Platform Security & Compliance
GeoComply’s reputation is founded on trust and on being a good custodian of the end-user personal data that our customers provide us. Our customers need to know not only that we are responsible for the safekeeping of their end users’ data, but also that we will use it appropriately in helping them meet their business goals and regulatory obligations. We are also conscious that our business activities affect our customers’ end users (such as those placing online wagers, or streaming a movie), and that we have a duty of care to prevent their personal data from being misused or used for anything outside of what is expected and legally permitted.
Our CEO, Anna Sainsbury, continues to reinforce that we exist to help ensure that critical transactions on the internet are done safely and using the minimal amount of personal information necessary to do so. GeoComply’s privacy taskforce and senior leaders participate in regular meetings and assessments to review data use concerns, changes to applicable legislation, and evolving risks for our customers and their users. We actively question and refocus how we use personal data, such as:
- Is our data usage aligned with our customers’ expectations?
- Is our data usage aligned with our customers’ end users’ expectations (such as our customers’ iGaming players, streamers, or other users)?
- What laws and regulations do we need to comply with?
- What are the risks to individuals if data were accessed or lost?
- Although we can use the data in this manner, should we be doing so?
How We Obtain & Use Location Data
Typically, our customers have regulatory obligations and/or legitimate business reasons to limit access to their services to those within a specific geographical area. There are often building, property, state/province and country restrictions for where certain activities can be conducted or where content may be accessed. For example, online wagering is restricted from within US Federal properties and gaming operators are required to prevent this activity from occurring. This is just one of the many location-based challenges our customers face.
We offer several different products and services for a customer to verify the location of their end users. They can purchase a database that contains a list of IP addresses of known Tor nodes, VPNs, and proxies to reference on their own; they can install hardware beacons to determine whether a device is within their specific properties; or they can use our cloud services where we perform real-time analysis on a device to understand whether the location information being reported can be trusted.
When we perform real-time analysis, our customers provide information about their end users’ devices. GPS satellite data, wireless and cellular network data, and internet connections can assist us in confirming a location. We also cross-reference this with other device information to determine if a user is attempting to mask their location. Device performance, network performance, memory usage, and clock differences reported by different means can be used to understand whether a user is really where they say they are. We insist that our customers only send this data with a pseudonym to help protect the identities of their users – we don’t ever want to know who a user is unless we absolutely need to.
The location data in our possession was provided to us for a specific purpose determined by our customers; we do not resell or cross-share this personal information with other customers, nor do we use any data that may directly target individuals or customers for other purposes. The exception is when we are required to by laws or regulations within specific markets, states, or countries or when we may be obligated to detect and share device information of suspected fraudulent activity (such as anti-money-laundering, bonus abuse, and account takeover attempts) with regulators, law enforcement, and with other customers who are operating within the same industry.
What Other Information Do We Collect & Use?
We’re known for helping our customers understand the location of their end users, but our capabilities help fulfill many types of regulated obligations, such as the need for financial services providers to confirm the identity of their customers to combat money laundering. Before the internet, people interacted in-person at their local bank or with an investment advisor; these days, it seems to be only on special occasions when we’re meeting people face to face. Confirming identity in this way is often referred to as “Know Your Customer” (KYC) activity and GeoComply makes it easier for its customers.
GeoComply isn’t buying or selling personal information; we’re also not collecting credit reports, phone numbers, addresses, or mortgage data from unsuspecting people. If a GeoComply customer needs to confirm the identity of their users, they provide us the information they are required to collect (like a name, address, phone numbers, or government issued ID), and we forward it to respected providers who have been authorized to provide a verification service. We then pass those results back to our customers. We don’t hold the results for long once it’s been confirmed that they have been reviewed and processed by our customers and we no longer have any regulatory obligations to maintain them. In essence, we’re making it easier for our customers to interact with different verification providers without needing to know the technical complexities to do so.
How We Work With Law Enforcement
GeoComply understands the importance of the trust that our customers – and their end users – place in us with respect to how we use personal information. From time to time, we may receive requests from industry regulators, and local or national law enforcement agencies seeking access to data belonging to a customer or one or more of their end users. It’s our policy to cooperate with law enforcement in a manner consistent with applicable law and our contractual obligations with our customers.
GeoComply is required to obtain a license to operate within specific regulated sectors such as US iGaming. In these situations, our license requires us to work with a government regulator who is responsible for monitoring for compliance with applicable laws. These regulators have legal powers to access and request data from GeoComply and other companies operating in the same industry (e.g. from companies offering online sports betting or financial services) without the need for warrants, subpoenas, and other legal instruments. When a regulator requests data from GeoComply to assist with managing their jurisdiction, we are required to cooperate.
Law Enforcement Agencies
In unregulated industries, or where we receive a request from law enforcement agencies outside of the context of sector regulator authority, GeoComply requires a legally binding and valid request for the data in its possession, including any direct access to customer data and their users’ data. When this situation occurs, we are contractually obligated to notify the affected customer(s) unless we are explicitly prohibited from doing so by law.
Where possible, we refer the requesting agency to the affected customer, as we believe our customers should have control over their respective data. GeoComply acts as “custodians of data and processing” on behalf of our customers, and government agencies seeking access should address the request directly with that customer whenever possible.
We do not disclose customer data or the data of their users to law enforcement agencies unless compelled by law or specified as required within the regulations of specific industries. GeoComply reviews each request for customer data and their users’ data and only complies if we determine the request is legally binding and valid. We require law enforcement agencies to follow the legal process under applicable laws, such as issuing their request via a subpoena, court order, or search warrant. Where we believe a government request for customer data is invalid or unlawful, we endeavour to challenge it. If we are required to disclose customer data to law enforcement agencies, we ensure the transfer is necessary and proportionate, and will provide the minimum amount of information possible. GeoComply may make exceptions and provide data in emergency situations such as when there is imminent harm to a child or the risk of death or serious physical injury to a person.