Age Verification Client T&Cs (the “Terms and Conditions”)

Last updated on: 3 March 2025

This “Agreement” (comprising these Terms and Conditions, its Schedule and any Order Form or Statement of Work) governs your use of Age Verification on your Client Applications.

By signing an Order Form, or if signing up without an Order Form opening an account on the Yoti Hub, a legally binding contract governed by the Agreement will be created between the Yoti entity specified in the Order Form, or as identified in clause 15 of these Terms and Conditions (“Yoti”) and the Client. The Client is referred to as “you” or “your”.

IT IS AGREED

Definitions

This Agreement uses phrases which have specific meanings. They are set out in Schedule 1.

1. Data Protection

1.1. Where Yoti is a Data Processor and the Client is a Data Controller of Personal Data the Data Processing Agreement in Schedule 2 will apply.

1.2. You are responsible for the configuration of Age Verification to meet your specific requirements and applicable law. This includes choosing:

1.2.1. Which age verification methods are presented to your Users;

1.2.2. Whether Yoti provides you with the age or the age+ status of a User.

1.3. Age Verification will not send you a date of birth, name or any other identifiable personal data.

2. Use of Age Verification

Grant of licence

2.1. Yoti grants to you a non-transferable, non-sub-licensable, royalty free, revocable, non-exclusive licence to use Age Verification for the Client Applications from the date on which Yoti signs the Order Form, or (if earlier) the date Yoti approves the opening of your Hub Account. This licence is automatically suspended during any period when your use of your Hub account is suspended and will terminate automatically and irrevocably on termination of this Agreement for any reason.

2.2. Yoti may amend any part of Age Verification at any time in its absolute discretion with no prior warning to you, including by adding or removing methods of age verification, provided that no other change materially reduces the functionality of Age Verification.

2.3. Yoti may need to amend the Software every now and again to fix bugs, improve security or improve functionality. In the unlikely event that a change in your integration or the Software is required by you then you must do so within 30 days of notice from Yoti.

2.4. If you are using Age Estimation or Yoti IDV on US citizens then you warrant that:

2.4.1. You will capture a User’s consent to Yoti’s capturing and use of biometrics (if face match or liveness is being used) in a manner that is compliant with US law. Where made available, this will be through Yoti’s consent collection screen, unless agreed otherwise by Yoti in writing in advance;

2.4.2. any biometric template received by you through Age Estimation or Yoti IDV must be deleted within three years of the initial purpose being satisfied or the last interaction with the user, whichever occurs first;

2.4.3. You will need to publish a policy explaining your use of biometrics and your retention period that also identifies Yoti as a party that is capturing biometric information on your behalf with a link to Yoti’s biometric policy.

2.5. You indemnify us against all losses (including damages, settlement costs, defending lawsuits and regulatory action against us) for any failure to comply with clause 2.4, above.

Restrictions on use

2.5. In relation to your use of Age Verification, either during the term of this Agreement or at any time afterwards, it is a condition of this Agreement that you must:

a. only use it in compliance with all applicable laws;

b. only use Age Verification to receive Attributes solely for proper and lawful business purposes and otherwise in accordance with this Agreement;

c. only make backup copies of the Software for your lawful use. You must keep a written record of the number and location of Software copies, which you must provide to Yoti on request, and take all reasonable steps to prevent unauthorised copying of the Software;

d. not use any methods in Age Verification to determine if they are within the scope of a patent;

e. not modify, copy, adapt, translate or create derivative works based on any part of Age Verification or attempt to discover any source code or underlying ideas or algorithms or reverse engineer, decompile or disassemble any part of Age Verification for any purpose;

f. not attempt to gain, or gain, unauthorised access to, or disrupt the integrity or performance of Age Verification or any Attributes;

g. not use Age Verification or any Attributes or any generated results to directly or indirectly train any machine learning algorithm;

h. not use Age Verification to commit, or with the intention to commit, any unlawful, fraudulent, dishonest, threatening, invasive or improper behaviour;

i. not and are not permitted to sub-license, assign, hold on trust or novate this Agreement to or on behalf of any person;

j. provide all cooperation and information reasonably required by Yoti in relation to Age Verification, including all information and materials reasonably required by Yoti to make Age Verification available to you. You must ensure that such information is up-to-date and accurate in all material respects;

k. not provide a service which is the same as or similar to Age Verification or use any part of Age Verification to build a competitive product or service or copy its features, technology or user interface;

l. not store an image of the photo or still frame used by Yoti to estimate age without Yoti’s prior written approval, which it can withhold in its absolute discretion; or

m. not act or omit to act in any way that results in damage to Yoti’s business or reputation.

3. Reservations

3.1 Yoti reserves the right to cease supporting Digital ID for older mobile operating systems that are no longer supported by Google or Apple and for phone models that are not used by a significant proportion of Yoti users in Yoti’s absolute opinion. Yoti is not liable to you if Google or Apple remove Digital ID from their respective app stores for any reason.

3.2. Yoti may change its onboarding or verification processes for the Digital ID or IDV at any time. Digital ID and IDV do not accept every identity document. You must check Yoti’s published materials to check if the national documents you require are supported by Digital ID and IDV. Yoti reserves the right to amend the list at any time without notice.

3.3. The Transaction Charges for IDV are just for an automated data extraction of the age from an ID document and, if enabled by you, for automated passive liveness, face match and document authenticity checks. Please speak to us if you require more than those automated checks.

4. Use of Attributes

4.1. You are permitted to use Attributes provided to you by Users for your proper and lawful purposes in order to verify the age of Users with respect to your Client Applications.

4.2. Except where Age Verification is being used for the purpose of verifying the age associated with a User’s account with you, you are not permitted to re-use the trust or any information gleaned from Attributes and must request a new Age Verification each time a User comes to a Client Application.

4.3. You may use Attributes provided to you by Users only in accordance with your relevant policies (including your privacy policy) as such policies are amended from time to time and at all times in accordance with applicable laws. You are responsible directly to your Users to process any Attributes provided to you by us in accordance with all Privacy Laws.

4.4. Except with the prior written consent of Yoti you may not resell, sublicense, lease, share, transfer, make representations about or otherwise make available any Attribute or any trust or information gleaned from the foregoing to any third party or as part of any joint venture or partnership with any third party. Further, you may not store any Attribute in any publicly distributed ledger (such as a public blockchain) without our written prior consent, which we can withhold in our absolute discretion.

5. Third Party Service

Various Third Party Services are offered for age verification through Age Verification. Yoti has no obligation to host any Third Party Services on Age Verification, but we may in our sole discretion choose to do so from time to time. We can withdraw the provision of any Third Party Service on Age Verification at any time without giving you notice. Yoti does not guarantee that any Third Party Service is suitable for any particular purpose and as between Yoti and you the Third Party Service is provided “as is” and we disclaim any and all implied or express representations, warranties, terms or conditions in connection with the Third Party Service.

6. Fees and Transaction Charges and Payment Terms

Transaction Charges

6.1. Transaction Charges shall be calculated in accordance with the prices and currency we have agreed with you in the Order Form for the relevant Transactions and are stated exclusive of VAT. Where no Order Form is in place for any age verification you are using, Yoti may charge at its then current pricing schedule rate (whether or not you have seen such pricing).

6.2. The chargeable events for each age verification option are below:

6.2.1. for Digital ID; Age Estimation: Credit Card and Age Tokens: when an Attribute is returned to You;

6.2.2. for age with IDV: a document submission to Yoti;

6.2.3. for Third Party Services: when a request is made by you and/or a User for that Third Party Service; and

6.2.4. for a user simply authenticating their Age Verification account, when the Attribute is shared with you by Yoti.

6.3. It is possible for a Session to consist of more than one Transaction. Where any of the Transaction types identified at 6.2.1 and age with automated IDV are included in a single Session, they will be collectively deemed one Transaction with the chargeable event being the one applicable to the first of those Transactions to be used in that Session. Any other types of Transaction carried out in that Session shall be charged separately. A maximum of 1 attempt per Transaction type is included per Session, with the exception of Age Estimation which can have up to 2 attempts depending on the retries permitted by you.

Fees

6.4. Fees shall be charged as specified in an Order Form or Statement of Work. Where any of the following work is carried out by Yoti and the fees do not have an associated price (including being identified as “Not Applicable”) in an Order Form, the following fees shall apply:

a. Set up fee: £250;

b. Integration support: to help the Client with Age Verification. This service shall be charged at a half day fee rate of £750, with a minimum charge of £750;

c. Due diligence support: to assist the Client with its due diligence processes (eg Client’s security questionnaires). This service shall be charged at a half day fee rate of £750, with a minimum charge of £750;

d. Theme support: to individualise Age Verification according to the Client’s specifications. This service shall be charged at a half day fee rate of £7350, with a minimum charge of £750 with a charge of £150 per month per brand for ongoing support; and

e. Additional languages: to translate Age Verification into a language other than the languages that come included. This service shall be charged as a one off fixed fee (quote available on request).

Payment Terms

6.5. Payment card details may be entered and saved to automatically pay for future invoices. Any card details entered are stored by our payment partner, Stripe, who will apply a charge to the saved payment card upon issuance of a new invoice. If you do not have a saved payment card, you shall receive a payment link, requiring you to enter your payment card details for each invoice issued to you. You must settle any outstanding invoices within 14 days of the date of the invoice.

6.6. If you fail to make any payment due to Yoti under this Agreement by the due date then, without limiting Yoti’s other remedies, we may charge interest on the overdue amount at 4% per annum above Barclays Bank’s sterling base rate from time to time. Interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, including before and after judgment. You must pay the interest together with the overdue amount.

6.7. You must pay all amounts due under this Agreement in full without any set-off, counterclaim, deduction or withholding (except for any deduction or withholding required by law). Yoti may at any time, without limiting its other rights or remedies, set off any amount owed to it by you against any amount payable by Yoti to you.

6.8. Some of our Fees and Transaction Charges are reduced if you are an Eligible Charity, please contact us.

6.9. Yoti reserves the right to require payment in advance to cover external costs if you have selected to receive Third Party Services and it is likely you will consume a large volume of those checks.

7. Suspension and Termination

7.1. The term of this Agreement is for one year from the date this Agreement is entered into. This Agreement automatically rolls over for successive 12 month periods unless either party gives at least 30 days’ prior written notice to the other party before the next renewal date.

Rights to suspend

7.2. Yoti reserves the right to suspend for an indefinite period:

a. your use of Age Verification or the receipt of Attributes if access to any other Yoti product associated with you is suspended or terminated for whatever reason;

b. your use of Age Verification or the receipt of Attributes if you fail to make any payment due to Yoti by the due date for payment. Yoti reserves the right to request advance payment from you after payment is made before your access to Age Verification is resumed;

c. your use of Age Verification or the receipt of Attributes if Yoti discovers or suspects that your terms of use or privacy policy are unlawful or do not provide adequate protection to Users, or if you have breached your own terms of use or privacy policy with respect to Users or if you are being investigated, or are awaiting investigation, by the Information Commissioner’s Office or any other regulatory or governmental body in any jurisdiction;

d. your use of Age Verification or the receipt of Attributes if Yoti suspects that you have committed a material breach of any term of this Agreement whilst it investigates that suspected breach;

e. your use of Age Verification or receipt of Attributes if you do not respond in a timely manner to a query from us or one of your Users concerning your use of Age Verification or Attributes received from Users;

f. your use of Age Estimation (i) if you do not set a suitable age buffer for the age threshold (in the reasonable opinion of Yoti) or (ii) to protect itself from reputational harms or legal claims likely to occur (in Yoti’s reasonable opinion) from your use of Age Estimation; and

g. your use of Age Verification or use of Attributes for any other reason whatsoever if Yoti believes, in its absolute discretion, that there is reasonable cause to do so.

Rights to terminate this Agreement

7.3. Either party may terminate this Agreement with immediate effect on written notice to the other party if the other party commits a material breach of this Agreement that is not remediable. Either party may terminate this Agreement with immediate effect on written notice to the other party if the other party commits a remediable material breach and that breach is not remedied within 30 days of written notice to do so.

7.4. Yoti may terminate this Agreement with immediate effect if:

a. you breach or exceed the conditions of use of this Agreement;

b. where you are a sole trader, you breach our Consumer Terms and Conditions. We may also terminate with immediate effect if a director or senior person at your Organisation breaches our Consumer Terms and Conditions;

c. you suffer or incur any form of insolvency or enter into an arrangement with your creditors;

d. you fail to pay any amount due under this Agreement on the due date for payment;

e. you have provided incomplete or inaccurate information to Yoti during the account set-up process or fail to maintain such information on a timely basis;

f. a territory you operate in introduces a data localisation requirement that affects the Attributes we store or where we must store them or introduces any law that could require Yoti to build a ‘back door’ to any data Yoti stores or processes. Alternatively, Yoti may elect on notice to you to restrict your use of Age Verification by territory rather than terminate the Agreement;

g. you are or become a competitor of Yoti or Age Verification, or that you control any person or organisation which is a competitor of Yoti or Age Verification. Yoti shall determine if you are a competitor in its sole discretion; or

h. Yoti believes, in its absolute discretion, that your continued use of our product is causing harm to Users, our product to others or our reputation or goodwill.

7.5. Termination of the Agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination.

7.6. Any provision of this Agreement that is intended to come into or continue in force on or after termination of the Agreement shall remain in full force and effect notwithstanding termination.

8. Consequences of termination

8.1. If this Agreement is terminated by either party for any reason:

a. all rights granted to you under this Agreement shall cease;

b. you shall stop using Age Verification and the Software;

c. you shall pay all outstanding amounts due by you to Yoti (with interest, if applicable), whether or not Yoti has submitted invoices relating to those amounts to you. The invoices shall be payable by you immediately on receipt; and

d. you shall permanently delete, destroy or return to Yoti (at Yoti’s election) all copies of the Software and Documentation in your possession or control and on request shall promptly provide a signed declaration from a director that this paragraph has been complied with.

9. Licence and publicity

9.1. You acknowledge that all Intellectual Property Rights in or arising out of or in connection with Age Verification, the Attributes and the Documentation is owned by Yoti, and you do not have any rights in or to Age Verification, the Attributes or the Documentation, other than the limited licence granted to you under this Agreement.

9.2. You must not do and must procure that no person on your behalf does anything which could infringe the Intellectual Property Rights of Yoti including any of the Intellectual Property Rights arising from or in connection with Age Verification and/or the Documentation or otherwise pursuant to the terms of this Agreement. Any and all rights not expressly granted to you under this Agreement shall be reserved to Yoti.

9.3. You must not do and must procure that no person on your behalf does anything which could infringe the Intellectual Property Rights of any third party arising from or in connection with your use of Age Verification.

9.4. By entering into this Agreement, you agree that Yoti may use your trading name, and official logo(s) on our website and marketing materials about your use, or intended use, of Yoti Age Verification. We will ask your consent for uses beyond this.

9.5. Whenever you mention your age verification publicly you must state that you use the ‘Age Verification provided by Yoti’. Any statistics or metrics you state relating to Age Verification must be agreed by Yoti in advance and the basis of its calculation must be shared with Yoti.

9.6. You may not post a link to www.yoti.com on your website, social media channels, online materials or advertisements without the prior consent of Yoti (by email is fine), which Yoti may withhold in its absolute discretion.

9.7. Yoti warrants to you that your use and access of Age Verification shall not infringe the Intellectual Property Rights of any third party, provided your use of Age Verification is strictly in accordance with this Agreement. If the use of any Intellectual Property Rights comprised in Age Verification are determined by a court of competent jurisdiction to infringe the Intellectual Property Rights of any third party, Yoti’s sole liability to you will be to do any of the following at Yoti’s discretion: (a) securing a licence or other right to continue use of the relevant third party intellectual property right as part of Age Verification; (b) replacing the relevant part of Age Verification; and (c) suspending or terminating provision of the relevant part (or, if necessary, the whole) of Age Verification.

10. Liability

Accuracy of Attributes

10.1. Yoti will use its reasonable skill and care in verifying or authenticating (including when using the Products in which Attributes are estimated, like Age Estimation) Attributes of Users, but will have no liability to you, and hereby disclaims to the fullest extent possible under applicable laws all implied representations, warranties, conditions and terms in respect of the accuracy of any Attributes, whether verified by Yoti or not; all Attributes are acquired and used by you at your own risk.

10.2. Yoti gives no representation, warranty or undertaking in respect of the suitability of the Attributes for any purpose whatsoever, including any decisions made or processes (whether automated or otherwise) used by you to enter into, progress, suspend, terminate, reduce or end any agreement, arrangement, relationship, licence or transaction, or to provide any product, service, membership, access or other facility to any person whatsoever, all of which you undertake at your sole risk. Age Verification may be used globally and in many sectors but we do not warrant that Age Verification will be compliant with, or make you compliant with, laws or regulations which may be applicable to you.

Availability and functionality of Age Verification

10.3. Yoti will use all commercially reasonable endeavours to ensure that Age Verification is generally accessible and usable by Clients and Users. However, Yoti gives no guarantee as to the availability of Age Verification, or any component of Age Verification, or in relation to the capacity, latency, responsiveness, accuracy or proper operation of Age Verification. If Yoti becomes aware of any defect affecting the operation of Age Verification, we will take reasonable steps to restore the proper operation of Age Verification in all material respects as soon as reasonably practicable and within Yoti’s available resources, but Yoti gives no guarantees in relation to response times, fix times or otherwise.

10.4. Yoti monitors onboarding experience and wait times by country and document type. For Digital ID, if there is a high number of Users within a certain group (eg document type from a specific country) creating a Yoti app account for your service and you are either (i) not accepting those Users onto your service or (ii) not targeting those Users specifically, then Yoti reserves the right to withdraw support for that group in order to protect other Users’ experience with the Yoti app. If there are a large number of Users using a certain document type that Yoti cannot automate data extraction, and this risk was not agreed with Yoti in advance, then Yoti reserves the right to take mitigating action including deprioritising the checks, withdrawing support for that document and/or (on notice to you) increasing the Transaction Charges payable by you for those Users.

11. General Liability

11.1. Except as expressly stated in this Agreement, Yoti provides Age Verification “as is” and all representations, warranties, undertakings, conditions and other terms which might otherwise be implied into this Agreement are hereby excluded to the fullest extent permitted by law. Yoti gives no representation, warranty or undertaking in respect of Age Verification in connection with this Agreement except as expressly set out in this Agreement.

11.2. Nothing in this Agreement limits or excludes the liability of either party for: (a) death or personal injury resulting from its negligence; (b) fraud or fraudulent misrepresentations; (c) any loss that may not be limited or excluded under applicable law; (d) any fee due; or (e) under an indemnity given in this Agreement.

11.3. Subject to clause 11.2, Yoti shall not be liable to you, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with this Agreement for any:

a. loss of profits;

b. loss of sales or business;

c. loss of agreements or contracts;

d. loss of anticipated savings;

e. cost of introducing a replacement service;

f. loss of use or corruption of software, data or information;

g. losses arising from enforcement action by regulators, including any fines;

h. loss or damage to goodwill; and

i. any indirect, consequential or incidental loss.

11.4. Subject to clause 11.2, the maximum aggregate liability of Yoti to you, any of your Affiliates or your Users, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise shall be capped at the higher of: (i) a sum equal to 125% of the fees you have actually paid to us in the prior 12 months to the breach; and (ii) £1,000.

11.5. The parties both agree that the above limitations and exclusions of liability reflect the commercially agreed allocation of risk between the parties for Age Verification, taking into account the fees, and that the above limitations and exclusions of liability are reasonable and proportionate.

11.6. You indemnify on demand Yoti, our directors, our employees and our contracting parties against any and all losses, liabilities, costs (including professional costs), expenses, damages, interest and other sums suffered or incurred by or on behalf of Yoti arising directly or indirectly from any breach of this Agreement by you.

11.7. Each party acknowledges and takes full responsibility for any activities it carries out in relation to where liability falls on it under this Agreement.

12. Force majeure

Yoti shall not be in breach of the Agreement nor liable for any delay in performing, or failure to perform, any of its obligations under the Agreement where such delay or failure results from events, circumstances or causes beyond its reasonable control including but not limited to failure of the internet, power outages, failure of third party networks, failure of AWS or Azure, industrial actions (but not industry action affecting Yoti staff), war, pandemics, civil unrest and terrorist activity. Yoti may take mitigating measures to reduce the impact of a force majeure event.

13. Confidentiality

13.1. Each party shall, for the duration of this Agreement and thereafter, keep confidential all information of a confidential nature (including pricing, trade secrets and information of commercial value) which may become known to such party and which relates to or is owned by the other party or any of its Affiliates. Neither party shall use the other party’s confidential information for its own purposes (other than implementation of this Agreement) nor, without the prior written consent of the other, disclose it to any third party (except its professional advisors or as may be required by any law or any legal or regulatory authority). The foregoing obligations shall not apply (or shall cease to apply) if that information: (a) is public knowledge or already known to such party at the time of disclosure; or (b) subsequently becomes public knowledge other than by breach of this Agreement; or (c) subsequently comes lawfully into the possession of such party from a third party. Each party shall use its reasonable endeavours to prevent the unauthorised disclosure of any confidential information.

13.2. No party shall make, or permit any person to make, any public announcement concerning this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), except as otherwise permitted in this Agreement or as required by a binding order from any governmental or regulatory authority which has the authority to force disclosure, any court or other authority of competent jurisdiction, providing that the disclosing party is given a reasonable time to dispute the order if possible.

14. General

14.1. Audit: the security of the Yoti operations and technical systems are audited to both ISO 27001 and SOC 2 standards each year. The Age product is also audited to the requirements of the United Kingdom PAS 1296 (online age verification). Please contact us if you wish to review our SOC 2 and PAS 1296 report.

14.2. Waiver: No failure or delay by a party to exercise in whole or part any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy.

14.3. Entire agreement: This Agreement contains the entire agreement between the parties relating to the use of Age Verification by you when this Agreement was accepted by you to the exclusion of any other agreement or arrangement. Neither party has relied on any prior agreement, document or representation (including innocent and negligent misrepresentations) in entering into this Agreement. Nothing in this clause shall operate to exclude or limit a party’s liability for fraud or fraudulent misrepresentation.

14.4. Conflict of terms: If there is any conflict between an Order Form or Statement of Work and this Agreement, the terms of the Order Form or Statement of Work shall prevail.

14.5. Severance: If any term of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this section shall not affect the validity and enforceability of the rest of the Agreement.

14.6. Third parties: Except for Yoti’s Affiliates, which may enforce the terms of this Agreement, a person who is not a party to the Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce any term of the Agreement.

14.7. Notices: Any notice or other communication given to a party under or in connection with the Agreement shall be in writing by email which for you shall be to the email address you used to create your account on the Hub and for us shall be the email address provided below in clause 15.1, which shall be deemed to have been received immediately after transmission provided that no automatically generated email communicating an out of office response or failed delivery is received by the sender.

14.8. References in this Agreement: If we refer to a statute or statutory provision, this reference includes amendments or re-enactments of that legislation, and any subordinate legislation. Any phrase introduced by the terms including, include, or in particular, or any similar expression, are illustrative and do not limit the words preceding those terms.

14.9. Subcontracting and Assignment: Yoti may subcontract or assign any of its rights and obligations in this Agreement to its Affiliates, provided that the Yoti entity you are contracting with remains directly responsible to you. Please note that all services carried out in respect of data subjects located anywhere in the United States of America are carried out by Yoti USA, Inc. using technology licensed from Yoti Limited.

15. Contracting Party, Governing Law, Notices and Jurisdiction

15.1. Who you are contracting with, the address to which you should send notices, which law applies in the event of a dispute and which courts have jurisdiction depend on where you are domiciled.

15.2. If you are domiciled in the Republic of India then:

15.2.1. you are contracting with Yoti Biometric Identity Private Limited whose CIN is U74999DL2016FTC306577 and whose registered address is 183 Ground floor Gayatri Tech Park EPIP Near iGate Whitefield Road KIADB Industrial Bangalore-66. You can contact us by writing to us at: organisations@yoti.com or at our registered address;

15.2.2. this Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of India; and

15.2.3. the courts of India shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or your use of the Yoti Platform.

15.3. If you are domiciled in the USA or Canada then:

15.3.1. you are contracting with Yoti USA Inc, a company registered in California whose company registration number is C4047096 and whose registered office is at 345 Grove Street, Second Floor, San Francisco, CA94102. You can contact us by writing to us at: organisations@yoti.com or at our United Kingdom registered office address;

15.3.2. this Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of England; and

15.3.3. if we are bringing court action against you then the courts of California shall have non-exclusive jurisdiction and if you are bringing court action against us then the courts of England and Wales shall have exclusive jurisdiction, in each case to settle any dispute or claim that arises out of or in connection with this Agreement or your use of the Yoti Platform.

15.4. If you are domiciled in Australia or New Zealand then:

15.4.1. you are contracting with Yoti Australia Pty Ltd, a company registered in Victoria whose company registration number is (ABN 49 634 795 841) with registered offices at The Hub Southern Cross, L2 696 Bourke Street, Melbourne, 3000, Victoria Australia. You can contact us by writing to us at: organisations@yoti.com or at the above address;

15.4.2. this Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of Victoria; and

15.4.3. the courts of Victoria shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or your use of the Yoti Platform.

15.5. If you are domiciled anywhere outside of the Republic of India, USA, Canada, Australia and New Zealand then:

15.5.1. you are contracting with Yoti Limited, a company registered in England and Wales whose company registration number is 08998951 and whose registered office is at 6th Floor, 107 Leadenhall St, London, EC3A 4AF, United Kingdom. Our registered VAT number is 199947617. You can contact us by writing to us at: organisations@yoti.com or at our United Kingdom registered office address;

15.5.2. this Agreement, and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by, and construed in accordance with the laws of England; and

15.5.3. if we are bringing court action against you then the courts of England and Wales shall have non-exclusive jurisdiction and if you are bringing court action against us then the courts of England and Wales shall have exclusive jurisdiction, in each case to settle any dispute or claim that arises out of or in connection with this Agreement or your use of the Yoti Platform.

Schedule 1 to the Terms - Definitions

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to this Agreement from time to time.

Adequate Country means a country or territory recognised in accordance with relevant data protection regimes as ensuring adequate protection under EU GDPR, UK GDPR, Data Protection Act 2018 or Switzerland, for personal data processed subject to those discrete laws.

Age Estimation means the age estimation product powered by Yoti which may involve a liveness test. Please see Yoti’s white paper for more information: https://www.yoti.com/blog/yoti-age-estimation-white-paper/.

Age Verification means the online cloud solution that requires Users to prove their age to Yoti and then shares Attributes with you which you can then read.

Attribute means an age assurance status relating to a User and includes age, age+ and all connected metadata.

Client Application means any site, microsite, app, iframe or other online platform that the Client wishes to use Age Verification.

Client Personal Data means the Personal Data of (i) your individual Users; and/or (ii) your employees.

Data Controller, Data Processor and Personal Data have the meaning in the Privacy Laws.

Digital ID means the age verification solution where a User uses the Yoti app, integrated into Age Verification.

Documentation means any document and guidance (whether in electronic or hard copy) issued by or on behalf of Yoti to assist you in using Age Verification.

Eligible Charity means a charity (generally registered in its local jurisdiction) which Yoti determines in its discretion qualifies as an Eligible Charity. We will confirm within 30 days of registration. Please see our FAQs on our website which sets out our non-binding criteria.

EU Data Protection Laws means data protection laws applicable in the European Union, including but not limited to: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); and (iii) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.

Fees means the fees payable for bespoke services such as the one off set up fee, integration support, colour theming of Age Verification, due diligence support and translation services.

IDV means Yoti’s one time identity verification solution, integrated into Age Verification.

Intellectual Property Rights means patents, rights to inventions, copyright, trademarks, logos and service marks, business names and domain names, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and any other intellectual property rights, in each case whether registered or unregistered and including all applications, renewals or extensions and all similar or equivalent rights which subsist or will subsist in the future in any part of the world.

Order Form means the written order form or equivalent document under which an order for the use of one or more services for Age Verification has been made by you and agreed to by Yoti.

Organisation means anyone (which may include you) operating as a business.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise Processed by Yoti and/or our Sub-Processors in connection with the Agreement.

Privacy Laws means the UK General Data Protection Regulation 2016, the Data Protection Act 2018 and other applicable and equivalent local data protection laws including EU Data Protection Laws and UK Data Protection Laws.

Session means the process of Age Verification, regardless of which age verification method(s) it contains, that is initiated for the purpose of producing an Attribute for a single User under a single Session ID.

Software means all software and code made available by us to you in accordance with this Agreement, including any APIs or SDKs used for integration with Age Verification.

Statement of Work means a written document under which a request for Yoti to carry out additional work for you outside of our standard use of age services for Age Verification that has been agreed to by Yoti.

Third Party Services means the products or services of third parties which Yoti may make available to you via Age Verification from time to time such as, for example only, database checks, Mobile Phone Number checks , Social Security Number checks or email age estimation.

Transaction means the carrying out by Yoti of a single age verification process for age assurance purposes.

Transaction Charges means the charges payable by you in respect of Transactions.

UK Data Protection Laws means data protection laws applicable in the United Kingdom including but not limited to (i) the GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (ii) the Data Protection Act 2018; and (iii) the Privacy and Electronic Communications Regulations (“PECR”); in each case, as may be amended, superseded or replaced.

User means an individual who wishes to prove their age to access your services.

Year means a period of 12 months from the date the Client accepts this Agreement.

Schedule 2 - Data Processing Agreement

1. Introduction

This Data Processing Agreement (“DPA”) reflects the parties agreement with respect to the processing of Personal Data in connection with the Agreement.
This DPA applies when your Personal Data is being processed by Yoti as Data Processor on behalf of you as Data Controller.
This DPA supplements and forms an integral part of the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

2. Your Responsibilities

Compliance with laws: You are responsible for complying with all requirements that apply to you as Data Controller, Service Provider or otherwise under Privacy Laws with respect to the processing of Client Personal Data. In particular you are responsible for ensuring, in respect of Client Personal Data stored, handled or otherwise processed by Yoti, that it
1. establishes lawful bases or grounds necessary for processing and or transferring of Client Personal Data;
2. obtains any necessary permissions or consents from individuals;
3. complies with any and all transparency and notification requirements with respect to individuals;
4. conducts any necessary impact or risk assessments; and
5. provides Yoti with lawful instructions for processing of Client Personal Data.
Instructions: The parties agree that the Agreement and this DPA constitute your instructions for the processing of Client Personal Data. Any additional or subsequent instructions must be made in writing and agreed between the parties.

3. Yoti Obligations as Processor

Compliance with laws: Yoti shall comply with all the relevant requirements of the Privacy Laws.
Instructions: Yoti shall process the Client Personal Data only to the extent necessary to perform its obligations under the Agreement and in accordance with documented instructions from you. Yoti will inform you if, in Yoti’s reasonable opinion, your instructions in relation to Client Personal Data do not comply with the Privacy Laws.
Confidentiality: Yoti shall maintain the confidentiality of the Client Personal Data including ensuring that any person accessing any Client Personal Data on Yoti’s behalf is informed of the confidential nature and is subject to appropriate confidentiality obligations.
Security: Yoti shall implement all technical and organisational security measures set out in Yoti’s ISO 27001, 27701 certifications and annually certified SOC 2 Type II report, which includes, but is not limited to:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
4. limiting access to production environments to staff whose role requires access to production, which excludes developers;
5. requiring approval for changes to the production environment from a senior member of staff except in the case of an emergency change, such as a change to stop an ongoing breach or data loss;
6. requiring peer reviews of programmatic changes before release; and
7. annual penetration testing of our platform and network infrastructure.
Personal Data Breach: Yoti will notify you via your designated email address without undue delay and in any event not later than 72 hours after becoming aware of a Personal Data Breach involving Client Personal Data.
Audits: Yoti shall make available to you all information necessary to demonstrate compliance with your obligations under Privacy Laws and allow for and contribute to audits. You agree that you will exercise audit rights under this Agreement by requesting SOC 2 and PAS 1296 report, which Yoti will provide, subject to appropriate confidentiality obligations and measures, in order for you to verify Yoti’s compliance with Privacy Laws. Further Yoti will, on your written request, provide responses to all reasonable requests for information to confirm Yoti’s compliance with Privacy Laws, provided that you will not exercise this right more than once per calendar year, unless you have reasonable grounds to suspect non-compliance.
Data Subject Rights: Yoti shall assist you, taking into account the nature of the processing and insofar as possible, with your obligation to respond to data subject’s rights requests relating to processing undertaken on behalf of you.
Deletion or Return of Client Personal Data: Yoti shall delete or return all Client Personal Data in Yoti’s possession or control upon termination of the Agreement, except where Yoti are otherwise required by applicable law to retain such Client Personal Data.
Assistance: Yoti shall provide reasonable assistance to you, taking into account the nature of the processing and information available to Yoti, with data protection impact assessments; and prior consultations.
Transfers: Yoti will only transfer Client Personal Data in compliance with Applicable Data Protection Law. You specifically authorise Yoti to conduct the transfers outlined in the Details of Processing.

4. Sub-Processors

Acknowledgement and authorisation of Supplier Controllership: You acknowledge and agree that, notwithstanding other provisions of this DPA, a Yoti supplier may independently act as a controller of Client Personal Data for their own purposes (“Supplier Controller”) and that the supplier is responsible for complying with applicable law in relation to that processing. Supplier Controllers are identified in the Details of Processing in clause 6 of this DPA.
Engagement of Sub-Processors: Yoti will only engage a Sub-Processor to process the Client Personal Data where that Sub-Processor provides sufficient guarantees with regards to implementing appropriate technical and organisational measures in such a manner as to comply with Privacy Laws.
Specific Authorisation for Sub-Processors: You authorise Yoti to engage Sub-Processors to process Client Personal Data for the purposes of performing Yoti’s obligations under the Agreement. You specifically authorise Yoti to use the Sub-Processors in the Details of Processing in clause 6.
Notification of new Sub-Processors: Yoti will notify you via your designated email address of any proposed changes concerning the addition or replacement of Sub-Processors. You may object to the proposed change within thirty (30) days of such notification on reasonable grounds and where you can demonstrate the proposed Sub-Processors will not be able to process Personal Data in accordance with Privacy Laws. Where you object you agree to discuss your concerns with Yoti in order to find a reasonable solution. Where no such solution can be reached Yoti will, at its sole discretion, either:
1. appoint a new Sub-Processor; or
2. allow you to terminate the Agreement without liability to either party (but without prejudice to any fees incurred prior to such termination).

5. Transfers

Transfers subject to EU Data Protection Laws: To the extent that the provision of services necessarily involves a Restricted Transfer to you (for example where you have an address that is not in an Adequate Country), the EU SCCs (Module 4 Processor-Controller with Yoti as exporter) are hereby incorporated by reference into this DPA and will be deemed to have been executed by the parties with the following clarifications
1. Clause 7 (docking clause): clause is not included.
2. Clause 11 (redress): optional paragraph is removed.
3. Clause 17 (governing law): Ireland is selected.
4. Clause 18 (choice of forum): Ireland is selected.
5. Part A, Annex I (List of the Parties): as populated in the Agreement.
6. Part B, Annex I (Description of Transfer): as populated in the DPA.
7. Part C, Annex I (Competent Supervisory Authority): to be identified in accordance with Clause 13.
8. Annex II and Annex III: not applicable to Module 4 of SCCs.
Transfers subject to UK Data Protection Laws: To the extent that the provision of service requires a Restricted Transfer to you (for example where you have an address that is not in an Adequate Country) the EU SCCs and UK Addendum (Yoti as exporter) are hereby incorporated by reference into this DPA and will be deemed to have been executed by the Parties in accordance with clause 5(a) and with the following clarifications:
1. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information in the Agreement and in this DPA; and
2. Any conflict between the EU SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum.
Transfers subject to Swiss Law: Where the Swiss Federal Act on Data Protection of June 1992, as amended or replaced (“Swiss FADP”), applies the EU SCCs in Annex 1 will apply as follows
1. the Swiss Data Protection and Information commissioner is the exclusive supervisory authority;
2. the term “Member State” must not be interpreted in such a way as to exclude data subjects of Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EU SCCs; and
3. references to the GDPR in the EU SCCs shall also include reference to the equivalent provisions of the Swiss FADP.
Onward Transfers: Onward transfers of Client Personal Data from Yoti to its Sub-Processors are as outlined in the Details of Processing.

6. Details of Processing

The details relating to processing, purposes, scope and duration of processing as well as the categories of Client Personal Data processed in connection with the Agreement are set out below:

a. Processing Instructions: You instruct Yoti to assist in performing age verification on Users in accordance with the Agreement.

b. Categories of Data Subjects: Users or other individuals.

c. Types of Personal Data¹:

Category	Personal Data Type(s)	Purpose(s) of Processing
Digital ID (DID)
DID age attribute	Age over/under as derived from DoB in the ID Document on DID	To calculate whether a User is of the requisite age
Facial Age Estimation
Facial Age Estimation	Facial image/selfie	To estimate the age of the User and check the User is a real personal (optional liveness detection)
Identity Document Verification (IDV) Check
ID Document	Photo of ID Document + extracted DoB	To check whether it is a genuine document, to extract the DoB and optional face match with the selfie for extra verification
Credit Card Check
Credit Card details	Credit card number (last 4 digits only), expiry date, CVC, postcode	To send the data to a payment service provider and confirm the User has a credit card and use that to infer the User is over the age as set by you
Mobile Provider Check
Mobile Phone Number	Mobile phone number and (optional) name, date of birth, address (bill payer details)	To send to third-party providers who subsequently confirm via the mobile network operators or other records that the details provided by the User match details of the mobile account or to check associated identity details. This match is used to make an assumption about the User’s age
Time Based One Time Password (TOTP)	Time based one time password, mobile phone number	To confirm that the mobile number/phone is in the User’s possession at the time of the check
Database Check
Database checks	Postal address, name, date of birth, and social security number	To determine whether the details match the relevant database
E-ID Check
Swedish Bank ID data	Date of Birth, Name, national ID number	To check whether the details match to the relevant E-ID
Danish MitID data	Date of Birth, Name, national ID number
Finnish Trust Network Data	Date of Birth, Name, national ID number
Polish MojeID data; Polish eDO app data; Czech BankID data; Czech MojeID data	Name, Date of Birth, Address
LA Wallet data	Age range based on individuals Date of Birth from their state identity document
Email Address Check
Email address check	Email address and country code²	To check whether the details are associated with a person over 18
Reusable Age Checks
Age Account	Age Token, username and password	To allow Users to store their Age Tokens in an Age Account and re-use age checks on another browser or device (only available if requested and enabled by you)
Age Token	A type of cookie that is stored in an Individual’s browser and contains results of the age check plus information on how and when it was performed	To allow you and Users to re-use the result of an age check they previously performed (optional feature)
Results of Age Checks
Results	Age in years / age over under and any connected metadata	To provide and store on your behalf

¹ Not all Personal Data will be processed – the precise Personal Data will depend on the type(s) of check selected as well as configuration.

² Note that this involves checking the email address against third party databases and returning whether that email address is found in various marketing segments that indicate the User is over the age of 18.

d. Sensitive Personal Data

e. Subject Matter and Duration of Processing: Yoti will process Client Personal Data for age verification services as described in the Agreement, for the duration of the Agreement.

f. Nature and Purpose of Processing: Yoti will process Client Personal Data in order to provide AVS, as configured by the Client, to the Client.

g. Retention of Client Personal Data³:

Data Type	Retention
Digital ID (DID)
App age attribute	Deleted as soon as check is complete
Facial image/selfie	Deleted as soon as check is complete
Facial Age Estimation
Facial image/selfie	Deleted as soon as check is complete
Identity Document Verification (IDV) Check
ID Document	Deleted as soon as check is complete (excluding optional manual fallback reviews where ID Document image is kept for 28 days then deleted)
Facial image/selfie	Deleted as soon as check is complete (excluding optional manual fallback reviews where the facial image/selfie is kept for 28 days and then deleted)
Credit Card Check
Credit Card details	Deleted as soon as check is complete
Mobile Provider Check
Phone Number	Deleted as soon as check is complete
TOTP	Deleted as soon as check is complete
E-ID Check
Swedish Bank ID data	Deleted as soon as check is complete
Danish MitID data
Finnish Trust Network Data
Polish MojeID data; Polish eDO app data; Czech BankID data; Czech MojeID data
Database Check
Postal address, name, date of birth, and social security number	Deleted as soon as check is complete
Email Address Check
Email Address	Deleted as soon as check is complete
Reusable Age Checks
Age Token	30 days or until User deletes from browser cache (note anonymous record of check is retained even if User deletes their Age Token)
Age Account	Indefinitely or until User requests deletion
Results of Age Checks
Age in years / age over under and information about checks performed Liveness/face match results	Stored in accordance with your set retention

³ Note that Supplier Controllers may retain the data for longer – see Sub-Processors.

h. Storage Location

Data Type	Storage Location
Personal Data used to conduct checks	Checks are processed on Yoti servers in Yoti Tier 2 data centre(s) within the UK or in a UK-region AWS S3 bucket (or Montreal region for Canadian Clients only)⁴
Results of checks	Encrypted records are stored either on premise in Yoti Tier 2 data centre(s), within the UK, or in a UK-region AWS S3 bucket (or Montreal region for Canadian Clients only)

⁴ See also List of Sub-Processors for additional processing locations

i. Sub-Processors⁵

Name	Purpose of processing	Corporate Entity Location	Location of processing	Transfer Mechanism (if applicable)
Identity Document Verification (IDV) Check
Yoti India	To conduct manual fallback checks for document authentication and face match (optional)	India	India	SCCs + UK Addendum
FRS Labs⁶	To conduct Indian document authentication	India	India	N/A
Database Check
Experian	To check data against existing record in database to determine if there is a match	UK	Global	Adequacy, SCCs
Aristotle	To check data against existing record in database to determine if there is a match	UK	Global	Adequacy, SCCs
Veratad	To check data against existing record in database to determine if there is a match	US	US	SCCs, Data Privacy Framework
E-ID Check
Signicat AB	To authenticate individuals via National Digital IDs	EU	EEA	N/A (within EEA)
Credit Card Check
Stripe	To confirm individual has a credit card	Ireland	US	SCCs
Mobile Phone Check
Telesign	To confirm data provided by individual matches details from mobile network operators or other records	US	US	SCCs
TMT Verify⁷	To confirm data provided by individual matches details from mobile network operators or other records	UK	UK/EEA	Adequacy
Esendex	To provide OTP SMS verification	UK	UK/EU	Adequacy
Twilio⁸	To provide OTP SMS verification	US	US	SCCs (UK Addendum)
Email Address Check
Versium⁹	To check email address data against third party supplier database to determine if there is a match	US	US	SCCs (UK Addendum)
Storage (all checks)
Amazon Web Services EMEA SARL	To process and/or store data and results of checks (as applicable)	Luxembourg	Germany/UK	N/A (within EEA/UK)

⁵ Not all Sub-Processors listed will necessarily be used – the precise Sub-Processors will depend on the types of check you select as well as configuration i.e. selection of manual fallback reviews.

⁶ FRS Labs is a Sub-Processor of Yoti India

⁷ Supplier Controller: TMT acts as an independent controller of the mobile phone number – they also retain the phone number encrypted following the check as a billing record.

⁸ Supplier Controller: Twilio acts as an independent controller of the mobile phone number for OTP.

⁹ Versium retains the email address for 2 years as a record of the check. Versium is only used in the US for US users. Versium is a processor of Yoti USA Inc and Sub-Processor of Yoti Ltd.

Schedule 3 - Supplemental Terms for the Use of Experian Services

Definitions – in this Schedule 3 the following defined terms have the following meanings:

Derivative Output means information, data and materials that are derived, prepared or generated by Experian and/or its sub-contractors within Experian’s environment pursuant to (and/or as a consequence of) the Experian Services, including search footprints but excluding the Yoti’s Intellectual Property Rights.

Experian means Experian Limited, a company registered in England and Wales.

Experian Data means any of the data and/or databases and/or scores supplied by Experian to Yoti in connection with the Experian Services.

Experian Documentation means any or all of the following items belonging to Experian: specification, user documentation, marketing materials, product documentation, technical documentation including guidelines relating to data security and access and/or statements of functionality.

Experian Materials means any of the items developed and/or licensed by Experian to Yoti in connection with this Agreement and includes software, trade marks and Experian Documentation and Experian Data; and

Experian Services means the database checks for proof of age performed by Experian.

If the Client’s configuration of Age Verification requires that Yoti make available to the Client the Experian Services, then the Supplemental Terms in the table below shall apply to the Client’s use of Age Verification:

Nature of the Experian Services

1. Nature of the Experian Services

1.1. The Experian Services are not intended to be used as the sole basis for any business decision, and are based upon data which is provided by third parties, the accuracy and/or completeness of which it would not be possible and/or economically viable for Experian to guarantee. The Experian Services also involve models and techniques based on statistical analysis, probability and predictive behaviour. Experian is therefore not able to accept any liability, other than that it will use its reasonable skill and care in performing the Experian Services, for:

1.1.1. any inaccuracy, incompleteness or other error in the Experian Data which arises as a result of data provided to Experian by Yoti, the Client or any third party;

1.1.2. any failure of the Experian Services to achieve any particular result for the Client.

Licence and Use

2. Licence and Use

2.1. Yoti grants the Client a non-exclusive licence to use any Experian Materials provided to the Client as part of the Client’s use of the Experian Services. The licence granted under this clause is made separately in respect of each individual element of the Experian Materials and commences on the day that each such element of Experian Materials is first made available to the Client.

2.2. The Licence granted under clause 2.1 will automatically expire on termination of this Agreement for any reason, except if Experian terminates its licence with Yoti, upon which time this licence will terminate immediately.

2.3. The Client agrees that it will:

2.3.1. use the Experian Services and Experian Materials for the purpose of using Age Verification only and in accordance with any Documentation;

2.3.2. except as expressly permitted in clause 2.1, not sell, transfer, sub-license, distribute, commercially exploit or otherwise make available to, or use for the benefit of, any third party any of the Experian Services or Experian Materials;

2.3.3 not (and will not allow the User or any third party to) adapt, alter, modify, reverse engineer, de compile or otherwise interfere with the Experian Materials without the prior written consent of Experian or as otherwise permitted by law;

2.4. only take such copies of the Experian Materials as are reasonably required for the use of the Experian Materials in accordance with this Agreement.

Intellectual Property Rights

3. Intellectual Property Rights

3.1. All Intellectual Property Rights in the Experian Services, Experian Materials and the Derivative Output will remain vested in Experian (or its relevant licensors) and to the extent that any rights in such materials and data vest in the Client by operation of law, the Client hereby assigns such rights to Experian.