Subscription Specific Terms: Loan Payment
Last Updated: November 11, 2025
The Subscription-Specific Terms below govern your use of certain Subscription Services. Capitalized terms used in these Subscription-Specific Terms but not defined below are defined in the Orbipay Subscription Agreement (the “Agreement”).
Table of Contents
1. Terms Applicable to ACH Transactions
2. Terms Applicable to Card Transactions
3. Terms Applicable to All Transactions
4. Terms Applicable to Chatbot Functionality (Ella)
5. Terms Applicable to Account Validation
6. Terms Applicable to Account Updater
7. Terms Applicable to Online Banking Authentication
8. Terms Applicable to Aperture Connector
9. Terms Applicable to LMS Connections Module Connector
10. Terms Applicable to Bank Verification Service – Plus
1. Terms Applicable to ACH Transactions.
(a) The definition of “Applicable Law” includes: (i) the NACHA rules and operating regulations (“NACHA Rules”); (ii) sanction laws administered by the Office of Foreign Assets Control; (iii) the Electronic Funds Transfer Act; (iv) the Unlawful Internet Gambling Enforcement Act; (v) the Federal Reserve Board Regulation E; (vi) laws, rules, regulations, and orders administered by the Financial Crimes Enforcement Network; and (vii) with respect to international Transactions, the rules applicable to IAT ACH Transactions, as each may be amended, revised, or replaced from time-to-time.
(b) “NACHA” means the National Automated Clearing House Association and all regional payment alliances associated with it.
(c) “ODFI” or “Originating Depository Financial Institution” has the meaning given in the NACHA Rules.
(d) In order for Alacriti to comply with anti-terrorism, financial services, and other applicable laws and regulations, Know Your Customer (“KYC”), and requirements imposed by NACHA, Client must provide Alacriti with information about itself, its shareholders, its activities, and its products and services. Client warrants to Alacriti that all information it provides Alacriti is true, correct and up to date, and Client acknowledges that Alacriti is relying upon such information in establishing this Agreement and in providing the Subscription Services. Client authorizes Alacriti to verify the information provided by Client. Alacriti may use this information to perform customer due diligence, identity verification, and various underwriting, fraud and risk reviews.
(e) Client represents and warrants to Alacriti that each Client settlement account used to receive or fund settlement of Transactions processed, or fund ACH returns or refunds, through the Subscription Services, is a business account in accordance with NACHA Rules. Client agrees that Alacriti’s ODFI bank (as defined in the NACHA Rules) is an intended third-party beneficiary to the Agreement and entitled to all of its benefits.
(f) Client: (i) assumes the responsibilities of and makes the warranties of an Originator under the NACHA Rules, and agrees to reimburse ODFI for returns, reversals, adjustments, reclamations and warranty claims and responsibilities related to Client’s ACH entries; (ii) agrees to comply with the NACHA Rules, including but not limited to the requirements of Article Three (Obligations of Originators), Article Five (Obligations of Third-Party Senders) and if international ACH entries are initiated by Client, then the NACHA Rules applicable to IAT ACH entries, (iii) agrees to comply with all applicable state and federal laws, rules and regulations, including but not limited to sanction laws administered by the Office of Foreign Assets Control, the Electronic Funds Transfer Act, the Unlawful Internet Gambling Enforcement Act and Federal Reserve Board Regulation E (the foregoing and the NACHA Rules are, collectively, the “Applicable Rules”); and (iv) acknowledges that ACH entries may not be initiated that violate the laws of the United States, including but not limited to the sanctions laws, regulations and orders administered by OFAC, laws, regulations, rules and orders administered by FinCEN (as such terms are defined below), and any state laws, regulations or orders applicable to the providers of ACH payment services.
(g) Client represents and warrants as to each ACH entry that it has obtained the necessary authorizations under the Applicable Rules and that it shall not initiate any funds transfer after the authorization for the same has been revoked (or the agreement between Client and its third-party sender (“TPS”) has been terminated). With respect to each IAT Entry TPS sends to ODFI on behalf of Client, Client represents and warrants to ODFI that such IAT Entry is in compliance with United States law, including, but not limited to, rules promulgated and programs administered by OFAC and FinCEN, that no such IAT Entry violates United States law, including, but not limited to, rules promulgated and programs administered by OFAC and FinCEN, that neither TPS nor the Client are acting on behalf of or transmitting funds to any party subject to OFAC sanctions and that such IAT Entry complies with the laws and payment system rules of the receiving country. Client acknowledges that ODFI and other parties must comply with the Applicable Rules and United States law for IAT Entries. The performance by each of these parties, including ODFI, of obligations with respect to IAT Entries may cause delays in processing, settlement and/or availability of IAT Entries. Client waives and releases ODFI from any liability or obligation, including, but not limited to, funds availability obligations, caused by or arising out of any such delay associated with IAT Entries.
2. Terms Applicable to Card Transactions.
(a) The definition of “Applicable Law” includes the operating rules of the Networks and Payment Brands, and the Payment Card Industry Data Security Standard, as any or all of the foregoing may be amended, revised, or replaced from time-to-time.
(b) “Networks” means Pulse, Star, NYCE, and/or any other electronic payment network authorization, routing, processing or funds transfer system for transmitting Transactions and settlement thereof.
(c) “Merchant Processing Services Terms and Conditions” means the terms and conditions posted at http://www.alacriti.com/legal/merchant-terms (and any successor or related locations designated by Alacriti), as may be updated by Alacriti from time to time and are incorporated herein by reference.
(d) “Payment Brand” means any payment method provider whose payment method is used by the Subscription Services, including Visa U.S.A., Inc., Visa International, MasterCard International Incorporated, Discover Financial Services, Inc., American Express Travel Related Services Company Inc., and other credit and debit card providers, debit network providers, gift card, and other stored value and loyalty program providers. Payment Brand also includes the Payment Card Industry Security Standards Council.
(e) “Refund Policy” means the terms and conditions posted at http://www.alacriti.com/legal/refund-policy (and any successor or related locations designated by Alacriti), as may be updated by Alacriti from time to time and are incorporated herein by reference.
(f) In order for Alacriti to comply with anti-terrorism, financial services, and other applicable laws and regulations, Know Your Customer (“KYC”), and requirements imposed by the Payment Brands, Client must provide Alacriti with information about itself, its shareholders, its activities, and its products and services. Client warrants to Alacriti that all information it provides Alacriti is true, correct and up to date, and Client acknowledges that Alacriti is relying upon such information in establishing this Agreement and in providing the Subscription Services. Client authorizes Alacriti to verify the information provided by Client. Alacriti may use this information to perform customer due diligence, identity verification, and various underwriting, fraud and risk reviews.
(g) Prior to using the Subscription Services to process Transactions via Payment Cards, Client must accept an acknowledgement of the processing instructions and guidelines, as required by Alacriti’s payment processors. Such acceptance may be by execution of a paper agreement, or digital signature of an electronic agreement. Such agreement will be in the form set forth at either https://www.alacriti.com/legal/Fiserv-Sub-Merchant-Processing-Agreement or https://www.alacriti.com/legal/Elavon-Sub-Merchant-Processing-Agreement, as determined by Alacriti (“Processor Agreement”). Client shall also comply with the Merchant Processing Services Terms and Conditions. Client agrees that: (i) Alacriti is an intended third-party beneficiary of the Processor Agreement and entitled to all of its benefits; and (ii) Alacriti’s payment processor is an intended third-party beneficiary to the Agreement and entitled to all of its benefits.
(h) Alacriti reserves the right to refuse to process any Transaction made subject to a refund policy of which Alacriti has not been notified in advance. Client’s refund policy must comply with the Refund Policy.
(i) Alacriti may terminate the Agreement immediately upon written notice if: (i) Client or any person owning or controlling Client’s business is or becomes listed in the MATCH file (Member Alert to Control High-Risk Merchants) maintained by Visa and MasterCard; (ii) any Payment Brand notifies Alacriti that it is no longer willing to accept Client’s Transaction Data; or (iii) there exists any circumstances that create or could tend to create harm or loss to the goodwill to any Payment Brand or Alacriti.
(j) Client’s use of the Subscription Services must comply with the Payment Card Industry Data Security Standards (“PCI-DSS”) and, if applicable to Client’s business, the Payment Application Data Security Standards (“PA-DSS”) (collectively, the “PCI Standards”). The PCI Standards include requirements to maintain materials or records that contain payment card or Transaction data in a safe and secure manner with access limited to authorized personnel. The specific steps Client will need to take to comply with the PCI Standards will depend on Client’s implementation of the Subscription Services. Client will promptly provide Alacriti, or any applicable third party, with documentation demonstrating Client’s compliance with the PCI Standards, upon request. If Client does not provide documentation sufficient to satisfy Alacriti or the relevant third party, that Client is compliant with the PCI Standards, then Alacriti, and any applicable third party, may access Client’s business premises on reasonable notice to verify Client’s compliance with the PCI Standards. If Client does not comply with the PCI Standards, or if Alacriti or any applicable third party is unable to verify Client’s compliance with the PCI Standards, Alacriti may suspend access to the Subscription Services or terminate the Agreement. If Client intends to use a third-party service provider to store or transmit Transaction Data, then Client must not share any data with the service provider until Client verifies that the third party holds sufficient certifications under the PCI Standards, and notify Alacriti of Client’s intention to share Transaction Data with the service provider. Further, Client agrees to never store or hold any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2), at any time. Client will reimburse Alacriti for all fines, penalties, fees, and other costs associated with Client’s failure to comply with this clause, promptly after Alacriti’s request. Such request will include reasonable detail regarding the amounts owed.
(k) Alacriti may increase the Fees related to processing Card Transactions, to take into account increases in the underlying costs associated with processing such Transactions (for example, an increase in the fees charged to Alacriti by the Networks). Alacriti will give Client notice of such increase promptly after becoming aware of the corresponding increase in Alacriti’s underlying costs.
3. Terms Applicable to All Transactions.
(a) “Prohibited Categories List” means the list posted at http://www.alacriti.com/legal/prohibited (and any successor or related locations designated by Alacriti), as may be updated by Alacriti from time to time and are incorporated herein by reference.
(b) “Settlement Terms” means the terms and conditions posted at http://www.alacriti.com/legal/settlement (and any successor or related locations designated by Alacriti), as may be updated by Alacriti from time to time and is incorporated herein by reference.
(c) “Transaction” means a credit, debit, ACH, or other electronic transaction processed by Alacriti on behalf of Client or a Customer, including purchases, disbursements, cash withdrawals, disputes, chargebacks, and refunds.
(d) “Transaction Data” means the written or electronic record of a Transaction, including, without limitation, an authorization code or settlement record, which is submitted to Alacriti.
(e) Client acknowledges that settlement of Transactions will occur as set forth in the Settlement Terms. Client shall not use the Subscription Services to send or receive payments relating to any of the prohibited categories set forth on the Prohibited Categories List. Alacriti may terminate the Agreement upon five (5) days prior written notice if Client has failed to maintain the Minimum Balance required by the Settlement Terms.
(f) Where Client uses the Subscription Services to receive or collect payments on behalf of a merchant (e.g., Client provides management services for a group of utility companies) (collectively, “Payee(s)”), Client represents and warrants to Alacriti that Client has all requisite power, authorization, and authority (including, having been appointed as an attorney in fact by its Payee) to, among other things, and hereby does (i) appoint Alacriti as the Payee’s agent for the limited purpose of receiving, collecting, facilitating, and/or transmitting payments on behalf of each Payee from Customers making Payments to the Payee; and (ii) agree, on behalf of each Payee, that receipt of funds from Payee’s customers by Alacriti on Payee’s behalf in connection with Subscription Services transactions (i) will be deemed receipt of funds from Payee’s customers by the Payee; and (ii) will satisfy a Payee’s customer’s obligations to the Payee in the amount of the applicable payment by the Payee’s customer. Where the provisions of this section apply, references in this Agreement to Client acknowledgements, representations, warranties, authorizations or consents will be on behalf of Client and Payees.
(g) Alacriti may send documents to Client and tax authorities for Transactions processed using the Subscription Services. Specifically, pursuant to Applicable Law (including the Internal Revenue Code), Alacriti may be required to file periodic informational returns with taxing authorities in relation to Client’s use of the Subscription Services.
(h) Termination of the Agreement does not affect either party’s respective rights and obligations under this Agreement as to Transaction Data submitted before termination or expiration. If Client submits Transaction Data to Alacriti after the date of termination or expiration, Alacriti may, at its sole discretion and without waiving any of its rights or remedies under this Agreement, process such Transaction Data in accordance with and subject to all of the terms of this Agreement.
(i) Alacriti may provide Client with third-party hardware, software, or systems, such as “point of sale” systems, that facilitate the transmission of Transactions (collectively, “POS Systems”). Client acknowledges and agrees that Alacriti provides such POS Systems only as a convenience, and none of the Alacriti Parties will be liable for any POS System or the acts or omissions of the third-party provider of any POS System.
(j) Upon notice of termination of the Agreement, Alacriti may estimate the aggregate dollar amount of Chargebacks, ACH Returns and other obligations, liabilities and expenses that Alacriti reasonably anticipates subsequent to termination, and Client agrees to immediately deposit such amount in Client’s Settlement Account. Where possible, Alacriti will first attempt to collect or set-off amounts owed to it and to its affiliates from the Settlement Account or from funds that Client holds in reserve. Accordingly, the authorization granted to Alacriti in Section 3 of the Agreement remains in effect for a period of six (6) months following the date of termination of the Agreement. In addition, Alacriti may collect any amounts Client owes under the Agreement by deducting or setting-off amounts that are owed to the Client. Client grants Alacriti a lien and security interest in all funds for Transactions that Alacriti processes for Client, including funds that Alacriti deposits into the Settlement Account and Client-Funding Account, as well as funds held in any other bank accounts to which such Transaction funds are deposited or transferred. This means that if Client has not paid funds that Client owes to Alacriti, Customers, or to any Alacriti affiliates, then Alacriti has a right superior to the rights of any of Client’s other creditors to seize or withhold funds owed for Transactions processed through the Subscription Services, and to debit or withdraw funds from any bank account associated with Client’s Subscription Services account (including the Settlement Account and Client-Funding Account). Upon Alacriti’s request, Client will execute and deliver any documents and pay any associated fees Alacriti considers necessary to create, perfect, and maintain a security interest in such funds (such as the filing of a form UCC-1).
(k) Client acknowledges that Alacriti may also charge Customers fees in order to use the Subscription Services. Alacriti is responsible for disclosing any such fees to the Customer.
(l) Client will maintain books and records relating to its compliance with the Agreement and Applicable Law (“Records”), during the Term and for a period of six (6) years after. Client shall ensure that its Records contain all Transaction Data processed through the Subscription Services. Client agrees to allow Alacriti (or Alacriti’s designee) reasonable access to Client’s facilities and Records, and will use commercially reasonable efforts to obtain for Alacriti the right of access for such Records which are not in Client’s possession, as the case may be, as is reasonably necessary for Alacriti to audit Client’s compliance with Applicable Law and the Agreement. Except where Alacriti or its designee discovered a deficiency or violation during an immediately preceding audit or have a reasonable and good faith belief of a material change to Client’s business or operations, Alacriti may not perform an audit of Client more than once in any calendar year. If any audit results in a conclusion that Client is not in compliance with Applicable Law or the Agreement, or results in the identification of any control deficiency or other error or deficiency that could reasonably be expected to have an adverse impact on the Subscription Services then Client shall take immediate steps consistent with reasonable commercial practices to correct the noncompliance, error or deficiency.
4. Terms Applicable to Chatbot Functionality (Ella).
(a) At Client’s option, the Subscription Services may also include a chatbot which: (i) facilitates communication between Client and Customers; (ii) enables bill payment for Customers that have a valid payment method saved within the Subscription Services; and (iii) includes other features and functionality as may be made available by Alacriti from time-to-time (“Chatbot”).
(b) Alacriti, in its sole discretion, will support the Chatbot on a variety of third-party platforms, such as Facebook Messenger, Google Home, and Amazon Echo (the “Platforms”). Client acknowledges that Alacriti’s ability to provide the Chatbot to Client on a given Platform is subject to: (i) the Platform making available the APIs and other tools necessary for Alacriti to provide the Chatbot; (ii) the Platform’s terms and conditions; and (iii) Client maintaining an account on that Platform. A Customer’s ability to use the Chatbot on a given Platform is subject to that Customer maintaining an account on that Platform.
(c) Client shall:
(i) Ensure that the “Terms of Service” (or similar agreement) displayed to Customers as part of the account-pairing process for the Chatbot contains at least, and is not inconsistent with, the minimum terms and conditions specified in clause (d) below;
(ii) Not use the Chatbot to facilitate direct conversations between Customers and healthcare providers, or to send or collect any personal health information;
(iii) Not use the Chatbot to send or collect any payment card data, bank account information, or similar sensitive information of Customers;
(iv) Not make any customizations or other modifications to the Chatbot’s scripts or intents that would encourage or induce a Customer to disclose personal health information, payment card data, bank account information, or other sensitive information through the Chatbot; and
(v) Not use any data or other information obtained or derived from a Customer’s use of the Chatbot in a way that violates: (A) any Applicable Law; or (B) the applicable Platform’s terms and conditions.
(d) Chatbot Minimum Terms and Conditions:
(i) Acknowledgement. Client and Customer must acknowledge that the terms and conditions pertaining to the Chatbot (the “Chatbot Terms”) are agreed to by and between Client and Customer only, and not with Alacriti Payments, LLC.
(ii) Chatbot Interaction. The Chatbot Terms must include the following with respect to Customer’s interaction with the Chatbot:
(A) Customer must be informed that the Chatbot is not intended to have conversations with Customer about sensitive topics, like Customer’s personal health information, payment card information, or bank account information (collectively, “Sensitive Information”). Customer should be explicitly instructed not to communicate with the Chatbot about any Sensitive Information. Client shall explicitly disclaim all liability relating to the Chatbot on behalf of itself and its vendors, including, without limitation, liability arising from Customer providing or attempting to provide Sensitive Information to the Chatbot.
(B) Client may commit to using commercially reasonable efforts to provide bill due alerts and notifications directly through the Platform(s), and allowing Customer to use the Chatbot to make payments using the Platforms. However, Client shall explicitly disclaim all liabilities regarding making payments via the Chatbot, and Client shall advise Customer to check Customer’s account statements or contact Client directly if Customer has any questions concerning Customer’s payments. Client shall not make any warranties or other promises about the Chatbot, or any commitments about the specific functions of the Chatbot, or their reliability, availability, or ability to meet Customer’s needs.
(iii) Third-Party Terms. The Chatbot Terms must require the Customer to acknowledge that by using the Chatbot, Customer also agrees to, and shall use the Chatbot in accordance with, applicable law, the Google API Terms of Service, and the Platform’s terms and conditions. The Chatbot Terms must obtain the Customer’s consent for Client, Alacriti Payments, LLC, Alphabet, Inc., and the applicable Platform to collect and use information relating to the Customer’s use of the Chatbot as set forth in each of their respective privacy policies.
(iv) Third-Party Beneficiary. The Chatbot Terms must require Customer to agree that Alacriti Payments, LLC is a third-party beneficiary of the Chatbot Terms, and that Alacriti Payments, LLC will have the right to enforce the Chatbot Terms against Customer as a third-party beneficiary.
(v) Binding Arbitration and Class Action Waiver. The Chatbot Terms must include a binding arbitration provision for any and all Disputes (as defined below), which provision is no less stringent than the following:
(A) Scope. Any and all Disputes arising out of or related to the Chatbot will be resolved through individual arbitration, excluding any action by Client or Client’s vendors to enjoin the infringement or misuse of such party’s intellectual property rights. The term “Dispute” means any claim or controversy related to the Chatbot, including but not limited to any and all: (1) claims for relief and theories of liability, whether based in contract, tort, fraud, negligence, statute, regulation, ordinance, or otherwise; (2) claims that arose before the Chatbot Terms or any prior agreement; (3) claims that arise after the expiration or termination of the Chatbot Terms; and (4) claims that are currently the subject of purported class action litigation in which the Customer is not a member of a certified class.
(B) Waiver of Class Actions and Collective Relief. The Chatbot Terms must provide that Customer will have no right for any claims to be arbitrated or litigated on a class action, joint or consolidated basis, or on bases involving claims brought in a purported representative capacity on behalf of the general public (such as a private attorney general), other subscribers, or other persons. The Chatbot Terms must provide that the arbitrator may award relief only in favor of the individual Customer seeking relief and only to the extent necessary to provide relief warranted by that individual Customer’s claim; the arbitrator may not consolidate more than one Customer’s claims, and may not otherwise preside over any form of a representative or class proceeding.
(vi) Severability and Waiver of Jury Trial. The Chatbot Terms must provide that if the class action waiver and collective relief provision of the arbitration provision is illegal or unenforceable, then the entire arbitration provision will be unenforceable and the dispute will be decided by a court. The arbitration provision must further provide that in any event, whether in court or in arbitration, Client and Customer agree to waive the right to a trial by jury to the fullest extent allowed by law. However, if any other clause in the arbitration provision is found to be illegal or unenforceable, the Chatbot Terms must provide that such clause will be severed from the arbitration provision and the remainder of the arbitration provision given full force and effect.
(vii) Continuation. The Chatbot Terms must provide that the arbitration provision will survive the termination or expiration of the Chatbot Terms.
5. Terms Applicable to Bank Account Validation.
(a) Information made available to Client through the “Bank Account Validation” Subscription Service, is referred to as “Validation Data.”
(b) Client shall ensure that its use of Validation Data complies with, as applicable, and as a reseller, if applicable, shall cause its Customers to comply with: (i) the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”), as amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”); (ii) the Americans with Disabilities Act (“ADA”) and other applicable equal opportunity laws; (iii) the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801 et seq. (“GLBA”); (iv) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721(b)(3) (“DPPA”); (v) the laws of the applicable state issuing Motor Vehicle Records (“MVR”); (vi) the Equal Credit Opportunity Act (“ECOA”); (vii) the Truth In Lending Act (“TILA”); and (viii) all other applicable local, state and federal laws regarding Validation Data, as well as the permissions and limitations of the applicable Validation Data provider (as identified by Alacriti).
(c) Client shall ensure that, as applicable, and as a reseller, if applicable, shall cause its Customers to ensure: (i) it has a specific “permissible purpose” as defined in the FCRA or “permitted use” under the GLBA for which the consumer credit or other Validation Data is requested and that such will be used for no other purpose or use, (tendering this “permissible purpose” or “permitted use” in such form or manner as reasonably requested by Alacriti); (ii) it secures consumer credit and other Validation Data on individuals solely for its own internal one-time use in accordance with this Agreement, and for such other “permissible purpose” related to a business transaction as is defined by the FCRA or “permitted use” under the GLBA; (iii) notify Alacriti promptly if the reason or need for the Validation Data becomes different than originally claimed, for which a signed written amendment to the Agreement is required, provided that the new use consists of a “permissible purpose” as defined in the FCRA or a “permitted use” under the GLBA; and (iv) it does not resell, distribute, sublicense, compile, create derivative works of, or revise Validation Information.
(d) Client acknowledges, and as a reseller, if applicable, shall cause its Customers to acknowledge receipt of the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA” as required by the FCRA, which can be viewed and printed here: https://www.microbilt.com/Cms_Data/Contents/MicroBilt/Media/Docs/Appendix%20N.pdf.
(e) Client agrees that it shall, and if applicable cause its Customers to: (i) document the legal basis for requesting Validation Data, such as a “permissible purpose” or “permitted use,” and obtain in advance and retain on file appropriate application, release, consent and/or authorization forms (“Forms”) from any credit applicant, job applicant or other individual on whom Validation Data is sought; (ii) disclose to such individual(s) as and when required by Applicable Law that credit and/or other Validation Data (including investigative credit report Information, if applicable) will be sought on such individual(s); and (iii) it will provide consumer(s) with answers about their own credit report or when credit is denied, terminated or changed or when an application is declined, based in whole or in part on Validation Data, resulting in “adverse action” as defined in FCRA, with MicroBilt’s name (“MicroBilt Corporation”), address (“1640 Airport Rd. Suite 115 Kennesaw, GA 30144”) and toll free phone number (“800-884-4747”) (and not that of Alacriti or any other third party, unless required by Applicable Law).
(f) Client shall retain Forms for five (5) years in all cases where credit is extended or an application approved and in any case where credit is declined or an application declined, and shall make available such Forms to Alacriti upon reasonable notice.
(g) Client shall take all reasonable precautions to ensure that Validation Data on individuals (including scores) will be disclosed internally only to those of its employees whose duties reasonably relate to the legitimate business purpose for which the data was requested.
(h) Client acknowledges that access to Validation Data may be suspended or terminated as required by MicroBilt or the applicable licensor of Validation Data to MicroBilt.
6. Terms Applicable to Card Account Updater.
(a) Client represents to Alacriti that it (and if Client is a reseller, then Client represents to Alacriti that Client’s Customers each):
(i) Have a legitimate business need to receive updated cardholder account information (for example, a subscription or membership services involving recurring payments);
(ii) Are not in a high-risk category as determined by VISA, MasterCard, American Express, or Discover; and
(iii) Are approved by VISA, MasterCard, American Express, or Discover (as applicable).
(b) Client acknowledges that requests for updates to cardholder information are improper if it, or if Client is a reseller, Client’s Customer, does not have an on-going, active relationship with the cardholders whose accounts are the subject of update requests. Accordingly, Client will, or if Client is a reseller, Client will ensure that Client’s Customers, update each consumer’s “status” within the Subscription Services as needed to accurately reflect when such consumer ceases to have an on-going, active relationship with Client or such Customer (as applicable).
(c) Alacriti is not responsible for any inaccuracy or incompleteness in: (i) any information accessed or used in connection with the account updater programs or the Service; or (ii) the updated information that VISA, MasterCard, American Express, and/or Discover return to Alacriti.
7. Terms Applicable to Online Banking Authentication.
(a) The online banking authentication features of the Subscription Services, together with all account and other information made available through such features, are collectively “Online Banking Authentication Materials.” The Online Banking Authentication Materials are provided by Trustly, Inc. (“Trustly”). Client must obtain Alacriti’s prior written consent before reselling access to the Online Banking Authentication Materials to Customers. Client shall ensure that any such resale Customer complies with this section as if it were Client. Client shall use the Online Banking Authentication Materials in accordance with Trustly’s guidelines (which may be updated from time-to-time by Trustly), as made available by Alacriti to Client (“Online Banking Authentication Requirements”). Client consents for Trustly to process data and information in connection with the Online Banking Authentication Materials as further described in Trustly’s privacy policy set forth here: https://www.trustly.net/us/privacy-policy, as it may be updated from time to time at the sole discretion of Trustly. Trustly shall ensure that each Customer whose data is processed by Trustly pursuant to the Agreement accepts Trustly’s “Terms of Use” and “Privacy Policy.”
(b) Client shall provide such financial or other information as required by the Online Banking Authentication Requirements, or which is reasonably requested by Trustly, to perform credit risk, security, qualification, and other reviews related to providing the Online Banking Authentication Materials or determining the financial condition of Client or its Customers (as applicable), provided that in no event will Client be required to provide any information that would reasonably be construed to cause Client to violate Applicable Law (for example, the Gramm Leach Bliley Act, or its implementing regulations, or any state privacy laws impacting consumer information). Client shall provide the requested information within fifteen (15) days of Trustly’s request. Client authorizes Trustly to investigate or reinvestigate at any time any information provided by Client in connection with the Online Banking Authentication Materials. Client authorizes, and will cause Customers (if applicable) to authorize, Trustly to obtain information about them from third parties when performing credit risk, security, qualification, and other reviews. Alacriti shall not provide to Trustly any information that Alacriti obtained from Client that is subject to GLBA.
(c) Client authorizes Trustly to audit Client’s books and records that are necessary to ensure Client’s compliance with this section, during Client’s regular business hours, solely for the purpose of ensuring that Client is in compliance with this section. Client specifically authorizes Trustly to perform an audit of Client’s operational controls, risk management practices, staffing and the need for training and ongoing support, and information technology infrastructure, to the extent necessary to ensure Client’s compliance with this section. Trustly shall provide a copy of the audit report to Client on request. Trustly shall bear all costs and expenses incurred in connection with any such audit. Client acknowledges and agrees that Trustly shall have the right to request specific, reasonable internal controls at Client’s location(s) that are necessary to remediate a non-compliance with this section that was discovered through such an audit, and Client shall comply with any such request or a reasonable alternative chosen by Client that resolves such non-compliance. In addition, Client agrees to allow Trustly to review available reports of independent audits performed at the Client’s location related to information technology, the Online Banking Authentication Materials, and any associated operational processes. Client agrees that if requested by Trustly, Client will complete a reasonable-length self-assessment of Client’s operations, management, staff, systems, internal controls, training, and risk management practices that would otherwise be reviewed by Trustly in an audit of Client. Client will provide to Trustly a copy of either their SAS-70 audit or other independent audit annually on Trustly’s request. On Client’s request, Alacriti shall request from Trustly any third-party audits, reports, or certifications of the systems used by Trustly to process Online Banking Authentication Materials. Alacriti shall promptly provide Client with a copy of any such third-party audits, reports, or certifications received back from Trustly.
(d) Subject to Client’s compliance with this section, Client is granted, during the Term a limited, nonexclusive, non-assignable, royalty free right and license to display and use the logos, trade names, trademarks, and service marks of Trustly (“Trustly Marks”) for the sole purpose of carrying out its obligations under this section, subject to the following conditions: (i) Client shall keep intact any proprietary notices of Trustly; (ii) it shall comply with Trustly’s trademark written use guidelines, as may be provided by Trustly or Alacriti from time to time, subject to a reasonable period of time to comply with each update; (iii) it acknowledges that all goodwill generated through its use of the Trustly Marks will inure to the benefit of Trustly; (iv) it hereby assigns and agrees to assign to Trustly any and all goodwill generated through its use of the Trustly Marks, without any payment or other consideration to it, and further agrees to take all actions necessary to effect such assignment; and (v) upon termination of its right to use the Online Banking Authentication Materials, it shall cease using the Trustly Marks.
(e) In each month of the Term, Alacriti shall ensure that the Online Banking Authentication Materials successfully (i.e., are able to identify, provide data relating to the applicable Customer, and the Customer’s external accounts are successfully linked to the Customer’s account(s) with Client such that Customer is able to view the external account in Customer’s system, and/or effectuate transfers between the Customer’s accounts with Client and such linked external accounts) respond to ninety-nine percent (99%) of Client’s transactions submitted to the Online Banking Authentication Materials in such month. When requested by Client for a given month, Alacriti shall submit to Client a report detailing the foregoing percentage of success for such month. The data and related materials provided to Trustly by Customers will be maintained by Trustly in accordance with its data security policy, which will be reasonable taking into account the nature of the materials provided to Trustly. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE ONLINE BANKING AUTHENTICATION MATERIALS ARE PROVIDED “AS IS”, “WITH ALL FAULTS”, WITHOUT ANY WARRANTY OF ANY KIND, AND EACH OF ALACRITI AND TRUSTLY HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, NEITHER ALACRITI NOR TRUSTLY MAKES ANY WARRANTY, OR PROVIDES ANY ASSURANCE, THAT THE ONLINE BANKING AUTHENTICATION MATERIALS WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE OR WILL MEET CLIENT’S REQUIREMENTS, MEET CERTIFICATION REQUIREMENTS OF ANY REGULATORY OR LICENSING AGENCY OR THAT ANY ERRORS WILL BE CORRECTED OR THAT THE OVERALL SYSTEM THAT MAKES THE ONLINE BANKING AUTHENTICATION MATERIALS AVAILABLE (INCLUDING BUT NOT LIMITED TO THE INTERNET, OTHER TRANSMISSION NETWORKS AND CLIENT’S LOCAL NETWORK AND EQUIPMENT) WILL BE AVAILABLE OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
(f) Trustly shall have a royalty-free, worldwide, transferable, sublicensable, irrevocable, and perpetual license to use or incorporate into the Online Banking Authentication Materials, without restriction, any suggestions, enhancement requests, recommendations or other feedback (not including Customer-related information) provided by Client relating to the Online Banking Authentication Materials.
(g) Trustly may terminate access to the Online Banking Authentication Materials if any of the following circumstances occur: (i) a material change to any Applicable Law to which Trustly is required to comply, or fees Trustly is required to pay to provide the materials, makes it commercially impracticable for Trustly to continue to provide the materials; (ii) Client violates the NACHA Rules or this section; (iii) a change in Trustly’s underwriting or risk requirements causes Trustly to be unable to provide the materials, or a material change in Client’s business that violates Trustly’s underwriting or risk requirements; or (iv) if Client has used the Online Banking Authentication Materials for illegal or fraudulent activity.
(h) Trustly has the sole right to determine the method, details and means of providing the Online Banking Authentication Materials and may decline to process, settle, or provide them at any time because of regulatory, risk assessment, or other requirements. Trustly may use third parties or subcontractors in its sole discretion to provide certain components or portions of the Online Banking Authentication Materials, provided however, that Trustly shall remain liable for the acts or omissions of such subcontractors. Trustly may revise, upgrade, modify, replace, or reconfigure the Online Banking Authentication Materials at any time, including, without limitation removing certain features, functions, services, and software.
(i) Trustly is part of a group of companies (“Trustly Affiliated Companies”) which are all under the common control of Trustly Holding AB, a Swedish limited liability company. Depending upon the needs of Client, Trustly may utilize the services of one or more Trustly Affiliated Companies to perform or deliver certain aspects of the Online Banking Authentication Materials. Trustly is not a bank, a money services business (an “MSB”), or a money transmitter. Trustly does not offer banking services, MSB services (as defined by 31 Code of Federal Regulations Section 1010.100(ff)), or money transmission services, as such may be defined under applicable state law. Trustly provides no deposit account or other financial services. Trustly neither receives, possesses, transfers, nor transmits money. No Client may establish a financial account with Trustly, and Trustly shall not transmit any money.
(j) Client shall not store, use, disclose, or otherwise process any Online Banking Authentication Materials in a manner inconsistent with any consent obtained by the Client directly from the consumer. Client acknowledges that consumers own their information contained within the Online Banking Authentication Materials and that Client’s use, storage, disclosure, and processing of all such information is subject to the agreement between Client and the consumer.
(k) Each of Client and Alacriti shall promptly and without unreasonable delay notify the other upon discovery of any actual, or potential or threatened likely unauthorized access to, use or disclosure of any Online Banking Authentication Materials, whether caused by Client, Alacriti, Trustly, or a third party (“Security Breach”). Immediately upon discovery or notification of a Security Breach, the party experiencing the Security Breach shall investigate and take all steps to identify, prevent and mitigate the effects of any such Security Breach and the party experiencing the Security Breach shall bear its own costs associated therewith, including remediating the issue and sending notices to consumers, regulatory fines or fees, and any legal fees or judgments. The party experiencing the Security Breach shall promptly provide to the other party a detailed description of the incident, the Online Banking Authentication Materials accessed, the identity of affected consumers and such other information as may be requested concerning the Security Breach and conduct any recovery necessary to remediate the impact of such Security Breach as required by any Applicable Laws. The parties shall reasonably cooperate with each other in identifying any reasonable steps that should be implemented to limit, stop or otherwise remedy any actual or suspected Security Breach.
(l) Client agrees that Trustly may monitor or analyze Client’s use of the Online Banking Authentication Materials: (i) in order to verify Client’s compliance with this section; (ii) to ensure the quality and reliability of the Online Banking Authentication Materials; (iii) to improve the Online Banking Authentication Materials, provided that in doing so Trustly does not process any non-public personal information as defined by the Gramm-Leach-Bliley Act. Client will not intentionally interfere with such monitoring and understands that Trustly may use technical means to overcome any such interference. Client will comply with any reasonable requests from Trustly for any information or materials to verify Client’s compliance with this section and will provide Trustly with access to test accounts in order to enable Trustly to perform the monitoring described in this section. Trustly may suspend the Online Banking Authentication Materials if access to the test accounts and information described in this section is blocked or made inaccessible during the Term.
(m) With respect to Online Banking Authentication Materials that contain information that is subject to the FCRA: Client certifies that it has a legitimate business need for the information. Client certifies that the information provided will only be used for permissible purposes under the Fair Credit Reporting Act (“FCRA”), will not be used for employment purposes, and will not be used for any purpose other than the one transaction for which the information was provided. Neither Client, nor any of its respective agents or employees will disclose the results of any inquiry processed via the Online Banking Authentication Materials except to the consumer about whom such inquiry is made. If Client rejects any transaction (in whole or in part) because of the information obtained via the Online Banking Authentication Materials, Client shall provide the consumer all information regarding such transaction and the reasons for rejection as required by applicable legal requirements.
(n) Client shall use the Online Banking Authentication Materials in compliance with all federal, state and local laws, regulations and regulatory guidance including, without limitation, laws, regulations and Executive Orders administered by the Office of Foreign Assets Control of the US Department of the Treasury (“OFAC”), EU anti money laundering and counter terrorist financing directives and wire transfer regulation, including any and all applicable national legislation in the field of anti-money laundering and counter terrorist financing, anti-money laundering laws and regulations, money transmitter laws and regulations, know your customer (“KYC”) requirements, licensing requirements, securities laws, Electronic Fund Transfer Act and its Regulation E (“Regulation E”), and the NACHA Rules (collectively, “Legal Requirements”).
(o) Client shall not use the Online Banking Authentication Materials in connection with any of the following products or services, which may be updated from time to time by Trustly on written notice to Client. For clarity, this section does not prohibit Client from providing financial services to Customers that do business in one of the following categories, provided that the Online Banking Authentication Services are not used to transfer funds that were generated by the category:
● Money Remittance Businesses without Client being in possession of a valid banking license.
● Adult Entertainment
● Dating and Escort Sites
● Shell banks
● Asset-holding vehicles (trusts, foundations (other than charitable foundations) and private wealth management structures)
● Marijuana dispensaries and related businesses
● Illegal drugs and drug paraphernalia
● Pseudo-pharmaceuticals
● Distribution of items protected by copyright
● Weapons and munitions (ammo, equipment, explosives), except for sports and antiques/collectors’ items
● Pyramid selling, Ponzi schemes or other “get rich quick” schemes
● Fortune tellers, mediums and other services speculating around supernatural phenomena
● Computer (including remote) tech support/performance optimization/virus removal solutions (sellers/authorized resellers of downloadable and installable antivirus software fall outside of scope of this prohibition)
● Nazi and fascist memorabilia and militaria (both replicas and original artefacts) excluding:
   ○ auction houses (as it is assumed that those are acting clearly for needs of collectors) and
   ○ marketplaces (as it is assumed that those have relevant policies and content controls in place).
8. Terms Applicable to Aperture Connector.
(a) The “Aperture Connector” is a feature of Akuvo LLC’s (“Akuvo”) Aperture platform (“Aperture”) that enables the Subscription Services to process transactions initiated from Aperture. Client acknowledges and agrees that Aperture and the Aperture Connector are developed, maintained, and provided by Akuvo, not Alacriti. Accordingly: (i) Client agrees to bring all claims arising from or relating to the Subscription Services, Alacriti Parties, or the Agreement, against only Alacriti Payments LLC; Client agrees not to, and expressly waives the right to, bring any such claim against Akuvo; (ii) Client agrees to bring all claims arising from or relating to Akuvo, Aperture, or the Aperture Connector, against only Akuvo LLC; Client agrees not to, and expressly waives the right to, bring any such claim against any Alacriti Party; (iii) Client may lose access to the Aperture Connector to the extent Akuvo stops providing such access, for example, if the agreement between Client and Akuvo or Alacriti and Akuvo, is terminated or expires; (iv) Alacriti may disclose Client Materials and Confidential Information to Akuvo, after which Akuvo may process them as permitted in the agreement between Client and Akuvo; and (v) Akuvo may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor Akuvo is a subcontractor, service provider, subprocessor, or similar term for the other. Each of Alacriti and Akuvo has its own contractual relationship directly with Client.
9. Terms Applicable to LMS Collections Module Connector.
(a) The “LMS Collections Module Connector” is a feature of Temenos USA, Inc.’s (“Temenos”) Lifecycle Management Suite platform (“LMS”) that enables the Subscription Services to process transactions initiated from LMS. Client acknowledges and agrees that LMS and the LMS Collections Module Connector are developed, maintained, and provided by Temenos, not Alacriti. Accordingly:
(i) Client agrees to bring all claims arising from or relating to the Subscription Services, Alacriti Parties, or the Agreement, against only Alacriti Payments LLC; Client agrees not to, and expressly waives the right to, bring any such claim against Temenos; (ii) Client agrees to bring all claims arising from or relating to Temenos, LMS, or the LMS Collections Module Connector, against only Temenos USA, Inc.; Client agrees not to, and expressly waives the right to, bring any such claim against any Alacriti Party; (iii) Client may lose access to the LMS Collections Module Connector to the extent Temenos stops providing such access, for example, if the agreement between Client and Temenos or Alacriti and Temenos, is terminated or expires; (iv) Alacriti may disclose Client Materials and Confidential Information to Temenos, after which Temenos may process them as permitted in the agreement between Client and Temenos; and (v) Temenos may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor Temenos is a subcontractor, service provider, subprocessor, or similar term for the other. Each of Alacriti and Temenos has its own contractual relationship directly with Client.
10. Terms Applicable to Bank Verification Service Plus.
(a) The Bank Verification Service Plus is a feature of Akoya LLC’s (“Akoya”) data access network (“DAN”) that enables Client’s Customers to grant Client access to their financial data (“Network Data”) by connecting to their accounts at one or more participating financial institutions (“FIs”). Client acknowledges and agrees that the DAN is developed, maintained, and provided by Akoya, not Alacriti. Accordingly: (i) Client agrees to bring all claims arising from or relating to the Subscription Services, Alacriti Parties, or the Agreement, against only Alacriti Payments LLC; Client agrees not to, and expressly waives the right to, bring any such claim against Akoya; (ii) Client agrees to bring all claims arising from or relating to Akoya, the DAN, or the Network Data against only Akoya LLC; Client agrees not to, and expressly waives the right to, bring any such claim against any Alacriti Party; (iii) Client may lose access to the DAN and Network Data to the extent Akoya stops providing such access, for example, if the agreement between Alacriti and Akoya, is terminated or expires; (iv) Alacriti may disclose Client Materials and Confidential Information to Akoya, after which Akoya may process them as permitted in the privacy policy posted on its website; and (v) Akoya may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor Akoya is a subcontractor, service provider, subprocessor, or similar term for the other.
(b) In its use of the DAN and Network Data, Client shall comply with the documentation posted at docs.akoya.com, as it may be updated by Akoya from time-to-time in Akoya’s sole discretion. Akoya may terminate or suspend Client’s use of the DAN for breach of the Agreement or the applicable documentation.
(d) The SLAs and support terms in the Agreement do not apply to the DAN.
(e) Client acknowledges that FIs may, at any time in their sole discretion, discontinue making any or all types of account information available either in general or specifically with respect to Client. Client acknowledges that FIs shall have the right to approve or reject the provision of Network Data with respect to Client in their sole discretion. Client shall not act as, or in any way represent itself as, an agent, supplier or vendor of any FI in connection with the Agreement.
(f) Client shall: (i) not retrieve Network Data from an FI through the use of Log-In Credentials (i.e., the username(s), password(s), or any other authentication methods used by a Customer to access any FI account or account information); (ii) not require, access, collect, request or seek Log-In Credentials from its Customers; and (iii) within one hundred eighty (180) days of the Effective Date, completely, permanently and securely destroy any Log-In Credentials in its possession or control that may be used to access Network Data from an FI. For clarity, this prohibition applies to all Log-In Credentials in Client’s possession or control that could be used to access Network Data from any FI from which a Customer has accessed Network Data through the DAN.
(g) To the extent permitted by Applicable Laws, Client as part of its hiring process shall conduct background checks on each employee or independent contractor who will have access to the DAN or Network Data.
(h) Client shall: (i) not use any Akoya or FI name, service mark, or trademark in combination with any other name or trademark in a manner that creates a combination trademark; (ii) contest the validity of, or take any action that a reasonable person would believe would impair, any part of such names or marks, or diminish or dilute their distinctiveness or validity; (iii) challenge ownership of such names or marks or registration thereof; or (iv) attempt to register any of such names or marks in its own name.
(i) Client shall be responsible for all systems that it uses to access the DAN and process Network Data. Client shall use industry best practices to prevent unauthorized access to the DAN through Client’s systems. In the event of a Security Breach (i.e., Akoya Confidential Information or Network Data has been lost, misplaced, disclosed, or accessed by an unauthorized person while in Client’s or its subcontractor’s possession or control), to the extent not prohibited by law enforcement or Applicable Laws, Client shall notify Alacriti promptly, but in any event within twenty-four (24) hours after it first has reasonable suspicion of the occurrence of the Security Breach. Such notice shall include a detailed description of the Security Breach, the type of Customer who was the subject of the Security Breach, and any other information that Alacriti reasonably requests concerning the Security Breach.
(j) Client shall not insert into or transmit through the DAN any malware. Client shall at all times deploy and maintain in connection with all systems that it uses to access the DAN, or process Network Data, up-to-date and reputable detection software for malware and shall otherwise take reasonable steps that are designed to ensure that its systems remain free from malware in all material respects, in each case, at a level consistent with industry security standards. If malware is found to have been introduced into the DAN by Client, Client shall promptly notify Alacriti, and Akoya shall use commercially reasonable efforts to eliminate the malware from the DAN at the expense of Client.
(k) With respect to systems that process Network Data, Client shall implement and maintain a comprehensive written information security program approved by its board of directors (or comparable governing body) or senior management that complies with: (i) the Gramm-Leach-Bliley Act and its applicable implementing regulations; and (ii) the following:
Client must maintain a comprehensive, written information security management program that complies with applicable laws, regulations, and standards. Client must designate one or more named employees to be responsible for the administration of its information security program.
Client must protect and encrypt in transit and at rest (including in backup) Nonpublic Personal Information (as defined, as applicable, in Regulation P, 12 C.F.R. § 1016.3(p) or the FTC Safeguards Rule, 16 C.F.R. § 314.2(l)) received from the Akoya DAN (“NPI”) and authentication credentials for the DAN, using industry accepted encryption protocols and algorithms such as TLS 1.2 and AES-256. Client shall also use reasonable and appropriate safeguards, including encryption where applicable, to protect Akoya’s Confidential Information that is provided via designated secure channels (e.g., API, SFTP, or communications designated by the sender as requiring secure handling).
Client must implement an information classification standard that includes categorization, handling, labeling, encryption use, key and certificate lifecycle management, permitted cryptographic algorithms and associated key lengths, hashing, and digital signatures.
Client must implement a logical access policy that includes but is not limited to the following: enforce the principle of least privilege, account provisioning and deprovisioning, password management, thresholds for inactivity, remote access, segregation of duties, access reviews, MFA for remote and privileged access, and assurance that shared user accounts are not utilized.
Information systems that process or store NPI or Akoya’s Confidential Information must be deployed with security hardened configurations and reviewed at least annually for compliance with Client’s security policies and standards.
Client’s production environment must be isolated from non-production environments. Additionally, NPI should not be used in non-production environments.
Malware protection mechanisms must exist and be deployed to all devices in a manner designed to detect and/or prevent against malware and other threats.
All network communications from Client to Akoya must be inspected and authorized to ensure that they are free from security vulnerabilities.
Client must implement technology, processes, and/or solutions designed to protect against the exfiltration of NPI and Akoya’s Confidential Information.
Client must utilize an independent third party to perform vulnerability scans and penetration tests of the Client’s in scope applications and networks at least annually. Remediation of identified vulnerabilities and security patching must be performed in a manner that is commensurate with the risk rating of the security vulnerability.
Procedures must be in place to securely delete NPI and Akoya’s Confidential Information prior to disposal or reuse of equipment used for logical or physical storage.
Any changes materially and adversely affecting the security, performance, or functionality of Client’s systems that process Network Data must be communicated to Alacriti prior to implementation.
Client’s subcontractors that process Network Data must be identified, assessed, managed, and monitored by Client in accordance with the terms of the Agreement, including compliance with this section.
Client must establish a security incident management program and incident response team to monitor, identify, investigate, contain, resolve, document, and report security incidents. The incident management program must be tested at least annually. In the event an incident or breach affects NPI or Akoya’s Confidential Information, Client must provide Alacriti with a report that includes a summary of the incident or breach and a summary and status of remediation efforts.
Client must establish a fraud management program designed to monitor, identify, prevent, investigate, remediate, and report actual and suspected instances of fraud internally and to Alacriti.
Client must apply reasonable and appropriate safeguards to all records related to the Client’s processing of Network Data and must retain the records as per the requirements defined in the Agreement or Applicable Laws, whichever is longer.
(l) During the term of the Agreement and for a period of twelve (12) months thereafter, upon Akoya’s reasonable notice (but not less than ten (10) days’ notice, except in the case of an audit by a regulator, in which case, notice shall be provided as far in advance as permitted by Applicable Laws), external auditors of Akoya, personnel of Akoya and regulators of Akoya may conduct audits of Client for compliance with these Subscription-Specific Terms, during Client’s normal business hours and in a manner that does not unreasonably interfere with Client’s business. Nothing in this clause requires Client to make available any information in violation of Applicable Law or a third-party contract, or that constitutes a trade secret. Audits shall occur no more than once per calendar year except under the following circumstances: (i) audits by regulators; (ii) a Security Breach of Client occurs; or (iii) if Akoya has a reasonable good faith belief that Client is not in material compliance with these Subscription-Specific Terms.
(m) At least annually, Client shall have a certified independent public accounting firm or another independent, certified, industry-recognized third party (e.g., PwC, Schellman): (i) conduct a review or assessment and provide an attestation, review, or report of all key Client systems and operational controls used in connection with any Network Data or Akoya’s Confidential Information under: (A) SOC 2 Type II, and (B) PCI-DSS Attestation of Compliance (if applicable), and (ii) conduct and provide a full summary of an independent network and application penetration test. Client shall provide a summary of all findings from such assessments to Alacriti upon Alacriti’s written request. Client shall implement all material recommendations set forth in such reports.
(n) Akoya or its designee may conduct a security and risk review of Client prior to Client accessing the DAN and every two (2) years thereafter. Akoya may share with FIs Akoya’s audit results and all summaries and reports provided by Client to Akoya or its auditors pursuant to this section; provided that, Akoya shall require any FI with which it shares such summaries and reports to treat them as Client’s Confidential Information.
(o) Client represents, warrants, and covenants to Alacriti and Akoya that: (i) it has all requisite legal and corporate power to execute and deliver the Agreement; (ii) it has taken all corporate action necessary for the authorization, execution, and delivery of the Agreement; (iii) there is no agreement or understanding with any third party that interferes with or shall interfere with its performance of its obligations under the Agreement; (iv) it has obtained and shall maintain all rights, approvals, and consents necessary to perform its obligations and grant all rights and licenses granted under the Agreement; (v) it has taken all action required to make the Agreement a legal, valid, and binding obligation of Client, enforceable against it in accordance with its terms; (vi) it has complied with Applicable Laws in its use of Network Data and performance of its obligations hereunder; (vii) Client is not a “consumer reporting agency” or “furnisher” as those terms are defined under the FCRA; (viii) Client will not access, collect, or use Network Data for the purpose of acting as a consumer reporting agency pursuant to the FCRA; (ix) Client will not knowingly take or authorize any actions with respect to Network Data that would result in Akoya or any of its Affiliates, or any FI or its affiliates, being classified as a furnisher under the FCRA; and (x) neither Client nor any officer or director of Client is a person with whom any Applicable Law of the United States prohibits United States persons from dealing and none of them appear on the OFAC Specially Designated Nationals and Blocked Persons List.
(p) WITH RESPECT TO THE DAN AND NETWORK DATA, NEITHER AKOYA NOR ALACRITI MAKES ANY REPRESENTATIONS OR WARRANTIES AND EACH EXPLICITLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE, AND NON-INFRINGEMENT. WITHOUT LIMITATION OF THE FOREGOING: AKOYA PROVIDES THE NETWORK DATA, THE DAN, AND ALL OTHER MATERIALS AND AKOYA IP “AS IS” AND “AS AVAILABLE;” NEITHER AKOYA NOR ALACRITI WARRANTS THAT THE DAN OR NETWORK DATA OR THE USE THEREOF SHALL BE TIMELY, SECURE, ERROR-FREE, FREE FROM MALWARE, BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION, OR MEET CLIENT’S BUSINESS OR OPERATIONS PURPOSES; NEITHER AKOYA NOR ALACRITI GUARANTEES OR WARRANTS ANY NETWORK DATA’S ACCURACY, RELIABILITY, COMPLETENESS, INTEGRITY, VALIDITY, CURRENTNESS, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE OR THAT ANY ERRORS IN ANY NETWORK DATA WILL BE CORRECTED; NEITHER AKOYA NOR ALACRITI IS RESPONSIBLE FOR ANY FI’S REFUSAL OR FAILURE AT ANY TIME TO ALLOW ACCESS TO ANY NETWORK DATA. ALACRITI AND AKOYA DISCLAIM ALL LIABILITY AND RESPONSIBILITY ARISING OUT OF OR RESULTING FROM THE CONTENT OF, OR ANY ERRORS CONTAINED IN, ANY NETWORK DATA AND/OR THE ACTIONS OR FAILURES TO ACT OF ANY USER OF THE DAN OR ANY THIRD PARTY. AKOYA AND ALACRITI EXPRESSLY DISCLAIM ANY WARRANTY THAT THE DAN SHALL FUNCTION TO MEET CLIENT’S REQUIREMENTS OR CANNOT BE HACKED, TAMPERED WITH, OR MALICIOUSLY ACCESSED BY THIRD PARTIES. CLIENT ASSUMES ALL RISKS ASSOCIATED WITH ITS USE OF OR INABILITY TO USE THE DAN AND AKOYA IP. IT IS CLIENT’S SOLE RESPONSIBILITY TO DETERMINE THE SUITABILITY AND ADEQUACY OF THE DAN, NETWORK DATA, AND AKOYA IP. FIS AND THEIR AFFILIATES MAKE NO REPRESENTATIONS OR WARRANTIES AND EXPLICITLY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE, AND NON-INFRINGEMENT WITH RESPECT TO THE NETWORK DATA THEY MAKE AVAILABLE THROUGH THE DAN.
WITHOUT LIMITATION OF THE FOREGOING, FIS AND THEIR AFFILIATES: PROVIDE THE NETWORK DATA “AS IS” AND “AS AVAILABLE”; DO NOT WARRANT THAT ANY NETWORK DATA OR THE USE THEREOF SHALL BE TIMELY, SECURE, ERROR-FREE, FREE FROM MALWARE, BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION, OR MEET CLIENT’S BUSINESS OR OPERATIONS PURPOSES; DO NOT GUARANTEE OR WARRANT ANY NETWORK DATA’S ACCURACY, RELIABILITY, COMPLETENESS, INTEGRITY, VALIDITY, CURRENTNESS, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE; OR THAT ANY ERRORS IN ANY NETWORK DATA WILL BE CORRECTED. CLIENT EXPRESSLY UNDERSTANDS AND AGREES THAT IT ASSUMES ALL RISKS ASSOCIATED WITH ITS USE OF OR INABILITY TO USE NETWORK DATA. IT IS CLIENT’S SOLE RESPONSIBILITY TO DETERMINE THE SUITABILITY AND ADEQUACY OF NETWORK DATA.
(q) Client shall indemnify, defend, and hold Akoya, each FI, Alacriti, and its and their respective Affiliates, and the respective directors and officers of each harmless from and against any and all losses resulting from any claims (collectively, the “Akoya Indemnitees”) arising from: (i) the violation or alleged violation of any Applicable Law by Client or any of its Affiliates or subcontractors (each, a “Client Party”); (ii) any Client Party’s use of the DAN or Network Data; (iii) any Client Party’s violation or alleged violation of any agreement between any Client Party and any end user, including any consent obtained by the Client from the end user; (iv) the occurrence of a Security Breach of any Client Party; (v) any Client Party’s breach or alleged breach of these Subscription-Specific Terms; or (vi) any Client Party’s fraud, gross negligence, or willful misconduct.
(r) AKOYA AND ALACRITI SHALL HAVE NO LIABILITY WHATSOEVER FOR: (i) ANY TRANSACTIONS OCCURRING BETWEEN OR AMONG ANY END USER AND CLIENT OR BETWEEN ANY END USER AND ANY FI ARISING FROM OR RELATING TO ANY NETWORK DATA OR (ii) ANY LOSSES ARISING FROM OR RELATING TO ANY INACCURACY, ERROR, OR OMISSION IN NETWORK DATA AS PROVIDED THROUGH THE DAN, ANY INTERRUPTION IN THE DAN, ANY INTERRUPTION OR DELAY IN THE TRANSMISSION OF NETWORK DATA, OR ANY ACTION, INACTION, OR DECISION OF ANY END USER BASED (IN WHOLE OR IN PART) ON NETWORK DATA TRANSMITTED THROUGH THE DAN. NONE OF AKOYA, ALACRITI, ANY OF THEIR AFFILIATES, ANY FIS, OR ANY OF THEIR PERSONNEL OR LICENSORS SHALL BE LIABLE TO CLIENT OR ANY OTHER PERSON FOR ANY LOSS OR INJURY ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, THE RELIANCE OF CLIENT OR SUCH OTHER PERSON ON THE CONTENT OF THE NETWORK DATA OR CLIENT’S OR SUCH OTHER PERSON’S ACTS OR OMISSIONS IN RELATION TO THE DAN OR THE NETWORK DATA TRANSMITTED THROUGH THE DAN.
(s) TO THE FULLEST EXTENT PERMITTED BY LAW, NONE OF AKOYA, ALACRITI, OR ANY OF THEIR AFFILIATES, SUPPLIERS, LICENSORS, OR FIS SHALL BE LIABLE UNDER THESE SUBSCRIPTION-SPECIFIC TERMS FOR ANY: (i) INDIRECT, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR SPECIAL DAMAGES; (ii) DAMAGES FOR LOSS, ERROR, OR INTERRUPTION OF USE OR NETWORK DATA (IN EACH CASE, WHETHER DIRECT OR INDIRECT); OR (iii) THE COST OF COVER OR LOSS OF BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), REGARDLESS OF THE FORM OF THE ACTION OR THE THEORY OF RECOVERY (INCLUDING CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE), EVEN IF SUCH PERSON KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES OR LOSSES WERE POSSIBLE OR FORESEEABLE.
(t) TO THE FULLEST EXTENT PERMITTED BY LAW, AKOYA’S CUMULATIVE AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE SUBSCRIPTION-SPECIFIC TERMS SHALL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY ALACRITI TO AKOYA FOR CLIENT’S USE OF THE DAN UNDER THESE SUBSCRIPTION-SPECIFIC TERMS DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY, AND ALACRITI’S CUMULATIVE AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE SUBSCRIPTION-SPECIFIC TERMS SHALL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY CLIENT TO ALACRITI FOR CLIENT’S USE OF THE DAN UNDER THESE SUBSCRIPTION-SPECIFIC TERMS DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY.
(u) Upon the termination of Client’s Order for the DAN, Client shall immediately cease all access to and use of, and delete the Network Data.
(v) Client shall maintain in effect at all times during the Term, at its sole expense, sufficient and adequate insurance coverage for the types of business that it conducts. Without limitation of the foregoing, Client’s insurance coverages must cover claims (and any associated costs and damages, including data breach investigation, data breach notification, and credit monitoring costs) arising from: (i) Security Breaches; (ii) violations by Client of any privacy right; (iii) Client’s breach of Applicable Laws; (iv) Client’s breach of, or non-compliance with, PCI DSS or any similar rules; and (v) data theft, damage, destruction, or corruption, including unauthorized access, unauthorized use, identity theft, theft of personal information, and transmission of malware; and be in an amount not less than ten million dollars ($10,000,000) per claim and annual aggregate.
(w) Client shall provide the end user with a disclosure electronically or in writing that is clear, conspicuous, and segregated from other material. The disclosure shall include: (i) Client’s name; (ii) the name of the FI that controls or possesses the account information that Client seeks to access on the end user’s behalf; (iii) a brief description of the product or service that the end user has requested from Client and a statement that the Client will collect, use, and retain the Network Data only for the purpose of providing that product or service to the end user; (iv) the categories of account information that will be accessed by Client; (v) a statement from Client certifying to the end user that Client agrees to the obligations set forth in clause (x) below; and (vi) the following statement: “[Client] uses Akoya LLC to collect, standardize, and transmit to [Client] your account information.” Client shall obtain the End User’s express informed consent to the foregoing disclosure in the form of an electronic or written signature thereto. Client shall make available to the end user a copy of the disclosure described in this clause. Client shall provide contact information that enables an end user to receive answers to questions about Client’s access to the Network Data. Client shall establish and maintain reasonable written policies and procedures designed to ensure that Client provides to the end user, upon request, relevant information about its access to the end user’s Network Data. Client shall provide the end user with a mechanism to revoke consent for the collection, use, or retention of Network Data that is as easy to access and operate as the initial consent process. Client shall not impose on the end user costs or penalties for revoking consent. Client shall notify Alacriti and other third parties to which it has provided the end user’s Network Data when Client receives a revocation request from the end user. 
Upon receipt of an end user’s revocation request or notice of a revocation request from an FI, Client shall: (i) cease collecting the end user’s account information via the DAN; and (ii) cease use and retention of the end user’s Network Data, unless use or retention is required by Applicable Law.
(x) Client shall limit its collection, use, and retention of Network Data to what is reasonably necessary to provide the end user’s requested product or service. Client shall not collect, use or retain Network Data for (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of Network Data (including de-identified and aggregated data). Collection of Network Data for purposes of clauses (x) and (w) includes the scope of Network Data collected and the duration and frequency of collection of Network Data. Client may not provide Network Data to a third party for a purpose inconsistent with clauses (w) or (x) of this section. Before providing Network Data to a third party, Client shall ensure that either it has obtained the applicable end user’s consent to do so and require the third party by contract to comply with these obligations.
(y) In addition to the limitations described in clauses (w) and (x), Client shall limit the duration of collection of Network Data to a reasonable period after the end user’s most recent consent. A period of one year is presumptively reasonable.
(z) To collect Network Data beyond the period described in clause (y), Client shall obtain a new consent from the end user pursuant to the requirements above. Client may ask the end user for a new consent in any reasonable manner. If an end user does not provide Client with a new consent, Client shall: (i) cease collecting account information with respect to the end user; and (ii) cease use and retention of the end user’s Network Data that was previously collected pursuant to the end user’s consent.
(aa) Client shall establish and maintain written policies and procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the requirements of these Subscription-Specific Terms. Such records shall include a copy of the disclosure that is signed or otherwise agreed to by the end user and reflects the date of the end user’s signature or other written or electronic consent and a record of any actions taken by the end user to revoke the end user’s consent. Client must retain such records with respect to an end user for not less than three years after Client obtains the end user’s most recent consent. Client shall periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness.
(bb) Client acknowledges and agrees that Akoya and any of Akoya’s affiliates providing the DAN or Network Data, and the FIs, are intended to be, and shall be third party beneficiaries of these Subscription-Specific Terms and the Agreement. Client further acknowledges and agrees that Akoya and the FIs are entitled to enforce their rights under the Subscription-Specific Terms and the Agreement directly against Client.