Product Annex: Single Verification Network
Version 2026-07-11 · Effective July 11, 2026
Rillis — Product Annex: Single Verification Network + User Consent Text (Refined)
Version: 2026-07-11 · Effective as of: July 11, 2026 This Annex is incorporated into the Master Terms and the DPA (Appendix 2). It refines your lawyer’s original draft (Sections 1 and 2) with additional protections based on industry and regulatory research.
Courtesy translation. This English version is provided for convenience. The Spanish version is the legally binding text and prevails in case of any discrepancy.
What changed relative to the original draft (summary). (1) An explicit rule was added for the allocation of liability between Donor and Recipient (a gap not even covered by Sumsub). (2) The SDK (real-time consent) vs. API model is distinguished, following Sumsub’s actual clause 12. (3) Freshness/currency of reused evidence was added. (4) The no-reliance language was strengthened, anchoring it to FATF Recommendation 10 vs. 17. (5) The blockchain clause was adjusted to the “hash + salt” standard for the right to erasure. (6) Cross-indemnity and treatment of the re-check selfie were added. (7) Marketing copy with a list of permitted/prohibited phrases.
Part 1 — Network Clauses for the Master Terms
N.1 (Definitions). “Single Verification Network” (the “Network”): a feature that allows a Verified Person who completed a verification with an originating Client (“Donor”) to, with their prior explicit consent, reuse the Verification Evidence in a process with another client (“Recipient”). “Verification Evidence”: the captured identity data (declared personal data, document images, facial image/selfie, and technical capture metadata), expressly excluding the Verification Results. “Verification Results”: any decision, score, screening outcome, risk classification, or outcome derived from the Donor’s process. “Re-Check Selfie”: the fresh facial image captured at the time of reuse for the 1:1 match.
N.2 (Participation — eligibility + activation). By accepting these Terms, the Client becomes eligible to participate as a Donor, Recipient, or both (contractual opt-out, following the Sumsub cl. 12.2 / Persona Connect pattern). Effective participation in a specific network requires (a) express operational activation agreed between the Client and Rillis (including execution of the applicable Network Annex, where relevant) and (b) configuration of the membership by Rillis. No Verified Person data will be accessible to other clients before such activation. The Client may opt out of any network at any time, effective for future reuses; reuses already completed are governed by N.6.
N.3 (What travels and what does not — a non-derogable architectural rule). Only Verification Evidence is communicated through the Network. The Donor’s Verification Results are NEVER communicated to the Recipient, whether directly or indirectly. Each reuse requires, as a non-derogable technical condition: (a) the Verified Person’s explicit, specific, and informed consent, given at the time of reuse and for the specific Recipient; (b) biometric re-verification (1:1 facial matching of the Re-Check Selfie against the originating facial image, with liveness detection); and (c) the Recipient’s execution of its own complete AML screening and other controls under its compliance program.
N.3-bis (Consent model — SDK vs. API). Where reuse is implemented via SDK, consent is obtained in real time from the Verified Person before any data is communicated (a data-portability request). Where implemented via API without the data subject’s real-time authorization, the Recipient Client represents and warrants that it has obtained and retains, on its own and in advance, the Verified Person’s valid consent to the reuse, and that it assumes responsibility for proving it. Rillis logs and versions, in an immutable record, the consent text displayed (with variables resolved), its version, and the date/time.
N.4 (Recipient’s compliance responsibility — no reliance). The Recipient acknowledges and agrees that: (a) the Network is a mechanism for reusing the capture of identity data and NOT a mechanism of reliance on third-party due diligence within the meaning of FATF Recommendation 17 or its transpositions; the operation falls under Recommendation 10 (the Recipient’s own customer due diligence); (b) the decision to approve, reject, or escalate is exclusively the Recipient’s, which retains full responsibility for its CDD/KYC and AML/CFT obligations; (c) Rillis and the Donor do not warrant the accuracy, currency, or sufficiency of the Verification Evidence for the Recipient’s regulatory purposes; and (d) if the Recipient wishes to establish a formal reliance arrangement with a Donor, it must agree to do so bilaterally and outside the Platform, at its sole responsibility.
N.5 (Data roles). For each reuse: (a) the Donor and the Recipient act, with respect to each other, as independent controllers (the Donor with respect to the originating capture and the consented communication; the Recipient with respect to subsequent processing, including its decision); (b) Rillis acts as processor for each of them with respect to the data it processes on their behalf, and as independent controller solely with respect to operation of the Network infrastructure (matching by verified identifier, consent logging, immutable audit records, and the integrity attestation under N.8); (c) details are governed by the DPA (Appendix 2).
N.6 (Access to originating evidence and retention). While the reuse link remains in effect, the Recipient will have read-only access to the originating Verification Evidence for its retention obligations and responses to authorities. Opting out of a network or termination of the Donor’s contract does not deprive the Recipient of access to the evidence from reuses already completed during its regulatory retention period. Rillis maintains an immutable record of: the identifier that produced the match, consent (text, date, and time), the result of the biometric re-check, and the screening re-run by the Recipient.
N.6-bis (Currency of the evidence — freshness). Reuse communicates the Verification Evidence as it existed as of the date of the originating verification. The Recipient is responsible for determining whether the age of the evidence is adequate for its use case and risk level, and for requiring a full re-verification where currency is material.
N.7 (Territorial and risk restrictions). Participation may be subject to configuration matrices by originating jurisdiction (including a requirement of full verification for captures from certain jurisdictions and blocking of high-risk jurisdictions in accordance with FATF lists). Where reuse involves an international transfer, it will be carried out in accordance with the DPA and only after being covered in the Verified Person’s consent.
N.8 (Blockchain integrity attestation). For each approved verification, Rillis generates an integrity attestation consisting of the on-chain recording of a cryptographic digest (hash) of the evidence package, with a random value (“salt”) kept off-chain. The Client acknowledges and agrees that: (a) the on-chain record contains exclusively the hash and non-identifying technical metadata — under no circumstances plaintext personal data; (b) the attestation allows a third party to verify that an evidence package presented matches bit-for-bit the one that existed at the time of verification (integrity and technical non-repudiation), without revealing its content; (c) given the nature of the technology, the hash is immutable and cannot be removed from the chain; deletion of the underlying personal data is performed off-chain in accordance with the DPA, after which, once the off-chain salt is also deleted, the residual hash can no longer be linked to an identifiable person; (d) the attestation evidences the integrity of the evidence, not the veracity of the identity or the correctness of the verification decision; (e) on-chain verification depends on the continued availability and accessibility of the network used, and Rillis does not warrant the perpetual existence of any third-party network.
N.9 (Allocation of liability and pool indemnities — new). Unless otherwise agreed in the Order Form: (a) the Donor is liable for, and will indemnify and hold harmless, the Recipient and Rillis against claims arising from the unlawful capture of the originating Verification Evidence or the absence of consent/legal basis for communicating it; (b) the Recipient is liable for, and will indemnify and hold harmless, the Donor and Rillis against claims arising from its verification decision and from processing following receipt, including any breach of its re-screening duty or a breach in its systems that exposes the received evidence; (c) Rillis is liable only for failures of the Network infrastructure under its control (matching, consent logging, logs, attestation), subject to the liability limits in the Master Terms; (d) no party warrants that a reused identity will not turn out to be fraudulent despite a matching biometric comparison (e.g., a fake originating document); the risk of originating identity fraud is allocated to the Recipient as part of its own due diligence. Each member is encouraged to maintain adequate liability insurance.
N.10 (Re-Check Selfie — new biometric processing). The Re-Check Selfie is biometric data captured on behalf of the Recipient (controller for subsequent processing), with Rillis as processor. Before capture, the Verified Person is shown the corresponding privacy notice and the applicable legal basis is obtained (explicit consent and/or the alternative basis recognized in the jurisdiction). (Open item No. 8 from the brief: confirm, by jurisdiction, whether it should be attributed to the Recipient or to Rillis; the recommended default is “on behalf of the Recipient.”)
Part 2 — End User Consent Text (Reuse Offer Screen)
Variables:
{empresa}= Recipient’s name;{pais}= destination country (the international-transfer sentence is shown only if the reuse crosses a border). Buttons: explicit acceptance + no-penalty decline.
Spanish
Ya estás verificado en la Red Rillis. Si aceptás, compartiremos tu verificación anterior — tus datos de identidad, las imágenes de tu documento y tu selfie — con {empresa} para que no tengas que repetir el proceso. {empresa} hará sus propias comprobaciones y decidirá de forma independiente. Te pediremos una selfie breve para confirmar que sos vos. (si cruza frontera) Tus datos se transferirán a {empresa} en {pais}. La integridad de tu verificación está protegida con un sello criptográfico registrado en blockchain; ese sello no contiene tus datos personales. Podés negarte y verificarte desde cero sin ningún perjuicio. Podés retirar tu consentimiento para reusos futuros en cualquier momento. Más información en la Política de Privacidad de la Red Rillis. [Acepto y continuar] [Prefiero verificarme de nuevo]
English
You’re already verified on the Rillis Network. If you accept, we will share your previous verification — your identity data, document images and selfie — with {company} so you don’t have to repeat the process. {company} will run its own checks and make its own independent decision. We’ll ask for a quick selfie to confirm it’s you. (cross-border only) Your data will be transferred to {company} in {country}. The integrity of your verification is protected by a cryptographic seal recorded on a blockchain; that seal contains no personal data. You may decline and verify from scratch at no disadvantage. You may withdraw your consent for future reuses at any time. Learn more in the Rillis Network Privacy Policy. [Accept and continue] [I’d rather verify again]
Portuguese
Você já está verificado na Rede Rillis. Se aceitar, compartilharemos sua verificação anterior — seus dados de identidade, as imagens do seu documento e sua selfie — com a {empresa}, para que você não precise repetir o processo. A {empresa} fará suas próprias checagens e decidirá de forma independente. Pediremos uma selfie rápida para confirmar que é você. (se cruzar fronteira) Seus dados serão transferidos para a {empresa} em {pais}. A integridade da sua verificação é protegida por um selo criptográfico registrado em blockchain; esse selo não contém seus dados pessoais. Você pode recusar e se verificar do zero sem qualquer prejuízo. Você pode retirar seu consentimento para reusos futuros a qualquer momento. Saiba mais na Política de Privacidade da Rede Rillis. [Aceito e continuar] [Prefiro me verificar de novo]
Notes on consent (for counsel):
- The full text displayed (with variables resolved), version, and date/time are stored in an immutable record, to evidence consent (burden of proof on the controller — express under Chile’s Law 21.719).
- The international-transfer sentence appears only when the reuse crosses a border.
- Mexico: the new LFPDPPP (Official Gazette, March 20, 2025) requires, for sensitive and financial data, express, written consent (Arts. 7–8). The verified-OTP flow plus an affirmative click with a logged date/time is intended to qualify as “written” in an equivalent electronic medium; it requires confirmation from local counsel and must be reconciled with the pending implementing Regulation (see memo, item 1).