Subscription Specific Terms: Payment Hub
Last Updated: November 21, 2025
The Subscription-Specific Terms below govern your use of certain Subscription Services. Capitalized terms used in these Subscription-Specific Terms but not defined below are defined in the Orbipay Subscription Agreement (the “Agreement”).
Table of Contents
1. Terms Applicable to Account Validation
2. Terms Applicable to Fraud Scoring
3. Terms Applicable to Online Banking Authentication
4. Terms Applicable to Zelle
5. Terms Applicable to Bank Verification Service – Plus
1. Terms Applicable to Bank Account Validation.
(a) Information made available to Client through the “Bank Account Validation” Subscription Service is referred to as “Validation Data.”
(b) Client shall ensure that its use of Validation Data complies with, as applicable, and as a reseller, if applicable, shall cause its Customers to comply with: (i) the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”), as amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”); (ii) the Americans with Disabilities Act (“ADA”) and other applicable equal opportunity laws; (iii) the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6801 et seq. (“GLBA”); (iv) the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721(b)(3) (“DPPA”); (v) the laws of the applicable state issuing Motor Vehicle Records (“MVR”); (vi) the Equal Credit Opportunity Act (“ECOA”); (vii) the Truth In Lending Act (“TILA”); and (viii) all other applicable local, state and federal laws regarding Validation Data, as well as the permissions and limitations of the applicable Validation Data provider (as identified by Alacriti).
(c) Client shall ensure that, as applicable, and as a reseller, if applicable, shall cause its Customers to ensure: (i) it has a specific “permissible purpose” as defined in the FCRA or “permitted use” under the GLBA for which the consumer credit or other Validation Data is requested and that such will be used for no other purpose or use, (tendering this “permissible purpose” or “permitted use” in such form or manner as reasonably requested by Alacriti); (ii) it secures consumer credit and other Validation Data on individuals solely for its own internal one-time use in accordance with this Agreement, and for such other “permissible purpose” related to a business transaction as is defined by the FCRA or “permitted use” under the GLBA; (iii) notify Alacriti promptly if the reason or need for the Validation Data becomes different than originally claimed, for which a signed written amendment to the Agreement is required, provided that the new use consists of a “permissible purpose” as defined in the FCRA or a “permitted use” under the GLBA; and (iv) it does not resell, distribute, sublicense, compile, create derivative works of, or revise Validation Information.
(d) Client acknowledges, and as a reseller, if applicable, shall cause its Customers to acknowledge receipt of the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA” as required by the FCRA, which can be viewed and printed here: https://www.microbilt.com/Cms_Data/Contents/MicroBilt/Media/Docs/Appendix%20N.pdf.
(e) Client agrees that it shall, and if applicable cause its Customers to: (i) document the legal basis for requesting Validation Data, such as a “permissible purpose” or “permitted use,” and obtain in advance and retain on file appropriate application, release, consent and/or authorization forms (“Forms”) from any credit applicant, job applicant or other individual on whom Validation Data is sought; (ii) disclose to such individual(s) as and when required by Applicable Law that credit and/or other Validation Data (including investigative credit report Information, if applicable) will be sought on such individual(s); and (iii) it will provide consumer(s) with answers about their own credit report or when credit is denied, terminated or changed or when an application is declined, based in whole or in part on Validation Data, resulting in “adverse action” as defined in FCRA, with MicroBilt’s name (“MicroBilt Corporation”), address (“1640 Airport Rd. Suite 115 Kennesaw, GA 30144”) and toll free phone number (“800-884-4747”) (and not that of Alacriti or any other third party, unless required by Applicable Law).
(f) Client shall retain Forms for five (5) years in all cases where credit is extended or an application approved and in any case where credit is declined or an application declined, and shall make available such Forms to Alacriti upon reasonable notice.
(g) Client shall take all reasonable precautions to ensure that Validation Data on individuals (including scores) will be disclosed internally only to those of its employees whose duties reasonably relate to the legitimate business purpose for which the data was requested.
(h) Client acknowledges that access to Validation Data may be suspended or terminated as required by Microbilt or the applicable licensor of Validation Data to Microbilt.
2. Terms Applicable to Fraud Scoring.
(a) The fraud scoring features of the Subscription Services, together with all risk scores and other data made available through such features, are collectively “Fraud Scoring Materials.” Client shall not, and shall ensure that its Customers (if applicable) do not: (i) publish, resell, re-license, or transmit the Fraud Scoring Materials; (ii) cache or store the Fraud Scoring Materials; (iii) use the Fraud Scoring Materials for individuals residing outside of the territory set forth in the applicable Order; (iv) remove the copyright notice or permission notice from the Fraud Scoring Materials; (v) use the Fraud Scoring Materials for any purpose except its internal business purposes; (vi) copy or post any Fraud Scoring Materials on any third party networked computer or publish the Fraud Scoring Materials in any medium; (vii) modify the Fraud Scoring Materials; (viii) use the Fraud Scoring Materials outside of the transaction pursuant to which they were obtained and then only for regulatory, compliance, or similar purposes; (ix) use the Fraud Scoring Materials for any unlawful purpose or in furtherance of any unlawful purpose, or any purpose that does not comply with the acceptable uses, as identified in the Acceptable Use Application Form completed by Client and provided to Alacriti; (x) use the Fraud Scoring Materials in any way that violates any applicable United States and International laws, including any of the following (to the extent they apply): (A) the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq. (“FCRA”); (B) the Gramm Leach Bliley Act, 15 U.S.C. § 6801, et seq., (C) the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. and similar and/or associated state laws and regulations governing the use and disclosure of drivers’ license information; (D) the California Consumer Privacy Act, Cal. Civ. 
Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto (“CCPA”); or (E) any other statute, regulation, rule or other governmental mandate that governs the use of the Fraud Scoring Materials; (xi) use the Fraud Scoring Materials for any purposes enumerated in the FCRA in lieu of obtaining a “Consumer Report” (as such term is defined in the FCRA); (xii) use the Fraud Scoring Materials for the purpose of serving as a factor in: (A) establishing an individual’s creditworthiness or eligibility for credit or insurance or assessing risks associated with existing credit obligations; (B) evaluating an individual for employment purposes; (C) determining an individual’s eligibility for a license or other benefit that depends on an applicant’s financial responsibility or status; or (E) for any other purpose under the FCRA or any similar law or regulatory requirement; (xiii) use the Fraud Scoring Materials in the preparation of a Consumer Report; (xiv) take any adverse action, which is based in whole or in part on the Fraud Scoring Materials, against any consumer (the terms “adverse action” and “consumer” shall have the same respective meanings as those terms are defined in the FCRA); (xv) use the Fraud Scoring Materials in a way that: (A) violates, misappropriates or impairs any Alacriti or third party rights, including but not limited to property, intellectual property, privacy, publicity and treatment of personal information; (B) is abusive, deceptive, defamatory, offensive or obscene; (C) permits or seeks to permit the unauthorized use, disclosure or access of/to the Fraud Scoring Materials, including but not limited to (except as expressly permitted by applicable law or contract): data mining, copying, storing, transmitting, assigning, (re)selling, (sub)licensing, distributing, displaying, publishing, benchmarking, scanning, monitoring, mirroring, framing, embedding, scraping, linking, modifying, translating, combining, creating
derivative works, disassembling, decompiling, and reverse engineering; (D) violates contractual usage restrictions or circumvents any monitoring, reporting or authentication mechanisms; or (E) has the goal or effect of: (1) circumventing, breaching, probing or compromising any privacy or security measures; (2) gaining unauthorized access to any information, services or systems (including but not limited to phishing, pharming or spoofing); or (3) disrupting the integrity, availability or operation of any information, services or systems (e.g. DoS, DDoS). The Fraud Scoring Materials are not provided or processed through a consumer-reporting agency as defined by the FCRA or any similar law or regulatory requirement; (xvi) use the Fraud Scoring Materials for marketing purposes or resell or broker the Fraud Scoring Materials to any third party; (xvii) use the Fraud Scoring Materials for personal (non-business) purposes; (xviii) use the Fraud Scoring Materials to provide data processing services to third-parties or evaluate the data of or for third-parties; (xix) access the Fraud Scoring Materials from Internet Protocol addresses located outside of the United States; or (xx) use the Fraud Scoring Materials to create a competing product.
(b) Client accepts the Fraud Scoring Materials “AS IS.” Client acknowledges and agrees that Alacriti obtains Fraud Scoring Materials from third-party sources, which may or may not be completely thorough and accurate, and that Client shall not rely on Alacriti for the accuracy or completeness of the Fraud Scoring Materials. Without limiting the foregoing, the criminal record data that may be provided as part of the Fraud Scoring Materials may include records that have been expunged, sealed, or otherwise have become inaccessible to the public since the date on which the data was last updated or collected. Client understands that it may be restricted from accessing certain Fraud Scoring Materials which may be otherwise available. Alacriti reserves the right to add materials and features to, and to discontinue offering any of the materials and features that are currently a part of, the Fraud Scoring Materials. While the Fraud Scoring Materials may be used to assist Client in its compliance with applicable laws and regulations, Client acknowledges and agrees that it is solely responsible for its own legal and regulatory compliance obligations. Without limiting the generality of the foregoing sentence, if Client is a regulated entity subject to the provisions of the U.S. Bank Secrecy Act and implementing regulations, including associated AML requirements, Client shall be solely responsible for its compliance with these laws and regulations and associated regulatory requirements.
(c) Client represents and warrants that neither Client, Customers, nor any of its or their shareholders, directors, officers or other principals is a citizen of, entity that is formed in, or has its principal place of business in, a country which is subject to any embargo, prohibition, or similar sanction under applicable laws, or is an individual who is identified on the Specially Designated Nationals or Blocked Persons list provided by the U.S. Treasury Department (the “SDN List”). Client represents and warrants that neither Client nor Customers, nor any of its or their shareholders, directors, officers, agents, employees, or other persons associated with or acting on its behalf: (i) have received or will receive any unlawful contribution, gift, entertainment, or other payment from the other in connection with the provision or receipt of services hereunder; (ii) is a governmental entity; or (iii) is in violation of, or will violate any applicable anti-corruption or anti-bribery laws, rules, or regulations in connection with the provision or receipt of any services hereunder. Client represents and warrants that it will access and use the Fraud Scoring Materials only within the United States of America. Client acknowledges Alacriti’s right to suspend, cancel, or otherwise terminate access to or use of the Fraud Scoring Materials at any time. If Client or any of its Customers conduct, manage or provide any services in connection with gaming/gambling/lotteries, alcohol, tobacco, cannabis or pharmaceuticals (collectively, “Regulated Industries”), Client warrants, and shall ensure its applicable Customers warrant, that it does so in accordance with all Applicable Laws and that it has obtained all necessary licenses, registrations, certifications and consents.
As used in this clause (c), “Customers” means only those entities to whom Client makes the Fraud Scoring Materials available for their own use in connection with their provision of their services to their customers or members (e.g., a B2B basis).
(d) Client agrees as a condition to using the Fraud Scoring Materials that it will provide feedback data on historic transactions (i.e., transactions that were analyzed by the Fraud Scoring Materials after the Effective Date) as required by Alacriti. Examples of feedback data include but are not limited to labels on the outcomes of transactions or other similar information (such as “confirmed good identity”, “confirmed third party fraud”, “fake ID”, “identity fraud decline”). In addition, Client will integrate with the Alacriti-provided feedback API, or at a minimum provide monthly files to Alacriti via SFTP, in accordance with Alacriti’s requirements. In addition, if requested by Alacriti, Client shall integrate its mobile applications with the data-collection SDK provided by Alacriti, in accordance with Alacriti’s requirements. This SDK will enable collection of device risk data. Client shall maintain proper integration with the latest version of each applicable component of the Fraud Scoring Materials (e.g., Sigma models, APIs, SDKs) promptly following Alacriti making them generally available and giving Client written notice thereof (email sufficing).
(e) Prior to accessing the Fraud Scoring Materials, Client shall fully complete and return to Alacriti, an Acceptable Use Application Form as provided by Alacriti. Alacriti reserves the right to reject the application without reason or for any reason whatsoever, without recourse against Alacriti or any of its employees, officers, directors, agents, affiliates, or other designees. Client authorizes Alacriti to independently verify the information provided and perform research about the individuals and/or companies identified herein, including via credit header data and public records.
(f) Alacriti and the other third parties who assist Alacriti in providing the Fraud Scoring Materials, may process and use any information provided by Client or Customers in connection with the Fraud Scoring Materials (“Fraud Scoring Information”), for Alacriti’s and their business purposes. Client hereby grants, and shall ensure that each Customer shall grant, to Alacriti a non-exclusive, sublicensable, license to use, copy, store, transmit and display Fraud Scoring Information as provided above. Client shall obtain, and shall ensure each Customer obtains, all necessary consents and approvals required pursuant to Applicable Laws, including: (i) the transfer of Fraud Scoring Information to Alacriti and such other third parties; (ii) the use of such Fraud Scoring Information by Alacriti and such third parties; and (iii) the access by Alacriti or such third parties to Customer Proprietary Network Information (“CPNI” as such term is defined in the Telecommunications Act).
(g) Alacriti, upon reasonable advance notice to Client (which will be at least 30 days), at Alacriti’s sole cost and expense, shall have the rights to engage a third-party auditor who is a nationally-recognized accounting firm and subject to a non-disclosure or similar agreement with Client, to audit and inspect Client’s books and records that are necessary to verify Client’s compliance with this Section 7, including, without limitation, compliance with all Applicable Laws, but no more frequently than once during a twelve (12) month period. Client agrees to cooperate reasonably with respect to any and all audits and to respond to such audit inquiry within fifteen (15) business days, unless an expedited response is required as requested in writing by a regulator. If any audit results in Alacriti being notified that Client is not in compliance with a legal requirement or any of Client’s obligations to Alacriti, Alacriti, in its sole discretion, may: (i) require Client to take appropriate action to remedy the noncompliance and provide Alacriti with evidence of the steps taken to rectify the audit finding; (ii) have the right to terminate the applicable Order.
(h) As part of the Fraud Scoring Materials Alacriti may provide Client with access to sample code (“Sample Code”) or software development kit consisting of documentation (“Documentation”), redistributable libraries (“Libraries”), and any upgrades, modified versions, additions, and improvements therefor, if any (collectively, the “SDK”) designed to enable software developers to integrate the Fraud Scoring Materials into Client’s own branded applications and/or website (“Applications”). With respect to the SDK:
(i) Subject to compliance with all the terms and conditions set forth in the Agreement, solely during the term of the applicable Order and in connection with Client’s and its Customers’ use of the Fraud Scoring Materials, Alacriti grants Client the following limited, non-exclusive, non-transferable, non-sublicensable, revocable licenses to: (A) use, and (where applicable) authorize its employees to use, and create a reasonable number of copies of, the Documentation internally solely in connection with modifying Client’s own branded Applications to incorporate functionalities provided by the Fraud Scoring Materials; (B) incorporate unmodified Libraries into Applications, solely for the purpose of enabling interoperability with the Fraud Scoring Materials, solely in accordance with all applicable Documentation; and (C) use, copy, modify, and redistribute the Sample Code pursuant to the applicable third-party license, as identified in the headers or associated Documentation, solely for the purpose of enabling interoperability with the Fraud Scoring Materials.
(ii) The SDK is owned by Alacriti or its third-party licensors and is licensed, not sold, to Client, solely as part of the Fraud Scoring Materials. Except as expressly provided above, the foregoing license does not include any right to: (A) redistribute, sell, lease, license, publicly display or modify, make any derivative works to, any portion of the SDK; (B) use or implement any undocumented feature or API, or use any documented feature or API other than in accordance with applicable Documentation. Except if, and solely to the extent that, such a restriction is impermissible under Applicable Law or applicable Third Party Software (defined below) license terms, Client may not: (Y) decompile, reverse engineer, or otherwise access or attempt to access the source code for the SDK not made available to Client in source code form, or make or attempt to make any modification to the SDK; or (z) remove, obscure, interfere with or circumvent any feature of the SDK, including without limitation any copyright or other intellectual property notices, security, or access control mechanism. Client may not use the SDK for any purpose other than integrating with the Fraud Scoring Materials in a manner consistent with the Documentation. If Client is prohibited under Applicable Law from using the SDK or the Fraud Scoring Materials associated with them, Client may not use them, and Client will comply with all Applicable Laws and regulations (including without limitation laws and regulations related to consumer privacy and export controls) in connection with Client’s use of the SDK.
(iii) The SDK consists of a package of components, including certain third-party software (“Third Party Software”) that are provided by their authors under separate license terms (the “Third Party Terms”), as described in more detail in the SDK.
(iv) The SDK (including as embedded in or utilized by any Application) is the confidential and proprietary information of Alacriti and its licensors and subject to the confidentiality obligations set forth in the Agreement. Client shall take all reasonable precautions to prevent unauthorized persons from obtaining access to or use of the SDK and shall notify Alacriti immediately when Client becomes aware of any such access or use.
(v) Client acknowledges that any consumer information collected by Alacriti and the third parties that assist with the Fraud Scoring Materials, in connection with the Document Verification and Device Risk features, including without limitation device ID, and device and interaction data, is: (A) processed on the basis of the legitimate interests of Alacriti and Client under Applicable Law; (B) collected by consumer’s devices and transferred directly to Alacriti and/or its third party vendors; (C) processed by Alacriti and/or its vendors for the purposes set forth in the Agreement, including but not limited to the purposes Alacriti deems necessary, appropriate or customary to perform the services, and to operate the business of which the services are a part; and (D) retained by Alacriti and/or its vendors after consumers terminate their accounts with Client. Client shall ensure its privacy disclosures, including but not limited to website and mobile app privacy policies, accurately reflect and disclose the collection of such personal information, including facial images/biometrics and identity documents via the Fraud Scoring Materials, and Alacriti’s and/or its vendors’ processing of such consumer information as set forth herein; and shall obtain all consents (including express and/or affirmative consents as appropriate) which are or may be required by Applicable Laws and shall comply with all requirements of such Applicable Laws (including any consumer notification requirements) necessary. Client will notify Alacriti of any requests by consumers relating to Alacriti’s and/or its vendors’ processing of consumers’ information, including requests by consumers to access information or opt out. Neither Client nor its Customers will claim to consumers that they respond to Do Not Track signals.
(i) Some of the information contained in the Fraud Scoring Materials is “nonpublic personal information,” as defined in the Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.) and related state laws, (collectively, the “GLBA”), and is regulated by the GLBA (“GLBA Data”). Client shall not obtain and/or use GLBA Data through the Fraud Scoring Materials, in any manner that would violate the GLBA, or any similar state or local laws, regulations and rules. Client acknowledges and agrees that it may be required to certify its permissible use of GLBA Data falling within an exception set forth in the GLBA at the time it requests information in connection with certain Fraud Scoring Materials and will recertify upon request by Alacriti. Client certifies with respect to GLBA Data received through the Fraud Scoring Materials that it complies with the Interagency Standards for Safeguarding Customer Information issued pursuant to the GLBA.
(i) Some of the information contained in the Fraud Scoring Materials is “personal information,” as defined in the Drivers Privacy Protection Act (18 U.S.C. § 2721, et seq.) and related state laws, (collectively, the “DPPA”), and is regulated by the DPPA (“DPPA Data”). Client shall not obtain and/or use DPPA Data through the Fraud Scoring Materials in any manner that would violate the DPPA. Fraud Scoring Materials acknowledges and agrees that it may be required to certify its permissible use of DPPA Data at the time it requests information in connection with certain Fraud Scoring Materials and will recertify upon request by Alacriti.
(j) Alacriti may in its sole discretion permit Client to access full social security numbers (nine (9) digits) and driver’s license numbers (collectively, “QA Data”). If Client is authorized by Alacriti to receive QA Data, and Client obtains QA Data through the Fraud Scoring Materials, Client certifies it will not use the QA Data for any purpose other than as expressly authorized by Alacriti policies, the terms and conditions herein, and applicable laws and regulations. In addition to the restrictions on distribution otherwise set forth below, Client agrees that it will not permit QA Data obtained through the Fraud Scoring Materials to be used by an employee or contractor that has not been pre-approved by Alacriti and for a purpose that was pre-approved by Alacriti. Client agrees it will certify, in writing, its uses for QA Data and recertify upon request by Alacriti. Client may not, to the extent permitted by the terms of this Agreement, transfer QA Data via email or ftp without Alacriti’s prior written consent. However, Client shall be permitted to transfer such information so long as: (i) a secured method (for example, sftp) is used; (ii) transfer is not to any third party; and (iii) such transfer is limited to such use as permitted under this Agreement. Alacriti may at any time and for any or no reason cease to provide or limit the provision of QA Data to Client.
(k) The Fraud Scoring Materials provided pursuant to this Agreement are not provided by “consumer reporting agencies,” as that term is defined in the Fair Credit Reporting Act, (15 U.S.C. §1681, et seq.), (the “FCRA”), and do not constitute “consumer reports” as that term is defined in the FCRA. Accordingly, the Fraud Scoring Materials may not be used in whole or in part as a factor in determining eligibility for credit, insurance, employment or another purpose in connection with which a consumer report may be used under the FCRA or any similar law or regulatory requirement. Further, (i) Client certifies that it will not use any of the information it receives through the Fraud Scoring Materials to determine, in whole or in part an individual’s eligibility for any of the following products, services or transactions: (A) credit or insurance to be used primarily for personal, family or household purposes; (B) employment purposes; (C) a license or other benefit granted by a government agency; or (D) any other product, service or transaction in connection with which a consumer report may be used under the FCRA or any similar statute, including without limitation apartment rental, check-cashing, or the opening of a deposit or transaction account; (ii) by way of clarification, without limiting the foregoing, Client may use, except as otherwise prohibited or limited by this Agreement, information received through the Fraud Scoring Materials for the following purposes: (A) to verify or authenticate an individual’s identity; (B) to prevent or detect fraud or other unlawful activity; (C) to locate an individual; (D) to review the status of a legal proceeding; (E) to collect a debt, provided that such debt collection does not constitute in whole or in part, a determination of an individual consumer’s eligibility for credit or insurance to be used primarily for personal, family or household purposes; or (F) to determine whether to buy or sell consumer debt or a portfolio of 
consumer debt in a commercial secondary market transaction, provided that such determination does not constitute in whole or in part, a determination of an individual consumer’s eligibility for credit or insurance to be used primarily for personal, family or household purposes; (iii) specifically, if Client is using the Fraud Scoring Materials in connection with collection of a consumer debt on its own behalf, or on behalf of a third party, Client shall not use the Fraud Scoring Materials: (A) to revoke consumer credit; (B) to accelerate, set or change repayment terms; or (C) for the purpose of determining a consumer’s eligibility for any repayment plan; provided, however, that Client may, consistent with the certification and limitations set forth in this section, use the Fraud Scoring Materials for identifying, locating, or contacting a consumer in connection with the collection of a consumer’s debt or for prioritizing collection activities; and (iv) Client shall not use any of the information it receives through the Fraud Scoring Materials to take any “adverse action,” as that term is defined in the FCRA or any similar law or regulatory requirement.
(l) If Client is permitted to access Motor Vehicle Records (“MVR Data”) from Alacriti, without in any way limiting Client’s obligations to comply with all state and federal laws governing use of MVR Data, the following specific restrictions apply and are subject to change: Client shall not use any MVR Data provided by Alacriti, or portions of information contained therein, to create or update a file that Client uses to develop its own source of driving history information. As requested by Alacriti, Client shall complete any state forms that Alacriti and/or its vendors are legally or contractually bound to obtain from Client before providing Client with MVR Data. Alacriti (and certain third-party vendors) may conduct reasonable and periodic audits of Client’s use of MVR Data. Further, in response to any audit, Client must be able to substantiate the reason for each MVR Data order.
(m) For uses of GLB Data, DPPA Data and MVR Data, Client shall maintain for a period of five (5) years a complete and accurate record (including consumer identity, purpose and, if applicable, consumer authorization) pertaining to every access to such data. Client agrees and acknowledges that Alacriti and/or its vendors may retain any data submitted by Client as necessary for business, legal, regulatory and compliance purposes for a period of at least seven (7) years.
(n) Client acknowledges that the information available through the Fraud Scoring Materials may include personally identifiable information and it is Client’s obligation to keep all such accessed information confidential and secure. Accordingly, Client shall: (i) restrict access to Fraud Scoring Materials to those employees who have a need to know as part of their official duties; (ii) ensure that none of its employees shall: (A) obtain and/or use any information from the Fraud Scoring Materials for personal reasons; or (B) transfer any information received through the Fraud Scoring Materials to any party except as permitted hereunder; (iii) keep all user identification numbers, and related passwords, or other security measures (collectively, “User IDs”) confidential and prohibit the sharing of User IDs; (iv) immediately deactivate the User ID of any employee who no longer has a need to know, or for terminated employees on or prior to the date of termination; (v) in addition to any other obligations, take all commercially reasonable measures to prevent unauthorized access to, or use of, the Fraud Scoring Materials or data received therefrom, whether the same is in electronic form or hard copy, by any person or entity; (vi) maintain and enforce data destruction procedures to protect the security and confidentiality of all information obtained through Fraud Scoring Materials as it is being disposed; (vii) unless otherwise required by law, purge all information received through the Fraud Scoring Materials and stored electronically or on hard copy by Client within ninety (90) days of initial receipt; (viii) be capable of receiving the Fraud Scoring Materials where the same are provided utilizing “secure socket layer,” or such other means of secure transmission as is deemed reasonable by Alacriti; (ix) not access and/or use the Fraud Scoring Materials via mechanical, programmatic, robotic, scripted or other automated search means, other than through batch or machine-to-machine applications approved by Alacriti; and (x) take all reasonable steps to protect their networks and computer environments, or those used to access the Fraud Scoring Materials, from compromise.
Client agrees that on at least a quarterly basis it will review searches performed by its User IDs to ensure that such searches were performed for a legitimate business purpose and in compliance with all terms and conditions herein. Client will implement policies and procedures to prevent unauthorized use of User IDs and the Fraud Scoring Materials and will immediately notify Alacriti, in writing to Alacriti, if Client suspects, has reason to believe or confirms that a User ID or the Fraud Scoring Materials (or data derived directly or indirectly therefrom) is or has been lost, stolen, compromised, misused or used, accessed or acquired in an unauthorized manner or by any unauthorized person, or for any purpose other than legitimate business reasons. Client shall remain solely liable for all costs associated therewith and shall further reimburse Alacriti for any expenses it incurs due to Client’s failure to prevent such impermissible use or access of User IDs and/or the Fraud Scoring Materials, or any actions required as a result thereof.
Furthermore, in the event that the Fraud Scoring Materials provided to the Client include personally identifiable information (including, but not limited to, social security numbers, driver’s license numbers or dates of birth), the following shall apply: Client acknowledges that, upon unauthorized acquisition or access of or to such personally identifiable information, including but not limited to that which is due to use by an unauthorized person or due to unauthorized use (a “Security Event”), Client shall, in compliance with law, notify the individuals whose information was potentially accessed or acquired that a Security Event has occurred, and shall also notify any other parties (including but not limited to regulatory entities and credit reporting agencies) as may be required in Alacriti’s reasonable discretion. Client agrees that such notification shall not reference Alacriti or the product through which the data was provided, nor shall Alacriti be otherwise identified or referenced in connection with the Security Event, without Alacriti’s express written consent. Client shall be solely responsible for any other legal or regulatory obligations which may arise under applicable law in connection with such a Security Event and shall bear all costs associated with complying with legal and regulatory obligations in connection therewith. Client shall remain solely liable for claims that may arise from a Security Event, including, but not limited to, costs for litigation (including attorneys’ fees), and reimbursement sought by individuals, including but not limited to, costs for credit monitoring or allegations of loss in connection with the Security Event. In the event of a Security Event, Alacriti may, in its sole discretion, take immediate action, including suspension or termination of Client’s account, without further obligation or liability of any kind.
(o) Notwithstanding anything to the contrary, Alacriti and/or its vendors may use Client search inquiry data used to access the Fraud Scoring Materials (in the past or future) for any business purpose consistent with applicable federal, state and local laws, rules and regulations.
(p) Client understands and agrees that, in order to ensure compliance with the FCRA, GLBA, DPPA, other similar state or federal laws, regulations or rules, regulatory agency requirements, this Agreement, and Alacriti’s obligations under its contracts with its data providers and Alacriti’s internal policies, Alacriti may conduct periodic reviews of Client’s use of the Fraud Scoring Materials and may, upon reasonable notice, audit Client’s records, processes and procedures related to Client’s use, storage and disposal of Fraud Scoring Materials and information received therefrom. Client agrees to cooperate fully and promptly with any and all audits. Violations discovered in any review and/or audit by Alacriti will be subject to immediate action including, but not limited to, suspension or termination of the license to use the Fraud Scoring Materials, reactivation fees, legal action, and/or referral to federal or state regulatory agencies.
(q) Neither Alacriti, nor its affiliates, nor any third-party data provider (for purposes of indemnification, warranties, and limitations on liability with respect to the Fraud Scoring Materials, Alacriti, its affiliates, and third-party data providers are hereby collectively referred to as “Alacriti”) shall be liable to Client (or to any person claiming through Client to whom Client may have provided data from the Fraud Scoring Materials) for any loss or injury arising out of or caused in whole or in part by Alacriti’s acts or omissions in procuring, compiling, collecting, interpreting, reporting, communicating, or delivering the Fraud Scoring Materials. If, notwithstanding the foregoing, liability can be imposed on Alacriti, then Client agrees that Alacriti’s aggregate liability for any and all losses or injuries arising out of any act or omission of Alacriti in connection with anything to be done or furnished under this Agreement, regardless of the cause of the loss or injury, and regardless of the nature of the legal or equitable right claimed to have been violated, shall not exceed the amounts paid by Client to Alacriti for the Fraud Scoring Materials in the twelve months immediately preceding the event giving rise to the cause of action. Alacriti does not make and hereby disclaims any warranty, express or implied with respect to the Fraud Scoring Materials. Alacriti does not guarantee or warrant the correctness, completeness, merchantability, or fitness for a particular purpose of the Fraud Scoring Materials or information provided therein. In no event shall Alacriti be liable for any indirect, incidental, or consequential damages, however arising, incurred by Client from receipt or use of information delivered hereunder or the unavailability thereof. Due to the nature of public record information, the public records and commercially available data sources used in Fraud Scoring Materials may contain errors. 
Fraud Scoring Materials are sometimes reported or entered inaccurately, processed poorly or incorrectly, and are generally not free from defect. Fraud Scoring Materials are not the source of data, nor are they a comprehensive compilation of the data. Before relying on any data, it should be independently verified.
(r) Without limiting Client’s obligations in the Agreement, Client hereby agrees to protect, indemnify, defend, and hold harmless Alacriti from and against any and all costs, damages, losses, and liabilities (including attorneys’ fees and costs) arising from or in any way related to third party claims or demands against Alacriti resulting from: (i) use of information received by Client (or any third party receiving such information from or through Client) furnished by or through Alacriti; and (ii) any Security Event.
(s) Certain features of the fraud scoring Services are provided by SardineAI Corp. (“SardineAI”). Client is responsible for ensuring that it understands which features are provided by SardineAI. All such features are subject to this clause (s).
(i) Client acknowledges and agrees that these features are developed, maintained, and provided by SardineAI, not Alacriti. Accordingly, Client agrees that Alacriti will have no liability for these features or SardineAI. Client agrees: (A) to bring all claims arising from or relating to SardineAI or such features, against only SardineAI, and expressly waives the right to bring any such claims against any Alacriti Party; (B) Client may lose access to such features to the extent SardineAI stops providing such access, for example, if the agreement between Client and SardineAI or Alacriti and SardineAI, is terminated or expires; (C) Alacriti may disclose Client Materials and Confidential Information to SardineAI, after which SardineAI may process them as permitted in the agreement between Client and SardineAI (set forth below); and (D) SardineAI may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor SardineAI is a subcontractor, service provider, subprocessor, or similar term for the other. Each of Alacriti and SardineAI has its own contractual relationship directly with Client.
(ii) The following terms and conditions (these “Terms”) govern the use by Client of any products or services provided by SardineAI Corp. (“SardineAI”), pursuant to one or more agreements (each, an “Order”) between Client and Alacriti Payments Inc. and/or its affiliates. Client accepts the Terms. As used in the Terms, “Customer” means Client.
(iii) Definitions.
“API” means the application programming interface for sending data to or receiving data from the Services and any libraries made available to Customer for accessing the foregoing.
“Authorized Purpose” means fraud and compliance purposes that are conducted by Customer in compliance with these Terms.
“Customer Data” means, collectively, Provided Data and Submitted Data.
“Dashboard” means the web-based user interface for Customer to access portions of the Services.
“Documentation” means any user instructions, manuals, on-line help files, or other materials that are provided by SardineAI in connection with the SDK, API, or Services.
“Employee Users” means Customer’s employees or contractor personnel authorized by Customer to access and use the Services in connection with the Authorized Purpose.
“End Users” means the individual end users of Customer’s web-based platforms or mobile applications whose attributes are to be provided to the Services for purposes of performing fraud detection and identity verification.
“Provided Data” means any risk scores or other data pertaining to End Users that is provided by SardineAI to Customer via the Services.
“SardineAI Technology” means, collectively, the Services, API, SDK, Dashboard, Documentation, and any other services to be provided pursuant to these Terms.
“SDK” means the software development kit that is capable of being embedded into and integrated with Customer’s web based platforms and mobile applications.
“Services” means SardineAI’s proprietary technology platform and services provided hereunder.
“Submitted Data” means any data pertaining to End Users that is collected by SardineAI through the Services or submitted by Customer, Customer Data, or End Users to the Services via the SDK or API.
(iv) Services; API and SDK.
Services. Subject to Customer’s ongoing compliance with the terms of these Terms, SardineAI hereby grants to Customer a non-exclusive, non-transferable, non-sublicensable, internal right commencing on the service start date set forth on the applicable Order and continuing for the duration of such Order (the “Order Term”) to access and use, and allow Employee Users to access and use the Services solely for Customer’s internal business purposes in connection with the Authorized Purpose subject to any limitations set forth in the Order.
API and SDK License. Subject to Customer’s ongoing compliance with the terms of these Terms, SardineAI hereby grants Customer a non-exclusive, non-transferable, non-sublicensable, internal use only license, during the period of time commencing on the service start date set forth in an Order and continuing for the duration of the applicable Order Term to: (1) integrate and embed the SDK into and make the SDK available to End Users through Customer’s mobile applications and web based platforms, and (2) use the API to submit to and obtain information from the Services in accordance with any associated Documentation for the Authorized Purpose.
(v) Customer Obligations.
(A) Use Restrictions. Customer shall not, directly or indirectly, and shall not authorize any third party to: (1) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code, algorithms, or associated know-how of the SardineAI Technology; (2) write or develop any program based upon the SardineAI Technology or any portion of any of the foregoing, or otherwise use the SardineAI Technology in any manner for the purpose of developing, distributing or making available products or services that compete with the SardineAI Technology; (3) sell, sublicense, transfer, assign, lease, rent, distribute, or grant a security interest in the SardineAI Technology or any rights to any of the foregoing; (4) permit the SardineAI Technology to be accessed or used by any persons other than Employee Users and End Users accessing or using the SardineAI Technology in accordance with these Terms; (5) alter or remove any trademarks or proprietary notices contained in or on the SardineAI Technology; (6) circumvent or otherwise interfere with any authentication or security measures of the SardineAI Technology or otherwise interfere with or disrupt the integrity or performance of the foregoing; (7) without SardineAI’s prior written consent, use the Services or Provided Data in connection with its interactions with End Users who are not residents of the United States. Customer acknowledges that SardineAI may, but is under no obligation to, monitor Customer’s use of the Services. SardineAI may suspend Customer’s, or an Employee User’s access to the Services for any period during which Customer or an Employee User is, or SardineAI has a reasonable basis for alleging Customer or an Employee User is, in noncompliance with the foregoing.
(B) Compliance. Customer shall: (1) ensure that its Employee Users’ and its End Users’ use of the Service complies with these Terms, (2) use commercially reasonable efforts to prevent and terminate any unauthorized access to or use of the Services, and (3) promptly notify SardineAI of any unauthorized access to or use of the Services of which it becomes aware.
(C) Consents and Disclosures. Customer shall be solely responsible for: (1) providing any and all legally required notices and disclosures to End Users; (2) offering all legally required choices to End Users to enable them to exercise any granted privacy rights, and (3) for obtaining all informed consents from End Users required, to permit: (a) Customer to use the SardineAI Technology and receive the Services, including, without limitation, as described in Section 5 of these Terms; (b) Customer’s provision of Submitted Data to SardineAI under the Agreement; and (c) SardineAI’s use, accessing, storing, and processing of the Submitted Data in accordance with the Agreement, including without limitation, Customer’s use of automated decision making (“ADM”), if any.
(D) Permitted Purposes. Customer and will: (1) only use Provided Data and any results obtained from the use of the Services solely in connection with the Authorized Purpose as it relates to operating its business and (2) not disclose Provided Data to any third party. Customer acknowledges and agrees that, notwithstanding anything to the contrary herein, SardineAI may be obligated under applicable law to erase or delete certain Customer Data from the Services.
(E) Prohibited Purposes. Customer is prohibited from using the Services or Provided Data, in whole or in part, for the purpose of serving as a factor in establishing a person’s eligibility for credit, insurance, employment, or any other purpose authorized under the Fair Credit Reporting Act, 15 U.S.C. §1681, et seq. and Regulation V (“FCRA”) or any similar United States State statute. Customer further agrees that neither the Services nor the SardineAI Technology may be used to undertake ADM or profiling which produce potential legal effects concerning an individual or similarly affecting an individual. Specifically, in the EEA and the UK, neither the Services nor the SardineAI Technology are intended to be used for credit scoring, assessing creditworthiness, performing credit reporting or otherwise profiling an individual or opining on the financial health or legal posture of an individual unless done in a way that fully addresses the requirements of Article 22 of the General Data Protection Act (“GDPR”), as interpreted by applicable courts and regulatory bodies. In the United States, SardineAI is not a “credit reporting agency” or “consumer reporting agency” nor does it provide comparable services, regardless of terminology used under applicable law. Neither the Services nor Provided Data constitute a “consumer report” as those terms are defined by FCRA or other comparable statutes or regulations in an applicable jurisdiction. SardineAI makes no representation or warranty as to the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of any person. Customer shall not use the Services in order to take any “adverse action” as that term is defined in the FCRA and the Equal Credit Opportunity Act, 15 U.S.C. § 1691, et seq., or for a purpose that could have an adverse legal effect on an individual, however defined under applicable data and consumer protection laws.
Without limiting the foregoing, Customer may use, except as otherwise prohibited or limited by this Agreement (including the restrictions contained above), the Services or Provided Data for the purpose of (a) verifying or authenticating an individual’s identity or (b) preventing or detecting fraud or other unlawful activity.
(vi) Data Processing and Security. Sardine and any affiliates involved in processing Customer Data, will access, use, and otherwise process any Personal Information contained therein, in accordance with the terms of the Data Processing Addendum executed concurrently herewith (the “DPA”). Sardine has implemented and will maintain technical, organizational, and physical safeguards to protect Personal Information as further described in the DPA.
(vii) Proprietary Rights.
Intellectual Property Rights. Customer acknowledges that SardineAI owns and retains all rights, title, and interest, including all intellectual property rights, in and to the SardineAI Technology, including all technology, software, algorithms, user interfaces, trade secrets, techniques, designs, inventions, works of authorship, and other tangible and intangible material and information pertaining thereto or included therein, and nothing in the Agreement shall preclude or restrict SardineAI from using or exploiting any concepts, ideas, techniques or know-how of or related to the SardineAI Technology or otherwise arising in connection with SardineAI’s performance under the Agreement. Other than as expressly set forth in the Agreement, no licenses or other rights in or to the SardineAI Technology are granted to Customer and all such rights are hereby expressly reserved.
Fraud Feedback. Customer agrees to provide to SardineAI on an ongoing basis comprehensive data related to all End User outcomes that were assessed, in whole or in part, using the Services (“Fraud Feedback”). As used herein Fraud Feedback will include End User KYC or other onboarding process, End User transactions, assessments of End User devices, and other outcomes that are processed and/or risk assessed using the Services. Fraud Feedback is a critical component of the Services’ ability to perform risk assessments, detect and prevent fraud, validate identities, and other fraud-related activities performed by the Services. Customer shall deliver the Fraud Feedback data to SardineAI via the API endpoints designated by SardineAI, including, without limitation, SardineAI’s Feedback API. Fraud Feedback shall be clearly associated with each corresponding End User event that was processed and/or risk assessed using the Services to ensure a direct linkage between the initial assessment and the ultimate outcome. Customer shall adhere to the data formats, transmission protocols, and security requirements for Fraud Feedback set forth in the Documentation, or otherwise reasonably specified by SardineAI. Customer represents and warrants that all Fraud Feedback provided to SardineAI shall be accurate, complete, and provided in a timely manner, enabling SardineAI to effectively utilize such data to provide and improve the Services.
Fraud Consortium; License to Customer Data. Customer wishes to participate in the consortium of SardineAI customers (the “Fraud Consortium”) that leverages data and insights contributed by consortium members to promote detection of fraudulent or potentially fraudulent activity through the Services. Accordingly, Customer grants SardineAI and its Affiliates a worldwide, non-exclusive, irrevocable, royalty-free license to use Customer Data, including, without limitation, Fraud Feedback, for a period of seven (7) years from SardineAI’s receipt of each element of Customer Data, to support operation and further development of the Fraud Consortium, including by sharing Customer Data with other consortium members in a manner that does not identify Customer and by combining Customer data with other data, including data derived from third-party sources, machine learning, and artificial intelligence applications. Notwithstanding the foregoing or any other provision of this Agreement, SardineAI shall only use Customer Data in conformity with the terms of these Terms, the DPA, and all applicable laws, including laws pertaining to individual privacy and security.
Requests and Suggestions. Customer may, from time to time, provide SardineAI with requests or suggestions for improvements to or expansions of the Services, including, without limitation new features, functionalities, or product offerings. SardineAI may use and exploit in any manner, on a worldwide, irrevocable, perpetual, royalty-free basis, any such requests or suggestions regarding the Services, provided that SardineAI shall not publicize or otherwise disclose Customer’s involvement therein.
(viii) Customer Data. Customer acknowledges and agrees that, notwithstanding anything to the contrary herein, SardineAI may, in its sole discretion, erase or delete from the Services any Customer Data that it reasonably believes is illegal, harmful, objectionable, lewd, not related to the function of or necessary for the use of the Services, or that SardineAI determines may, as a result of SardineAI possessing such data, harm SardineAI’s business or reputation.
(ix) Limitation of Liability. IN NO EVENT WILL SARDINEAI’S AGGREGATE LIABILITY AND DAMAGES ARISING OUT OF THESE TERMS EXCEED THE AMOUNTS ACTUALLY PAID BY CUSTOMER FOR THE SERVICES DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE OF THE CLAIM. THE LIMITATIONS AND DISCLAIMERS OF LIABILITY SET FORTH IN THIS SECTION WILL APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THESE TERMS IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE AND REGARDLESS OF THE THEORY OF LIABILITY. NOTWITHSTANDING ANYTHING TO THE CONTRARY, SARDINEAI AND ITS SUPPLIERS (INCLUDING BUT NOT LIMITED TO ALL EQUIPMENT AND TECHNOLOGY SUPPLIERS), OFFICERS, AFFILIATES, REPRESENTATIVES, CONTRACTORS AND EMPLOYEES SHALL NOT BE RESPONSIBLE OR LIABLE TO CUSTOMER WITH RESPECT TO ANY SUBJECT MATTER OF THESE TERMS OR TERMS AND CONDITIONS RELATED THERETO UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY: (A) FOR ERROR OR INTERRUPTION OF USE OR FOR LOSS OR INACCURACY OR CORRUPTION OF DATA OR INFORMATION OR COST OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES OR TECHNOLOGY OR LOSS OF BUSINESS; (B) FOR ANY INDIRECT, EXEMPLARY, INCIDENTAL, PUNITIVE, RELIANCE, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES; (C) FOR ANY MATTER BEYOND SARDINEAI’S REASONABLE CONTROL; OR (D) FOR ANY AMOUNTS THAT, TOGETHER WITH AMOUNTS ASSOCIATED WITH ALL OTHER CLAIMS, EXCEED THE FEES PAID BY CUSTOMER TO CUSTOMER FOR THE SERVICES IN THE 12 MONTHS PRIOR TO THE ACT THAT GAVE RISE TO THE LIABILITY, IN EACH CASE, WHETHER OR NOT SARDINEAI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(x) Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, SARDINEAI HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING ANY AND ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, LOSS OF DATA, OR ACCURACY OF RESULTS. SARDINEAI DOES NOT WARRANT THAT THE SARDINEAI TECHNOLOGY WILL BE ERROR-FREE, UNINTERRUPTED, OR COMPATIBLE WITH ANY PARTICULAR DEVICE, THAT ANY DATA PROVIDED BY OR THROUGH THE SARDINEAI TECHNOLOGY, INCLUDING PROVIDED DATA, WILL BE ACCURATE OR COMPLETE, OR, EXCEPT AS EXPRESSLY SET FORTH HEREIN, THAT SARDINEAI’S SECURITY MEASURES WILL BE SUFFICIENT TO PREVENT THIRD PARTY ACCESS TO CUSTOMER DATA. CUSTOMER ACKNOWLEDGES AND AGREES THAT (i) SARDINEAI AND THE SERVICES ONLY PROVIDE INFORMATION TO ASSIST CUSTOMER IN PERFORMING FRAUD AND ANOMALY DETECTION; (ii) SUCH INFORMATION IS NOT GUARANTEED TO BE ACCURATE OR TO SATISFY ANY LEGAL OR THIRD-PARTY STANDARD RELATING TO FRAUD AND ANOMALY DETECTION; AND (iii) CUSTOMER BEARS ALL RESPONSIBILITY, AND SARDINEAI WILL HAVE NO LIABILITY FOR DECISIONS BASED ON ANY PROVIDED DATA, OR ANY OTHER INFORMATION PROVIDED TO CUSTOMER VIA THE SERVICES OR BY SARDINEAI.
(xi) General Provisions.
Governing Law. These Terms shall be governed by and construed under the laws of the State of California without reference to conflict of laws principles. The application of the United Nations Convention on Contracts for The International Sale of Goods is expressly excluded. Subject first to Section 9(b), if a lawsuit or court proceeding is permitted under these Terms, the parties will be subject to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California, and the parties hereby agree and consent to the exclusive jurisdiction and venue of such courts.
Arbitration. CUSTOMER AND SARDINEAI AGREE TO RESOLVE ALL DISPUTES ARISING UNDER OR IN CONNECTION WITH THESE TERMS THROUGH BINDING ARBITRATION. A PARTY WHO INTENDS TO SEEK ARBITRATION MUST FIRST SEND A WRITTEN NOTICE OF THE DISPUTE TO THE OTHER PARTY. THE PARTIES WILL USE GOOD FAITH EFFORTS TO RESOLVE THE DISPUTE DIRECTLY, BUT IF THE PARTIES DO NOT REACH AN AGREEMENT TO DO SO WITHIN 30 DAYS AFTER THE NOTICE IS RECEIVED, EITHER PARTY MAY COMMENCE AN ARBITRATION PROCEEDING. THE ARBITRATION WILL BE CONDUCTED IN ACCORDANCE WITH THE APPLICABLE RULES OF THE AMERICAN ARBITRATION ASSOCIATION (the “AAA RULES”). THE ARBITRATION WILL BE CONDUCTED IN ENGLISH IN SAN FRANCISCO, CALIFORNIA, USA. IF THE PARTIES DO NOT AGREE ON AN ARBITRATOR, THE ARBITRATOR WILL BE SELECTED IN ACCORDANCE WITH THE APPLICABLE RULES OF THE AAA FOR THE APPOINTMENT OF AN ARBITRATOR. THE SELECTION OF AN ARBITRATOR UNDER THE RULES OF THE AAA WILL BE FINAL AND BINDING ON THE PARTIES. THE ARBITRATOR MUST BE INDEPENDENT OF THE PARTIES. THE ARBITRATOR’S DECISION WILL BE FINAL AND BINDING ON BOTH PARTIES, AND THE ARBITRATOR MUST ISSUE A REASONED WRITTEN DECISION SUFFICIENT TO EXPLAIN THE ESSENTIAL FINDINGS AND CONCLUSIONS ON WHICH THE DECISION AND AWARD, IF ANY, ARE BASED. THE COSTS AND EXPENSES OF THE ARBITRATION WILL BE SHARED EQUALLY BY BOTH PARTIES; HOWEVER, IF THE ARBITRATOR FINDS THAT EITHER THE SUBSTANCE OF THE CLAIM OR THE RELIEF SOUGHT IN ARBITRATION IS FRIVOLOUS OR BROUGHT FOR AN IMPROPER PURPOSE (AS MEASURED BY THE STANDARDS SET FORTH IN FEDERAL RULE OF CIVIL PROCEDURE 11(b)), THEN THE PAYMENT OF ALL FEES WILL BE GOVERNED BY THE AAA RULES. 
NOTWITHSTANDING THE FOREGOING, THIS SECTION WILL NOT PROHIBIT EITHER PARTY FROM: (i) BRINGING AN INDIVIDUAL ACTION IN SMALL CLAIMS COURT; (ii) SEEKING INJUNCTIVE OR OTHER EQUITABLE RELIEF IN A COURT OF COMPETENT JURISDICTION; (iii) PURSUING AN ENFORCEMENT ACTION THROUGH THE APPLICABLE FEDERAL, STATE, OR LOCAL AGENCY IF THAT ACTION IS AVAILABLE; OR (iv) FILING SUIT IN A COURT OF LAW TO ADDRESS AN INTELLECTUAL PROPERTY INFRINGEMENT OR MISAPPROPRIATION CLAIM. IF THIS SECTION IS FOUND TO BE UNENFORCEABLE, THE PARTIES AGREE THAT THE EXCLUSIVE JURISDICTION AND VENUE DESCRIBED IN SECTION 9(a) WILL GOVERN ANY ACTION ARISING OUT OF OR RELATED TO THESE TERMS.
(C) Third Party Beneficiary. SardineAI is an intended third-party beneficiary of these Terms and is entitled to enforce all provisions set forth herein.
(D) Miscellaneous. If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that these Terms will otherwise remain in full force and effect and enforceable.
3. Terms Applicable to Online Banking Authentication.
(a) The online banking authentication features of the Subscription Services, together with all account and other information made available through such features, are collectively “Online Banking Authentication Materials.” The Online Banking Authentication Materials are provided by Trustly, Inc. (“Trustly”). Client must obtain Alacriti’s prior written consent before reselling access to the Online Banking Authentication Materials to Customers. Client shall ensure that any such resale Customer complies with this section as if it were Client. Client shall use the Online Banking Authentication Materials in accordance with Trustly’s guidelines (which may be updated from time-to-time by Trustly), as made available by Alacriti to Client (“Online Banking Authentication Requirements”). Client consents for Trustly to process data and information in connection with the Online Banking Authentication Materials as further described in Trustly’s privacy policy set forth here: https://www.trustly.net/us/privacy-policy, as it may be updated from time to time at the sole discretion of Trustly. Trustly shall ensure that each Customer whose data is processed by Trustly pursuant to the Agreement accepts Trustly’s “Terms of Use” and “Privacy Policy.”
(b) Client shall provide such financial or other information as required by the Online Banking Authentication Requirements, or which is reasonably requested by Trustly, to perform credit risk, security, qualification, and other reviews related to providing the Online Banking Authentication Materials or determining the financial condition of Client or its Customers (as applicable), provided that in no event will Client be required to provide any information that would reasonably be construed to cause Client to violate Applicable Law (for example, the Gramm Leach Bliley Act, or its implementing regulations, or any state privacy laws impacting consumer information). Client shall provide the requested information within fifteen (15) days of Trustly’s request. Client authorizes Trustly to investigate or reinvestigate at any time any information provided by Client in connection with the Online Banking Authentication Materials. Client authorizes, and will cause Customers (if applicable) to authorize, Trustly to obtain information about them from third parties when performing credit risk, security, qualification, and other reviews. Alacriti shall not provide to Trustly any information that Alacriti obtained from Client that is subject to GLBA.
(c) Client authorizes Trustly to audit Client’s books and records that are necessary to ensure Client’s compliance with this section, during Client’s regular business hours, solely for the purpose of ensuring that Client is in compliance with this section. Client specifically authorizes Trustly to perform an audit of Client’s operational controls, risk management practices, staffing and the need for training and ongoing support, and information technology infrastructure, to the extent necessary to ensure Client’s compliance with this section. Trustly shall provide a copy of the audit report to Client on request. Trustly shall bear all costs and expenses incurred in connection with any such audit. Client acknowledges and agrees that Trustly shall have the right to request specific, reasonable internal controls at Client’s location(s) that are necessary to remediate a non-compliance with this section that was discovered through such an audit, and Client shall comply with any such request or a reasonable alternative chosen by Client that resolves such non-compliance. In addition, Client agrees to allow Trustly to review available reports of independent audits performed at the Client’s location related to information technology, the Online Banking Authentication Materials, and any associated operational processes. Client agrees that if requested by Trustly, Client will complete a reasonable-length self-assessment of Client’s operations, management, staff, systems, internal controls, training, and risk management practices that would otherwise be reviewed by Trustly in an audit of Client. Client will provide to Trustly a copy of either their SAS-70 audit or other independent audit annually on Trustly’s request. On Client’s request, Alacriti shall request from Trustly any third-party audits, reports, or certifications of the systems used by Trustly to process Online Banking Authentication Materials.
Alacriti shall promptly provide Client with a copy of any such third-party audits, reports, or certifications received back from Trustly.
(d) Subject to Client’s compliance with this section, Client is granted, during the Term a limited, nonexclusive, non-assignable, royalty free right and license to display and use the logos, trade names, trademarks, and service marks of Trustly (“Trustly Marks”) for the sole purpose of carrying out its obligations under this section, subject to the following conditions: (i) Client shall keep intact any proprietary notices of Trustly; (ii) it shall comply with Trustly’s trademark written use guidelines, as may be provided by Trustly or Alacriti from time to time, subject to a reasonable period of time to comply with each update; (iii) it acknowledges that all goodwill generated through its use of the Trustly Marks will inure to the benefit of Trustly; (iv) it hereby assigns and agrees to assign to Trustly any and all goodwill generated through its use of the Trustly Marks, without any payment or other consideration to it, and further agrees to take all actions necessary to effect such assignment; and (v) upon termination of its right to use the Online Banking Authentication Materials, it shall cease using the Trustly Marks.
(e) In each month of the Term, Alacriti shall ensure that the Online Banking Authentication Materials successfully (i.e., are able to identify, provide data relating to the applicable Customer, and the Customer’s external accounts are successfully linked to the Customer’s account(s) with Client such that Customer is able to view the external account in Customer’s system, and/or effectuate transfers between the Customer’s accounts with Client and such linked external accounts) responds to ninety-nine percent (99%) of Client’s transactions submitted to the Online Banking Authentication Materials in such month. When requested by Client for a given month, Alacriti shall submit to Client a report detailing the foregoing percentage of success for such month. The data and related materials provided to Trustly by Customers will be maintained by Trustly in accordance with its data security policy, which will be reasonable taking into account the nature of the materials provided to Trustly. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE ONLINE BANKING AUTHENTICATION MATERIALS ARE PROVIDED “AS IS”, “WITH ALL FAULTS”, WITHOUT ANY WARRANTY OF ANY KIND, AND EACH OF ALACRITI AND TRUSTLY HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, NEITHER ALACRITI NOR TRUSTLY MAKES ANY WARRANTY, OR PROVIDES ANY ASSURANCE, THAT THE ONLINE BANKING AUTHENTICATION MATERIALS WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE OR WILL MEET CLIENT’S REQUIREMENTS, MEET CERTIFICATION REQUIREMENTS OF ANY REGULATORY OR LICENSING AGENCY OR THAT ANY ERRORS WILL BE CORRECTED OR THAT THE OVERALL SYSTEM THAT MAKES THE ONLINE BANKING AUTHENTICATION MATERIALS AVAILABLE (INCLUDING BUT NOT LIMITED TO THE INTERNET, OTHER TRANSMISSION NETWORKS AND CLIENT’S LOCAL NETWORK AND EQUIPMENT) WILL BE AVAILABLE OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
(f) Trustly shall have a royalty-free, worldwide, transferable, sublicensable, irrevocable, and perpetual license to use or incorporate into the Online Banking Authentication Materials, without restriction, any suggestions, enhancement requests, recommendations or other feedback (not including Customer-related information) provided by Client relating to the Online Banking Authentication Materials.
(g) Trustly may terminate access to the Online Banking Authentication Materials if any of the following circumstances occur: (i) a material change to any Applicable Law to which Trustly is required to comply, or fees Trustly is required to pay to provide the materials, makes it commercially impracticable for Trustly to continue to provide the materials; (ii) Client violates the NACHA Rules or this section; (iii) a change in Trustly’s underwriting or risk requirements causes Trustly to be unable to provide the materials, or a material change in Client’s business that violates Trustly’s underwriting or risk requirements; or (iv) if Client has used the Online Banking Authentication Materials for illegal or fraudulent activity.
(h) Trustly has the sole right to determine the method, details and means of providing the Online Banking Authentication Materials and may decline to process, settle, or provide them at any time because of regulatory, risk assessment, or other requirements. Trustly may use third parties or subcontractors in its sole discretion to provide certain components or portions of the Online Banking Authentication Materials, provided however, that Trustly shall remain liable for the acts or omissions of such subcontractors. Trustly may revise, upgrade, modify, replace, or reconfigure the Online Banking Authentication Materials at any time, including, without limitation removing certain features, functions, services, and software.
(i) Trustly is part of a group of companies (“Trustly Affiliated Companies”) which are all under the common control of Trustly Holding AB, a Swedish limited liability company. Depending upon the needs of Client, Trustly may utilize the services of one or more Trustly Affiliated Companies to perform or deliver certain aspects of the Online Banking Authentication Materials. Trustly is not a bank, a money services business (an “MSB”), or a money transmitter. Trustly does not offer banking services, MSB services (as defined by 31 Code of Federal Regulations Section 1010.100(ff)), or money transmission services, as such may be defined under applicable state law. Trustly provides no deposit account or other financial services. Trustly neither receives, possesses, transfers, nor transmits money. No Client may establish a financial account with Trustly, and Trustly shall not transmit any money.
(j) Client shall not store, use, disclose, or otherwise process any Online Banking Authentication Materials in a manner inconsistent with any consent obtained by the Client directly from the consumer. Client acknowledges that consumers own their information contained within the Online Banking Authentication Materials and that Client’s use, storage, disclosure, and processing of all such information is subject to the agreement between Client and the consumer.
(k) Each of Client and Alacriti shall promptly and without unreasonable delay notify the other upon discovery of any actual, or potential or threatened likely unauthorized access to, use or disclosure of any Online Banking Authentication Materials, whether caused by Client, Alacriti, Trustly, or a third party (“Security Breach”). Immediately upon discovery or notification of a Security Breach, the party experiencing the Security Breach shall investigate and take all steps to identify, prevent and mitigate the effects of any such Security Breach and the party experiencing the Security Breach shall bear its own costs associated therewith, including remediating the issue and sending notices to consumers, regulatory fines or fees, and any legal fees or judgments. The party experiencing the Security Breach shall promptly provide to the other party a detailed description of the incident, the Online Banking Authentication Materials accessed, the identity of affected consumers and such other information as may be requested concerning the Security Breach and conduct any recovery necessary to remediate the impact of such Security Breach as required by any Applicable Laws. The parties shall reasonably cooperate with each other in identifying any reasonable steps that should be implemented to limit, stop or otherwise remedy any actual or suspected Security Breach.
(l) Client agrees that Trustly may monitor or analyze Client’s use of the Online Banking Authentication Materials: (i) in order to verify Client’s compliance with this section; (ii) to ensure the quality and reliability of the Online Banking Authentication Materials; (iii) to improve the Online Banking Authentication Materials, provided that in doing so Trustly does not process any non-public personal information as defined by the Gramm-Leach-Bliley Act. Client will not intentionally interfere with such monitoring and understands that Trustly may use technical means to overcome any such interference. Client will comply with any reasonable requests from Trustly for any information or materials to verify Client’s compliance with this section and will provide Trustly with access to test accounts in order to enable Trustly to perform the monitoring described in this section. Trustly may suspend the Online Banking Authentication Materials if access to the test accounts and information described in this section is blocked or made inaccessible during the Term.
(m) With respect to Online Banking Authentication Materials that contain information that is subject to the FCRA: Client certifies that it has a legitimate business need for the information. Client certifies that the information provided will only be used for permissible purposes under the Fair Credit Reporting Act (“FCRA”), will not be used for employment purposes, and will not be used for any purpose other than the one transaction for which the information was provided. Neither Client, nor any of its respective agents or employees will disclose the results of any inquiry processed via the Online Banking Authentication Materials except to the consumer about whom such inquiry is made. If Client rejects any transaction (in whole or in part) because of the information obtained via the Online Banking Authentication Materials, Client shall provide the consumer all information regarding such transaction and the reasons for rejection as required by applicable legal requirements.
(n) Client shall use the Online Banking Authentication Materials in compliance with all federal, state and local laws, regulations and regulatory guidance including, without limitation, laws, regulations and Executive Orders administered by the Office of Foreign Assets Control of the US Department of the Treasury (“OFAC”), EU anti money laundering and counter terrorist financing directives and wire transfer regulation, including any and all applicable national legislation in the field of anti-money laundering and counter terrorist financing, anti-money laundering laws and regulations, money transmitter laws and regulations, know your customer (“KYC”) requirements, licensing requirements, securities laws, Electronic Fund Transfer Act and its Regulation E (“Regulation E”), and the NACHA Rules (collectively, “Legal Requirements”).
(o) Client shall not use the Online Banking Authentication Materials in connection with any of the following products or services, which may be updated from time to time by Trustly on written notice to Client. For clarity, this section does not prohibit Client from providing financial services to Customers that do business in one of the following categories, provided that the Online Banking Authentication Services are not used to transfer funds that were generated by the category:
● Money Remittance Businesses without Client being in possession of a valid banking license.
● Adult Entertainment
● Dating and Escort Sites
● Shell banks
● Asset-holding vehicles (trusts, foundations (other than charitable foundations) and private wealth management structures.)
● Marijuana dispensaries and related businesses
● Illegal drugs and drug paraphernalia
● Pseudo-pharmaceuticals
● Distribution of items protected by copyright
● Weapons and munitions (ammo, equipment, explosives), except for sports and antiques/collectors’ items
● Pyramid selling, Ponzi schemes or other “get rich quick” schemes
● Fortune tellers, mediums and other services speculating around supernatural phenomena
● Computer (including remote) tech support/performance optimization/ virus removal solutions (sellers/authorized resellers of downloadable and installable antivirus software fall outside of scope of this prohibition)
● Nazi and fascist memorabilia and militaria (both replicas and original artefacts) excluding:
o auction houses (as it is assumed that those are acting clearly for needs of collectors) and
o marketplaces (as it is assumed that those have relevant policies and content controls in place).
4. Terms Applicable to Zelle.
(a) Client acknowledges that the Zelle® P2P Payments Service, Disbursements with Zelle® and/or Small Business Payments Service, as applicable, each as defined in the Network Rules (as defined below) (collectively, “Zelle Services”) are provided by Early Warning Services, LLC (“Early Warning”).
(b) Authorized Use of the Zelle Services.
Upon execution of the Agreement or applicable Order for Zelle Services (the “Zelle Services Effective Date”), Client shall comply with and be subject to all provisions of the Zelle Network® Participation Rules (“Network Rules”) and the other Network Documents (as defined in the Network Rules), each as amended from time to time in accordance with the provisions thereof. Client acknowledges receipt of the Network Documents from Alacriti. Capitalized terms used but not otherwise defined herein shall have the meaning set forth in the Network Rules.
Client acknowledges that, by executing the Agreement or applicable Order for Zelle Services, it makes all representations, warranties and covenants given under the Network Documents, and that such representations, warranties, and covenants shall be enforceable against it.
Client agrees to use the Zelle Services solely for the purposes, and subject to the terms and conditions, set forth in the applicable Network Rules.
Client acknowledges and agrees that Alacriti is acting as Client’s Processor, as defined in the Network Rules.
Client acknowledges and agrees to the contribution requirements applicable to Account Owner Elements Data (as defined in the Network Rules) set forth in the Network Rules. Contribution may be direct to Early Warning, through Alacriti, or through a third-party technical integrator that has been approved by Early Warning and has entered into an agreement with Alacriti.
(c) Fees.
(i) Notwithstanding anything in the Network Rules to the contrary, all fees for Client’s use of the Zelle Services will be established by and billed to Client by Alacriti.
(ii) Client acknowledges they may be subject to noncompliance fees for failure to comply with the Network Rules.
(iii) Any Client-specific custom support or event-driven fees charged by Early Warning to Alacriti will be passed through to the Client.
(d) Third Party Beneficiary. Client acknowledges and agrees that Early Warning Services, LLC (“Early Warning”), and any of Early Warning’s affiliates providing the Zelle Services, are intended to be, and shall be third party beneficiaries of these Subscription-Specific Terms for the purpose of enforcing the terms of the Network Documents. Client further acknowledges and agrees that Early Warning and the other Network Participants are entitled to enforce their rights under the Network Documents directly against Client to the same extent as any other Network Participant under the Network Documents, including without limitation any right of the Network Operator to terminate Client’s participation in the Zelle Services in accordance with the Network Documents.
(e) Required Information. Client shall provide Alacriti with any information that Early Warning reasonably requests in connection with the Zelle Services. Client represents and warrants that all information provided by it to Alacriti in connection with the Zelle Services is accurate, complete, and correct as of the Zelle Services Effective Date. Client shall notify Alacriti if any such information changes.
(f) Termination and Suspension. Early Warning may terminate or suspend Client’s use of the Zelle Services for breach of the Agreement or the applicable Network Rules. Client may lose access to the Zelle Services to the extent Early Warning stops providing such access, for example, if the agreement between Alacriti and Early Warning is suspended, terminated, or expires.
(g) Feedback. If Client provides ideas, concepts, comments, reports, evaluations, suggestions for improvements, or other feedback to Alacriti or Early Warning regarding the Zelle Services, or any other products or services of Early Warning (collectively, “Feedback”), then Client grants to Early Warning a perpetual, worldwide license to use, disclose, publish, profit from, and otherwise exploit such Feedback, without restriction and without any attribution or compensation, or any applicable individual, for any purpose.
(h) GLBA. To the extent that any information obtained by Client in relation to the Zelle Services is “nonpublic personal information” about “consumers” or “customers” as such terms are defined in Title V of the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. § 6802, and in regulations issued thereunder (collectively, “Consumer Data”), then in addition to the obligations of Client in the Agreement, Client agrees that it will not disclose or use such Consumer Data other than to carry out its use of the Zelle Services or in any manner prohibited by the GLBA or the regulations issued thereunder. Client further covenants and agrees to maintain appropriate measures designed to meet the objectives of the applicable guidelines establishing information security standards as adopted by any federal regulatory agencies having jurisdiction over Client’s affairs. These measures include appropriate disposal of Consumer Data, as required, and taking appropriate actions to address incidents of unauthorized access to sensitive Consumer Data, including notification to Alacriti as soon as possible of any such incident. Without limiting the foregoing, Client represents and warrants that its information security program is designed to: (i) ensure the security and confidentiality of Consumer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of such data; and (iii) protect against unauthorized access to or use of such data that could result in substantial harm or inconvenience to any consumer.
(i) Security Breach. In the event of a breach in security resulting in actual or suspected loss of or unauthorized access to Network Data, Transaction Data or Early Warning Confidential Information, Client shall: (i) immediately but in no event more than twenty four (24) hours after confirmation of such breach, notify Alacriti of the breach both orally and in writing; (ii) conduct a forensics examination to determine to what extent any Network Data, Transaction Data, or Early Warning Confidential Information was compromised; (iii) provide to Alacriti, in writing, details concerning the breach, including (A) nature and impact of the breach, (B) assessment of immediate risk due to the breach, (C) corrective actions already taken, and (D) corrective actions to be taken; (iv) cooperate with Early Warning, regulators and law enforcement to assist in regaining possession of Network Data, Transaction Data or Early Warning Confidential Information and prevent its further unauthorized use and to notify affected consumers if required by Applicable Law; and (v) take measures to restore and enhance its security policies and procedures to avoid further breaches.
(j) Access. Client shall not knowingly permit any person to access the Zelle Services if the person has been convicted of a crime in connection with: (i) a dishonest act, breach of trust, or money laundering, or has agreed to enter into a pretrial diversion or similar program in connection with a prosecution for such offense, as described in Section 19 of the Federal Deposit Insurance Act, 12 U.S.C. § 1829(a); or (ii) a felony.
(k) Audit.
(i) Early Warning shall have the right to conduct an information security program audit and/or review of Client, including any related policies, controls, processes, and procedures. In addition, upon request, Early Warning may also ask for a copy of Client’s most recent third-party data processing audit or review (e.g., SAS-70, Financial Institution Shared Assessments Program, Shared Assessment Significant Information Gathering (SIG) Questionnaire, Acceptable Use Procedures (AUP), etc.), as conducted by its external auditors related to the Zelle Services, as applicable.
(ii) If at any time Early Warning has a reasonable basis to believe that Client is not in compliance with the terms of the Agreement or Network Rules, or Early Warning identifies transaction activity that is not materially consistent with Client’s normal transaction activity based on past activity or compared to similar types of clients, including, but not limited to, dollar amounts, hit rate, and volume, Early Warning will notify Client, as applicable, and Client shall, within five (5) business days of Early Warning’s notification, provide Early Warning with such documentation and information as may be reasonably requested by Early Warning to verify compliance or address the anomalous transaction activity. If Client is not in compliance or compliance cannot be verified, Early Warning may, upon written notice, suspend Client’s participation in the Zelle Services and the parties may promptly meet to discuss the matter and develop a proposed resolution plan. The resolution plan, including resolution period, must be approved by Early Warning. On or before the approved resolution date, Client shall provide written certification to Early Warning (or other evidence as required), that the resolution plan has been fully implemented and that Client is compliant with this Agreement and the Network Rules. If the resolution plan is not fully implemented on or before the approved resolution date, Early Warning may suspend or terminate the provision of the Zelle Services upon written notice to Alacriti or Client. Nothing in this section shall be construed to limit any of Early Warning’s other rights or remedies under the Agreement or Network Rules.
(iii) Except as set forth in (ii), the audit(s) and review(s) in the foregoing subsections shall be performed no more frequently than annually unless Early Warning has a reasonable basis to suspect that Client is in material breach of any provision of the Agreement or Network Rules, or a prior review or audit reveals any critical or high findings. Audits shall be conducted during normal business hours and upon prior written notice. Audits may be (A) consolidated to the extent practicable, (B) conducted via an online virtual session or onsite to the extent that any information reasonably requested, or data required by Early Warning in conjunction with such audit, is not able to be shared electronically or via documentation, or (C) contracted through an independent third party.
(iv) For an onsite audit of Client, Early Warning shall comply with Client’s reasonable security procedures and any such audit will not require the provision of information not relevant to the Zelle Services or any confidential information about third party suppliers. If Early Warning uses a third-party auditor to conduct any reviews pursuant to this section, such third-party auditor shall be an auditing firm reasonably acceptable to Early Warning and such firm shall enter into a confidentiality agreement as applicable. For the avoidance of doubt, Early Warning’s ability to conduct such compliance reviews including their form and frequency are also as permitted by the Network Rules. Early Warning shall bear its own expenses incurred in connection with any such audit.
(v) For the avoidance of doubt, Client is also subject to the applicable provisions of the applicable Network Rules with respect to the form and frequency of the Compliance Reviews and Attestations required by Early Warning.
(l) Data. Ownership and use of Network Data and Transaction Data shall be governed by the Network Rules.
(m) Misc. Client agrees to bring all claims arising from or relating to the Subscription Services, Alacriti Parties, or the Agreement, against only Alacriti Payments LLC. Client agrees not to, and expressly waives the right to, bring any such claim against Early Warning. Alacriti may disclose Client Materials and Confidential Information to Early Warning, after which Early Warning may process them as permitted in the Network Rules. Early Warning may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor Early Warning is a subcontractor, service provider, subprocessor, or similar term for the other. Client agrees to execute any agreement required by Early Warning.
5. Terms Applicable to Bank Verification Service Plus
(a) The Bank Verification Service Plus is a feature of Akoya LLC’s (“Akoya”) data access network (“DAN”) that enables Client’s Customers to grant Client access to their financial data (“Network Data”) by connecting to their accounts at one or more participating financial institutions (“FIs”). Client acknowledges and agrees that the DAN is developed, maintained, and provided by Akoya, not Alacriti. Accordingly: (i) Client agrees to bring all claims arising from or relating to the Subscription Services, Alacriti Parties, or the Agreement, against only Alacriti Payments LLC; Client agrees not to, and expressly waives the right to, bring any such claim against Akoya; (ii) Client agrees to bring all claims arising from or relating to Akoya, the DAN, or the Network Data against only Akoya LLC; Client agrees not to, and expressly waives the right to, bring any such claim against any Alacriti Party; (iii) Client may lose access to the DAN and Network Data to the extent Akoya stops providing such access, for example, if the agreement between Alacriti and Akoya is terminated or expires; (iv) Alacriti may disclose Client Materials and Confidential Information to Akoya, after which Akoya may process them as permitted in the privacy policy posted on its website; and (v) Akoya may provide Client-related data or information to Alacriti, which Alacriti may process as permitted in the Agreement. Client acknowledges that neither Alacriti nor Akoya is a subcontractor, service provider, subprocessor, or similar term for the other.
(b) In its use of the DAN and Network Data, Client shall comply with the documentation posted at docs.akoya.com, as it may be updated by Akoya from time-to-time in Akoya’s sole discretion. Akoya may terminate or suspend Client’s use of the DAN for breach of the Agreement or the applicable documentation.
(d) The SLAs and support terms in the Agreement do not apply to the DAN.
(e) Client acknowledges that FIs may, at any time in their sole discretion, discontinue making any or all types of account information available either in general or specifically with respect to Client. Client acknowledges that FIs shall have the right to approve or reject the provision of Network Data with respect to Client in their sole discretion. Client shall not act as, or in any way represent itself as, an agent, supplier or vendor of any FI in connection with the Agreement.
(f) Client shall: (i) not retrieve Network Data from an FI through the use of Log-In Credentials (i.e., the username(s), password(s), or any other authentication methods used by a Customer to access any FI account or account information); (ii) not require, access, collect, request or seek Log-In Credentials from its Customers; and (iii) within one hundred eighty (180) days of the Effective Date, completely, permanently and securely destroy any Log-In Credentials in its possession or control that may be used to access Network Data from an FI. For clarity, this prohibition applies to all Log-In Credentials in Client’s possession or control that could be used to access Network Data from any FI from which a Customer has accessed Network Data through the DAN.
(g) To the extent permitted by Applicable Laws, Client as part of its hiring process shall conduct background checks on each employee or independent contractor who will have access to the DAN or Network Data.
(h) Client shall: (i) not use any Akoya or FI name, service mark, or trademark in combination with any other name or trademark in a manner that creates a combination trademark; (ii) contest the validity of, or take any action that a reasonable person would believe would impair, any part of such names or marks, or diminish or dilute their distinctiveness or validity; (iii) challenge ownership of such names or marks or registration thereof; or (iv) attempt to register any of such names or marks in its own name.
(i) Client shall be responsible for all systems that it uses to access the DAN and process Network Data. Client shall use industry best practices to prevent unauthorized access to the DAN through Client’s systems. In the event of a Security Breach (i.e., Akoya Confidential Information or Network Data has been lost, misplaced, disclosed, or accessed by an unauthorized person while in Client’s or its subcontractor’s possession or control), to the extent not prohibited by law enforcement or Applicable Laws, Client shall notify Alacriti promptly, but in any event within twenty-four (24) hours after it first has reasonable suspicion of the occurrence of the Security Breach. Such notice shall include a detailed description of the Security Breach, the type of Customer who was the subject of the Security Breach, and any other information that Alacriti reasonably requests concerning the Security Breach.
(j) Client shall not insert into or transmit through the DAN any malware. Client shall at all times deploy and maintain in connection with all systems that it uses to access the DAN, or process Network Data, up-to-date and reputable detection software for malware and shall otherwise take reasonable steps that are designed to ensure that its systems remain free from malware in all material respects, in each case, at a level consistent with industry security standards. If malware is found to have been introduced into the DAN by Client, Client shall promptly notify Alacriti, and Akoya shall use commercially reasonable efforts to eliminate the malware from the DAN at the expense of Client.
(k) With respect to systems that process Network Data, Client shall implement and maintain a comprehensive written information security program approved by its board of directors (or comparable governing body) or senior management that complies with: (i) the Gramm-Leach-Bliley Act and its applicable implementing regulations; and (ii) the following:
Client must maintain a comprehensive, written information security management program that complies with applicable laws, regulations, and standards. Client must designate one or more named employees to be responsible for the administration of its information security program.
Client must protect and encrypt in transit and at rest (including in backup) Nonpublic Personal Information (as defined, as applicable, in Regulation P, 12 C.F.R. § 1016.3(p) or the FTC Safeguards Rule, 16 C.F.R. § 314.2(l)) received from the Akoya DAN (“NPI”) and authentication credentials for the DAN, using industry accepted encryption protocols and algorithms such as TLS 1.2 and AES-256. Client shall also use reasonable and appropriate safeguards, including encryption where applicable, to protect Akoya’s Confidential Information that is provided via designated secure channels (e.g., API, SFTP, or communications designated by the sender as requiring secure handling).
Client must implement an information classification standard that includes categorization, handling, labeling, encryption use, key and certificate lifecycle management, permitted cryptographic algorithms and associated key lengths, hashing, and digital signatures.
Client must implement a logical access policy that includes but is not limited to the following: enforce the principle of least privilege, account provisioning and deprovisioning, password management, thresholds for inactivity, remote access, segregation of duties, access reviews, MFA for remote and privileged access, and assurance that shared user accounts are not utilized.
Information systems that process or store NPI or Akoya’s Confidential Information must be deployed with security hardened configurations and reviewed at least annually for compliance with Client’s security policies and standards.
Client’s production environment must be isolated from non-production environments. Additionally, NPI should not be used in non-production environments.
Malware protection mechanisms must exist and be deployed to all devices in a manner designed to detect and/or prevent against malware and other threats.
All network communications from Client to Akoya must be inspected and authorized to ensure that they are free from security vulnerabilities.
Client must implement technology, processes, and/or solutions designed to protect against the exfiltration of NPI and Akoya’s Confidential Information.
Client must utilize an independent third party to perform vulnerability scans and penetration tests of the Client’s in scope applications and networks at least annually. Remediation of identified vulnerabilities and security patching must be performed in a manner that is commensurate with the risk rating of the security vulnerability.
Procedures must be in place to securely delete NPI and Akoya’s Confidential Information prior to disposal or reuse of equipment used for logical or physical storage.
Any changes materially and adversely affecting the security, performance, or functionality of Client’s systems that process Network Data must be communicated to Alacriti prior to implementation.
Client’s subcontractors that process Network Data must be identified, assessed, managed, and monitored by Client in accordance with the terms of the Agreement, including compliance with this section.
Client must establish a security incident management program and incident response team to monitor, identify, investigate, contain, resolve, document, and report security incidents. The incident management program must be tested at least annually. In the event an incident or breach affects NPI or Akoya’s Confidential Information, Client must provide Alacriti with a report that includes a summary of the incident or breach and a summary and status of remediation efforts.
Client must establish a fraud management program designed to monitor, identify, prevent, investigate, remediate, and report actual and suspected instances of fraud internally and to Alacriti.
Client must apply reasonable and appropriate safeguards to all records related to the Client’s processing of Network Data and must retain the records as per the requirements defined in the Agreement or Applicable Laws, whichever is longer.
(l) During the term of the Agreement and for a period of twelve (12) months thereafter, upon Akoya’s reasonable notice (but not less than ten (10) days’ notice, except in the case of an audit by a regulator, in which case, notice shall be provided as far in advance as permitted by Applicable Laws), external auditors of Akoya, personnel of Akoya and regulators of Akoya may conduct audits of Client for compliance with these Subscription-Specific Terms, during Client’s normal business hours and in a manner that does not unreasonably interfere with Client’s business. Nothing in this clause requires Client to make available any information in violation of Applicable Law or a third-party contract, or that constitutes a trade secret. Audits shall occur no more than once per calendar year except under the following circumstances: (i) audits by regulators; (ii) a Security Breach of Client occurs; or (iii) if Akoya has a reasonable good faith belief that Client is not in material compliance with these Subscription-Specific Terms.
(m) At least annually, Client shall have a certified independent public accounting firm or another independent, certified, industry-recognized third party (e.g., PwC, Schellman): (i) conduct a review or assessment and provide an attestation, review, or report of all key Client systems and operational controls used in connection with any Network Data or Akoya’s Confidential Information under: (A) SOC 2 Type II, and (B) PCI-DSS Attestation of Compliance (if applicable), and (ii) conduct and provide a full summary of an independent network and application penetration test. Client shall provide a summary of all findings from such assessments to Alacriti upon Alacriti’s written request. Client shall implement all material recommendations set forth in such reports.
(n) Akoya or its designee may conduct a security and risk review of Client prior to Client accessing the DAN and every two (2) years thereafter. Akoya may share with FIs Akoya’s audit results and all summaries and reports provided by Client to Akoya or its auditors pursuant to this section; provided that, Akoya shall require any FI with which it shares such summaries and reports to treat them as Client’s Confidential Information.
(o) Client represents, warrants, and covenants to Alacriti and Akoya that: (i) it has all requisite legal and corporate power to execute and deliver the Agreement; (ii) it has taken all corporate action necessary for the authorization, execution, and delivery of the Agreement; (iii) no agreement or understanding with any third party that interferes with or shall interfere with its performance of its obligations under the Agreement; (iv) it has obtained and shall maintain all rights, approvals, and consents necessary to perform its obligations and grant all rights and licenses granted under the Agreement; (v) it has taken all action required to make the Agreement a legal, valid, and binding obligation of Client, enforceable against it in accordance with its terms; (vi) it has complied with Applicable Laws in its use of Network Data and performance of its obligations hereunder; (vii) Client is not a “consumer reporting agency” or “furnisher” as those terms are defined under the FCRA; (viii) Client will not access, collect, or use Network Data for the purpose of acting as a consumer reporting agency pursuant to the FCRA; and (ix) Client will not knowingly take or authorize any actions with respect to Network Data that would result in Akoya or any of its Affiliates, or any FI or its affiliates, being classified as a furnisher under the FCRA; and (x) neither Client nor any officer or director of Client is a person with whom any Applicable Law of the United States prohibits United States persons from dealing and none of them appear on the OFAC Specially Designated Nationals and Blocked Persons List.
(p) WITH RESPECT TO THE DAN AND NETWORK DATA, NEITHER AKOYA NOR ALACRITI MAKES ANY REPRESENTATIONS OR WARRANTIES AND EACH EXPLICITLY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE, AND NON-INFRINGEMENT. WITHOUT LIMITATION OF THE FOREGOING: AKOYA PROVIDES THE NETWORK DATA, THE DAN, AND ALL OTHER MATERIALS AND AKOYA IP “AS IS” AND “AS AVAILABLE;” NEITHER AKOYA NOR ALACRITI WARRANTS THAT THE DAN OR NETWORK DATA OR THE USE THEREOF SHALL BE TIMELY, SECURE, ERROR-FREE, FREE FROM MALWARE, BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION, OR MEET CLIENT’S BUSINESS OR OPERATIONS PURPOSES; NEITHER AKOYA NOR ALACRITI GUARANTEES OR WARRANTS ANY NETWORK DATA’S ACCURACY, RELIABILITY, COMPLETENESS, INTEGRITY, VALIDITY, CURRENTNESS, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE OR THAT ANY ERRORS IN ANY NETWORK DATA WILL BE CORRECTED; NEITHER AKOYA NOR ALACRITI IS RESPONSIBLE FOR ANY FI’S REFUSAL OR FAILURE AT ANY TIME TO ALLOW ACCESS TO ANY NETWORK DATA. ALACRITI AND AKOYA DISCLAIM ALL LIABILITY AND RESPONSIBILITY ARISING OUT OF OR RESULTING FROM THE CONTENT OF, OR ANY ERRORS CONTAINED IN, ANY NETWORK DATA AND/OR THE ACTIONS OR FAILURES TO ACT OF ANY USER OF THE DAN OR ANY THIRD PARTY. AKOYA AND ALACRITI EXPRESSLY DISCLAIM ANY WARRANTY THAT THE DAN SHALL FUNCTION TO MEET CLIENT’S REQUIREMENTS OR CANNOT BE HACKED, TAMPERED WITH, OR MALICIOUSLY ACCESSED BY THIRD PARTIES. CLIENT ASSUMES ALL RISKS ASSOCIATED WITH ITS USE OF OR INABILITY TO USE THE DAN AND AKOYA IP. IT IS CLIENT’S SOLE RESPONSIBILITY TO DETERMINE THE SUITABILITY AND ADEQUACY OF THE DAN, NETWORK DATA, AND AKOYA IP. FIS AND THEIR AFFILIATES MAKE NO REPRESENTATIONS OR WARRANTIES AND EXPLICITLY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE, AND NON-INFRINGEMENT WITH RESPECT TO THE NETWORK DATA THEY MAKE AVAILABLE THROUGH THE DAN.
WITHOUT LIMITATION OF THE FOREGOING, FIS AND THEIR AFFILIATES: PROVIDE THE NETWORK DATA “AS IS” AND “AS AVAILABLE”; DO NOT WARRANT THAT ANY NETWORK DATA OR THE USE THEREOF SHALL BE TIMELY, SECURE, ERROR-FREE, FREE FROM MALWARE, BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION, OR MEET CLIENT’S BUSINESS OR OPERATIONS PURPOSES; DO NOT GUARANTEE OR WARRANT ANY NETWORK DATA’S ACCURACY, RELIABILITY, COMPLETENESS, INTEGRITY, VALIDITY, CURRENTNESS, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE; OR THAT ANY ERRORS IN ANY NETWORK DATA WILL BE CORRECTED. CLIENT EXPRESSLY UNDERSTANDS AND AGREES THAT IT ASSUMES ALL RISKS ASSOCIATED WITH ITS USE OF OR INABILITY TO USE NETWORK DATA. IT IS CLIENT’S SOLE RESPONSIBILITY TO DETERMINE THE SUITABILITY AND ADEQUACY OF NETWORK DATA.
(q) Client shall indemnify, defend, and hold Akoya, each FI, Alacriti, and its and their respective Affiliates, and the respective directors and officers of each harmless from and against any and all losses resulting from any claims (collectively, the “Akoya Indemnitees”) arising from: (i) the violation or alleged violation of any Applicable Law by Client or any of its Affiliates or subcontractors (each, a “Client Party”); (ii) any Client Party’s use of the DAN or Network Data; (iii) any Client Party’s violation or alleged violation of any agreement between any Client Party and any end user, including any consent obtained by the Client from the end user; (iv) the occurrence of a Security Breach of any Client Party; (v) any Client Party’s breach or alleged breach of these Subscription-Specific Terms; or (vi) any Client Party’s fraud, gross negligence, or willful misconduct.
(r) AKOYA AND ALACRITI SHALL HAVE NO LIABILITY WHATSOEVER FOR: (i) ANY TRANSACTIONS OCCURRING BETWEEN OR AMONG ANY END USER AND CLIENT OR BETWEEN ANY END USER AND ANY FI ARISING FROM OR RELATING TO ANY NETWORK DATA OR (ii) ANY LOSSES ARISING FROM OR RELATING TO ANY INACCURACY, ERROR, OR OMISSION IN NETWORK DATA AS PROVIDED THROUGH THE DAN, ANY INTERRUPTION IN THE DAN, ANY INTERRUPTION OR DELAY IN THE TRANSMISSION OF NETWORK DATA, OR ANY ACTION, INACTION, OR DECISION OF ANY END USER BASED (IN WHOLE OR IN PART) ON NETWORK DATA TRANSMITTED THROUGH THE DAN. NONE OF AKOYA, ALACRITI, ANY OF THEIR AFFILIATES, ANY FIS, OR ANY OF THEIR PERSONNEL OR LICENSORS SHALL BE LIABLE TO CLIENT OR ANY OTHER PERSON FOR ANY LOSS OR INJURY ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, THE RELIANCE OF CLIENT OR SUCH OTHER PERSON ON THE CONTENT OF THE NETWORK DATA OR CLIENT’S OR SUCH OTHER PERSON’S ACTS OR OMISSIONS IN RELATION TO THE DAN OR THE NETWORK DATA TRANSMITTED THROUGH THE DAN.
(s) TO THE FULLEST EXTENT PERMITTED BY LAW, NONE OF AKOYA, ALACRITI, OR ANY OF THEIR AFFILIATES, SUPPLIERS, LICENSORS, OR FIS SHALL BE LIABLE UNDER THESE SUBSCRIPTION-SPECIFIC TERMS FOR ANY: (i) INDIRECT, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE, OR SPECIAL DAMAGES; (ii) DAMAGES FOR LOSS, ERROR, OR INTERRUPTION OF USE OR NETWORK DATA (IN EACH CASE, WHETHER DIRECT OR INDIRECT); OR (iii) THE COST OF COVER OR LOSS OF BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), REGARDLESS OF THE FORM OF THE ACTION OR THE THEORY OF RECOVERY (INCLUDING CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE), EVEN IF SUCH PERSON KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES OR LOSSES WERE POSSIBLE OR FORESEEABLE.
(t) TO THE FULLEST EXTENT PERMITTED BY LAW, AKOYA’S CUMULATIVE AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE SUBSCRIPTION-SPECIFIC TERMS SHALL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY ALACRITI TO AKOYA FOR CLIENT’S USE OF THE DAN UNDER THESE SUBSCRIPTION-SPECIFIC TERMS DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY, AND ALACRITI’S CUMULATIVE AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE SUBSCRIPTION-SPECIFIC TERMS SHALL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY CLIENT TO ALACRITI FOR CLIENT’S USE OF THE DAN UNDER THESE SUBSCRIPTION-SPECIFIC TERMS DURING THE TWELVE (12) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY.
(u) Upon the termination of Client’s Order for the DAN, Client shall immediately cease all access to and use of, and delete the Network Data.
(v) Client shall maintain in effect at all times during the Term, at its sole expense, sufficient and adequate insurance coverage for the types of business that it conducts. Without limitation of the foregoing, Client’s insurance coverages must cover claims (and any associated costs and damages, including data breach investigation, data breach notification, and credit monitoring costs) arising from: (i) Security Breaches; (ii) violations by Client of any privacy right; (iii) Client’s breach of Applicable Laws; (iv) Client’s breach of, or non-compliance with, PCI DSS or any similar rules; and (v) data theft, damage, destruction, or corruption, including unauthorized access, unauthorized use, identity theft, theft of personal information, and transmission of malware; and be in an amount not less than ten million dollars ($10,000,000) per claim and annual aggregate.
(w) Client shall provide the end user with a disclosure electronically or in writing that is clear, conspicuous, and segregated from other material. The disclosure shall include: (i) Client’s name; (ii) the name of the FI that controls or possesses the account information that Client seeks to access on the end user’s behalf; (iii) a brief description of the product or service that the end user has requested from Client and a statement that the Client will collect, use, and retain the Network Data only for the purpose of providing that product or service to the end user; (iv) the categories of account information that will be accessed by Client; (v) a statement from Client certifying to the end user that Client agrees to the obligations set forth in clause (x) below; and (vi) the following statement: “[Client] uses Akoya LLC to collect, standardize, and transmit to [Client] your account information.” Client shall obtain the End User’s express informed consent to the foregoing disclosure in the form of an electronic or written signature thereto. Client shall make available to the end user a copy of the disclosure described in this clause. Client shall provide contact information that enables an end user to receive answers to questions about Client’s access to the Network Data. Client shall establish and maintain reasonable written policies and procedures designed to ensure that Client provides to the end user, upon request, relevant information about its access to the end user’s Network Data. Client shall provide the end user with a mechanism to revoke consent for the collection, use, or retention of Network Data that is as easy to access and operate as the initial consent process. Client shall not impose on the end user costs or penalties for revoking consent. Client shall notify Alacriti and other third parties to which it has provided the end user’s Network Data when Client receives a revocation request from the end user. 
Upon receipt of an end user’s revocation request or notice of a revocation request from an FI, Client shall: (i) cease collecting the end user’s account information via the DAN; and (ii) cease use and retention of the end user’s Network Data, unless use or retention is required by Applicable Law.
(x) Client shall limit its collection, use, and retention of Network Data to what is reasonably necessary to provide the end user’s requested product or service. Client shall not collect, use or retain Network Data for (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of Network Data (including de-identified and aggregated data). Collection of Network Data for purposes of clauses (x) and (w) includes the scope of Network Data collected and the duration and frequency of collection of Network Data. Client may not provide Network Data to a third party for a purpose inconsistent with clauses (w) or (x) of this section. Before providing Network Data to a third party, Client shall ensure that either it has obtained the applicable end user’s consent to do so and require the third party by contract to comply with these obligations.
(y) In addition to the limitations described in clauses (w) and (x), Client shall limit the duration of collection of Network Data to a reasonable period after the end user’s most recent consent. A period of one year is presumptively reasonable.
(z) To collect Network Data beyond the period described in clause (y), Client shall obtain a new consent from the end user pursuant to the requirements above. Client may ask the end user for a new consent in any reasonable manner. If an end user does not provide Client with a new consent, Client shall: (i) cease collecting account information with respect to the end user; and (ii) cease use and retention of the end user’s Network Data that was previously collected pursuant to the end user’s consent.
(aa) Client shall establish and maintain written policies and procedures that are reasonably designed to ensure retention of records that are evidence of compliance with the requirements of these Subscription-Specific Terms. Such records shall include a copy of the disclosure that is signed or otherwise agreed to by the end user and reflects the date of the end user’s signature or other written or electronic consent and a record of any actions taken by the end user to revoke the end user’s consent. Client must retain such records with respect to an end user for not less than three years after Client obtains the end user’s most recent consent. Client shall periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness.
(bb) Client acknowledges and agrees that Akoya and any of Akoya’s affiliates providing the DAN or Network Data, and the FIs, are intended to be, and shall be third party beneficiaries of these Subscription-Specific Terms and the Agreement. Client further acknowledges and agrees that Akoya and the FIs are entitled to enforce their rights under the Subscription-Specific Terms and the Agreement directly against Client.