Legal Privacy & Security
Software as a Service Agreement
This Software as a Service Agreement and related schedules (“SaaS”) is effective as of the earlier of: (a) the last date of the signature of this SaaS; and (b) the last date of the signature of the first Order Form (defined below) (the “Effective Date”), by and between the entity named below and each of its Affiliates entering into an Order Form (“Client”) and either Riskified, Inc., or Riskified Ltd., as set out in Section 13 (“Riskified”). Each of Riskified and Client are individually referred to as a “Party” and collectively as the “Parties”.
-
Riskified responsibilities
- Provision of Services. Riskified will make the Services available to Client, as described in this SaaS and related order forms with schedules (each, an “Order Form”, and with the SaaS, the “Agreement”). Each Client Affiliate receiving the Services shall execute a separate Order Form. “Services” means the products and services provided by Riskified and/or its Affiliates. For the avoidance of doubt, by executing an Order Form, each Client Affiliate shall be bound to this SaaS. “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests and/or management of the subject entity.
- Support. Riskified, at its own expense, will provide Client with technical support in accordance with Riskified’s standard practices.
- Security and Data Protection Program. Riskified will maintain physical, administrative, and technical safeguards consistent with industry-accepted practices including the International Organization for Standardization (ISO) 27001:2013 and a System and Organizational Controls (SOC) 2, Type II report to protect the confidentiality, integrity, and availability of Client Data (defined below). The Parties will adhere to the terms of the Data Processing Addendum (“DPA”), available at https://security.riskified.com/, which is incorporated herein by reference, with respect to any “personal data” or “personal information”, as such terms are defined by applicable law, that are processed in connection with the Agreement, unless the Parties have executed a separate data processing addendum, which shall prevail. Riskified reserves the right to update such measures, as set forth at https://security.riskified.com/, provided that any updates shall not materially diminish the level of security applicable to the Services. Client is responsible for reviewing the information Riskified makes available regarding its data processing and security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations.
-
Client Responsibilities
- Use Restrictions. Except for the rights granted in the Agreement, no other rights in or to any Services, express, implied or otherwise, are granted to Client. Without limiting the foregoing, Client shall not, and shall not allow, directly or through a third party to: (i) use the Services other than for the purpose permitted herein; (ii) transfer, sell, rent, lease or share the Services or the results, including recommendations; (iii) permit any person who is not an Authorized User (defined below) to use or access the Services or the results thereof; (iv) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Riskified’s online software application provided as part of the Services; (v) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; (vi) access the Services or use the results thereof in order to build, improve upon, develop a product or service which competes with the Services or frustrates the purpose of the Agreement; (vii) make available to Riskified any data regulated under PCI; (viii) use the Services or provide data to Riskified in a manner that violates any applicable law, ordinance, regulation or administrative order; or (ix) take any action that imposes or may impose (as determined in Riskified’s reasonable discretion) an unreasonable or disproportionately large load on the servers, API, network, bandwidth, or other cloud infrastructure which operate or support the Services, or otherwise systematically abuse or disrupt the integrity of such servers, network, bandwidth, or infrastructure, including but not limited to API calls exceeding a volume of 700% of Client’s daily average of API calls (or such other volume reasonably determined by Riskified), all as reasonably measured by Riskified.
- Client Security Standards and Data Protection. Client shall establish and maintain a data security and protection program that includes physical, technical, administrative, and organizational safeguards no less rigorous than accepted industry practices and as required by applicable law, that is designed to ensure the access to, and security of, the Client Data, Client’s platform and systems, as well as any integrations associated therewith, and as reasonably requested by Riskified. Client is solely responsible for all aspects of Client Data, including its sourcing, inputting, accuracy, quality, integrity and management and maintaining reasonable security measures with respect to the Client Data while in its possession and control.
- Client IT Infrastructure. Client is solely responsible for obtaining and maintaining network connections and telecommunications links from its systems to Riskified, and for all problems, conditions, delays, delivery failures, as well as all other loss or damage arising from or relating to Client’s network connections or telecommunications links or caused by the internet. Notwithstanding anything herein to the contrary, Riskified is not responsible for technical issues due to Client’s failure to comply with Riskified’s instructions; or modification or alteration of the Services by any anyone other than Riskified or Riskified’s duly authorized contractors or agents.
- Audit; Competition. Client agrees to provide its reasonable cooperation in the event Riskified audits Client’s use of the Service, which may occur only upon reasonable advance notice, during Client’s business hours, not more than once per calendar year or in connection with a breach of the Agreement. For the Term of the Agreement (defined below), Client agrees that it shall not receive third party fraud mitigation services.
- Authorized Users; Credentialing. Only those users authorized by Client may use the Services (each, an “Authorized User”). Any violation of the Agreement by an Authorized User shall be deemed to be a violation by Client. Client is solely responsible for the security and proper creation, use and termination of all Authorized User names, passwords and other security devices used in connection with the Services and shall take all reasonable steps to ensure that they are kept confidential and secure, are used properly and are not disclosed to unauthorized persons. Client shall immediately notify Riskified in writing if there is any reason to believe that any security credentials or any other security device has or was likely compromised or used in an unauthorized way. Riskified may require Client to change any of its Authorized User’s usernames, passwords or other security devices used by Client in connection with the Services, and Client shall promptly comply with any such requirement.
- Fair Credit Reporting Act. Client acknowledges that Riskified, is not a consumer-reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and that the Services provided to Client hereunder do not constitute “Consumer Reports,” as defined in the FCRA. Client represents and warrants that it shall not use the Services to determine any consumer’s eligibility for any product or service to be used by a consumer for personal, family or household purposes. Further, Client represents and warrants that it shall not use the Services in whole or in part: (i) as a factor in establishing a consumer’s eligibility for credit; (ii) as a factor in establishing a consumer’s eligibility for insurance; (iii) for employment purposes; (iv) in connection with a determination of an individual’s eligibility for a license or other benefit granted by a governmental authority; or (v) in connection with any permissible purpose as defined by the FCRA.
- Sanctions; Compliance. Client acknowledges the Services do not guarantee compliance with any specific law or regulation. Client represents and warrants that: (1) neither Client, nor any of its directors, officers, employees, Authorized Users, customers and/or end-users: (a) is subject to sanctions and/or named as specifically designated national on the most current list published by the U.S. Treasury Department Office of Foreign Asset Control (“OFAC“) at its official website (“Prohibited Persons“), or (b) are located, organized, or resident in a country or territory that is, or whose government is, the target of sanctions imposed by OFAC (“Sanctioned Area“) and (2) Client implements appropriate controls designed to comply with sanctions regulations, including but not limited to OFAC.
-
Client Data
- Provision of Client Data. Client is solely responsible for ensuring it is authorized to provide or make available the data it provides or makes available to Riskified and the Services (collectively, the “Client Data”), including the provision of any requisite notices and obtaining consent to the extent required under applicable law (which may include but not be limited to for the use of automated decision making). Client Data required by Riskified and processed in connection with the Services is detailed in documentation made available by Riskified, including in the DPA.
- License to Client Data. Client consents to and grants Riskified and its Affiliates the worldwide, non-exclusive, royalty-free, perpetual, sub-licensable, fully-paid-up, and irrevocable, right to: (i) use the Client Data to provide the Services; (ii) use the Client Data to improve the Services; and (iii) process such Client Data in accordance with the DPA and Riskified’s Privacy Policy. In order to provide the Services, Riskified and its Affiliates combine data from their clients and will provide Client Data to third parties to the extent permitted under this Agreement.
-
Fees and payment
- Fees. Client and/or Client Affiliate, as applicable, agree to pay the fees described in the Agreement (the “Fees”).
- Invoicing; Non-refundable. Except as otherwise specified herein or in an Order Form, amounts due are invoiced on a monthly basis and due within thirty (30) days of Client’s receipt of the applicable invoice (“Payment Term”). Client agrees to remit payment by wire transfer or ACH, unless the invoice is $3,000 or less, in which event Client may remit payment by credit card. Fees are non-cancelable and non-refundable. Each Client Affiliate will be invoiced separately. Should the Parties agree to allow Client to pay in a currency other than USD, GBP or EUR, Client shall be charged an additional 0.15% on the invoiced amount.
- Late Payment; Disputes. Unpaid amounts are subject to a finance charge of 1.5% per month, or the maximum percentage permitted by law (whichever is lower), in addition to all reasonable costs of collection, including reasonable attorneys’ fees. Any good faith objection to an invoice shall be provided in writing to Riskified within the applicable Payment Term, otherwise Client would be deemed to waive any objections, and such invoice will be deemed final and not subject to dispute.
- Taxes. All fees are exclusive of taxes and duties. If the Services are subject to collection or payment of any federal, state, or local tax under the Agreement, or any other similar taxes or duties levied by any governmental authority, excluding taxes levied on Riskified’s net income, then such taxes and/or duties shall be invoiced to and paid solely by Client upon receipt of invoice.
- Service Suspension. Riskified may suspend the Services (in whole or part) if Client fails to pay an overdue payment within ten (10) days of written demand by Riskified.
-
Term and termination
- Term of SaaS. The SaaS begins on the Effective Date and continues until the termination or expiration of all Order Form(s) between Riskified and Client and/or Client’s Affiliates.
- Term of Order Form. The start date and term of the Service(s) shall be set out in an Order Form. Except as otherwise specified in an Order Form, the term for each Order Form shall be for one (1) year (the “Initial Term”). The Initial Term will automatically renew for consecutive periods, each equal to the Initial Term specified, or one (1) year, whichever is longer (each, a “Renewal Term”, and together with the Initial Term, the “Term”), unless either Party notifies the other Party of its intent not to renew such Services at least sixty (60) days prior to the end of the then-current Term.
- Early Termination by Client. Client may terminate an Order Form for convenience upon ninety (90) days written notice (“Early Termination”). In the event of Early Termination, Client shall pay Riskified an amount equal to the gross average monthly Fees invoiced by Riskified and multiplied by the number of months remaining in the then-current Term (“Early Termination Fee”), which will be reduced by any and all credits owed to Client in the final invoice. Client acknowledges and agrees that the Early Termination Fee constitutes liquidated damages and is not a penalty and that the amount of actual loss due to the foregoing is difficult to precisely estimate and the amount of liquidated damages bears a reasonable proportion to the probable loss that Riskified will suffer in relation to the foregoing.
- Termination for Breach. If a Party materially breaches the Agreement and fails to cure such breach within thirty (30) days of receipt of written notice from the other Party outlining the nature of such breach, then the other Party may terminate the affected Order Form(s).
-
Representations and warranties; covenants
- Mutual Representations and Warranties; Covenants. Each Party represents, warrants and covenants to the other Party that it has the full power and authority to enter into the Agreement.
- Future Functionality. Client agrees that its entry into the Agreement is not contingent on the delivery of any future functionality or features, or dependent on any oral or written comments or commitments made by Riskified regarding future functionality or features.
- DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED IN THE AGREEMENT, RISKIFIED IS PROVIDING THE SERVICES “AS IS” AND “AS AVAILABLE” AND RISKIFIED DOES NOT MAKE AND CLIENT HAS NOT RELIED UPON ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE IN ENTERING INTO THE AGREEMENT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RISKIFIED SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.
-
Indemnification
- Indemnification by Riskified. Riskified shall defend and indemnify Client against claims, actions, proceedings, losses, damages, out-of-pocket expenses and costs (including reasonable attorney’s fees), finally awarded and arising out of or in connection with any third-party claim alleging infringement by the Services of any patent or copyright or misappropriation of any trade secret. The foregoing defense and indemnification obligations do not apply if: (i) the allegation does not state the Services are the basis of the claim against Client; (ii) a claim against Client arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Riskified, if the Services or use thereof would not infringe without such combination; (iii) a claim against Client arises from Services under an Order Form for which there is no charge; or (iv) a claim against Client arises from Client Data, third-party applications, services or software or Client’s breach of the Agreement.
- Indemnification by Client. Client shall defend and indemnify Riskified against claims, actions, proceedings, losses, damages, expenses and costs (including reasonable attorney’s fees) arising out of or in connection with any third-party claim, alleging: (i) Client’s use of the Services violates applicable law or payment network rule, or (ii) Client Data infringes or misappropriates a copyright, patent, trademark, trade secret, privacy or other proprietary right, or Client’s provision of Client Data to the Services violates any right, law, or regulation applicable to such Client Data.
- Indemnification Process. As a condition to the indemnification obligations set out herein, the indemnified Party shall: (i) promptly notify the indemnifying Party of any claim for which indemnity will be sought; provided that no delay in providing such notice shall relieve the indemnifying Party of any liability or obligations hereunder except to the extent the indemnifying Party has been prejudiced by such delay; (ii) permit the indemnifying Party to assume sole control of the defense and settlement of such claim with counsel of its choosing; and (iii) provide cooperation reasonably requested by the indemnifying Party in investigating and defending such claim, at the indemnifying Party’s expense (provided that the indemnified Party shall not be entitled to compensation for time spent providing such cooperation). The indemnified Party shall have the right to participate in (but not control) the defense of any such claim, at its sole cost and expense, using counsel of its choosing.
- Exclusive Remedy. This “Indemnification” section states the indemnifying Party’s sole obligation and liability to, and the indemnified Party’s exclusive remedy against, the indemnified Party for any third-party claim described in this section.
-
Exclusions; limitation of liability
- Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY FOR ANY LOST PROFITS, REVENUES, GOODWILL OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, ANY LOSS OF DATA, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
- Limitation on Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THE AGREEMENT, EXCEED THE TOTAL AMOUNT PAID BY CLIENT AND/OR ITS AFFILIATES FOR THE SERVICES UNDER THE APPLICABLE ORDER FORM(S) GIVING RISE TO THE LIABILITY IN THE SIX (6) MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS HEREUNDER.
- Claim Period. ANY CLAIM OR ACTION BY EITHER PARTY RELATED TO THE AGREEMENT, INCLUDING, BUT NOT LIMITED TO THE SERVICE, MUST BE COMMENCED WITHIN TWO (2) YEARS AFTER THE DATE ON WHICH THE ACT, EVENT, CONDITION, OR OMISSION GIVING RISE TO SUCH CLAIM OR ACTION, OCCURRED OR COULD HAVE REASONABLY BEEN DISCOVERED (“CLAIM PERIOD”). ANY ACTION NOT BROUGHT WITHIN THE CLAIM PERIOD SHALL BE BARRED, NOTWITHSTANDING ANY LONGER LIMITATIONS PERIOD SET FORTH IN ANY APPLICABLE LAW OR STATUTE.A
-
Confidentiality
- “Confidential Information” shall mean information made available by a Party or its Affiliates (“Discloser”) to the other Party or its Affiliates (“Recipient”), that is proprietary or confidential and is either clearly labeled or identified as Confidential Information or that a reasonable person should understand to be confidential given the nature of the information or the circumstances of its disclosure, and whether such information is disclosed by the Discloser in connection with the Agreement before, on or after the Effective Date. Confidential Information includes the terms of the Agreement. Confidential Information does not include any of the following: (i) information that is or becomes part of the public domain or otherwise available on an unrestricted basis to one or more third persons without violation of the Agreement by the Recipient; (ii) information that was known to or in the possession of the Recipient on a non-confidential basis prior to the disclosure thereof to the Recipient by the Discloser, as evidenced by written records; (iii) information that was developed independently by or on behalf of the receiving Party, without use of or reference to the Confidential Information; (iv) information that is disclosed to the Recipient by a third person without violation of the Agreement by the Recipient; or (v) Client Data, which shall be subject to the terms of the DPA, related Security Addendum, Riskified’s Privacy Policy, and applicable law.
- Protection of Confidential Information. Each Party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third-party or use the other’s Confidential Information other than as permitted under the terms of the Agreement. Each Party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed in violation of the terms of the Agreement.
- Compelled Disclosure. The obligations of the Parties under this Section shall not apply to the extent of any disclosure required pursuant to a duly authorized subpoena, court order, government authority or under any other legal obligation, provided that the Recipient has provided prompt notice and assistance to the Discloser prior to such disclosure, so that Discloser may seek a protective order or other appropriate remedy to protect against disclosure.
- Injunctive Relief. Any breach or threatened breach of the obligations set forth in this section may constitute a material breach of the Agreement, which the breaching Party acknowledges may cause irreparable harm to the non-breaching Party, leaving it without an adequate remedy at law. As such, any such breach shall entitle the non-breaching Party to seek any equitable relief, in addition to all other remedies, without necessity of posting of a bond or other security in connection therewith.
-
Proprietary rights and licenses
- Ownership. Client acknowledges and agrees that Riskified and/or its Affiliates and/or licensors exclusively own all Intellectual Property Rights in and to the Services and associated documentation. Except as expressly stated herein, the Agreement does not grant Client any rights to or in any Intellectual Property Rights or any other rights or licenses with respect to the Services or the associated documentation. Client acknowledges that the Services, associated documentation and the inventions, know-how and methodology embodied therein are proprietary to, and are the valuable trade secrets of, Riskified and its Affiliates and licensors, as applicable, and that the Services and associated documentation constitute Confidential Information of Riskified and/or its Affiliates. “Intellectual Property Rights” shall mean all rights throughout the world in and to any and all of the following: (i) patents, patent applications, patent disclosures and inventions (whether patentable or not); (ii) trademarks, service marks, trade dress, trade names, logos, corporate names, Internet domain names and registrations and applications for the registration thereof together with all of the goodwill associated therewith; (iii) copyrights and copyrightable works (including computer programs and mask works) and registrations and applications for registration thereof; (iv) trade secrets, know-how and other proprietary information of a like kind; (v) waivable or assignable rights of publicity, waivable or assignable moral rights; and (vi) all other forms of intellectual property, such as data and databases, in each case, to the extent protectable under applicable law, as well as any derivative works of any intellectual property.
- Feedback. Client grants to Riskified and its Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into Services any suggestion, enhancement request, recommendation, correction or other feedback provided by or derived from Client or its Authorized Users use of the Services. Client hereby waives and agrees not to assert any moral rights (or similar rights) in and to such feedback, as well as any rights to royalties or other payments.
-
Publicity
- Press Release. The Parties agree to issue a joint press release announcing the relationship between the companies within six (6) months from the Effective Date. Riskified’s marketing team will cooperate with the Client regarding the drafting and distribution of any such content.
- Use of Logo. Riskified may use Client’s name and logo on Riskified’s website and in any promotional and marketing materials, in accordance with Client’s trademark and/or brand guidelines, as provided to Riskified.
-
Insurance
- Coverage. Riskified has obtained and will maintain the following insurance coverages during the Term: (i) Professional Liability (including Products Liability, Privacy, Intellectual Property Infringement, Cyber Liability) insurance in the amount of at least $10,000,000 ($5,000,000 per occurrence) on a claims made basis, (ii) Directors and Officers insurance in the amount of at least $5,000,000 on a claims made basis, as well as policies for Business Owners, Workers’ Compensation and Employer’s Liability insurance.
- COI. Upon Client’s written request, Riskified shall provide Client with certificates of insurance evidencing the above coverage. Additionally, upon Client’s written request, Riskified will name Client as an additional insured with respect to Riskified’s aforementioned Professional Liability insurance coverage.
-
Contracting party; governing law & venue; arbitration
- Contracting Party. If Client is domiciled in North America, Central America, or South America, Client is entering into the Agreement with Riskified, Inc., a Delaware corporation. If Client is domiciled elsewhere, Client is entering into the Agreement with Riskified Ltd., a limited liability company organized under the laws of Israel.
- Governing Law and Venue. The Agreement shall be governed by and construed in accordance with the laws of the State of New York. The Parties hereby irrevocably consent and submit to the exclusive jurisdiction and venue of the state and federal courts in the State of New York.
- Arbitration. Notwithstanding anything herein to the contrary, any controversy, dispute or claim arising out of or related to this Agreement that cannot be resolved by informal and good-faith negotiations between authorized representatives of the parties shall be settled by final and binding arbitration to be conducted by an arbitration tribunal in the State, City and County of New York, NY pursuant to the rules of the American Arbitration Association.
-
General provisions
- No Joint Venture or Partnership. The Parties are independent contractors. The Agreement does not create a partnership, joint venture, franchise, agency, fiduciary, or employment relationship.
- Waiver. No failure or delay by either Party in exercising any right under the Agreement will constitute a waiver of that right.
- Notice. Any notice given pursuant to the Agreement shall be in writing and shall be provided by personal delivery, registered mail, or email. Any such notice shall be deemed to have been given on (i) the day such notice or communication is personally delivered, (ii) three (3) days after such notice or communication is mailed by registered mail, (iii) one (1) business day after such notice or communication is sent by overnight courier, or (iv) Notice sent by email shall be deemed effective when the receipt is electronically confirmed. Notices to Riskified shall be addressed to 220 5th Avenue, 2nd Floor, New York, NY 10001, Attn: Legal Department; with a copy to [email protected].
- Affiliates. All obligations of either party and its respective Affiliates under the Agreement are joint and several.
- Force Majeure. If either Party is unable to perform any obligation (excluding any payment obligation) under the Agreement because of any matter beyond that Party’s reasonable control, such as flood, exceptionally severe weather, fire, explosion, war, terrorist attack, civil disorder, protests, industrial dispute (whether or not involving employees of either Party), acts of local or central government or other competent authorities, problems with telecommunications providers, hostile network attacks, pandemics or other events beyond a Party’s reasonable control (each, a “Force Majeure Event”), that Party will have no liability (including any obligation to issue refunds or credits) to the other for such failure to perform; provided, however, that such Party shall resume performance promptly upon removal of the circumstances constituting the Force Majeure Event.
- Interpretation. To the extent of any conflict in terms between: (a) this SaaS and/or its schedules, and (b) an Order Form and/or its schedules, then the terms of such Order Form and/or its schedules shall control.
- Assignment. Client may not assign or otherwise transfer the Agreement without prior written consent by Riskified. Riskified may assign or delegate the Agreement, or any duty or right under the Agreement to an Affiliate.
- Counterparts. The Agreement may be executed in one or more counterparts, in original or electronic form, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement.
- Severability. If any provision of the Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the Agreement will otherwise remain in full force and effect and enforceable.
- Entire Agreement; Amendments. The Agreement, including any schedules, exhibits, annexes and/or Order Forms, is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of the Agreement. Any and all waivers, amendments and modifications regarding the Agreement must be in writing and signed by both parties.
NOTE: comprehensive information on Riskified’s information security and compliance programs can be found on our Security Portal at https://security.riskified.com/.
Riskified Services Privacy Notice
Riskified provides online merchants (each, a “Merchant”) with services that help Merchants optimize their e-commerce experience, including by detecting and preventing fraudulent online transactions, fraudulent activity and abuse of Merchant’s policies, account takeover, facilitating alternative payment methods, and increasing payment authorization (collectively, the “Services”). Merchants integrate our Services on their e-commerce platforms where consumers place orders for goods and services (collectively, the “Merchant Website”).
This Services Privacy Notice (“Notice”) explains the privacy practices of Riskified Ltd. and our affiliates (“Riskified”, “we”, “our”, or “us”) in connection with our Services. It describes how we collect, use, and share information that relates to personal data, and the rights and options available to you with respect to your personal data. To supplement this Notice and to the extent required under applicable law, Riskified shall process personal data in accordance with the Data Processing Addendum, available at: https://security.riskified.com/ (“DPA”).
You are not obligated to provide us with your personal data, but the Merchant Website may require that you provide the Merchant with your personal data, which it then transfers to us, to enable the processing of orders you place. A Merchant may also choose to deploy Riskified’s web-beacon on their site, facilitating additional data collection. Please note that this Notice does not cover the practices or policies of Merchants, the Merchant Website, or other parties.
INFORMATION WE COLLECT
The information we process includes information relating to identified or identifiable natural persons, known as personal data. The categories of information we collect, including in the past twelve (12) months, are listed below. This information is collected directly from you, from Merchants, from our service providers, from publicly available sources and through the Merchant Website and is used by us to provide Services and as otherwise described in “Use of Collected Information” below.
Merchant data. When you interact with the Merchant Website, place an order on a Merchant Website, or submit claims and chargebacks, we may collect various commercial data regarding your activity with the Merchant, which may include personal data, such as your name, email, address, phone number, the items you purchased, price paid, claim and chargeback information, payment method, billing method, shipping information, and (if you have one) basic information from your account on the Merchant Website. We do not collect complete credit card numbers.
Device data. We collect information about the personal computer or mobile device you use to access the Merchant Website. This includes, for example, the device model, operating system, unique identifiers, browser type, mobile network information, and the Internet Protocol (IP) address through which you accessed the Merchant Website.
Location data. We may also request access to or otherwise receive information about your device’s general location when you use the Merchant Website. Your location data may be based on your IP address and other location-aware technologies, but is not intended to be precise.
Analytical data. We collect analytical data about your use of the Merchant Website. For example, we collect the frequency of your access to the Merchant Website, the time you spend accessing the Merchant Website, online activity, including copy and paste events, the pages that referred you to the Merchant Website, as well as the pages and items on the Merchant Website that you viewed or interacted with.
Cross-references. We also cross-reference, verify, and enhance the accuracy of the data outlined above using third-party sources such as search engines, social networks, white pages, banks, and mapping services. If you have provided the Merchant with access to information of third-party platforms (including social networks), we may also receive the same access permissions to the information that you made public.
Inquiries. If you contact us for questions or complaints, we will collect the information related to your inquiry and to verify your identity through a Know Your Customer process. This may include identifiers such as your name, email address, postal address, telephone number and other contact information, depending on the nature of your inquiry.
Sensitive Personal Information. Depending on your interactions with certain Merchants, we may collect personal data that is considered “sensitive” under applicable laws. For example, we may collect your passport information if you interact with a Merchant Website that provides travel services.
USE OF COLLECTED INFORMATION
We collect and use information for our legitimate interests and for business and commercial purposes in accordance with the practices described in this Notice. Our business purposes, including in the past twelve (12) months, include:
- Providing our Services;
- Improving and enhancing Services and developing new services;
- Statistical analysis of consumers’ activities;
- Handling your requests and complaints;
- Enforcing this Notice and preventing misuse of the Services;
- Taking any action in any case of disputes involving you, in relation to the Services; and,
- Any other action that may be mandated by law or undertaken to protect our legal rights and property and/or those of third parties.
SHARING INFORMATION COLLECTED
We may share the information outlined in the section “Information We Collect” with others, in the following instances:
With Service Providers
We use service providers to assist us in providing the Services. We share limited elements of the personal data we collect that are strictly necessary for them to provide us with their services. These service providers include data sources and other services to cross-reference, verify, and enhance the Services.
In addition, Riskified may share information with certain entities, such as banks, card networks, payment gateways, and/or payment service providers, to optimize order approval, detect fraudulent activity, test new data sources and relevant services or otherwise in accordance with applicable law. Some of these third parties may use the data we share with them for their own permitted purposes, in accordance with their own terms and policies subject to applicable law, such as Google’s Privacy Notice and Terms of Service.
With Merchants
We may share limited elements of your personal data with Merchants. This information sharing will be for the purpose of providing the Services and responding to requests related to your exercising of data rights.
When Required for Legal Purposes
We may share your personal data with third parties if we believe it is required by law or for the purpose of exercising legal rights. Examples where it could be necessary to share your data include: to comply with legal proceedings, respond to lawful requests, protect or exercise the legal rights of Riskified or our Merchant respond to chargebacks, and dispute chargeback claims.
Under certain circumstances, Riskified may be required to disclose your Personal Data in response to a valid request by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations.
With Corporate Group Entities or in a Business Transfer
We may share your personal data with our corporate group entities, but their use of such information must comply with the Notice. Your data may also be shared if the operation of the Services is organized within a different framework or through another legal structure or entity, such as due to a merger or acquisition.
Non-Personal Data
We may use the information we collect to compile aggregated, anonymized, or de-identified information. To the extent permitted by applicable law, we may share de-identified or aggregated information with any number of parties. Where we maintain or use de-identified data, we will continue to maintain and use the de-identified data only in a de-identified fashion and will not attempt to re-identify the data.
With you
We may share the data we possess about you with you upon a verifiable request or with other parties at your direction. In order to protect you, we may contract with one or more vendors in order to verify your identity. To submit a request, please email [email protected].
Liability in Cases of Onward Transfers
We remain liable if we transfer personal information to a third party where such third party t processes such personal information in a manner inconsistent with this Notice, unless we are able to show that we are not responsible for the event giving rise to the damage.
Transfer of Data Outside Your Territory
In order to provide the Services, we may store and process your information in the US, the EU, Israel, and in other countries. We may also process information using cloud services. As a result, your personal data may be processed in a country whose laws provide a lesser degree of data protection than the laws of your home country.
Riskified may transfer Personal Data from the EEA and the UK to the United States (US) and other countries. When Riskified engages in such transfers, it relies on the below mechanisms.
- Adequacy Decisions, as adopted by the European Commission (EC) based on Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). For the full list of countries deemed adequate to date, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions
- UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018. For the full list of countries deemed adequate to date, please visit: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/
- Transfer Impact Assessments (TIAs) are performed by Riskified to monitor and audit transfers from the EEA and UK to other countries to ensure a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK.
- Standard Contractual Clauses (SCCs) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (IDTA), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board.
- Riskified, Inc., a Delaware corporation, located at 220 5th Avenue, 2nd Floor, New York, NY 10001, adheres to and is covered by Riskified’s submission to the EU-US Data Privacy Framework, Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework (collectively, “DPF”), as set forth by the U.S. Department of Commerce. Riskified has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Riskified has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is a conflict between the terms in this Notice and any of the DPF Principles, then the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit: https://www.dataprivacyframework.gov/s/
Riskified remains responsible, and is liable, under the DPF Principles for the processing of your Personal Data it receives and subsequently transfers to third parties, except where Riskified can demonstrate that Riskified was not responsible for the event giving rise to the damages.
Riskified commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the U.S. pursuant to the DPF Principles. Residents of the EEA, UK, or CH with complaints or questions under the DPF Principles should first contact Riskified’s Data Protection Officer, Yossi Yeshua [email protected]. Riskified will investigate and address the complaint or question within 45 days of our receipt of your email. Unresolved complaints under the DPF Principles may be lodged with JAMS, an independent dispute resolution body at: https://www.jamsadr.com/DPF-Dispute-Resolution. This service is provided at no cost to you. If your complaint remains unresolved, in whole or in part, after contacting Riskified’s DPO directly, and pursuing the arbitration service with JAMS, you may under certain conditions invoke binding arbitration with Riskified as detailed here: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2. Riskified is subject to the Federal Trade Commission (FTC) for the purpose of DPF enforcement.
JURISDICTION SPECIFIC INFORMATION
Residents of the European Union, UK, Switzerland, or Other Jurisdictions with Similar Data Protection Obligations
If you are a resident of the European Economic Area, the UK or Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect, process and manage your personal data.
- As a data controller we rely on our legitimate interests to process your information to detect and protect against fraudulent transactions and to develop, market, and offer fraud detection and prevention services to our Merchants, including the permitted use of our service providers assisting us to deliver the Services. In some cases, we may rely upon your consent to process personal data, which we received through the Merchant Website. Please note that a Merchant is also a data controller and is responsible for its legal basis for processing your personal data, which may be in the form of consent, legitimate interest, or execution of a contract.
- Riskified only provides recommendations through its Services. A Merchant, at its discretion, may use the Services to automatically make a decision on whether to accept or decline your activity. Such automated processing may be based on your consent, necessity to perform a contract between you and the Merchant, or is otherwise permitted by law. Please visit the applicable Merchant Website with any inquiries concerning approval of your activity based on automated means.
- If the law grants you such rights, you may contact us to confirm whether we process your personal data, and if we do, you may request to access, correct, or delete your personal data that is stored in our systems subject to applicable law. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. Please note we may not comply with all requests related to your right to access, delete, or modify the personal data within our possession, as the exercise of such rights may be subject to certain legal exemptions. We may retain certain information if it is associated with fraudulent activity.
- Several entities receiving the data under this Notice are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources. However, opting out may prevent us from providing Services and, as a result, may prevent you from using the Merchant Website. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.
If you wish to submit a complaint under the relevant EEA supervisory authority – you can find the relevant contact details here. If you wish to submit a complaint with the UK’s Information Commissioner’s Office, you may do so here.
Residents of California
Pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), Riskified and its affiliates are providing you with this CCPA notice, which applies solely to California consumers who visit or purchase goods or services on a Merchant Website. This notice does not apply to personal data that Riskified processes from its website or we collect from job applicants, contractors, or employees.
If you are a Merchant, please see the DPA, which shall govern the processing agreement between you and Riskified.
Information from our Merchants. If personal data about you has been processed by us as a “service provider” or “contractor”, as appropriate, and you wish to exercise any rights you have with such personal information, please inquire with the Merchant directly. If you wish to make your request directly with us, please provide the name of the Merchant on whose behalf we processed your personal data. We will refer your request to that Merchant, and will support them to the extent required by applicable law in responding to your request.
Please note that only you, or a person or business entity that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.
Residents of Connecticut, Virginia, Utah, Colorado, and Other U.S. States with Similar Data Protection Obligations
Pursuant to various data protection laws in the United States, Riskified and its affiliates are providing you with this privacy notice, which applies solely to consumers who visit or purchase goods or services on a Merchant Website who are residents of one of these states. This notice does not apply to personal data that Riskified processes from its website or we collect from job applicants, contractors, or employees.
If you are a Merchant, please see the DPA, which shall govern the processing agreement between you and Riskified.
Information from our Merchants. If personal data about you has been processed by us as a “processor”, as appropriate, on behalf of a Merchant and you wish to exercise any rights you have with such personal information, please inquire with the Merchant directly. If you wish to make your request directly with us, please provide the name of the Merchant on whose behalf we processed your personal data. We will refer your request to that Merchant, and will support them to the extent required by applicable law in responding to your request.
Please note that only you, or a person or business entity that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.
Residents of Japan
If you are a resident of Japan or any other territory with data protection laws similar to the Act on the Protection of Personal Information (“APPI”), the following section is applicable to how we collect, process and manage your personal data.
Riskified may jointly use personal data in accordance with procedures permitted by law to the extent needed to carry out our business operations, as detailed in this Privacy Policy, including but not limited to the uses listed under the title above “Use of Collected Information”. When we jointly utilize personal information with other companies, we are hereby providing notice of the following.
- The information and categories of personal data listed under the title above ‘Information We Collect’, detail the types of personal data that may be used jointly.
- We may share personal data as part of our Joint Use, with those types of entities listed under the title above ‘Sharing Information Collected’. Also, we jointly use personal data in accordance with the APPI with Japanese Merchants which may engage with us from time to time for the receipt of our Services. The entity responsible for the management of the jointly-used personal data, including those jointly used with Japanese Merchants, is Riskified. You can look up our official address and the name of our legal representative on our corporate website.
- The details of the person responsible on behalf of Riskified for the management of personal data are listed under the title above ‘Transfer of Data Outside Your Territory’.
For procedures for responding to a request for (i) notifying the purpose of use of your personal data, (ii) disclosure of your personal data, (iii) making a correction, addition, or deletion on the content of your personal data, (iv) ceasing of use or deletion of your personal data in case your personal data is handled in violation of APPI, or (v) ceasing of sharing of your personal data to third parties in case your personal data is shared in violation of APPI, we will notify you without delay upon your request, including the fees and expenses we may collect from you for such procedures (if any).
We will take the necessary and appropriate measures to manage the security of personal data, including preventing the leakage, loss, or damage of the personal data we handle.
We may entrust the handling of your personal data to a third party residing outside Japan and establishes a system necessary for continuously taking measures equivalent to those we must take pursuant to the provisions of APPI (“Equivalent Measures”). We will take necessary measures to ensure the continuous implementation of the Equivalent Measures by the third party and provide you with information on the necessary measures at your request.
In order to lodge a complaint about our handling of your personal data or to contact us for such other purposes, please contact our Data Protection Officer by email address shown under the title ‘Contact Us’ in the last part of this Privacy Notice.
SECURITY
We implement industry standard measures to reduce risks caused by the potential loss of confidentiality, integrity or availability of information. However, no measure can provide absolute information security and we cannot provide protections beyond what is within our reasonable control. For more information, please visit https://security.riskified.com/.
EMPLOYEE SELF-ASSESSMENT
For the purpose of assessing data access controls, Riskified polls its employees on an annual basis to self-report whether they access personal data in their role.
DATA RETENTION
The personal data we collect is retained only for as long as necessary to provide the Services and to achieve any other purpose that is compatible with the purpose under which the personal data was collected, up to 48 months from when such personal data was received by us. Personal Data may be deleted earlier subject to contractual agreements with Merchants or pursuant to a data deletion request. However, Personal Data may be retained longer if it is required by us to establish, exercise, or defend against legal claims, to comply with legal obligations, or if permitted by applicable law. When we dispense with data it is either deleted from our system or anonymized without further notice to you.
NOTICE REGARDING CHILDREN
We do not knowingly collect personal data from individuals under prohibited ages in accordance with applicable laws, which may be 13 years of age or 16 years of age, depending on the child’s residence. If you are a parent or guardian, and believe we have collected personal information about your child without your consent, please contact us at [email protected]. If we become aware that a child has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.
CHANGES TO THIS NOTICE
We will update this Notice in response to changing business circumstances and legal developments. If we materially change this Notice in a manner that adversely affects your rights or in how we use your personal information, or the protections afforded to your personal data, we will post such changes prior to implementing the change. We encourage you to periodically review this Notice to be informed of how we are processing your personal information.
CONTACT US
You may contact us with any questions or comments, at:
By email, to our Data Protection Officer: [email protected]
By mail:
Riskified Ltd.
Sderot Sha’ul HaMelech 37, Tel Aviv, Israel, 6492806
220 Fifth Avenue, Floor 2, New York, NY 10001
GDPR Representative:
Riskified has appointed Lionheart Squared (Europe) Ltd. as its GDPR Representative in the EEA. You can submit questions and comments pertaining to Riskified’s compliance under the GDPR by email to [email protected] or by mail to Lionheart Squared (Europe) Ltd., 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland.
Last updated: April 8, 2024
NOTE: comprehensive information on Riskified’s information security and compliance programs can be found on our Security Portal at https://security.riskified.com/.
Riskified Website Privacy Notice
Riskified respects the privacy of the users of our website at https://www.riskified.com (the “Site”) and is committed to protecting the information that is collected and/or is disclosed by the Site users (“users” or “you”). This Website Privacy Notice (“Notice”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and our affiliates (“Riskified”, “we”, “our”, or “us”) and how we collect, use, disclose, store, and otherwise process Personal Data in our role as a Controller when you interact or use our Site.
This Notice does not cover the handling of Personal Data when Riskified is processing Personal Data on behalf of our merchants, e.g. Personal Data submitted by merchants for processing through the Services. For more information, merchants should review the Services Privacy Policy (https://www.riskified.com/terms/#privacy) and applicable Data Processing Addendum (DPA).
DEFINITIONS
“Personal Data” means information made available to Riskified through the Site that, either in isolation or in combination of other information, enables you to be directly or indirectly identified.
“Controller” is a “data controller” or “business”, as such terms are defined by applicable data privacy law, and is the party that sets out the purposes and means of processing of Personal Data.
“Processor” is a “processor”, “service provider”, “contractor”, and “third party”, as such terms are defined by applicable data privacy law, and is a party that processes Personal Data on behalf of or pursuant to a written contract with Controller.
PERSONAL DATA WE PROCESS AND FOR WHAT PURPOSES
Personal Data you provide to us. We collect Personal Data that you choose to provide to us, for example, on an online form or if you register for any events. We use this data to handle your requests and any complaints, administer our Site, organize and host events, and provide content you request from us. It may also be used for marketing and advertising and, with your consent, to provide direct marketing. We may also rely on our legitimate interest to contact you to offer related services that may be of interest to you based on the services or content that you may have requested from us.
You always have the right to opt out of receiving marketing communications from Riskified at any time. You can opt out by either changing your email preferences or using the link provided at the bottom of each email message. You may not opt out of administrative emails (for example, emails about your transactions or policy changes) while you are a registered user.
We do not send emails to anyone without permission and we do not sell or rent email addresses to any unauthorized third party. If you believe that you have received an unsolicited email from us, please contact us at [email protected] and we will investigate.
Personal Data we automatically collect. When you visit the Site, we collect online activity through the use of cookies and other trackers. Depending on your browser settings, the information we collect may include, but not be limited to, your device IP address, referring website, what pages your device visited, and the time that your device visited our Site. Visit our Cookie Policy in the COOKIES section below for more information on the types of cookies and other trackers we use on our Site. We use this data to administer our Site, to improve our Site, for trend monitoring, marketing, and to keep our Site secure.
Personal Data we collect from third parties. If your Personal Data has been collected as you interacted with our Site and/or registered or attended one of our events, your Personal Data, as stored in our customer-relationship-management platform (CRM), may be enriched or updated to ensure it is accurate and up to date and to ensure that we achieve the purpose for which it was originally collected.
PERSONAL DATA WE DISCLOSE TO THIRD PARTIES
Service Providers. We may share your Personal Data with vendors, consultants and other service providers to perform services on our behalf. These Processors include website analytics providers, tools to prevent spam and other security risks, CRM service providers, to conduct surveys, and provide event registration. If Riskified transfers your Personal Data to a Processor, Riskified remains responsible for ensuring that such Processor processes your Personal Data to the standard required by applicable privacy and security laws.
Marketing Operations. We may share your Personal Data as part of our marketing operations, with third parties through our use of cookies and other tracking technologies on our Site. Our use of cookies and other tracking technologies is based on the choices you make from the footer of our Site. Our use of Personal Data collected for marketing operations is limited to the following purposes: (i) targeting specific audiences based on Site’s user’s locations and interests; (ii) personalizing ads; and (iii) tracking the performance of marketing campaigns.
Event Partners. We may share your Personal Data with our events’ sponsors. Please refer to the terms and conditions provided to you during registration for more information.
Riskified Group. Riskified, Ltd. is the parent company to several wholly-owned subsidiaries, including Riskified, Inc., a Delaware corporation. We may share your Personal Data within the Riskified family of companies for the purposes consistent with this Notice, based on our legitimate interests, or out of contractual necessity.
Business Transfer. If we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Data may be one of the assets transferred to a third party.
Protection of Riskified and Others. Riskified reserves the right to process Personal Data as necessary to (i) comply with law or a court order, (ii) enforce our agreements with you and other our agreements with other parties, or (iii) protect the rights, property, and/or safety of Riskified, our employees, our merchants, or others.
Disclosure to Law Enforcement. Under certain circumstances, Riskified may be required to disclose your Personal Data in response to a valid request by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations. Riskified does not voluntarily disclose any Personal Data to government authorities or otherwise grant them access to such data.
In the event Riskified receives a legally binding subpoena, warrant, or other court order from a government authority requesting that it disclose Personal Data, Riskified will only provide the requested data in response to formal and valid legal process. Specifically, Riskified’s legal team will review the request to ensure that it satisfies applicable legal requirements. If there are legitimate and lawful grounds for challenging the request, Riskified will do so where appropriate. Riskified’s policy is to construe such requests narrowly to limit the scope of the personal data provided.
DATA RETENTION
We store your Personal Data for different time periods depending on the category of Personal Data and the nature of relationship that you have with us. We consider the following criteria when we are making decisions on how long we will retain your Personal Data: (i) the category of Personal Data; (ii) whether the Personal Data is deleted based on specific schedules; (iii) whether further retention of the Personal Data is necessary to achieve the purpose for which Personal Data was collected; (iv) how long we need to retain the Personal Data to comply with our legal obligations or sound professional practices; and (v) legitimate interests or legal purposes, such as fraud prevention, record-keeping, security and integrity, or enforcing our legal rights.
SECURITY
We use appropriate technical, organizational, and administrative security measures to protect any Personal Data we store from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. For an updated list of our certifications and security reports, please visit our Security Portal, located at https://security.riskified.com/.
THIRD PARTY WEBSITES
The Site may include links to other websites that are not owned or controlled by Riskified (“Third Party Websites”). We are not responsible for, and this Notice does not apply to, any personal data collected via Third Party Websites. We do not endorse any of the products or services described or offered on such Third Party Websites, nor the companies who own or operate such Third Party Websites. We remind you to read the Third Party Websites’ privacy notices to understand how your personal data is used and protected.
COOKIES
A cookie is a piece of data sent from a website while the user is browsing and stored on a user’s hard drive to contain information about the user. We use cookies to enhance the user experience, improve our service, including by means such as storing passwords or preference information. We may also use cookies to track and monitor usage of the Site for the purposes of marketing and operational improvements.
Riskified’s Site uses both ‘session’ and ‘persistent’ cookies. ‘Session cookies’ are created and stored temporarily while the user browses and are deleted from the device when the browser is closed. ‘Persistent cookies’ are saved on the user’s device for a fixed period and become active when they visit the Site.
Users located in the EU will receive a pop up notification informing them that cookies are operating on our Site. Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored.
INTERNATIONAL DATA TRANSFERS
Riskified operates globally. Therefore, Personal Data of individuals who visit our Site may be transferred and accessed from around the world, such as from countries where Riskified, our affiliates, or Processors operate. We will protect Personal Data in accordance with this Notice wherever it is processed.
Residents in the European Economic Area (EEA), United Kingdom (UK), and Switzerland (CH)
Riskified may transfer Personal Data from the EEA and the UK to the United States (US) and other countries. When Riskified engages in such transfers, it relies on the below mechanisms.
- Adequacy Decisions, as adopted by the European Commission (EC) based on Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). For the full list of countries deemed adequate to date, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions
- UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018. For the full list of countries deemed adequate to date, please visit: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/
- Transfer Impact Assessments (TIAs) are performed by Riskified to monitor and audit transfers from the EEA and UK to other countries to ensure a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK.
- Standard Contractual Clauses (SCCs) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (IDTA), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board.
- Riskified, Inc., a Delaware corporation, located at 220 5th Avenue, 2nd Floor, New York, NY 10001, adheres to and is covered by Riskified’s submission to the EU-US Data Privacy Framework, Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework (collectively, “DPF”), as set forth by the U.S. Department of Commerce. Riskified has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Riskified has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is a conflict between the terms in this Notice and any of the DPF Principles, then the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit: https://www.dataprivacyframework.gov/s/
Riskified remains responsible, and is liable, under the DPF Principles for the processing of your Personal Data it receives and subsequently transfers to third parties, except where Riskified can demonstrate that Riskified was not responsible for the event giving rise to the damages.
Riskified commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the U.S. pursuant to the DPF Principles. Residents of the EEA, UK, or CH with complaints or questions under the DPF Principles should first contact Riskified’s Data Protection Officer, Yossi Yeshua at [email protected]. Riskified will investigate and address the complaint or question within 45 days of our receipt of your email. Unresolved complaints under the DPF Principles may be lodged with JAMS, an independent dispute resolution body at: https://www.jamsadr.com/DPF-Dispute-Resolution. This service is provided at no cost to you. If your complaint remains unresolved, in whole or in part, after contacting Riskified’s DPO directly, and pursuing the arbitration service with JAMS, you may under certain conditions invoke binding arbitration with Riskified as detailed here: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2. Riskified is subject to the Federal Trade Commission (FTC) for the purpose of DPF enforcement.
HOW CAN I EXERCISE MY PRIVACY RIGHTS
Depending on your local data privacy laws, you may have certain rights relating to your Personal Data. Subject to any statutory exceptions and limitations, these rights may include:
- The right to know what Personal Data is collected and for what purpose.
- The right to know what Personal Data is being “sold” or “shared” and for what purpose and the categories of recipients of your Personal Data.
- The right to access your Personal Data.
- The right to have your Personal Data rectified, corrected, or updated.
- The right to have your Personal Data deleted, including from any third parties where your Personal Data has been sold, shared, or disclosed.
- The right to opt-out of the “sale” or “sharing” of your Personal Data
- The right to object to the processing of your Personal Data
- The right not to be subject to any automated decision making and profiling.
To exercise any of these rights or if you have any questions regarding these rights, please email [email protected]. If you are located in the EEA, you may alternatively contact our EU representative, Lionheart Squared (Europe) Ltd, at [email protected]; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland. Our privacy team will review your request and respond to you in a timely manner. If we are unable to comply with your request due to an exception or limitation or if we need more time, we will explain this in writing.
You may utilize an agent to make a request on your behalf. We will ask for written, signed permission that the agent has been authorized to act on your behalf. Once the authorization has been provided, we will review the request and respond to the agent in a timely manner. You may also make a request on behalf of your minor child.
Riskified does not collect or use any sensitive categories of Personal Data and does not discriminate against you for exercising your privacy rights.
We remind you that you have a right to lodge a complaint with a supervisory authority should you feel dissatisfied with our processing of your Personal Data or adherence to the terms of this Notice. For residents of the EEA – you can find the relevant contact details here. For residents of California, Colorado, Connecticut, Utah, or Virginia, please see the section titled RESIDENTS OF CALIFORNIA, COLORADO, CONNECTICUT, UTAH, AND VIRGINIA.
RESIDENTS OF CALIFORNIA, COLORADO, CONNECTICUT, UTAH, AND VIRGINIA
Right to Know
Residents of California, Colorado, Connecticut, Utah, and Virginia have certain rights regarding the Personal Data that businesses collect and process about them.
Among these rights is the right to know the categories of Personal Data that is collected by Riskified, the grounds on which such Personal Data is used or otherwise processed, and what Personal Data is made available to third parties.
In the past 12-months we have collected, and will continue to collect, the following categories of Personal Data for our business purposes: (i) personal identifiers, such as name, postal address, IP address and IP location data, phone number, email address; (ii) Internet activity, such as interactions with the Site; and (iii) inferences drawn from the foregoing categories of Personal Data.
In addition, in the past 12-months we have shared Personal Data with third parties as necessary for specific business purposes, as specified under section PERSONAL DATA WE DISCLOSE TO THIRD PARTIES. This includes: (i) personal identifiers, such as name, postal address, phone number, and email address; (ii) Internet activity, such as interactions with the Site; and (iii) inferences drawn from the foregoing categories of Personal Data.
Riskified does not sell Personal Data to third parties for monetary consideration but it may be made for other benefits defined by applicable U.S. state privacy law. For details on this sharing please review the section PERSONAL DATA WE DISCLOSE TO THIRD PARTIES. Riskified does not sell or share Personal Data of individuals who are under 16 years of age.
Exercising Your U.S. Privacy Rights
You have a right to direct Riskified to not sell or share your Personal Data. To exercise this right, as well as a list of other rights that may be available to you, please see section HOW CAN I EXERCISE MY PRIVACY RIGHTS?
We endeavor to respond to privacy rights in a prompt manner and within the statutory required timeframes. If we need more time, we will inform you of the reason and extension period in writing to the verified email address associated with the request. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why and provide you with a cost estimate before completing your request.
Right to Appeal – California, Colorado, Utah
If Riskified does not timely action your privacy request within the 45 days’ response period, or in the event of an extension, within the maximum 90-days respond period, we will inform you in writing of the reasons for not taking action as well as provide an explanation of any rights you have to appeal the decision.
Right to Appeal – Virginia and Connecticut
You may appeal to Riskified our refusal to take action on a privacy request within a reasonable period of time after your receipt of our decision. Within 60-days of receipt of an appeal, Riskified will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is defined, Riskified will provide you with a method through which you may contact the Attorney General of Virginia (if you are a Virginia resident) or Attorney General of Connecticut (if you are a Connecticut resident) to submit a complaint.
“DO NOT TRACK” DISCLOSURE
Riskified does not monitor or respond to Do Not Track browser disclosures.
“NOTICE REGARDING CHILDREN
We do not knowingly collect or solicit Personal Data from anyone under the age of 13. If you are under 13, do not send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us their Personal Data, please contact us at [email protected].
CHANGES TO THIS NOTICE
You can see when this Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Notice but we will notify you about material updates to this Notice by placing a notice on our Site.
CONTACT US
You may contact us with any questions or comments, at:
By email, to our Data Protection Officer: [email protected]
By mail:
Riskified Ltd.
Sderot Sha’ul HaMelech 37, Tel Aviv, Israel, 6492806
Riskified, Inc.
220 Fifth Avenue, Floor 2, New York, NY 10001
GDPR Representative:
Riskified has appointed Lionheart Squared (Europe) Ltd. as its GDPR Representative in the EEA. You can submit questions and comments pertaining to Riskified’s compliance under the GDPR by email to [email protected] or by mail to Lionheart Squared (Europe) Ltd., 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland.
Last updated: March 18, 2024
Vendor Code of Conduct
Riskified Ltd. (“Riskified” ) strives to achieve the highest standard of business and professional integrity, and seeks to avoid even the appearance of improper behavior. We expect our vendors, suppliers, distributors, partners, business associates, and third party representatives (“Vendors” ) to uphold these standards of conduct and professional integrity and communicate them to their organization.
This Vendor Code of Conduct (“Code”) sets forth Riskified’s expectation that its Vendors uphold the highest standards of ethics and comply with all applicable laws and regulations.
These expectations should complement each Vendor’s own company policies, applicable legal requirements, and the terms of any agreements that a Vendor may have with Riskified. Failure to comply with this Code could result in termination of the business relationship. Riskified encourages Vendors to raise questions or concerns about this Code to their Riskified point of contact.
Riskified’s Code of Business Conduct and Ethics, which sets forth our compliance standards in more detail, is available at https://ir.riskified.com/corporate-governance/documents-charters Riskified expects its Vendors to be honest, ethical and transparent when dealing with Riskified, its employees, customers and other third parties.
Vendors are expected to monitor Vendors own compliance with this Code and report any integrity concern or violations of this Code or otherwise involving or affecting Riskified. When requested, Vendors are expected to assist Riskified in investigating concerns.
-
Compliance with applicable governmental laws, rules, and regulations
Riskified expects its Vendors to comply with all laws, rules and regulations that apply to the Vendor’s business, particularly those related to Vendor’s performance of duties for Riskified.
-
Anti-corruption compliance & business expenses
Riskified prohibits bribes, kickbacks, or other improper or illegal payments of anything of value from being directly or indirectly offered, paid, promised or authorized in any way related to Riskified, whether it involves public officials (including officers or employees of governments or state-owned entities) or private parties.
Riskified also prohibits bribery to influence a public official, to obtain or retain business from any party, or to secure an unfair business advantage.
Riskified also prohibits Vendors from making facilitation payments, or small, unofficial payments to public officials to expedite routine, non-discretionary government processes or decisions (even if permissible under local law).
All business expenses provided by Vendors related to Riskified’s business – including gifts (whether money or any other thing of value), hospitality, entertainment, events, travel, or accommodation – must comply with any agreements with Riskified; have a legitimate business purpose; be reasonable and modest in value and frequency; comply with local law; and be accurately recorded. Riskified prohibits the provision of cash gifts.
-
Export, customs, trade control, and anti-money laundering
Riskified expects its Vendors to comply with all applicable export, customs, and trade control laws and regulations, including economic and trade sanctions laws, antiboycott laws, and any related licensing requirements.
Riskified also expects its Vendors to comply with all applicable anti-money laundering laws and regulations.
-
Conflicts of interest & corporate opportunities
Vendors should avoid actual or potential business or financial conflicts of interest – i.e., instances where the Vendor’s personal interests (including interests of the Vendor itself or the Vendor’s employees, officers, or directors) interfere or appear to interfere with Riskified’s interests.
Vendors are prohibited from directly or indirectly (a) taking personally for themselves opportunities that are discovered through the use of Riskified property, information or positions; (b) using Riskified property, information or positions for personal gain; or (c) competing with Riskified for business opportunities.
Any actual or potential conflicts of interest must be immediately reported to Riskified.
-
Insider trading
As a Vendor of Riskified, you may have access to material non-public information about Riskified, other companies, or their respective subsidiaries.
Vendors may not purchase or sell any type of security while in possession of “material nonpublic information” relating to the security or the issuer of such security, whether the issuer of such security is Riskified or any other company. Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making a decision to buy, sell, or hold a security, or if the fact is likely to have a significant effect on the market price of the security.
Riskified prohibits its Vendors from “tipping” others (e.g., family or friends) regarding material nonpublic information about securities.
-
Antitrust, competition, and fair dealing
Riskified expects its Vendors to comply with applicable antitrust and competition laws designed to promote fair and open competition, particularly as it relates to Riskified.
Vendors should not directly or indirectly enter into any formal or informal agreement with competitors that fixes or controls prices, divides or allocates markets, limits the production or sale of products, boycotts certain suppliers or customers, eliminates competition or otherwise unreasonably restrains trade.
Vendors are expected to deal fairly with customers, service providers, suppliers, competitors and employees.
Vendors should not take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair dealing practice.
-
Record management and recording transactions
Vendors are expected to ensure that all financial books, records and accounts related to their relationship with Riskified accurately reflect transactions and events.
Vendors should not falsify documents, transactions, or accounting records.
-
Confidential information
We expect our Vendors to safeguard and protect Riskified’s confidential information, as well as the confidential information of Riskified’s customers, suppliers, shareholders, Riskified employees, or other third parties. Confidential information should be interpreted broadly to include all non-public information relating to Riskified or other companies that would be harmful to the relevant company (or useful to competitors) if disclosed, including financial results or prospects, information provided by a third party, trade secrets, new product or marketing plans, research and development ideas, manufacturing processes, potential acquisitions or investments, or information of use to the Riskified’s competitors or harmful to Riskified or its customers if disclosed.
Riskified prohibits its Vendors from misusing proprietary information or trade secret information that was obtained without the owner’s consent; or from using confidential information for personal gain.
-
Data privacy
Vendors should comply with all applicable laws and regulations regarding the protection of personal information or other sensitive or protected information, and assist Riskified in complying with its own obligations in this regard Vendors’ privacy policies and notices should accurately reflect the data processing activities carried out by the Vendor, and should at all times be consistent with the processes by which data flows between Vendors and Riskified.
Riskified expects its Vendors to notify Riskified immediately in the event of an actual or suspected data breach resulting in the dissemination of personal information relating to Riskified or its subsidiaries, customers, management, employees or other related parties, and of the steps Vendors are taking to address the breach.
Riskified expects its Vendors to review and comply with Riskified’s Privacy Policy available at https://www.riskified.com/terms/.
-
Human rights, employee relations and non-discrimination
We expect our Vendors to comply with all applicable human rights laws prohibiting child, forced, indentured, or involuntary labor.
Riskified expects its Vendors to pay wages in compliance with applicable minimum wage laws, respect maximum working hour standards and provide benefits in compliance with all applicable laws.
Riskified also expects its Vendors to conduct themselves in a professional manner with courtesy and respect for others. Riskified will not tolerate harassment by our Vendors in any form, including verbal, physical, or sexual harassment.
Riskified is committed to providing equal opportunities in employment, development, and advancement for all qualified persons and to promoting diversity and inclusion – and our Vendors are expected to share that commitment. Riskified does not tolerate illegal discrimination or harassment of any kind by its Vendors.
-
Environment, safety, and health
Riskified expects its Vendors to manage and operate in a manner protective of human health, safety, and the environment, especially as it relates to Vendors work with Riskified.
Riskified expects its Vendors to comply with both the letter and spirit of the applicable health, safety and environmental laws and regulations and to attempt to develop a cooperative attitude with government inspection and enforcement officials.
-
Use and protection of riskified corporate assets
If provided with Riskified assets (including technology, software, proprietary information, or other physical assets), Vendors are expected to protect these assets and ensure their efficient use for legitimate business purposes.
In The News
The Paypers, 9 June 2021
Riskified Joins Shopify Plus Certified App Program
Finextra / American Express, 2 June 2021
AmEx makes online fraud fighting tech available to more merchants
Air Cargo Week, 7 May 2021
IATA Partners with Riskified to Help Detect Ticket Fraud
Pagamenti Digitali, 3 May 2021
Payments of up to 500 euros can be processed without two-factor authentication, thanks to service launched by Axerve (Italian)