Software as Service Agreement

  1. Riskified responsibilities

    1. Provision of Services. Riskified will make the Services available to Client as described in this Agreement and the order form(s) (each, an “Order Form”). “Services” means the products and services, ordered by Client pursuant to an Order Form.
    2. Support. Riskified, at its own expense, will provide Client with reasonable technical support in accordance with Riskified’s standard practices.
    3. Security Program. Riskified shall establish and maintain a data privacy and information security program that includes physical, technical, administrative, and organizational safeguards, that is designed to: (i) ensure the security and confidentiality of the Client Confidential Information; (ii) protect against any anticipated threats or hazards to the security or integrity of the Client Confidential Information; and (iii) protect against unauthorized disclosure, access to, or use of the Client Confidential Information, in each case, in accordance with the security schedule attached hereto.
    4. Fair Credit Reporting Act. The Parties agree that Riskified is not a consumer-reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and that the Services provided to Client hereunder do not constitute “Consumer Reports,” as defined in the FCRA. Client will not use the Service to determine any consumer’s eligibility for any product or service to be used by a consumer for personal, family or household purposes. Client will not use the Service in whole or in part: (i) as a factor in establishing a consumer’s eligibility for credit; (ii) as a factor in establishing a consumer’s eligibility for insurance; (iii) for employment purposes; (iv) in connection with a determination of an individual’s eligibility for a license or other benefit granted by a governmental authority; or (v) in connection with any permissible purpose as defined by the FCRA.
  2. Client data

    1. License to Client Data. Client grants Riskified and its Affiliates the worldwide, non-exclusive, royalty-free, perpetual, fully-paid-up, and irrevocable right to: (i) use data received from or made available by Client (“Client Data”) to provide Services to (a) Client and (b) Riskified’s and its Affiliates’ other clients; provided that Riskified and its Affiliates shall only use the Client Data to provide the services and shall not disclose Client Data to such other clients; (ii) incorporate the Client Data into Riskified’s services; and (iii) use the Client Data in accordance with Riskified’s Privacy Policy. For the avoidance of doubt, Riskified uses a combination of client data from all of its clients as well as third-party sources to provide its services; without such Client Data, Riskified is unable to provide the services. Riskified may provide Client Data to third parties in order for Riskified to provide the Services and Client consents to such transfer of Client Data.
    2. Client Authorization. Client shall obtain all consents and make all disclosures needed in order for Riskified to use the Client Data as permitted by this Agreement. Furthermore, Riskified may disclose Client Data pursuant to a data subject access request or consumer data request as required by law or in its sole discretion. Notwithstanding anything herein to the contrary, Riskified shall be permitted to retain and use Client Data associated with a chargeback after the expiration or termination of this Agreement or any Order Form. Solely for purposes of the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (as may be amended from time to time) (the “CCPA”), (i) Riskified is acting as a Service Provider (as defined in the CCPA) for Client as a Business (as defined in the CCPA), (ii) except as set forth herein, Riskified is prohibited from selling the Client Data or retaining, using, or disclosing the  Client Data for any purpose other than for the specific purpose of performing the Services, (iii) Client hereby instructs Riskified that the Business Purpose includes Riskified using and retaining the Client Data internally for the benefit of all of Riskified’s clients for detecting fraud, optimizing e-commerce solutions and similar performance enhancing purposes and (iv) Riskified understands and will comply with the restrictions herein.
    3. Client Responsibility.  Client is solely responsible for all aspects of Client Data, including its sourcing, inputting, accuracy, quality, integrity and management. Client shall be responsible for (i) obtaining consent from Client’s end customers, (ii) the provision of notices to Client’s end customers, (iii) obtaining consent to use automated decision making, (iv) providing Client’s end customers with the ability to exercise any access rights, and (v)  any requirements or limitations regarding the processing of data of minors, in each case, to the extent required under applicable law.
  3. Client obligations

    1. Use Restrictions. Except for the rights granted herein, no other rights in or to any Service, express or implied, are granted to Client. Without limiting the foregoing, Client may not: (i) transfer any of its rights to use the Service; (ii) sell, rent, lease or share the Service or the results thereof; (iii) permit any person who is not an Authorized User to use or access the Service; (iv) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Riskified’s online software application provided as part of the Service; (v) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; (vi) access all or any part of the Service or information included therein (e.g., Riskified’s recommendation to approve or decline a transaction) in order to build, improve upon, develop a product or service which competes with the Service; (vii) use the Service other than for the purpose described herein; (viii) load or penetration test the Service in any way that is, or could reasonably be expected to be, detrimental to Riskified’s ability to provide services to any other Client; (ix) send Riskified any data regulated under PCI; (x) use the Service or provide data to Riskified in a manner that violates any applicable law, ordinance, regulation or administrative order; or (xi) permit any other Person to do any of the foregoing.
    2. Client IT Infrastructure. Client is solely responsible for obtaining and maintaining network connections and telecommunications links from its systems to Riskified and all problems, conditions, delays, delivery failures as well as all other loss or damage arising from or relating to Client’s network connections or telecommunications links or caused by the internet. Notwithstanding anything herein to the contrary, Riskified is not responsible for technical issues due to Client’s failure to comply with Riskified’s instructions; or modification or alteration of the Service by anyone other than Riskified or Riskified’s duly authorized contractors or agents.
    3. Authorized Users; Credentialing. Only those users authorized by Client may use the Service (each, an “Authorized User”). Any violation of the terms and/or conditions of this Agreement by an Authorized User shall be deemed to be a violation by Client of such terms and conditions. Client is solely responsible for the security and proper creation, use and termination of all Authorized User names, passwords and other security devices used in connection with the Service and shall take all reasonable steps to ensure that they are kept confidential and secure, are used properly and are not disclosed to unauthorized Persons. Client shall immediately notify Riskified in writing if there is any reason to believe that an Authorized User name, password, or any other security device has or is likely to become known to anyone not authorized to use it, or is being or is likely to be used in an unauthorized way. Riskified reserves the right to require Client to change any or all its Authorized User names, passwords or other security devices used by Client in connection with the Service, and Client shall promptly comply with any such requirement. 
    4. Audit; Competition; Exclusivity. Riskified may audit Client’s use of the Services upon reasonable advance notice, during business hours, not more than once per calendar year, provided that such limitations shall not apply if Riskified has reasonable cause to believe that Client is using or permitting the Service to be used in an unauthorized manner. Client will not permit any employee, consultant or Person who is a direct or indirect competitor of Riskified to access or use the Services. For the Term of this Agreement (as defined below), Client agrees that it shall not receive services from another chargeback guarantee provider.
  4. Fees and payment

    1. Fees. Client agrees to pay the fees described in this Agreement and/or the Order Forms (the “Fees”). 
    2. Invoicing; Non-refundable. Client will be billed by invoice on a monthly basis and Client agrees to remit payment (i) if over $3,000, by wire transfer or ACH, or (ii) if $3,000 or under, by credit card, in each case, within the period specified on the Order Form. Except as otherwise specified herein or in an Order Form, Fees are non-cancelable and non-refundable.
    3. Late Payment; Disputes. Unpaid amounts are subject to a finance charge of 1.5% per month or the maximum percentage permitted by law, whichever is lower, in addition to all reasonable costs of collection, including reasonable attorney’s fees. Any good faith objection to an invoice shall be provided in writing to Riskified within thirty (30) days of receipt of the invoice, otherwise Client waives any objections and such invoice will be deemed final, not subject to dispute, and accepted by Client.
    4. Taxes. All fees are exclusive of taxes or duties. If Riskified is required to collect or pay any federal, state, or local tax under this Agreement, or any other similar taxes or duties levied by any governmental authority, excluding taxes levied on Riskified’s net income, then such taxes and/or duties shall be billed to and paid by Client upon receipt of invoice.
    5. Payment Failure; Service Suspension. Riskified may suspend the Service in whole or part if Client fails to make any overdue payment within five (5) days of written demand by Riskified. 
  5. Term and termination

    1. Term of Agreement. This Agreement begins on the Effective Date and continues until the earlier of (i) the expiration of all Order Form(s) or (ii) termination by either Party as set out herein.
    2. Term of Services. The term of each Service shall be set out in an Order Form. Except as otherwise specified in an Order Form, the term for each Service shall be for one (1) year (the “Initial Term”) and will automatically renew for consecutive periods equal to the Term specified or one (1) year, whichever is longer (each, a “Renewal Term”, and together the “Term”), unless either Party notifies the other Party of its intent to terminate such Services at least sixty (60) days prior to the end of the applicable Term.
    3. Early Termination by Client. During the Term, Client may terminate this Agreement for convenience upon ninety (90) days written notice (“Early Termination”). In the event of Early Termination, Client shall pay Riskified an amount equal to the gross average monthly Fees invoiced by Riskified and multiplied by the number of months remaining in the Term. Client acknowledges and agrees that the foregoing payment constitutes liquidated damages and is not a penalty and that the amount of actual loss due to the foregoing is difficult to precisely estimate and the amount of liquidated damages bears a reasonable proportion to the probable loss that Riskified will suffer in relation to the foregoing. 
    4. Early Termination by Riskified. Riskified may terminate this Agreement or any Order Form upon thirty (30) days notice. 
    5. Termination for Breach. Either Party may terminate this Agreement if the other Party materially breaches this Agreement and fails to cure within thirty (30) days of receipt of written notice from the other Party outlining the nature of such breach. 
    6. Data Portability. Following written request by Client, within thirty (30) days after expiration or termination of the Agreement, and provided Client has paid all Fees, including with respect to any invoices not yet due, Riskified shall make available to Client for download one or more electronic files of Client Data stored by Riskified. After such thirty (30) day period, Riskified shall have no obligation to maintain or provide any Client Data.
  6. Representations and warranties; Covenants

    1. Mutual Representations and Warranties; Covenants. Each Party represents, warrants and covenants to the other Party that it has the full power and authority to enter into this Agreement.
    2. DISCLAIMER. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, RISKIFIED IS PROVIDING THE SERVICES “AS IS” AND RISKIFIED DOES NOT MAKE ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
  7. Indemnification

    1. Indemnification by Riskified. Riskified shall defend and indemnify Client against claims, actions, proceedings, losses, damages, expenses and costs (including reasonable attorney’s fees) arising out of or in connection with third-party claims alleging infringement by the Services of any patent or copyright or misappropriation of any trade secret. The foregoing defense and indemnification obligations do not apply if (i) the allegation does not state with specificity that the Services are the basis of the claim against Client; (ii) a claim against Client arises from the use or combination of the Services or any part thereof with software, hardware, data, or processes not provided by Riskified, if the Services or use thereof would not infringe without such combination; (iii) a claim against Client arises from Services under an Order Form for which there is no charge; or (iv) a claim against Client arises from Client Data, third-party applications, services or software or Client’s breach of this Agreement or applicable Order Forms.
    2. Indemnification by Client. Client shall defend and indemnify Riskified against claims, actions, proceedings, losses, damages, expenses and costs (including reasonable attorney’s fees) arising out of or in connection with third-party claims alleging (i) Client’s use of the Service violates applicable law, including, without limitation, Client’s failure to obtain any required consents for data processing and to use automated decision making, and (ii) Client Data infringes or misappropriates a copyright, patent, trademark, trade secret, privacy or proprietary right or violates any right, law, or regulation applicable to such Client Data.
    3. Indemnification Process. As a condition to the indemnification obligations set out herein, the indemnified Person shall: (i) promptly notify the indemnifying Party of any claim for which indemnity will be sought; provided that no delay in providing such notice shall relieve the indemnifying Party of any liability or obligations hereunder except to the extent the indemnifying Party has been prejudiced by such delay; (ii) permit the indemnifying Party to assume control of the defense and settlement of such claim with counsel of its choosing; and (iii) provide cooperation reasonably requested by the indemnifying Party in investigating and defending such claim, at the indemnifying Party’s expense (provided that the indemnified Person shall not be entitled to compensation for time spent providing such cooperation). The indemnified Person shall have the right to participate in (but not control) the defense of any such claim, at its sole cost and expense, using counsel of its choosing.
    4. Exclusive Remedy. This “Indemnification” section states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any third-party claim described in this section.
  8. Exclusions; Limitation of liability

    1. Exclusion of Consequential and Related Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY FOR ANY LOST PROFITS, REVENUES, GOODWILL OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, COVER, BUSINESS INTERRUPTION OR PUNITIVE DAMAGES, ANY LOSS OF DATA, WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE. THE FOREGOING DISCLAIMER WILL NOT APPLY TO THE EXTENT PROHIBITED BY LAW.
    2. Limitation on Liability. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID BY CLIENT FOR THE SERVICES GIVING RISE TO THE LIABILITY IN THE SIX (6) MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE. THE FOREGOING LIMITATION WILL APPLY WHETHER AN ACTION IS IN CONTRACT OR TORT AND REGARDLESS OF THE THEORY OF LIABILITY, BUT WILL NOT LIMIT CLIENT’S PAYMENT OBLIGATIONS HEREUNDER.
    3. ANY CLAIM OR ACTION BY EITHER PARTY RELATED TO THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, THE SERVICE, MUST BE COMMENCED WITHIN TWO (2) YEARS AFTER THE DATE ON WHICH THE ACT, EVENT, CONDITION, OR OMISSION GIVING RISE TO SUCH CLAIM OR ACTION OCCURRED OR COULD HAVE REASONABLY BEEN DISCOVERED. ANY ACTION NOT BROUGHT WITHIN THAT TWO (2) YEAR PERIOD SHALL BE BARRED, WITHOUT REGARD TO ANY LONGER LIMITATIONS PERIOD SET FORTH IN ANY APPLICABLE LAW OR STATUTE.
  9. Confidentiality

    1. “Confidential Information” shall mean information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information or that a reasonable person should understand to be confidential given the nature of the information, which is disclosed by the disclosing Party in connection with this Agreement whether before, on or after the Effective Date. Confidential Information includes the terms of this Agreement. Confidential Information does not include any of the following: (i) information that is or becomes part of the public domain or otherwise available on an unrestricted basis to one or more third Persons without violation of this Agreement by the receiving Party; (ii) information that was known to or in the possession of the receiving Party on a non-confidential basis prior to the disclosure thereof to the receiving Party by the disclosing Party, as evidenced by written records; (iii) information that was developed independently by or on behalf of the receiving Party, without use of or reference to the Confidential Information; or (iv) information that is disclosed to the receiving Party by a third Person without violation of this Agreement by the receiving Party.
    2. Protection of Confidential Information. Each Party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third-party, or use the other’s Confidential Information for any purpose other than to provide the Services contemplated under this Agreement. Each Party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed in violation of the terms of this Agreement; and neither Party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third-party. Each Party may be given access to Confidential Information from the other Party in order to perform its obligations under this Agreement.
    3. Compelled Disclosure. The obligations of the Parties under this Section shall not apply to the extent of any disclosure required pursuant to a duly authorized subpoena, court order, or government authority, provided that the receiving Party has provided prompt notice and assistance to the disclosing Party prior to such disclosure, so that such Party may seek a protective order or other appropriate remedy to protect against disclosure.
    4. Injunctive Relief. Any breach of the confidentiality obligations set forth in this Section may constitute a material breach of this Agreement, which the breaching Party acknowledges may cause irreparable harm to the non-breaching Party, leaving it without an adequate remedy at law. As such, any such breach shall entitle the non-breaching Party to seek injunctive relief in addition to all other remedies, without necessity of posting of a bond or other security in connection therewith.
  10. Proprietary rights and licences

    1. Ownership. Client acknowledges and agrees that Riskified and/or its Affiliates and/or licensors own all Intellectual Property Rights in the Services and associated documentation. Except as expressly stated herein, this Agreement does not grant Client any rights to, or in any Intellectual Property Rights or any other rights or licenses in respect of the Services or the associated documentation. Client acknowledges that the Services, associated documentation and the inventions, know-how and methodology embodied therein are proprietary to, and are the valuable trade secrets of, Riskified and its Affiliates and licensors, as applicable, and that the Services constitutes Confidential Information of Riskified and/or its Affiliates. For purposes of this Agreement, “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
    2. “Intellectual Property Rights” shall mean all rights throughout the world in any and all of the following: (i) patents, patent applications, patent disclosures and inventions (whether patentable or not); (ii) trademarks, service marks, trade dress, trade names, logos, corporate names, Internet domain names and registrations and applications for the registration thereof together with all of the goodwill associated therewith; (iii) copyrights and copyrightable works (including computer programs and mask works) and registrations and applications for registration thereof; (iv) trade secrets, know-how and other proprietary information of a like kind; (v) waivable or assignable rights of publicity, waivable or assignable moral rights; and (vi) all other forms of intellectual property, such as data and databases, in each case, to the extent protectable under applicable law.
    3. License to Use Feedback. Client grants to Riskified and its Affiliates a worldwide, perpetual, irrevocable, royalty-free license to use and incorporate into Riskified and its Affiliates’ services any suggestion, enhancement request, recommendation, correction or other feedback provided by Client or its Authorized Users relating to the operation of the Service.
  11. Publicity

    1. Press Release. The Parties agree to issue a joint press release announcing the relationship between the companies within six (6) months from the Effective Date of this Agreement. Riskified’s marketing team will work together with the Client’s communications or marketing department on the wording and distribution of any such content/release.
    2. Use of Logo. Riskified may use Client’s name and logo on Riskified’s website and promotional and marketing materials and will use such name and/or logo in accordance with Client’s trademark and/or brand guidelines, as provided to Riskified.
  12. Insurance

    1. Coverage. Riskified has obtained and will maintain the following insurance coverages during the Term: (i) Professional Liability (including Products Liability, Privacy, Intellectual Property Infringement, Cyber Liability) insurance in the amount of at least $10,000,000 ($5,000,000 per occurrence) on a claims made basis, (ii) Directors and Officers insurance in the amount of at least $5,000,000 on a claims made basis, as well as policies for Business Owners, Workers’ Compensation and Employer’s Liability insurance.
    2. Upon Client’s written request, Riskified shall provide Client with certificates of insurance evidencing the above coverage. Additionally, upon Client’s written request, Riskified will name Client as an additional insured.
  13. Who are you contracting with; Governing law & Venue

    1. Contracting Party. If Client is domiciled in North America, Central America, or South America, Client is entering into this Agreement with Riskified Inc. If Client is domiciled elsewhere, Client is entering into this Agreement with Riskified Ltd., a limited liability company organized under the laws of Israel.
    2. Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the State of New York. The Parties hereby irrevocably consent and submit to the exclusive jurisdiction and venue of the state and federal courts in the State of New York. Notices to Riskified shall be addressed to 220 5th Avenue, 2nd Floor, New York, NY 10001, Attn: Legal Department.
    3. Arbitration. Notwithstanding anything herein to the contrary, any controversy, dispute or claim arising out of or related to this Agreement that cannot be resolved by informal and good-faith negotiations between authorized representatives of the parties shall be settled by final and binding arbitration to be conducted by an arbitration tribunal in the State, City and County of New York, NY pursuant to the rules of the American Arbitration Association.
  14. General provisions

    1. No Joint Venture or Partnership. The parties are independent contractors. This Agreement does not create a partnership, joint venture, franchise, agency, fiduciary, or employment relationship between the parties.
    2. Waiver. No failure or delay by either Party in exercising any right under this Agreement will constitute a waiver of that right.
    3. Notice. Any notice given pursuant to this Agreement shall be in writing and shall be provided by personal delivery, mailing, facsimile or email. Any such notice shall be deemed to have been given on (i) the day such notice or communication is personally delivered, (ii) three (3) days after such notice or communication is mailed by prepaid certified or registered mail, (iii) one (1) business day after such notice or communication is sent by overnight courier. Notice sent by either facsimile or email shall be deemed effective when the receipt is electronically confirmed.
    4. Force Majeure. If either Party is unable to perform any obligation (excluding any payment obligation) under this Agreement because of any matter beyond that Party’s reasonable control, such as lightning, flood, exceptionally severe weather, fire, explosion, war, civil disorder, industrial disputes (whether or not involving employees of either Party), acts of local or central government or other competent authorities, problems with telecommunications providers, hostile network attacks or other events beyond a Party’s reasonable control (each, a “Force Majeure Event”), that Party will have no liability (including any obligation to issue refunds or credits) to the other for such failure to perform; provided, however, that such Party shall resume performance promptly upon removal of the circumstances constituting the Force Majeure Event.
    5. Interpretation. In the event of any conflict between this Agreement and an Order Form, the terms of such Order Form will control.
    6. Assignment. Client may not assign or otherwise transfer this Agreement, or delegate any duty or assign or otherwise transfer any right hereunder, including by operation of law, without the prior written consent of Riskified. Any purported attempted assignment, transfer or delegation shall be null and void. Riskified may assign this Agreement (i) to an Affiliate or (ii) in the event of any change of Control.
    7. Counterparts. This Agreement may be executed in one or more counterparts, in original or electronic form, each of which shall be deemed an original, but all of which together shall constitute one and the same Agreement.
    8. Severability. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable.
    9. Modification. Riskified reserves the right to update these terms with or without notice to you. Your continued use of the Service constitutes your acceptance of any such modifications.

Schedule A Fraud Prevention Service

  1. Fraud Prevention Service.

    1. Service. Riskified will (i) review all card-not-present orders (each, an “Order”) submitted by Client (each, a “Submitted Order”), (ii) provide Client with an approve (“Approve Notice”) or decline recommendation, and (iii) where Riskified has provided an Approve Notice and Client has fulfilled the Order and such Order is subject to a chargeback pursuant to the reason codes set out below, Riskified shall provide the Chargeback Guarantee (as defined below).
    2. Additional Definitions. “Approved Orders” are those Submitted Orders for which Riskified issues an Approve Notice.
    3. “Cancelled Orders” are those Approved Orders that are subsequently either: (i) cancelled by Client, (ii) returned by Client’s end customer, (iii) declined by Client’s bank or payment gateway or (iv) otherwise not fulfilled by Client for legitimate reasons, in each case, within two (2) weeks from the issuance date of the Approve Notice. Upon request from Riskified, Client shall provide documentary evidence that such Submitted Order was not fulfilled.
  2. Order Review.

    1. Client Discretion. Client, in its sole discretion, may approve or reject an order.
    2. Excluded Orders. Riskified may choose not to review a Submitted Order if (i) the Order was already fulfilled by the Client; (ii) more than one (1) week has passed since the Order was created; or (iii) the Client Data or a portion thereof does not meet the standards set by Riskified during the integration process.
  3. Chargeback Guarantee.

    1. Chargeback Guarantee – Generally. Client’s sole and exclusive remedy for an Order covered by the Chargeback Guarantee shall be the payment of liquidated damages in an amount equal to the chargeback amount. The Chargeback Guarantee (A) shall be the lower of: (i) the original order value and (ii) the amount stated in the original chargeback notice submitted to Riskified (e.g., to reflect any changes in the order value after it was approved by Riskified), (B) shall exclude the fees charged for review of such order and (C) shall be reduced by any amounts recovered by Client for such order and (D) shall exclude any fees incurred by Client in relation to such chargeback (e.g., from the card schemes or Client’s acquiring bank and/or payment gateway) (the “Chargeback Guarantee”).  Such Chargeback Guarantee shall apply only if Client is current in its payment of fees to Riskified.
    2. Crediting Process. Riskified will provide reimbursement for amounts owed to Client pursuant to the Chargeback Guarantee on a monthly basis as a credit to Client’s account (e.g., chargeback amounts for March would be set off from the payment owed by Client in the April invoice). Following termination or expiration of this Agreement, Riskified shall provide reimbursement via wire transfer in the event the reimbursement amount exceeds the fees owed to Riskified.
    3. Required Documentation. Client must submit the following documents in order for an order to be covered by the Chargeback Guarantee:
      1. A copy of the original chargeback notification, which must include the following:
        1. A chargeback reason or reason code.
        2. The original order date and order amount
        3. For orders in which the customer used a credit card to place the order, the notice must include the first six (6) and last four (4) digits of the credit card.
        4. If the order was placed using an alternative payment method (e.g. PayPal) the notice must include the customer’s name and customer email.
      2. For orders of tangible goods, the Client must also provide Riskified with a proof of delivery in one of two formats:
        1. A copy of the shipping form (as provided by the shipping company) containing the delivery address, reroute information, date of delivery and the parcel delivery status; or
        2. A valid tracking number from a shipping company.
      3. Any other documents that Riskified reasonably requires from Client.
      4. Excluded Orders. The following orders are not covered by the Chargeback Guarantee.
        1. Not Approved. The order did not result in Riskified providing an Approve Notice. 
        2. Not Fraud Related. The chargeback reason is other than a reason code set out herein.
        3. Chargeback Notice / Order Mismatch. The information in the chargeback notice does not match the information in the original order.
        4. Delivery. Tangible goods delivered to an address other than the shipping address set out in the original order. 
        5. Late Submission of Chargeback. The chargeback was submitted to Riskified for reimbursement more than five (5) days after the chargeback notice issuance date or if the date of the chargeback notice is before the order shipping date. Timely notice of a chargeback is essential for Riskified to prevent future fraud associated with the transaction resulting in the chargeback. As such, if Client fails to notify Riskified of more than a total accumulated $25,000 in chargebacks within the aforementioned period after receiving such chargebacks, and if Riskified can demonstrate that such failure to submit chargebacks resulted in future chargebacks (“Downstream Chargebacks”), Riskified will not provide the Chargeback Guarantee for any such Downstream Chargebacks.
        6. Eligibility Period. The Chargeback Guarantee shall be valid for a period of six (6) months from the date of the Approval Notice.
        7. Disputing Party. Orders for which Client does not make Riskified the first and primary point of contact for disputing the chargeback through Client’s payment gateway and/or bank. 
        8. Reclamation of Goods by Client. Orders for which Client is successful in reclaiming the goods. In such case, the Chargeback Guarantee amount shall be limited to the order shipping costs.
        9. Failure to Provide Notice. Riskified reserves the right to decline to reimburse for chargebacks if the Client fails to timely comply with its notice obligations, pursuant to section 5(c), below.
        10. Failure to Provide Support or Comply with Cancellation, Return or Refund Policy. Orders for which (1) Client fails to provide ordinary course end customer support, (2) Client or a third party fails to cancel, refund, reimburse or return goods or services pursuant to applicable Client or third party policies that apply at the time of the Approve Notice or (3) Client or a third party fails to refund or cause the refund to its end customer within a reasonable time period.
        11. Failure to Provide Goods or Services. Orders for which the underlying goods or services were not provided to the end user.
      5. Chargeback Review. Riskified will review each chargeback within five (5) business days of submission of all required documents and information.
  4. Chargeback Representment.

    1. Process Owner. Riskified will manage and have sole discretion over the representment process.
    2. Upon Riskified’s request, Client agrees to assign all of its rights, title and interest in and to any claim(s) Client may have against an end customer (e.g., for “friendly fraud”).
  5. Client Obligations.

    1. Provision of Client Data. Client will provide Riskified with all Client Data and API configurations, as requested by Riskified, in order for Riskified to analyze a Submitted Order, including but not limited to the web-beacon data. Client represents and warrants that any Client Data submitted by or made available by Client prior to the Effective Date is accurate and complete.
    2. Order Information Modification. Client agrees and acknowledges that each update of order details, which includes but is not limited to updating the shipping and billing customer name or address, customer email, order amount or payment details, submitted after the issuance of an Approved Notice, will result in the order being submitted for additional review and Client may be charged the order review fee for any such updated details.
    3. Client Data Breach. Client will notify Riskified in writing no later than seventy-two hours after discovering: (i) that end-customer data has been accessed or is believed to have been accessed by an unauthorized party; or (ii) that any end-customer login or account credentials have been or are believed to have been compromised.
  6. Reason Codes.

    1. Visa
      1. 10.1: EMV Liability Shift Counterfeit Fraud (Online Only)
      2. 10.4: Other Fraud – Card Absent Environment
    2. MasterCard 
      1. 4837/37: Fraud Transaction No Cardholder Authorization
      2. 4840/40: Fraudulent Processing of Transactions
      3. 4863/63: Cardholder Does Not Recognize Potential Fraud
    3. American Express
      1. FR2: Fraudulent Transaction
      2. F29: Fraudulent Transaction – Card Not Present
    4. Discover
      1. UA02: Fraud Card Not Present Transaction
      2. AA: Transaction Does Not Recognize
      3. 7030: Unauthorized purchase

Riskified covers any and all chargebacks that are of card not present “unauthorized credit card use”. The above reason codes shall be deemed to be automatically updated, without amendment hereto, to reflect changes made by the credit card networks and will automatically apply to the Service as of the date of such change. 

 

Services Privacy Policy

Riskified provides online merchants (each, a “Merchant”) with services that help merchants optimize their e-commerce experience, including by preventing fraudulent online transactions, preventing account takeover, offering consumers an alternative payment method and increasing payment authorization (the “Services”). Merchants integrate our Services on their websites and mobile apps where consumers like you place orders (collectively, the “Merchant Website”). After you place an order, the Merchant Website may request that we process your personal data to provide our services.

This Privacy Policy (“Policy”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and for the benefit of our affiliates (“Riskified”, “we”, “our”, or “us”) for our Services. It describes how we collect, use and share personal data, and the rights and options available to you with respect to your information.

You are not obligated by law to provide us with your personal data, but the Merchant Website may require that you provide us with your personal data to enable the processing of orders you place. Please note that this Policy does not cover the practices or policies of Merchants, the Merchant Website, or other parties.

INFORMATION WE COLLECT

During the past 12 months we have collected the categories of information listed below, and anticipate that we will continue to collect such information. This information is collected directly from you, from Merchants, from our service providers, from publicly available sources and through the Merchant Website and is used by us to provide Services for our merchants, to improve those services and as otherwise described in Use of Collected Information below.

Transaction data. When you place an order with a Merchant Website, we collect various data regarding your transaction, which may include personal data, such as your name, email, address, the items you purchased, price paid, shipping information, and (if you have one) basic information from your account on the Merchant Website. We also collect basic information about your payment and billing method. We do not collect or keep your complete credit card number.

Device data. We collect information about the personal computer or mobile device you use to access the Merchant Website. This includes the device model, operating system, unique identifiers, browser type, mobile network information, and the Internet Protocol (IP) address through which you accessed the Merchant Website. 

Geo-location data. If you use the mobile app of a Merchant Website, we collect your geo-location when you are actively using the app. If you use the Merchant website, we collect your city-approximate geo-location.

Analytical data. We collect analytical data about your use of the Merchant Website. For example, we collect the frequency of your access to the Merchant Website, the time you spend accessing the Merchant Website, when you scroll, as well as any events sent to a behavioral tracking service, the pages that referred you to the Merchant Website, as well as the pages and items on the Merchant Website that you viewed or interacted with.

Cross-references. We also cross-reference, verify, and enhance the accuracy of the data outlined above using third-party online sources such as search engines, social networks, white pages, and mapping services. If you have provided the Merchant with access to information of third-party platforms, (including social networks), we may also receive the same access permissions to the information that you made public.

Inquiries. If you contact us for questions or complaints, we will collect the information related to your inquiry and to verify your identity. This may include your name, email address, postal address, telephone number and other contact information, depending on the nature of your inquiry.

USE OF COLLECTED INFORMATION

When a Merchant asks us to review an order you place on a Merchant Website, we review the data of your activities across all the Merchant Websites of our Merchants as well as any other data collected. We use this data to provide the Merchant a fraud analysis indicating whether or not the order is, in our assessment, a fraudulent online transaction. It is then at the discretion of the Merchant (not Riskified) to accept or decline your order.

We also use the information we collect for the following purposes:

  • Improving and enhancing Services and developing new services;
  • Statistical analysis of consumers’ activities;
  • Handling your requests and complaints;
  • Enforcing this Policy and preventing misuse of the Services;
  • Taking any action in any case of disputes involving you, in relation to the Services; and,
  • Any other action that may be mandated by law or undertaken to protect our legal rights and property and/or those of third parties.

SHARING INFORMATION COLLECTED

We may share the information outlined in this Policy with others, in the following instances:

With our third-party service providers

We use service providers to assist us in providing the Services. We only share with them the limited elements of the personal data we collect which are strictly necessary for them to provide us with their service. These service providers include data sources, such as white pages, data providers, and mapping services and other similar services. We do this in order to cross-reference, verify, and enhance the accuracy of the data that we collect. Some of these service providers may use the data we share with them for their own permitted purposes, in accordance with their own terms and policies subject to applicable law, such as Google’s Privacy Policy and Terms of Service.

With the Merchant

We may share limited elements of your personal data with the Merchant with whom your transaction was made. This information sharing will be for the purpose of reviews, audits or dispute handling or responding to your request for access to your personal data.

With Our Partners

Riskified partners with certain entities, such as banks, card networks, and/or payment gateways, and may provide them with elements of your personal data in order to optimize order approval.

When required for Legal Purposes

We may share your personal data with third parties if we believe it is required by law or for the purpose of exercising legitimate legal rights. For instance, it could be necessary to share your data in order to comply with legal proceedings, to protect or exercise the legal rights of Riskified or our Merchants, or to respond to lawful requests.

With Corporate Group Entities or in a Business Transfer

We may share your personal data with our corporate group entities but their use of such information must comply with the Policy. Your data may also be shared if the operation of the Services is organized within a different framework or through another legal structure or entity, such as due to a merger or acquisition.

Non-Personal Data

We may use the information we collect to compile aggregated, anonymized, or de-identified information. We may share de-identified or aggregated information with any number of parties.

With you

We may share the data we possess about you with you upon your verifiable request or with other parties at your direction. We may contract with one or more vendors in order to verify your identity. In order to submit a request, please email support@riskified.com.

Transfer of Data Outside Your Territory

We may store and process information in the US, the EU, Israel, and in other countries. We may also process information using cloud services.

We frequently process information under arrangements aimed at providing an adequate level of data protection. This may include processing in countries that the EU has determined maintain adequate data protection, the use of model contract clauses, or other mechanisms. You may contact us as noted below to obtain a copy of the arrangements we use to transfer information outside of the European Economic Area, the UK, or Switzerland.  

In certain cases the laws in some of these countries may nevertheless provide a lesser degree of data protection than the laws of your own country. However, we will transfer your information to entities within other such countries for the purpose of processing as described in this Policy.

LOCATION SPECIFIC INFORMATION

Residents of the European Union

If you are a resident of the European Economic Area, the UK or Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect and manage your personal data.

  • As a data controller we rely on our legitimate interests to process your information, including the use of our service providers assisting us to deliver the Services. We may also receive your explicit consent through the Merchant Website. The Merchant Website relies on their own valid legal basis for processing your information, which may be in the form of consent, legitimate interest or execution of a contract.
  • The Merchant Website may, at its own discretion, use Riskified’s Services to make a decision on whether to accept or decline your order based solely on automated processing. It may do so if you have given your consent, if needed to enter into or perform a contract, or if authorized by law. Please direct inquiries concerning approval of your order based solely on automated means to the Merchant Website.
  • If the law grants you such rights, you may ask to access, correct, or delete your personal data that is stored in our systems. You may also ask for our confirmation as to whether or not we process your personal data. Subject to the limitations in law, you may request that we update, correct, or delete inaccurate or outdated information. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. However, we will continue retaining, using and sharing certain information if it is associated with fraudulent activity or to comply with legal obligations.
  • Several of our data sources are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources. However, opting out may prevent us from providing Services and, as a result, may prevent you from using the Merchant Website. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.

If you wish to exercise any of these rights, you can contact us at: support@riskified.com, our Data Protection Officer at privacy@riskified.com, or our EU representative, Lionheart Squared (Europe) Ltd, at riskified@lionheartsquared.eu; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland. When handling these requests, we may ask for additional information to confirm your identity and your request. In addition, you may also have the right to submit a complaint with the relevant supervisory authority – you can find the relevant contact details here.

Residents of California

If you reside in California or other jurisdictions where such rights are provided by applicable law, you have specific rights regarding your personal data. This section describes the rights that you have and explains how to exercise those rights.

  • Right to Know About Personal Data Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information to you. You have the right to request any or all of the following:
    • The categories of personal data we collected about you.
    • The categories of sources from which the personal data is collected.
    • Our business or commercial purpose for collecting or selling that personal data.
    • The categories of third parties with whom we share that personal data.
    • The specific pieces of personal data we collected about you.

 

  • Right to Request Deletion. You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal data from our records. However, we may retain personal data that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us in order to perform certain actions permitted by applicable law, specifically such as detecting data security incidents or protecting against fraudulent or illegal activity. Therefore, we may retain your personal data despite such request.

 

  • Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by emailing support@riskified.com.

Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. 

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information (including, at minimum, your name, address, and e-mail address) that allows us to reasonably verify that you are the person about whom we collected the personal data or an authorized representative.

We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing.

In order to protect the security of your personal data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. The method used to verify your identity will vary depending on the nature of the request. Generally speaking, verification will be performed by a third-party service provider.

Any disclosures we provide may only cover the 12-month period preceding our receipt of your request. We are not obligated to provide the information set forth above under “Right to Know About Personal Data Collected, Disclosed or Sold” more than twice in a 12-month period.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

  • Personal Data Sales Opt-Out. We do not “sell” information, as sales are defined under applicable laws.

 

  • Non-Discrimination. We will not discriminate against you for exercising any of your legal rights.

INFORMATION SECURITY

We implement industry standard measures to reduce risks caused by the potential loss of information, unauthorized access, or use of information. However, no measure can provide absolute information security and we cannot provide protections beyond what is within our reasonable control.

DATA RETENTION

The personal data we collect is retained only for as long as necessary to provide the Services or any newly developed services under this Policy. We retain the personal data we receive from the Merchant for no more than 48 months, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymized without further notice to you.

POLICY REGARDING CHILDREN

We do not knowingly collect personal data from children under the age of 13, and children under the age of 16 in the EU or California. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at support@riskified.com. If we become aware that a child under such ages has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.

CHANGES TO THIS POLICY

If we materially change this Policy in a manner that adversely affects your rights, or the protections afforded to your personal data, such changes will only affect the personal data we collect after the Policy change, unless you agree to us treating the personal data previously collected in accordance with the new Policy.

CONTACT US

You may contact us with any questions or comments, at: support@riskified.com

Our postal address is: 30 Kalischer Street, Tel Aviv, Israel, postal code 6525724 or 220 Fifth Avenue, Floor 2, New York, NY 10001.

Effective date of the policy: September 2, 2021

 

Riskified respects the privacy of the users of our website at https://www.riskified.com (the “Site”) and is committed to protecting the information that is collected and/or is disclosed by the Site users (“users” or “you”). This Website Privacy Policy (“Policy”) explains the privacy practices of Riskified Ltd., on behalf of ourselves and for the benefit of our affiliates (“Riskified”, “we”, “our”, or “us”) for use of the Site.

 

INFORMATION WE COLLECT

During the past 12 months we have collected the categories of information listed below, and will continue to collect such information. This information is collected from you, directly, through your browsing session on the Site and through third parties and is used by us to improve our services and as otherwise described below.

Riskified collects information from our users at several different points on our Site. Personal data such as a user’s name, address, contact information, and other personally-identifiable information may be collected from you and stored in our databases when you register to the Site, request support, enter into a sales promotion, or otherwise interact with us (for example through the “contact us” option). If you do not provide us with the required information we may not be able to provide you with the information/services requested by you. Registered users may have a user name and password to access their information.

When you use the Site we may automatically collect personal data through cookies or other online technologies. This may include internet traffic data such as a user’s IP address, domain server, type of computer, type of web browser, your browsing session on the Site (e.g., the pages accessed and links clicked), the referral source and website navigation paths of your visit and your interactions on the Site. This information is helpful for us to operate our site, for marketing purposes or for improving a user’s experience on the Site.

We may also collect information about you from our business partners and other service providers, including personal data (e.g., contact information such as emails and general information associated with your IP or device), to help to operate our site, for marketing purposes or for improving your experience on the Site.
We may also collect statistical and other aggregated data related to your use of the Site or services thereon as well as information on Site usage patterns. This information is collected and used as non-individually identifiable information.

 

HOW WE USE INFORMATION AND WHO WE SHARE IT WITH

We use the information collected to analyze trends, administer the Site, improve our services, track users’ movements around the Site, and gather demographic information about our user base. We also use the collected information to respond to your requests and contact you. We compile and store the collected information to generate reports related to our users’ access to and use of our Site and services. We may use specific information collected to personalize and deliver content marketed directly to you and measure its effectiveness, subject to requirements of applicable law.

To the extent required under applicable data processing laws and regulations any personal data that we collect may be stored in our database and will be used in accordance with such applicable laws and regulations.

We do not share, distribute, sell, or rent any of your personal data with/to third parties, except to assist us with the above activities and in the following circumstances where we may use the information we collect:

  • The information is required by law in order to prevent, investigate, or take action regarding illegal activities;
  • In response to legal process, court orders, subpoenas;
  • To establish or exercise our legal rights or defend against legal claims;
  • For the purpose of providing and operating the Site we may share information with trusted third party partners for purpose of providing Site-related services to us. We will require that these third parties comply with this Privacy Policy or with privacy policies at least as protective as this Privacy Policy.
  • We may also request your permission to use your information in other ways. Such use is subject to your consent.
  • Any data processing performed by these third parties will, if and when required by law, be governed by a data processing agreement in the form required by law preserving your statutory data protection rights.
  • In case of a business transfer. In the conduct of our business, we may go through a business transaction such as a sale, merger, reorganization or bankruptcy proceeding. Information collected from users of the Site, including personal data, could be transferred as part of such transaction. By submitting your personal data through the Site, you agree that your information may be transferred to third parties under such circumstances.

 

COOKIES

A cookie is a piece of data sent from a website while the user is browsing and stored on a user’s hard drive to contain information about the user. We use cookies to enhance the user experience, improve our service, including by means such as storing passwords or preference information. We may also use cookies to track and monitor usage of the Site for the purposes of marketing and operational improvements.

Riskified’s Site uses both ‘session’ and ‘persistent’ cookies. ‘Session cookies’ are created and stored temporarily while the user browses and are deleted from the device when the browser is closed. ‘Persistent cookies’ are saved on the user’s device for a fixed period and become active when the user visits the Site.

Users located in the EU will receive a pop up notification informing them that cookies are operating on our Site. Most browsers will allow you to erase cookies from your computer hard drive, block acceptance of cookies, or receive a warning before a cookie is stored.

 

INTEREST-BASED ADVERTISING

We may work with third parties who collect information on our Site and elsewhere through the use of cookies and similar methods in order to serve you with relevant advertisements on other services or to determine that you have seen our advertisements on other services and for other retargeting purposes. We do not respond to or honor “do not track” (a/k/a DNT) signals or similar mechanisms automatically transmitted by web browsers for which we cannot evaluate your choice.

E-MAIL COMMUNICATIONS

You have the ability to opt out of receiving marketing communications from Riskified at any time. You can opt out by either changing your email preferences or using the link provided at the bottom of each email message. You may not opt out of administrative emails (for example, emails about your transactions or policy changes) while you are a registered user.

We do not send emails to anyone without permission and we do not sell or rent email addresses to any unauthorized third party. If you believe that you have received an unsolicited email from us, please contact us at support@riskified.com and we will investigate.

 

DATA RETENTION

We retain the personal data we receive through the Site for no more than 48 months, unless you request that we delete this information, or if it is required by us to establish, exercise, or defend against legal claims, or comply with legal obligations. When we dispense with data it is either deleted from our system or anonymized without further notice to you.

 

APPLICANTS DATA

We use information about job applicants (from the website or any other source) such as their contact details, name, professional experience and CV, and other information needed to consider their hiring (“Applicants Data”). Additionally, we use Applicants Data for statistical purposes to improve our recruitment processes. We may use data of applicants that have not been accepted for a specific position, for internal purposes or to inform them of future job opportunities that we believe may suit them. We care about your privacy and will not share your Applicants Data with anyone else for other purposes. Applicants Data will be retained for 48 months or a longer period as may be allowed for by law. For any request or question regarding your Applicants Data and privacy, please contact legal@riskified.com.

 

POLICY REGARDING CHILDREN

We do not knowingly collect personally identifiable information from children under the age of 13, or 16 in the EU. If a parent or guardian becomes aware that his or her child has provided us with personal data without their consent, he or she should contact us at support@riskified.com. If we become aware that a child under such ages has provided us with personal data, we will delete such information from our files unless we have appropriate consent, where applicable, or unless we are required to maintain it for law-enforcement or legal purposes.

 

SECURITY

We follow generally accepted industry standards and best practices to protect the personal data submitted to us, both during transmission and once we receive it. However, due to the nature of Internet communications and evolving technologies, unauthorized entry or use, hardware or software failure, or other factors, the security of user information may be compromised at any time. No method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of personal data and disclaim any assurance that such information will remain free from loss, misuse, or alteration by third parties who, despite our efforts, obtain unauthorized access.

 

CHANGES AND CONSENT TO PRIVACY POLICY

By registering with Riskified or by using the Site without prior registration you agree to the terms of this Privacy Policy. We reserve the right to change the provisions of the Privacy Policy from time to time and you are therefore advised to check it regularly. Your continued use of the Site after any change to the policy constitutes your acceptance of this Privacy Policy.

 

LINKS

Our Site may have links to the sites of other companies. We are not responsible for their privacy practices. We encourage you to learn about the privacy policies of those companies.

 

LOCATION SPECIFIC INFORMATION

Residents of the European Union

If you are a resident of the European Economic Area, the UK or Switzerland, or any other territory with similar data protection laws, the following section is applicable to how we collect and manage your personal data.

As a data controller we rely on our legitimate interests to process your information, while at times we may rely on your consent, the need to comply with a legal obligation or perform a contract with you.

If the law grants you such rights, you may ask to access, correct, or delete your personal data that is stored in our systems. You may also ask for our confirmation as to whether or not we process your personal data. Subject to the limitations in law, you may request that we update, correct, or delete inaccurate or outdated information. You may also request that we suspend the use of any personal data that you contest the accuracy of, while we verify the status of that data. You may also be entitled to obtain personal data that you directly provided us and have the right to transmit it to another party. However, we will continue retaining, using and sharing certain information if it is associated with fraudulent activity or to comply with legal obligations.

If you wish to exercise any of these rights, contact us at: support@riskified.com. When handling these requests, we may ask for additional information to confirm your identity and your request.

Several of our service providers are companies operating in countries outside of your local territory or the European Economic Area, in legal environments that may not be adequate by EU data protection standards. You may opt out of having your personal data shared with those data sources; however, opting out may prevent you from using the Site. Irrespective of requests to opt out, if your personal data is associated with fraudulent activity we may continue to retain, use and share certain information, in order to prevent unlawful practices.

We may store and process information in the US, the EU, Israel, and in other countries. We may also process information using cloud services.

We frequently process information under arrangements aimed at providing an adequate level of data protection. This may include processing in countries that the EU has determined maintain adequate data protection, the use of model contract clauses, or other mechanisms. You may contact us as noted below to obtain a copy of the arrangements we use to transfer information outside of the European Economic Area, the UK, or Switzerland.

In certain cases the laws in some of these countries may provide a lesser degree of data protection than the laws of your own country. However, we will transfer your information to entities within other such countries for the purpose of processing as described in this Policy.

If you wish to exercise any of these rights, you can contact us at:

support@riskified.com, our Data Protection Officer at privacy@riskified.com, or our EU representative, Lionheart Squared (Europe) Ltd, at riskified@lionheartsquared.eu; 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland. When handling these requests, we may ask for additional information to confirm your identity and your request. In addition, you may also have the right to submit a complaint with the relevant supervisory authority – you can find the relevant contact details here.

Residents of California

If you reside in California or other jurisdictions where such rights are provided by applicable law, you have specific rights regarding your personal data. This section describes the rights that you have and explains how to exercise those rights.

  • Right to Know About Personal Data Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information to you. You have the right to request any or all of the following:
    • The categories of or specific pieces of personal data we collected about you.
    • The categories of sources from which the personal data is collected.
    • Our business or commercial purpose for collecting or selling that personal data.
    • The categories of third parties with whom we share that personal data.
  • Right to Request Deletion. You have the right to request that we delete any of your personal data that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal data from our records. However, we may retain personal data that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us in order to perform certain actions permitted by applicable laws, specifically such as detecting data security incidents or protecting against fraudulent or illegal activity. Therefore, we may retain your personal data despite such request.
  • Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by emailing support@riskified.com.

Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child.

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information (including, at minimum, your name, address, and e-mail address) that allows us to reasonably verify that you are the person about whom we collected the personal data or an authorized representative.

We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing.

In order to protect the security of your personal data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. The method used to verify your identity will vary depending on the nature of the request. Generally speaking, verification will be performed by a third-party service provider.

Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. We are not obligated to provide the information set forth above under “Right to Know About Personal Data Collected, Disclosed or Sold” more than twice in a 12-month period.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Personal Data Sales Opt-Out. We do not “sell” information, as sales are defined under applicable laws.

Non-Discrimination. We will not discriminate against you for exercising any of your legal rights.

Last updated: September 2, 2021

Our Commitment to Security

We work day in and day out to ensure that Riskified isn’t just the best fraud management solution but also the safest solution. It is our commitment to you, your customers, our business partners, and everyone in between, that Riskified sets the gold standard for security in eCommerce fraud management. If you ever have any questions about Riskified’s security, please contact us at support@riskified.com, and we’ll route your inquiry to our security team.


Data and Information Security at Riskified

Business is built on a foundation of trust, and we take that very seriously – both the trust you place in us, and the trust your customers place in you. Thus, maintaining the privacy and security of your customers’ data is a top priority. In addition, we are thoughtful of the impact any downtime or interference might have on your customers’ experience.

Riskified’s data and information security strategies are designed to ensure your data and your customers’ personal information remain protected while avoiding availability issues and providing a high level of service at all times.

Riskified is committed to securing our customers’ data, and actively invests in creating a protected service that our customers can trust. We have taken a number of measures and have put in place mechanisms to prevent unauthorized access to the data:

  • At Riskified, we do not store personally identifiable information (PII) data locally. All Riskified client data is stored on Amazon Web Services (AWS) using 256-bit Advanced Encryption Standard (AES-256).
  • Riskified maintains ISO 27001:2013 Certification and uses it as the basis for our information security management system (ISMS). This ensures we have the proper processes and programs in place. As part of this certification, we conduct employee training, restrict access to certain data points, and separate duties between our operations and research teams.
  • To ensure we maintain a constant high level of service, we have put in place business continuity plans, devised incident management procedures, and have implemented disaster recovery procedures. Riskified understands that it provides a mission-critical service to our customers. Our main API service is architected with multiple fallbacks both on the application layer and the physical infrastructure on which it relies. All of Riskified’s infrastructure (including our API) is hosted on Amazon Web Services (AWS) within multiple availability zones (AZ) and regions.

Additional Security Mechanisms

We’re constantly working on more ways to make Riskified the most-secure fraud-management solution. Some mechanisms are published here, and others we keep private. But rest assured, security is a primary focus for Riskified.