Skip to content
Close
SEARCH
Login
Talk to Sales
Login
Talk to Sales
Payment Methods

Standard ACH
Standard processing times.

Same Day ACH
Expedite your payments.

Instant Payments
Transfers in near real-time.

 
Features

Digital Wallet
Initiate faster transactions by utilizing Dwolla's Digital Wallet to hold funds.

Dwolla Dashboard
Access and manage your payments data through our user-friendly interface.

Mass Pay
Send multiple bank transfers with a single API request.

Drop-In Components
Complete a payment integration more quickly using pre-built components.

Webhooks
Real-time notifications.

Correlation IDs
Tracking transactions and reconciling bank records.

Addenda Records
Additional transaction information, like a note or memo.

Security

Open Banking Services
Instant account verification, balance checks and fraud mitigation.

Tokenization
Digital interactions result in unique identifiers.

Bank Verification
Smoother, safer, more efficient transactions.

Secure Exchange Solution
Securely exchange data with trusted partners.

Benefits

Sandbox Environment
Simulate use cases and try out features.

Dedicated Support
Supporting your payments journey.

LEGAL DOCUMENTATION

For Dwolla Clients

Dwolla Open Banking Services Agreement

This Dwolla Open Banking Services Agreement (the “Open Banking Services Agreement”) is a legally binding agreement between you and Dwolla, Inc. (“Dwolla”) and applies to your use of the Open Banking Services, as defined in this Agreement.

It is important that you read and understand this Open Banking Services Agreement as it governs your use of the Open Banking Services. You represent and warrant that you have the authority to accept this Open Banking Services Agreement on behalf of the legal entity you have registered at www.dwolla.com (“you”, “your” or “Client” throughout this Open Banking Services Agreement) and to provide any information that you share with Dwolla. By indicating your acceptance of this Open Banking Services Agreement or by executing an order form (“Order Form”) or other agreement that references this Open Banking Services Agreement, you agree to be bound by this Open Banking Services Agreement. If you do not accept this Open Banking Services Agreement, you must not access or use the Open Banking Services.

Dwolla offers software and services, as more fully described in this Open Banking Services Agreement, to facilitate the accessing of banking and financial data via Dwolla’s exchange session, which provides a Third-Party Service Provider’s link to a user interface the End User accesses to provide End User Data.  You retrieve the End User Data from the user interface that the End User has authorized to be shared with you and Dwolla through Dwolla’s application programming interface (“Dwolla API”). You desire to use these services to help streamline and improve your onboarding process on your platform, website and/or application (each, an “Application”). You and Dwolla agree the terms herein govern your use of Dwolla’s software and services. 

Dwolla may amend this Open Banking Services Agreement at any time by providing notice to you.  Notice may be provided to you on www.dwolla.com, on any other website maintained by Dwolla, by email or by any other reasonable means.  The amended Open Banking Services Agreement is effective when posted or as of the date indicated, and your continued use of the Open Banking Services constitutes your acceptance of any amended Open Banking Services Agreement.

The parties therefore agree as follows:

Dwolla Open Banking Services

  1. Description.  The Open Banking Services is accessed through an API which will permit you to:
    A. Utilize Dwolla’s service providers (“Third-Party Service Providers”) to perform the Open Banking Services, as defined in Section 1.7 of Exhibit B below,”) ordered by you through an Ordering Document;
    B. Upon successful authorization from End User, obtain specific details about End User and it’s financial institution account through the Third-Party Service Provider; and
    C. Obtain certain information, which may include information about payment activity, Customers or End Users  or External Parties.

  2. Account and Open Banking Services Access Requirements
    1. Authorization. As provided in Exhibit D below, incorporated herein by reference, you must obtain each End User’s agreement to the EULA prior to the use of or access to the Open Banking Services by the End User.
    2. Credentials. You are solely responsible for maintaining the security of your Dwolla credentials, including passwords, security codes, and any key and secret issued to you to permit access to the API used for the Open Banking Services (the “Credentials”). Prior to the date Dwolla makes the Open Banking Services available to you (the “Open Banking Services Go Live Date”), you will be responsible for paying the Implementation Fee (as listed in the Order Form), as applicable. You may not sell, transfer, sublicense or disclose the Credentials to any third party, other than third party service providers who need such information to perform services for you. You are solely responsible for any activity using the Credentials, including any losses or liability that may arise from you sharing or failing to secure the Credentials. 
    3. User Permissions. You may permit your employees, Your Affiliates, contractors, agents, or other third-party (each, an “Authorized User”) to access the Open Banking Services on your behalf. You will remain responsible for any actions taken by an Authorized User and for ensuring Authorized Users comply with the terms of this Open Banking Services Agreement. Authorized Users may only access or use the Open Banking Services for your internal business purposes and in accordance with this Open Banking Services Agreement. You are responsible for determining which Authorized Users may obtain access to certain features, functionality and data within the Open Banking Services. Dwolla is expressly permitted to rely on your creation of Authorized Users and user settings to release data or to initiate payments, if applicable, pursuant to instructions received through the Open Banking Services. Any third parties enabled as Authorized Users do not form any relationship with Dwolla and Dwolla will not be liable for any disputes, billing, or other matters between you and such Authorized User(s).
    4. Third Party Agreements. Dwolla does not guarantee the availability of access to or reliability of services from Third-Party Service Providers.

  3. Acceptable Use
    1. Compliance. You represent and warrant that your use of the Open Banking Services will only be for lawful and legitimate purposes and will at all times comply with: (a) all applicable federal, state, and local laws, rules, regulations, and guidance, including, without limitation, those governing payment services, consumer protections, privacy, and data security (“Applicable Law”); (b) this Open Banking Services Agreement; and (c) the Integration Requirements.
    2. Prohibitions. Without limiting the generality of Section 3.1, and in addition to any prohibitions and/or restrictions set out in Exhibit B, Dwolla Terms and Conditions for Third-Party Services and Products, incorporated herein by reference, you agree you will not and will not permit your Authorized Users to:
      A. License, sublicense, sell, resell, transfer, assign or distribute Open Banking Services without express written permission from Dwolla;
      B. Reverse engineer, disassemble, decompile, disable, copy, modify, or translate the Open Banking Services or any of its features, components, or elements or otherwise attempt to discover the source code of the Open Banking Services;
      C. Replicate and/or resell the Open Banking Services or create a competitive product or any product built using the ideas, features, functions, and other components of the Open Banking Services;
      D. Use the Open Banking Services for any purpose other than your legitimate internal business purposes;
      E. Use the Open Banking Services for any fraudulent, unlawful, deceptive, or abusive purposes or in any manner intended to harm an end user, Dwolla, or any third party; 
      F. Circumvent Dwolla’s intended limitations for any feature of the Open Banking Services; 
      G. Use the Open Banking Services in a manner inconsistent with any developer documentation, integration guidance, or other technical, policy, or other requirements communicated by Dwolla or posted on Dwolla’s website, each as may be updated from time to time (the “Integration Requirements”); or 
      H. Attempt any of the foregoing.

  4. Fees & Payment Terms
    1. Ordering Document. You agree to pay fees for the Open Banking Services in accordance with each Order Form or other document the parties may agree to for purchase of additional services which makes reference to this Open Banking Services Agreement (each an “Ordering Document”). In the event that you access and use any features or functionality not permitted on an Ordering Document, you understand this unauthorized use is cause for termination and agree to pay Dwolla’s current rate for such feature or functionality.
    2. Taxes. Fees are exclusive of all taxes, and you are responsible to pay any applicable taxes and may not withhold or offset payment of any fees to Dwolla to account for such tax obligations. You are solely responsible for paying and collecting any applicable taxes, duties, levies, or tariffs imposed with respect to your transactions initiated through the Open Banking Services. In the event Dwolla incurs a sales tax liability as a result of your sale of goods or services and/or Dwolla receives an assessment from a taxing authority directly attributable to your transaction activity, you will indemnify Dwolla for all taxes, interest, and penalties that may be assessed.

  5. Term and Termination
    1. Term. This Open Banking Services Agreement shall begin on the Effective Date and continue until terminated as set out in Section 5.2 below (the “Term”). 
    2. Termination. Either party may terminate this Open Banking Services Agreement and any Ordering Document(s) at any time by providing the other party with written notice.  Notwithstanding the foregoing, this Open Banking Services Agreement will remain in effect until the date when the last Ordering Document for the Open Banking Services hereunder has expired, was not renewed or terminated.  Notwithstanding anything to the contrary in this Open Banking Services Agreement and/or any Ordering Document, Dwolla may terminate this Open Banking Services Agreement and/or any Ordering Document for Open Banking Services: (a) if you fail to pay Fees or any other amounts owed under this Open Banking Services Agreement within ten (10) days of Dwolla sending notice to you that payment is owed; (b) immediately upon written notice to you in the event you violate this Open Banking Services Agreement or any other applicable Dwolla policy or agreement; (c) immediately upon written notice to you if your use of the Open Banking Services poses unacceptable risk, including but not limited to financial or data security risk, to Dwolla and/or its Third-Party Service Providers in Dwolla’s sole discretion; or (d) immediately upon written notice to you in the event of the termination or suspension of Dwolla’s relationship with any or all of its Third-Party Service Providers and/or Dwolla no longer offers or provides any or all of the Open Banking Services.
    3. Effect of Termination. Upon termination or expiration of this Open Banking Services Agreement, you will: (a) immediately stop using the Open Banking Services; and (b) remove any associated Dwolla Marks, as defined in Section 9.1 below, from your application and/or website. Termination does not release you from any obligation to pay for fees due and payable to Dwolla at the time of termination. Any continued use of Open Banking Services by you after termination of this Open Banking Services Agreement will be subject to all terms herein, including without limitation any payment terms or fees agreed to in the corresponding Ordering Document.

  6. Security and Privacy
    1. Personal Information. You represent and warrant that you have obtained express consent to provide Dwolla any identifying information of individuals processed using Open Banking Services (“Client PII”). Dwolla agrees not to sell or share, retain, use, or disclose Client PII for any purpose other than providing Open Banking Services as described in this Open Banking Services Agreement or meeting regulatory obligations. Dwolla agrees to delete Client PII (a) upon termination or expiration of this Open Banking Services Agreement, or (b) upon written request from you if such information is not necessary for the provision of the Dwolla Open Banking Service(s). You agree you will not provide to Dwolla the information of any individual living in any jurisdiction other than the United States without written permission from Dwolla. If you instruct Dwolla to share any Client PII to a third party, you represent that such request is compliant with Applicable Law and your published privacy policy.
    2. Security. Each party agrees that it will, for the Term of the Open Banking Services Agreement, maintain commercially reasonable administrative, technical, and physical controls which are documented in writing, approved by senior management, and designed to protect and secure data against unauthorized use, access, or disclosure. Each party agrees to provide the other party with evidence to demonstrate compliance with this Section 6.2 upon written request. Dwolla may immediately suspend your access to the Open Banking Services if Dwolla determines that your use of the Open Banking Services poses an unacceptable security risk to Dwolla or its other clients. Each party agrees to promptly notify the other party of any event that it has reasonably determined compromised the security, integrity or confidentiality of the other party’s data provided under this Open Banking Services Agreement, including Client PII (“Security Event”). Such notice will include all known facts related to the Security Event and the data affected. The parties agree to cooperate in investigating, mitigating and remediating the Security Event.
    3. Audit.  Dwolla may audit, examine and otherwise monitor your compliance with this Open Banking Services Agreement and you agree to cooperate fully with any such audit.  Within 30 days of notice from Dwolla, you will provide to Dwolla or its third party auditor (either, a “Dwolla Auditor”) access to and assistance with: documents, records, reports, or other data, information or materials compiled, maintained, or otherwise available to the extent related to your compliance with this Open Banking Services Agreement and not prohibited from disclosure by Applicable Law.  If a Dwolla Auditor determines that you are not in compliance with this Open Banking Services Agreement, you will take appropriate action to remedy the non-compliance and will provide Dwolla with evidence of the steps taken to achieve compliance with the time frame agreed upon by the parties.
  7. Confidentiality
    1. Confidential Information Definition. “Confidential Information” means any type of information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”) under this Open Banking Services Agreement, regardless of the form of disclosure and which (a) is clearly marked as “confidential” or “proprietary” at the time of such disclosure, or (b) should, by its nature and the circumstances of disclosure, reasonably be understood to be confidential by Receiving Party. For clarity, all Feedback and Open Banking Services are Dwolla’s Confidential Information. Notwithstanding the foregoing, Confidential Information does not include information that was already in Receiving Party’s possession at the time of disclosure, as substantiated in writing, or enters the public domain without breach of this Open Banking Services Agreement.
    2. Confidentiality Obligation. Receiving Party must maintain the confidentiality of Disclosing Party’s Confidential Information in a commercially reasonable manner and in a manner no less stringent than the measures it employs to protect its own most confidential and proprietary information. Receiving Party must not use Disclosing Party’s Confidential Information for any purpose other than as necessary to perform Receiving Party’s obligations under this Open Banking Services Agreement. Receiving Party may disclose Confidential Information that is required to be disclosed pursuant to any statute, regulation, order, subpoena or document discovery request, or in response to an inquiry or request of any governmental or regulatory agency or self-regulatory organization, provided that, to the extent not prohibited, Receiving Party will notify Disclosing Party of such request as soon as practicable in order to afford Disclosing Party an opportunity to seek a protective order. Receiving Party’s obligation to maintain the confidentiality of Confidential Information will survive the termination or expiration of this Open Banking Services Agreement for any reason.

  8. Intellectual Property
    1. Dwolla API License. Dwolla grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access, use, and integrate the Open Banking Services into your services or payment technology in accordance with this Open Banking Services Agreement (“API License”). This API License may be immediately revoked or terminated by Dwolla if you share your Credentials in a manner not permitted by this Open Banking Services Agreement or that otherwise breaches this Open Banking Services Agreement. “Dwolla,” the Dwolla logo, and any other service marks, trademarks, logos or graphics used in Open Banking Services (“Dwolla Marks”) are trademarks, registered trademarks, or otherwise intellectual property of Dwolla and you do not obtain any right or license to the Dwolla Marks under this Open Banking Services Agreement. You may not remove or obscure any Dwolla Marks displayed or contained in Open Banking Services.
    2. Ownership. Dwolla is the exclusive owner of and retains all right, title, and interest to Open Banking Services provided by Dwolla, including but not limited to the Dwolla APIs; the Dwolla Dashboard; the exchange session(s); the applicable Dwolla software and technology and all modifications, enhancements, upgrades, and updates thereto; the Dwolla Marks; and all intellectual property rights therein and thereto (collectively, the “Dwolla IP”). There are no implied licenses under this Open Banking Services Agreement. Except as set out in this Open Banking Services Agreement, you will not acquire any rights in the foregoing and you will not copy, transmit, transfer, modify or create derivative works, reverse engineer, reverse compile, reverse assemble or otherwise determine or derive source code of the Dwolla IP, nor permit or authorize any third party to do any of the foregoing.
      A. Feedback. You may voluntarily provide suggestions or ideas for improvements or modifications to Open Banking Services (“Feedback”). Nothing in this Open Banking Services Agreement will prohibit Dwolla from using, profiting from, disclosing, publishing, or otherwise exploiting any Feedback, nor create any obligation to compensate you for the provision of Feedback.
    3. Insurance. In addition to the insurance requirements set out in Exhibit C below, incorporated herein by reference, you agree to obtain and maintain throughout the Term of this Open Banking Services Agreement insurance coverage that (a) meets industry standards and (b) is reasonably appropriate to your business profile, risks, and activities, including the use and disclosure of personally identifiable information. Such coverage must include cyber liability insurance.
    4. Indemnification. You agree to defend, indemnify and hold harmless Dwolla, its third party service providers and Dwolla and their respective officers, directors, employees, suppliers and agents from and against any and all third party claims, liabilities, damages, actions, proceedings, penalties, fines, costs, losses or expenses, including settlement amounts and reasonable attorneys' fees and costs, arising out of or in any way connected with your:  (i) access to or use of the Open Banking Services; (ii) negligence or willful misconduct;  (iii) actual or alleged violation of any third party rights, or any applicable laws, regulation or rules; (iv) violation or breach of this Open Banking Services Agreement; or (v) infringement, or infringement by any other user of your account, of any intellectual property or other right of anyone.
    5. Limited Warranty. YOU AGREE THAT YOUR USE OF THE OPEN BANKING SERVICES AND ALL INFORMATION AND CONTENT (INCLUDING THAT OF THIRD PARTIES) IS AT YOUR RISK AND IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. DWOLLA, AND ITS SERVICE PROVIDERS, DISCLAIM ALL WARRANTIES OF ANY KIND AS TO THE USE OF THE OPEN BANKING SERVICES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. DWOLLA, AND ITS SERVICE PROVIDERS, MAKE NO WARRANTY THAT THE OPEN BANKING SERVICES (i) WILL MEET YOUR REQUIREMENTS, (ii) WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE SERVICES WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL OBTAINED BY YOU THROUGH THE OPEN BANKING SERVICES WILL MEET YOUR EXPECTATIONS, OR (v) ANY ERRORS IN THE OPEN BANKING SERVICES OR TECHNOLOGY WILL BE CORRECTED. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE OPEN BANKING SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF SUCH MATERIAL. DWOLLA, ON BEHALF OF ITSELF AND ALL THIRD PARTY DATA PROVIDERS AND SERVICE PROVIDERS, EXPRESSLY DISCLAIMS ANY TYPE OF REPRESENTATION OR WARRANTY REGARDING THE AVAILABILITY OR RESPONSE TIME OF THE OPEN BANKING SERVICES OR CONTENT OR INFORMATION OBTAINED THROUGH THE OPEN BANKING SERVICES OR THAT SUCH ACCESS WILL BE UNINTERRUPTED OR ERROR-FREE AND, EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, EXPRESSLY DISCLAIMS THE ACCURACY, COMPLETENESS AND CURRENCY OF ALL INFORMATION COLLECTED ON YOUR BEHALF. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM DWOLLA OR ITS SERVICE PROVIDERS THROUGH OR FROM THE OPEN BANKING SERVICES WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.
    6. Limitation of Liability.  YOU AGREE THAT DWOLLA, ITS SERVICE PROVIDERS, AND DWOLLA’S AND THEIR RESPECTIVE OFFICERS, DIRECTORS, AGENTS, EMPLOYEES OR SUPPLIERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES OR LOSSES, INCLUDING, BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER LOSSES, EVEN IF DWOLLA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, RESULTING FROM (i) THIS OPEN BANKING SERVICES AGREEMENT; (ii) THE USE OR THE INABILITY TO USE OR THE UNAVAILABILITY OF THE OPEN BANKING SERVICES, INCLUDING AT DWOLLA’S WEBSITE/MOBILE APPLICATION/API OR OF ANY THIRD PARTY ACCOUNT PROVIDER'S WEBSITE/MOBILE APPLICATION; (ii) THE COST OF GETTING SUBSTITUTE GOODS AND SERVICES, (iii) ANY PRODUCTS, DATA, INFORMATION, GOODS OR SERVICES PURCHASED, RECEIVED, PAID FOR OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO, THROUGH OR FROM THE OPEN BANKING SERVICES, (iv) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSION OR DATA, (v) STATEMENTS OR CONDUCT OF ANYONE ON THE OPEN BANKING SERVICES, (vi) THE USE, INABILITY TO USE, UNAUTHORIZED USE, PERFORMANCE OR NON-PERFORMANCE OF ANY THIRD PARTY ACCOUNT PROVIDER SITE, EVEN IF THE PROVIDER HAS BEEN ADVISED PREVIOUSLY OF THE POSSIBILITY OF SUCH DAMAGES, OR (vii) ANY OTHER MATTER RELATING TO THE OPEN BANKING SERVICES. REGARDLESS, IN NO EVENT WILL DWOLLA’S LIABILITY UNDER THIS OPEN BANKING SERVICES AGREEMENT EXCEED THE FEES DWOLLA HAS RECEIVED FROM YOU UNDER THIS OPEN BANKING SERVICES AGREEMENT DURING THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO A CLAIM. THIS LIMITATION OF LIABILITY WILL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW.
    7. General.

      A. Marketing. You agree to participate in case studies upon written request by Dwolla. Further, you agree that Dwolla may include you in materials identifying you as a customer of Dwolla and a user of the Open Banking Services. You authorize Dwolla to use your name, website, logo, or other trademarks or service marks to identify you as a customer of Dwolla on the Dwolla website, marketing materials, and in public presentations. If you desire to opt out of being included in such communications and materials, you may notify Dwolla at marketing@dwolla.com. Upon receipt of and in accordance with such request, Dwolla will cease making references to you and make reasonable efforts to remove you from any already existing marketing materials.
      B. Customer Support for End Users.  You are solely responsible for providing customer support for your services to End Users and, if applicable, for any goods or services that are sold via your Application.  You must clearly disclose your support policy and publish your customer support contact information in an easily accessible manner within any Application through which you offer your services.  If your End User requests Dwolla’s customer support contact information, provide the following: support@dwolla.com and 1-888-289-8744.
      C. Dispute Resolution for End Users.  You are responsible for resolving all End User disputes related to your services (“Client Services End User Dispute”), including any Client Services End User Dispute communicated by an End User to Dwolla. Dwolla has no obligation nor any liability associated with a Client Services End User Dispute resolution policies and procedures.  You agree to provide Dwolla with any requested information regarding the status and/or resolution of a Client Services End User Dispute.  Dwolla has the right but no obligation to provide support to an End User that contacts Dwolla regarding a Client End User Dispute, and in such event, you must provide Dwolla with any information Dwolla reasonably requests for the purposes of assisting End User.
      D. Assignment. You may not assign your rights and obligations under this Open Banking Services Agreement without the prior written consent of Dwolla, which will not be unreasonably withheld. Dwolla may transfer or assign this Open Banking Services Agreement or any of its rights, obligations, or duties under this Open Banking Services Agreement at any time.
      E. Independent Contractor Relationship. You and Dwolla are independent contractors, and this Open Banking Services Agreement does not create any partnership, agency, or joint venture relationship between you and Dwolla. You may not and may not attempt to represent, warrant, or obligate Dwolla to any commitment with any third party.
      F. Force Majeure. Dwolla is not responsible for any failure to perform its obligations under this Open Banking Services Agreement during any period in which such performance is delayed by circumstances beyond its reasonable control, including, but not limited to, weather, fire, flood, earthquake, war, embargo, strike, riot, civil unrest, acts of terrorism, failure or interruption of public or private infrastructure, or the intervention of any government entity. In the event of such a failure, Dwolla’s obligations will be suspended until Dwolla is able to perform.
      G. Notices.  All notices to Dwolla must be sent by email to legal@dwolla.com. Notices to you may be sent to the email address set forth on the signature page.
      H. Governing Law; Waiver of Jury Trial. This Open Banking Services Agreement will be construed in accordance with, and governed by, the laws of the State of Iowa, without regard to its conflict of laws principles. You waive your right to a jury trial in any judicial proceeding involving any claim relating to or arising under this Open Banking Services Agreement.
      I. No Third Party Beneficiaries. This Open Banking Services Agreement is intended for the exclusive benefit of you and Dwolla and not intended to benefit any third party.
      J. Entire Agreement, Conflicts, No Waiver, Construction. This Open Banking Services Agreement and any documents incorporated by reference, constitute the entire agreement between the parties. Any failure by Dwolla to enforce any right or provision of this Open Banking Services Agreement will not constitute a waiver of such right or provision. If any provision of this Open Banking Services Agreement is held to be invalid or unenforceable, such provision will be interpreted to fulfill its intended purpose to the maximum extent permitted by law, and the remaining provisions will remain in full force and effect. All provisions of this Open Banking Services Agreement that by their nature are intended to survive termination or expiration of this Open Banking Services Agreement will survive termination of this Open Banking Services Agreement for any reasons. No provision of this Open Banking Services Agreement will be construed against a party by reason of that party drafting such provision.

Exhibit B
Dwolla Terms and Conditions for Third-Party Open Banking Services and Products

This Dwolla Terms and Conditions for Open Banking Third Party Services and Products Exhibit (“Open Banking Services Exhibit”) applies to your use of the Open Banking Services provided to you through one of Dwolla’s Third-Party Service Providers (as defined below).   Hereinafter “you” “your” or “Client” means the Client and “us” “we” “our” or “Dwolla” refers to Dwolla, Inc. (protecting its third-party service provider).

  1. DEFINITIONS
    1. “Anonymous & Aggregated Data” means End User Data and information that is anonymized and aggregated  with similar data and information to the extent that the original End USer Data and information is no longer attributable to Dwolla, you, or to any specific End User. 
    2. “Balance Check” means an Open Banking Service ordered by you that you can use to periodically gather account balances in an account without collecting transaction data.  Account types accessed include depository accounts. You can retrieve these account balances using an API request to help ensure your End Users have the appropriate funds.
    3. Customer” means your end user that has opened a Customer Account.
    4. Customer Account” means an account that has been opened by an End User through the Dwolla Platform Services (as defined in the Dwolla Platform Agreement) through your Application and that you manage through your Application.

    5. Destroy” means to delete or destroy information using data destruction procedures that meet or exceed the NIST Special Publication 800-88 Guidelines for Media Sanitization.

    6. "Documentation” means the Third-Party Service Provider Materials, Third-Party Service Provider User Guide and applicable Spec Sheet(s).
    7. “End User” mean an individual who is a Customer who is at least 18 years old and a resident of the United States or a Receive-Only User who is authorized by you to use or access the Open Banking Services and who has (i) been supplied an identification and password by you or at your direction or (ii) for whom a unique user record is created by or authorized to be created by you within the Open Banking Services. 
    8. “End User Data” means End User’s login, password, any other authentication information required by you or an End User’s third-party financial institution, and any End User transaction data. 
    9. Instant Account Verification (without identity check)” means an Open Banking Service ordered by you that accesses financial account information, including account and routing numbers, for direct deposit accounts such as checking, savings, and money market accounts.
    10. “Open Banking Services” means Instant Account Verification, Balance Check, and the other products and services ordered by you through an Ordering Document to which these terms apply and are made  available by Third-Party Service Provider through its online, web-based application or mobile components via designated websites, IP  addresses, application programming interface(s), or other means.
    11. “Nonpublic Personal Information” means personally identifiable financial information as defined under  Regulation P, 12 C.F.R. 216, or the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., or information otherwise considered privileged, confidential, private, nonpublic or personal given protected status under applicable law.
    12. “Receive Only User” means an individual who is a resident of the United States and is at least 13 years old and has obtained parental permission if under 18 to receive funds that uses the payment services you offer through your website and/or mobile application who may only receive payments and does not create a Dwolla account.
    13. “Spec Sheet” means a document provided by Dwolla or Third-Party Service Provider that describes the work by Third-Party Service Provider and you that is necessary to configure the Open Banking Services purchased by you in an Ordering Document.
    14. “Service Provider” means any third-party entity which provides End User Data or other data to a Third-Party Service Provider for use in the Open Banking Services pursuant to a contractual agreement.
    15. "Third-Party Data Provider” means any third-party entity, including financial institutions, which provides End User Data or other data to Dwolla or Dwolla’s technology providers for use in the Open Banking Services.
    16. "Third-Party Service Provider” means a third-party entity that provides the Open Banking Services or professional services.
    17. "Third-Party Service Provider Materials” means any materials that Third-Party Service Provider provides to you as part of, or in the course of providing, the Open Banking Services or professional services including implementation materials provided through Third-Party Service Provider’s developer portal or through Dwolla.
    18. "Third-Party Service Provider Technology” means technology owned by Third-Party Service Provider or licensed to Third-Party Service Provider by a third-party (including the Open Banking Services, professional services, software tools, algorithms, software (in source and object forms), user interface  designs, architecture, toolkits, plug-ins, objects and Documentation, network designs, processes, know-how,  methodologies, trade secrets, and any related intellectual property rights throughout the world) and feedback made to Third-Party Service Provider that are incorporated into any of the foregoing (which are hereby irrevocably assigned to Third-Party Service Provider),  as well as any of the modifications or extensions of the above, whenever or wherever developed.
    19. “Third-Party Service Provider User Guide” means the applicable user guides, frequently asked questions, help, and other  documentation provided by Third-Party Service Provider to you including such documentation provided through Dwolla. For some Third-Party Service Provider products, additional guidance is accessible from within the Open Banking Services under the “help” menu. 
    20. "Your Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with you. “Control”, for purposes of this definition, means direct or indirect  ownership or control of more than 50% of the voting interests of the subject entity.

  2. LICENSE AND RESTRICTIONS
    1. License Grant. Subject to, and except as explicitly set forth in, the terms of this Open Banking Services Exhibit, Dwolla grants you a non-exclusive and non-transferable right, solely during the Term:
      (A) to permit authorized End Users to access and use the Open Banking Services;
      (B) to use the Open Banking Services in accordance with the Documentation and Integration Requirements and solely for your internal  business purposes; and 
      (C) to use the Third-Party Service Provider Materials solely in conjunction with your authorized use of the Open Banking Services.
    2. Restrictions. All rights not expressly granted to you hereunder are reserved by Dwolla and Third-Party Service Provider. You agree that you must not, and must not permit or authorize any third party (including but not limited to End  Users) to: 
      (A) use the Open Banking Services in (i) violation of any Applicable Law or regulatory guideline or for fraudulent purposes, or (ii) a manner that would cause a material risk to the security or operations of Dwolla or any of its clients or partners, Third-Party Service Provider or any if its clients, or to the continued normal operation of other Dwolla or Third-Party Service Provider clients;
      (B) copy, sublicense, sell, resell, rent, lease, transfer, assign, distribute, time share or otherwise commercially exploit or make the Open Banking Services available to any third  party, other than to End Users or as otherwise contemplated by this Open Banking Services Agreement; 
      (C) attempt to gain unauthorized access to the Open Banking Services or their related systems or networks, or modify, create derivative works of, adapt, translate, reverse engineer (including monitoring or accessing inputs or output flowing through a system or an application), decompile, or otherwise attempt to discover within any Third-Party Service Provider Technology, the source code, data representations, or underlying algorithms, processes  and methods. (This restriction will not apply to the extent it limits any non-waivable right you may enjoy under Applicable Law); 
      (D) access the Open Banking Services in order to build a competitive product or service, or copy any ideas, features,  functions or graphics of the Open Banking Services; 
      (E) frame, scrape, link to, republish, download, display, transmit, or mirror any content forming part of the Open Banking Services, other than on your own intranets or otherwise for your own internal business purposes; 
      (F) remove, obscure, or alter any proprietary notices associated with the Open Banking Services or Third-Party Service Provider Materials; 
      (G) use End User Data obtained through the Open Banking Services in any way as, or as part of, a consumer report as that term is defined by the Fair Credit Reporting Act 15 U.S.C. §1681; 
      (H) process through Open Banking Services any data that falls under the protections of the Health Insurance Portability  and Accountability Act of 1996;
      (I) circumvent, disable, or stress test any security or other technological features of the Open Banking Services; 
      (J) re-identify or attempt to re-identify Anonymous & Aggregated Data End User Data provided in a de-identified form;
      (K) knowingly use the Open Banking Services to send or store infringing, obscene, threatening, libelous, or other unlawful or tortious material, including, without limitation, material harmful to or that causes damage to any property or violative of any person’s or third-party’s privacy rights or in any manner that encourages, supports or promotes illegal activities or unlawful gambling;
      (L) use the Open Banking Services in any manner to provide service bureau, time sharing or other computer services to third parties, except where necessary to use the Open Banking Services;
      (M) intentionally or knowingly upload to the Open Banking Services or use the Open Banking Services to intentionally send or store viruses, worms, time bombs, trojan horses, or any other harmful or malicious code, files, scripts, agents or programs; or
      (N) conduct any platform or system level testing of the Open Banking Services, including, without limitation, load or security testing, without first obtaining Third-Party Service Provider’s written consent.

  3. THIRD PARTIES.
    1. Third-Party Providers. You are responsible for complying with any applicable terms and conditions of any third-party products, services, and platforms you use in conjunction with the Open Banking Services, which are not provided by Dwolla or Third-Party Service Provider as part of the Open Banking Services. 
    2. Your Third-Party Access. 
      (A) Use by Your Affiliates. Subject to their compliance with the terms of this Open Banking Services Exhibit, your Affiliates may use and access the Open Banking Services, Documentation or End User Data. 
      (B) Outsourcing and Third-Party Access. You may allow your third-party contractor to operate, use or access the Open Banking Services or End User Data solely on your behalf, provided such use or access is only for your direct beneficial business purposes. 
      (C) Responsibility for Third-Party Access. You acknowledge and agree that you are solely responsible for ensuring that any of Your Affiliates, contractors, agents, or other third-party operating, using or accessing the Open Banking Services or End User Data on your behalf assumes and complies with the obligations flowed down to you under this Open Banking Services Agreement.
      (D) Your Responsibility. You are responsible and liable for the acts or omissions of Your Affiliates and all third parties authorized by you to access the Open Banking Services, Integration Requirements, Documentation, or End User Data as if they were your own acts or omissions. 
    3. Third-Party Data Providers
      (A) You acknowledge that, at your instruction or the instruction of an End User, End User Data may be sourced from Third-Party Data Providers. 
      (B) You acknowledge that End User Data may include Nonpublic Personal Information and you agree to protect that End User Data as detailed in the Data Protection Terms set out in Exhibit C, which is incorporated herein by reference.
      (C) You acknowledge that End User Data you source from Third-Party Data Providers carries with it the obligations detailed in the Third-Party Data Provider Terms set out in Exhibit D, and you agree to  comply with therewith.

  4. CONSUMER DATA OWNERSHIP, PERMITTED USES, AND RESPONSIBILITY
    1. Ownership. As between Dwolla and you, you own (or where applicable), must ensure you have a valid license to use) the End User Data.
    2. Permitted Use. You grant Dwolla and, through Dwolla, Third-Party Service Provider:
      (A) a non-exclusive, worldwide, royalty free license to reproduce, display, adapt, enhance, aggregate,  transmit, distribute and otherwise use and access the End User Data as necessary or reasonable to provide the Open Banking Services and to generate Anonymous & Aggregated Data; 
      (B) a non-exclusive, royalty free, revocable, limited license, during the term of this Open Banking Services Agreement, to use your trademarks, marks, logos and trade names (“Your Marks”), and to sublicense the same to Service Provider(s) and Third-Party Data Providers, for the sole purpose of providing the Open Banking Services (e.g., identifying you to End Users as a source or recipient of End User Data, or rebranding of the Open Banking Services in those scenarios where you have licensed such white-labeled rights, if applicable). Dwolla, Third-Party Service Provider and/or you will use Your Marks and will require that any Third Party Data Provider use Your Marks in compliance with any reasonable trademark use policies you may promulgate from time to time and provide to Dwolla in writing; and 
      (C) a non-exclusive, royalty free, worldwide, transferrable, sublicensable, perpetual and irrevocable license to reproduce, display, adapt, enhance, transmit, distribute and otherwise use Anonymous &  Aggregated Data. 
    3. Responsibility.
      (A) End User Consent.
                  (i) You must only request End User Data through the Open Banking Services that is expressly consented to by the End User.  
            (ii) If you both access End User Data and initiate payments, you must obtain separate and distinct consents from End User for these separate activities 
            (iii) You shall maintain such systems and procedures as may be reasonably necessary or otherwise required by Dwolla or Third-Party Service Provider (consistent with Applicable Law and industry best practices) to actively track,  monitor and document such End User consent and any revocation thereof. 
            (iv) Consents will be valid until (i) End User revokes their consent with you, Dwolla, Third-Party Service Provider or End User’s financial institution; (ii) a change in the End User terms and conditions issued by you, Dwolla, Third-Party Service Provider or End User’s financial institution requires new consents to be obtained; or (iii) the privacy laws require new consents to be obtained
      (B) End User Control. You must provide End Users the ability to unlink such End User Data from your application or service. Upon request by End User, or as required with privacy laws, you must promptly and permanently delete and/or anonymize all End User Data in your possession or control of and Dwolla will promptly notify Third-Party Service Provider of the same. Notwithstanding the foregoing, you may retain End User Data to the extent required by applicable law and regulations. In the event that you unlink (or request the unlinking  of) End User Data from any Dwolla application or service, Dwolla will promptly notify the Third-Party Service Provider of the same.  In addition, you shall provide End Users with controls to manage consent, including by ensuring the End User is able to withdraw consent in accordance with applicable privacy laws. 
      (C) End User Data Access. Dwolla may provide a list of Internet Protocol addresses (“IP Addresses”) to Third-Party Service Provider from  which Third-Party Service Provider may access End User Data from you on behalf of End Users. Dwolla may update the provided list from time to time. You must not block or otherwise obstruct  Third-Party Service Provider and/or Dwolla from accessing End User Data using the IP Addresses in the provided list.
      (D) Representations.  You will not: (i) make representations or other statements with respect to Nonpublic Personal Information that are contrary to or otherwise inconsistent with Third-Party Service Provider’s privacy policy or (ii) interfere with any independent efforts by Third-Party Service Provider to provide End User notice or obtain End User consent.

  5. Suspension. Dwolla and/or Third-Party Service Provider will have the right to suspend your Open Banking Services account or your access, in whole or in part, to the Open Banking Services  and any End User Data upon reasonable, good-faith belief that:
    (A) you are acting in an unauthorized manner with respect to your access to the Open Banking Services or any End User Data; 
    (B) there is a material risk to the security or integrity of the Open Banking Services, the End User Data, or any systems of Dwolla, Dwolla’s technology providers, any Third-Party Data Provider, or you; or 
    (C) suspending access is reasonably necessary to prevent harm to the business or reputation of  Dwolla, a Dwolla technology provider, any Third-Party Data Provider, and/or their respective  customers. 

Your use of the Open Banking Services may be limited if your Open Banking Services account or access to your Open Banking Services is suspended. Any suspension will be reasonably limited in scope. Unless prohibited by Applicable Law, Dwolla will use reasonable efforts to provide timely notice of the suspension to you, including a description of the scope and reasons for the suspension. Such notice may occur after the suspension or restriction has occurred. Dwolla may also, in its reasonable discretion, contact any End User for Dwolla’s purposes, including fraud investigation and/or risk management purposes. If Dwolla contacts an End User for such purposes, Dwolla will notify you to the extent permissible under Applicable Law. The Parties will cooperate in good faith to remediate the reason for any suspension. Upon resolution of the issue causing the suspension, Dwolla will promptly permit you to resume using the Open Banking Services.


Exhibit C
Data Protection Terms
 
  1. INFORMATION SECURITY
    In connection with this Open Banking Services Agreement, you may have access to and/or be provided with information concerning End Users and their past or present accounts including End User Data or other information falling within the definition of Nonpublic Personal Information. In connection with all such Nonpublic Personal Information, you must:  
    1. handle, keep, maintain and secure from others the Nonpublic Personal Information, End User Data, and Confidential Information to which you have access or are provided, with the utmost of care and confidentiality. In no event will you take precautions any less stringent than those employed to protect your own proprietary and confidential information;
    2. allow the Nonpublic Personal Information and End User Data to be accessed and used only in connection with the provisions of this Open Banking Services Agreement;
    3. not share, disclose, provide or permit access to any Nonpublic Personal Information or End User Data by any other person or entity, except as permitted hereunder or as permitted by the applicable End User;
    4. with respect to any third party provided access to Nonpublic Personal Information or Confidential Information, you will enter into a written agreement with such third party requiring safeguarding of Nonpublic Personal Information, End User Data or Confidential Information in a manner no less restrictive than your obligations under this Open Banking Services Agreement;
    5. implement appropriate safeguards and programs (including, but not limited to security controls such as physical and logical access, configuration and change management processes, data encryption, strong authentication, vulnerability and risk management, asset management, media protection, application security, network security, intrusion detection, security event monitoring and alerting, internal and external security program audits, security incident detection and response, and employee security training) consistent with best practices in the financial services industry and all Applicable Law, designed to help ensure the security and confidentiality of Nonpublic Personal Information and to protect against unauthorized access to or use of Nonpublic Personal Information that could result in substantial harm and measurable damage to End User, Dwolla or Third-Party Service Provider;
    6. establish and maintain a written information security program that is consistent with generally accepted industry standards, including “Generally Accepted Principles and Practices for Securing Information and Technology Systems” (GAPPs) issued by the National Institute of Standards & Technology and/or the ISO 27000, including safeguards against the disclosure, destruction, loss, or alteration of Consumer Data. At a minimum, your written information security program will be designed to: (i) ensure the security, integrity, and confidentiality of all End User Data; (ii) detect patterns, practices, or specific activity that indicates the possible existence of identity theft or other threats or hazards to the security or integrity of End User Data; (iii) protect against unauthorized access, interception, use, or disclosure of End User Data; (iv) ensure that all transfers of End User Data are accomplished in a secure and confidential manner and in compliance with best practices in the financial services industry and latest industry encryption standards, including encryption of all End User Data at rest and in transit, using commercially reasonable encryption; (v) ensure the proper disposal of End User Data, where applicable; (vi) inventory information systems that contain End User Data or are otherwise critical to achieving business purposes; (vii) implement risk-informed identity and access management, implementing the principles of least privilege and need-to-know; (viii) ensure multi-factor authentication for access to any information system containing End User Data except where a reasonably equivalent or more secure access control has been approved; and (ix) execute regular vulnerability assessments and required remediation timelines for identified vulnerabilities;
    7. notify the affected party of any known unauthorized access to or use of Nonpublic Personal Information, as soon as is practicable, after confirmation of such event;
    8. identify and assess reasonably foreseeable threats to the security of Nonpublic Personal Information or End User Data and adjust security mechanisms to address new threats; and
    9. maintain on all of its systems on which End User Data is accessed, stored, used or otherwise processed (i) real-time intrusion detection systems, and (ii) up-to-date and reputable antivirus software and/or other commensurate anti-malware tools and applications. Without limiting your obligations under Section 3 (Security Incident), you must promptly report any patterns, practices, or specific activity detected with respect to your or Dwolla’s systems that may indicate the possible existence of identity theft, and must take appropriate steps to prevent or mitigate the same.

  2. SECURITY INCIDENT
    1. Notification. You will promptly (and in any event, within 48 hours of discovery) notify Dwolla of a Security Incident (as defined below). Such notice must include a detailed description of the Security Incident, and any other information Dwolla may reasonably request concerning the Security Incident, including, without limitation, the number of records, types of information, and number of End Users impacted by the Security Incident, the known or suspected causes of the Security Incident, any actual or anticipated impact on Dwolla or its customers, and remediation plans. You will maintain records of all actual or suspected Security Incidents consistent with security best practices in the financial services industry and will make such reports available to Dwolla upon request.
    2. Mitigation. You agree to promptly and at your own cost and expense investigate and take all reasonable measures necessary or advisable to mitigate the effects of and remedy any Security Incident, including, where appropriate and without limitation, providing credit monitoring services and related call center or similar support activities to impacted parties.
    3. Reasonable Assistance. You further agree to fully cooperate with and provide all reasonable assistance to Dwolla in regard to its investigation of any Security Incident. Without limiting the generality of the foregoing, you will cooperate with Dwolla in determining its legal obligations with respect to notification of End Users, regulators, and/or law enforcement, if any, and you agree to provide to Dwolla any documentation in your possession which is necessary for Dwolla to issue required or advisable notifications or communications.
    4. Disclosure. Unless otherwise required by Applicable Law or pursuant to an agreement with an unrelated third party, you will not (and will ensure that each of your representatives and agents do not) inform or make any statements to any unrelated third party of any Security Incident without first obtaining Dwolla’s prior written consent. Where any disclosure of a Security Incident is required by Applicable Law, you will use commercially reasonable efforts to obtain Dwolla’s approval regarding such disclosure.
    5. Dispute Management. You must notify Dwolla within 48 hours of receiving any complaint alleging the improper or unauthorized access or use of End User Data. You will be responsible for managing all disputes or issues raised by an End User with respect to any of your applications; provided, however, that Dwolla, Third-Party Service Provider and/or Service Provider may, at its option, as applicable, engage directly with any End User with respect to issues or complaints relating to the authorized access or use of End User Data, and may take all steps deemed necessary by Dwolla, Third-Party Service Provider or Service Provider to resolve such issues or complaints, including, without limitation, terminating access to the Open Banking Services and/or to any End User Data. Notwithstanding the foregoing, you acknowledge and agree that you will remain responsible for any unauthorized access or use of End User Data once it has been accessed through the Open Banking Services, is in your possession or control, or thereafter.
    6. Definition. For purposes of this Open Banking Services Agreement, “Security Incident” will mean any actual or reasonably suspected breach, incident or other event that compromises (or would be reasonably likely to result in a compromise of) the security, integrity or confidentiality of the End User Data, Dwolla’s or Third-Party Service Provider’s Confidential Information, or Confidential Information of Dwolla or Third-Party Service Provider held by your third party service providers that handle or otherwise process End User Data, or that otherwise results in (or that would be reasonably likely to result in) the unauthorized access, use, disclosure or loss of End User Data, Dwolla’s or Third-Party Service Provider’s Confidential Information, or Confidential Information of Dwolla or Third-Party Service Provider held by your third party service providers that handle or otherwise process End User Data.

  3. BACKGROUND INVESTIGATIONS. During the Term hereof and for such period thereafter as you will retain possession or control of End User Data, you will maintain comprehensive hiring and employment policies and procedures designed to ensure that all of your personnel with access to the Open Banking Services or to any End User Data possess appropriate character, disposition and honesty. In connection with the foregoing, you must, to the extent permitted by Applicable Law, conduct at your expense pre-employment background checks and other investigations of your employees and other personnel that may obtain access to the Open Banking Services or End User Data. Such background checks and investigations must include, but are not limited to: (a) confirmation of identity and personal information; (b) felony and misdemeanor and national criminal searches (where permissible); and (c) confirmation the individual is not on the Specially Designated Nationals (SDNs) list published by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) (or national equivalent) and global sanctions enforcement searches. You must not permit any of your employees or other personnel to access the Open Banking Services or End User Data until such individual has passed the outlined background screening. You will not permit any employee or other personnel who has been formally charged with a crime that is a dishonest act or breach of trust as set forth in Section 19 of the Federal Deposit Insurance Act, or who you know has otherwise engaged in any material act of dishonesty or breach of trust, to access or use the Open Banking Services or End User Data, in accordance with all applicable federal, state, and local law. You must reasonably cooperate with any investigation undertaken by Dwolla and/or Third-Party Service Provider with respect to any act of dishonesty, breach of trust, or violation of law by any of you employees or personnel with respect to the Open Banking Services or the End User Data.

  4. INSURANCE. You must obtain and maintain at your own expense, throughout the Term and for a period of two years thereafter, (a) sufficient insurance coverage for your business, your activities hereunder, and any reasonably anticipated risks; and (b) without limiting the foregoing, as applicable (1) Commercial General Liability Insurance, (2) Crime Insurance (Employee Dishonesty), and (3) Cyber Risk/Data Security and Privacy Liability Insurance covering claims (and any associated costs and damages, including data breach investigation, data breach notification and credit monitoring costs) arising from: (i) breaches of computer systems and data security, (ii) violations of any privacy right, (iii) breaches of data privacy and data security laws and regulations, (iv) breach of PCI-DSS or any similar rules promulgated by the PCI Council, and (v) data theft, damage, destruction, or corruption, including unauthorized access, unauthorized use, identity theft, theft of personally identifiable information, and transmission of a computer virus or other type of malicious code.  For the avoidance of doubt, your insurance coverage shall not limit your liability as set forth under this Open Banking Services Agreement.

Exhibit D
Third-Party Data Provider Terms

  1. EULA
    (A) End User Access. You must ensure, prior to any access or use of the Open Banking Services, each End User’s agreement to minimum end user terms and conditions governing such End User’s use and access to the Open Banking Services in the form of an end user license agreement governing such End User’s use of the Open Banking Services that is substantially equivalent to and includes terms at least as protective of Dwolla and Third-Party Service Provider as those minimum end user terms and conditions as detailed in the Open Banking Services End User Terms and Conditions (“EULA”) (set forth at https://www.dwolla.com/legal/open-banking-end-user-terms) and incorporated herein by reference. You are responsible for all activity that occurs in your End User accounts and for your End User’s compliance with this Open Banking Services Agreement and the EULA.
    (B) Updates. Dwolla and Third-Party Service Providers may amend and supplement the EULA at any time during the Term by providing notice to you, either directly or through Dwolla. You will have thirty (30) days from receipt of such notice to update your EULA to reflect such amendment or supplement, or as otherwise provided for by Dwolla and/or Third-Party Service Providers.
    (C) Your specific Terms. You must update the EULA, based on your specific use case, to: (i) accurately set forth what data, including all compilations, aggregations, and combinations of the same, is collected, how collected data will be used, and how collected data will be accessed, shared, exchanged, or sold; (ii) provide clear and conspicuous disclosures to all End Users and prospective End Users sufficient to comply with Applicable Law regarding the collection, use, and sharing described, including Anonymous & Aggregated Data; (iii) identify or disclose to each End Users any and all categories of third parties to whom End User Data may be provided or who may use, receive, store, or process the same; and (iv) describe how the End User Data will be protected in the event that you cease operating as a going concern or otherwise cease to make available your application and/or mobile website to End Users, describing how End User Data in your possession or control will be safeguarded, deleted, and purged in such circumstances.  A reference to your privacy policy is included in Section 2 of the EULA.  If your privacy policy does not cover the items set out in this Section 1(C), or meet the EULA requirements set out in this Open Banking Services Agreement, you agree to update the EULA or otherwise provide the information required by this Agreement to each of your End Users and obtain their agreement to such by express consent.

  2. DATA REQUIREMENTS. You will provide to Third-Party Service Provider, either directly or through Dwolla, as determined by Third-Party Service Provider, information regarding your data requirements, which Third-Party Service Provider may disclose to Third-Party Data Providers, in order to facilitate its provision of the Open Banking Services. You shall not charge End User any fees that identify, or are identifiable to, Dwolla, Third-Party Service Provider, any Third-Party Data Provider, or to End User’s use of the Open Banking Services.

  3. API MONITORING. Dwolla, Third-Party Service Provider, and Third-Party Data Providers, as applicable, have the right to monitor any and all use of the Open Banking Services and Third-Party Data Provider connections to the Open Banking Services (including frequency of access and types of data received) without notice to you or your personnel.

  4. DATA HOSTING. You may only host and/or store End User Data from locations within the United States unless otherwise approved in advance and in writing by Third-Party Service Provider and applicable Third-Party Data Providers.

  5. DATA USE.
    (A) End User Consent.
              (i) Credentials.  Except as otherwise expressly permitted in this Agreement, you shall not, and you shall not permit or enable any third party or service provider to collect, store, or use any End User bank account credentials as part of their integration with the Open Banking Services, or access to any data relating to an End User that you know or have reason to believe was procured via screen scraping.  Before accessing the Open Banking Services, you must stop using and Destroy any End User bank account credentials you hold. Upon Dwolla’s and/or Third-Party Service Provider’s request, you must certify and provide reasonable verification that you have Destroyed such data and that you do not have any End User bank account credentials.
         (ii) Previously Collected Data. Prior to accessing the Open Banking Services, you shall delete any End User data which was not obtained in accordance with the terms of this Open Banking Services Agreement or through a provider with a valid agreement with the applicable Third-Party Data Provider.
         (iii) Deletion of End User Data.  Upon termination of this Open Banking Services Agreement for any reason, you shall Destroy all End User Data in accordance with your retention policies, unless you have permission from the applicable End User to retain such End User Data and you continue to maintain appropriate technical and organizational safeguards for such End User Data.  Within sixty (60) days following termination of this Open Banking Services Agreement you must certify and provide verification to Dwolla and/or Third-Party Service Provider that you have complied with the deletion requirements of this Section 5(A)(iii).
    (B) End User Data.  With respect to End User Data made available through the Open Banking Services from Third-Party Data Provider, you will not, nor will you attempt to or otherwise enable a third party to: (i) use, disclose or process the End User Data to target market products or services to End Users that are directly competitive to those offered by any Third-Party Data Provider, by using such End Users’ status as a customer of a Third-Party Data Provider as criteria; (ii) use any APR, APY, credit limit or similar data included within the End User Data to ascertain confidential or proprietary information of any Third-Party Data Provider, including, without limitation, credit models, credit algorithms, and other business processes and calculations not available to the public;  (iii) sell, transfer or rent Nonpublic Personal Information to marketers or any other third party; (iv) use Nonpublic Personal Information for marketing purposes, unless you obtain Dwolla or Third-Party Service Provider’s prior express written consent, as applicable, express consent from the applicable End User for such use and such use is in strict compliance with privacy laws; (v) combine Nonpublic Personal Information relating to an End User with data relating to other End Users or with data obtained from third parties; (vi) process End User’s bank credentials other than as required to access or use the Open Banking Services, as authorized by End User, as permitted by Third-Party Service Provider, and as permitted under privacy laws; (vii) process any Nonpublic Personal Information, or access or use the Open Banking Services, other than in strict compliance with privacy laws; or (viii) process any Nonpublic Personal Information, or access or use the Open Banking Services, in any manner that would be a breach of contract or agreement between Dwolla and Third-Party Service Provider and End User and Third-Party Service Provider.

  6. COMPLIANCE
    (A) In addition to the audit set out in Section 6.3 of the Open Banking Services Agreement, during the Term of the Open Banking Services Agreement and for one year thereafter, you will, upon reasonable advance written notice from Third-Party Service Provider and/or Dwolla, (i) permit Third-Party Service Provider, through its internal and external auditors or those of any Third-Party Data Provider, to audit, review and inspect (A) your books, records, and other documents, including security logs, and (B) your systems, networks, and facilities (an “Audit”), or (ii) provide to Dwolla, Third-Party Service Provider or any Third-Party Data Provider a written attestation of your compliance with the terms and conditions of this Open Banking Services Agreement governing the processing of End User Data, the prompt reporting of all Security Incidents, and obligation to refrain from re-identifying or attempting to re-identify any aggregated or de-identified End User Data (an “Attestation”).
    (B) All Audits will be conducted for the sole and exclusive purposes of confirming your compliance with the data handling and security terms and conditions of this Open Banking Services Agreement, and will occur during regular business hours, at Dwolla’s, Third-Party Service Provider’s or an applicable Third-Party Data Provider’s sole cost and expense, and, except following the occurrence of a Security Incident, no more frequently than once per year. You agree to reasonably cooperate with any Audit performed pursuant to this Section 6 and must promptly take all actions necessary to remediate any material deficiencies and non-compliance discovered as a result of any Audit or Attestation.
    (C) At least annually during the Term, you must have a certified independent public accounting firm or another independent, certified, industry-recognized third party: (i) conduct a review or assessment and provide a full attestation, review, or report under SOC 2 Type II (or, such reasonably comparable standard) of all your systems and operational controls used by you to access the Open Banking Services or access, store, or process any End User Data; and (ii) conduct and provide a full report of an independent network and application penetration test.
    (D) You must provide copies of all such reports and the results of any testing to Dwolla and Third-Party Service Provider (each, an “Attestation”).
    (E) All Attestations and the results of any of your Audits will be considered your Confidential Information; provided, however, that Dwolla and/or Third-Party Service Provider may disclose copies of the same to any Third-Party Data Provider at Third-Party Service Provider’s sole discretion, provided such Third-Party Data Provider is bound by written obligations of confidentiality which are in no event less than a reasonable standard of care.
    (F) Nothing in this Section 6 is or will be construed as limiting the rights of any governmental or regulatory authority to conduct audits or investigations. You acknowledge that Dwolla and Third-Party Service Provider intend to fully comply with all governmental and regulatory authorities, including with respect to any law enforcement or judicial investigations, and that in connection with the foregoing, Dwolla and Third-Party Service Provider may disclose the identity of, and any information transmitted or received by, persons accessing the Open Banking Services. You agree to fully cooperate with any audits or investigations conducted by a governmental or regulatory authority pursuant to Applicable Law.
    (G) Notwithstanding anything to the contrary, upon written request, you will provide information reasonably needed to demonstrate compliance with the obligations in this Exhibit D and privacy laws.