Skip to content
Close
SEARCH
Login
Talk to Sales
Login
Talk to Sales
PAY BY BANK

Instant Payments
Real-time payment processing.

Same Day ACH
Same day payment processing.

Standard ACH
Standard processing times.

 

 

 
FEATURES

Unified API
Fast transactions integrated with open banking all in one platform.

Automated Payments
Modernize your payments with pay by bank automation.

Mass Pay
Send multiple bank transfers with a single API request.

Open Banking Services
Instant account verification, balance checks and fraud mitigation.

Digital Wallet
Initiate faster transactions by utilizing Dwolla's Digital Wallet to hold funds.

 

 

Data Visibility
Access and manage your payments data through our user-friendly dashboard.

Security
Dwolla's platform is monitored 24/7/365 using a combination of internal and external tools and services.

Integration
Dwolla makes integrating pay by bank payments fast and easy.

Sandbox Environment
Simulate use cases and try out features.

Dedicated Support
Supporting your payments journey every step of the way.

SOLUTIONS

Enterprise
High-transacting payment automation

Balance
A digital wallet solution 

Connect
Direct bank connections 

 

 
INDUSTRIES

Insurance
Modernize outdated insurance payments

Real Estate
Revolutionize your real estate payments

Lending
Accelerate your lending operations

Healthcare
Elevate your healthcare payments

Manufacturing
Transform your manufacturing payments

USE CASES

B2B Payments
Streamline your business payments

Unload/Load Digital Wallet
Seamlessly move funds on and off your platform

Payouts
Pay out funds quickly and securely

LEGAL DOCUMENTATION

For Dwolla Clients

Dwolla Open Banking Services Agreement

Summary of Changes to the Dwolla Open Banking Services Agreement Terms of Service - April 18, 2025

We are updating the Dwolla Open Banking Services Agreement, which applies to your use of the Dwolla Open Banking Services. The following provides a summary of the changes to the Dwolla Open Banking Services Agreement.  To see all of the changes, please read the full Dwolla Open Banking Services Agreement.

 1. Under the header, we updated the Last Updated date to April 18, 2025.
 2. We made changes to the Dwolla Open Banking Services Agreement to update data handling and protection, security protocols, and end user, compliance, and third party requirements effective April 18, 2025 as further detailed in the following sections:

  • Dwolla Open Banking Services Agreement
    • Section 5.2 (Termination)
  • Exhibit B
    • Section 1 (Definitions)
    • Section 2.2 (Restrictions)
    • Section 3.3 (Third-Party Data Providers)
    • Section 4.2 (Permitted Use)
    • Section 4.3 (Responsibility)
  • Exhibit C
    • Section 1 (Information Security)
    • Section 2 (Security Incident)
    • Section 3 (Background Investigation)
    • Section 4 (Insurance)
    • Section 5 (Subcontractors)
  • Exhibit D
    • Section 1 (EULA)
    • Section 2 (Data Requirements)
    • Section 3 (API Monitoring)
    • Section 4 (Data Hosting)
    • Section 5 (Data Use and Credentials)
    • Section 6 (Compliance; Audits)

This Dwolla Open Banking Services Agreement (the “Open Banking Services Agreement”) is a legally binding agreement between you and Dwolla, Inc. (“Dwolla”) and applies to your use of the Open Banking Services, as defined in this Agreement.

It is important that you read and understand this Open Banking Services Agreement as it governs your use of the Open Banking Services. You represent and warrant that you have the authority to accept this Open Banking Services Agreement on behalf of the legal entity you have registered at www.dwolla.com (“you”, “your” or “Client” throughout this Open Banking Services Agreement) and to provide any information that you share with Dwolla. By indicating your acceptance of this Open Banking Services Agreement or by executing an order form (“Order Form”) or other agreement that references this Open Banking Services Agreement, you agree to be bound by this Open Banking Services Agreement. If you do not accept this Open Banking Services Agreement, you must not access or use the Open Banking Services.

Dwolla offers software and services, as more fully described in this Open Banking Services Agreement, to facilitate the accessing of banking and financial data via Dwolla’s exchange session, which provides a Third-Party Service Provider’s link to a user interface the End User accesses to provide End User Data.  You retrieve the End User Data from the user interface that the End User has authorized to be shared with you and Dwolla through Dwolla’s application programming interface (“Dwolla API”). You desire to use these services to help streamline and improve your onboarding process on your platform, website and/or application (each, an “Application”). You and Dwolla agree the terms herein govern your use of Dwolla’s software and services. 

Dwolla may amend this Open Banking Services Agreement at any time by providing notice to you.  Notice may be provided to you on www.dwolla.com, on any other website maintained by Dwolla, by email or by any other reasonable means.  The amended Open Banking Services Agreement is effective when posted or as of the date indicated, and your continued use of the Open Banking Services constitutes your acceptance of any amended Open Banking Services Agreement.

The parties therefore agree as follows:

  1. Dwolla Opening Banking Services

    1. Description.The Open Banking Services is accessed through an API which will permit you to:
      A. Utilize Dwolla's service providers ("Third-Party Service Providers") to perform the Open Banking Services, as defined in Section 1.7 of Exhibit B below,") ordered by you through an Ordering Document;
      B. Upon successful authorization from End User, obtain specific details about End User and it's financial institution account through the Third-Party Service Provider; and
      C. Obtain certain information, which may include information about payment activity, Customers or End Users or External Parties.

  2. Account and Open Banking Services Access Requirements
    1. Authorization. As provided in Exhibit D below, incorporated herein by reference, you must obtain each End User’s agreement to the EULA prior to the use of or access to the Open Banking Services by the End User.
    2. Credentials. You are solely responsible for maintaining the security of your Dwolla credentials, including passwords, security codes, and any key and secret issued to you to permit access to the API used for the Open Banking Services (the “Credentials”). Prior to the date Dwolla makes the Open Banking Services available to you (the “Open Banking Services Go Live Date”), you will be responsible for paying the Implementation Fee (as listed in the Order Form), as applicable. You may not sell, transfer, sublicense or disclose the Credentials to any third party, other than third party service providers who need such information to perform services for you. You are solely responsible for any activity using the Credentials, including any losses or liability that may arise from you sharing or failing to secure the Credentials. 
    3. User Permissions. You may permit your employees, Your Affiliates, contractors, agents, or other third-party (each, an “Authorized User”) to access the Open Banking Services on your behalf. You will remain responsible for any actions taken by an Authorized User and for ensuring Authorized Users comply with the terms of this Open Banking Services Agreement. Authorized Users may only access or use the Open Banking Services for your internal business purposes and in accordance with this Open Banking Services Agreement. You are responsible for determining which Authorized Users may obtain access to certain features, functionality and data within the Open Banking Services. Dwolla is expressly permitted to rely on your creation of Authorized Users and user settings to release data or to initiate payments, if applicable, pursuant to instructions received through the Open Banking Services. Any third parties enabled as Authorized Users do not form any relationship with Dwolla and Dwolla will not be liable for any disputes, billing, or other matters between you and such Authorized User(s).
    4. Third Party Agreements. Dwolla does not guarantee the availability of access to or reliability of services from Third-Party Service Providers.

  3. Acceptable Use
    1. Compliance. You represent and warrant that your use of the Open Banking Services will only be for lawful and legitimate purposes and will at all times comply with: (a) all applicable federal, state, and local laws, rules, regulations, and guidance, including, without limitation, those governing payment services, consumer protections, privacy, and data security (“Applicable Law”); (b) this Open Banking Services Agreement; and (c) the Integration Requirements.
    2. Prohibitions. Without limiting the generality of Section 3.1, and in addition to any prohibitions and/or restrictions set out in Exhibit B, Dwolla Terms and Conditions for Third-Party Services and Products, incorporated herein by reference, you agree you will not and will not permit your Authorized Users to:
      A. License, sublicense, sell, resell, transfer, assign or distribute Open Banking Services without express written permission from Dwolla;
      B. Reverse engineer, disassemble, decompile, disable, copy, modify, or translate the Open Banking Services or any of its features, components, or elements or otherwise attempt to discover the source code of the Open Banking Services;
      C. Replicate and/or resell the Open Banking Services or create a competitive product or any product built using the ideas, features, functions, and other components of the Open Banking Services;
      D. Use the Open Banking Services for any purpose other than your legitimate internal business purposes;
      E. Use the Open Banking Services for any fraudulent, unlawful, deceptive, or abusive purposes or in any manner intended to harm an end user, Dwolla, or any third party; 
      F. Circumvent Dwolla’s intended limitations for any feature of the Open Banking Services; 
      G. Use the Open Banking Services in a manner inconsistent with any developer documentation, integration guidance, or other technical, policy, or other requirements communicated by Dwolla or posted on Dwolla’s website, each as may be updated from time to time (the “Integration Requirements”); or 
      H. Attempt any of the foregoing.

  4. Fees & Payment Terms
    1. Ordering Document. You agree to pay fees for the Open Banking Services in accordance with each Order Form or other document the parties may agree to for purchase of additional services which makes reference to this Open Banking Services Agreement (each an “Ordering Document”). In the event that you access and use any features or functionality not permitted on an Ordering Document, you understand this unauthorized use is cause for termination and agree to pay Dwolla’s current rate for such feature or functionality.
    2. Taxes. Fees are exclusive of all taxes, and you are responsible to pay any applicable taxes and may not withhold or offset payment of any fees to Dwolla to account for such tax obligations. You are solely responsible for paying and collecting any applicable taxes, duties, levies, or tariffs imposed with respect to your transactions initiated through the Open Banking Services. In the event Dwolla incurs a sales tax liability as a result of your sale of goods or services and/or Dwolla receives an assessment from a taxing authority directly attributable to your transaction activity, you will indemnify Dwolla for all taxes, interest, and penalties that may be assessed.

  5. Term and Termination
    1. Term. This Open Banking Services Agreement shall begin on the Effective Date and continue until terminated as set out in Section 5.2 below (the “Term”). 
    2. Termination. Either party may terminate this Open Banking Services Agreement and any Ordering Document(s) at any time by providing the other party with written notice.  Notwithstanding the foregoing, this Open Banking Services Agreement will remain in effect until the date when the last Ordering Document for the Open Banking Services hereunder has expired, was not renewed or terminated.  Notwithstanding anything to the contrary in this Open Banking Services Agreement and/or any Ordering Document, Dwolla may terminate this Open Banking Services Agreement and/or any Ordering Document for Open Banking Services: (a) if you fail to pay Fees or any other amounts owed under this Open Banking Services Agreement within ten (10) days of Dwolla sending notice to you that payment is owed; (b) immediately upon written notice to you in the event you violate this Open Banking Services Agreement or any other applicable Dwolla policy or agreement; (c) immediately upon written notice to you if your use of the Open Banking Services poses unacceptable risk, including but not limited to financial or data security risk, to Dwolla and/or its Third-Party Service Providers in Dwolla’s sole discretion; (d) immediately upon written notice to you in the event of the termination or suspension of Dwolla’s relationship with any or all of its Third-Party Service Providers and/or Dwolla no longer offers or provides any or all of the Open Banking Services; or (e) as otherwise provided in this Open Banking Services Agreement. 
    3. Effect of Termination. Upon termination or expiration of this Open Banking Services Agreement, you will: (a) immediately stop using the Open Banking Services; and (b) remove any associated Dwolla Marks, as defined in Section 9.1 below, from your application and/or website. Termination does not release you from any obligation to pay for fees due and payable to Dwolla at the time of termination. Any continued use of Open Banking Services by you after termination of this Open Banking Services Agreement will be subject to all terms herein, including without limitation any payment terms or fees agreed to in the corresponding Ordering Document.

  6. Security and Privacy
    1. Personal Information. You represent and warrant that you have obtained express consent to provide Dwolla any identifying information of individuals processed using Open Banking Services (“Client PII”). Dwolla agrees not to sell or share, retain, use, or disclose Client PII for any purpose other than providing Open Banking Services as described in this Open Banking Services Agreement or meeting regulatory obligations. Dwolla agrees to delete Client PII (a) upon termination or expiration of this Open Banking Services Agreement, or (b) upon written request from you if such information is not necessary for the provision of the Dwolla Open Banking Service(s). You agree you will not provide to Dwolla the information of any individual living in any jurisdiction other than the United States without written permission from Dwolla. If you instruct Dwolla to share any Client PII to a third party, you represent that such request is compliant with Applicable Law and your published privacy policy.
    2. Security. Each party agrees that it will, for the Term of the Open Banking Services Agreement, maintain commercially reasonable administrative, technical, and physical controls which are documented in writing, approved by senior management, and designed to protect and secure data against unauthorized use, access, or disclosure. Each party agrees to provide the other party with evidence to demonstrate compliance with this Section 6.2 upon written request. Dwolla may immediately suspend your access to the Open Banking Services if Dwolla determines that your use of the Open Banking Services poses an unacceptable security risk to Dwolla or its other clients. Each party agrees to promptly notify the other party of any event that it has reasonably determined compromised the security, integrity or confidentiality of the other party’s data provided under this Open Banking Services Agreement, including Client PII (“Security Event”). Such notice will include all known facts related to the Security Event and the data affected. The parties agree to cooperate in investigating, mitigating and remediating the Security Event.
    3. Audit.  Dwolla may audit, examine and otherwise monitor your compliance with this Open Banking Services Agreement and you agree to cooperate fully with any such audit.  Within 30 days of notice from Dwolla, you will provide to Dwolla or its third party auditor (either, a “Dwolla Auditor”) access to and assistance with: documents, records, reports, or other data, information or materials compiled, maintained, or otherwise available to the extent related to your compliance with this Open Banking Services Agreement and not prohibited from disclosure by Applicable Law.  If a Dwolla Auditor determines that you are not in compliance with this Open Banking Services Agreement, you will take appropriate action to remedy the non-compliance and will provide Dwolla with evidence of the steps taken to achieve compliance with the time frame agreed upon by the parties.
  7. Confidentiality
    1. Confidential Information Definition. “Confidential Information” means any type of information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”) under this Open Banking Services Agreement, regardless of the form of disclosure and which (a) is clearly marked as “confidential” or “proprietary” at the time of such disclosure, or (b) should, by its nature and the circumstances of disclosure, reasonably be understood to be confidential by Receiving Party. For clarity, all Feedback and Open Banking Services are Dwolla’s Confidential Information. Notwithstanding the foregoing, Confidential Information does not include information that was already in Receiving Party’s possession at the time of disclosure, as substantiated in writing, or enters the public domain without breach of this Open Banking Services Agreement.
    2. Confidentiality Obligation. Receiving Party must maintain the confidentiality of Disclosing Party’s Confidential Information in a commercially reasonable manner and in a manner no less stringent than the measures it employs to protect its own most confidential and proprietary information. Receiving Party must not use Disclosing Party’s Confidential Information for any purpose other than as necessary to perform Receiving Party’s obligations under this Open Banking Services Agreement. Receiving Party may disclose Confidential Information that is required to be disclosed pursuant to any statute, regulation, order, subpoena or document discovery request, or in response to an inquiry or request of any governmental or regulatory agency or self-regulatory organization, provided that, to the extent not prohibited, Receiving Party will notify Disclosing Party of such request as soon as practicable in order to afford Disclosing Party an opportunity to seek a protective order. Receiving Party’s obligation to maintain the confidentiality of Confidential Information will survive the termination or expiration of this Open Banking Services Agreement for any reason.

  8. Intellectual Property
    1. Dwolla API License. Dwolla grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access, use, and integrate the Open Banking Services into your services or payment technology in accordance with this Open Banking Services Agreement (“API License”). This API License may be immediately revoked or terminated by Dwolla if you share your Credentials in a manner not permitted by this Open Banking Services Agreement or that otherwise breaches this Open Banking Services Agreement. “Dwolla,” the Dwolla logo, and any other service marks, trademarks, logos or graphics used in Open Banking Services (“Dwolla Marks”) are trademarks, registered trademarks, or otherwise intellectual property of Dwolla and you do not obtain any right or license to the Dwolla Marks under this Open Banking Services Agreement. You may not remove or obscure any Dwolla Marks displayed or contained in Open Banking Services.
    2. Ownership. Dwolla is the exclusive owner of and retains all right, title, and interest to Open Banking Services provided by Dwolla, including but not limited to the Dwolla APIs; the Dwolla Dashboard; the exchange session(s); the applicable Dwolla software and technology and all modifications, enhancements, upgrades, and updates thereto; the Dwolla Marks; and all intellectual property rights therein and thereto (collectively, the “Dwolla IP”). There are no implied licenses under this Open Banking Services Agreement. Except as set out in this Open Banking Services Agreement, you will not acquire any rights in the foregoing and you will not copy, transmit, transfer, modify or create derivative works, reverse engineer, reverse compile, reverse assemble or otherwise determine or derive source code of the Dwolla IP, nor permit or authorize any third party to do any of the foregoing.
      A. Feedback. You may voluntarily provide suggestions or ideas for improvements or modifications to Open Banking Services (“Feedback”). Nothing in this Open Banking Services Agreement will prohibit Dwolla from using, profiting from, disclosing, publishing, or otherwise exploiting any Feedback, nor create any obligation to compensate you for the provision of Feedback.
    3. Insurance. In addition to the insurance requirements set out in Exhibit C below, incorporated herein by reference, you agree to obtain and maintain throughout the Term of this Open Banking Services Agreement insurance coverage that (a) meets industry standards and (b) is reasonably appropriate to your business profile, risks, and activities, including the use and disclosure of personally identifiable information. Such coverage must include cyber liability insurance.
    4. Indemnification. You agree to defend, indemnify and hold harmless Dwolla, its third party service providers and Dwolla and their respective officers, directors, employees, suppliers and agents from and against any and all third party claims, liabilities, damages, actions, proceedings, penalties, fines, costs, losses or expenses, including settlement amounts and reasonable attorneys' fees and costs, arising out of or in any way connected with your:  (i) access to or use of the Open Banking Services; (ii) negligence or willful misconduct;  (iii) actual or alleged violation of any third party rights, or any applicable laws, regulation or rules; (iv) violation or breach of this Open Banking Services Agreement; or (v) infringement, or infringement by any other user of your account, of any intellectual property or other right of anyone.
    5. Limited Warranty. YOU AGREE THAT YOUR USE OF THE OPEN BANKING SERVICES AND ALL INFORMATION AND CONTENT (INCLUDING THAT OF THIRD PARTIES) IS AT YOUR RISK AND IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. DWOLLA, AND ITS SERVICE PROVIDERS, DISCLAIM ALL WARRANTIES OF ANY KIND AS TO THE USE OF THE OPEN BANKING SERVICES, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. DWOLLA, AND ITS SERVICE PROVIDERS, MAKE NO WARRANTY THAT THE OPEN BANKING SERVICES (i) WILL MEET YOUR REQUIREMENTS, (ii) WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE SERVICES WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL OBTAINED BY YOU THROUGH THE OPEN BANKING SERVICES WILL MEET YOUR EXPECTATIONS, OR (v) ANY ERRORS IN THE OPEN BANKING SERVICES OR TECHNOLOGY WILL BE CORRECTED. ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE OPEN BANKING SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF SUCH MATERIAL. DWOLLA, ON BEHALF OF ITSELF AND ALL THIRD PARTY DATA PROVIDERS AND SERVICE PROVIDERS, EXPRESSLY DISCLAIMS ANY TYPE OF REPRESENTATION OR WARRANTY REGARDING THE AVAILABILITY OR RESPONSE TIME OF THE OPEN BANKING SERVICES OR CONTENT OR INFORMATION OBTAINED THROUGH THE OPEN BANKING SERVICES OR THAT SUCH ACCESS WILL BE UNINTERRUPTED OR ERROR-FREE AND, EXCEPT AS EXPRESSLY PROVIDED FOR HEREIN, EXPRESSLY DISCLAIMS THE ACCURACY, COMPLETENESS AND CURRENCY OF ALL INFORMATION COLLECTED ON YOUR BEHALF. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM DWOLLA OR ITS SERVICE PROVIDERS THROUGH OR FROM THE OPEN BANKING SERVICES WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.
    6. Limitation of Liability.  YOU AGREE THAT DWOLLA, ITS SERVICE PROVIDERS, AND DWOLLA’S AND THEIR RESPECTIVE OFFICERS, DIRECTORS, AGENTS, EMPLOYEES OR SUPPLIERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR EXEMPLARY DAMAGES OR LOSSES, INCLUDING, BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER LOSSES, EVEN IF DWOLLA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, RESULTING FROM (i) THIS OPEN BANKING SERVICES AGREEMENT; (ii) THE USE OR THE INABILITY TO USE OR THE UNAVAILABILITY OF THE OPEN BANKING SERVICES, INCLUDING AT DWOLLA’S WEBSITE/MOBILE APPLICATION/API OR OF ANY THIRD PARTY ACCOUNT PROVIDER'S WEBSITE/MOBILE APPLICATION; (ii) THE COST OF GETTING SUBSTITUTE GOODS AND SERVICES, (iii) ANY PRODUCTS, DATA, INFORMATION, GOODS OR SERVICES PURCHASED, RECEIVED, PAID FOR OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO, THROUGH OR FROM THE OPEN BANKING SERVICES, (iv) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSION OR DATA, (v) STATEMENTS OR CONDUCT OF ANYONE ON THE OPEN BANKING SERVICES, (vi) THE USE, INABILITY TO USE, UNAUTHORIZED USE, PERFORMANCE OR NON-PERFORMANCE OF ANY THIRD PARTY ACCOUNT PROVIDER SITE, EVEN IF THE PROVIDER HAS BEEN ADVISED PREVIOUSLY OF THE POSSIBILITY OF SUCH DAMAGES, OR (vii) ANY OTHER MATTER RELATING TO THE OPEN BANKING SERVICES. REGARDLESS, IN NO EVENT WILL DWOLLA’S LIABILITY UNDER THIS OPEN BANKING SERVICES AGREEMENT EXCEED THE FEES DWOLLA HAS RECEIVED FROM YOU UNDER THIS OPEN BANKING SERVICES AGREEMENT DURING THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO A CLAIM. THIS LIMITATION OF LIABILITY WILL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW.
    7. General.

      A. Marketing. You agree to participate in case studies upon written request by Dwolla. Further, you agree that Dwolla may include you in materials identifying you as a customer of Dwolla and a user of the Open Banking Services. You authorize Dwolla to use your name, website, logo, or other trademarks or service marks to identify you as a customer of Dwolla on the Dwolla website, marketing materials, and in public presentations. If you desire to opt out of being included in such communications and materials, you may notify Dwolla at marketing@dwolla.com. Upon receipt of and in accordance with such request, Dwolla will cease making references to you and make reasonable efforts to remove you from any already existing marketing materials.
      B. Customer Support for End Users.  You are solely responsible for providing customer support for your services to End Users and, if applicable, for any goods or services that are sold via your Application.  You must clearly disclose your support policy and publish your customer support contact information in an easily accessible manner within any Application through which you offer your services.  If your End User requests Dwolla’s customer support contact information, provide the following: support@dwolla.com and 1-888-289-8744.
      C. Dispute Resolution for End Users.  You are responsible for resolving all End User disputes related to your services (“Client Services End User Dispute”), including any Client Services End User Dispute communicated by an End User to Dwolla. Dwolla has no obligation nor any liability associated with a Client Services End User Dispute resolution policies and procedures.  You agree to provide Dwolla with any requested information regarding the status and/or resolution of a Client Services End User Dispute.  Dwolla has the right but no obligation to provide support to an End User that contacts Dwolla regarding a Client End User Dispute, and in such event, you must provide Dwolla with any information Dwolla reasonably requests for the purposes of assisting End User.
      D. Assignment. You may not assign your rights and obligations under this Open Banking Services Agreement without the prior written consent of Dwolla, which will not be unreasonably withheld. Dwolla may transfer or assign this Open Banking Services Agreement or any of its rights, obligations, or duties under this Open Banking Services Agreement at any time.
      E. Independent Contractor Relationship. You and Dwolla are independent contractors, and this Open Banking Services Agreement does not create any partnership, agency, or joint venture relationship between you and Dwolla. You may not and may not attempt to represent, warrant, or obligate Dwolla to any commitment with any third party.
      F. Force Majeure. Dwolla is not responsible for any failure to perform its obligations under this Open Banking Services Agreement during any period in which such performance is delayed by circumstances beyond its reasonable control, including, but not limited to, weather, fire, flood, earthquake, war, embargo, strike, riot, civil unrest, acts of terrorism, failure or interruption of public or private infrastructure, or the intervention of any government entity. In the event of such a failure, Dwolla’s obligations will be suspended until Dwolla is able to perform.
      G. Notices.  All notices to Dwolla must be sent by email to legal@dwolla.com. Notices to you may be sent to the email address set forth on the signature page.
      H. Governing Law; Waiver of Jury Trial. This Open Banking Services Agreement will be construed in accordance with, and governed by, the laws of the State of Iowa, without regard to its conflict of laws principles. You waive your right to a jury trial in any judicial proceeding involving any claim relating to or arising under this Open Banking Services Agreement.
      I. No Third Party Beneficiaries. This Open Banking Services Agreement is intended for the exclusive benefit of you and Dwolla and not intended to benefit any third party.
      J. Entire Agreement, Conflicts, No Waiver, Construction. This Open Banking Services Agreement and any documents incorporated by reference, constitute the entire agreement between the parties. Any failure by Dwolla to enforce any right or provision of this Open Banking Services Agreement will not constitute a waiver of such right or provision. If any provision of this Open Banking Services Agreement is held to be invalid or unenforceable, such provision will be interpreted to fulfill its intended purpose to the maximum extent permitted by law, and the remaining provisions will remain in full force and effect. All provisions of this Open Banking Services Agreement that by their nature are intended to survive termination or expiration of this Open Banking Services Agreement will survive termination of this Open Banking Services Agreement for any reasons. No provision of this Open Banking Services Agreement will be construed against a party by reason of that party drafting such provision.

Exhibit B
Dwolla Terms and Conditions for Third-Party Open Banking Services and Products

This Dwolla Terms and Conditions for Open Banking Third Party Services and Products Exhibit (“Open Banking Services Exhibit”) applies to your use of the Open Banking Services provided to you through one of Dwolla’s Third-Party Service Providers (as defined below).   Hereinafter “you” “your” or “Client” means the Client and “us” “we” “our” or “Dwolla” refers to Dwolla, Inc. (protecting its third-party service provider).

  1. DEFINITIONS
    1. “Anonymous & Aggregated Data” means End User Data and information that is anonymized and aggregated  with similar data and information to the extent that the original End User Data and information is no longer attributable to Dwolla, you, or to any specific End Use, so it meets the prevailing standard of “De-identified” as set out in Applicable Law. The parties to this Open Banking Services Agreement may use any Anonymous & Aggregated Data that is generated by the Open Banking Services or derived from your use of the Services in accordance with the Privacy Laws and each party’s respective privacy policy. 
    2. “Balance Check” means an Open Banking Service ordered by you that you can use to periodically gather account balances in an account without collecting transaction data.  Account types accessed include depository accounts. You can retrieve these account balances using an API request to help ensure your End Users have the appropriate funds.
    3. Customer” means your end user that has opened a Customer Account.
    4. Customer Account” means an account that has been opened by an End User through the Dwolla Platform Services (as defined in the Dwolla Platform Agreement) through your Application and that you manage through your Application.

    5. Destroy” means to delete or destroy information using data destruction procedures that meet or exceed the NIST Special Publication 800-88 Guidelines for Media Sanitization.

    6. "Documentation” means the Third-Party Service Provider Materials, Third-Party Service Provider User Guide and applicable Spec Sheet(s).
    7. “End User” mean an individual who is a Customer who is at least 18 years old and a resident of the United States or a Receive-Only User who is authorized by you to use or access the Open Banking Services and who has (i) been supplied an identification and password by you or at your direction or (ii) for whom a unique user record is created by or authorized to be created by you within the Open Banking Services. 
    8. “End User Data” means End User’s login, password, transaction data, account number, any other authentication information required by Third-Party Service Provider or End User’s financial institution, and any other data, in each case received through the Services.  For the avoidance of doubt, End User Data includes Personal Information.
    9. “End User Request” means any request by an individual (or by another person acting on behalf of an individual), including End Users (as defined in this Open Banking Services Agreement), to exercise a right under any Privacy Laws, or any other complaint or inquiry or similar communication about the use of services that are based on the Open Banking Services.
    10. Instant Account Verification (without identity check)” means an Open Banking Service ordered by you that accesses financial account information, including account and routing numbers, for direct deposit accounts such as checking, savings, and money market accounts.
    11. “Marks” means the trademarks, marks, logos, trade names, and service marks owned or licensed by a party.
    12. “Nonpublic Personal Information” means personally identifiable financial information as defined under  Regulation P, 12 C.F.R. 216, or the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., any End User Data that is protected as “personal data”, "personally identifiable information" or “personal information" under Privacy Laws, including any and all information that (alone or when used in combination with other information) is capable of being associated with, or could reasonably be associated with an individual, or information otherwise considered privileged, confidential, private, nonpublic or personal given protected status under applicable law. 
    13. “Open Banking Services” means Instant Account Verification, Balance Check, and the other products and services ordered by you through an Ordering Document to which these terms apply and are made  available by Third-Party Service Provider through its online, web-based application or mobile components via designated websites, IP  addresses, application programming interface(s), or other means. 
    14. “Privacy Law” means any applicable law, regulation, rule or other mandatory legal obligation which regulates the Processing of Nonpublic Personal Information or that otherwise relates to data protection, data security or Personal Data Breach notification obligations for Nonpublic Personal Information, including (without limitation and only as applicable between the parties) the U.S. Gramm-Leach Bliley Act (GLBA); the GDPR, the UK GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; the California Consumer Privacy Act (CCPA) as amended, superseded or updated from time to time and similar law.
    15. “Processing” means any operation or set of operations that is performed upon Nonpublic Personal Information or on sets of Nonpublic Personal Information, whether or not by automated means, such as collection, recording, structuring, storage, alteration, accessing, consultation, use, copying, disclosure, combination, de-dentification, redaction, erasure or destruction.  (“Process”, “Processes” and “Processed” are construed accordingly).
    16. “Receive Only User” means an individual who is a resident of the United States and is at least 13 years old and has obtained parental permission if under 18 to receive funds that uses the payment services you offer through your website and/or mobile application who may only receive payments and does not create a Dwolla account.
    17. “Spec Sheet” means a document provided by Dwolla or Third-Party Service Provider that describes the work by Third-Party Service Provider and you that is necessary to configure the Open Banking Services purchased by you in an Ordering Document.
    18. “Service Provider” means any third-party entity which provides End User Data or other data to a Third-Party Service Provider for use in the Open Banking Services pursuant to a contractual agreement.
    19. "Third-Party Data Provider” means any third-party entity, including financial institutions, which provides End User Data or other data to Dwolla or Dwolla’s technology providers, or Third-Party Data Provider, for use in the Open Banking Services.
    20. "Third-Party Service Provider(s)” means a third-party entity that provides the Open Banking Services or professional services.
    21. "Third-Party Service Provider Materials” means any materials that Third-Party Service Provider provides to you as part of, or in the course of providing, the Open Banking Services or professional services including implementation materials provided through Third-Party Service Provider’s developer portal or through Dwolla.
    22. “Third-Party Service Provider Privacy Policy” means Third-Party Service Provider’s privacy policies describing Third-Party Service Providers’ processing of End User Data and Nonpublic Personal Information, as amended from time to time.
    23. "Third-Party Service Provider Technology” means technology owned by Third-Party Service Provider or licensed to Third-Party Service Provider by a third-party (including the Open Banking Services, professional services, software tools, algorithms, software (in source and object forms), user interface  designs, architecture, toolkits, plug-ins, objects and Documentation, network designs, processes, know-how,  methodologies, trade secrets, and any related intellectual property rights throughout the world) and feedback made to Third-Party Service Provider that are incorporated into any of the foregoing (which are hereby irrevocably assigned to Third-Party Service Provider),  as well as any of the modifications or extensions of the above, whenever or wherever developed.
    24. “Third-Party Service Provider User Guide” means the applicable user guides, frequently asked questions, help, and other  documentation provided by Third-Party Service Provider to you including such documentation provided through Dwolla. For some Third-Party Service Provider products, additional guidance is accessible from within the Open Banking Services under the “help” menu. 
    25. "Your Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with you. “Control”, for purposes of this definition, means direct or indirect  ownership or control of more than 50% of the voting interests of the subject entity.

  2. LICENSE AND RESTRICTIONS
    1. License Grant. Subject to, and except as explicitly set forth in, the terms of this Open Banking Services Exhibit, Dwolla grants you a non-exclusive and non-transferable right, solely during the Term:
      (A) to permit authorized End Users to access and use the Open Banking Services;
      (B) to use the Open Banking Services in accordance with the Documentation and Integration Requirements and solely for your internal  business purposes; and 
      (C) to use the Third-Party Service Provider Materials solely in conjunction with your authorized use of the Open Banking Services.
    2. Restrictions. All rights not expressly granted to you hereunder are reserved by Dwolla and Third-Party Service Provider. You agree that you must not, and must not permit or authorize any third party (including but not limited to End  Users) to: 
      (A) use the Open Banking Services in (i) violation of any Applicable Law or regulatory guideline or for fraudulent purposes, or (ii) a manner that would cause a material risk to the security or operations of Dwolla or any of its clients or partners, Third-Party Service Provider or any if its clients, or to the continued normal operation of other Dwolla or Third-Party Service Provider clients;
      (B) copy, sublicense, sell, resell, rent, lease, transfer, assign, distribute, license, distribute, publish or publicly display, modify, duplicate, create derivative works from, translate, frame, scrape, mirror, republish, download, display, transmit, disassemble, decompile, reverse engineer all or any portion of the Open Banking Services, time share or otherwise commercially exploit or attempt to derive source code of the Open Banking Services or make the Open Banking Services available to any third  party, other than to End Users or as otherwise contemplated by this Open Banking Services Agreement; 
      (C) attempt to gain unauthorized access to the Open Banking Services or their related systems or networks, or modify, create derivative works of, adapt, translate, reverse engineer (including monitoring or accessing inputs or output flowing through a system or an application), decompile, or otherwise attempt to discover within any Third-Party Service Provider Technology, the source code, data representations, or underlying algorithms, processes  and methods. (This restriction will not apply to the extent it limits any non-waivable right you may enjoy under Applicable Law); 
      (D) access the Open Banking Services in order to build a competitive product or service, or copy any ideas, features,  functions or graphics of the Open Banking Services; 
      (E) frame, scrape, link to, republish, download, display, transmit, or mirror any content forming part of the Open Banking Services, other than on your own intranets or otherwise for your own internal business purposes; 
      (F) remove, obscure, or alter any copyright, trademark or other proprietary notices associated with the Open Banking Services, Third-Party Service Provider Materials or SDKs; 
      (G) use End User Data obtained through the Open Banking Services in any way as, or as part of, a consumer report as that term is defined by the Fair Credit Reporting Act 15 U.S.C. §1681(“FCRA”); 
      (H) process through Open Banking Services or share with Third-Party Service Provider any data that falls under the protections of the Health Insurance Portability  and Accountability Act of 1996 or the Washington My Health My Data Act.  You shall promptly notify Dwolla and/or Third-Party Service Provider, as applicable, if you inadvertently process or share data in breach of this provision;
      (I) circumvent, disable, or stress test any security or other technological features of the Open Banking Services or the systems of any Third-Party Data Provider through which End User Data is sourced;  
      (J) re-identify or attempt to re-identify Anonymous & Aggregated Data End User Data provided in a de-identified form;
      (K) knowingly use the Open Banking Services to send or store infringing, obscene, threatening, libelous, or other unlawful or tortious material, including, without limitation, material harmful to or that causes damage to any property or violative of any person’s or third-party’s privacy rights or in any manner that encourages, supports or promotes illegal activities or unlawful gambling;
      (L) use the Open Banking Services or any Third-Party Data Provider systems in any manner to provide service bureau, time sharing or other computer services to third parties, except where necessary to use the Open Banking Services; that would cause a material risk to the security or operations of Third-Party Data Providers, or that would constitute excessive or abusive usage;
      (M) intentionally or knowingly upload to the Open Banking Services or use the Open Banking Services to intentionally send or store viruses, worms, time bombs, trojan horses, or any other harmful or malicious code, files, scripts, agents or programs;
      (N) conduct any platform or system level testing of the Open Banking Services, including, without limitation, load or security testing, without first obtaining Third-Party Service Provider’s written consent.
      (O) sell, rent, lease, loan, license, distribute, publish or publicly display, copy, modify, duplicate, create derivate works from, translate, frame, scrape, mirror, republish, download, display, transmit, disassemble, decompile, reverse engineer all or any portion of, or otherwise attempt to derive source code of the Third-Party Data Provider services; or 
      (P) You shall not identify by name any Third-Party Service Provider or Third-Party Data Provider in: any press release, statements to the media, social media postings, or public disclosure except as otherwise expressly authorized or permitted in this Open Banking Services Agreement.
  3. THIRD PARTIES.
    1. Third-Party Providers. You are responsible for complying with any applicable terms and conditions of any third-party products, services, and platforms you use in conjunction with the Open Banking Services, which are not provided by Dwolla or Third-Party Service Provider as part of the Open Banking Services. 
    2. Your Third-Party Access. 
      (A) Use by Your Affiliates. Subject to their compliance with the terms of this Open Banking Services Exhibit, your Affiliates may use and access the Open Banking Services, Documentation or End User Data. 
      (B) Outsourcing and Third-Party Access. You may allow your third-party contractor to operate, use or access the Open Banking Services or End User Data solely on your behalf, provided such use or access is only for your direct beneficial business purposes. 
      (C) Responsibility for Third-Party Access. You acknowledge and agree that you are solely responsible for ensuring that any of Your Affiliates, contractors, agents, or other third-party operating, using or accessing the Open Banking Services or End User Data on your behalf assumes and complies with the obligations flowed down to you under this Open Banking Services Agreement.
      (D) Your Responsibility. You are responsible and liable for the acts or omissions of Your Affiliates and all third parties authorized by you to access the Open Banking Services, Integration Requirements, Documentation, or End User Data as if they were your own acts or omissions. 
    3. Third-Party Data Providers
      (A) You acknowledge that End User Data may be sourced from Third-Party Data Providers, and such parties may be required by Applicable Law or regulatory enforcement to oversee recipients of End User Data. You agree to cooperate with any reasonable requests of Dwolla, Third-Party Service Provider or such Third-Party Data Providers to attest or otherwise certify to your compliance with Applicable Law or this Open Banking Services Agreement.
      (B) You acknowledge that End User Data may include Nonpublic Personal Information and you agree to protect that End User Data as detailed in the Data Protection Terms set out in Exhibit C, which is incorporated herein by reference.
      (C) You acknowledge that End User Data you source from Third-Party Data Providers carries with it the obligations detailed in the Third-Party Data Provider Terms set out in Exhibit D, and you agree to  comply with therewith.

  4. CONSUMER DATA OWNERSHIP, PERMITTED USES, AND RESPONSIBILITY
    1. Ownership. As between Dwolla and you, you own (or where applicable), must ensure you have a valid license to use) the End User Data.
    2. Permitted Use. You grant Dwolla and, through Dwolla, Third-Party Service Provider:
      (A) a non-exclusive, worldwide, royalty free license to reproduce, display, adapt, enhance, aggregate,  transmit, distribute and otherwise use and access the End User Data as necessary or reasonable to provide the Open Banking Services and to generate Anonymous & Aggregated Data; 
      (B) a non-exclusive, royalty free, revocable, limited license, during the term of this Open Banking Services Agreement, to use your trademarks, marks, logos, trade names and service marks owned or leased by you (“Your Marks”), and to sublicense the same to Service Provider(s) and Third-Party Data Providers, for the sole purpose of providing the Open Banking Services (e.g., identifying you to End Users as a source or recipient of End User Data, or rebranding of the Open Banking Services in those scenarios where you have licensed such white-labeled rights, if applicable). Dwolla, Third-Party Service Provider and/or you will use Your Marks and will require that any Third Party Data Provider use Your Marks in compliance with any reasonable trademark use policies you may promulgate from time to time and provide to Dwolla in writing; and 
      (C) a non-exclusive, royalty free, worldwide, transferrable, sublicensable, perpetual and irrevocable license to reproduce, display, adapt, enhance, transmit, distribute and otherwise use Anonymous &  Aggregated Data. 
    3. Responsibility.
      (A) End User Consent.
                  (i) You must only request End User Data through the Open Banking Services that is expressly consented to by the End User or reasonably necessary to provide the End User’s requested product or service.  You shall provide all notices and obtain all consents in the form and substance required under Privacy Laws to enable Dwolla and Third-Party Service Provider to lawfully Process End User Data.  Your consent may not include a technology solution that automatically enrolls an End User into an agreement without such End User taking an express action.  You shall, and shall ensure that all third parties to whom you provide access to End User Data, (i) Process and disclose End User Data solely in accordance with Applicable Laws, this Open Banking Services Agreement, your privacy policy, Third-Party Service Provider’s privacy policies and the End User’s consent, and (ii) limit collection, use, and retention of End User Data to what is reasonably necessary to provide the End User’s requested product or service.
          (ii) Your disclosures to End Users shall (i) be clear, conspicuous, segregated from other material, and present in valid and enforceable terms and conditions, (ii) include the categories of End User Data being collected and processed, the categories of data recipients, a description of how End User Data will be used, accessed, shared or sold, and any other terms or disclosures required by Applicable Law, (iii) disclose to the End User any use by you of Anonymous & Aggregated Data, including Processing related to derivatives, compilations or combinations of End User Data, any anonymization and/or de-identification of End Use Data, and any aggregation of End User Data with other data, (iv) inform End USers that the End User Data does not represent an official record of the End User’s account with its financial institution, (v) state that you are acting independently and that the End User’s financial institution has no responsibility or liability with respect to your service or application, and (vi) describe how the End User may exercise their privacy right.
          (iii) If you both access End User Data and initiate payments, you must obtain separate and distinct consents from End User for these separate activities. 
          (iv) You shall maintain such systems and procedures as may be reasonably necessary or otherwise required by Dwolla or Third-Party Service Provider (consistent with Applicable Law and industry best practices) to actively track,  monitor and document such End User consent and any revocation thereof. You shall maintain records that, at a minimum, (i) include the scope of the consent and related disclosures, covered data elements, the date the End User provided consent, the consent effective date, and the consent expiration or termination date, and, to the extent required by Applicable Law, any consent and disclosure elements described under the applicable sections of this Exhibit B; (ii) are maintained in a system log or database that ensures completeness and integrity of records.  Upon request, you will provide copies, or acceptable evidence, of such consents and disclosures.   
          (iv) Third-Party Service Provider, End User’s Financial Institution and/or Dwolla will suspend your access to a specific End User’s data if such End User revokes consent with you, Third-Party Service Provider or the financial institution.  Third-Party Service Provider or a Third Party Data Provider may also require End Users to re-authenticate their consent upon (i) a Security Event impacting such End User, (ii) a change in the End User terms and conditions of you, Third-Party Service Provider, Third Party Data Provider that requires a new consent to be obtained; or (iii) the end of a specific period of time as required under Applicable Law or by the Third Party Data Provider’s policies Consents You shall limit the duration of your collection of End User Data to the maximum period permitted under Applicable Law, or as consented by the End User (whichever is shorter) and, prior to or following the expiration of such period, shall obtain a new consent from the End User to continue or resume, as applicable, collection and Processing of the End User’s data.
      (B) End User Control. You must provide End Users with a simple and readily accessible method to revoke consent in accordance with applicable Privacy Laws and may not charge fees or penalties to End Users for exercising their rights to revoke consent.  You shall notify Dwolla and/or Third-Party Service Provider, as applicable, (including with information sufficient to enable Third-Party Service Provider to notify its Third Party Data Providers, as necessary) and any other third party required to be notified by you under Applicable Law, promptly upon receiving an End User’s consent revocation. Upon such revocation, you shall cease all attempts to access the applicable End User Data, and shall no longer use or retain any previously collected End User Data unless reasonably necessary to provide the End User’s requested product or service.
      (C) End User Data Access. Dwolla may provide a list of Internet Protocol addresses (“IP Addresses”) to Third-Party Service Provider from  which Third-Party Service Provider may access End User Data from you on behalf of End Users. Dwolla may update the provided list from time to time. You must not block or otherwise obstruct  Third-Party Service Provider and/or Dwolla from accessing End User Data using the IP Addresses in the provided list.
      (D) Representations.  You will not: (i) make representations or other statements with respect to Nonpublic Personal Information that are contrary to or otherwise inconsistent with Third-Party Service Provider’s privacy policy or (ii) interfere with any independent efforts by Third-Party Service Provider to provide End User notice or obtain End User consent.
      (E) End User Requests. 
          (i) End User Requests.  You shall use the technical controls provided by Third-Party Service Provider through its API and/or the Dwolla Account in order to comply with your obligations to access, retrieve, correct and Destroy End User Data per an End User Request. The parties shall, taking into account the nature of the Processing, cooperate in good faith and provide reasonable assistance to each other in complying with End User Requests.
          (ii) Requests to Customers. You shall respond to and fulfill End User Requests, as applicable, made directly to you by an End User or on behalf of an End User in accordance with Privacy Laws.
          (iii) Requests to Third-Party Service Provider.  Third-Party Service will, as applicable, respond to End User Requests made directly to Third-Party Service Provider in accordance with Privacy Laws provided that Third-Party Service Provider is able to identify the End User. If Third-Party Service Provider is not able to identify the End User or the End User Request has been escalated for any reason, Third-Party Service Provider will advise the End User to contact the Third-Party Service Provider that provides services to the End User.  You shall be responsible for identifying any such End Users that contact you to exercise End User Requests and providing Third-Party Service Provider with information sufficient to allow Third-Party Service Provider to identify the End User and fulfill the End User Request as regards the data held by Third-Party Service Provider.
          (iv) Suspension of Access.  Third-Party Service Provider and/or Dwolla will have the right to engage with the End User directly regarding any End User Requests and will have the right to suspend your access to any End User Data at any time to address such End User Request.
      (F) Information and Assistance.  Upon written request, you will provide Dwolla, Third-Party Service Provider and/or Third Party Data Provider with information reasonably needed to demonstrate compliance with the obligations in Exhibit B, C and D and the Privacy Laws.  You shall provide reasonable assistance in fulfilling legal obligations under Applicable Law, including Privacy Laws (including contributing to data protection impact assessments and consultations with supervisory authorities.
  5. Suspension. Dwolla and/or Third-Party Service Provider will have the right to suspend your Open Banking Services account or your access, in whole or in part, to the Open Banking Services  and any End User Data upon reasonable, good-faith belief that:
    (A) you are acting in an unauthorized manner with respect to your access to the Open Banking Services or any End User Data; 
    (B) there is a material risk to the security or integrity of the Open Banking Services, the End User Data, or any systems of Dwolla, Dwolla’s technology providers, any Third-Party Data Provider, or you; or 
    (C) suspending access is reasonably necessary to prevent harm to the business or reputation of  Dwolla, a Dwolla technology provider, any Third-Party Data Provider, and/or their respective  customers. 

Your use of the Open Banking Services may be limited if your Open Banking Services account or access to your Open Banking Services is suspended. Any suspension will be reasonably limited in scope. Unless prohibited by Applicable Law, Dwolla will use reasonable efforts to provide timely notice of the suspension to you, including a description of the scope and reasons for the suspension. Such notice may occur after the suspension or restriction has occurred. Dwolla may also, in its reasonable discretion, contact any End User for Dwolla’s purposes, including fraud investigation and/or risk management purposes. If Dwolla contacts an End User for such purposes, Dwolla will notify you to the extent permissible under Applicable Law. The Parties will cooperate in good faith to remediate the reason for any suspension. Upon resolution of the issue causing the suspension, Dwolla will promptly permit you to resume using the Open Banking Services.


Exhibit C
Data Protection Terms
 
  1. INFORMATION SECURITY
    In connection with this Open Banking Services Agreement, you may have access to and/or be provided with information concerning End Users and their past or present accounts including End User Data, other information falling within the definition of Nonpublic Personal Information, or Confidential Information. In connection with all such End User Data, Nonpublic Personal Information and Confidential Information, you must: 
    1. handle, keep, maintain and secure from others the Nonpublic Personal Information, End User Data, and Confidential Information to which you have access or are provided, with the utmost of care and confidentiality. In no event will you take precautions any less stringent than those employed to protect your own proprietary and confidential information;
    2. only in connection with the provisions of this Open Banking Services Agreement, allow the Nonpublic Personal Information and End User Data to be accessed and used by your Personnel, including subcontractors, only in connection with the provisions of this Open Banking Services Agreement and ensure that all Personnel, including subcontractors, have agreed to maintain the confidentiality of the End User Data, Nonpublic Personal Information and Confidential Information; 
    3. not share, disclose, provide or permit access to any Nonpublic Personal Information or End User Data by any other person or entity, except as permitted hereunder or as permitted by the applicable End User;
    4. with respect to any third party provided access to Nonpublic Personal Information or Confidential Information, enter into a written agreement with such third party requiring safeguarding of Nonpublic Personal Information, End User Data or Confidential Information in a manner no less restrictive than your obligations under this Open Banking Services Agreement;
    5. implement appropriate safeguards and programs (including, but not limited to security controls such as physical and logical access, configuration and change management processes, data encryption, strong authentication, vulnerability and risk management (including regular vulnerability assessments and required remediation timelines for identified vulnerabilities), asset management, media protection, application security, network security monitoring and logging to detect unauthorized access to, use of, or tampering with End User Data, intrusion detection, security event monitoring and alerting, internal and external security program audits, security incident detection and response, and employee security training) consistent with best practices in the financial services industry and all Applicable Law, designed to help ensure the security and confidentiality of Nonpublic Personal Information and to protect against unauthorized access to or use of Nonpublic Personal Information that could result in substantial harm and measurable damage to End User, Dwolla or Third-Party Service Provider; 
    6. establish and maintain a written information security program that is consistent with applicable law and regulation including Section 501 of the GLBA, or if you are not subject to Section 501 of the GLBA, 16 CFT part 314 (the Federal Trade Commission’s Standards for Safeguarding Customer Information) as well as generally accepted industry standards, including “Generally Accepted Principles and Practices for Securing Information and Technology Systems” (GAPPs) issued by the National Institute of Standards & Technology and/or the ISO 27000, to safeguard against the unauthorized disclosure, destruction, loss, or alteration of End User Data. At a minimum, your written information security program will be designed to: (i) ensure the security, integrity, and confidentiality of all End User Data; (ii) detect patterns, practices, or specific activity that indicates the possible existence of identity theft or other threats or hazards to the security or integrity of End User Data; (iii) protect against unauthorized access, interception, use, or disclosure of End User Data; (iv) ensure that all transfers of End User Data are accomplished in a secure and confidential manner and in compliance with best practices in the financial services industry and latest industry encryption standards, including encryption of all End User Data at rest and in transit, using commercially reasonable encryption; (v) ensure the secure disposal of End User Data, where applicable; (vi) inventory information systems that contain End User Data or are otherwise critical to achieving business purposes; (vii) implement appropriate risk-informed identity and access management, implementing the principles of least privilege and need-to-know; (viii) ensure multi-factor authentication for access to any information system containing End User Data except where a reasonably equivalent or more secure access control has been approved; and (ix) execute regular vulnerability assessments and required remediation timelines for identified vulnerabilities;
    7. notify the affected party of any known unauthorized access to or use of Nonpublic Personal Information, as soon as is practicable, after confirmation of such event;
    8. disclose, if you learn of any vulnerability affecting or reasonably believed to affect a Dwolla, Third-Party Service Provider or Third Party Data Provider system within the scope of this  Open Banking Services Agreement, the vulnerability to Dwolla or Third-Party Service Provider, as applicable.  You shall not make any public disclosures regarding such vulnerability which identify Dwolla, Third-Party Service Provider or Third Party Data Provider by name or Marks, or other information which may reasonably allow a third party to associate Dwolla, Third-Party Service Provider or Third Party Data Provider with the vulnerability.
    9. identify and assess reasonably foreseeable threats to the security of Nonpublic Personal Information or End User Data and adjust security mechanisms to address new threats; and
    10. maintain on all of its systems on which End User Data is accessed, stored, used or otherwise processed (i) real-time intrusion detection systems, and (ii) up-to-date and reputable antivirus software and/or other commensurate anti-malware tools and applications. Without limiting your obligations under Section 3 (Security Incident), you must promptly report any patterns, practices, or specific activity detected with respect to your or Dwolla’s systems that may indicate the possible existence of identity theft, and must take appropriate steps to prevent or mitigate the same.

  2. SECURITY INCIDENT
    1. Notification. You will promptly (and in any event, within 48 hours of discovery) notify Dwolla and/or Third-Party Service Provider, as applicable, of a Security Incident (as defined below). Such notice must include a detailed description of the Security Incident, and any other information Dwolla may reasonably request concerning the Security Incident, including, without limitation, the number of records, types of information, and number of End Users impacted by the Security Incident, the known or suspected causes of the Security Incident, any actual or anticipated impact on Dwolla or its customers, and remediation plans. You will maintain records of all actual or suspected Security Incidents consistent with security best practices in the financial services industry and will make such reports available to Dwolla upon request. 
    2. Mitigation. You agree to promptly and at your own cost and expense investigate and take all reasonable measures necessary or advisable to mitigate the effects of and remedy any Security Incident, including, where appropriate and without limitation, providing credit monitoring services and related call center or similar support activities to impacted parties.
    3. Reasonable Assistance. You further agree to fully cooperate with and provide all reasonable assistance to Dwolla in regard to its investigation of any Security Incident and agrees to provide any information available that Dwolla reasonably needs to comply with its obligations under Privacy Law. Without limiting the generality of the foregoing, you will cooperate with Dwolla in determining its legal obligations with respect to notification of End Users, regulators, and/or law enforcement, if any, and you agree to provide any documentation in your possession which is necessary for Dwolla to issue required or advisable notifications or communications.
    4. Disclosure. Unless otherwise required by Applicable Law or pursuant to an agreement with an unrelated third party, you will not (and will ensure that each of your representatives and agents do not) inform or make any statements to any unrelated third party of any Security Incident without first obtaining Dwolla’s prior written consent. Where any disclosure of a Security Incident is required by Applicable Law, you will use commercially reasonable efforts to obtain Dwolla’s approval regarding such disclosure.
    5. Dispute Management. You must notify Dwolla within 48 hours after receiving confirmation of or receiving any complaint alleging known or reasonably suspected improper or unauthorized access or use of End User Data. You will be responsible for managing all disputes or issues raised by an End User with respect to any of your applications; provided, however, that Dwolla, Third-Party Service Provider and/or Service Provider may, at its option, as applicable, engage directly with any End User with respect to issues or complaints relating to the authorized access or use of End User Data, and may take all steps deemed necessary by Dwolla, Third-Party Service Provider or Service Provider to resolve such issues or complaints, including, without limitation, terminating access to the Open Banking Services and/or to any End User Data. Notwithstanding the foregoing, you acknowledge and agree that you will remain responsible for any unauthorized access or use of End User Data once it has been accessed through the Open Banking Services, is in your possession or control, or thereafter.
    6. Definition. For purposes of this Open Banking Services Agreement, “Security Incident” will mean any actual or reasonably suspected breach, incident or other event that compromises (or would be reasonably likely to result in a compromise of) the security, integrity or confidentiality of the End User Data, Dwolla’s or Third-Party Service Provider’s Confidential Information, or Confidential Information of Dwolla or Third-Party Service Provider held by your third party service providers that handle or otherwise process End User Data, or that otherwise results in (or that would be reasonably likely to result in) the unauthorized access, use, disclosure or loss of End User Data, Dwolla’s or Third-Party Service Provider’s Confidential Information, or Confidential Information of Dwolla or Third-Party Service Provider held by your third party service providers that handle or otherwise process End User Data, including Nonpublic Personal Information and any non-public Documentation. 

  3. BACKGROUND INVESTIGATIONS. During the Term hereof and for such period thereafter as you will retain possession or control of End User Data, you will maintain comprehensive hiring and employment policies and procedures designed to ensure that all of your personnel with access to the Open Banking Services or to any End User Data possess appropriate character, disposition and honesty. In connection with the foregoing, you must, to the extent permitted by Applicable Law, conduct at your expense pre-employment background checks and other investigations of your employees and other personnel that may obtain access to the Open Banking Services or End User Data prior to their accessing the Open Banking Services or End User Data. Such background checks and investigations must include, but are not limited to: (a) confirmation of identity and personal information; (b) felony and misdemeanor and national criminal searches (where permissible); and (c) confirmation the individual is not on the Specially Designated Nationals (SDNs) list published by the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) (or national equivalent) and global sanctions enforcement searches. You must not permit any of your employees or other personnel to access the Open Banking Services or End User Data until such individual has passed the outlined background screening. You will not permit any employee or other personnel who has been formally charged with a crime that is a dishonest act or breach of trust as set forth in Section 19 of the Federal Deposit Insurance Act, or who you know has otherwise engaged in any material act of dishonesty or breach of trust, to access or use the Open Banking Services or End User Data, in accordance with all applicable federal, state, and local law. You must reasonably cooperate with any investigation undertaken by Dwolla and/or Third-Party Service Provider with respect to any act of dishonesty, breach of trust, or violation of law by any of you employees or personnel with respect to the Open Banking Services or the End User Data. 

  4. INSURANCE. You must obtain and maintain at your own expense, throughout the Term and for a period of two years thereafter, (a) sufficient insurance coverage for your business, your activities hereunder, and any reasonably anticipated risks; and (b) without limiting the foregoing, as applicable (1) Commercial General Liability Insurance, (2) Crime Insurance (Employee Dishonesty), and (3) with limits of not less than five million dollars per claim, Professional Liability, Cyber Risk/Data Security and Privacy Liability Insurance covering claims (and any associated costs and damages, including acts, errors and omissions, data breach investigation, data breach notification and credit monitoring costs) arising from: (i) breaches of computer systems and data security, (ii) violations of any privacy right, (iii) breaches of data privacy and data security laws and regulations, (iv) breach of PCI-DSS or any similar rules promulgated by the PCI Council, and (v) data theft, damage, destruction, or corruption, including unauthorized access, unauthorized use, identity theft, theft of personally identifiable information, and transmission of a computer virus or other type of malicious code.  For the avoidance of doubt, your insurance coverage shall not limit your liability as set forth under this Open Banking Services Agreement.

  5. SUBCONTRACTORS.
    1. You will require any subcontractor who Processes or has access to End User Data or Third-Party Data Provider Confidential Information to comply with requirements substantially equivalent to your obligations under this Open Banking Services Agreement, as applicable to the scope and nature of such subcontractor’s work.
    2. Upon Third-Party Service Provider’s request, you shall provide a list of all subcontractors (a) if necessary for Dwolla, Third-Party Service Provider or any Third-Party Data Provider to comply with the request of a regulator, or (b) if Dwolla, Third-Party Service Provider or any Third-Party Data Provider reasonably believes that you have breached your obligations under this Open Banking Services Agreement.  In the case of (b), you acknowledge that Dwolla, Third-Party Service Provider or its Third-Party Data Provider(s) will have the right to refuse (or cease to allow) access to, or to require you to refuse (or cease to allow) access to a subcontractor as necessary to comply with  third-party oversight or other risk management obligations under Applicable Law. Any list of subcontractors provided pursuant to this provision shall be your Confidential Information.

Exhibit D
Third-Party Data Provider Terms

  1. EULA
    (A) End User Access. You must ensure, prior to any access or use of the Open Banking Services, each End User’s agreement to minimum end user terms and conditions governing such End User’s use and access to the Open Banking Services in the form of an end user license agreement governing such End User’s use of the Open Banking Services that is substantially equivalent to and includes terms at least as protective of Dwolla, Third-Party Service Provider, and Third-Party Data Provider as those minimum end user terms and conditions as detailed in the Open Banking Services End User Terms and Conditions (“EULA”) (set forth at https://www.dwolla.com/legal/open-banking-end-user-terms) and incorporated herein by reference. You are responsible for all activity that occurs in your End User accounts and for your End User’s compliance with this Open Banking Services Agreement and the EULA.
    (B) Updates. Dwolla and Third-Party Service Providers may amend and supplement the EULA at any time during the Term by providing notice to you, either directly or through Dwolla. You will have thirty (30) days from receipt of such notice to update your EULA to reflect such amendment or supplement, or as otherwise provided for by Dwolla and/or Third-Party Service Providers.
    (C) Your specific Terms. You must update the EULA, based on your specific use case, to: (i) accurately set forth what data, including all compilations, aggregations, and combinations of the same, is collected, how collected data will be used, and how collected data will be accessed, shared, exchanged, or sold; (ii) provide clear and conspicuous disclosures to all End Users and prospective End Users, segregated from other material, and present in valid and enforceable terms and conditions, sufficient to comply with Applicable Law regarding the collection, use, and sharing described, including Anonymous & Aggregated Data; (iii) identify or disclose to each End Users any and all categories of third parties to whom End User Data may be provided or how End User Data will be used, assessed, received, stored, shared, sold, or processed; and (iv) describe how the End User Data will be protected in the event that you cease operating as a going concern or otherwise cease to make available your application and/or mobile website to End Users, describing how End User Data in your possession or control will be safeguarded, deleted, and purged in such circumstances.  A reference to your privacy policy is included in Section 2 of the EULA.  If your privacy policy does not cover the items set out in this Section 1(C), or meet the EULA requirements set out in this Open Banking Services Agreement, you agree to update the EULA or otherwise provide the information required by this Open Banking Services Agreement to each of your End Users and obtain their agreement to such by express consent.

  2. DATA REQUIREMENTS. You will provide to Third-Party Service Provider, either directly or through Dwolla, as determined by Third-Party Service Provider, information regarding your data requirements, which Third-Party Service Provider may disclose to Service Provider(s) and/or Third-Party Data Providers, who, in the event Confidential Information is being shared, are under written confidentiality obligations with Third-Party Service Provider consistent with those set out in this Open Banking Services Agreement, in order to facilitate its provision of the Open Banking Services. You shall not charge End User any fees that identify, or are identifiable to, Dwolla, Third-Party Service Provider, any Service Provider(s), Third-Party Data Provider, or to End User’s use of the Open Banking Services. 

  3. API MONITORING. Dwolla, Third-Party Service Provider, Service Provider(s) and/or Third-Party Data Providers, as applicable, have the right to monitor any and all use of the Open Banking Services and Third-Party Data Provider connections to the Open Banking Services (including frequency of access and types of data received) without notice to you or your personnel.

  4. DATA HOSTING. You may only host and/or store End User Data and any Third Party Data Provider confidential Information you receive from locations within the United States unless otherwise approved in advance and in writing by Third-Party Service Provider and/or applicable Third-Party Data Providers. 

  5. DATA USE AND CREDENTIALS.
    (A) End User Consent.
              (i) Credentials.  Except as otherwise expressly permitted in this Open Banking Services Agreement, you shall not, and you shall not permit or enable any third party or service provider to collect, store, or use any End User bank account credentials as part of their integration with the Open Banking Services, or access to any data relating to an End User that you know or have reason to believe was procured via screen scraping.  Before accessing the Open Banking Services, you must stop using and Destroy any End User bank account credentials you hold. Upon Dwolla’s and/or Third-Party Service Provider’s request, you must certify and provide reasonable verification that you have Destroyed such data and that you do not have any End User bank account credentials.
         (ii) Previously Collected Data. Prior to accessing the Open Banking Services, you shall delete any End User data which was not obtained in accordance with the terms of this Open Banking Services Agreement or through a provider with a valid agreement with the applicable Third-Party Data Provider.
         (iii) Deletion of End User Data. You shall delete or anonymize End User Data (i) as required by Privacy Laws, (ii) upon request by an End User or (iii) upon notification of a deletion request from Third-Party Service Provider.  If you access or retain End User Data that is not expressly consented to by the End User, you shall promptly delete such End User Data. To the extent permitted under Applicable Law, you may retain Nonpublic Personal Information for the period reasonably necessary to provide the services requested by the applicable End User or as otherwise required by Applicable Law. Upon termination of this Open Banking Services Agreement for any reason, you shall Destroy all End User Data in accordance with your retention policies, unless you have permission from the applicable End User to retain such End User Data, you continue to maintain appropriate technical and organizational safeguards for such End User Data and such retention is not prohibited under Applicable Law. Within sixty (60) days following termination of this Open Banking Services Agreement you must certify and provide verification to Dwolla and/or Third-Party Service Provider that you have complied with the deletion requirements of this Section 5(A)(iii).
    (B) End User Data.  With respect to End User Data made available through the Open Banking Services from Third-Party Data Provider, you will not, nor will you attempt to or otherwise enable a third party to: (i) use, disclose or process the End User Data to target market products or services to End Users that are directly competitive to those offered by any Third-Party Data Provider, by using such End Users’ status as a customer of a Third-Party Data Provider as criteria; (ii) use any information obtained through the Open Banking Services, including, without limitation, any APR, APY, credit limit or any other information contained in the End User Data to ascertain confidential or proprietary information of any Service Provider or any Third-Party Data Provider, including, without limitation, credit models, credit algorithms, and other business processes and calculations not available to the public. Further, you shall not, and shall not allow any third party to, collect, use, or retain any historical APR, APY, or or credit information once updated values have been received via the Open Banking Services ;  (iii) sell, transfer or rent Nonpublic Personal Information to marketers or any other third party; (iv) use End User Data or Nonpublic Personal Information for marketing purposes, including, without limitation, cross-selling or targeted advertising, unless you obtain Dwolla or Third-Party Service Provider’s prior express written consent, as applicable, express consent from the applicable End User for such use and such use is in strict compliance with Privacy Laws; (v) combine Nonpublic Personal Information relating to an End User with data relating to other End Users or with data obtained from third parties or other sources with the intent of extracting unconsented data or unauthorized data; (vi) Process End User’s bank credentials other than as required to access or use the Open Banking Services, as authorized by End User, as permitted by Third-Party Service Provider, and as permitted under Privacy Laws; (vii) process any Nonpublic Personal Information, or access or use the Open Banking Services, other than in strict compliance with Privacy Laws; or (viii) process any Nonpublic Personal Information, or access or use the Open Banking Services, in any manner that would be a breach of contract or agreement between Dwolla and Third-Party Service Provider and End User and Third-Party Service Provider.
    (C) Suspension of Access. A Third-Party Data Provider may immediately limit, suspend, or terminate your access to such Third-Party Data Provider’s End User Data (i) in the event of a material financial or reputational risk to such Third-Party Data Provider; (ii) in the event of a Security Incident or a threat that affects the stability, security and integrity of the Third-Party Data Provider’s End User Data or systems; (iii) if such Third-Party Data Provider reasonably believes that you are in breach of the data protection and security requirements; or (iv) for any other reason in Third-Party Data Provider’s sole discretion, including, without limitation, if reasonably necessary to avoid violating Applicable Law or regulatory guidance.
    (D) FCRA. In addition to the restrictions set forth in this Open Banking Services Agreement, you shall notify Third-Party Service Provider and/or Dwolla, as applicable, as legally permitted and practicable of any regulatory investigation initiated by any regulator with jurisdiction over you involving FCRA.  You will not use the End User Data as a factor in establishing an individual’s eligibility for credit, insurance, employment or any government license or benefit, to take any “adverse action” (as defined in the FCRA), or in any manner that would cause Third-Party Service Provider, any Third-Party Data Provider or the End User’s applicable financial institution, to be deemed a “furnisher” as the term is defined in the FCRA.  If Third-Party Service Provider or its third-Party Data Providers reasonably determine that your use of End User Data may reasonably cause Third-Party Service Provider or its Third-Party Data Providers to be deemed a “furnisher”, Third-Party Service Provider may terminate this Open Banking Services Agreement upon notice to you in writing by certified or registered mail, a nationally recognized overnight courier service or, where specified, via email.  Notices shall be deemed to have been received (i) on the date delivered if by a recognized overnight courier, fees prepaid; (ii) on the date received, if by registered or certified mail (fees prepaid, return receipt requested); (iii) or in the case of email, on the day the email is sent if sent during normal business hours, or, if not, on the subsequent business day.

  6. COMPLIANCE; AUDITS
    (A) In addition to the audit set out in Section 6.3 of the Open Banking Services Agreement, during the Term of the Open Banking Services Agreement and for one year thereafter, you will, upon reasonable advance written notice from Third-Party Service Provider and/or Dwolla, (i) permit Third-Party Service Provider, through its internal and external auditors or those of any Third-Party Data Provider, to audit, review and inspect (A) your books, records, and other documents, including security logs, and (B) your systems, networks, and facilities (an “Audit”), or (ii) provide to Dwolla, Third-Party Service Provider or any Third-Party Data Provider a written attestation of your compliance with the terms and conditions of this Open Banking Services Agreement governing the Processing of End User Data, the prompt reporting of all Security Incidents, and obligation to refrain from re-identifying or attempting to re-identify any aggregated or de-identified End User Data (an “Attestation”).
    (B) All Audits will be conducted for the sole and exclusive purposes of confirming your compliance with the data handling and security terms and conditions of this Open Banking Services Agreement, and will occur during regular business hours, at Dwolla’s, Third-Party Service Provider’s or an applicable Third-Party Data Provider’s sole cost and expense, and, except following the occurrence of a Security Incident, no more frequently than once per year. You agree to reasonably cooperate with any Audit performed pursuant to this Section 6 and must promptly take all actions necessary to remediate any material deficiencies and non-compliance discovered as a result of any Audit or Attestation.
    (C) Information Security Audits. At least annually during the Term, you must have a certified independent public accounting firm or another independent, certified, industry-recognized third party: (i) conduct a review or assessment and provide a full attestation, review, or report under SOC 2 Type II or an equivalent assessment framework such as ISO 27001 (or, such reasonably comparable standard acceptable to Third-Party Service Provider in its reasonable sole discretion) of all your systems and operational controls used by you to access the Open Banking Services or access, store, or process any End User Data; and (ii) conduct and provide a full report of an independent network and application penetration test. 
    (D) You must provide copies of all such reports and the results of any testing to Dwolla and Third-Party Service Provider (each, an “Attestation”).
    (E) All Attestations and the results of any of your Audits will be considered your Confidential Information; provided, however, that Dwolla, Third-Party Service Provider and/or Service Providers may disclose copies of the same to any Third-Party Data Provider at their sole discretion, provided such Third-Party Data Provider is bound by written obligations of confidentiality which are in no event less than a reasonable standard of care.
    (F) Government Audits. Nothing in this Exhibit D is or will be construed as limiting the rights of any governmental or regulatory authority to conduct audits or investigations. You acknowledge that Dwolla and Third-Party Service Provider intend to fully comply with all governmental and regulatory authorities of Dwolla, Third-Party Service Provider and Third-Party Data Provider, including with respect to any law enforcement or judicial investigations, and that in connection with the foregoing, Dwolla and Third-Party Service Provider may disclose the identity of, and any information transmitted or received by, persons accessing the Open Banking Services. You agree to fully cooperate with any audits or investigations conducted by a governmental or regulatory authority pursuant to Applicable Law.
    (G) Data Protection Audits. 
        (i) You are audited/assessed at least annually by internal auditors and/or accredited external auditors/auditing firms on various components of your enterprise and platforms in accordance with industry best practices.  At least annually, you shall provide Dwolla and Third-Party Service Provider with an audit report, issued by an independent third-party auditor, demonstrating your compliance with Privacy Laws and your related obligations under this Open Banking Services Agreement (each a “Data Protection Audit Report”). In addition you shall make available to Dwolla and Third-Party Service Provider all information reasonably requested by Dwolla and Third-Party Service Provider required pursuant to Dwolla’s or Third Party Service Provider’s risk assessment policy, as applicable.  Notwithstanding the foregoing, you will not provide a copy of your internal risk assessment to Dwolla or Third-Party Service Provider.  Dwolla and Third-Party Service Provider shall treat all such Data Protection Audit Reports as your Confidential Information and shall not use the Data Protection Audit Reports for any other purpose.  Notwithstanding the foregoing, Dwolla and Third-Party Service Provider may disclose copies of the same to Third-Party Data Provider(s) in their sole discretion, provided that such Third-Party Data Providers are subject to a confidentiality agreement with Dwolla, Third-Party Service Provider, or Service Provider(s) that binds such Third-Party Data Provider to maintaining the confidentiality of your Confidential Information consistent with the confidentiality provisions of this Open Bank Services Agreement.
        (ii) In the event of (a) a Security Incident or (b) Dwolla or Third-Party Service Provider, in each of their sole and reasonable discretion, determine that a Data Protection Audit Report you provide fails to adequately demonstrate your compliance with Privacy Laws or  your related obligations under this Open Banking Services Agreement, you shall upon Dwolla’s or Third-Party Service Provider’s reasonable written request, make available to Dwolla or Third-Party Service Provider, as applicable, all reasonably required information necessary to demonstrate compliance with your obligations under the Privacy Laws and your related obligations under this Open Banking Services Agreement, and allow for (and contribute to) audits, including inspections conducted by Dwolla or Third-Party Service Provider or another auditor under the instruction of Dwolla or Third-Party Service Provider, subject to the following:
           a. Such audits, including inspections, shall begin upon not less than 15 days’ notice except in the event of a Security Incident, provided that the audit will (i) not disrupt your business; (ii) be conducted during business hours; (iii) not interfere with the interest of your other customers; and (iv) not exceed a period of two successive business days.
           b. Dwolla, Third-Party Service Providers (or their third party auditors, respectively) will comply with your relevant security policies and appropriate confidentiality obligations as set out in this Open Banking Services Agreement.
           c. You will contribute to the audit by providing Dwolla or Third-Party Service Provider, as applicable, with reasonable assistance; and
           d. Notwithstanding anything hearing to the contrary, physical or logical access to your computer systems will not be permitted, and you will not be required to display or otherwise disclose any confidential information of any third party or any information that could jeopardize the security or integrity of your computer systems.
    (H) Notwithstanding anything to the contrary, upon written request, you will provide information reasonably needed to demonstrate compliance with the obligations in this Exhibit D and Privacy Laws.

 

Exhibit E

Dwolla Terms and Conditions for Plaid Open Banking Services and Products

 

The Dwolla Terms and Conditions for Plaid Open Banking Services and Products (“Open Banking Services Exhibit - Plaid”) applies to your use of the Open Banking Services provided to you through Plaid Inc. (“Plaid”). Hereinafter “you” “your” or “Client” means the Client and “us” “we” “our” or “Dwolla” refers to Dwolla, Inc. (protecting Plaid).

Dwolla may amend this Open Banking Services Exhibit - Plaid at any time by providing notice to you. Notice may be provided to you on www.dwolla.com, on any other website maintained by Dwolla, by email or by any other reasonable means. The amended Open Banking Services Exhibit - Plaid is effective when posted or as of the date indicated, and your continued use of the Open Banking Services constitutes your acceptance of any amended Open Banking Services Exhibit - Plaid.

For purposes of this Open Banking Services Exhibit - Plaid, Third-Party Service Provider or Third-Party Service Providers, as referenced in the Open Banking Services Agreement, refers to Plaid Inc. In addition, for the sake of clarity and for purposes of this Open Banking Services Exhibit - Plaid, any reference in the Open Banking Services Agreement to Exhibit B will be to this Exhibit E instead and Exhibits C and D of the Dwolla Open Banking Services Agreement do not apply to your use of the Open Banking Services provided to you through Plaid.

Definitions:

“Anonymous & Aggregated Data” means End User Data and information that is anonymized and aggregated with similar data and information to the extent that the original End User Data and information is no longer attributable to Dwolla, Plaid, you, or to any specific End User.

“Balance Check” means an Open Banking Service ordered by you that you can use to periodically gather account balances in an account without collecting transaction data. Account types accessed include depository accounts. You can retrieve these account balances using an API request to help ensure your End Users have the appropriate funds.

“Customer” means your end user that has opened a Customer Account.

“Customer Account” means an account that has been opened by an End User through the Dwolla Platform Services (as defined in the Dwolla Platform Agreement) through your Application and that you manage through your Application.

“End User” or “End Users” in addition to the definition of End Users in Section 1 below, End User means an individual who is a Customer who is at least 18 years old and a resident of the United States or a Receive-Only User who is authorized by you to use or access the Open Banking Services and who has (i) been supplied an identification and password by you or at your direction or (ii) for whom a unique user record is created by or authorized to be created by you within the Open Banking Services.

“End User Data” means End User’s login, password, any other authentication information required by you or an End User’s third-party financial institution, and any End User transaction data.

“Instant Account Verification (without identity check)” means an Open Banking Service ordered by you that accesses financial account information, including account and routing numbers, for direct deposit accounts such as checking, savings, and money market accounts.

“Nonpublic Personal Information” means personally identifiable financial information as defined under Regulation P, 12 C.F.R. 216, or the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., or information otherwise considered privileged, confidential, private, nonpublic or personal given protected status under applicable law.

“Open Banking Services” means Instant Account Verification, Balance Check, and the other products and services ordered by you through an Ordering Document to which these terms apply and are made available by Plaid through its online, web-based application or mobile components via designated websites, IP addresses, application programming interface(s), or other means.

“Receive Only User” means an individual who is a resident of the United States and is at least 13 years old and has obtained parental permission if under 18 to receive funds that uses the payment services you offer through your website and/or mobile application who may only receive payments and does not create a Dwolla account.

"Third-Party Data Provider” means any third-party entity, including financial institutions, which provides End User Data or other data to Dwolla or Dwolla’s technology providers for use in the Open Banking Services.

"Your Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with you. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

  1. Restrictions. Unless Plaid specifically agrees otherwise in writing, you will not, and will not enable or assist any third-party to: (i) attempt to reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Plaid services described at https://www.plaid.com ("Plaid Services"); (ii) modify, translate, or create derivative works based on the Plaid Services; (iii) make the Plaid Services or information and data of your end users ("End Users") provided to you via the Plaid Services (such information and data, the "Plaid- Provided Data") or any derivative work thereof available to, or use the Plaid Services or Plaid-Provided Data (or any derivative work thereof) for the benefit of, anyone other than you or End Users; (iv) sell, resell, license, sublicense, distribute, rent, or lease any Plaid Services or Plaid-Provided Data (or any derivative work thereof) to any third-party, or include any Plaid Services or Plaid-Provided Data (or any derivative work thereof) in a service bureau, time-sharing, or equivalent offering; (v) publicly disseminate information from any source regarding the performance of the Plaid Services or Plaid-Provided Data; or (vi) attempt to create a substitute or similar service through use of, or access to, the Plaid Services or Plaid-Provided Data. You will use the Plaid Services and Plaid-Provided Data only in compliance with: (a) your application, use case, and other restrictions agreed between Plaid and Dwolla; (b) the Plaid developer policies (available at https:// www.plaid.com/legal); (c) Plaid's applicable technical user documentation (available at https://www.plaid.com/docs); and (d) any agreements between you and End Users (for clarity, including any privacy policy or statement). Notwithstanding anything to the contrary, as between Plaid and you, you accept and assume all responsibility for complying with all applicable laws and regulations in connection with your activities involving any Plaid Services, Plaid-Provided Data, or End User data. You acknowledge and agree that: (I) Plaid is neither a "consumer reporting agency" nor a "furnisher" of information to consumer reporting agencies under the Fair Credit Reporting Act ("FCRA"); and (II) the Plaid- Provided Data is not a "consumer report" under the FCRA. You represents and warrants that it will not, and will not permit or enable any third party to, use the Plaid Services (including Plaid-Provided Data) as a or as part of a "consumer report" as that term is defined in the FCRA, or otherwise use the Plaid Services (including Plaid-Provided Data) such that the Plaid Services (including Plaid-Provided Data) would be deemed "consumer reports" under the FCRA. Notwithstanding anything to the contrary, you will be bound by, and will only use the Plaid Services and Plaid-Provided Data in compliance with, the terms and conditions set forth in this agreement.
  2. Secondary Investors. If applicable and agreed to by you and Dwolla, and subject to this Section 2 (Secondary Investors), you may request that Plaid or Dwolla disclose Plaid- Provided Data or a Dwolla product or service including or incorporating Plaid-Provided Data (collectively, the "Shared Data") to your Secondary Investors. "Secondary Investor" means a third-party investor or purchaser of a financial product originated by you and provided to an End User (e.g., a loan), with which investor or purchaser Plaid maintains a separate technical integration.

        (i) You represent and warrant to Plaid that, before disclosure of Shared Data to any Secondary Investor, you will provide and obtain all required (including under applicable law) notices and consents from the applicable End User with respect to disclosure of Shared Data to such Secondary Investor by Plaid or Dwolla.
       (ii) Notwithstanding anything to the contrary: (a) as between Plaid and you, solely you are responsible for its relationships with Secondary Investors and with Dwolla, including any related billing matters, technical support, or disputes; (b) you will enter into legally binding written agreements with each Secondary Investor that are consistent with this Section 2 (Secondary Investors) and all applicable terms and conditions of this Open Banking Services Exhibit - Plaid (Dwolla Terms and Conditions for Plaid Open Banking Services and Products), including Section 1 (Restrictions); and (c) as between Plaid and you, you will remain responsible for the Secondary Investors' compliance with all of the terms and conditions of this Open Banking Services Exhibit - Plaid (Dwolla Terms and Conditions for Plaid Open Banking Services and Products) (including terms relating to use of Plaid- Provided Data or Shared Data).
       (iii) As between Plaid and you, you will be fully liable for: (a) any breach by you of this Section 2 (Secondary Investors); (b) any acts or omissions of Secondary Investors; and (c) any dispute arising among you, Dwolla, Secondary Investors, and/or End Users relating to the disclosure or use of Shared Data as contemplated in this Section 2 (Secondary Investors).
  3. Privacy and Authorizations. Before any End User engages with Dwolla products or services which include, are derived from, or incorporate the Plaid Services, you warrant and will ensure that you provide all notices and obtain all consents required under applicable law to enable Plaid to process End User data in accordance with Plaid's privacy policy (currently available at https://www.plaid.com/privacy). You will not: (i) make representations or other statements with respect to End User data that are contrary to or otherwise inconsistent with Plaid's privacy policy; or (ii) interfere with any independent efforts by Plaid to provide End User notice or obtain End User consent.
  4. DISCLAIMER; ENFORCEMENT. THE PLAID SERVICES, PLAID-PROVIDED DATA, AND ANY OTHER INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND MATERIALS PROVIDED BY PLAID IN CONNECTION WITH THIS OPEN BANKING SERVICES EXHIBIT - PLAID ARE PROVIDED "AS IS." TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, OR DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE SERVICES ARE FREE FROM DEFECTS. WITHOUT LIMITING THE FOREGOING IN THIS SECTION 4 (DISCLAIMER; ENFORCEMENT), NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, OR DISTRIBUTORS MAKE ANY REPRESENTATION OR WARRANTY AS TO THE PLAID-PROVIDED DATA THAT MAY BE OBTAINED FROM USE OF THE PLAID SERVICES OR THAT ANY PLAID SERVICES WILL BE UNINTERRUPTED, OR THAT ANY DATA PROVIDED BY OR THROUGH ANY PLAID SERVICES WILL BE TIMELY, ACCURATE, OR COMPLETE. PLAID WILL BE AN INTENDED THIRD- PARTY BENEFICIARY OF THE AGREEMENT BETWEEN DWOLLA AND YOU AND MAY DIRECTLY ENFORCE SUCH AGREEMENT AGAINST YOU, WITHOUT DWOLLA'S CONSENT OR PARTICIPATION, BUT SOLELY RELATING TO THE PLAID-PROVIDED DATA (INCLUDING FI DATA) AND PLAID SERVICES THAT ARE PROVIDED BY PLAID TO DWOLLA OR YOU.
  5. FI Data. Through the Open Banking Services or Plaid Services, you may have access to information about or of End Users provided to Plaid by a bank, financial institution, or other data source (each, as designated by Plaid, "Fl", and such information, the "FI Data").

    (i) Your Obligations.
      (A) End User Consents. You will provide all notices to, and obtain all express consents from, each End User as required under applicable laws in connection with your use, storage, and other processing of any FI Data (such notices and consents, the "Express Consents"). Express Consents will: (A) be clear and conspicuous; (B) generally specify the categories of FI Data that you will receive and how you will use, store, and otherwise process FI Data; (C) b valid, enforceable, and expressly accepted by each End User; (D) identify any and all third parties or categories of third parties to whom End Client may provide FI Data for processing; (E) specify how End Users may exercise their right to revoke their Express Consent; and (F) include any other required disclosures under applicable laws. You will maintain records (which may include technical logs, screenshots, versions of Express Consents obtained) sufficient to demonstrate your compliance with this Section 5(i)(a) (End User Consents) and will promptly provide such records to Plaid upon request.

      (B) Scope of Access. You will only access FI Data for which you have obtained Express Consents from the End User for the use case reviewed and permitted by Plaid in writing and consented to by the applicable End User (such use case, the "Permitted Use Case"). For clarity, key factors Plaid will consider during its review of a potential Permitted Use Case include whether the use case is appropriate and useful to provide the End User with your application that the End User has enrolled in, whether your application provides a direct benefit to the End User, whether the use case directly supports the development of new or improved product features for the benefit of End Users, and the jurisdiction(s) in which you operate and/or store FI Data. If you possess FI Data that exceeds the scope of the End User's Express Consents, you will use industry-standard means to permanently and securely delete ("Delete") such FI Data; provided that you may retain such FI Data to the extent required by applicable laws. If you become aware that any data you receive from Plaid does not relate to the End User that you originally requested FI Data for, you will promptly notify Plaid and will Delete such data.

      (C) Data Use. You will use, store and otherwise process FI Data solely in accordance with the End User's Express Consents and applicable laws

      (D) Data Disclosure. You will not disclose, transfer, syndicate or distribute FI Data to any third party (including its Permitted Service Express Consent and in accordance with applicable laws. Notwithstanding anything to contrary, you will not sell FI data.

      (E) Data Deletion. You will promptly Delete any FI Data upon request by the applicable End User; provided that you may retain copies of FI Data solely to the extent required by applicable laws.

      (F) No Attribution. You will not charge End Users any fees attributable to an FI for (a) access to its FI Data or (b) use of End User's account with an FI in connection with the End Client application. In addition, you will not suggest or imply a partnership, sponsorship, or other relationship with an FI based on your receipt of FI Data under the Open Banking Services Agreement or this Section 5 (FI Data).

      (G) No Other Access. During the term of the Open Banking Services Agreement, you will only access FI Data through the Plaid Services or another manner that uses the FI's authorized APIs. You will not "screen scrape" data from Fls or collect an End User's log- on credentials for FI accounts, and will not otherwise knowingly obtain from a third party FI Data that was originally sourced through screen scraping an FI. You will immediately Delete any such End User log-on credentials in its possession. You will maintain records to demonstrate compliance with this Section 5(i)(g) (No Other Access). For the avoidance of doubt, nothing in this Section 5(i)(g) (No Other Access) will prohibit you from engaging any third party to obtain services similar to the Plaid Services, provided that such third-party services enable End Client's access to FI Data solely via the FI's authorized APIs.

      (H) Compliance with Laws. You will comply with all applicable privacy, security, and other laws pertaining to FI Data. You will not use, store, disclose, or otherwise process any FI Data for any purpose not permitted under applicable laws. For the avoidance of doubt, you acknowledge that Section 1033 of the Dodd-Frank Act may include obligations on you relating to processing, handling and protecting FI Data. You will maintain a program designed to ensure compliance with applicable laws, including appropriately training your personnel.

      (I) Information Security Program. You will maintain a comprehensive written information security program approved by your senior management ("Infosec Program"). The Infosec Program will include administrative, technical and physical measures designed to: (a) ensure the security of FI Data, (b) protect against unauthorized access to or use of FI Data and anticipated threats and hazards to FI Data and (c) ensure the proper disposal of FI Data. The Infosec Program will be appropriate to your risk profile and activities, the nature of your application, and the nature of the FI Data received by you. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices, such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002, and will comply with applicable laws. You will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware, and other malicious code in your application or on your systems.

      (J) Security Breach Obligations. You will notify Dwolla and Plaid promptly (and in any event within twelve (12) hours) via an email to security@plaid.com, following you becoming aware of any Security Breach, providing a description of all known facts, the types of End Users affected, and any other information related to such Security Breach that Plaid and/or Dwolla may reasonably request. You will reasonably cooperate with Plaid and/or Dwolla in investigating and remediating Security Breaches. You will be responsible for the costs of investigating, mitigating, and remediating the Security Breach. "Security Breach" means any event that compromises your application or your systems or that does or reasonably could compromise the security, integrity or confidentiality of FI Data or result in the unauthorized use, disclosure, or loss of FI Data.

      (K) FI Confidential Information. If Plaid discloses to you any confidential or proprietary materials of an FI pertaining to the provision of FI Data hereunder (such materials, "FI Confidential Information"), such materials will be subject to the same obligations that apply to Dwolla's Confidential Information under the Open Banking Services Agreement, which will in no event be less protective of such information than a reasonable standard of care. FI Confidential Information will also be subject to the same obligations as FI Data under this Section 5(i) (End Client Obligations). You will promptly Delete FI Confidential Information in your possession upon Plaid’s request and will provide a written certification regarding such Deletion.

      (L) Oversight and Cooperation. Toward assessing your material compliance with this Section 5 (FI Data), you will promptly provide all reasonably necessary information and cooperation requested by Plaid, an FI, or any entity with examination, supervision, or other legal or regulatory authority over Plaid or an FI. In the event that Plaid has a good faith reason to believe that you are not in material compliance with this Section 5 (FI Data), Plaid will notify you and, upon Plaid's request, you will promptly provide sufficient documentation to demonstrate such material compliance. If the documentation provided by you in accordance with the immediately prior sentence is insufficient (in Plaid's reasonable discretion) to demonstrate such material compliance, you will submit to a third-party audit by a firm selected by you from a list of audit firms reasonably approved by Plaid to verify such compliance. Plaid and FIs may also conduct technical or operational assessments of you, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.

     (M) Information Sharing. Where required by an FI or relevant to your access or use of FI Data from that FI, Plaid may share with such FI certain information related to your compliance with this Section 5 (FI Data), including with respect to your Infosec Program. Plaid will use commercially reasonable efforts to require that such FI treat any such information in a confidential manner.

     (N) Insurance. You will maintain insurance coverage appropriate to your risk profile and activities, the nature of your application, and the nature of the FI Data received by you; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.

     (O) Access Frequency. The parties acknowledge that as of the effective date of the Open Banking Services Agreement, no guidelines regarding your frequency of "batch" pulls of FI Data (such guidelines, the "Guidelines") apply to Plaid end clients. Notwithstanding the foregoing in this paragraph: (1) You will comply with any Guidelines provided in writing by Plaid (including via Dwolla); and (2) Plaid and Dwolla may enforce such Guidelines to the extent necessary in accordance with Plaid's standard practices, which may include throttling, suspension or termination of your access.

     (P) Your Marks License.  You hereby grant to Palid, each FI (and each of their third-party service providers), and Dwolla the non-exclusive and non-transferrable right and license to use your trademarks and service marks solely in connection with consent management activities, including use associated with your facing consent management portals operated by Plaid or an FI.

    (ii) Suspension. Plaid and/or Dwolla may suspend your access to the Open Banking Services, Plaid Services or FI Data, in whole or in part, if Plaid and/or Dwolla determines or reasonably believes that: (a) there is unauthorized access to the Plaid Services and/or the Open Banking Services via your Dwolla account; (b) you have breached this Section 5 (FI Data); (c) your use of the Open Banking Services, Plaid Services or FI Data will or has materially violated the Open Banking Services Agreement and/or an agreement between Plaid and an applicable FI; (d) your use of the Open Banking Services, Plaid Services or FI Data will or does pose a risk of material harm, including material reputational harm, to End Users, an FI, the Open Banking Services or the Plaid Services. In addition, an FI may suspend your access to FI Data with respect to such FI. Plaid will use commercially reasonable efforts to: (1) notify Dwolla prior to any suspension described in this paragraph; (2) discuss with Dwolla in good faith any such suspension; and (3) resume your access to the Plaid Services and FI Data as promptly as is practicable after the basis for such suspension is cured to Plaid's (and, as applicable, the relevant FI's) reasonable satisfaction. Unless prohibited by Applicable Law, in the event of a suspension by Dwolla, Dwolla will use reasonable efforts to provide timely notice of the suspension to you, including a description of the scope and reasons for the suspension. Such notice may occur after the suspension or restriction has occurred. Dwolla may also, in its reasonable discretion, contact any End User for Dwolla’s purposes, including fraud investigation and/or risk management purposes. If Dwolla contacts an End User for such purposes, Dwolla will notify you to the extent permissible under Applicable Law. The Parties will cooperate in good faith to remediate the reason for any suspension. Upon resolution of the issue causing the suspension, Dwolla will promptly permit you to resume using the Open Banking Services.

    (iii) Indemnity. In addition to Section 8.4 of the Open Banking Services Agreement You will indemnify, defend and hold harmless each FI, Plaid, Dwolla and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs, and expenses arising from or in connection with: (a) any Security Breach resulting in unauthorized disclosure of FI Data provided to you hereunder; or (b) your unauthorized or improper use of FI Data provided to you hereunder (including any unauthorized Data Sharing, transmission, access, display, storage, or loss). This Section 5(iii) (Indemnity) is not subject to any limitation of liabilities set forth in the Open Banking Services Agreement. Each FI is a third-party beneficiary of this Section 5(iii) (Indemnity).

    (iv) Modifications. You acknowledge that continued access to FI Data provided by certain FIs may necessitate modifications to this Section 5 (FI Data) pertaining to all applicable Plaid end clients. You will accept such modifications to continue accessing or using the Plaid Services with respect to such FIs. Plaid will use commercially reasonable efforts to notify Dwolla of the modifications and the effective date of such modifications. If you object to the modifications, your exclusive remedy is to cease any and all access and use of the Plaid Services as it relates to the applicable FI(s). Continued access to or use of such Plaid Services after the effective date of such modifications to this Section 5 (FI Data) will constitute your acceptance of such modifications.

    (v) Miscellaneous. In the event of a conflict with any other agreement or provision (including other provisions within the Open Banking Services Agreement), the terms and conditions of this Section 5 (FI Data) will govern and prevail. Capitalized terms used in this Section 5 (FI Data) and not otherwise defined will have the meanings ascribed to them in the Agreement. All provisions of this Section 5 (FI Data) will remain in force in the event of the termination or expiration of this Section 5 (FI Data), this Open Banking Services Exhibit - Plaid, or the Open Banking Services Agreement.