Business Terms and Conditions

Updated: May 16, 2026

0. Acceptance of the Agreement

By (i) clicking "Register," "I Accept," or another similar button on the Business Console or Didit Website, (ii) signing an Order Form that references these Terms, or (iii) otherwise accessing or using the Services, you (the "Client") legally accept and agree to be bound by this Agreement on behalf of the legal entity or organization you represent.

By accepting this Agreement, the Client represents and warrants that it has the full legal authority to bind such entity or organization to these Terms and any related Annexes or Order Forms. If you do not have such authority, or if you do not agree with these Terms, you must not use or access the Services.

CONTINUED USE OF THE DIDIT PLATFORM CONSTITUTES UNEQUIVOCAL AND BINDING ACCEPTANCE OF THIS AGREEMENT IN ITS ENTIRETY.


1. Parties to the Agreement

The following parties are involved in this Agreement:

  • Service Provider ("Didit," "we," "us," "our"): the Didit entity contracting with the Client. The applicable contracting entity is determined by Section 16.6 (Governing Law and Jurisdiction):
    • Didit Identity Spain, S.L. — CIF B22929327, Calle Nápoles 227, P. 1, 08013 Barcelona, Spain. Contracts with Clients established in the European Union, European Economic Area, United Kingdom, Switzerland, and Latin America.
    • Didit Identity, Inc. — EIN 39-2860573, 1111B S Governors Ave STE 34855, Dover, Delaware 19904, United States. Contracts with Clients established in the United States, Canada, Asia-Pacific, the Middle East, and all other jurisdictions not allocated to Didit Identity Spain, S.L.
  • Client ("you," "your"): The legal entity or person registering for an account on the Didit Platform or using the Services. The Client will be Didit's contracting party.
  • Notices: All formal notices and communications related to this Agreement must be addressed to legal@didit.me or to the physical address of the applicable contracting entity above.


2. Structure and Order of Precedence

This Agreement is composed of the following documents, which shall be interpreted jointly. In case of conflict between the provisions of any of these documents, they shall prevail in the following descending order:

  1. Order Forms (Client-specific commercial documents detailing the acquisition of Services, volumes, and pricing).
  2. Annex 2 – Data Processing Agreement (DPA) (governing the processing of Personal Data).
  3. These Terms and Conditions of Service.
  4. Annex 1 – Service Level Agreement (SLA) (establishing the availability commitments for the Services).

3. Table of Contents

  1. Acceptance of the Agreement
  2. Parties to the Agreement
  3. Structure and Order of Precedence
  4. Table of Contents
  5. Definitions and Interpretations
  6. Term of the Agreement
  7. Access and Use of the Services
  8. Intellectual Property Rights
  9. Fees and Payment Terms
  10. Confidentiality
  11. Data Protection and Security
  12. Disclaimer of Warranties
  13. Limitation of Liability
  14. Indemnification
  15. Representations and Warranties
  16. Suspension and Termination
  17. General Provisions

  Annex 1 – Service Level Agreement (SLA)
  Annex 2 – Data Processing Agreement (DPA)


    4. Definitions and Interpretations

    For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below:

    • Agreement: Refers to these Terms and Conditions of Service, together with any Order Form, Annex 1 (SLA), and Annex 2 (DPA), and any other policies or annexes referenced therein.
    • API: Means the application programming interfaces provided by Didit for integration with the Services.
    • Business Console: Refers to Didit's web administration portal, accessible via https://business.didit.me or any other URL Didit may designate, which allows the Client to manage its account and the Services.
    • Credits: Are the prepaid units denominated in USD that the Client acquires to pay for the use of the Services, according to the prices and conditions specified by Didit.
    • Access Credentials: Include, but are not limited to, passwords, API keys, authentication tokens, or any other security information provided by Didit to the Client to access the Services.
    • Client Data: All data, including Confidential Information and Personal Data of End-Users, that the Client or Authorized Users submit, upload, or process through the Services.
    • Personal Data: Shall have the meaning attributed in the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and/or any other applicable data protection law.
    • Documentation: Refers to any user manuals, technical specifications, implementation guides, API guides, policies, or support materials related to the Services that Didit makes available to the Client.
    • Effective Date: The date on which the Client first accepts this Agreement as set forth in Section 0.
    • Order Form: Any physical document or online form that formalizes the Client's purchase of Credits or specific Services, which references these Terms and forms part of this Agreement.
    • Force Majeure: Any event or circumstance beyond a Party's reasonable control that prevents or delays the performance of its obligations under this Agreement, such as acts of God, war, terrorism, insurrection, pandemic, natural disaster, global internet outages, energy shortages, strikes, sabotage, or governmental decisions.
    • Confidential Information: All non-public information disclosed by one Party to the other, whether orally, in writing, or by electronic means, that is designated as confidential or that, by the nature of the information or the circumstances of disclosure, should reasonably be understood as confidential. This includes, but is not limited to, technical, financial, business, customer, pricing information, marketing plans, software, source code, and Client Data.
    • Intellectual Property: Includes patents, copyrights, database rights, design rights, trademarks, trade names, know-how, trade secrets, and any other intellectual property rights, whether registered or unregistered, and applications therefor, in any part of the world.
    • SDK: Means the software development kits provided by Didit to facilitate the integration and use of the Services.
    • Services: Refers to the Didit identity and fraud infrastructure platform, including the Business Console, APIs, SDKs, Documentation, and any product line that Didit makes available to the Client, including User Verification (KYC), Business Verification (KYB), Transaction Monitoring, Wallet Screening (KYT), the Workflow Orchestrator, the Model Context Protocol (MCP) server, and any other service Didit may release under this Agreement.
    • Authorized User: Any person, such as an employee or contractor of the Client, whom the Client has authorized to access and use the Services on the Client's behalf, subject to the terms of this Agreement.
    • End-User: The natural person whose identity the Client seeks to verify using Didit's Services.
    • Verification: The process performed by Didit to verify an End-User's identity, which culminates in an Approved or Rejected result or any other status defined by Didit or in an Order Form.
    • Verification Feature: An individual component of the verification flow, such as ID Document Verification, Liveness Detection, Face Match, Face Search, AML Screening, Proof of Address, NFC Reading, Database Validation, Custom Questionnaires, Phone Verification, Email Verification, Device & IP Analysis, business-registry lookups, UBO extraction, officer data, entity AML, linked KYC, transaction-monitoring rule evaluation, wallet-screening lookups, or any other discrete step offered by Didit across the product lines.

    Interpretation:

    • Section titles are for convenience only and shall not affect the interpretation of this Agreement.
    • Words in the singular include the plural and vice versa.
    • The word "including" or "includes" means "including, without limitation."
    • Any reference to a law or regulation refers to that law or regulation as in force from time to time, including its amendments or replacements.

    5. Term of the Agreement

    5.1 Agreement Term: This Agreement shall commence on the Effective Date and shall continue in full force and effect until terminated by either Party in accordance with Section 16 hereof.

    5.2 No Minimum Commitment (unless specified in Order Form): Unless otherwise specified in an Order Form signed by the Client (e.g., for Enterprise plans with volume commitments), the Client may cease using the Services at any time. However, unused Credits shall not be refundable under any circumstances, as set forth in Section 9.4. Order Forms stipulating a minimum consumption commitment shall prevail over this clause.


    6. Access and Use of the Services

    6.1 Account Creation and Security: To access and use the Services, the Client must create an account in the Business Console. The Client is solely responsible for maintaining the confidentiality and security of its Access Credentials (including passwords and API keys) and for all activities that occur under its account, whether authorized or not. The Client must immediately notify Didit of any unauthorized use or suspected unauthorized use of its Access Credentials or account. Didit will not be liable for any loss or damage arising from the Client's failure to comply with this obligation.

    6.2 License: Subject to the Client's continuous compliance with this Agreement and timely payment of all applicable fees, Didit grants the Client a non-exclusive, worldwide license, during the term of the Agreement, to access and use the Services and Documentation for its business purposes, specifically to: (i) Verify the identity of its End-Users. (ii) Assist in the prevention and detection of fraud. (iii) Comply with applicable legal and regulatory obligations (e.g., KYC/AML).

    6.3 Resale and Sublicensing Rights: The Client may resell, sublicense, or otherwise make the Services available to third parties, provided that: (i) The Client ensures that such third parties comply with all applicable terms of this Agreement. (ii) The Client remains fully responsible and liable to Didit for any acts or omissions of such third parties. (iii) The Client enters into written agreements with such third parties that include terms no less protective of Didit than those contained in this Agreement. (iv) The Client notifies Didit of any significant sublicensing arrangements upon request.

    6.4 Use Restrictions: The Client agrees not to, and will not permit third parties to, perform any of the following actions:

    • Copy, modify, adapt, translate, reverse engineer, decompile, disassemble, or attempt to discover the source code or algorithms of the Services or any part thereof, except to the extent that such activity is expressly permitted by applicable and non-waivable law.
    • Build or attempt to build a competing identity verification service using the Services or any information obtained therefrom.
    • Use the Services for any unlawful, discriminatory, fraudulent, misleading, defamatory, obscene, abusive, harmful purpose, or in a manner that infringes the rights of third parties or applicable laws.
    • Use the Verification results or any Client Data obtained through the Services to train, develop, or improve machine learning (ML) or artificial intelligence (AI) models, or any other similar algorithm or technology, without Didit's prior written consent.
    • Interfere or attempt to interfere with the proper operation of the Services, including, without limitation, introducing viruses, trojans, worms, logic bombs, or any other malicious or technologically harmful material.
    • Attempt to gain unauthorized access to the Services, computer systems, or networks connected to the Services.
    • Remove, alter, or obscure any intellectual property rights notices or trademarks of Didit or third parties contained in the Services or Documentation.
    • Use the Services in a manner that exceeds the usage limits or Credit volumes purchased, or that imposes an unreasonable or disproportionately large load on Didit's infrastructure.
    • Abuse or circumvent the limitations of any free or trial plan by creating multiple organizations or accounts in the Business Console (https://business.didit.me), whether directly or indirectly, using the same or different identities, for the purpose of obtaining additional free-tier benefits beyond what is intended for a single Client. Where Didit has reasonable evidence that a person or entity has created or is operating multiple organizations to exploit the free plan, Didit may suspend or terminate the affected organizations and accounts, with notice where practicable.

    6.5 Client Responsibilities: The Client shall be solely responsible for:

    • Legal Compliance: Ensuring that its use of the Services, including the collection, processing, and use of Client Data and End-User Personal Data, fully complies with all applicable laws, regulations, and norms in its jurisdiction, including, but not limited to, data protection laws, anti-money laundering (AML), and combating the financing of terrorism (CFT) laws.
    • End-User Notices and Consents: Obtaining, and maintaining records of, all necessary notices, explicit consents, and authorizations from End-Users for the collection, processing, and transfer of their Personal Data (including biometric data, if applicable) to Didit and its sub-processors, as required by applicable data protection laws.
    • Client Security: Implementing and maintaining reasonable and appropriate security measures to protect Client Data before it is submitted to Didit and to secure its Access Credentials. This includes, without limitation, using secure connections (HTTPS), implementing signed webhooks, and other information security best practices.
    • Data Accuracy: Ensuring the accuracy, integrity, and legality of the Client Data submitted to Didit through the Services.

    6.6 Data Management and Deletion: Verification results and associated Client Data will be delivered to the Client via webhooks or Didit's API. The Client will have the ability to permanently delete any Verification record or Client Data via the API or the Business Console at any time, subject to Didit's retention policies and legal obligations as a data processor, as detailed in Annex 2 (DPA).


    7. Intellectual Property Rights

    7.1 Didit's Ownership: Didit (and its licensors, where applicable) retain all rights, title, and interest in and to the Services (including software, code, APIs, SDKs, models, algorithms, underlying technology), Documentation, Didit's trademarks, as well as any improvements, modifications, updates, derivatives, or developments thereof. Nothing in this Agreement shall be construed as a transfer of Intellectual Property ownership from Didit to the Client. The rights granted to the Client are solely licenses, and no implied licenses are granted under this Agreement.

    7.2 Client Data: The Client is and shall remain the sole owner of all rights, title, and interest in and to the Client Data. The Client grants Didit a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to process Client Data solely for the purpose of providing the Services to the Client and improving the Services, in accordance with Annex 2 (Data Processing Agreement) and Didit's Privacy Policy.

    7.3 Feedback: In the event that the Client or any of its Authorized Users provide Didit with any suggestions, ideas, enhancement requests, comments, recommendations, or other information related to the Services ("Feedback"), the Client hereby grants Didit a worldwide, perpetual, irrevocable, royalty-free, fully paid, transferable, sublicensable license to use, exploit, copy, modify, create derivative works, distribute, publicly display, publicly perform, and otherwise commercialize such Feedback for any purpose and in any manner, without any obligation or compensation to the Client.


    8. Fees and Payment Terms

    8.1 Prepaid Credits and Non-Expiry: Didit's Services are based on a prepaid Credits model. Credits purchased by the Client do not expire and can be used as long as the Agreement is in effect.

    8.2 Payment for Completed Verification Features: The Client will be charged for each Verification Feature that is successfully completed by the End-User during the verification flow, according to the applicable rates. This means: (i) If an End-User completes the ID Document Verification step, the Client will be charged for that feature. (ii) If an End-User completes the Liveness Detection step, the Client will be charged for that feature. (iii) Each additional Verification Feature completed (such as AML Screening, Proof of Address, NFC Verification, etc.) will incur its respective charge. (iv) No charges will apply for Verification Features that fail to complete due to a system failure on Didit's part.

    The specific pricing for each Verification Feature is set forth in Didit's pricing page or in the applicable Order Form.

    8.3 Pricing: The applicable prices for the Services are published on Didit's pricing page or, for customized or Enterprise plans, in the corresponding Order Form. Didit reserves the right to modify its prices at any time, which will be notified in advance in accordance with Section 17.2.

    8.4 Payment Process and Non-Refundability: The purchase of Credits will be made through the payment platform designated by Didit (currently Stripe or payment methods agreed upon in the Order Form). All payments are final, and purchased Credits are non-refundable, unless expressly stated otherwise in this Agreement or an Order Form. The prices indicated do not include taxes (such as VAT) or banking or processing fees, which will be the Client's responsibility.

    8.5 Failed Payments / Reversals and Account Suspension: In the event of three consecutive failed automatic payment attempts (for automatic Credit replenishment, if configured) or in case of non-payment of invoices issued for Enterprise plans, Didit may, at its sole discretion, suspend the Client's access to the Services or terminate this Agreement in accordance with Section 16. Didit reserves the right to charge interest on overdue payments at the maximum rate permitted by applicable law, calculated daily from the due date until the date of full payment.

    8.6 Enterprise Plans: For Clients who have contracted an Enterprise or customized plan through a signed Order Form, the specific pricing conditions, payment terms, minimum consumption commitments, and billing set forth in such Order Form shall supersede or complement the provisions of this Section 8.


    9. Confidentiality

    Each Party ("Receiving Party") agrees to protect the Confidential Information of the other Party ("Disclosing Party") with at least the same degree of care it uses to protect its own information of a similar nature, but never less than reasonable care. The Receiving Party will only use the Disclosing Party's Confidential Information to fulfill its obligations under this Agreement or as permitted by applicable law.

    9.1 Exclusions from Confidential Information: Confidential Information shall not include any information that: (a) is or becomes publicly known without the Receiving Party's fault; (b) was lawfully in the Receiving Party's possession prior to its disclosure by the Disclosing Party, without an obligation of confidentiality; (c) is disclosed to the Receiving Party by a third party without restriction or violation of any confidentiality obligation; (d) is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information; or (e) is Client Data processed by Didit in aggregated or pseudonymized form for the improvement of its algorithms, as set forth in Annex 2 (DPA).

    9.2 Compelled Disclosure: The Receiving Party may disclose Confidential Information if required by law, court order, or a competent governmental authority, provided that, to the extent legally permissible, the Receiving Party gives the Disclosing Party sufficient prior notice to allow the Disclosing Party to seek a protective order or waiver.

    9.3 Personnel Obligation: Each Party shall ensure that its employees, agents, and contractors who have access to the other Party's Confidential Information are subject to confidentiality obligations that are at least as restrictive as those set forth in this Section 9.

    9.4 Survival: The confidentiality obligations set forth in this Section 9 shall remain in effect during the term of this Agreement and for a period of five (5) years from the date of its termination, except with respect to trade secrets, for which the confidentiality obligation shall be indefinite as long as such information maintains its trade secret status.


    10. Data Protection and Security

    The processing of Personal Data by Didit on behalf of the Client shall be governed by Annex 2 – Data Processing Agreement (DPA), which forms an integral part of this Agreement. The DPA details each Party's obligations regarding compliance with data protection laws, security measures, and the responsibilities of the data processor and data controller.


    11. Disclaimer of Warranties

    DIDIT'S SERVICES, INCLUDING THE PLATFORM, APIS, SDKS, AND DOCUMENTATION, ARE PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, DIDIT EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD-PARTY RIGHTS, DATA ACCURACY, UNINTERRUPTED OR ERROR-FREE AVAILABILITY.

    DIDIT DOES NOT WARRANT THAT THE SERVICES WILL OPERATE UNINTERRUPTED, SECURELY, OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVICES OR THE SERVERS THAT MAKE THEM AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. DIDIT MAKES NO WARRANTIES REGARDING THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICES OR THE ACCURACY, RELIABILITY, OR COMPLETENESS OF ANY INFORMATION OBTAINED THROUGH THE SERVICES. THE CLIENT ASSUMES ALL RISKS ASSOCIATED WITH THE USE OF THE SERVICES.

    IN PARTICULAR, THE CLIENT ACKNOWLEDGES THAT IDENTITY VERIFICATIONS ARE COMPLEX PROCESSES BASED ON VARIOUS DATA SOURCES AND ALGORITHMS. DIDIT DOES NOT WARRANT THE IDENTITY OF ANY END-USER, THE TRUTHFULNESS OR AUTHENTICITY OF ANY IDENTITY DOCUMENT, OR THE ABSENCE OF FRAUD. THE RESULTS PROVIDED BY DIDIT'S SERVICES ARE FOR INFORMATIONAL PURPOSES ONLY AND SUPPORT THE CLIENT'S DECISION-MAKING PROCESS. THE CLIENT IS SOLELY RESPONSIBLE FOR ITS FINAL DECISIONS BASED ON OR NOT BASED ON DIDIT'S RESULTS, AND DIDIT ASSUMES NO LIABILITY WHATSOEVER FOR SUCH DECISIONS OR THE CONSEQUENCES THEREOF.


    12. Limitation of Liability

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL DIDIT, ITS AFFILIATES, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA, USE, OR GOODWILL, INCURRED BY THE CLIENT OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, EVEN IF DIDIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    DIDIT'S TOTAL AND CUMULATIVE LIABILITY UNDER THIS AGREEMENT FOR ANY CAUSE AND UNDER ANY THEORY OF LIABILITY SHALL BE LIMITED TO THE AMOUNT OF CREDITS OR SERVICE FEES ACTUALLY PAID BY THE CLIENT TO DIDIT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

    THE LIMITATIONS SET FORTH IN THIS SECTION SHALL NOT APPLY TO LIABILITY ARISING FROM DIDIT'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, RECIPROCAL INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION 14, OR IN CASES WHERE APPLICABLE LAW DOES NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN DAMAGES.


    13. Indemnification

    13.1 Indemnification by Client: The Client shall defend, indemnify, and hold harmless Didit, its affiliates, directors, employees, agents, and suppliers ("Didit Indemnified Parties") from and against any and all claims, demands, damages, liabilities, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (i) The Client's breach of any of its obligations, representations, or warranties under this Agreement, including, but not limited to, those related to security, data protection, or use restrictions. (ii) Any claim by an End-User or a third party related to the Client's collection or processing of Personal Data (including failure to obtain necessary consents), or the Client's decisions based on Verification results. (iii) The Client's use of the Services in a manner that does not comply with applicable laws or regulations. (iv) The Client's or its Client Data's infringement of any third-party Intellectual Property or privacy rights.

    13.2 Indemnification by Didit: Didit shall defend, indemnify, and hold harmless the Client, its affiliates, directors, employees, and agents from and against any and all claims, demands, damages, liabilities, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or related to a third-party claim that the Services, as provided by Didit to the Client and used in accordance with this Agreement, directly infringe a patent, copyright, or trademark of such third party.

    Exclusions: Didit's indemnification obligation shall not apply to claims arising from: (a) the Client's use of the Services in combination with any software, hardware, or data not provided by Didit; (b) modification of the Services by a party other than Didit; or (c) use of outdated versions of the Services if a newer, non-infringing version has been provided by Didit.

    13.3 Indemnification Procedure: The Party seeking indemnification ("Indemnified Party") shall: (i) promptly notify the indemnifying party ("Indemnifying Party") in writing of any claim; (ii) allow the Indemnifying Party exclusive control of the defense and settlement of the claim (provided that the settlement does not impose a non-monetary obligation on the Indemnified Party or admit liability on the part of the Indemnified Party without its prior written consent); and (iii) provide the Indemnifying Party with all reasonable assistance and cooperation, at the Indemnifying Party's expense.


    14. Representations and Warranties

    14.1 Client's Representations and Warranties: The Client represents and warrants to Didit that: (i) It has full legal capacity and authority to enter into and perform this Agreement. (ii) It will comply with all applicable laws, regulations, and norms in its use of the Services and in the collection, processing, and transfer of Client Data and Personal Data. (iii) It has obtained and will maintain all necessary consents, permissions, and authorizations from End-Users and any other natural person for Didit to process their Personal Data in accordance with this Agreement and the DPA. (iv) All Client Data provided to Didit is accurate, complete, and lawful, and the Client has the right to provide such data to Didit for processing.

    14.2 Didit's Representations and Warranties: Didit represents and warrants to the Client that: (i) It has full legal capacity and authority to enter into and perform this Agreement. (ii) The Services will be provided in a professional manner and in accordance with industry standards. (iii) The Services will substantially conform to the descriptions contained in the Documentation.


    15. Suspension and Termination

    15.1 Termination for Convenience:

    • By the Client: The Client may close its account and terminate this Agreement at any time, which will result in the forfeiture of unused Credits.
    • By Didit: Didit may terminate this Agreement and the Client's access to the Services for convenience, without cause, upon thirty (30) days' prior written notice. In such a case, Didit will refund the Client the value of any unused Credits.

    15.2 Termination for Cause: Either Party may terminate this Agreement immediately by written notice to the other Party if: (i) The other Party materially breaches any of its obligations under this Agreement and fails to cure such breach within thirty (30) days of receiving written notice specifying the breach. (ii) The other Party becomes bankrupt, insolvent, liquidates, dissolves, enters into a creditors' voluntary arrangement, or any similar proceeding.

    Didit may immediately suspend or terminate the Client's access to the Services, without prior notice or cure period, in the following cases: (a) Serious or repeated breach of Section 6.4 (Use Restrictions) or 6.5 (Client Responsibilities). (b) Unlawful, fraudulent, or abusive use of the Services. (c) Non-payment or repeated breach of payment terms. (d) When Didit determines, in its sole discretion, that the security or integrity of the Services or Client Data may be compromised. (e) In compliance with a court order or legal requirement. (f) Abuse of the free or trial plan through the creation of multiple organizations or accounts, as described in Section 6.4, where the affected organizations and accounts may be suspended or terminated.

    15.3 Effects of Termination: Upon termination of this Agreement for any reason: (i) All licenses and rights granted to the Client under this Agreement shall immediately cease. (ii) The Client shall cease all use of the Services and Documentation. (iii) Any outstanding amounts owed by the Client to Didit on the termination date shall become immediately due and payable. (iv) If the termination is for cause attributable to the Client, unused Credits will be forfeited and non-refundable. (v) Client Data retention and deletion obligations shall be governed by Annex 2 (DPA). (vi) The sections of this Agreement that, by their nature, should survive termination, including, without limitation, those relating to Intellectual Property, Confidentiality, Disclaimer of Warranties, Limitation of Liability, Indemnification, Governing Law and Jurisdiction, and General Provisions, shall remain in full force and effect.


    16. General Provisions

    16.1 Force Majeure: Neither Party shall be liable for any delay or failure to perform its obligations under this Agreement if such delay or failure is caused by Force Majeure. The affected Party shall notify the other Party of the Force Majeure event as soon as possible and shall make reasonable efforts to mitigate its effects.

    16.2 Modifications to the Agreement: Didit reserves the right to modify or update these Terms and Conditions, Annexes, or service policies at any time. Didit will notify the Client of such modifications at least thirty (30) days in advance by publishing the revised Terms on its Website or Business Console, or by sending direct notification to the Client. If the Client does not agree with the modifications, it may terminate the Agreement by written notice prior to the effective date of the new terms. The Client's continued use of the Services after the effective date of the modifications shall constitute binding acceptance of the revised terms.

    16.3 Assignment: The Client may not assign or transfer its rights or obligations under this Agreement, in whole or in part, without Didit's prior written consent. Any attempted assignment or transfer that does not comply with this provision shall be null and void. Didit may freely assign or transfer this Agreement, in whole or in part, to an affiliate or in connection with a merger, acquisition, corporate restructuring, or sale of all or substantially all of its assets.

    16.4 Severability: If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, such provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions of this Agreement shall remain in full force and effect.

    16.5 No Waiver: The failure of either Party to exercise or delay in exercising any right or remedy under this Agreement shall not operate as a waiver of that right or remedy, nor shall it preclude any subsequent exercise of that right or remedy. An express waiver of any breach shall not constitute a waiver of any subsequent breach.

    16.6 Governing Law and Jurisdiction: The governing law and exclusive jurisdiction depend on the Client's place of establishment, which also determines the contracting Didit entity (see Section 1):

    • Clients established in the European Union, European Economic Area, United Kingdom, Switzerland, or Latin America contract with Didit Identity Spain, S.L. This Agreement is governed by the laws of Spain (without reference to its conflict-of-laws principles), and the Parties irrevocably submit to the exclusive jurisdiction of the courts of the city of Barcelona, Spain for any dispute arising out of or in connection with this Agreement.
    • Clients established in the United States, Canada, Asia-Pacific, the Middle East, and all other jurisdictions contract with Didit Identity, Inc. This Agreement is governed by the laws of the State of Delaware, United States of America (without reference to its conflict-of-laws principles), and the Parties irrevocably submit to the exclusive jurisdiction of the state and federal courts located in New Castle County, Delaware for any dispute arising out of or in connection with this Agreement.

    This Section 16.6 does not deprive a consumer of the mandatory protections of the law of the country of its habitual residence. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

    16.7 Entire Agreement: This Agreement, including all Order Forms and Annexes, constitutes the entire and exclusive agreement between the Client and Didit with respect to its subject matter and supersedes all prior or contemporaneous communications, proposals, and agreements, whether oral or written, between the Parties.

    16.8 Relationship of the Parties: The Parties are independent contractors. This Agreement does not create a partnership, joint venture, employment, franchise, or agency relationship between the Client and Didit. Neither Party has any authority to bind the other or to incur obligations on behalf of the other.

    16.9 Notices: All notices required or permitted under this Agreement shall be in writing and shall be deemed delivered when: (a) personally delivered; (b) sent by certified or registered mail, return receipt requested; (c) sent by email to the notice addresses specified in Section 1 or in the Order Form (with confirmation of receipt); or (d) in the case of general notices from Didit to the Client, posted in the Business Console or on the Website.

    16.10 Export Compliance Laws: The Client represents and warrants that neither it nor its Authorized Users are subject to economic sanctions or embargoes imposed by the European Union, the United States, or other competent authorities, and that it will not use the Services for purposes prohibited by such export control laws.

    16.11 Publicity: The Client agrees that Didit may use the Client's name and logo in Didit's marketing materials and customer list, unless the Client notifies Didit in writing of its objection to such use.

    16.12 Survival: Sections 7 (Intellectual Property Rights), 8 (Fees and Payment Terms – in relation to amounts owed), 9 (Confidentiality), 11 (Disclaimer of Warranties), 12 (Limitation of Liability), 13 (Indemnification), 15.3 (Effects of Termination), and 16 (General Provisions) shall survive any termination or expiration of this Agreement.


    Annex 1 – Service Level Agreement (SLA)

    For Enterprise Plans, the operational conditions and service metrics signed in your Order Form will take precedence over this Annex.

    1. Scope: This Service Level Agreement ("SLA") applies to the operational availability of Didit's core verification API, the Business Console Dashboard, and SDK endpoints directly managed by Didit.

    2. Availability Commitment: Didit commits to maintaining a monthly uptime for the core Services according to the following metric:

    Metric                Commitment
    Monthly Uptime (%)    ≥ 99.9 %

    3. Uptime Measurement: Uptime is measured minute by minute using Didit's internal monitoring tools. Downtime shall be considered any minute during which the core API or Dashboard fails to respond successfully to an HTTPS request (2XX/3XX status codes), as detected by Didit's monitoring system or reported and validated by the Client through a support alert.

    4. Uptime Exclusions: Monthly Uptime will not include downtime or service disruption resulting from:

    • Force Majeure: Events beyond Didit's reasonable control, as defined in Section 16.1 of the main Agreement.
    • Scheduled Maintenance: Periods of planned maintenance for the Services. Didit will endeavor to limit scheduled maintenance to a maximum of five (5) hours per month, with at least forty-eight (48) hours' prior notice provided via the Business Console or email.
    • Urgent Maintenance: Unscheduled maintenance required to resolve critical security or performance issues. Didit will attempt to provide reasonable prior notice, but this may not be possible in all cases.
    • Factors beyond Didit's reasonable control: Including, but not limited to, Client-side hardware or software issues, internet network outages not attributable to Didit, denial-of-service attacks exceeding standard mitigation thresholds, or failures of third-party service providers (such as cloud providers, unless gross negligence by Didit in their selection or management is demonstrated).
    • Acts or omissions by the Client or its Authorized Users: Including any breach of the Agreement.

    5. Service Credits (SLA Credits): If Didit fails to meet the Monthly Uptime Commitment set forth in Section 2, the Client may request a credit to its Didit account (in the form of non-refundable Didit Credits) in accordance with the following table:

    Monthly Uptime (%)       % Credit on Monthly Spend (in Credits)
    < 99.9 % and ≥ 99.0 %    10 %
    < 99.0 % and ≥ 95.0 %    25 %
    < 95.0 %                 50 %

    5.1 Credit Claim Process: To request a credit, the Client must submit a written request to billing@didit.me within thirty (30) calendar days after the end of the month in which the SLA breach occurred. The request must include the date and time of the service interruption and a brief description of the interruption. The service credit is the Client's sole and exclusive remedy for any breach of the Uptime Commitment under this SLA. The credit value will be automatically applied to the Client's account in the next billing cycle or Credit replenishment.


    Annex 2 – Data Processing Agreement (DPA)

    This Data Processing Agreement ("DPA") forms an integral part of the main Agreement and is applicable whenever Didit processes Personal Data on behalf of the Client, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

    1. Context and Scope: This DPA sets out the rights and obligations of the Parties with respect to the processing of Personal Data by Didit as a Data Processor, acting on behalf of the Client as Data Controller.

    2. Roles and Nature of Processing:

    Role                                     Capacity
    Client                                   Data Controller
    Didit (in relation to the Services)      Data Processor
    Didit (aggregated/pseudonymized data)    Independent Controller (for algorithm improvement)

    2.1 Details of Processing:

    • Purpose of Processing: Didit's processing of Personal Data is solely for the purpose of providing identity verification Services to the Client, including, but not limited to, the Client's KYC/AML compliance obligations, age verification, and fraud prevention.
    • Categories of Data Subjects: The Personal Data processed concerns End-Users whose identities are verified by the Client through the Services.
    • Categories of Personal Data: Processed data may include: identity document information (name, date of birth, nationality, document number), selfie/video images (including biometric data, such as facial data), contact data (email, phone), device and connection data (IP address, device type, location), and AML/sanctions screening data.
    • Duration of Processing and Retention: The default retention period for Personal Data processed in verification flows is indefinite ("unlimited") unless the Client configures a shorter period. The Client may configure retention per application in the Business Console between 30 days and 10 years, and may delete any individual session or Verification record at any time via the API endpoint `POST /v3/sessions/:session_id/delete/` or the Business Console. Didit will delete or return Personal Data upon the Client's instruction or termination of the Agreement, unless applicable law requires retention. Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations — including the EU General Data Protection Regulation (GDPR) Article 9, the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington H.B. 1493, and any other applicable biometric-privacy law; where such law prescribes a shorter retention period or an earlier destruction obligation, that shorter or stricter rule prevails over any default or Client-configured retention period.

    2.2 Lawful Basis for Processing: The Client is solely responsible for determining the valid lawful basis for the collection and processing of End-Users' Personal Data, as well as for the transfer of such data to Didit. This may include, for example, the explicit consent of the data subject (especially for biometric data), performance of a contract, compliance with a legal obligation, or a legitimate interest. The Client undertakes to provide the necessary privacy notices and obtain the required consents from End-Users in accordance with applicable law before sending any Personal Data to Didit.

    2.3 Anonymized / Pseudonymized Model Training and Fraud Detection (Didit as Independent Controller): The Client acknowledges and agrees that Didit may use anonymized or pseudonymized data derived from Client Data for the following purposes as an Independent Controller:

    (i) Training and improvement of verification, biometric, and fraud-detection models — including document classifiers, liveness, face match, deepfake detection, injection-attack detection, and risk-scoring models — to enhance security, reduce fraud, and improve the accuracy of the Services for all customers.

    (ii) Cross-customer fraud-prevention safeguards — identifying and flagging known fraudulent actors, attack patterns, and attempted repeat-fraud across different Client applications using Didit's Services.

    Didit processes this data based on its legitimate interest in operating safe and accurate identity and fraud infrastructure, and applies anonymization, pseudonymization, aggregation, and access controls so that the data used for these purposes cannot reasonably be linked back to an identifiable individual outside the underlying Verification record.

    Opt-out. The Client (or an affected End-User) may opt out of the processing described in this Section 2.3 by (a) deleting the underlying Verification record via the API or the Business Console, which removes the record from training pipelines on the next refresh cycle, or (b) emailing privacy@didit.me with the relevant session identifier or account, requesting an opt-out. Opt-outs apply prospectively from the date of the request; Didit will also use commercially reasonable efforts to purge eligible records from active training datasets.

    3. Didit's Obligations (Data Processor): Didit undertakes to: (i) Process Personal Data only on documented instructions from the Client, unless required by Union or Member State law, in which case Didit shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. (ii) Ensure the confidentiality of Personal Data. Didit will ensure that persons authorized to process Personal Data undertake to respect confidentiality or are subject to an appropriate statutory obligation of confidentiality. (iii) Implement appropriate and robust technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including data encryption at rest (AES-256) and in transit (TLS 1.3), key management in a dedicated Key Management Service (KMS), role-based access control, environment separation, resilience of processing systems and services, continuous monitoring, and regular security testing. Didit maintains SOC 2 Type 1 (Security, Availability, Confidentiality; SOC 2 Type 2 examination in progress), ISO/IEC 27001:2022, iBeta Level 1 Presentation Attack Detection (PAD) under ISO/IEC 30107-3, and the Tesoro / SEPBLAC / CNMV sandbox attestation issued under Spain's Ley 7/2020 financial sandbox. (iv) Assist the Client in fulfilling its obligations as Data Controller, taking into account the nature of the processing and the information available to Didit, including:

      (v) Notify the Client without undue delay of any Personal Data security breach that Didit becomes aware of. Didit will provide the Client with known information about the breach and cooperate with the Client in mitigating its effects and fulfilling notification obligations.

      4. Client's Obligations (Data Controller): The Client undertakes to: (i) Establish and maintain an adequate lawful basis for the processing and transfer of Personal Data to Didit. (ii) Provide the necessary privacy notices and obtain the required consents from End-Users, in accordance with applicable data protection laws, before using Didit's Services. (iii) Configure data retention periods via Didit's Console or API in accordance with its own legal obligations and internal policies. (iv) Respond to requests from supervisory authorities or data subjects that Didit redirects to the Client.

      5. Sub-processors: The Client grants Didit a general authorization for the engagement of sub-processors for the processing of Personal Data. Didit maintains an updated list of its sub-processors, which is shared with Clients and prospective Clients via email after a Non-Disclosure Agreement (NDA) is signed. To request the current list, email security@didit.me. Didit notifies subscribed Clients by email of any addition or change to the sub-processor list with sufficient advance notice to allow the Client to object. Didit imposes on its sub-processors data-protection obligations substantially similar to those set forth in this DPA and remains fully liable to the Client for its sub-processors' compliance with those obligations. The Client may object to a new sub-processor on reasonable data-protection grounds, in which case the Parties will work in good faith to find a solution, including the possibility of terminating the affected Service.

      6. Security Breaches: In the event of a Personal Data security breach: (i) Didit will notify the Client without undue delay after becoming aware of it. (ii) Didit will provide the Client with details about the breach, including the nature of the breach, the categories of data affected, the approximate number of data subjects and data records affected, the likely consequences, and the measures taken or proposed to address it and mitigate its possible adverse effects. (iii) Didit will reasonably cooperate with the Client in the investigation of the breach and in fulfilling its notification obligations to supervisory authorities and data subjects, although the final decision on such notifications shall rest with the Client.

      7. International Data Transfers: The primary data processed by Didit is hosted in the European Economic Area (EEA). Any transfer of Personal Data outside the EEA by Didit or its sub-processors will only be made on the basis of a legally recognized transfer mechanism under GDPR, such as Standard Contractual Clauses (SCCs) approved by the European Commission, an adequacy decision, or any other applicable legal mechanism to ensure an adequate level of protection.

      8. Deletion / Return of Personal Data: Upon written request by the Client or termination of this Agreement, Didit, at the Client's choice, will delete or return all Personal Data to the Client, unless applicable law requires Didit to retain the Personal Data. The Client can manage the deletion of its Personal Data via Didit's API or Console in accordance with its own retention policy.

      9. Audit and Documentation: Didit will make available to the Client, upon request and with reasonable prior notice (no less than 30 days), all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. In the event the Client requires a direct audit of Didit's facilities or systems, such audit shall be limited and non-intrusive, subject to mutual agreement on scope and methodology, and the Client shall bear the reasonable costs associated therewith. On request and under a signed NDA, Didit provides its SOC 2 Type 1 report (SOC 2 Type 2 in progress), ISO/IEC 27001:2022 certificate, iBeta Level 1 PAD test report, and the published Tesoro / SEPBLAC / CNMV sandbox conclusion as audit artifacts.

      10. DPA Term: This DPA shall have the same term as the main Agreement. The clauses of this DPA related to confidentiality, deletion, liability, and audit shall survive the termination of the Agreement as required to comply with applicable laws.
