Cloud Services Agreement

Download PDF

Cloud Services Agreement

Effective November 4, 2022

This Cloud Services Agreement (this “Agreement”) is binding legal contract by and between Nametag Inc., a Delaware corporation, with a place of business at 520 E Denny Way, Seattle, WA 98122 (“Nametag”) and the entity or company entering into an Order Form (“Customer”). By entering into the Order Form, Customer is agreeing to be bound by the terms of this Agreement.

1. Definitions.

Capitalized terms, not otherwise defined in the body of this Agreement or in the Nametag Policies or additional terms provided through the links herein, will have the following meanings:

1.1 “Affiliate” means, with respect to any entity, any other entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such entity. The term “control” means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.

1.2 “Agreement” means collectively: the body of this Agreement, the Nametag Policies, the URL terms referenced herein, and all Order Forms.

1.3 “Analytics Data” means all aggregate, de-identified data and other information relating to the provision, use and performance of various aspects of the Services (including the use of Customer Data) that is collected by Nametag.

1.4 “Customer Data” means non-public information provided by Customer to Nametag under this Agreement in order to receive the Services, and excludes all End User Information.

1.5 “Documentation” means any the then current written specifications, user documentation, training materials, validation test plans, and other documents relating to the Services that Nametag makes generally available to its customers.

1.6 “End User” means a real person about whom Customer requests Personal Information from Nametag using the Services. A third party End Users’ use of the Services is exclusively governed by the terms of the EULA. For the avoidance of doubt, the EULA will not apply to or be binding on End Users who are current employees of Customer.

1.7 “End User Information” means information and common data provided by the End User to Nametag in connection with usage of the Services (e.g., scans of government-issued IDs, etc.).

1.8 “Equipment” is defined in Section 2.8.

1.9 “EULA” means the End User License Agreement which sets forth the terms of service governing each third party End User’s use of the Services.

1.10 “Fees” is defined in Section 5.1.

1.11 “Initial Service Term” means the duration of Customer’s initial subscription to the Services, as set forth on the Order Form.

1.12 “Nametag Platform” means Nametag’s proprietary software platform, made available as a cloud service, used to: (1) collect Personal Information from End User; (2) validate the authenticity of Personal Information; (3) obtain consent from End User to share Personal Information with Customer; and (4) share validated Personal Information with Customer.

1.13 “Order Form” means the applicable order form document signed by the parties, and which details the specifics of Customer’s subscription to the Cloud Services, and a description of the Services to be provided, as well as details such as the applicable Fees, Term, the maximum number of authorized users, as applicable, and any additional terms pertaining to the Services.

1.14 “Personal Information” is defined in the DPA.

1.15 “Proprietary Information” is defined in Section 3.1

1.16 “Services” means collectively, access to the Nametag Platform, the Documentation, Support Services, and all Nametag products, reports and related information services and software provided to Customer hereunder on a cloud basis, as set forth in more detail on the Order Form.

1.17 “SLA” is defined in Section 2.2.

1.18 “Support Services” is defined in Section 2.2.

1.19 “Term” is defined in Section 6.1.

2. Services; Support; Restrictions and Customer Responsibilities

2.1 Provision of Services. Subject to the terms of this Agreement, Nametag will use commercially reasonable efforts to provide the Services. To use the Services, Customer will be asked to create one or more administrative accounts. As part of the account creation process, Customer will be asked to verify its identity within the Nametag app. Nametag reserves the right to refuse registration of, or cancel the account as it deems inappropriate. Nametag grants Customer a non-exclusive, non-transferable, right to allow Customer access to the features and functions of the Services in accordance with the terms and conditions of this Agreement for Customer’s internal business purposes. With respect to any software that is distributed or provided to Customer for use on Customer devices, as applicable, Nametag grants Customer a non-exclusive, non-transferable, non-sublicensable license to use such software during the Term only in connection with use of the Services. Nametag also grants to Customer a non-exclusive, non-transferable and non-sublicensable right to make a reasonable number of copies of the Documentation solely for use by authorized user in connection with their access and use of the Services. All Documentation will be made available through the Nametag Platform.

2.2 Support. Subject to the terms hereof, Nametag will provide Customer with reasonable technical support services in accordance with the Nametag’s the current standard practices. Nametag will be reasonably available during its standard support hours to provide Customer with problem resolution and technical support in connection with the Services and use of the Nametag Platform during the Term (the “Support Services”). Customer will have the ability to obtain Support Services from Nametag at a dedicated email address,, or via additional contact information which might be provided to Customer by Nametag upon completion of the onboarding process. The Services will also be provided in accordance with Nametag’s then-standard Service Level Agreement available at (“SLA”). Customer will have the ability to view a current uptime status of the Services at the following link: Notwithstanding the foregoing, and for the avoidance of doubt, and as set forth in the EULA, no direct End-User support will be provided by Nametag in connection with any of the Services.

2.3 Backups. Nametag, at its expense, will make (or will cause a third-party vendor to make) a complete daily backup of all Customer Data. Such backup copy will be stored in a secure, offsite location. Nametag will provide Customer with a copy of all such Customer Data upon Customer’s written request (and, in any event, upon expiration or termination of this Agreement) in a manner, via a transmission method, and in a format then supported by Nametag. Customer acknowledges that Nametag will not have any liability to Customer for any loss of any of the Customer Data whatsoever in connection with use of the Services.

2.4 Disaster Recovery Plan. Nametag shall maintain and keep current a disaster recovery plan for Nametag locations from which Nametag performs hosting and maintenance services under this Agreement and will make such plan available to Customer for review upon request, subject to the confidentiality provisions hereof. In addition, Nametag will require that any Nametag contractors used to provide the Services also maintain and keep current a disaster recovery plan for locations from which such contractors perform hosting and maintenance Services and, upon Customer’s reasonable request, will make such plan available to Customer for review to the extent feasible under the circumstances.

2.5 Restrictions. Customer will not, directly or indirectly: reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software, documentation or data related to the Services; modify, translate, or create derivative works based on the Services (except to the extent expressly permitted by Nametag or authorized within the Services); use the Services for time sharing or service bureau purposes or otherwise for the benefit of a third; or remove any copyright, trademark, or other proprietary notices or labels; or use the Services or any Nametag Confidential Information to create a competitive service or contest the validity of any Nametag intellectual property rights.

2.6 Export Compliance. Customer may not remove or export from the United States or allow the export or re-export of the Services, or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Services and Documentation are “commercial items” and according to DFAR section 252.2277014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.

2.7 Acceptable Use. Customer may not use the Services to collect, upload, transmit, display, or distribute any End User Information (i) that violates any third-party right, including any copyright, trademark, patent, trade secret, moral right, privacy right, right of publicity, or any other intellectual property or proprietary right; (ii) that is unlawful, harassing, abusive, tortious, threatening, harmful, invasive of another’s privacy, vulgar, defamatory, false, intentionally misleading, trade libelous, pornographic, obscene, patently offensive, promotes racism, bigotry, hatred, or physical harm of any kind against any group or individual or is otherwise objectionable; (iii) that is harmful to minors in any way; or (iv) that is in violation of any law, regulation, or obligations or restrictions imposed by any third party. In addition, Customer may not: (i) upload, transmit, or distribute to or through the Services any computer viruses, worms, or any software intended to damage or alter a computer system or data; (ii) send through the Services unsolicited or unauthorized advertising, promotional materials, junk mail, spam, chain letters, pyramid schemes, or any other form of duplicative or unsolicited messages, whether commercial or otherwise; (iii) use the Services to harvest, collect, gather or assemble information or data regarding other users (including but not limited to other users e-mail addresses or End User Information) without their and Nametag’s explicit consent; (iv) interfere with, disrupt, or create an undue burden on servers or networks connected to the Services, or violate the regulations, policies or procedures of such networks; (v) attempt to gain unauthorized access to the Services (or to other computer systems or networks connected to or used together with the Services), by any means; (vi) harass or interfere with any other user’s use and enjoyment of the Services; or (vi) create multiple accounts. Customer hereby agrees to indemnify, defend, and hold harmless Nametag against any damages, losses, liabilities, fines, sanctions, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing. Although Nametag has no obligation to monitor Customer’s use of the Services, Nametag may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing; and/or any such use in violation of the license restrictions set forth in this Agreement. In addition to, and without limiting the foregoing, Nametag may discontinue or suspend Customer’s access to the Services immediately if (a) Customer fails to make a payment for 30 days following notice of its due date; (b) Customer has (or Nametag reasonably suspects that it has) breached or misappropriated or infringed Nametag’s intellectual property or proprietary rights in the Services and/or violated any of the license restrictions set forth in this Agreement, as determined by Nametag in its sole discretion; and/or (c) Nametag reasonably believes that Customer’s acts or omissions hereunder could otherwise cause material detriment to its brand and/or pose significant legal risk to Nametag. Nametag will promptly restore access to the Services only after such violation(s) has been cured (if the violation is capable of cure).

2.8 Customer Equipment. Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer’s account or the Equipment.

2.9 Optional Professional Services. Customer may request Nametag to perform certain implementation and other professional services. Any such services will be rendered under a separately negotiated professional services agreement.

3. Confidentiality; Ownership

3.1 Confidentiality. Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). Proprietary Information of Nametag includes the Services, non-public information regarding features, functionality, pricing, customer lists, and performance of the Services. Proprietary Information of Customer includes all Customer Data. All End User Information will be owned by the End User(s). Any use of the End User Information by Nametag for other identity scenarios will require the End User’s prior consent. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, and (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after three (3) years following the disclosure thereof (except with regard to trade secrets of a party which will continue to be held in confidence for as long as the information constitutes a trade secret under applicable law) or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party or (e) is required to be disclosed by law.

3.2 Customer Ownership. Customer shall have access to all End User Information that is authorized for sharing by an End User, and for any updates to that data for the defined time period as consented by the End User. Customer shall own all right, title and interest in and to the Customer Data, as well as any data that is based on or derived from the Customer Data and provided to Customer as part of Customer’s usage of the Services, and that is specific as to Customer, excluding any End User Information.

3.3 Nametag Ownership. Nametag shall own and retain all right, title and interest in and to: (a) the Services and the Documentation, and all improvements, upgrades, updates, enhancements or modifications thereto; (b) any software, applications, inventions or other technology developed in connection with the Services or support; (c) all Analytical Data; and (d) all intellectual property rights related to any of the foregoing. This is not a work made-for-hire agreement, as that term is defined in Section 101 of Title 17 of the United States Code.

3.4 Feedback. Customer may, at its election, provide Nametag with suggestions, enhancement requests, recommendations, ideas, comments or other feedback regarding Nametag’s products and services, including the Services (“Feedback”). Feedback is not considered Customer Information. Feedback is voluntary and Nametag will treat any Feedback as non-confidential and non-proprietary. Nametag may use and fully exploit such Feedback in any manner we deem appropriate without obligation of any kind. Customer hereby assigns to Nametag all rights, including all intellectual property rights, in and to the Feedback. Customer will not submit to Nametag any Feedback that Customer considers to be confidential or proprietary.

4. Data Privacy and Security

4.1 Data Privacy. To the extent applicable, Nametag’s standard Data Processing Addendum (“DPA”) located at shall govern responsibilities with respect to Personal Information processed in connection with this Agreement where relevant, and is hereby incorporated by reference into the Agreement. In addition, Nametag will comply with all applicable laws and regulations in connection with providing the Services under this Agreement, including all applicable data privacy laws and regulations.

4.2 Personal Information Processing. In accordance with the DPA, all Personal Information will be stored and processed in the countries set forth in the DPA, and will not be transported to or Processed and stored in any other country without Customer’s or End User’s prior written consent. Personal Information received from Customers or End Users in Asia, North America or South America will be stored and processed in the United States. Personal Information received from Customers or End Users in Europe or Africa will be stored and processed in Ireland or Germany. From time to time, Nametag may add additional regional data centers, and will provide written notice to Customer or End User of the same.

4.3 Analytics Data. Notwithstanding anything to the contrary, Nametag shall have the right to collect and analyze Analytics Data in order to compile statistical and performance information related to the provision, improvement, and operation of the Services (including, but not limited to, for diagnostic and corrective purposes) and to use such Analytics Data both during and after the Term for the purpose of providing and improving the Services and Nametag’s other products and services. Customer acknowledges that Nametag may also distribute, use and provide the Customer Data to Nametag’s service providers who act on Nametag’s behalf in providing the Services (e.g. third party web hosting providers); as well as to third parties chosen by Nametag that are used to provide various additional services (and enhancements), and which can be provided for the benefit of Customer, (e.g., analytics services, and any other value-added services which may be offered by Nametag from time to time in connection with the Services provided under this agreement, as applicable).

4.4 Security. Nametag will maintain physical, administrative, and technical safeguards consistent with applicable industry-accepted practices designed to protect the confidentiality, integrity, and availability of the Customer Data, including adhering to the security measures set forth at Exhibit A, attached hereto and made a part hereof. In addition, Nametag will maintain its SOC 2 Type II standing, or an equivalent, throughout the Term.

5. Financial Terms

5.1 Fees. Customer will pay Nametag the then-applicable fees described in the Order Form for the Services in accordance with the terms therein and in this Agreement (the “Fees”). Unless otherwise expressly set forth in an Order Form or in this Agreement, all Fees are due in advance, in full, within thirty (30) days of the date of Nametag’s corresponding invoice, and are non-refundable and non-cancellable. If Customer’s use of the Services exceeds the number of authorized users, transactions, or other Service restrictions set forth on the Order Form (as applicable) or otherwise requires the payment of additional Fees (per the terms of this Agreement), Customer shall be billed for such usage at the rates set forth in the Order Form or if no such rates are specified, Nametag’s then current rates, and Customer agrees to pay the additional fees in the manner provided herein. Nametag reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or the then-current renewal term, as the case may be, upon thirty (30) days prior notice to Customer (which may be sent by email). Any such increases in the Fees will take effect after the end of the Initial Term or the then-current renewal term, as applicable. If Customer believes that Nametag has billed Customer incorrectly, Customer must contact Nametag no later than 60 days after the closing date on the first billing statement in which the error or problem appeared, in order to receive an adjustment or credit. Inquiries should be directed to Nametag’s customer support department.

5.2 Late Payments. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and attorneys’ fees. In addition, Nametag may suspend provision and access to the Services until such amounts are paid in full.

5.3 Taxes. Customer shall be responsible for all sales, use, value added, excise, and other taxes and tariffs, associated with Services, other than U.S. taxes based on Nametag’s net income.

6. Term and Termination

6.1 Term. Subject to earlier termination as provided below, this Agreement is for the duration of the Initial Service Term specified in the Order Form. At the end of the Initial Service Term, the term shall be automatically renewed for additional periods of the same duration as the Initial Service Term or the prior renewal term, as applicable (the Initial Service Term, together with any renewal term(s), collectively, the “Term”), unless either party notifies the other party in writing of its election not to renew at least thirty (30) days prior to the end of the then-current term.

6.2 Termination. In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ notice, if the other party materially breaches any of the terms or conditions of this Agreement, and fails to cure such breach within such thirty (30) day notice period. Customer will pay in full for the Services up to and including the last day on which the Services are provided. Upon any termination of the Agreement, and unless otherwise prohibited by applicable law, Nametag will make all authorized Customer Data available to Customer for electronic retrieval for a period of thirty (30) days, but thereafter Nametag may delete the data from its systems. All Sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, confidentiality obligations; indemnification obligations; provisions pertaining to ownership; all license restrictions; warranty disclaimers; and limitations of liability; as well as all outstanding payment amounts.

7. Warranties and Disclaimer

Each party represents and warrants that: (a) it has the full right, power, and authority to enter into this Agreement; (b) it will comply with all laws and regulations applicable to its business in performing its obligations and exercising its rights under this Agreement; and (c) it will use industry best practices designed to prevent the transmission of viruses and other intentionally harmful code to the other party. Nametag further represents that the Services will materially comply with the Documentation. HOWEVER, NAMETAG DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE; NOR DOES IT MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SERVICES. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES, ARE PROVIDED “AS IS” AND “AS AVAILABLE”. NAMETAG EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. No oral or written information or advice given by Nametag or any of its personnel or agents shall create any other Nametag warranties or in any way increase the scope of Nametag’s obligations hereunder.

8. Indemnification

Nametag shall indemnify, defend, and hold Customer harmless from liability to third parties resulting from infringement by the Services of any United States patent or any copyright, trademark, or misappropriation of any trade secret, provided that Nametag is promptly notified of any and all threats, claims and proceedings related thereto and given reasonable assistance and the sole control over defense and settlement; Nametag will not be responsible for any settlement it does not approve in writing. The foregoing obligations do not apply with respect to portions or components of the Services (i) not supplied by Nametag, (ii) made in whole or in part in accordance with Customer specifications, (iii) that are modified by anyone other than Nametag, (iv) combined with other products, processes or materials where the alleged infringement relates to such combination, (v) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications that would have avoided the alleged infringement, or (vi) where Customer’s use of the Services is not strictly in accordance with this Agreement. If, due to a claim of infringement, the Services are held by a court of competent jurisdiction to be or are believed by Nametag to be infringing, Nametag may, at its option and expense (a) replace or modify the Service to be non-infringing provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the Service, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the Services on a pro-rata basis. THE FOREGOING CONSTITUTES CUSTOMER’S SOLE AND EXCLUSIVE REMEDIES AND NAMETAG’S SOLE AND EXCLUSIVE LIABILITY WITH REGARD TO CLAIMS OF INFRINGEMENT.

9. Limitation of Liability


The allocations of liability in this Section represent the agreed, bargained-for understanding of the parties and we would be unwilling to enter into this Agreement without these allocations. The limitation of liability and types of damages stated in this Agreement are intended by the parties to apply regardless of the form of lawsuit or claim a party may bring, whether in tort, contract or otherwise, and regardless of whether any limited remedy provided for in this Agreement fails of its essential purpose. For purpose of this Section, the term “Nametag” includes Nametag, and its officers, directors, employees, agents, representatives, affiliates, successors and assigns.

10. Publicity

Unless Customer notifies Nametag in writing that desires to opt out of the activities described in this Section, Nametag may use Customer’s name and logo on Nametag’s main website, in investor briefings, and in marketing, promotional, or other materials available to the public. Such activities will be subject to Customer’s usage guidelines that are provided in writing and/or made available to Nametag. Upon request, Customer otherwise agrees to reasonably cooperate with Nametag to serve as a reference account, such cooperation will not unreasonably interfere with Customer’s operations and be conducted at times convenient to Customer.

11. Force Majeure

In no event shall either party be liable to the other party, or be deemed to have breached this Agreement, for any failure or delay in performing its obligations under this Agreement (except for any obligations to make payments), if and to the extent such failure or delay is caused by any circumstances beyond such Party’s reasonable control, including but not limited to acts of God, flood, fire, earthquake, pandemics, explosion, war, terrorism, invasion, riot or other civil unrest, strikes, labor stoppages or slowdowns or other industrial disturbances, or passage of law or any action taken by a governmental or public authority, including imposing an embargo.

12. Miscellaneous

In the event of conflict between the body of this Agreement and any Order Form or any terms made available through a URL herein, the conflict will be resolved according to the following order of precedence: the Order Form will govern over the body of the Agreement and the URL terms; and the URL terms will govern over the body of the Agreement. If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable or transferable without the non-assigning party’s prior written consent; provided, however, that a party may, upon written notice to the other party and without the consent of the other party, assign or otherwise transfer this Agreement: (i) to any of its Affiliates, or (ii) in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise), provided that in the case of a change of control of a party, the acquiring company is not a competitor of the other party. Any assignment or other transfer in violation of this Section will be null and void. Subject to the foregoing, this Agreement will be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. Any terms and conditions which may appear as pre-printed language or otherwise be on, attached to, or inserted within any order forms, quotes, invoices, bills, or other similar forms or documents issued by Customer shall be of no force or effect even if such forms or documents are accepted by Nametag. All waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. Nametag’s relationship with Customer is solely that of an independent contractor. No agency, partnership, joint venture, or employment relationship is created as a result of this Agreement and Customer does not have any authority of any kind to bind Nametag in any respect whatsoever. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the State of Delaware without regard to its conflict of laws provisions. Any legal suit, action, or proceeding arising out of or related to this Agreement or the licenses granted hereunder will be instituted exclusively in the federal courts of the United States or the courts of the State of Delaware in each case located in New Castle County, and each Party irrevocably submits to the exclusive jurisdiction of such courts in any such suit, action, or proceeding. This Agreement may be accepted in electronic form (e.g., by an electronic or digital signature or other means of demonstrating assent) and Customer’s acceptance will be deemed binding between the parties. Customer will not contest the validity or enforceability of this Agreement because it was accepted in electronic form.

Exhibit A. Security Measures

The following is a description of the technical and organizational measures implemented by Nametag (including any relevant certifications) designed to provide an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.


Nametag is a Cloud-based identity platform that provides validated identity on the web, in person, and over the phone with a low-friction enrollment process that positively validates people using their US government-issued identification and facial recognition. The person authenticated by the identification retains control over who is using their information, while the company or person using their information has no need to store PII. Everyone—people and companies—is more secure using Nametag.

To provide this, we must make sure that your sensitive data is secure, and protecting it is our most important responsibility. We’re committed to being transparent about our security practices and helping you understand our approach.


Our service is currently hosted on infrastructure operated by Amazon Web Services (AWS).

AWS is Amazon’s global scale technical infrastructure designed to provide security through the entire information processing lifecycle. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.

The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support the operational security of data stored with Nametag.

AWS invests heavily in securing its infrastructure with many hundreds of engineers dedicated to security and privacy.

Data Encryption

Nametag handles data in these contexts:

  • at rest on your phone in our app (there is no permanent storage in the app, but we do use the app to send and receive data for enrollment, sharing requests, and display purposes).

  • over the public Internet from your phone to the Nametag services in AWS.

  • at rest in AWS storage (databases and object storage buckets).

  • from Nametag services in AWS to people with whom you share your data—either another user’s Nametag app, or a website that requires authenticated data about you, or someone on the phone confirming your identity.

In the cases of our app and the Nametag services and storage within AWS, the data is encrypted at rest and in transit. In the cases of a third-party website or voice verification, please refer to that third-party’s security documentation.

For some functions, we must manage secrets on your behalf. For example, in order to implement OAuth, we create keys that authenticate your application for information access. Wherever we check access to a resource, for example access to our API or when our app communicates with our services, we either store those secrets using a one-way hash (bcrypt2) or authenticate them with a digital signature (ECDSA with a P-256 key)

Secure Deployment

The Nametag source code is stored in a central code repository. Making changes to the software requires the review and approval of at least one other member of the team. Our software infrastructure is short-lived and deployed in its entirety on a regular basis. Rather than modify running systems, we destroy and replace systems to deploy new versions.

Because deployments are automated, it is unusual for staff to access the production environment directly. This access is extremely rare and limited to key personnel. All such access is audited and recorded.

Security Vulnerabilities

We have made architectural choices that make vulnerabilities more difficult to introduce. For example, the identity and privilege level of the remote user is threaded throughout the application, all the way to the datastore, which enforces access rules in a testable, auditable place. The peer-code review process serves as a backstop against intentional or accidental vulnerabilities. We use automated static analysis tools that alert us to potential security problems in the code, and those checks must pass in order for code to get deployed.

We have automated tools that monitor for security vulnerabilities in the third-party code dependencies and automatically propose patch updates.

We rely on AWS’s mature vulnerability management practice for patching known vulnerabilities at the operating system, virtualization, and hardware layers.

We divide our systems into separate environments for development, staging and production. Each environment is an independent domain with respect to network access control, service account credentials, and secrets. No access to the production, staging or development environments is allowed except on known protocols and ports via our front-end load balancers.

All access to our services from user devices, or between our client software and our service is protected by TLS version 1.2 or higher.

Our public endpoints, (for example, receive an A+ rating from Qualys SSL Labs.

Authorizing Access

To minimize the risk of data exposure, Nametag adheres to the principle of least privilege. Employees are only authorized to access data that they reasonably must handle in order to do their job: all engineers have access to their development environments, fewer engineers have access to the staging environment (only those who need access to perform their jobs), and far fewer have access to the production environment.

All internal systems require our employees to authenticate with unique user accounts.

Data Residency

Personal Information received from Customers or End Users in Asia, North America or South America will be stored and processed in the United States. Personal Information received from Customers or End Users in Europe or Africa will be stored and processed in Ireland or Germany.

Employee Training

All employees complete mandatory security awareness training once per year. In addition to general resistance to online threats, we teach our staff to resist social engineering attacks through our support channels. All employees are trained in protecting the identities and confidential information of our clients. Although we do not generally handle protected health information (PHI), all employees are trained to identify and report any incidental contact with it.


All access to internal systems, including production and business systems, requires hardware backed multi-factor authentication,


We collect logs from all our servers. We routinely examine logs for suspicious activity and operational issues. We scrub logs of personal data and operational secrets before archiving them.

Business Continuity

All data that we store for you are regularly backed up. We regularly simulate the backup and recovery process to make sure it works smoothly. Copies of backups are stored in multiple data centers in different regions and are encrypted in transit and at rest.

Nametag is insured for cybercrime damage and loss.

To improve public health and the safety and longevity of our team, all Nametag employees who can safely receive vaccines must be vaccinated against COVID-19.

Download Cloud Services PDF