Policy on Government Data Requests

This document provides information on how Verbit and its affiliates (“Verbit”, “we” or “us”) address requests received from government, law enforcement, supervisory authorities, or courts, to give access to, or otherwise disclose to them our customers’ personal data (“government data requests”) processed by us, while ensuring compliance with our Terms of Use and Privacy Policy.

We always aim to protect our customers’ data while complying with applicable laws. Accordingly, we will never voluntarily provide authorities with access to customers’ personal data; but we may disclose such data under a compelling legal obligation to do so, such as a regulatory or legal obligation, a valid subpoena, court order, or search warrant (e.g., issued in connection with an official criminal investigation), issued to us by a court of competent jurisdiction.

Importantly, Verbit is not the ‘controller’ of the personal data that we process on our customers’ behalf, and we strongly believe that our customers should have as much control as possible over handling any such data disclosure requests. Accordingly, our first response to any government data request will always be to inform the requesting authority that any and all requests or demands for access to our customer’s data should be made directly to the customer concerned, and explain that Verbit is the ‘processor’ of such data on behalf of the customer.

Only where this is not possible will we continue to examine the request – for example, if the requesting authority declines to communicate the request to the customer or under exceptional circumstances as described below.

To give our customers the opportunity to challenge any government data request relating to their data, we will notify the relevant customer before disclosing any such data to the requesting authority, unless:

  1. Verbit is prohibited by law or court order from informing the customer;
  2. We have reason to believe there is an immediate risk of serious harm to people or to property that merits compliance with the request; or
  3. Prior notice would be counterproductive – for example, if we have reason to believe that an account was hijacked.

If Verbit is legally prohibited from notifying the relevant customer of the request prior to disclosure, we will:

  1. Review each government data request on a case-by-case basis, taking into account all applicable laws, so we can determine whether or not the request is lawful (see conditions below). If we find that the request is invalid or unlawful, we will challenge it using commercially reasonable means;
  2. Strive to minimize the amount of personal data disclosed to the greatest extent permissible; and
  3. Take reasonable steps to notify the relevant customer as soon as the confidentiality requirement expires.

In order to be valid and lawful, a government data request should include the following information:

  • The requesting party’s name (for example, the court that issued the subpoena or the government agency that authorized the request);
  • The law or other authority that compels disclosure;
  • A valid subpoena, court order or search warrant, as well as the criminal matter (if relevant);
  • The Verbit entity from which records are requested;
  • Indication of the data subject that is the subject-matter of the request (for example, an individual’s name or email);
  • A clear and specific description of the data requested;
  • A non-disclosure or restraining order, or the legal or regulatory basis, if Verbit is prohibited from notifying the customer concerned of the request;
  • The email address of the requesting authority, as well as a requested response date (if relevant).

For further questions, please contact Verbit’s DPO at dpo@verbit.ai.

Last updated: August 22, 2023