Referral Partner, to the extent it utilizes, accesses or reviews Plaid data, shall abide by the following terms and conditions:
1. Restrictions. Referral Partner will not: (i) make the Plaid Services or information and data of any End User provided to Referral Partner via the Company, or in any other manner (such information and data, the “Plaid-Provided Data”) or any derivative work thereof available to, or use Plaid-Provided Data (or any derivative work thereof) for the benefit of, anyone other than Referral Partner or Referred Client; (ii) sell, resell, license, sublicense, distribute, rent, or lease any Plaid-Provided Data (or any derivative work thereof) to any third-party, or include any Plaid-Provided Data (or any derivative work thereof) in a service bureau, time-sharing, or equivalent offering; (iii) publicly disseminate information from any source regarding the performance of the Plaid-Provided Data; or (iv) attempt to create a substitute or similar service through use of, or access to, the Plaid-Provided Data. Referral Partner will use the Plaid-Provided Data only in compliance with: (a) the Referral Partner agreement, use case, and other restrictions imposed or agreed upon by Company. Notwithstanding anything to the contrary, Referral Partner accepts and assumes all responsibility for ensuring that Referral Partner uses the Plaid-Provided Data only in compliance with all federal, state, and other laws and regulations, including but not limited to any licensing, registration, or similar requirements, applicable to their respective activities, including but not limited to any such activities involving any Plaid-Provided Data or End User data. Referral Partner acknowledges and agrees that: (I) Plaid is neither a “consumer reporting agency” nor a “furnisher” of information to consumer reporting agencies under the Fair Credit Reporting Act (“FCRA”); and (II) the Plaid-Provided Data is not a “consumer report” under the FCRA.
Referral Partner represents and warrants that it will not, and will not permit or enable any third party to, use the Plaid-Provided Data as a or as part of a “consumer report” as that term is defined in the FCRA, or otherwise use the Plaid-Provided Data such that the Plaid-Provided Data would be deemed “consumer reports” under the FCRA. Notwithstanding anything to the contrary, Referral Partner will be bound by, and will only use the Plaid-Provided Data in compliance with, the terms and conditions set forth in this agreement.
2. FI Data. Referral Partner may have access to information about or of End Users provided to Plaid by a bank, financial institution, or other data source (each, as designated by Plaid, “FI”, and such information, the “FI Data”).
(i) Referral Partner Obligations.
a. Data Deletion. Referral Partner will promptly Delete any FI Data upon request by the applicable End User through Referred Client; provided that Referral Partner may retain copies of FI Data solely to the extent required by applicable laws.
b. Compliance with Laws. Referral Partner will comply with all applicable privacy, security, and other laws pertaining to FI Data. Referral Partner will not use, store, disclose, or otherwise process any FI Data for any purpose not permitted under applicable laws.
c. Information Security Program. Referral Partner will maintain a comprehensive written information security program approved by its senior management (“Infosec Program”). The Infosec Program will include administrative, technical and physical measures designed to: (a) ensure the security of FI Data, (b) protect against unauthorized access to or use of FI Data and anticipated threats and hazards to FI Data and (c) ensure the proper disposal of FI Data. The Infosec Program will be appropriate to Referral Partner’s risk profile and activities, the nature of the Referral Partner application, and the nature of the FI Data received by Referral Partner. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices, such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002, and will comply with applicable laws. Referral Partner will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware, and other malicious code in the Referral Partner application or on Referral Partner’s systems.
d. Security Breach Obligations. Referral Partner will notify Company promptly (and in any event within twelve (12) hours) via an email to corporate@actumprocessing.com, following Referral Partner becoming aware of any Security Breach, providing a description of all known facts, the types of End Users affected, and any other information related to such Security Breach that Company may reasonably request. Referral Partner will reasonably cooperate with Company in investigating and remediating Security Breaches. Referral Partner will be responsible for the costs of investigating, mitigating, and remediating the Security Breach. “Security Breach” means any event that compromises the Referral Partner application or Referral Partner’s systems or that does or reasonably could compromise the security, integrity or confidentiality of FI Data or result in the unauthorized use, disclosure, or loss of FI Data.
e. Oversight and Cooperation. Toward assessing Referral Partner’s material compliance with this Section 2 (FI Data), Referral Partner will promptly provide all reasonably necessary information and cooperation requested by Company. In the event that Company has a good faith reason to believe that Referral Partner is not in material compliance with this Section 5 (FI Data), Company will notify Referral Partner and, upon Company’s request, Referral Partner will promptly provide sufficient documentation to demonstrate such material compliance. If the documentation provided by Referral Partner in accordance with the immediately prior sentence is insufficient (in Company’s reasonable discretion) to demonstrate such material compliance, Referral Partner will submit to a third-party audit by a firm selected by Referral Partner from a list of audit firms reasonably approved by Company to verify such compliance. Company may also conduct technical or operational assessments of Referral Partner, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.
f. Information Sharing. Where required by Company to a Referral Partner’s access or use of FI Data, Company may share with Plaid certain information related to Referral Partner’s compliance with this Section 2 (FI Data), including with respect to Referral Partner’s Infosec Program. Company will use commercially reasonable efforts to require that Plaid treat any such information in a confidential manner.
g. Insurance. Referral Partner will maintain insurance coverage appropriate to Referral Partner’s risk profile and activities, the nature of the Referral Partner application, and the nature of the FI Data received by Referral Partner; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.
(ii) Indemnity. Referral Partner will indemnify, defend and hold harmless Company, each FI, Plaid, and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs, and expenses arising from or in connection with: (a) any Security Breach resulting in unauthorized disclosure of FI Data provided to Referral Partner hereunder; or (b) Referral Partner’s unauthorized or improper use of FI Data provided to Referral Partner hereunder (including any unauthorized Data Sharing, transmission, access, display, storage, or loss). This Section 2(ii) (Indemnity) is not subject to any limitation of liabilities set forth in the Referral Partner Agreement. Each FI is a third-party beneficiary of this Section 2(ii) (Indemnity).