Privacy Policy

1. GENERAL

At VerifyVASP Pte. Ltd. (referred to as "VV", "we", "us" and "our"), we are committed to protect the privacy and Personal Data (as defined in clause 2 below) of our clients who has subscribed to our Service, as Licensee (also referred to as "you", "yours"). We believe in being transparent about the data or information we collect, the reasons or basis for collecting it and how we use such data or information. In keeping with these principles, our Privacy Policy explains our information handling practices, including how we collect, use, process, and disclose Personal Data or other types of information when you register and subscribe to our Service.

Unless otherwise stated herein, the defined terms used in this Privacy Policy shall have the meanings ascribed to them in clause 2 of the definition section of this Privacy Policy and to the definition and meaning specified in clause 2 of the Terms of Service.

Privacy and data protection is a fundamental commitment at VV, which is an essential component of our core services and integral to our operating environment. We protect the data and privacy of our Licensee and operate our Service to strict privacy and data protection standards and in compliance with Applicable Law.

We take our commitment to privacy seriously and seek to deliver a strong degree of privacy by ensuring that all data is protected by design, operating on principles of data minimisation, as well as by ensuring our full compliance with all applicable privacy and data protection laws. VV operates a secure lifecycle data management, by establishing privacy and data protection throughout the entire lifecycle of the data involved, ensuring that the data is securely retained, and then securely destroyed at the end of the process.

Please take a moment to read this Privacy Policy carefully. If you have any questions about this Privacy Policy, please contact our Customer Support.

(a) ACCEPTANCE OF PRIVACY POLICY

By accessing and using our Service, you confirm your acceptance of the terms of this Privacy Policy. Where we require your additional consent to use, process or disclose your Personal Data for reasons other than those specified in this Privacy Policy, we will ask for your permission before carrying out such processing.

By providing the Licensee Corporate Data, including Personal Data of the related or connected parties (i.e., directors, shareholders, beneficial owners and Authorised Users), you undertake that the disclosure of Personal Data to VV is for VV's purposes (as described below or in the relevant privacy notice) and is within the scope of the consent given to you by such related or connected parties.

You further accept that the Licensee Corporate Data, including any Personal Data provided to VV, may be shared with other counterparty VASP in order to facilitate the exchange of information pursuant to the Service. If you do not agree to this feature, please contact our Customer Support, which in turn, may preclude you from accessing information relating to other counterparty VASP.

If you do not agree or are not comfortable with any aspect of this Privacy Policy, you should immediately discontinue access or use of the VV Platform and contact our Customer Support to terminate your account.

(b) CHANGES TO THIS PRIVACY POLICY

VV reserves the right to modify this Privacy Policy at any time. We will notify you of any material changes made to this Privacy Policy, by posting on our website or via such other means for VV to notify you of the revision to the Privacy Policy. If you have any questions, requests or complaints relating to your Personal Data or this Privacy Policy, please contact our Customer Support.

(c) DATA CONTROLLER

To the extent that VV acts as a Controller (as specified below), the Controller is:

VerifyVASP Pte. Ltd.
1 Harbourfront Avenue, #13-03, Singapore 098632
Tel: + 65 6721-9982
Email: [email protected]

(d) CUSTOMER SUPPORT

Any questions, requests and complaints about VV's responsibilities regarding the protection of Personal Data can be directed to this email address: [email protected]

(e) DATA PROTECTION OFFICER (DPO)

The DPO is responsible for (a) protecting the Personal Data or information, which have been provided pursuant to the use and access of the Service; (b) answering questions, requests and complaints which have been addressed to VV and/or sent directly to the attention of the DPO. The DPO is authorised to carry out internal supervision in connection with VV's responsibilities under this Privacy Policy. Alternatively, any questions, requests and complaints about VV's responsibilities regarding the protection of Personal Data can be directed to our Customer Support, who in turn will refer the matter to VV's DPO.

In any event VV's Data Protection Officer can be contacted at the following email address:

Attn: Data Protection Officer [email protected]

(f) VV'S POLICIES, PRINCIPLES AND PRACTICES

VV's policies and practices are designed to ensure privacy and to protect all data in our possession, whether considered Personal Data or not.

We operate according to the following stated principles and objectives:

Appropriateness: We regularly review our Terms of Service, Documentation and Privacy Policy, published on our website to ensure we can clearly explain how we handle data and information.
Transparency: Contact details of VV's Customer Support, Data Protection Officer and availability of the data policies are stated in this Privacy Policy, which is publicly posted on our website.
Privacy by design:Respect for privacy and protecting data is paramount at every stage of the design, development and delivery of our Service.
Data minimisation: We collect the minimum amount of data needed to fulfil our Service obligations.
Data retention limitation: We will cease the retention of any data or remove the means by which the Personal Data can be associated with any particular individuals, as soon as it is reasonable to assume the retention of data is no longer necessary for any legal, business or record purposes.
Awareness: We provide awareness training to all our employees and relevant Affiliate to ensure they have a clear understanding of the importance of data privacy and how to ensure data is protected.

Our use and protection of data is strictly controlled according to policies and processes, which are subject to audit review. Our data messaging service, which consists of encrypting data, includes data protection controls. Our Data Protection Officer regularly reviews these controls and makes appropriate modification within the related policies as may be required, which includes Personal Data protection, data retrieval and privacy statement.

2. PROCESSING OF PERSONAL DATA

(a) DEFINITIONS

Other than the following words defined below, all other capitalized words and expressions used in this Privacy Policy shall be defined and carry the same meaning, as stated in clause 2 of the Definition section of the Terms of Service.

"Controller" means the natural or legal person, association, agency or other body which, alone or jointly with others, determines the purpose and means of processing the Personal Data.
"Data Processor or Data Intermediary" means a natural or legal person, public authority, agency or other body, which processes Personal Data on behalf of the Controller.
"Data Subject" refers to the information provided by you as part of the Licensee Corporate Data that includes any information attributable to the Licensee and any individual persons who can be identified, directly or indirectly from an identifier such as the name, date and place of birth, address and account number, as the case maybe.
"Personal Data" refers to any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Take note that the definition of Personal Data under PDPA does not extend to anonymised data, as such anonymised data cannot be used to identify individuals. In addition, data of non-natural persons or body corporates are not considered Personal Data.
"Processing" refers to any operation or sets of operations that are performed on Personal Data, whether or not by automated means, including for example, collection, use, transfer and disclosure of Personal Data.

(b) VV AS DATA CONTROLLER

As With regard to any Licensee Corporate Data collected, which may include Personal Data of individual shareholders, directors and Authorized Users, we act as a Controller.

As a Controller, we will process the following categories of data:

Identity Data: including name, date and country of incorporation, business registration number and registered address, nature of business, type of business license and validity, name and country of supervising regulator; name of individual directors, shareholders, contact person or Authorized Users including username and password of the Authorized Users, the date of birth, nationality, passport number and/or valid government identity number, country of birth, country of residence and residential address of the individuals;
Contact Data: including e-mail address and mobile phone number of the contact person and Authorized Users (as the case may be);
Financial Data: including billing information, information on payment methods;
Technical Data: including information on technical usage of our Service, IP addresses in server logs and usage logs.

We will process this data for the following purposes and on the following legal basis:

i. We process Identity, Contact and Financial Data to enter into a contract with our Licensee and to address the relevant legal and regulatory obligations under the Applicable Law, including those relating to Know Your Clients ("KYC") / Anti Money Laundering ("AML") and Countering Financing Terrorism ("CFT"). We also perform invoicing and manage the contractual obligation and relationship. The legal basis for this is the legitimate interest in complying with legal obligations, contractual necessity and performance.

ii. We also process Identity and Contact Data to deliver targeted marketing communications, newsletters and materials relating to VV and its Service which may be of interest to our Licensee and their Authorized Users. The legal basis for this is based on the consent of each Licensee and the Licensee may choose to unsubscribe to any marketing communications by following the instructions provided in each marketing email.

iii. We use Identity and Technical Data to enable the Licensee to access and use the VV Platform. The legal basis for this is due to contractual necessity and performance.

iv. We use Technical Data to administer and protect the VV Platform, to ensure the safety and security of the Service and to improve and/or troubleshoot any potential problems relating to the Service. The legal basis for this is for business improvement purposes and our legitimate interest in protecting and improving our infrastructure. This legitimate interest outweighs the legitimate interest of the data subjects.

v. We use Identity and Contact Data to communicate with our Licensee or to respond to inquiries of any data subjects directed at us. Insofar as this concerns contractual performance, the legal basis shall be contractual performance. Otherwise, the legal basis shall be our legitimate interest in communicating with data subjects or processing the request.

vi. We may use all categories of data to respond to any governmental, regulatory or law enforcement requests to which we are legally obligated to comply. The legal basis for this is our compliance with a legal obligation if it is a legal obligation of VV and/or it is in our legitimate interest in complying with any legal obligations that may apply to us outside Singapore, which may include the European Union jurisdictions and South Korea.

vii. We disclose the Licensee Corporate Data with other VASP alliance members in order to facilitate information sharing and fulfil counterparty VASP due diligence requirement. Such disclosure is based on the consent of each Licensee. Licensee may opt-out of this feature by notifying our Customer Support, acknowledging that its refusal will prevent the Licensee who chose to opt-out, from accessing other VASP's Licensee Corporate Data. Service.

(c) VV AS A PROCESSOR / DATA INTERMEDIARY

With regard to the VV Platform and the processing of any End User Data, we act as a Processor or Data Intermediary. Licensee will remain as the Controller in regard to any End User Data that is transmitted through the VV Platform.

The messages and data flows between the Licensee and counterparty VASPs are encrypted with both logical and physical security measures implemented and monitored for continued effectiveness. Encryption and Licensee- to-Licensee authentication are adopted to prevent unauthorised access by, or malicious injection of data from internal or external sources. We constantly monitor the data messaging services on the VV Platform for suspicious activity.

As a Processor or Data Intermediary, VV has no direct relationship with the End Users and does not have any means to access the End User Data nor does VV have any search capabilities in order to look for specific individual or non-individuals data mentioned in the End User Data. Consequently, VV is unable to assist its Licensee to respond to any data protection requests coming from the End Users in exercising their Data Subject's rights.

Licensee should determine if their domicile laws have adopted FATF's Travel Rule Recommendation into local AML/CFT laws. Licensee are required to assess and ensure relevant consent, sufficient legal basis and justifications have been established, prior to any End User Data transmission via the VV Platform. Licensee should established consent from the End Users (where required) and ensure that the End Users are appropriately informed of the purpose and necessity for which their Personal Data are disclosed and shared with various counterparties, pursuant to the Travel Rule regulatory requirement.

(d) CONFIDENTIALITY, INTEGRITY, AND SECURITY

We require that the Licensee apply the process of encryption and decryption protocol to the End User Data (which may include Personal Data) when transmitting it via VV Platform, ensuring the confidentiality and protection of any Licensee Corporate Data, which is used for providing the Service.

We will apply the appropriate technical, physical, and organisational security measures to protect the End User Data against accidental or unlawful decryption and any Licensee Corporate Data against destruction, loss, alteration, unauthorised disclosure or access, and/or against other anticipated threats or hazards and relevant unlawful forms of processing.

(e) PERSONAL DATA BREACH NOTIFICATION

In case of a Personal Data breach relating to the Licensee Corporate Data, leading to an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to that Personal Data that we process as a Controller, we will notify the Personal Data breach to the Singapore's Personal Data Protection Commission (PDPC), and/or to any such other Regulator, as may be required.

If required under the Applicable Law, VV will notify the Licensee of any security incidents that lead to the accidental or unlawful decryption of the End User Data, and/or any destruction, loss, alteration, unauthorised disclosure of, or access to any Licensee Corporate Data without undue delay after becoming aware of the Personal Data breach. VV will also notify such Personal Data breach to the relevant Data Protection Authority, including the PDPC without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of individuals.

(f) DATA RETENTION

We take measures to delete Personal Data when the information is no longer necessary for the purposes for which VV processes it, unless we are required by Applicable Law to keep the data or information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested or provided, the nature and length of VV's relationships with the Licensee, possible re-enrolment with VV's products and services by the Licensee, the impact on the Service that VV provides if VV deletes some Personal Data, or any other possible business purposes and the mandatory retention periods provided by any Applicable Laws and the statute of limitations.

(g) REQUESTS FROM REGULATORS OR LAW ENFORCEMENT AGENCIES

We do not have access to, nor are we able to view, any Personal Data contained within End User Data. Accordingly, any inquiries or requests from regulatory or law enforcement authorities concerning End User Personal Data will be referred directly to the relevant Licensee.

For other categories of data under our control—such as Licensee Corporate Data—we evaluate each request or inquiry from such authorities on a case-by-case basis. Where disclosure is required by Applicable Laws or deemed necessary, we may disclose such data. Where legally permissible, we will notify the affected Licensee of any such disclosure, unless prohibited from doing so by law.

(h) ABOUT THE SECURITY MEASURES

We have controls in place that are designed to ensure adequate security, taking into account its encryption protocol, the costs of implementation and the nature, scope, context and purposes of processing as well as the relative rights of the individuals concerned. VV reviews its security measures on a regular basis.

Our service commitment include our commitment in terms of confidentiality, integrity, and availability of the various data. Our information security framework is governed by an information security policy, supported by technical and organisational security measures which are formally documented in our security policy. We will engage a reputable independent auditor to perform an audit on the prevailing security control policies established on the VV Platform or core messaging services, in accordance with international standards, which will provide some audit assurances on key considerations around availability, processing integrity, confidentiality and privacy, and will enable us to provide an independent, third-party assurance as to the adequacy of the design of the controls, and the fact that VV have an effective operating process and security controls.

This security framework includes, but is not limited to:

Logical and physical access controls, restricting logical access to data-processing systems and functionality (authorisation) to authorised individuals and/or when applicable, restricting physical access to its data-processing facilities only to authorised individuals;
Cryptographic or encryption controls, protecting the confidentiality and integrity of the Licensee Corporate Data and the End User Data which may include Personal Data, during electronic transmission and central archival; and
Availability controls, by establishing a capacity planning mechanism to determine resource utilisation to ensure continuous operation of the information systems and Service, and business continuity plan to regulate business continuity management and to recover data and Service as much as it is reasonably possible, to ensure VV achieves its Availability obligation as specified in Schedule 1 of the Terms of Service.

The independent audit reports provide information on VV's key security measures. VV's Board, or its delegated body, reviews and decides on the scope of the audit to be performed, periodically.

(i) VV EMPLOYEES & SUB-CONTRACTORS

We ensure that our employees are bound by confidentiality obligations with regard to the processing of any Licensee Corporate Data and the encryption protocol relating to the End User Data. Our employees are properly instructed and required to comply with VV's obligations as stated in this Privacy Policy.

In the provision of the Service, we may engage and otherwise interact with any third-party data Processors or Affiliates to process the data, which may include Personal Data, in order to assist VV in delivering the Service. We impose the same data protection terms on any sub-processors and subcontractors we appoint to protect the data and apply the same standard as stated in this Privacy Policy. We remain responsible and will be liable for any breach that is caused by any act, error or omission of the sub-processors and subcontractors. We may, upon reasonable request, make available to you the current list of sub-processors and subcontractors that are processing the Personal Data as part of the Licensee Corporate Data.

(j) DATA SUBJECT RIGHTS UPON PROCESSING

Data Subjects arising from the Licensee Corporate Data shall have the following rights when we process their Personal Data as Controller:

i. Right of access: the right at any time to demand information in our possession or under our control concerning the processing of their Personal Data.

ii. Right of rectification: the right to demand of us to correct and/or complete the data subject's Personal Data if the Personal Data processed is incorrect or incomplete.

iii. Right of erasure: the right to demand Personal Data to be deleted if (1) the Personal Data concerning the Data Subject is no longer necessary for the purposes for which they were collected or otherwise processed; (2) Data Subject revoke their consent to the Processing and there is no other legal basis for the Processing; (3) Data Subject's Personal Data have been processed illegally; or (4) the deletion of the Data Subject's Personal Data is necessary to fulfil a legal obligation under any Applicable Law to which we are subject to.

iv. Right to restriction of Processing: Data Subject may request to restrict the Processing of their Personal Data if (1) they deny the accuracy of the Personal Data for a period of time that enables us to verify the accuracy of the Personal Data; (2) the Processing is unlawful and the Data Subject refuse to delete the Personal Data and instead request the restriction of the use of the Personal Data; or (3) we no longer need the Personal Data for the purposes of processing, but the Data Subject need them to assert, exercise or defend legal claims.

v. Right to data portability: Data Subject has the right to obtain their Personal Data in a structured, commonly used and machine-readable format. Data Subjects have the right to transmit their data to another Controller. Where technically feasible, Data Subjects have the right to have their data transmitted directly from us to another Controller.

vi. Right to withdraw consent: Any consent is provided freely. If Data Subjects give us their consent to process their Personal Data, they have the right to revoke their consent at any time. The revocation of consent does not affect the lawfulness of Processing based on consent before its revocation. To withdraw consent, please send us an e-mail to [email protected] or contact your account manager directly.

vii. Right to lodge a complaint with the supervisory authority: Data Subjects have the right to address a supervisory authority for any questions or complaints.

viii. Right to object: If the Data Subject resides in the European Economic Area (EEA), they have the right to object, on grounds relating to their particular situation, at any time to the Processing of their Personal Data, including profiling related to direct marketing purposes or for any scientific or historical research or statistical purposes. We will no longer Process the Personal Data unless we demonstrate compelling legitimate grounds for the Processing which override the Data Subject's interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

(k) INTERNATIONAL TRANSFER OF PERSONAL DATA

Data Subjects who are located outside of Singapore should be aware that the data that we process in relation to you will be transferred to and stored in Singapore and/or Korea, unless otherwise stated. Data Subjects who resides in the European Economic Area ('EEA') should also be aware that Singapore or any other relevant jurisdiction laws may not be subject to equivalent data protection laws as in the EEA. It may also be processed by staff situated outside the EEA who works for us or for one of our suppliers.

We transfer Personal Data to Singapore, Korea and/or other jurisdiction in order to:

store it;
enable us to provide products or services and fulfil our contract with you. This includes order fulfilment, processing of payment details, and the provision of support services;
facilitate the operation of VV, where it is in our legitimate interests and we have concluded these are not overridden by your rights; or
meet any legal requirement.

Where Personal Data is transferred to a destination outside of the EEA, we will ensure that a transfer only takes place if an appropriate level of protection exists and suitable safeguards are provided. Please contact us if you require more information.

------ Intentionally left Blank ------