorizes to access and use the Service (“Authorized Users”).

Nature and Purpose(s) of the Data Processing

The purpose of the data transfer and further Processing is the provision and maintenance of FingerprintJS' Service and Additional Services, including internal record-keeping, billing, product development and sales and marketing.

Duration

The Personal Information will be retained for the duration of the Agreement, subject to Section 9 of the DPA.

Categories of Data

The personal data transferred concern the following categories of data:

End Users:

• Personal data contained within Visitor Data, including information relating to an End User's device, operating system, browser, browser configuration, IP address, and approximate location, and IDs associated with successful detections of fraud on the Customer’s sites and services.

Authorized Users:

• contact information, including name, address, phone number, email address, login details, employing / engaging organization;
• account information, including login information;
• payment and transaction information;
• support request information;
• contact preferences, including preference set for notifications, marketing communications;
• comments and opinions; and
• technical information regarding access to the Service (including IP address, approximate location, pages viewed and log data, display and active functionalities).

Sensitive data

None.  

SCHEDULE 2

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

1. Introduction

FingerprintJS employs a combination of policies, procedures, guidelines and technical controls to protect the personal data it Processes from accidental loss and unauthorized access, disclosure or destruction.

2. Governance and Policies

FingerprintJS has organized leadership and defined policies related to information security to ensure alignment with business objectives to adequately serve clients. These policies are reviewed and approved annually by management and updates are communicated to employees and relevant external parties.

Roles and responsibilities for teams and team members are defined within FingerprintJS’ organizational structure and reporting lines as well as written job descriptions. Management reviews FingerprintJS’ organizational structure at least annually as part of strategic planning, and any changes are made as needed based on changing reporting lines, authorities, and responsibilities.

FingerprintJS has the following security policies and related Processes in place:

• (a) Data classification and business impact assessment
• (b) Selection, documentation, and implementation of security controls
• (c) Assessment of security controls
• (d) User access authorization and provisioning
• (e) Removal of user access
• (f) Monitoring of security controls
• (g) Security management

3. Access control

FingerprintJS has implemented role-based access controls that limit access to sensitive information to only those individuals who require access based on job function, active employment, and management approval. FingerprintJS maintains an up-to-date and complete inventory of information technology assets and asset owners.

Administrative level access to FingerprintJS’ critical systems (network, application, source code, and related databases) is limited to appropriate individuals based on job function and current employment with FingerprintJS.

Administrative level access to critical system components including (production servers, databases, system infrastructure components, and front-end application level) are restricted to appropriate individuals based on job function and current employment with FingerprintJS.

Access to the Amazon Web Services ("AWS") environment is controlled with security groups configured to prevent access based on predefined access control lists. Monitoring tools are in place to monitor the AWS environment and administrators receive notification of issues detected by the system based on pre-defined alert thresholds.

Sensitive authentication data such as service accounts and encryption keys are stored in a key management system. Access to sensitive authentication data is limited to only appropriate individuals based on job function and active employment with FingerprintJS.

Remote access to FingerprintJS' network and system infrastructure requires a unique username, password, and one-time multi-factor authentication code to authenticate. Remote access to FingerprintJS' network and system infrastructure is limited to only appropriate individuals based on job function and active employment with FingerprintJS.

Access to FingerprintJS' systems requires a unique username and password. Password complexity standards within AWS are enforced and include the following:

• (a) Minimum password length is 16 characters
• (b) Require at least one uppercase letter from Latin alphabet (A–Z)
• (c) Require at least one lowercase letter from Latin alphabet (a–z)
• (d) Require at least one number
• (e) Require at least one non alphanumeric character ! @ # $ % ^ & * ( ) _ + - = [ ] | '.
• (f) Passwords expires in 90 days
• (g) Allow users to change their own password

4. Segmentation of personal data

FingerprintJS has logically segmented its network so that unrelated portions of the information system are isolated from each other. All public internet facing systems are segregated from the production network through network segmentation, firewalling, logical access restrictions, and the use of a load balancers which restricts access to production infrastructure. FingerprintJS' information security program prohibits the use of shared user accounts unless approved by management.

5. Encryption and Transmission

All data classified as potentially sensitive is encrypted at the database level while at rest. All media containing sensitive data, including electronic, hardcopy, and photocopy, is destroyed when it is no longer needed for business or legal reasons as defined in FingerprintJS' terms of service.

All data in transit is encrypted including the following:

• (a) Information transmitted over the public internet (HTTPS)
• (b) Data transferred within system components (TLS)
• (c) Data transferred between organizations (SFTP)

Access to modify data transmission protocols is limited to appropriate individuals based on job function, current employment status, and inquiry with FingerprintJS' management team.

All authentication and data transmission to the production applications, the operating systems hosting the applications, and associated production databases take place over secure transmission channels (i.e. VPN, SSH, SFTP, TLS). All production databases are encrypted using AES-256 bit encryption.

6. Data Backup, Recovery and Availability

FingerprintJS performs incremental backups of its critical information systems on a daily basis, and full backups are performed on at least a weekly basis. FingerprintJS’ management is alerted in the case of a backup failure, and backup failures are tracked to remediation.

Established entity standards exist for infrastructure and software hardening and configurations for key system components and infrastructure. FingerprintJS has established a business continuity plan and disaster recovery plan, both of which are reviewed, tested, and updated on an annual basis.

Customer data is backed up for 90 days in the primary data store, unless otherwise stated in the Customer’s contract. After 90 days, unless otherwise stated in Customer’s contract, it becomes the customer’s responsibility to manage, back up, or otherwise store their data per their use case.

All primary data stores are retained for at least 90 days unless otherwise specified in the customer’s contract.

To ensure data availability and avoid issues with data older than 90 days, customers are advised to configure webhooks in their dashboard account. All data received via webhooks should be backed up securely on their end.

FingerprintJS is fully responsible for the availability of product and services.

7. Incident Management and System Monitoring

FingerprintJS' management team has implemented an incident response plan that outlines the requirements for responding to anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

Security events are documented, reviewed, and tracked to final remediation by data importer's management team. A root cause analysis is conducted to determine the cause and mitigate the risk of such an incident occurring in the future.

FingerprintJS has security monitoring tools in place to monitor FingerprintJS' production environment and provide an ongoing solution to monitor security threats and unusual system activities. FingerprintJS' management team receives alerts from the tools, based on predefined thresholds, and confirmed security issues are tracked to remediation.

FingerprintJS engages a third-party to perform external penetration tests of the system on an annual basis. Management assesses and prioritizes the results of the penetration test and tracks issues of medium criticality or above to final remediation.

8. Asset and Software Management

FingerprintJS has implemented a change management policy that outlines the requirements for authorization, design, development, configuration, documentation, testing, approval, and implementation of changes to infrastructure, data, and software. All system changes are tested, reviewed, and approved prior to implementation to the production environment. Access to make changes to source code is limited to only appropriate individuals based on job function and active employment with FingerprintJS.

Version control software is in place to manage current versions of source code. Audit logs of all commits to source code libraries are maintained.

Source code scans are performed on in-scope application source code to detect potential vulnerabilities prior to the release of source code into the production environment. Any high-risk vulnerabilities are tracked to remediation prior to the promotion of each change into the production environment.

9. Physical Security

FingerprintJS has a cloud-based infrastructure in AWS and relies on this subservice organization to operate physical access controls to the data centers hosting FingerprintJS' infrastructure. Additionally, FingerprintJS does not own any facilities containing information assets which would require physical security controls to be implemented.

10. Endpoint Security

FingerprintJS has enforced the following mobile device hardening standards for laptops and mobile phones:

• (a) Evidence of device encryption
• (b) Enterprise antivirus enabled
• (c) Antivirus daily updates
• (d) Requirement of user name and password
• (e) Patches or regular OS updates

All laptops with access to FingerprintJS' network are configured to enforce hard drive encryption.

FingerprintJS' security policy prohibits the use of removable media storage without prior approval from management.

Anti-virus/anti-malware software is installed on workstations and laptops supporting the system. Antivirus software is configured to receive an updated virus signature at least daily. Network operations receives a report of devices that have not been updated in more than 24 hours and follows up on those devices.

11. Service providers

FingerprintJS has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data to which they have access and to limit the use of personal data in accordance with FingerprintJS' instructions.

12. Customer Communications

FingerprintJS has reporting mechanisms in place for reporting security issues and compliance concerns from internal and external system users. Each report is reviewed by appropriate management personnel, based on the nature of the suspected security issues, in accordance with FingerprintJS' Incident Response Policy.

Security incidents and unauthorized disclosures of internal or external user data are communicated to data subjects, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, per the incident response plan.

Customer responsibilities, which include responsibility for reporting operational failures, incidents, problems, concerns, and complaints, and the process for doing so, are described within customer agreements. FingerprintJS communicates relevant security and privacy commitments, made available on its public-facing website or by written request.

When major changes to security or privacy commitments are made, FingerprintJS communicates these changes to impacted stakeholders via email.

System descriptions are made available to authorized external users that delineate the boundaries of the system and describe relevant system components as well as the purpose and design of the system.

13. Staff training and awareness

FingerprintJS maintains security policies and procedures which communicate objectives and responsibilities for internal control, necessary to support the function of internal control. Policies and procedures are made available to employees in FingerprintJS' policy document repository.

FingerprintJS has established standards and guidelines for management's, employees', and contractors' ethical behavior, as outlined in FingerprintJS' employee handbook. The handbook includes a termination policy for personnel who violate FingerprintJS' policies and procedures, which may include disciplinary action up to and including involuntary termination.

All employees and contractors are required to sign an employment agreement, that requires personnel to adhere to FingerprintJS' code of conduct, security, and confidentiality policies and procedures as part of their initial terms and conditions of employment.

FingerprintJS has implemented a formal disciplinary process to address instances of noncompliance with FingerprintJS' standards of conduct related to security which includes disciplinary measures up to and including termination.

Roles and responsibilities are defined by written job descriptions and communicated to FingerprintJS' employees upon hire, as well as to their managers and supervisors.

Management monitors personnel compliance with the code of conduct through a complaint submission system which serves as a mechanism for reporting deviations from the code of conduct. Any deviations to the code of conduct are addressed immediately in accordance with the employee handbook.