E-IDV Global Ltd

Privacy & Cookies Policy

This Privacy Policy describes how E‑IDV Global Ltd, a Jersey company with registration number 132357 (“E-IDV”, “we”, “our” or “us”) collect, use, and share information in connection with your use of our websites (including www.e-idv.co.uk, www.e-idv.je, www.e-idvglobal.com), services, and applications (collectively, the “Services”).

This Privacy Policy (the “Privacy Policy”) does not apply to information our customers may process when using our Services.

We may collect and receive information about users of our Services (“users”, “you” or “your”) from various sources, including: (i) information you provide through your user account on the Services (your “Account”) if you register for the Services; (ii) your use of the Services; and (iii) from third party websites, services, and partners.

We recommend that you read this Privacy Policy in full to ensure you are fully informed. If you have any questions about this Privacy Policy or E‑IDV’s data collection, use, and disclosure practices, please contact us at [email protected]

  1. INFORMATION WE COLLECT
    1. Information You Provide
      1. Account Registration When you register for an Account, we may ask for your contact information, including items such as name, company name, address, email address, and telephone number.
      2. Payment Infomation When you add your financial account information to your Account, that information is directed to our third-party payment processor. We do store your financial account information on our systems to enable billing for the services you have requested; we have access to, and may retain, subscriber information through our third-party payment processor.
      3. Communications If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide. We may also receive a confirmation when you open an email from us. The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
    2. Information We Collect When You Use Our Services
      1. Cookies and Other Tracking Technologies As is true of most websites, we gather certain information automatically and store it in log files. In addition, when you use our Services, we may collect certain information automatically from your device. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, clickstream data, landing page, and referring URL. To collect this information, a cookie may be set on your computer or device when you visit our Services. Cookies contain a small amount of information that allows our web servers to recognise you. We store information that we collect through cookies, log files, and/or clear gifs to record your preferences. We may also automatically collect information about your use of features of our Services, about the functionality of our Services, frequency of visits, and other information related to your interactions with the Services. We do not track your use across different websites and services. Our cookies are session cookies and have a limited life.
      2. Usage of our Services When you use our Services, we may collect information about your engagement with and utilisation of our Services, such as storage capacity, navigation of our Services, and system-level metrics. We use this data to operate the Services, maintain and improve the performance and utilisation of the Services, develop new features, protect the security and safety of our Services and our customers, and provide customer support. We also use this data to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business.
    3. Information We Receive from Third Parties
      1. Third-Party Accounts If you choose to link to our Services through a third party account, we will receive information about that account, such as your authentication token from the third-party account, to authorise linking. If you wish to limit the information available to us, you should visit the privacy settings of your third-party accounts to learn about your options.
      2. Third-Party Partners We may also receive publicly available information about you from our third-party partners and combine it with data that we have about you.
      3. Data Controllers and Sub-Processors We may also receive data from Data Controllers and Sub-Processors, described in more detail in Appendix 3, who provide services relating to the provision of our Services.
  2. HOW WE USE INFORMATION

    We use the information we collect in various ways, including to:

    • Provide, operate, and maintain our Services;
    • Improve, personalise, and expand our Services;
    • Understand and analyse how you use our Services;
    • Develop new products, services, features, and functionality;
    • Communicate with you, either directly or through a Third-Party with whom your account is linked, including for customer service, to provide you with updates and other information relating to the Service, and for marketing and promotional purposes;
    • Process your transactions, including identity verification checks as appropriate;
    • Send you text messages and notifications;
    • Find and prevent fraud; and
    • For compliance purposes, including enforcing our Terms of Use, or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
  3. HOW WE SHARE INFORMATION

    We may share the information we collect in various ways, including the following:

    1. Vendors, Service Providers, Data Controllers and Sub-Processors We may share information with third-party vendors and service providers described in more detail in Appendix 3, that provide services on our behalf, such as helping to provide our Services, or for promotional and/or marketing purposes, and to provide you with information relevant to you such as product announcements, software updates, special offers, or other information.
    2. Aggregate Information Where legally permissible, we may use and share information about users with our partners in aggregated or de-identified form that can’t reasonably be used to identify you.
    3. Third-Party Partners We also share information about users’ use of the services with third-party partners, with whom you have linked your account, in order identify your use of the services and to carry out billing for your services usage.
    4. Analytics We use analytics providers such as Google Analytics. Google Analytics uses cookies to collect non-identifying information. Google provides some additional privacy options regarding its Analytics cookies at http://www.google.com/policies/privacy/partners/.
    5. Business Transfers Information may be disclosed and otherwise transferred to any potential acquirer, successor, or assignee as part of any proposed merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
    6. As Required By Law and Similar Disclosures We may also share information to (i) satisfy any applicable law, regulation, legal process, or governmental request; (ii) enforce this Privacy Policy and our Terms of Use, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) respond to your requests; or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organisations for fraud protection and spam/malware prevention.
    7. With Your Consent We may share information with your consent.
  4. LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION

    Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

    However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you; (ii) where the processing is in our legitimate interests and not overridden by your rights; or (iii) where we have your consent to do so. We have a legitimate interest in operating our Services and communicating with you as necessary to provide these Services, for example when responding to your queries, improving our platform, undertaking marketing, or for the purposes of detecting or preventing illegal activities.

    In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

    If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

  5. THIRD-PARTY SERVICES
    1. You may access other third-party services through the Services, for example by clicking on links to those third-party services from within the Services. We are not responsible for the privacy policies and/or practices of these third-party services, and we encourage you to carefully review their privacy policies.
  6. SECURITY
    1. E‑IDV is committed to protecting your information. To do so, we employ a variety of security technologies and measures designed to protect information from unauthorized access, use, or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that the Internet cannot be guaranteed to be 100% secure.
  7. DATA RETENTION
    1. We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).
    2. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  8. ACCESS
    1. If you are a registered user, you may access certain information associated with your Account by logging into our Services or emailing [email protected]
    2. To protect your privacy and security, we may also take reasonable steps to verify your identity before updating or removing your information. The information you provide us may be archived or stored periodically by us according to backup processes conducted in the ordinary course of business for disaster recovery purposes. Your ability to access and correct your information may be temporarily limited where access and correction could: inhibit E‑IDV’s ability to comply with a legal obligation; inhibit E‑IDV’s ability to investigate, make or defend legal claims; result in disclosure of personal information about a third party; or result in breach of a contract or disclosure of trade secrets or other proprietary business information belonging to E‑IDV or a third party.
  9. YOUR DATA PROTECTION RIGHTS

    If you are a resident of the UK, British Crown Dependencies or EEA, you have the following data protection rights:

    1. If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by emailing [email protected]
    2. In addition, you can object to the processing of your personal information, ask us to restrict the processing of your personal information, or request portability of your personal information. Again, you can exercise these rights by emailing [email protected]
    3. You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the "unsubscribe" or "opt-out" link in the marketing emails we send you. To opt-out of other forms of marketing, please contact us by emailing [email protected]
    4. Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
    5. You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority
    6. Further details on our Data Processing Agreement are given in Appendix 1.

    We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

  10. YOUR CHOICES

    You cannot use the features of the Services without registering. You may unsubscribe from receiving certain promotional emails from us. If you wish to do so, simply follow the instructions found at the end of the email. Even if you unsubscribe, we may still contact you for informational, transactional, account-related, or similar purposes.

    Many browsers have an option for disabling cookies, which may prevent your browser from accepting new cookies or enable selective use of cookies. Please note that, if you choose not to accept cookies, you will be unable to access the Services as we will be unable to verify your identity for security.

  11. CHILDREN’S PRIVACY

    E‑IDV does not knowingly collect information from children under the age of 18, and children under 18 are prohibited from using our Services. If you learn that a child has provided us with personal information in violation of this Privacy Policy, you can notify us at [email protected]

  12. CHANGES TO THIS PRIVACY POLICY

    This Privacy Policy may be modified from time-to-time, so please review it frequently. Changes to this Privacy Policy will be posted on our website. If we materially change the ways in which we use or share personal information previously collected from you through our Services, we will notify you through our Services, by email, or other communication.

  13. INTERNATIONAL DATA TRANSFERS

    E‑IDV is a global business. We may transfer personal information to countries other than the country in which the data was originally collected. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your personal information to other countries, we will protect that information as described in this Privacy Policy and in accordance with Data Protection Laws.

  14. Contact Us

    If you have any questions or concerns about this Privacy Policy, please feel free to email us at [email protected]

    The data controller of your personal information is E‑IDV GLOBAL LTD, registered in Jersey, with company number: 132357.

Effective Date

This Privacy Policy became effective on: 4th January 2024.

Appendix 1

Data Processing Agreement

This Customer Data Processing Agreement reflects the requirements of the Data Protection (Jersey) Law 2018 and associated General Data Protection Regulation (“GDPR”) Regulation (EU) 2016/79. E-IDV’s products and services offered in Jersey are GDPR ready and this DPA provides you with the necessary documentation of this readiness.

All capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement. You enter into this DPA on behalf of your organisation and, to the extent required under Data Protection Laws, in the name and on behalf of any Users which you choose to grant access to the Services through your organisations registered account.

The parties agree as follows:

  1. Scope and Applicability of this DPA
    1. This DPA applies where and only to the extent that E‑IDV processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of Jersey. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
    2. Role of the Parties As between E‑IDV and the Registered Organisation, Registered Organisation is the Controller of Personal Data and E‑IDV shall process Personal Data only as a Processor on behalf of Registered Organisation. Nothing in the Agreement or this DPA shall prevent E‑IDV from using or sharing any data that E‑IDV would otherwise collect and process independently of Registered Organisation’s use of the Services.
    3. Customer Obligations Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to E‑IDV; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for E‑IDV to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
    4. E‑IDV Processing of Personal Data As a Processor, E‑IDV shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by Registered Organisation to the extent they are consistent with the terms of this Agreement and only in accordance with Registered Organisation’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Registered Organisation’s complete and final instructions to E‑IDV in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Registered Organisation and E‑IDV.
    5. Nature of the Data E‑IDV handles Data provided by Registered Organisation. Such Data may contain special categories of data depending on how the Services are used by Registered Organisation. The Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to the Registered Organisation; (ii) to provide customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
    6. E‑IDV Data Notwithstanding anything to the contrary in the Agreement (including this DPA), Registered Organisation acknowledges that E‑IDV shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support and product development. To the extent any such data is considered personal data under Data Protection Laws, E‑IDV is a Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
  2. Further Processing
    1. Authorised Data Controllers and Sub-processors Registered Organisation agrees that E‑IDV may engage Data Controllers and Sub-processors to process Personal Data on Registered Organisation’s behalf. The Data Controllers and Sub-processors currently engaged by E‑IDV and authorized by the Registered Organisation are shown in Appendix 2.
    2. Sub-processor Obligations E‑IDV shall: (i) enter into a written agreement with the Sub-processor and the Sub-processor shall protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause E‑IDV to breach any of its obligations under this DPA.
    3. Changes to Data Controllers and Sub-processors E‑IDV shall provide Registered Organisation reasonable advance notice (for which email shall suffice) if it adds or removes Data Controllers and Sub-processors.
    4. Objection to Data Controllers and Sub-processors Registered Organisation may object in writing to E-IDV’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying E‑IDV promptly in writing within five (5) calendar days of receipt of E-IDV’s notice in accordance with Section 2.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by E‑IDV without the use of the objected-to-new Sub-processor.
  3. Security
    1. Security Measures E‑IDV shall implement and maintain appropriate technical and organisational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.
    2. Confidentiality of Processing E‑IDV shall ensure that any person who is authorised by E‑IDV to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
    3. Security Incident Response Upon becoming aware of a Security Incident, E‑IDV shall notify the Registered Organisation without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the Registered Organisation.
    4. Updates to Security Measures Registered Organisation acknowledges that the Security Measures are subject to technical progress and development and that E‑IDV may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Registered Organisation.
  4. Security Reports and Audits
    1. E‑IDV shall maintain records of its security standards. Upon Registered Organisation's written request, E‑IDV shall provide (on a confidential basis) details of relevant information security management compliance, audit report summaries and/or other documentation reasonably required by Registered Organisation to verify E‑IDV's compliance with this DPA. E‑IDV shall further provide written responses (on a confidential basis) to all reasonable requests for information made by the Registered Organisation, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm E‑IDV's compliance with this DPA, provided that Registered Organisation shall not exercise this right more than once per year.
  5. International Transfers
    1. Processing Locations E‑IDV stores and processes Data (defined below) in data centres located inside and outside Jersey, the UK and the European Union. E‑IDV shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.
    2. Transfer Mechanism Notwithstanding Section 5.1, to the extent E‑IDV processes or transfers (directly or via onward transfer) Personal Data under this DPA from Jersey or the UK (“Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, the parties agree that E‑IDV shall provide appropriate safeguards for such data by ensuring the processing of such data is in accordance with Data Protection Laws. Registered Organisation hereby authorises any transfer of Data to, or access to Data from, such destinations outside Jersey or the UK subject to these measures having been taken.
  6. Return or Deletion of Data
    1. Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent E‑IDV is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data E‑IDV shall securely isolate and protect from any further processing, except to the extent required by applicable law.
  7. Cooperation
    1. To the extent that Registered Organisation is unable to independently access the relevant Personal Data within the Services, E‑IDV shall (at Customer's expense) taking into account the nature of the processing, provide reasonable cooperation to assist Registered Organisation by appropriate technical and organisational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to E‑IDV, E‑IDV shall not respond to such communication directly without Registered Organisation's prior authorisation, unless legally compelled to do so. If E‑IDV is required to respond to such a request, E‑IDV shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
    2. To the extent E‑IDV is required under Data Protection Law, E‑IDV shall (at Registered Organisation’s expense) provide reasonably requested information regarding E‑IDV's processing of Personal Data under the Agreement to enable the Registered Organisation to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
  8. Miscellaneous
    1. This DPA is a part of and incorporated into the Terms and Conditions of Use so references to "Agreement" in the Agreement shall include this DPA.
    2. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
    3. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions of Jersey, unless required otherwise by Data Protection Laws.

Appendix 2

Data Controllers, Data Processers & Sub-Processors

  1. Where Users have selected Services related to Identity Verification, PEPs, Sanctions list checks and/or adverse media screening services on a Customer who has given their consent, E‑IDV may share data with the London Stock Exchange Group PLC, a Sub-Processor of data, with whom E‑IDV has a service agreement. London Stock Exchange Group privacy and cookie policy is described at https://www.lseg.com/en/policies/privacy-and-cookie-statement. Where the London Stock Exchange Group PLC provide data, they are the Data Controller of that data.
  2. Where Users have selected Services related to identity verification services on a Customer who has given their consent, E‑IDV may share data with Hooyu Limited (a wholly owned subsidiary of Mitek Systems Inc.), a Sub-Processor of data, with whom E‑IDV has a service agreement. Hooyu Limited privacy policy is described at https://www.hooyu.com/legal/privacy-policy and their terms and conditions of use are at https://www.hooyu.com/legal/terms-and-conditions

Appendix 3

Supplier/Sub-Outsourcing Arrangements applicable to Jersey Clients

INTRODUCTION

  1. E‑IDV operates from its Head Office in Jersey, plus other UK-based offices, and employs around 30 people across these locations.
  2. E‑IDV business is designed to help our customers make intelligent and responsible decisions by providing innovative software, data and information to clients and consumers. We assist our customers in understanding and protecting themselves against any association with financial crime.
  3. E‑IDV is an innovative software company that allows its clients to access world-class financial crime prevention solutions through its creative website hub. Through its “outsourcing” arrangements with its suppliers, E‑IDV is committed to conducting business ethically and sustainably and requires the same of our supply chain of financial crime prevention solutions (SUPPLIERS). The current solutions providers are shown in Appendix 2 (Data Controllers, Data Processors, and Sub-Processors).
  4. E‑IDV outsourced suppliers are essential in our sustainability, business, and technical performance. E‑IDV will only engage with a supplier where formal contractual agreement(s) exist.

E‑IDV DIGITAL OUTSOURCING

INTRODUCTION

  1. Many financial services regulators state:
    1. Where E‑IDV engages and contracts with a customer on a defined activity, this arrangement will be seen as “OUTSOURCING”
  2. In Jersey, the Jersey Financial Service Commission (JFSC) Outsourcing Policy (OSP) Issued 1 March 2017, Last revised 1 December 2023 (effective from 1 January 2024) states that outsourcing is:
    1. an arrangement between a Business (e.g., E‑IDV customer) and a Service Provider (e.g., E‑IDV) by which:
      1. a Service Provider performs Outsourced Activity and
      2. where that Service Provider’s failure to perform or inadequate performance of such Outsourced Activity would materially prevent, disrupt, or impact upon the continuing compliance of that Business’ Regulated Activity with the applicable Regulatory Laws
  3. Considering the above definition, the only service E‑IDV provides that meets this test in Jersey is:
    1. Hooyu Limited is a wholly owned subsidiary of MiTek Systems Inc.

JFSC OSP SEVEN (X7) CORE PRINCIPLES

  1. Central to the JFSC OSP seven (x7) core principles. Concerning these x7 principles, E‑IDV will endeavour to ensure all of its customers in Jersey and globally can easily comply. To do so, E‑IDV has adopted these x7 principles as follows:
    1. Core Principle No.1
      1. JFSC OSP STATES
        1. An E‑IDV customer is responsible for and accountable to their regulator (e.g., JFSC) for any Outsourced Activity.
      2. E‑IDV Response
        1. E‑IDV has ensured that its contracts and business terms meet the x7 core principles in so far as they apply. E‑IDV will ensure it provides any management information promptly.
    2. Core Principle No.2
      1. JFSC OSP STATES
        1. An E‑IDV customer must ensure that any Service Provider performing Outsourced Activity is Fit and Proper
      2. E‑IDV Response
        1. E‑IDV will cooperate with a potential customer and a customer on an ongoing basis to ensure it meets the standards required to be ‘fit and proper’ within the meaning of applicable regulatory laws in the jurisdiction where its customer operates. For example, 4.3.5 Use of E-ID from the JFSC Handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing
    3. Core Principle No.3
      1. JFSC OSP STATES
        1. An E‑IDV customer must place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity.
      2. E‑IDV Response
        1. This Appendix 3, along with the main body of this agreement, is designed to meet this principle.
    4. Core Principle No.4
      1. JFSC OSP STATES
        1. An E‑IDV customer must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper Core Principle
      2. E‑IDV Response
        1. E‑IDV's unique and innovative website and call centre will allow an E‑IDV customer to question E‑IDV on any operating matter. E‑IDV commit to answering any question promptly but no more than five (x5) working days.
    5. Core Principle No.5
      1. JFSC OSP STATES
        1. An E‑IDV customer must maintain suitable contingency plans if a Service Provider’s performance suffers a material disruption or ends unexpectedly.
      2. E‑IDV Response
        1. if E‑IDV suffers a material disruption or ends unexpectedly, all customer data will be readily available through its backup solutions.
    6. Core Principle No.6
      1. JFSC OSP STATES
        1. Except for where the OSP provides explicitly otherwise, An E‑IDV customer must complete and upload an Outsourcing Notification before they appoint E‑IDV as a Service Provider. And where the Outsourced Activity is not Regulated Activity (E‑IDV or its supply chain are not regulated), there is nothing more to do.
      2. E‑IDV Response
        1. The JFSC notification process is outlined in Appendix A of the JFSC OSP
        2. E‑IDV will ensure it assists customers in completing this notification if asked.
    7. Core Principle No.7
      1. JFSC OSP STATES
        1. An E‑IDV customer must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict the JFSC regulatory powers in respect of the Business or the Outsourced Activity
      2. E‑IDV Response
        1. E‑IDV, as a Jersey business, albeit not regulated by the JFSC, will cooperate with any JFSC inspection and or request for information in so far the JFSC follow the correct legal format

SUB-OUTSOURCING TO E‑IDV SUPPLIERS

  1. E‑IDV has a supply chain of suppliers. According to the JFSC OSP, these suppliers must be treated as “sub-outsourcing” relationships. The JFSC definition is:
    1. Sub-outsourcing is an arrangement between a Service Provider (E‑IDV) and a Sub-Contractor (E‑IDV SUPPLIER) by which the Sub-Contractor performs Outsourced Activity that E‑IDV would otherwise undertake on behalf of its customer.
  2. The JFSC says where Sub-Outsourcing takes place, an E‑IDV customer must adhere to Core Principles 1, 2, 3, 5 and 7 of the OSP.
  3. Principles 1, 2, 3, 5, and 7 are as follows with E-IDVs responses.
    1. Core Principle No. 1
      1. JFSC OSP STATES
        1. A Business is responsible for and accountable to the JFSC for any Outsourced activity. A Business cannot delegate accountability or responsibility for Outsourced Activity, including Sub-Outsourcing.
      2. E‑IDV Response
        1. E‑IDV will always make a customer aware of its supply chain and the agreement of each provider in the supply chain and cooperate with any enquiry about an E‑IDV supplier.
    2. Core Principle No. 2 (A)
      1. JFSC OSP STATES
        1. A Business must
          1. Must ensure that any Service Provider performing Outsourced activity is Fit and Proper and
          2. must carry out adequate due diligence and risk assessment of each Service Provider and Sub-Contractor under the Sub-Outsourcing and
          3. Should be able to object to any Service Provider or Sub-Contractor should it not meet the required standards of compliance or oversight (as assessed by the Business).
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    3. Core Principle No. 2 (B)
      1. JFSC OSP STATES
        1. A business should put in place an Outsourcing Agreement between it and the Service Provider which states, amongst other things,
          1. Sub-outsourcing is permitted, provided that the Business
            1. has prior knowledge of it,
            2. has granted its approval and
            3. has adequately considered all associated risks.
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    4. Core Principle No. 2 (C)
      1. JFSC OSP STATES
        1. An exception to the above 2(B)
          1. Obtaining a business's approval for sub-outsourcing may not always be practical because the Sub-Outsourced Activity is provided on standard terms and conditions.
          2. In these minimal circumstances, the JFSC expect a Business to manage the relationship with E‑IDV (its primary Service Provider) carefully and to file a post-event Outsourcing Notification as soon as it is on notice of the Sub-Outsourcing detailing why it was not possible to make an Outsourcing Notification before the commencement of the Sub Outsourced Activity, and
          3. If a “No” Objection is required but is not granted, the relevant business must terminate its relationship with the primary Service Provider as soon as reasonably practicable.
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    5. Core Principle No. 2 (D)
      1. JFSC OSP STATES
        1. For any Sub-Outsourcing of Cloud Services, a Business should
          1. review any Sub-Outsourcing relevant to the Business’ Regulated Activity to assess whether such Sub-Outsourcing would enable the Business to continue to comply with all applicable Regulatory Laws or other regulatory requirements which apply to its Regulated Activity
          2. consider the nature of the information or data being stored, managed, or transmitted by the Sub-Contractor and whether the due diligence and risk assessment of the Service Provider and/or the Sub-Contractor would support this arrangement.
          3. If the Business is unsatisfied with any of the above, it should be able to object and prevent the Sub-Outsourcing from going ahead.
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    6. Core Principle No. 3
      1. JFSC OSP STATES
        1. A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    7. Core Principle No.5
      1. JFSC OSP STATES
        1. A Business must maintain suitable contingency plans if a Service Provider’s performance suffers a material disruption or ends unexpectedly. A Business remains fully responsible for ensuring that appropriate contingency plans are in place where there are Sub-Outsourcing.
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.
    8. Core Principle No.7
      1. JFSC OSP STATES
        1. A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict the JFSC regulatory powers regarding the Business or the Outsourced Activity. Sub-outsourcing should not avoid or limit the JFSC legal or regulatory authorities regarding the Business or the Outsourced Activity. Nor should it restrict the business’ ability to conduct ongoing compliance monitoring of the outsourced activity by the service provider and/or Subcontractor with applicable regulatory laws or other regulatory requirements that apply to its regulated activity.
      2. E‑IDV Response
        1. E‑IDV has addressed this above in the x7 core principles.