US MOBILE CARRIER CHECK (Item Check 0340) | ID NUMBER 200028

• Supplier hosts the Supplier Data
• Supplier is a Sub-processor of Client Information
• Client Information includes Personal Data
• The Sub-processor is based in United States
• The Sub-processor is located outside of the EEA
• Where GDPR applies to the End User, the End User must rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR.

The Supplier Data that GBG uses to provide US Mobile Carrier Check is supplied by GBG’s Data Supplier. GBG is obliged under the terms of its agreement with its Data Supplier to ensure that all End Users agree to comply with the following provisions:


1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms:
“Permitted Purpose” means use of the Supplier Data solely for its own internal purposes and only for the purpose of validating a customer’s identity for the purposes of fraud avoidance, identity verification, transaction authentication, or account origination in connection with commercial transactions undertaken by the customer with the End User.

2. USE OF THE SUPPLIER DATA
2.1. The Supplier Data may only be used for the Permitted Purpose in accordance with these terms.
2.2. The End User warrants that it will not use the Supplier Data for any reason outside of the Permitted Purpose, and shall not resell, distribute, sublicense, or transfer the Supplier Data to any third party.
2.3. The End User will immediately notify GBG of, and be fully responsible for, any unauthorised collection, storage, disclosure, use of and access to the Supplier Data or sensitive information.
2.4. The Supplier Data will be provided only with respect to those mobile carriers and data sources that have authorised the use of such data in connection with the provision of Service, and then only to the extent and for the period that such service or data is available or provided by such mobile carriers and data sources.
2.5. No authorisation is given to the End User and no right is conferred to the End User to use the Supplier Data or any data or information provided by the Data Supplier for any use in creating a consumer report or for use by a consumer reporting agency for the purpose of creating a consumer report as those terms are defined under 15 USC § 1681a et seq.
2.6. The End User will comply with all data security, marketing and consumer protection laws that apply to the collection, access, disclosure, and use of Personal Data and will not cause the Data Supplier or any mobile carrier to be in violation of any such applicable laws. Additionally, the End User will comply with:
(a) applicable industry standards and practices; and
(b) any reasonable and customary privacy-related policies or guidelines within thirty (30) calendar days of receipt of such policies or guidelines from the Data Supplier. If the End User conducts any direct marketing, it may not rely on any exception to any law governing direct marketing (e.g. the established-business-relationship rule) without first getting the written approval of the Data Supplier.

3. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS
3.1. The Supplier Data used to provide this element of the Service is hosted by the Data Supplier. In order to perform the Services, the Data Supplier shall act as Sub-processor of Client Information (including any Personal Data supplied) for the sole purpose of delivering this element of the Service. The End User authorises GBG to appoint the Data Supplier as Sub-Processor for the purposes specified in this clause 3.1.
3.2. The Data Supplier is based in the United States, which is located outside of the EEA. Where GDPR applies to the End User, the End User acknowledges that prior to submitting Client Information to GBG for processing it shall determine, and is solely liable for ensuring, that it can rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR.

4. LIABILITY
4.1. The Supplier Data may not be used to obtain, collect or otherwise submit inquiries with respect to any person under the age of 13, and the End User shall not submit any inquiry, make any API call, or otherwise seek to obtain such information from the Data Supplier. The End User shall indemnify, defend and save the Data Supplier harmless from any loss, damage, cost or expense incurred by the Data Supplier arising out of or in connection with any violation of the foregoing provision or any violation of the Children’s Online Privacy Protection Act of 1988 (COPPA) or any rules, regulations or orders adopted thereunder.

5. SUSPENSION AND TERMINATION
5.1. The Data Supplier will have the right to suspend, disable or restrict access to the Supplier Data for system maintenance, technical upgrades or service enhancements normally during the late evening or early morning hours US Pacific Time.
5.2. The Data Supplier shall have the right to discontinue any data source at any time. Should the supply of the Supplier Data cease, GBG will use reasonable endeavours to find an alternative supplier on the same or similar commercial terms. In the event that GBG is unable to find an alternative at an acceptable cost to both Parties, either Party may terminate this part of the Service.