Legal Privacy & Security

Software as a Service Agreement

This Software as a Service Agreement and related schedules (“SaaS”) is effective as of the earlier of: (a) the last date of the signature of this SaaS; and (b) the last date of the signature of the first Order Form (defined below) (the “Effective Date”), by and between the entity named below and each of its Affiliates entering into an Order Form (“Client”) and either Riskified, Inc., or Riskified Ltd., as set out in Section 13 (“Riskified”). Each of Riskified and Client are individually referred to as a “Party” and collectively as the “Parties”.

  1. Riskified responsibilities

    1. Provision of Services. Riskified will make the Services available to Client, as described in this SaaS and related order forms with schedules (each, an “Order Form”, and with the SaaS, the “Agreement”). Each Client Affiliate receiving the Services shall execute a separate Order Form. “Services” means the products and services provided by Riskified and/or its Affiliates. For the avoidance of doubt, by executing an Order Form, each Client Affiliate shall be bound to this SaaS. “Affiliate” means any entity that directly or indirectly Controls, is Controlled by, or is under common Control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests and/or management of the subject entity.
    2. Support. Riskified, at its own expense, will provide Client with technical support in accordance with Riskified’s standard practices.
    3. Security and Data Protection Program. Riskified will maintain physical, administrative, and technical safeguards consistent with industry-accepted practices including the International Organization for Standardization (ISO) 27001:2013 and a System and Organizational Controls (SOC) 2, Type II report to protect the confidentiality, integrity, and availability of Client Data (defined below). The Parties will adhere to the terms of the Data Processing Addendum (“DPA”), available at https://security.riskified.com/, which is incorporated herein by reference, with respect to any “personal data” or “personal information”, as such terms are defined by applicable law, that are processed in connection with the Agreement, unless the Parties have executed a separate data processing addendum, which shall prevail. Riskified reserves the right to update such measures, as set forth at https://security.riskified.com/, provided that any updates shall not materially diminish the level of security applicable to the Services. Client is responsible for reviewing the information Riskified makes available regarding its data processing and security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations.
  2. Client Responsibilities

    1. Use Restrictions. Except for the rights granted in the Agreement, no other rights in or to any Services, express, implied or otherwise, are granted to Client. Without limiting the foregoing, Client shall not, and shall not allow, directly or through a third party to: (i) use the Services other than for the purpose permitted herein; (ii) transfer, sell, rent, lease or share the Services or the results, including recommendations; (iii) permit any person who is not an Authorized User (defined below) to use or access the Services or the results thereof; (iv) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Riskified’s online software application provided as part of the Services; (v) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; (vi) access the Services or use the results thereof in order to build, improve upon, develop a product or service which competes with the Services or frustrates the purpose of the Agreement; (vii) make available to Riskified any data regulated under PCI; (viii) use the Services or provide data to Riskified in a manner that violates any applicable law, ordinance, regulation or administrative order; or (ix) take any action that imposes or may impose (as determined in Riskified’s reasonable discretion) an unreasonable or disproportionately large load on the servers, API, network, bandwidth, or other cloud infrastructure which operate or support the Services, or otherwise systematically abuse or disrupt the integrity of such servers, network, bandwidth, or infrastructure, including but not limited to API calls exceeding a volume of 700% of Client’s daily average of API calls (or such other volume reasonably determined by Riskified), all as reasonably measured by Riskified.
    2. Client Security Standards and Data Protection. Client shall establish and maintain a data security and protection program that includes physical, technical, administrative, and organizational safeguards no less rigorous than accepted industry practices and as required by applicable law, that is designed to ensure the access to, and security of, the Client Data, Client’s platform and systems, as well as any integrations associated therewith, and as reasonably requested by Riskified. Client is solely responsible for all aspects of Client Data, including its sourcing, inputting, accuracy, quality, integrity and management and maintaining reasonable security measures with respect to the Client Data while in its possession and control.
    3. Client IT Infrastructure. Client is solely responsible for obtaining and maintaining network connections and telecommunications links from its systems to Riskified, and for all problems, conditions, delays, delivery failures, as well as all other loss or damage arising from or relating to Client’s network connections or telecommunications links or caused by the internet. Notwithstanding anything herein to the contrary, Riskified is not responsible for technical issues due to Client’s failure to comply with Riskified’s instructions; or modification or alteration of the Services by any anyone other than Riskified or Riskified’s duly authorized contractors or agents.
    4. Audit; Competition. Client agrees to provide its reasonable cooperation in the event Riskified audits Client’s use of the Service, which may occur only upon reasonable advance notice, during Client’s business hours, not more than once per calendar year or in connection with a breach of the Agreement. For the Term of the Agreement (defined below), Client agrees that it shall not receive third party fraud mitigation services.
    5. Authorized Users; Credentialing. Only those users authorized by Client may use the Services (each, an “Authorized User”). Any violation of the Agreement by an Authorized User shall be deemed to be a violation by Client. Client is solely responsible for the security and proper creation, use and termination of all Authorized User names, passwords and other security devices used in connection with the Services and shall take all reasonable steps to ensure that they are kept confidential and secure, are used properly and are not disclosed to unauthorized persons. Client shall immediately notify Riskified in writing if there is any reason to believe that any security credentials or any other security device has or was likely compromised or used in an unauthorized way. Riskified may require Client to change any of its Authorized User’s usernames, passwords or other security devices used by Client in connection with the Services, and Client shall promptly comply with any such requirement.
    6. Fair Credit Reporting Act. Client acknowledges that Riskified, is not a consumer-reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and that the Services provided to Client hereunder do not constitute “Consumer Reports,” as defined in the FCRA. Client represents and warrants that it shall not use the Services to determine any consumer’s eligibility for any product or service to be used by a consumer for personal, family or household purposes. Further, Client represents and warrants that it shall not use the Services in whole or in part: (i) as a factor in establishing a consumer’s eligibility for credit; (ii) as a factor in establishing a consumer’s eligibility for insurance; (iii) for employment purposes; (iv) in connection with a determination of an individual’s eligibility for a license or other benefit granted by a governmental authority; or (v) in connection with any permissible purpose as defined by the FCRA.
    7. Sanctions; Compliance. Client acknowledges the Services do not guarantee compliance with any specific law or regulation. Client represents and warrants that: (1) neither Client, nor any of its directors, officers, employees, Authorized Users, customers and/or end-users: (a) is subject to sanctions and/or named as specifically designated national on the most current list published by the U.S. Treasury Department Office of Foreign Asset Control (“OFAC“) at its official website (“Prohibited Persons“), or (b) are located, organized, or resident in a country or territory that is, or whose government is, the target of sanctions imposed by OFAC (“Sanctioned Area“) and (2) Client implements appropriate controls designed to comply with sanctions regulations, including but not limited to OFAC.
  3. Client Data

    1. Provision of Client Data. Client is solely responsible for ensuring it is authorized to provide or make available the data it provides or makes available to Riskified and the Services (collectively, the “Client Data”), including the provision of any requisite notices and obtaining consent to the extent required under applicable law (which may include but not be limited to for the use of automated decision making). Client Data required by Riskified and processed in connection with the Services is detailed in documentation made available by Riskified, including in the DPA.
    2. License to Client Data. Client consents to and grants Riskified and its Affiliates the worldwide, non-exclusive, royalty-free, perpetual, sub-licensable, fully-paid-up, and irrevocable, right to: (i) use the Client Data to provide the Services; (ii) use the Client Data to improve the Services; and (iii) process such Client Data in accordance with the DPA and Riskified’s Privacy Policy. In order to provide the Services, Riskified and its Affiliates combine data from their clients and will provide Client Data to third parties to the extent permitted under this Agreement.
  4. Fees and payment

    1. Fees. Client and/or Client Affiliate, as applicable, agree to pay the fees described in the Agreement (the “Fees”).
    2. Invoicing; Non-refundable. Except as otherwise specified herein or in an Order Form, amounts due are invoiced on a monthly basis and due within thirty (30) days of Client’s receipt of the applicable invoice (“Payment Term”). Client agrees to remit payment by wire transfer or ACH, unless the invoice is $3,000 or less, in which event Client may remit payment by credit card. Fees are non-cancelable and non-refundable. Each Client Affiliate will be invoiced separately. Should the Parties agree to allow Client to pay in a currency other than USD, GBP or EUR, Client shall be charged an additional 0.15% on the invoiced amount.
    3. Late Payment; Disputes. Unpaid amounts are subject to a finance charge of 1.5% per month, or the maximum percentage permitted by law (whichever is lower), in addition to all reasonable costs of collection, including reasonable attorneys’ fees. Any good faith objection to an invoice shall be provided in writing to Riskified within the applicable Payment Term, otherwise Client would be deemed to waive any objections, and such invoice will be deemed final and not subject to dispute.
    4. Taxes. All fees are exclusive of taxes and duties. If the Services are subject to collection or payment of any federal, state, or local tax under the Agreement, or any other similar taxes or duties levied by any governmental authority, excluding taxes levied on Riskified’s net income, then such taxes and/or duties shall be invoiced to and paid solely by Client upon receipt of invoice.
    5. Service Suspension. Riskified may suspend the Services (in whole or part) if Client fails to pay an overdue payment within ten (10) days of written demand by Riskified.
  5. Term and termination

    1. Term of SaaS. The SaaS begins on the Effective Date and continues until the termination or expiration of all Order Form(s) between Riskified and Client and/or Client’s Affiliates.
    2. Term of Order Form. The start date and term of the Service(s) shall be set out in an Order Form. Except as otherwise specified in an Order Form, the term for each Order Form shall be for one (1) year (the “Initial Term”). The Initial Term will automatically renew for consecutive periods, each equal to the Initial Term specified, or one (1) year, whichever is longer (each, a “Renewal Term”, and together with the Initial Term, the “Term”), unless either Party notifies the other Party of its intent not to renew such Services at least sixty (60) days prior to the end of the then-current Term.
    3. Early Termination by Client. Client may terminate an Order Form for convenience upon ninety (90) days written notice (“Early Termination”). In the event of Early Termination, Client shall pay Riskified an amount equal to the gross average monthly Fees invoiced by Riskified and multiplied by the number of months remaining in the then-current Term (“Early Termination Fee”), which will be reduced by any and all credits owed to Client in the final invoice. Client acknowledges and agrees that the Early Termination Fee constitutes liquidated damages and is not a penalty and that the amount of actual loss due to the foregoing is difficult to precisely estimate and the amount of liquidated damages bears a reasonable proportion to the probable loss that Riskified will suffer in relation to the foregoing.
    4. Termination for Breach. If a Party materially breaches the Agreement and fails to cure such breach within thirty (30) days of receipt of written notice from the other Party outlining the nature of such breach, then the other Party may terminate the affected Order Form(s).
  6. Representations and warranties; covenants

    1. Mutual Representations and Warranties; Covenants. Each Party represents, warrants and covenants to the other Party that it has the full power and authority to enter into the Agreement.
    2. Future Functionality. Client agrees that its entry into the Agreement is not contingent on the delivery of any future functionality or features, or dependent on any oral or written comments or commitments made by Riskified regarding future functionality or features.
    3. DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED IN THE AGREEMENT, RISKIFIED IS PROVIDING THE SERVICES “AS IS” AND “AS AVAILABLE” AND RISKIFIED DOES NOT MAKE AND CLIENT HAS NOT RELIED UPON ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE IN ENTERING INTO THE AGREEMENT. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RISKIFIED SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.
  7. Indemnification

    1. Indemnification by Riskified. Riskified shall defend and indemnify Client against claims, actions, proceedings, losses, damages, out-of-pocket expenses and costs (including reasonable attorney’s fees), finally awarded and arising out of or in connection with any third-party claim alleging infringement by the Services of any patent or copyright or misappropriation of any trade secret. The foregoing defense and indemnification obligations do not apply if: (i) the allegation does not state the Services are the basis of the claim against Client; (ii) a claim against Client arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Riskified, if the Services or use thereof would not infringe without such combination; (iii) a claim against Client arises from Services under an Order Form for which there is no charge; or (iv) a claim against Client arises from Client Data, third-party applications, services or software or Client’s breach of the Agreement.
    2. Indemnification by Client. Client shall defend and indemnify Riskified against claims, actions, proceedings, losses, damages, expenses and costs (including reasonable attorney’s fees) arising out of or in connection with any third-party claim, alleging: (i) Client’s use of the Services violates applicable law, or (ii) Client Data infringes or misappropriates a copyright, patent, trademark, trade secret, privacy or other proprietary right, or Client’s provision of Client Data to the Services violates any right, law, or regulation applicable to such Client Data.
    3. Indemnification Process. As a condition to the indemnification obligations set out herein, the indemnified Party shall: (i) promptly notify the indemnifying Party of any claim for which indemnity will be sought; provided that no delay in providing such notice shall relieve the indemnifying Party of any liability or obligations hereunder except to the extent the indemnifying Party has been prejudiced by such delay; (ii) permit the indemnifying Party to assume sole control of the defense and settlement of such claim with counsel of its choosing; and (iii) provide cooperation reasonably requested by the indemnifying Party in investigating and defending such claim, at the indemnifying Party’s expense (provided that the indemnified Party shall not be entitled to compensation for time spent providing such cooperation). The indemnified Party shall have the right to participate in (but not control) the defense of any such claim, at its sole cost and expense, using counsel of its choosing.
    4. Exclusive Remedy. This “Indemnification” section states the indemnifying Party’s sole obligation and liability to, and the indemnified Party’s exclusive remedy against, the indemnified Party for any third-party claim described in this section.
  8. Exclusions; limitation of liability

    1. Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY FOR ANY LOST PROFITS, REVENUES, GOODWILL OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, ANY LOSS OF DATA, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
    2. Limitation on Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THE AGREEMENT, EXCEED THE TOTAL AMOUNT PAID BY CLIENT AND/OR ITS AFFILIATES FOR THE SERVICES UNDER THE APPLICABLE ORDER FORM(S) GIVING RISE TO THE LIABILITY IN THE SIX (6) MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS HEREUNDER.
    3. Claim Period. ANY CLAIM OR ACTION BY EITHER PARTY RELATED TO THE AGREEMENT, INCLUDING, BUT NOT LIMITED TO THE SERVICE, MUST BE COMMENCED WITHIN TWO (2) YEARS AFTER THE DATE ON WHICH THE ACT, EVENT, CONDITION, OR OMISSION GIVING RISE TO SUCH CLAIM OR ACTION, OCCURRED OR COULD HAVE REASONABLY BEEN DISCOVERED (“CLAIM PERIOD”). ANY ACTION NOT BROUGHT WITHIN THE CLAIM PERIOD SHALL BE BARRED, NOTWITHSTANDING ANY LONGER LIMITATIONS PERIOD SET FORTH IN ANY APPLICABLE LAW OR STATUTE.A
  9. Confidentiality

    1. Confidential Information” shall mean information made available by a Party or its Affiliates (“Discloser”) to the other Party or its Affiliates (“Recipient”), that is proprietary or confidential and is either clearly labeled or identified as Confidential Information or that a reasonable person should understand to be confidential given the nature of the information or the circumstances of its disclosure, and whether such information is disclosed by the Discloser in connection with the Agreement before, on or after the Effective Date. Confidential Information includes the terms of the Agreement. Confidential Information does not include any of the following: (i) information that is or becomes part of the public domain or otherwise available on an unrestricted basis to one or more third persons without violation of the Agreement by the Recipient; (ii) information that was known to or in the possession of the Recipient on a non-confidential basis prior to the disclosure thereof to the Recipient by the Discloser, as evidenced by written records; (iii) information that was developed independently by or on behalf of the receiving Party, without use of or reference to the Confidential Information; (iv) information that is disclosed to the Recipient by a third person without violation of the Agreement by the Recipient; or (v) Client Data, which shall be subject to the terms of the DPA, related Security Addendum, Riskified’s Privacy Policy, and applicable law.
    2. Protection of Confidential Information. Each Party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third-party or use the other’s Confidential Information other than as permitted under the terms of the Agreement. Each Party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed in violation of the terms of the Agreement.
    3. Compelled Disclosure. The obligations of the Parties under this Section shall not apply to the extent of any disclosure required pursuant to a duly authorized subpoena, court order, government authority or under any other legal obligation, provided that the Recipient has provided prompt notice and assistance to the Discloser prior to such disclosure, so that Discloser may seek a protective order or other appropriate remedy to protect against disclosure.
    4. Injunctive Relief. Any breach or threatened breach of the obligations set forth in this section may constitute a material breach of the Agreement, which the breaching Party acknowledges may cause irreparable harm to the non-breaching Party, leaving it without an adequate remedy at law. As such, any such breach shall entitle the non-breaching Party to seek any equitable relief, in addition to all other remedies, without necessity of posting of a bond or other security in connection therewith.
  10. Proprietary rights and licenses

    1. Ownership. Client acknowledges and agrees that Riskified and/or its Affiliates and/or licensors exclusively own all Intellectual Property Rights in and to the Services and associated documentation. Except as expressly stated herein, the Agreement does not grant Client any rights to or in any Intellectual Property Rights or any other rights or licenses with respect to the Services or the associated documentation. Client acknowledges that the Services, associated documentation and the inventions, know-how and methodology embodied therein are proprietary to, and are the valuable trade secrets of, Riskified and its Affiliates and licensors, as applicable, and that the Services and associated documentation constitute Confidential Information of Riskified and/or its Affiliates. “Intellectual Property Rights” shall mean all rights throughout the world in and to any and all of the following: (i) patents, patent applications, patent disclosures and inventions (whether patentable or not); (ii) trademarks, service marks, trade dress, trade names, logos, corporate names, Internet domain names and registrations and applications for the registration thereof together with all of the goodwill associated therewith; (iii) copyrights and copyrightable works (including computer programs and mask works) and registrations and applications for registration thereof; (iv) trade secrets, know-how and other proprietary information of a like kind; (v) waivable or assignable rights of publicity, waivable or assignable moral rights; and (vi) all other forms of intellectual property, such as data and databases, in each case, to the extent protectable under applicable law, as well as any derivative works of any intellectual property.
    2. Feedback. Client grants to Riskified and its Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into Services any suggestion, enhancement request, recommendation, correction or other feedback provided by or derived from Client or its Authorized Users use of the Services. Client hereby waives and agrees not to assert any moral rights (or similar rights) in and to such feedback, as well as any rights to royalties or other payments.
  11. Publicity

    1. Press Release. The Parties agree to issue a joint press release announcing the relationship between the companies within six (6) months from the Effective Date. Riskified’s marketing team will cooperate with the Client regarding the drafting and distribution of any such content.
    2. Use of Logo. Riskified may use Client’s name and logo on Riskified’s website and in any promotional and marketing materials, in accordance with Client’s trademark and/or brand guidelines, as provided to Riskified.
  12. Insurance

    1. Coverage. Riskified has obtained and will maintain the following insurance coverages during the Term: (i) Professional Liability (including Products Liability, Privacy, Intellectual Property Infringement, Cyber Liability) insurance in the amount of at least $10,000,000 ($5,000,000 per occurrence) on a claims made basis, (ii) Directors and Officers insurance in the amount of at least $5,000,000 on a claims made basis, as well as policies for Business Owners, Workers’ Compensation and Employer’s Liability insurance.
    2. COI. Upon Client’s written request, Riskified shall provide Client with certificates of insurance evidencing the above coverage. Additionally, upon Client’s written request, Riskified will name Client as an additional insured with respect to Riskified’s aforementioned Professional Liability insurance coverage.
  13. Contracting party; governing law & venue; arbitration

    1. Contracting Party. If Client is domiciled in North America, Central America, or South America, Client is entering into the Agreement with Riskified, Inc., a Delaware corporation. If Client is domiciled elsewhere, Client is entering into the Agreement with Riskified Ltd., a limited liability company organized under the laws of Israel.
    2. Governing Law and Venue. The Agreement shall be governed by and construed in accordance with the laws of the State of New York. The Parties hereby irrevocably consent and submit to the exclusive jurisdiction and venue of the state and federal courts in the State of New York.
    3. Arbitration. Notwithstanding anything herein to the contrary, any controversy, dispute or claim arising out of or related to this Agreement that cannot be resolved by informal and good-faith negotiations between authorized representatives of the parties shall be settled by final and binding arbitration to be conducted by an arbitration tribunal in the State, City and County of New York, NY pursuant to the rules of the American Arbitration Association.
  14. General provisions

    1. No Joint Venture or Partnership. The Parties are independent contractors. The Agreement does not create a partnership, joint venture, franchise, agency, fiduciary, or employment relationship.
    2. Waiver. No failure or delay by either Party in exercising any right under the Agreement will constitute a waiver of that right.
    3. Notice. Any notice given pursuant to the Agreement shall be in writing and shall be provided by personal delivery, registered mail, or email. Any such notice shall be deemed to have been given on (i) the day such notice or communication is personally delivered, (ii) three (3) days after such notice or communication is mailed by registered mail, (iii) one (1) business day after such notice or communication is sent by overnight courier, or (iv) Notice sent by email shall be deemed effective when the receipt is electronically confirmed. Notices to Riskified shall be addressed to 220 5th Avenue, 2nd Floor, New York, NY 10001, Attn: Legal Department; with a copy to legal@riskified.com.
    4. Affiliates. All obligations of either party and its respective Affiliates under the Agreement are joint and several.
    5. Force Majeure. If either Party is unable to perform any obligation (excluding any payment obligation) under the Agreement because of any matter beyond that Party’s reasonable control, such as flood, exceptionally severe weather, fire, explosion, war, terrorist attack, civil disorder, protests, industrial dispute (whether or not involving employees of either Party), acts of local or central government or other competent authorities, problems with telecommunications providers, hostile network attacks, pandemics or other events beyond a Party’s reasonable control (each, a “Force Majeure Event”), that Party will have no liability (including any obligation to issue refunds or credits) to the other for such failure to perform; provided, however, that such Party shall resume performance promptly upon removal of the circumstances constituting the Force Majeure Event.
    6. Interpretation. To the extent of any conflict in terms between: (a) this SaaS and/or its schedules, and (b) an Order Form and/or its schedules, then the terms of such Order Form and/or its schedules shall control.
    7. Assignment. Client may not assign or otherwise transfer the Agreement without prior written consent by Riskified. Riskified may assign or delegate the Agreement, or any duty or right under the Agreement to an Affiliate.
    8. Counterparts. The Agreement may be executed in one or more counterparts, in original or electronic form, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement.
    9. Severability. If any provision of the Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that the Agreement will otherwise remain in full force and effect and enforceable.
    10. Entire Agreement; Amendments. The Agreement, including any schedules, exhibits, annexes and/or Order Forms, is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of the Agreement. Any and all waivers, amendments and modifications regarding the Agreement must be in writing and signed by both parties.

NOTE: comprehensive information on Riskified’s information security and compliance programs can be found on our Security Portal at https://security.riskified.com/.

Services Privacy Policy

Riskified provide online merchants (each, a “Merchant”) with services that help merchants optimize their e-commerce experience, including by preventing fraudulent online transactions, preventing account takeover, offering consumers an alternative payment method and increasing payment authorization (the “Services”). Merchants integrate our Services on their websites and mobile apps where consumers like you place orders (collectively, the “Merchant Website”). After you place an order, the Merchant Website may request that we process your personal data to provide our services.

This Privacy Policy (“Policy”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and for the benefit of our affiliates (“Riskified”, “we”, “our”, or “us”) for our Services. It describes how we collect, use and share personal data, and the rights and options available to you with respect to your information.

You are not obligated by law to provide us with your personal data, but the Merchant Website may require that you provide us with your personal data to enable the processing of orders you place. Please note that this Policy does not cover the practices or policies of Merchants, the Merchant Website, or other parties.

INFORMATION WE COLLECT

During the past 12 months we have collected the categories of information listed below, and anticipate that we will continue to collect such information. This information is collected directly from you, from Merchants, from our service providers, from publicly available sources and through the Merchant Website and is used by us to provide Services for our merchants, to improve those services and as otherwise described in Use of Collected Information below.

Transaction data. When you place an order with a Merchant Website, we collect various data regarding your transaction, which may include  personal data, such as your name, email, address, the items you purchased, price paid, shipping information, and (if you have one) basic information from your account on the Merchant Website. We also collect basic information about your payment and billing method. We do not collect or keep your complete credit card number. 

Device data. We collect information about the personal computer or mobile device you use to access the Merchant Website. This includes the device model, operating system, unique identifiers, browser type, mobile network information, and the Internet Protocol (IP) address through which you accessed the Merchant Website. 

Geo-location data. If you use the mobile app of a Merchant Website, we collect your geo-location when you are actively using the app. If you use the Merchant website, we collect your city-approximate geo-location.

Analytical data. We collect analytical data about your use of the Merchant Website. For example, we collect the frequency of your access to the Merchant Website, the time you spend accessing the Merchant Website, when you scroll, as well as any events sent to a behavioral tracking service, the pages that referred you to the Merchant Website, as well as the pages and items on the Merchant Website that you viewed or interacted with.

Cross-references. We also cross-reference, verify, and enhance the accuracy of the data outlined above using third-party online sources such as search engines, social networks, white pages, and mapping services. If you have provided the Merchant with access to information of third-party platforms, (including social networks), we may also receive the same access permissions to the information that you made public.

Inquiries. If you contact us for questions or complaints, we will collect the information related to your inquiry and to verify your identity. This may include your name, email address, postal address, telephone number and other contact information, depending on the nature of your inquiry.

USE OF COLLECTED INFORMATION

When a Merchant asks us to review an order you place on a Merchant Website, we review the data of your activities across all the Merchant Websites of our Merchants as well as any other data collected. We use this data to provide the Merchant a fraud analysis indicating whether or not the order is, in our assessment, a fraudulent online transaction. It is then at the discretion of the Merchant (not Riskified) to accept or decline your order.

We also use the information we collect for the following purposes:

  • Improving and enhancing Services and developing new services;
  • Statistical analysis of consumers’ activities;
  • Handling your requests and complaints;
  • Enforcing this Policy and preventing misuse of the Services;
  • Taking any action in any case of disputes involving you, in relation to the Services; and,
  • Any other action that may be mandated by law or undertaken to protect our legal rights and property and/or those of third parties.

SHARING INFORMATION COLLECTED

We may share the information outlined in this Policy with others, in the following instances:

With our third-party service providers

We use service providers to assist us in providing the Services. We only share with them the limited elements of the personal data we collect which are strictly necessary for them to provide us with their service. These service providers include data sources, such as white pages, data providers, and mapping services and other similar services. We do this in order to cross-reference, verify, and enhance the accuracy of the data that we collect. Some of these service providers may use the data we share with them for their own permitted purposes, in accordance with their own terms and policies subject to applicable law, such as Google’s Privacy Policy and Terms of Service.

With the Merchant

We may share limited elements of your personal data with the Merchant from whom you made your transaction was made. This information sharing will be for the purpose of reviews, audits or dispute handling or responding to your request for access to your personal data.

With Our Partners

Riskified partners with certain entities, such as banks, card networks, and/or payment gateways, and may provide them with elements of your personal data in order to optimize order approval.

When required for Legal Purposes

We may share your personal data with third parties if we believe it is required by law or for the purpose of exercising legitimate legal rights. For instance, it could be necessary to share your data in order to comply with legal proceedings, to protect or exercise the legal rights of Riskified or our Merchants, or to respond to lawful requests.

With Corporate Group Entities or in a Business Transfer

We may share your personal data with our corporate group entities but their use of such information must comply with the Policy. Your data may also be shared if the operation of the Services is organized within a different framework or through another legal structure or entity, such as due to a merger or acquisition.

Non-Personal Data

We may use the information we collect to compile aggregated, anonymized, or de-identified information. We may share de-identified or aggregated information with any number of parties.

With you

We may share the data we possess about you with you upon your verifiable request or with other parties at your direction. We may contract with one or more vendors in order to verify your identity. In order to submit a request, please email support@riskified.com.

Transfer of Data Outside Your Territory

We may store and process information in the US, the EU, Israel, and in other countries. We may also process information using cloud services.

We frequently process information under arrangements aimed at providing an adequate level of data protection. This may include processing in countries that the EU has determined maintain adequate data protection, the use of model contract clauses, or other mechanisms. You may contact us as noted below to obtain a copy of the arrangements we use to transfer information outside of the European Economic Area, the UK, or Switzerland.  

In certain cases the laws in some of these countries may nevertheless provide a lesser degree of data protection than the laws of your own country. However, we will transfer your information to entities within other such countries for the purpose of processing as described in this Policy.

LOCATION SPECIFIC INFORMATION

Residents of the European Union

If you are a resident of the European Economic Area, the UK or  Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect and manage your personal data.

  • As a data controller we rely on our legitimate interests to process your information, including the use of our service providers assisting us to deliver the Services. We may also receive your explicit consent through the Merchant Website. The Merchant Website relies on their own valid legal basis for processing your information, which may be in the form of consent, legitimate interest or execution of a contract.
  • The Merchant Website may, at its own discretion, use Riskified’s Services to make a decision on whether to accept or decline your order based solely on automated processing. It may do so if you have given your consent, if needed to enter into or perform a contract, or if authorized by law. Please direct inquiries concerning approval of your order based solely on automated means to the Merchant Website.
  • If the law grants you such rights, you may ask to access, correct, or delete your personal data that is stored in our systems. You may also ask for our confirmation as to whether or not we process your personal data. Subject to the limitations in law, you may request that we update, correct, or delete inaccurate or outdated information. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. However, we will continue retaining, using and sharing certain information if it is associated with fraudulent activity or to comply with legal obligations.
  • Several of our data sources are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources. However, opting out may prevent us from providing Services and, as a result, may prevent you from using the Merchant Website. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.

If you wish to exercise any of these rights, you can contact us at: privacy_requests@riskified.com, or our EU representative, Lionheart Squared (Europe) Ltd, at riskified@lionheartsquared.eu; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland. When handling these requests, we may ask for additional information to confirm your identity and your request. In addition, you may also have the right to submit a complaint with the relevant supervisory authority – you can find the relevant contact details here.

Residents of California

If you reside in California or other jurisdictions where such rights are provided by applicable law, you have specific rights regarding your personal data. This section describes the rights that you have and explains how to exercise those rights.

  • Right to Know About Personal Data Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information to you. You have the right to request any or all of the following:
  • The categories of personal data we collected about you.
  • The categories of sources from which the personal data is collected.
  • Our business or commercial purpose for collecting or selling that personal data.
  • The categories of third parties with whom we share that personal data.
  • The specific pieces of personal data we collected about you.

 

  • Right to Request Deletion. You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, and Deletion Rights), we will delete (and direct our service providers to delete) your personal data from our records. However, we may retain personal data that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us in order to perform certain actions permitted by applicable law, specifically such as detecting data security incidents or protecting against fraudulent or illegal activity.  Therefore, we may retain your personal data despite such request.

 

  • Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by emailing support@riskified.com.

Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. 

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information (including, at minimum, your name, address, and e-mail address) that allows us to reasonably verify that you are the person about whom we collected the  personal data or an authorized representative.

We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing.

In order to protect the security of your  personal data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the  personal data relates to you. The method used to verify your identity will vary depending on the nature of the request. Generally speaking, verification will be performed by a third-party service provide.

Any disclosures we provide may only cover the 12-month period preceding our receipt of your request. We are not obligated to provide the information set forth above under “Right to Know About Personal Data Collected, Disclosed or Sold” more than twice in a 12-month period.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

  •  Personal Data Sales Opt-Out. We do not “sell” information, as sales are defined under applicable laws.

 

  • Non-Discrimination. We will not discriminate against you for exercising any of your legal rights.

INFORMATION SECURITY

We implement industry standard measures to reduce risks caused by the potential loss of information, unauthorized access, or use of information. However, no measure can provide absolute information security and we cannot provide protections beyond what is within our reasonable control.

See our Security Portal (https://security.riskified.com) for more information.

DATA RETENTION

The personal data we collect is retained only for as long as necessary to provide the Services or any newly developed services under this Policy. We retain the  personal data we receive from the Merchant for no more than 48 months, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymize without further notice to you.

POLICY REGARDING CHILDREN

We do not knowingly collect personal data from children under the age of 13, and children under the age of 16 in the EU or California. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at support@riskified.com. If we become aware that a child under such ages has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes

CHANGES TO THIS POLICY

If we materially change this Policy in a manner that adversely affects your rights, or the protections afforded to your personal data, such changes will only affect the personal data we collect after the Policy change, unless you agree to us treating the personal data previously collected in accordance with the new Policy.

CONTACT US

You may contact us with any questions or comments, at: support@riskified.com

Our postal address is: Sderot Sha’ul HaMelech 37, Tel Aviv, Israel, postal code 6492806 or 220 Fifth Avenue, Floor 2, New York, NY 10001.

Effective date of the policy: September 2, 2021

 

Riskified respects the privacy of the users of our website at https://www.riskified.com (the “Site”) and is committed to protecting the information that is collected and/or is disclosed by the Site users (“users” or “you”). This Website Privacy Policy (“Policy”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and for the benefit of our affiliates (“Riskified”, “we”, “our”, or “us”) for use of the Site.

 

INFORMATION WE COLLECT

During the past 12 months we have collected the categories of information listed below, and will continue to collect such information. This information is collected from you, directly, through your browsing session on the Site and through third parties and is used by us to improve our services and as otherwise described below.

Riskified collects information from our users at several different points on our Site. Personal data such as a user’s name, address, contact information, and other personally-identifiable information may be collected from you and stored in our databases when you register to the Site, request support, enter into a sales promotion, or otherwise interact with us (for example through the “contact us” option). If you do not provide us with the required information we may not be able to provide you with the information/services requested by you. Registered users may have a user name and password to access their information.

When you use the Site we may automatically collect personal data through cookies or other online technologies. This may include internet traffic data such as a user’s IP address, domain server, type of computer, type of web browser, your browsing session on the Site (e.g., the pages accessed and links clicked), the referral source and website navigation paths of your visit and your interactions on the Site. This information is helpful for us to operate our site, for marketing purposes or for improving a user’s experience on the Site.

We may also collect information about you from our business partners and other service providers, including personal data (e.g., contact information such as emails and general information associated with your IP or device), to help to operate our site, for marketing purposes or for improving your experience on the Site.
We may also collect statistical and other aggregated data related to your use of the Site or services thereon as well as information on Site usage patterns. This information is collected and used as non-individually identifiable information.

 

HOW WE USE INFORMATION AND WHO WE SHARE IT WITH

We use the information collected to analyze trends, administer the Site, improve our services, track users movements around the Site, and gather demographic information about our user base. We also use the collected information to respond to your requests and contact you. We compile and store the collected information to generate reports related to our users’ access to and use of our Site and services. We may use specific information collected to personalize and deliver content marketed directly to you and measure its effectiveness, subject to requirements of applicable law.

To the extent required under applicable data processing laws and regulations any personal data that we collect may be stored in our database and will be used in accordance with such applicable laws and regulations.

We do not share, distribute, sell, or rent any of your personal data with/to third parties, except to assist us with the above activities and in the following circumstances where we may use the information we collect:

  • The information is required by law in order to prevent, investigate, or take action regarding illegal activities;
  • In response to legal process, court orders, subpoenas;
  • To establish or exercise our legal rights or defend against legal claims;
  • For the purpose of providing and operating the Site we may share information with trusted third party partners for purpose of providing Site-related services to us. We will require that these third parties comply with this Privacy Policy or with privacy policies at least as protective as this Privacy Policy.
  • We may also request your permission to use your information in other ways. Such use is subject to your consent.
  • Any data processing performed by these third parties will, if and when required by law, be governed by a data processing agreement in the form required by law preserving your statutory data protection rights.
  • In case of a business transfer. In the conduct of our business, we may go through a business transaction such as a sale, merger, reorganization or bankruptcy proceeding. Information collected from users of the Site, including personal data, could be transferred as part of such transaction. By submitting your personal data through the Site, you agree that your information may be transferred to third parties under such circumstances.

 

COOKIES

A cookie is a piece of data sent from a website while the user is browsing and stored on a user’s hard drive to contain information about the user. We use cookies to enhance the user experience, improve our service, including by means such as storing passwords or preference information. We may also use cookies to track and monitor usage of the Site for the purposes of marketing and operational improvements.

Riskified’s Site uses both ‘session’ and ‘persistent’ cookies. ‘Session cookies’ are created and stored temporarily while the user browses and are deleted from the device when the browser is closed. ‘Persistent cookies’ are saved on the user’s device for a fixed period and becomes active when they visit the Site.

Users located in the EU will receive a pop up notification informing them that cookies are operating on our Site. Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored.

 

INTEREST-BASED ADVERTISING

We may work with third parties who collect information on our Site and elsewhere through the use of cookies and similar methods in order to serve you with relevant advertisements on other services or to determine that you have seen our advertisements on other services and for other retargeting purposes. We do not respond to or honor “do not track” (a/k/a DNT) signals or similar mechanisms automatically transmitted by web browsers for which we cannot evaluate your choice.

E-MAIL COMMUNICATIONS

You have the ability to opt out of receiving marketing communications from Riskified at any time. You can opt out by either changing your email preferences or using the link provided at the bottom of each email message. You may not opt out of administrative emails (for example, emails about your transactions or policy changes) while you are a registered user.

We do not send emails to anyone without permission and we do not sell or rent email addresses to any unauthorized third party. If you believe that you have received an unsolicited email from us, please contact us at support@riskified.com and we will investigate.

 

DATA RETENTION

We retain the personal data we receive through the Site for no more than 48 months, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymized without further notice to you.

 

APPLICANTS DATA

We use information about job applicants (from the website or any other source) such as their contact details, name, professional experience and CV, and other information needed to consider their hiring (Applicants Data). Additionally, we use Applicants Data for statistical purposes to improve our recruitment processes. We may use data of applicants that have not been accepted for a specific position, for internal purpose or to inform them of future job opportunities that we believe may suit them. We care about your privacy and will not share your Applicants Data with anyone else for other purposes. Applicants Data will be retained for 48 months or a longer period as may be allowed for by law. For any request or question regarding your Applicants Data and privacy, please contact legal@riskified.com.

 

POLICY REGARDING CHILDREN

We do not knowingly collect personally identifiable information from children under the age of 13, or 16 in the EU. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at support@riskified.com. If we become aware that a child under such ages has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.

 

SECURITY

We follow generally accepted industry standards and best practices to protect the personal data submitted to us, both during transmission and once we receive it. However, due to the nature of Internet communications and evolving technologies, unauthorized entry or use, hardware or software failure, or other factors, the security of user information may be compromised at any time. No method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of personal data and disclaim any assurance that such information will remain free from loss, misuse, or alteration by third parties who, despite our efforts, obtain unauthorized access.

 

CHANGES AND CONSENT TO PRIVACY POLICY

By registering with Riskified or by using the Site without prior registration you agree to the terms of this Privacy Policy. We reserve the right to change the provisions of the Privacy Policy from time to time and you are therefore advised to check it regularly. Your continued use of the Site after any change to the policy constitutes your acceptance of this Privacy Policy.

 

LINKS

Our Site may have links to the sites of other companies. We are not responsible for their privacy practices. We encourage you to learn about the privacy policies of those companies.

 

LOCATION SPECIFIC INFORMATION

Residents of the European Union

If you are a resident of the European Economic Area, the UK or Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect and manage your personal data.

As a data controller we rely on our legitimate interests to process your information, while at times we may rely on your consent, the need to comply with a legal obligation or perform a contract with you.

If the law grants you such rights, you may ask to access, correct, or delete your personal data that is stored in our systems. You may also ask for our confirmation as to whether or not we process your personal data. Subject to the limitations in law, you may request that we update, correct, or delete inaccurate or outdated information. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. However, we will continue retaining, using and sharing certain information if it is associated with fraudulent activity or to comply with legal obligations.

If you wish to exercise any of these rights, contact us at: support@riskified.com. When handling these requests, we may ask for additional information to confirm your identity and your request.

Several of our service providers are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources, however, opting out may prevent you from using the Site. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.

We may store and process information in the US, the EU, Israel, and in other countries. We may also process information using cloud services.

We frequently process information under arrangements aimed at providing an adequate level of data protection. This may include processing in countries that the EU has determined maintain adequate data protection, the use of model contract clauses, or other mechanisms. You may contact us as noted below to obtain a copy of the arrangements we use to transfer information outside of the European Economic Area, the UK, or Switzerland.

In certain cases the laws in some of these countries may provide a lesser degree of data protection than the laws of your own country. However, we will transfer your information to entities within other such countries for the purpose of processing as described in this Policy.

If you wish to exercise any of these rights, you can contact us at:

support@riskified.com, our Data Protection Officer at privacy@riskified.com, or our EU representative, Lionheart Squared (Europe) Ltd, at riskified@lionheartsquared.eu; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland. When handling these requests, we may ask for additional information to confirm your identity and your request. In addition, you may also have the right to submit a complaint with the relevant supervisory authority – you can find the relevant contact details here.

Residents of California

If you reside in California or other jurisdictions where such rights are provided by applicable law, you have specific rights regarding your personal data. This section describes the rights that you have and explains how to exercise those rights.

  • Right to Know About Personal Data Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information to you. You have the right to request any or all of the following:
    • The categories of or specific pieces of personal data we collected about you.
    • The categories of sources from which the personal data is collected.
      Our business or commercial purpose for collecting or selling that personal data.
    • The categories of third parties with whom we share that personal data.
  • Right to Request Deletion. You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, and Deletion Rights), we will delete (and direct our service providers to delete) your personal data from our records. However, we may retain personal data that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us in order to perform certain actions permitted by applicable laws, specifically such as detecting data security incidents or protecting against fraudulent or illegal activity. Therefore, we may retain your personal data despite such request.
  • Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by emailing support@riskified.com

Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information (including, at minimum, your name, address, and e-mail address) that allows us to reasonably verify that you are the person about whom we collected the personal data or an authorized representative.

We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing.

In order to protect the security of your personal data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. The method used to verify your identity will vary depending on the nature of the request. Generally speaking, verification will be performed by a third-party service provide.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. We are not obligated to provide the information set forth above under “Right to Know About Personal Data Collected, Disclosed or Sold” more than twice in a 12-month period.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Data Sales Opt-Out. We do not “sell” information, as sales are defined under applicable laws.

Non-Discrimination. We will not discriminate against you for exercising any of your legal rights.

Last updated: September 2, 2021

Vendor Code of Conduct

Riskified Ltd. (“Riskified” ) strives to achieve the highest standard of business and professional integrity, and seeks to avoid even the appearance of improper behavior. We expect our vendors, suppliers, distributors, partners, business associates, and third party representatives (“Vendors” ) to uphold these standards of conduct and professional integrity and communicate them to their organization.

This Vendor Code of Conduct (“Code”) sets forth Riskified’s expectation that its Vendors uphold the highest standards of ethics and comply with all applicable laws and regulations.

These expectations should complement each Vendor’s own company policies, applicable legal requirements, and the terms of any agreements that a Vendor may have with Riskified. Failure to comply with this Code could result in termination of the business relationship. Riskified encourages Vendors to raise questions or concerns about this Code to their Riskified point of contact.

Riskified’s Code of Business Conduct and Ethics, which sets forth our compliance standards in more detail, is available at https://ir.riskified.com/corporate-governance/documents-charters Riskified expects its Vendors to be honest, ethical and transparent when dealing with Riskified, its employees, customers and other third parties.

Vendors are expected to monitor Vendors own compliance with this Code and report any integrity concern or violations of this Code or otherwise involving or affecting Riskified. When requested, Vendors are expected to assist Riskified in investigating concerns.

  1. Compliance with applicable governmental laws, rules, and regulations

    Riskified expects its Vendors to comply with all laws, rules and regulations that apply to the Vendor’s business, particularly those related to Vendor’s performance of duties for Riskified.

  2. Anti-corruption compliance & business expenses

    Riskified prohibits bribes, kickbacks, or other improper or illegal payments of anything of value from being directly or indirectly offered, paid, promised or authorized in any way related to Riskified, whether it involves public officials (including officers or employees of governments or state-owned entities) or private parties.

    Riskified also prohibits bribery to influence a public official, to obtain or retain business from any party, or to secure an unfair business advantage.

    Riskified also prohibits Vendors from making facilitation payments, or small, unofficial payments to public officials to expedite routine, non-discretionary government processes or decisions (even if permissible under local law).

    All business expenses provided by Vendors related to Riskified’s business – including gifts (whether money or any other thing of value), hospitality, entertainment, events, travel, or accommodation – must comply with any agreements with Riskified; have a legitimate business purpose; be reasonable and modest in value and frequency; comply with local law; and be accurately recorded. Riskified prohibits the provision of cash gifts.

  3. Export, customs, trade control, and anti-money laundering

    Riskified expects its Vendors to comply with all applicable export, customs, and trade control laws and regulations, including economic and trade sanctions laws, antiboycott laws, and any related licensing requirements.

    Riskified also expects its Vendors to comply with all applicable anti-money laundering laws and regulations.

  4. Conflicts of interest & corporate opportunities

    Vendors should avoid actual or potential business or financial conflicts of interest – i.e., instances where the Vendor’s personal interests (including interests of the Vendor itself or the Vendor’s employees, officers, or directors) interfere or appear to interfere with Riskified’s interests.

    Vendors are prohibited from directly or indirectly (a) taking personally for themselves opportunities that are discovered through the use of Riskified property, information or positions; (b) using Riskified property, information or positions for personal gain; or (c) competing with Riskified for business opportunities.

    Any actual or potential conflicts of interest must be immediately reported to Riskified.

  5. Insider trading

    As a Vendor of Riskified, you may have access to material non-public information about Riskified, other companies, or their respective subsidiaries.

    Vendors may not purchase or sell any type of security while in possession of “material nonpublic information” relating to the security or the issuer of such security, whether the issuer of such security is Riskified or any other company. Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making a decision to buy, sell, or hold a security, or if the fact is likely to have a significant effect on the market price of the security.

    Riskified prohibits its Vendors from “tipping” others (e.g., family or friends) regarding material nonpublic information about securities.

  6. Antitrust, competition, and fair dealing

    Riskified expects its Vendors to comply with applicable antitrust and competition laws designed to promote fair and open competition, particularly as it relates to Riskified.

    Vendors should not directly or indirectly enter into any formal or informal agreement with competitors that fixes or controls prices, divides or allocates markets, limits the production or sale of products, boycotts certain suppliers or customers, eliminates competition or otherwise unreasonably restrains trade.

    Vendors are expected to deal fairly with customers, service providers, suppliers, competitors and employees.

    Vendors should not take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts, or any other unfair dealing practice.

  7. Record management and recording transactions

    Vendors are expected to ensure that all financial books, records and accounts related to their relationship with Riskified accurately reflect transactions and events.

    Vendors should not falsify documents, transactions, or accounting records.

  8. Confidential information

    We expect our Vendors to safeguard and protect Riskified’s confidential information, as well as the confidential information of Riskified’s customers, suppliers, shareholders, Riskified employees, or other third parties. Confidential information should be interpreted broadly to include all non-public information relating to Riskified or other companies that would be harmful to the relevant company (or useful to competitors) if disclosed, including financial results or prospects, information provided by a third party, trade secrets, new product or marketing plans, research and development ideas, manufacturing processes, potential acquisitions or investments, or information of use to the Riskified’s competitors or harmful to Riskified or its customers if disclosed.

    Riskified prohibits its Vendors from misusing proprietary information or trade secret information that was obtained without the owner’s consent; or from using confidential information for personal gain.

  9. Data privacy

    Vendors should comply with all applicable laws and regulations regarding the protection of personal information or other sensitive or protected information, and assist Riskified in complying with its own obligations in this regard Vendors’ privacy policies and notices should accurately reflect the data processing activities carried out by the Vendor, and should at all times be consistent with the processes by which data flows between Vendors and Riskified.

    Riskified expects its Vendors to notify Riskified immediately in the event of an actual or suspected data breach resulting in the dissemination of personal information relating to Riskified or its subsidiaries, customers, management, employees or other related parties, and of the steps Vendors are taking to address the breach.

    Riskified expects its Vendors to review and comply with Riskified’s Privacy Policy available at https://www.riskified.com/terms/.

  10. Human rights, employee relations and non-discrimination

    We expect our Vendors to comply with all applicable human rights laws prohibiting child, forced, indentured, or involuntary labor.

    Riskified expects its Vendors to pay wages in compliance with applicable minimum wage laws, respect maximum working hour standards and provide benefits in compliance with all applicable laws.

    Riskified also expects its Vendors to conduct themselves in a professional manner with courtesy and respect for others. Riskified will not tolerate harassment by our Vendors in any form, including verbal, physical, or sexual harassment.

    Riskified is committed to providing equal opportunities in employment, development, and advancement for all qualified persons and to promoting diversity and inclusion – and our Vendors are expected to share that commitment. Riskified does not tolerate illegal discrimination or harassment of any kind by its Vendors.

  11. Environment, safety, and health

    Riskified expects its Vendors to manage and operate in a manner protective of human health, safety, and the environment, especially as it relates to Vendors work with Riskified.

    Riskified expects its Vendors to comply with both the letter and spirit of the applicable health, safety and environmental laws and regulations and to attempt to develop a cooperative attitude with government inspection and enforcement officials.

  12. Use and protection of riskified corporate assets

    If provided with Riskified assets (including technology, software, proprietary information, or other physical assets), Vendors are expected to protect these assets and ensure their efficient use for legitimate business purposes.