Service Schedule – Connectivity – USA

Last update: August 3, 2023

1. DEFINITIONS

“Errors” shall have the meaning ascribed to it in Section 3(e).

Unless otherwise defined herein, all capitalized terms carry the definitions ascribed to them in the Master Terms, or Order Form, as applicable.

2. CONNECTIVITY SERVICE

Pursuant to the Flinks Master Terms and Conditions set forth at https://flinks.com/terms-conditions/, and the applicable Order Form between Flinks and Client, Flinks shall provide Client with the following Service:

a) The core functions of Connectivity include, without limitation:

1. The ability to search through a list of supported Data Sources within the Territory designated in any applicable Order Form(s); 
2. The ability to obtain metadata on the type of authentication required for each Data Source (e.g. questions, multi-factor authentication); 
3. The aggregation of enriched data from each Data Source, including the End-Customer’s name, account transactions, account number, account transit number, and account institution number; and

b) Where Client wishes to consume End-Customer Data from Data Sources through Flinks’ “Open Banking” APIs with applicable Data Sources, Client shall comply with the obligations set forth in Schedule A-2 attached hereto entitled “Schedule A-2 – End-Customer Data via Data Access Method (USA)”.

c) Should Client anticipate a temporary increase in the number of End-Customers using the Embedded Service, or Accounts established through the Services (each a “Volume Spike”) for reasons including, but not limited to, marketing campaigns or activations, Client will provide Flinks with no less than forty-eight (48) hours prior written notice of an anticipated Volume Spike specifying the anticipated (i) commencement of such Volume Spike, (ii) duration of such Volume Spike, and (iii) approximate number of End- Customers using the Connection Method or Data Access Method during such Volume Spike (the “Volume Spike Notice”). Flinks shall not be responsible for any reduction in the Connection Method Availability, or unavailability thereof, including as relates to the Data Access Method, Flinks Connect’s availability, and Flinks’ general ability to deliver the Services during the Volume Spike where Client fails to provide Flinks with a Volume Spike Notice, as applicable.

d) The above Service do not include any professional, technical, consulting or integration services.

3. SERVICE TERMS

a) Set Up

Flinks shall set up and deploy the Service so that it is operational for Client at no cost or charge to Client.

b) Application

Client shall be solely responsible for (i) providing, operating and maintaining the Application ii) hosting the Application on the Client’s site, and (ii) hosting, operating and maintaining the Integrated Service, all pages on which the Integrated Service is displayed or made available for use by End-Customers, and the Client’s website. 

c) Data Sources

All Data Sources that are generally available to all Flinks clients operating in the Territory will be available to Client. Flinks will be entitled to remove any Data Source from the Services for any reason in its reasonable discretion.

d) Operational Metrics

Connection Method Availability and Flinks Connect Availability are monitored on a 24/7 basis and assessed on a monthly basis. Flinks commits to deploy its best efforts to ensure 99% Connection Method Availability and Flinks Connect Availability, excluding Scheduled Maintenance, Emergency Maintenance and any Data Source malfunction outside of Flinks’ control.

e) Technical Support

In the event that any bugs, defects, delays, hindrances, or other errors (collectively, “Errors”) occur, Client will report to Flinks the Error in accordance with the Severity Levels (to be reasonably determined by Client) as set forth in Schedule A hereto. Flinks commits to deploy its best efforts to respond to an Error, depending on the Severity Level, within the time frames set forth in Schedule A entitled “Schedule A – Support”, starting from the time Client notifies Flinks of the Error.

SCHEDULE A – SUPPORT

1. Technical support times for the Service described in this Service Schedule are as follows during the Term: 

Severity Level	Acknowledgement Time	Engagement Method
“Severity Level 1” is an emergency condition which makes the use or continued use of any one or more functions of the Software impossible or significantly impaired. The condition requires an immediate solution that is not already available to Client.	Upon reception of report from the Client.	If found by Flinks: Flinks shall call or email the Client business lead. If found by Client: Client shall open a support ticket by emailing [email protected] (Canada) or [email protected] (USA) and shall immediately call or email Flinks’ relationship manager assigned to Client.
“Severity Level 2” is, other than any Severity Level 1 problem, any condition which makes the use or continued use of any one or more functions of the Software difficult and which Client cannot reasonably circumvent or avoid on a temporary basis without the expenditure of significant time or effort.	< 1 hour	If found by Flinks: Flinks shall email the Client business lead. If found by Client: Client shall open a support ticket by emailing [email protected] (Canada) or [email protected] (USA) and shall call or email Flinks’ relationship manager assigned to Client.
“Severity Level 3” is, other than any Severity Level 1 problem or Severity Level 2 problem, any limited condition which is not critical in that no loss of Client Data occurs and which Client can reasonably circumvent or avoid on a temporary basis without the expenditure of significant time or effort.	< 4 hours	If found by Flinks: Flinks shall update the Status Update website (status.flinks.com). If found by Client: Client shall open a support ticket by emailing [email protected] (Canada) or [email protected] (USA).
“Severity Level 4” is, other than any Severity Level 1 problem, Severity Level 2 problem or Severity Level 3 problem, a minor condition or Documentation error which Client can easily circumvent or avoid. Additional requests for new feature suggestions, which are defined as new functionality in existing Software, are also classified as Severity Level 4.	< 1 day	If found by Flinks: Flinks shall contact Client to schedule an ad hoc meeting or a quarterly business review. If found by Client: Client shall contact Flinks’ relationship manager assigned to Client.

SCHEDULE A-2 – END-CUSTOMER DATA VIA DATA ACCESS METHOD (USA)

1. DEFINITIONS

“Auditors” shall have the meaning ascribed to it in Section 5.2(e) to this Schedule A-2.

“Express Consent” means the electronic communication from a Person to a Party granting permission for a specific action that is maintained in a system log or database that ensures completeness and integrity, and permits verification of the consent upon request of the records. Express Consent must be presented and captured in a clear and conspicuous manner and may not automatically enroll a customer into an agreement without taking an express action. 

“Internal User” means Client Personnel accessing the US Data Access Method from time to time.

“Red Flags” shall have the meaning ascribed to it in Section 5.1(c) to this Schedule A-2 or Section 4(a)(iii) of Appendix 2 to this Schedule A-2.     

“US Data Source” means any provider of a Data Source that is made available through the US Data Access Method from time to time. 

2. SERVICE LICENSE – US DATA ACCESS METHOD

2.1 License

Subject to the terms and conditions set forth in this Schedule A-2, Flinks hereby grants to Client a limited, revocable, non-exclusive, non-sublicensable, non-transferable license to use the US Data Access Method and the Flinks Technology as necessary for Client to receive and use End-Customer Data in accordance with this Amendment.

2.2 SLA (Frequency of Access to the US Data Access Method)

a) The US Data Access Method will respond to a US Data Source API call made by Client within seconds of receiving said API call. Flinks shall abandon (timeout) any such US Data Source API call that takes longer than thirty (30) seconds and retry processing of said US Data Source API call at a later time. 

b) In order to reasonably preserve US Data Sources’ systems’ integrity and availability, such US Data Sources may limit the number of US Data Source API calls per second or per day. The Parties hereto agree and recognize that US Data Sources may modify these limits or create or modify tiers of access limitations as is reasonably necessary to meet the above goal. Requests exceeding these thresholds will be rejected and must be resubmitted at a later date/time.

3. PRIVACY

3.1 Consent

1. Subject to the terms of the Agreement, Flinks will permit Client to use and access the US Data Access Method solely for Client to collect End-Customer Data as authorized by each respective End-Customer in support of the Client providing the Client Services to that End-Customer. 
2. With respect to consents required to be obtained from End-Customers hereunder, Client must have and maintain such systems and procedures as may be reasonably necessary or otherwise required by Flinks and US Data Sources to actively track, monitor, and document such End-Customer consent and any revocation thereof.
3. Pursuant to the terms of the Agreement and then only to the extent permitted by that End-Customer’s Express Consent and by Applicable Laws, Flinks may share End-Customer Data with Client as requested by the End-Customer in support of providing Client Services. 
4. Subject to c) above, Client shall not sell, exploit, commercialize, or otherwise reveal (i) any End-Customer Data, (ii) any information based on or derived from End-Customer Data, including in any de-identified form, Aggregated Data and Anonymized Data, or (iii) any combination or aggregation of End-Customer Data, including in any de-identified form, Aggregated Data and Anonymized Data, with other information or data. 
5. Client shall, prior to any access or use of the US Data Access Method, include in each respective End-Customer Agreement the minimum terms and conditions governing such End-Customer’s use and access to the Client Services in the form of an End-Customer Agreement that is substantially equivalent to and includes terms at least as protective of Flinks and US Data Sources as those minimum End-Customer terms and conditions attached hereto as Appendix 1 to Schedule A-2 – End- Customer Minimum Terms and Conditions, as amended and supplemented from time to time in accordance with this Agreement.

3.2 End-Customer Agreement

1. Notwithstanding the foregoing or anything to the contrary herein, the End-Customer Agreement shall: (i) be prominent, written, accurate and easy-to-understand by a reasonable consumer; (ii) accurately set forth what data (including all compilations, aggregations, and combinations of the same) is collected, how collected data will be used, and how collected data will be shared, exchanged, or sold; (iii) provide clear and conspicuous disclosures to all End-Customers and prospective End-Customers, legally sufficient to comply with applicable law regarding the collection, use, and sharing described; (iv) identify or disclose to each End-Customer any and all categories of third parties to whom End-Customer Data may be provided or who may use, receive, store, or process the same; (v) inform End-Customers of their rights with respect to End-Customer Data including, without limitation, the right to terminate access and require deletion; (vi) inform End-Customers that the End-Customer Data does not represent an official record of the End-Customer’s account with any relevant financial institution; (vii) state that Client  is acting independently, and not on behalf of any third party, in providing its application or services; (viii) describe how the End-Customer Data will be protected in the event that Flinks or Client ceases operating as a going concern or otherwise ceases to make available the Client Services to End-Customers, describing how End-Customer Data in Client’s possession or control will be safeguarded, deleted, and purged in such circumstances; (ix) provide US Data Sources the same liability restrictions and limitations and warranty disclaimers to which Flinks and Client are entitled under such End-Customer Agreement, to include but not be limited to: (a) exclusion of all implied warranties, including without limitation for merchantability and fitness for a particular purpose; (b) exclusion of consequential, special, indirect, incidental, punitive, exemplary and tort damages in connection with the Client Services and End-Customer Data made available through the US Data Access Method; and (c) inclusion of a quantifiable limitation of liability for direct and indirect damages in connection with the US Data Access Method as further set forth herein; (vi) release Flinks and US Data Sources of all liability and obligation related to any delays, inaccuracies or incomplete Client Services caused by the failure of Flinks and/or Client and/or its third party providers to properly or timely meet their obligations or requirements; and (viii) be agreed to by End-Customers prior to access to the US Data Access Method or restrict such access until after End-Customers consent to the End-Customer Agreement has expressly occurred.
2. In accordance with the End-Customer Agreement, Client shall secure the grant of a nonexclusive, worldwide, royalty-free license for Flinks and US Data Sources to reproduce, display, adapt, enhance, aggregate, transmit, distribute and otherwise use End-Customer Data as necessary or reasonable to provide the Services and to use the End-Customer Data in anonymized and aggregated form for generating Aggregated Data.
3. Flinks may amend and supplement Schedule A-2 at any time during the Term by providing written notice to Client. Client shall have sixty (60) days from receipt of such notice to update its End-Customer Agreement to reflect such amendment or supplement, provided that Client must always comply with Applicable Law.

3.3 End-Customer Account Unlinking and Deletion

Client must provide End-Customers the ability to unlink such End-Customer Data from any Client application or service. In the event that any End-Customer unlinks (or requests the unlinking of) its End-Customer Data from any Client application or service, Client will promptly notify Flinks of the same. Upon request by End-Customer, Client shall promptly and permanently delete all End-Customer Data in its possession or control, and promptly notify Flinks of the same.

4. RESTRICTIONS

4.1

When accessing an End-Customer’s online account, Client shall not engage in any other activities beyond accessing the information that an End-Customer has directed Client to access, including but not limited to: altering an End-Customer’s account settings, initiating payments or money movement, accepting terms and conditions on behalf of an End-Customer, or responding to a query intended for an End-Customer.

4.2

Without limiting the foregoing, and regardless of whether the applicable End-Customer has consented, Client or Client’s third-party providers shall not: (1) market, sell, lease, license, or otherwise commercialize any End-Customer Data or any Aggregated Data or derived from End-Customer Data; or (2) use or disclose for marketing purposes any End-Customer Data or other personal or personally-identifiable information received by Client or Client’s third party providers from or through US Data Sources or their APIs. (3) analyze, aggregate, or otherwise use APR, APY, or credit limit data to reverse engineer or otherwise ascertain or derive a US Data Sources’ confidential and/or proprietary commercial information, including credit models, credit algorithms, or other business processes or calculations which are not otherwise available to the public. (4) collect, use, or retain any historical values for APR, APY, or credit limit once an updated value has been received via a US Data Source’s API.

4.3

Client shall not use or disclose any End-Customer Data accessed through the Services, except for the purposes of: (i) providing the End-Customer Data directly to the applicable End-Customer; (ii) storing, processing, and transmitting the End-Customer Data in accordance with the consents granted by the End-Customer; and (iii) complying with applicable law or mandatory requests of a government or regulatory body.

4.4

Client shall not: (i) make the US Data Access Method available to anyone other than authorized Client Personnel and End-Customers; (ii) license, sublicense, sell, resell, rent, lease, transfer, assign (except as permitted by the Agreement), distribute, time share or otherwise commercially exploit or make the US Data Access Method available to any third party, other than to Clients and End-Customers or otherwise contemplated by this Amendment; (iii) attempt to gain unauthorized access to the US Data Access Method or related systems or networks; (iv) access the US Data Access Method with the intent of building a new competitive product or service, or copy any ideas, features, functions or graphics of the US Data Access Method in order to build such new competitive product or service; (v) access or engage in any use of the US Data Access Method in a manner that abuses or materially disrupts Flinks or US Data Sources’ networks, security systems, the US Data Access Method or websites; (vi) interfere with or disrupt the integrity or performance of the US Data Access Method or data contained therein; (vii) modify, copy, display, republish, or create derivative works based on the US Data Access Method or the underlying software; (viii) modify, copy, or create derivative works of the US Data Sources’ materials; (ix) frame, scrape, link to or mirror any content forming part of the US Data Access Method (provided that this shall not limit Flinks or Client’s ability to gather End-Customer Data in accordance with the proper use of the US Data Access Method), other than on Clients’ own intranets or otherwise for its own internal business purposes; (x) reverse engineer, reverse assemble, disassemble, decompile or otherwise attempt to decipher any code used in the US Data Access Method, underlying software, or US Data Sources’ materials; (xi) use the US Data Access Method for fraudulent purposes or otherwise in violation of Applicable Laws; (xii) send Flinks or US Data Sources, or process through the US Data Access Method, any data of an End-Customer, or any third party, that falls under the protections of the Health Insurance Portability and Accountability Act (HIPAA) of 1996; (xiii) use the US Data Access Method to send spam or otherwise duplicative or unsolicited messages in violation of Applicable Laws; (xiv) use the US Data Access Method or End-Customer Data to send or store infringing, obscene, threatening, libelous, or otherwise unlawful or tortious material, including material harmful to children or violative of third-party privacy rights or in any manner that encourages, supports, or promotes illegal activities or unlawful gambling; (xv) upload to the US Data Access Method  or use the US Data Access Method to send or store viruses, worms, time bombs, Trojan horses or other harmful or malicious code, files, scripts, agents or programs; (xvi) conduct any platform or system level testing of the US Data Access Method; (xvii) permit any third party to utilize or access the US Data Access Method except Client and End-Customer access and third parties expressly permitted under this Agreement or for whom Flinks has given Client prior written permission; or (xviii) where the End-Customer Data is provided in a de-identified form, re-identify or attempt to re-identify such End-Customer Data.

4.5

With respect to End-Customer Data made available through the US Data Access Method, Client shall not attempt to use, disclose or process the End-Customer Data to target market products or services to End-Customers that are directly competitive to those offered by any US Data Source, by using such End-Customer’s status as a customer of a US Data Source as criteria.

5. SECURITY

5.1 Data Security

1. Client will establish and maintain a written information security program that is consistent with the generally accepted industry standards, including SSAE-18 SOC2 Type 2, which include safeguards against the disclosure, destruction, loss, or alteration of End-Customer Data. Client will institute security measures consistent with best practices in the financial services industry.
2. Each Client’s written information security program will, at a minimum, be designed to: (a) ensure the security, integrity and confidentiality of End-Customer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of End-Customer  Data; (iii) protect against unauthorized access to or use of End-Customer Data that could result in substantial harm or inconvenience to the person or entity to whom the End-Customer Data relates; and (iv) ensure the proper disposal of End-Customer Data.
3. With regard to End-Customer Data, and to the extent 16 C.F.R. Part 681 (Identity Theft Rules) is applicable to Client, each Client will have policies and procedures to detect patterns, practices, or specific activity that indicates the possible existence of identity theft (“Red Flags”) that may arise in the performance of Client’s obligations under the Agreement and report the Red Flags to Flinks and take appropriate steps to prevent or mitigate identity theft.
4. Each Client will only transfer (including internal Client transfers that occur beyond the internal firewalls of a Client) End-Customer Data in a secure and confidential manner, including, at a minimum, encrypting the data in accordance with best practices in the financial services industry.
5. Each Client will use a Flinks approved real-time intrusion detection system on all Client Systems. Each Client will actively monitor the intrusion detection system for activities that correspond to attempts at breaking the security of the Client System. Along with the deployment of such an intrusion detection system, each Client will adopt and follow operational procedures to disable the source of any perceived attack and escalation procedures to notify Flinks and Client security groups for follow-up action.
6. Each Client will provide real-time security event logging data for all Client Systems that contain, process, transact or in any way make up the control or processing environment of the US Data Source’s data or systems, to a log retention server that Flinks designates and operates.

5.2 Security & Audits 

1. In addition to Flinks’ other audit rights under the Amendment, Auditors and applicable US Data Sources may, no more than once per calendar year, conduct on-site security reviews and assessments, vulnerability testing, and disaster recovery testing Client Systems used for hosting, storing or processing End-Customer Data, and otherwise audit a Client’s operations for compliance with the security requirements described herein. If vulnerabilities are identified, Client will: (i) promptly document
2. and, within formally established timelines, implement a mutually agreed upon remediation plan; and (ii) upon Flinks’, applicable US Data Sources’ or Auditors’ request, provide Flinks, such US Data Sources’ or such Auditors with the status of the implementation.Commencing in the year on which Client first accesses the US Data Access Method, once annually, Client will have a certified independent public accounting firm or another independent, certified, industry-recognized third party: (i) conduct a review or assessment and provide a full attestation, review, or report under SOC 2 Type II of all key Client Systems and operational controls used in connection with any End-Customer Data; and (ii) conduct and provide a full report of an independent network and application penetration test. Upon reasonable written request, Client will make available all findings from these attestations, reviews, and tests to Flinks and applicable US Data Sources. Each Client will implement commercially reasonable recommendations set forth in such attestations, reviews, reports and other reasonable recommendations made by Flinks or US Data Sources arising out of their respective analysis of such reviews. Each Client will, upon Flinks’ or such applicable US Data Sources’ reasonable request, provide Flinks and/or such applicable US Data Sources with the status of such implementation.
3. Client agrees that (i) Flinks and/or applicable US Data Sources may monitor, record and review any access to the US Data Access Method at any time and without notice to Client (ii) Flinks and applicable US Data Sources may, wherever they do business, store and otherwise process business contact information of any Client that has provided such information in connection with this Agreement, for example, name, business telephone, address, email, and user ID for business dealings with Client, and (iii) the personnel and resources of Flinks and US Data Sources are located at sites worldwide and Flinks and such US Data Sources may use such personnel and resources to carry out their rights and obligations under the Agreement. Client consents to the foregoing, and Client will ensure that all Client Personnel are advised of, and have consented to, all such activities. Client, on its own behalf and on behalf of Client Personnel, waives any right or claims of privacy (express or implied) with respect to all such activities.
4. Client acknowledges that Flinks and US Data Sources intend to cooperate fully with any government authorities, including law enforcement or judicial investigations, regarding any access to the US Data Access Method or any End-Customer Data. This cooperation may include disclosure of the identity of, and the information transmitted or received by, Personnel and Persons accessing the US Data Access Method.
5. Flinks and applicable US Data Sources, their internal and external auditors, their Personnel and regulators (“Auditors”) have the right, but not the obligation, during the Term, to, no more than once per calendar year, unless requested by Flinks’ or US Data Sources’ regulators, audit, review and inspect books and records and any other documents, including security logs, as well as the facilities and systems of any Client. Other than with respect to audits, reviews or inspections by regulators or US Data Sources or in an emergency, Flinks will provide Client reasonable notice of any audit, review or inspection. Client agrees to reasonably cooperate and assist, without charge, in any audit, review or inspection of such books and records that Flinks or US Data Sources may undertake. In addition to the audit described herein, Client shall cooperate in quarterly contract reviews from Flinks and US Data Sources to confirm compliance with agreed-to terms.

5.3 End-Customer Complaints

Client will notify Flinks within twenty-four (24) hours upon becoming aware of any concerns raised by an End-Customer relating to unauthorized access or unauthorized use of End-Customer Data made available through the US Data Access Method. Client will be responsible for managing any disputes or issues raised by an End-Customer relating to the US Data Access Method. Flinks and US Data Sources will have the right to engage with the End-Customer directly regarding any issues and complaints relating to the unauthorized access of End-Customer Data, and will have the right to terminate access to any End-Customer Data at any time to address an End-Customer issue or complaint; provided, that, Client will remain solely responsible for any unauthorized access or use of End-Customer Data once it is accessed or in the possession of Client.

5.4 Security Breach

In the event of an actual or suspected Security Breach at the premises of Client, Client will notify Flinks promptly. Such notice shall include a detailed description of the Security Breach, and any other information Flinks may reasonably request concerning the Security Breach. Client agrees to promptly, at its own expense, investigate the Security Breach, identify, prevent and mitigate the effects of any such Security Breach, and carry out any remediation necessary, in its reasonable judgment, including providing notification to the affected End-Customers. Following any Security Breach, Client will cooperate reasonably with Flinks in determining its legal obligations with respect to notifying its customers, regulators, US Data Sources and/or law enforcement, if any. The Parties shall provide each other any documentation reasonably necessary to issue such communication(s) and notification(s).

5.5 Suspension of Access

a) Flinks will have the right to suspend the access of any Client, in whole or in part, to any US Data Access Method and End-Customer Data for the following reason(s): (i) Flinks and/or US Data Source’s good-faith belief that such Client is acting in an unauthorized manner with respect to its access to any US Data Access Method or End-Customer Data; (ii) an End-Customer requests that Flinks and/or US Data Source no longer permit such Client to access its End-Customer Data (such suspension will only be applied to the requesting End-Customer); (iii) Flinks and/or US Data Source’s good-faith belief that there is a material risk to the security or integrity of the US Data Access Method, End-Customer Data, systems or operations of a US Data Source, or Client Systems; or (iv) that suspending access is reasonably necessary to prevent harm to the business or reputation of any of Flinks or a US Data Source and/or End-Customers.

b) The Parties will work together in good faith to remediate the reason for any suspension, with Flinks having the final authority as to the reasonable duration and extent of any suspension. At any point, upon notice to Client, Flinks will have the right to terminate the Client’s access to the US Data Access Method and End-Customer Data by providing Client notice to address the risk of a Security Breach or where necessary to comply with a requirement of Applicable Laws.

c) Upon receipt of notice of suspension, the Client will immediately: (a) cease attempting to access the affected End-Customer Data, whether through the US Data Access Method or otherwise; and (b) comply with Flinks’ reasonable requests to assist Flinks in remediating and preventing further harm.

6. CONFIDENTIALITY

6.1 Obligations

a) Neither Party shall (i) make any use or copies of the Confidential Information of the other except as necessary to perform its obligations under the Agreement, (ii) acquire any right in or assert any lien against the Confidential Information of the other, or (iii) refuse for any reason (including a default or material breach of the Agreement by the other Party) to promptly provide the other Party’s Confidential Information (including all copies thereof) to it if requested in writing to do so.

b) Client will ensure that Client Personnel comply with these confidentiality provisions, and that all Client Personnel handling such Confidential Information have been appropriately trained in the implementation of the applicable information security policies and procedures. Client is responsible and liable for all acts and omissions of all Client Personnel. Client must regularly audit and review its respective information security policies and procedures to ensure their continued effectiveness and determine whether adjustments are necessary in light of circumstances including changes in technology, customer information systems or threats or hazards to Confidential Information.

c) Notwithstanding anything to the contrary set forth elsewhere in the Agreement, Flinks will be permitted to (1) identify any Client by name, as a recipient of End-Customer Data, and (2) disclose the existence of the Agreement and the terms and conditions hereof to any independent third party audit firm (engaged by Flinks) that agrees to hold in confidence the Agreement and its terms (subject to customary and reasonable exceptions and except as otherwise expressly set forth herein).

6.2 Exceptions

Any combination of Confidential Information disclosed with information not so classified will not be deemed to be an exclusion of the Parties’ confidentiality obligations as set forth in the Agreement merely because individual portions of such a combination are free of any confidentiality obligation or are separately known in the public domain.

6.3 Control & Oversight

During the term, Client will ensure the following:

a) Information. A security awareness program must be in place or implemented that communicates security policies to all Client Personnel having access to Confidential Information.

b) Notification to Flinks of changes that may impact the security of Confidential Information, as determined by Client in its sole discretion, acting reasonably. Such changes requiring notification include, by way of example and not limitation, outsourcing of computer networking, data storage, management and processing or other information technology functions or facilities and the implementation of external web-enabled (Internet) access to Confidential Information.

c) Use of strong, industry-standard encryption of Confidential Information transmitted over public networks (e.g., Internet, non-dedicated leased lines) and backup tapes residing at off-site storage facilities.

6.4 Reports

Upon request or on a periodic basis as mutually agreed upon between the Parties, Client will provide Flinks with reports in connection with the utilization of the US Data Access Method and access to End-Customer Data, including the number of End-Customers using specific Client Services, the number of logins to the US Data Access Method, the number of End-Customers notified to authorize any Client to access End-Customer Data through the US Data Access Method, the number of completed migrations to the US Data Access Method and connectivity success rates and errors (collectively the “Access Activity”). Client will submit samples of such reports within 30 days after the Effective Date to Flinks for its approval, and incorporate any input or change request from Flinks within 30 days of receipt of such input or change request. 

7. REPRESENTATIONS & WARRANTIES

7.1 Authorities of Non-Infringement

Each Party represents, warrants and covenants that it has all rights and authority required: (a) to enter into this Agreement, free from all liens, claims, encumbrances, security interests and other restrictions; (b) to provide the information or materials required to be provided to the other Party in accordance with the terms herein; (c) for the other Party to use such information or materials in accordance with the provisions of the Agreement, and that such use will not violate any Applicable Law. 

7.2 Personnel Policies

Each Party maintains and effectively administers comprehensive policies and procedures for qualifying its Personnel who are natural persons, and that those policies and procedures include work authorization verification, background checks, all to the extent permitted by applicable law and any applicable collective bargaining agreement.

7.3 Harmful Code

Each Party will use commercially reasonable efforts to eliminate in any computer systems it uses to exchange software or other data electronically with the other Party or its customers, any computer code designed to damage, disrupt, disable, harm, or otherwise impede in any manner, the orderly operation of any software, data files, firmware, hardware, computer system or network.

7.4 Client Covenants

Client covenants that during the Term:

• Client will prevent (i) the introduction or proliferation of any computer virus into Flinks’ and/or US Data Source’s systems or any other systems used in connection with the provision of the US Data Access Method, and (ii) damage or loss of any Flinks and/or US Data Source System or End-Customer. Without limiting Client’s other obligations under the Agreement, Client covenants that if there is any damage or loss to Flinks’ and/or US Data Source’s systems, or End-Customer Data caused by a Client or caused or introduced by viruses or a computer virus in or passed through a Client System or other resources provided by a Client, then Client will mitigate (including restoration of such End-Customer Data on a Flinks and/or US Data Source System, and End-Customer Data) the cause and effects of such damage, loss, viruses or Computer Virus (including restoring or recovering any data or results at no charge to Flinks and/or US Data Source within a commercially reasonable time); 
• Client shall not operate as a “consumer reporting agency” as that term is defined under the Fair Credit Reporting Act (“FCRA”), and that if any Client ever becomes a “consumer reporting agency,” or otherwise subject to FCRA, it will comply with all applicable rules and regulations of FCRA. Client acknowledges that, in connection, with the Agreement Flinks is not a consumer reporting agency nor a furnisher of information to consumer reporting agencies, and no Client will use any US Data Source End-Customer Data furnished under the Agreement to prepare or compile a consumer report. Client agrees that it will notify Flinks, as legally permitted and practicable, of any regulatory investigation initiated by any regulator with jurisdiction involving FCRA. 

8. DISCLAIMER OF WARRANTIES

8.1 DISCLAIMER OF WARRANTIES

1. CLIENT AGREES (i) THE SERVICES AND PROFESSIONAL SERVICES DO NOT CONSTITUTE THE PROVISION OF LEGAL ADVICE OR SERVICES IN ANY MANNER; (ii) THE SERVICES DO NOT ENSURE CLIENT’S COMPLIANCE WITH ALL APPLICABLE LAWS; AND (iii) CLIENT IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE WITH ALL APPLICABLE LAWS. FLINKS, ON BEHALF OF ITSELF AND US DATA SOURCES, EXPRESSLY DISCLAIMS ANY TYPE OF REPRESENTATION OR WARRANTY REGARDING THE AVAILABILITY OR RESPONSE TIME OF THE SERVICES OR END-CUSTOMER DATA OR THAT ACCESS TO THE SERVICES OR END-CUSTOMER DATA WILL BE UNINTERRUPTED OR ERROR-FREE AND, EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, EXPRESSLY DISCLAIMS THE ACCURACY, COMPLETENESS AND CURRENCY OF ALL END-CUSTOMER DATA.
2. UNLESS EXPRESSLY PROVIDED OTHERWISE IN THIS AGREEMENT, NEITHER FLINKS NOR ANY US DATA SOURCE, NOR ANY OF THEIR RESPECTIVE PERSONNEL WILL BE LIABLE TO CLIENT FOR ANY LOSS OR INJURY ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, THE US DATA ACCESS METHOD OR END-CUSTOMER DATA OR THEIR ACTS OR OMISSIONS IN RELATION TO THE US DATA ACCESS METHOD OR END-CUSTOMER DATA. 

9. MISCELLANEOUS

9.1 Data Residency

Client will store and host End-Customer Data from locations within the United States. Any change to the location of the storage or hosting of End-Customer Data to outside of the United States must be approved in advance by Flinks in writing. 

9.2 Precedence

Notwithstanding anything to the contrary in the Agreement, in the event of any inconsistency between the Agreement, any schedule, exhibit, appendix, statement of work thereto and this Amendment (including related appendices hereto), this Amendment (including related appendices hereto) will govern.

APPENDIX 1 TO SCHEDULE A-2

END-CUSTOMER AGREEMENT – MINIMUM TERMS AND CONDITIONS

This End-Customer agreement contains the terms and conditions for your use of services that we may provide to you and that involve accessing third party account information (“Services”). Hereinafter “you” “your” means the End-Customer and “us” “we” or “our” refers to Flinks and US Data Sources.  

1. Provide Accurate Information. You represent and agree that all information you provide to us in connection with the Services is accurate, current, and complete. You agree not to misrepresent your identity or account information. You agree to keep account information secure, up to date and accurate. You represent that you are a legal owner, or an authorized user, of the accounts at third party sites which you include or access through the Services, and that you have the authority to (i) designate us and our service providers as your agent, (ii) use the Services, and (iii) give us and our service providers the passwords, usernames, and all other information you provide. 
2. Content You Provide. Your use of the Services is your authorization for us or our service providers, as your agent, to access third party sites which you designate in order to retrieve information. You are licensing to us and our service providers any information, data, passwords, usernames, PINS, personally identifiable information or other content you provide through the Services. You authorize us or our service providers to use any information, data, passwords, usernames, PINS, personally identifiable information or other content you provide through the Services or that we or our service providers retrieve on your behalf for purposes of providing the Services, to offer products and services, and for other permissible business purposes. Except as otherwise provided herein, we or our service providers may store, use, change, or display such information or create new content using such information.
3. Authority to Access Information. Unless and until this End-Customer agreement is terminated, you grant us and our service providers the right to access information at third-party sites on your behalf. Third-party sites shall be entitled to rely on the authorizations granted by you or through your account. For all purposes hereof, you hereby grant us and our service providers the right to access third-party sites to retrieve information, use such information, as described herein, with the full power and authority to do and perform each and every act and thing required and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. Upon notice to us, you may (i) revoke our right to access information at third party sites on your behalf, or (ii) subject to Section 7 herein, request deletion of information collected from third party sites. You understand and agree that the Services are not sponsored or endorsed by any third-party site. YOU ACKNOWLEDGE AND AGREE THAT WHEN WE OR OUR SERVICE PROVIDERS ACCESS AND RETRIEVE INFORMATION FROM THIRD-PARTY SITES, WE ARE ACTING AT YOUR REQUEST AND WITH YOUR PERMISSION AND AUTHORIZATION, AND NOT ON BEHALF OF THE THIRD-PARTY SITES. 
4. Third Party Accounts. With respect to any third-party sites we may enable you to access through the Services or with respect to any non-Financial Institution accounts you include in the Services, you agree to the following:
   1. You are responsible for all fees charged by the third party in connection with any non- Financial Institution accounts and transactions. You agree to comply with the terms and conditions of those accounts and agree that this End-Customer agreement does not amend any of those terms and conditions. If you have a dispute or question about any transaction on a non- Financial Institution account, you agree to direct these to the account provider.
   2. Any links to third party sites that we may provide are for your convenience only, and we and our service providers do not sponsor or endorse those sites. Any third-party services, which you may be able to access through the Services, are services of the listed institutions. Neither we nor our service providers have no responsibility for any transactions and inquiries you initiate at third party sites. The third-party sites you select are solely responsible for their services to you. We nor our service providers are not liable for any damages or costs of any type arising out of or in any way connected with your use of the services of those third parties.
5. Limitations of Services. When using the Services, you may incur technical or other difficulties. Neither we nor our service providers are responsible for any technical or other difficulties or any resulting damages that you may incur. Any information displayed or provided as part of the Services is for informational purposes only, does not represent an official record of your account, may not reflect your most recent transactions, and should not be relied on for transactional purposes. We and our service providers reserve the right to change, suspend or discontinue any or all of the Services at any time without prior notice.  In the event that Services are discontinued, your information shall be retained in accordance with this Agreement and our privacy policies.
6. Acceptance of End-Customer Agreement and Changes. Your use of the Services constitutes your acceptance of this End-Customer agreement. This End-Customer agreement is subject to change from time to time. We will notify you of any material change via e-mail or on our website by providing a link to the revised End-Customer agreement. Your continued use will indicate your acceptance of the revised End-Customer agreement. The licenses, user obligations, and authorizations described herein are ongoing.
7. Aggregated Data.  Anonymous, aggregate information, comprising financial account balances, other financial account data, or other available data that is collected through your use of the Services, may be used by us and our service providers to conduct certain analytical research, performance tracking and benchmarking.  Our service providers may publish summary or aggregate results relating to metrics comprised of research data, from time to time, and distribute or license such anonymous, aggregated research data for any purpose, including but not limited to, helping to improve products and services and assisting in troubleshooting and technical support.  Your personally identifiable information will not be shared with or sold to third parties. 
8. Ownership. You agree that we and our service providers, as applicable, retain all ownership and proprietary rights in the Services, associated content, technology, mobile applications and websites.
9. End-Customer Conduct. You agree not to use the Services or the content or information delivered through the Services in any way that would: (a) be fraudulent or involve the sale of counterfeit or stolen items, including but not limited to use of the Services to impersonate another person or entity; (b) violate any law, statute, ordinance or regulation (including without limitation those governing export control, consumer protection, unfair competition, anti-discrimination or false advertising); (c) create liability for us or our service providers or cause us to lose the services of our service providers; (d) access the information and content programmatically by macro or other automated means; or I use the Services in such a manner as to gain unauthorized entry or access to computer systems.
10. Indemnification. You agree to defend, indemnify and hold us harmless , our third party service providers and their officers, directors, employees and agents from and against any and all third party claims, liabilities, damages, losses or expenses, including settlement amounts and reasonable attorneys’ fees and costs, arising out of or in any way connected with your access to or use of the Services, your violation of these terms or your infringement, or infringement by any other user of your account, of any intellectual property or other right of anyone.
11. Disclaimer. The Services are not intended to provide legal, tax or financial advice. The Services, or certain portions and/or functionalities thereof, are provided as strictly educational in nature and are provided with the understanding that neither we nor our third-party providers are engaged in rendering accounting, investment, tax, legal, or other professional services. If legal or other professional advice including financial, is required, the services of a competent professional person should be sought. We and our third-party providers specifically disclaim any liability, loss, or risk which is incurred as consequence, directly or indirectly, of the use and application of any of the content on this site. Further, we and our third-party providers are not responsible for any credit, insurance, employment or investment decisions or any damages or other losses resulting from decisions that arise in any way from the use of the Services or any materials or information accessible through it. Past performance does not guarantee future results. We and our third-party providers do not warrant that the Services comply with the requirements of the FINRA or those of any other organization anywhere in the world.
12. DISCLAIMER OF WARRANTIES. YOU AGREE YOUR USE OF THE SERVICES AND ALL INFORMATION AND CONTENT (INCLUDING THAT OF THIRD PARTIES) IS AT YOUR RISK AND IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. WE, AND OUR SERVICE PROVIDERS, DISCLAIM ALL WARRANTIES OF ANY KIND AS TO THE USE OF THE SERVICES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. WE, AND OUR SERVICE PROVIDERS, MAKE NO WARRANTY THAT THE SERVICES (i) WILL MEET YOUR REQUIREMENTS, (ii) WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE SERVICES WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL OBTAINED BY YOU THROUGH THE SERVICES WILL MEET YOUR EXPECTATIONS, OR (v) ANY ERRORS IN THE SERVICES OR TECHNOLOGY WILL BE CORRECTED. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF SUCH MATERIAL. WE, ON BEHALF OF OURSELVES AND ALL THIRD PARTY DATA PROVIDERS, EXPRESSLY DISCLAIM ANY TYPE OF REPRESENTATION OR WARRANTY REGARDING THE AVAILABILITY OR RESPONSE TIME OF THE SERVICES OR CONTENT OR INFORMATION OBTAINED THROUGH THE SERVICES OR THAT SUCH ACCESS WILL BE UNINTERRUPTED OR ERROR-FREE AND, EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, EXPRESSLY DISCLAIM THE ACCURACY, COMPLETENESS AND CURRENCY OF ALL INFORMATION COLLECTED ON YOUR BEHALF.  NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM US OR OUR SERVICE PROVIDERS THROUGH OR FROM THE SERVICES WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.
13. LIMITATION OF LIABILITY. YOU AGREE THAT WE AND OUR THIRD PARTY SERVICE PROVIDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER LOSSES, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, RESULTING FROM (i) THE USE OR THE INABILITY TO USE THE SERVICES AT OUR WEBSITE/MOBILE APPLICATION OR OF ANY THIRD PARTY ACCOUNT PROVIDER’S WEBSITE/MOBILE APPLICATION; (ii) THE COST OF GETTING SUBSTITUTE GOODS AND SERVICES, (iii) ANY PRODUCTS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO, THROUGH OR FROM THE SERVICES, (iv) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSION OR DATA, (v) STATEMENTS OR CONDUCT OF ANYONE ON THE SERVICES, (vi) THE USE, INABILITY TO USE, UNAUTHORIZED USE, PERFORMANCE OR NON-PERFORMANCE OF ANY THIRD PARTY ACCOUNT PROVIDER SITE, EVEN IF THE PROVIDER HAS BEEN ADVISED PREVIOUSLY OF THE POSSIBILITY OF SUCH DAMAGES, OR (vii) ANY OTHER MATTER RELATING TO THE SERVICES.
14. WAIVER OF JURY TRIAL AND CLASS ACTION.  You agree that, with respect to any dispute with us or our service providers, arising out of or relating to your use of the Services or these terms: (i) YOU ARE GIVING UP YOUR RIGHT TO HAVE A TRIAL BY JURY; and (ii) YOU ARE GIVING UP YOUR RIGHT TO SERVE AS A REPRESENTATIVE, AS A PRIVATE ATTORNEY GENERAL, OR IN ANY OTHER REPRESENTATIVE CAPACITY, OR TO PARTICIPATE AS A MEMBER OF A CLASS OF CLAIMANTS, IN ANY LAWSUIT INVOLVING SUCH DISPUTE.
15. Export Restrictions.  You acknowledge that the Services and any software underlying such Services are subject to the U.S. Export Administration Regulations (15 CFR, Chapter VII) and that you will comply with these regulations. You will not export or re-export the software or Services, directly or indirectly, to: (1) any countries that are subject to U.S. export restrictions; (2) any end-customer who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (3) any end-customer who you know or have reason to know will utilize them in the design, development or production of nuclear, chemical or biological weapons. You further acknowledge that the Services may include technical data subject to export and re-export restrictions imposed by U.S. law.
16. Other Terms. You may not assign this End-Customer agreement. A determination that any provision of this End-Customer agreement is unenforceable or invalid shall not render any other provision of this End-Customer agreement unenforceable or invalid.