Harmony

    Legal

    Plaid End Client Flow-Down Terms

    Last updated: June 29, 2026

    Harmony provides certain features using data integration services from Plaid. As required by Harmony’s agreements with Plaid, the following End Client flow-down terms are incorporated by reference into Harmony’s End Client Agreement and govern your access to and use of Plaid’s services. They consist of (a) the Plaid, Inc. End Client Flow-Down Terms and (b) the Plaid Consumer Reporting Agency (CRA) End Client Flow-Down Terms, each set out below and each as amended by Plaid from time to time.

    Plaid, Inc. End Client Flow-Down Terms

    1. Restrictions

    Unless Plaid specifically agrees otherwise in writing, End Client will not, and will not enable or assist any third-party to: (i) attempt to reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Plaid services described at https://www.plaid.com (“Plaid Services”); (ii) modify, translate, or create derivative works based on the Plaid Services; (iii) make the Plaid Services or information and data of End Client’s end users (“End Users”) provided to End Client via the Plaid Services (such information and data, the “Plaid- Provided Data”) or any derivative work thereof available to, or use the Plaid Services or Plaid-Provided Data (or any derivative work thereof) for the benefit of, anyone other than End Client or End Users; (iv) sell, resell, license, sublicense, distribute, rent, or lease any Plaid Services or Plaid-Provided Data (or any derivative work thereof) to any third-party, or include any Plaid Services or Plaid-Provided Data (or any derivative work thereof) in a service bureau, time-sharing, or equivalent offering; (v) publicly disseminate information from any source regarding the performance of the Plaid Services or Plaid-Provided Data; or (vi) attempt to create a substitute or similar service through use of, or access to, the Plaid Services or Plaid- Provided Data. End Client will use the Plaid Services and Plaid-Provided Data only in compliance with: (a) the End Client application, use case, and other restrictions agreed between Plaid and Partner; (b) the Plaid developer policies (available at https://www.plaid.com/legal); (c) Plaid’s applicable technical user documentation (available at https://www.plaid.com/docs); and (d) any agreements between End Client and End Users (for clarity, including any privacy policy or statement). Notwithstanding anything to the contrary, as between Plaid and End Client, End Client accepts and assumes all responsibility for complying with all applicable laws and regulations in connection with End Client’s activities involving any Plaid Services, Plaid- Provided Data, or End User data. End Client acknowledges and agrees that: (I) Plaid is neither a “consumer reporting agency” nor a “furnisher” of information to consumer reporting agencies under the Fair Credit Reporting Act (“FCRA”); and (II) the Plaid-Provided Data is not a “consumer report” under the FCRA. End Client represents and warrants that it will not, and will not permit or enable any third party to, use the Plaid Services (including Plaid-Provided Data) as a or as part of a “consumer report” as that term is defined in the FCRA, or otherwise use the Plaid Services (including Plaid-Provided Data) such that the Plaid Services (including Plaid-Provided Data) would be deemed “consumer reports” under the FCRA. Notwithstanding anything to the contrary, End Client will be bound by, and will only use the Plaid Services and Plaid-Provided Data in compliance with, the terms and conditions set forth in this agreement.

    2. Secondary Investors

    Subject to this Section 2 (Secondary Investors), End Client may request that Plaid or Partner disclose Plaid-Provided Data or a Partner product or service including or incorporating Plaid-Provided Data (collectively, the “Shared Data”) to End Client’s Secondary Investors. “Secondary Investor” means a third-party investor or purchaser of a financial product originated by End Client and provided to an End User (e.g., a loan), with which investor or purchaser Plaid maintains a separate technical integration.

    (i) End Client represents and warrants to Plaid that, before disclosure of Shared Data to any Secondary Investor, End Client will provide and obtain all required (including under applicable law) notices and consents from the applicable End User with respect to disclosure of Shared Data to such Secondary Investor by Plaid or Partner.

    (ii) Notwithstanding anything to the contrary: (a) as between Plaid and End Client, solely End Client is responsible for its relationships with Secondary Investors and with Partner, including any related billing matters, technical support, or disputes; (b) End Client will enter into legally binding written agreements with each Secondary Investor that are consistent with this Section 2 (Secondary Investors) and all applicable terms and conditions of this Exhibit A (End Client Flow Down Terms), including Section 1 (Restrictions); and (c) as between Plaid and End Client, End Client will remain responsible for the Secondary Investors’ compliance with all of the terms and conditions of this Exhibit A (End Client Flow Down Terms) (including terms relating to use of Plaid-Provided Data or Shared Data).

    (iii) As between Plaid and End Client, End Client will be fully liable for: (a) any breach by End Client of this Section 2 (Secondary Investors); (b) any acts or omissions of Secondary Investors; and (c) any dispute arising among End Client, Partner, Secondary Investors, and/or End Users relating to the disclosure or use of Shared Data as contemplated in this Section 2 (Secondary Investors).

    3. Privacy and Authorizations

    Before any End User engages with Partner products or services which include, are derived from, or incorporate the Plaid Services, End Client warrants and will ensure that it provides all notices and obtains all consents required under applicable law to enable Plaid to process End User data in accordance with Plaid’s privacy policy (currently available at https://www.plaid.com/privacy). End Client will not: (i) make representations or other statements with respect to End User data that are contrary to or otherwise inconsistent with Plaid’s privacy policy; or (ii) interfere with any independent efforts by Plaid to provide End User notice or obtain End User consent.

    4. DISCLAIMER; ENFORCEMENT

    THE PLAID SERVICES, PLAID-PROVIDED DATA, AND ANY OTHER INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND MATERIALS PROVIDED BY PLAID IN CONNECTION WITH THIS AGREEMENT ARE PROVIDED “AS IS.” TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, OR DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE SERVICES ARE FREE FROM DEFECTS. WITHOUT LIMITING THE FOREGOING IN THIS SECTION 4 (DISCLAIMER; ENFORCEMENT), NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, OR DISTRIBUTORS MAKE ANY REPRESENTATION OR WARRANTY AS TO THE PLAID-PROVIDED DATA THAT MAY BE OBTAINED FROM USE OF THE PLAID SERVICES OR THAT ANY PLAID SERVICES WILL BE UNINTERRUPTED, OR THAT ANY DATA PROVIDED BY OR THROUGH ANY PLAID SERVICES WILL BE TIMELY, ACCURATE, OR COMPLETE. PLAID WILL BE AN INTENDED THIRD-PARTY BENEFICIARY OF THE AGREEMENT BETWEEN PARTNER AND END CLIENT AND MAY DIRECTLY ENFORCE SUCH AGREEMENT AGAINST END CLIENT, WITHOUT PARTNER’S CONSENT OR PARTICIPATION, BUT SOLELY RELATING TO THE PLAID-PROVIDED DATA (INCLUDING FI DATA) AND PLAID SERVICES THAT ARE PROVIDED BY PLAID TO PARTNER OR END CLIENT.

    5. FI Data

    Through the Partner Services or Plaid Services, End Client may have access to information about or of End Users provided to Plaid by a bank, financial institution, or other data source (each, as designated by Plaid, “FI”, and such information, the “FI Data”).

    (i) End Client Obligations.

    a. End User Consents. End Client will provide all notices to, and obtain all express consents from, each End User as required under applicable laws in connection with End Client’s use, storage, and other processing of any FI Data (such notices and consents, the “Express Consents”). Express Consents will: (A) be clear and conspicuous; (B)generally specify the categories of FI Data that End Client will receive and how End Client will use, store, and otherwise process FI Data; (C) be valid, enforceable, and expressly accepted by each End User; (D) identify any and all third parties or categories of third parties to whom End Client may provide FI Data for processing; (E) specify how End Users may exercise their right to revoke their Express Consent; and (F) include any other required disclosures under applicable laws. End Client will maintain records (which may include technical logs, screenshots, versions of Express Consents obtained) sufficient to demonstrate End Client’s compliance with this Section 5(i)(a) (End User Consents) and will promptly provide such records to Plaid upon request.

    b. Scope of Access. End Client will only access FI Data for which it has obtained Express Consents from the End User for the use case reviewed and permitted by Plaid in writing and consented to by the applicable End User (such use case, the “Permitted Use Case”). For clarity, key factors Plaid will consider during its review of a potential Permitted Use Case include whether the use case is appropriate and useful to provide the End User with the End Client application that the End User has enrolled in, whether the End Client application provides a direct benefit to the End User, whether the use case directly supports the development of new or improved product features for the benefit of End Users, and the jurisdiction(s) in which the End Client operates and/or stores FI Data. If End Client possesses FI Data that exceeds the scope of the End User’s Express Consents, End Client will use industry-standard means to permanently and securely delete (“Delete”) such FI Data; provided that End Client may retain such FI Data to the extent required by applicable laws. If End Client becomes aware that any data it receives from Plaid does not relate to the End User that End Client originally requested FI Data for, End Client will promptly notify Plaid and will Delete such data.

    c. Data Use. End Client will use, store and otherwise process FI Data solely in accordance with the End User’s Express Consents and applicable laws.

    d. Data Disclosure. End Client will not disclose, transfer, syndicate or distribute FI Data to any third party (including its Permitted Service Providers) (“Data Sharing”) except in each case with the End User’s Express Consent and in accordance with applicable laws. Notwithstanding anything to the contrary, End Client will not sell FI Data.

    e. Data Deletion. End Client will promptly Delete any FI Data upon request by the applicable End User; provided that End Client may retain copies of FI Data solely to the extent required by applicable laws.

    f. No Attribution. End Client will not charge End Users any fees attributable to an FI for (a) access to its FI Data or (b) use of End User’s account with an FI in connection with the End Client application. In addition, End Client will not suggest or imply a partnership, sponsorship, or other relationship with an FI based on End Client’s receipt of FI Data under the Partner- Client Agreement or this Section 5 (FI Data).

    g. No Other Access. During the term of the Agreement, End Client will only access FI Data through the Plaid Services or another manner that uses the FI’s authorized APIs. End Client will not “screen scrape” data from FIs or collect an End User’s log-on credentials for FI accounts, and will not otherwise knowingly obtain from a third party FI Data that was originally sourced through screen scraping an FI. End Client will immediately Delete any such End User log-on credentials in its possession. End Client will maintain records to demonstrate compliance with this Section 5(i)(g) (No Other Access). For the avoidance of doubt, nothing in this Section 5(i)(g) (No Other Access) will prohibit End Client from engaging any third party to obtain services similar to the Plaid Services, provided that such third-party services enable End Client's access to FI Data solely via the FI’s authorized APIs.

    h. Compliance with Laws. End Client will comply with all applicable privacy, security, and other laws pertaining to FI Data. End Client will not use, store, disclose, or otherwise process any FI Data for any purpose not permitted under applicable laws. For the avoidance of doubt, End Client acknowledges that Section 1033 of the Dodd-Frank Act may include obligations on End Client relating to processing, handling, and protecting FI Data. End Client will maintain a program designed to ensure compliance with applicable laws, including appropriately training End Client personnel.

    i. Information Security Program. End Client will maintain a comprehensive written information security program approved by its senior management (“Infosec Program”). The Infosec Program will include administrative, technical and physical measures designed to: (a) ensure the security of FI Data, (b) protect against unauthorized access to or use of FI Data and anticipated threats and hazards to FI Data and (c) ensure the proper disposal of FI Data. The Infosec Program will be appropriate to End Client’s risk profile and activities, the nature of the End Client application, and the nature of the FI Data received by End Client. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices, such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002, and will comply with applicable laws. End Client will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware, and other malicious code in the End Client application or on End Client’s systems.

    j. Security Breach Obligations. End Client will notify Plaid promptly (and in any event within twelve (12) hours) via an email to security@plaid.com, following End Client becoming aware of any Security Breach, providing a description of all known facts, the types of End Users affected, and any other information related to such Security Breach that Plaid may reasonably request. End Client will reasonably cooperate with Plaid in investigating and remediating Security Breaches. End Client will be responsible for the costs of investigating, mitigating, and remediating the Security Breach. “Security Breach” means any event that compromises the End Client application or End Client’s systems or that does or reasonably could compromise the security, integrity or confidentiality of FI Data or result in the unauthorized use, disclosure, or loss of FI Data.

    k. FI Confidential Information. If Plaid discloses to End Client any confidential or proprietary materials of an FI pertaining to the provision of FI Data hereunder (such materials, “FI Confidential Information”), such materials will be subject to the same obligations that apply to Partner’s Confidential Information under the Partner-Client Agreement, which will in no event be less protective of such information than a reasonable standard of care. FI Confidential Information will also be subject to the same obligations as FI Data under this Section 5(i) (End Client Obligations). End Client will promptly Delete FI Confidential Information in its possession upon Plaid’s request and will provide a written certification regarding such Deletion.

    l. Oversight and Cooperation. Toward assessing End Client’s material compliance with this Section 5 (FI Data), End Client will promptly provide all reasonably necessary information and cooperation requested by Plaid, an FI, or any entity with examination, supervision, or other legal or regulatory authority over Plaid or an FI. In the event that Plaid has a good faith reason to believe that End Client is not in material compliance with this Section 5 (FI Data), Plaid will notify End Client and, upon Plaid’s request, End Client will promptly provide sufficient documentation to demonstrate such material compliance. If the documentation provided by End Client in accordance with the immediately prior sentence is insufficient (in Plaid’s reasonable discretion) to demonstrate such material compliance, End Client will submit to a third-party audit by a firm selected by End Client from a list of audit firms reasonably approved by Plaid to verify such compliance. Plaid and FIs may also conduct technical or operational assessments of End Client, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.

    m. Information Sharing. Where required by an FI or relevant to an End Client’s access or use of FI Data from that FI, Plaid may share with such FI certain information related to End Client’s compliance with this Section 5 (FI Data), including with respect to End Client’s Infosec Program. Plaid will use commercially reasonable efforts to require that such FI treat any such information in a confidential manner.

    n. Insurance. End Client will maintain insurance coverage appropriate to End Client’s risk profile and activities, the nature of the End Client application, and the nature of the FI Data received by End Client; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.

    o. Access Frequency. The parties acknowledge that as of the effective date of the Partner-Client Agreement, no guidelines regarding End Client’s frequency of “batch” pulls of FI Data (such guidelines, the “Guidelines”) apply to Plaid end clients. Notwithstanding the foregoing in this paragraph: (1) End Client will comply with any Guidelines provided in writing by Plaid (including via Partner); and (2) Plaid and Partner may enforce such Guidelines to the extent necessary in accordance with Plaid’s standard practices, which may include throttling, suspension or termination of End Client’s access.

    p. End Client Marks License. End Client hereby grants to Plaid and each FI (and each of their third-party service providers) the non-exclusive and non-transferable right and license to use End Client’s trademarks and service marks solely in connection with consent management activities, including use associated with End User facing consent management portals operated by Plaid or an FI.

    (ii) Suspension. Plaid may suspend End Client’s access to the Plaid Services or FI Data, in whole or in part, if Plaid determines or reasonably believes that: (a) End Client has breached this Section 5 (FI Data); (b) End Client’s use of the Plaid Services or FI Data will or has materially violated an agreement between Plaid and an applicable FI; (c) End Client’s use of the Plaid Services or FI Data will or does pose a risk of material harm, including material reputational harm, to End Users, an FI, or the Plaid Services. In addition, an FI may suspend End Client’s access to FI Data with respect to such FI. Plaid will use commercially reasonable efforts to: (1) notify Partner prior to any suspension described in this paragraph; (2) discuss with Partner in good faith any such suspension; and (3) resume End Client’s access to the Plaid Services and FI Data as promptly as is practicable after the basis for such suspension is cured to Plaid’s (and, as applicable, the relevant FI’s) reasonable satisfaction.

    (iii) Indemnity. End Client will indemnify, defend and hold harmless each FI, Plaid, and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs, and expenses arising from or in connection with: (a) any Security Breach resulting in unauthorized disclosure of FI Data provided to End Client hereunder; or (b) End Client’s unauthorized or improper use of FI Data provided to End Client hereunder (including any unauthorized Data Sharing, transmission, access, display, storage, or loss). This Section 5(iii) (Indemnity) is not subject to any limitation of liabilities set forth in the Partner-Client Agreement. Each FI is a third-party beneficiary of this Section 5(iii) (Indemnity).

    (iv) Modifications. End Client acknowledges that continued access to FI Data provided by certain FIs may necessitate modifications to this Section 5 (FI Data) pertaining to all applicable Plaid end clients. End Client will accept such modifications to continue accessing or using the Plaid Services with respect to such FIs. Plaid will use commercially reasonable efforts to notify Partner of the modifications and the effective date of such modifications. If End Client objects to the modifications, its exclusive remedy is to cease any and all access and use of the Plaid Services as it relates to the applicable FI(s). Continued access to or use of such Plaid Services after the effective date of such modifications to this Section 5 (FI Data) will constitute End Client’s acceptance of such modifications.

    (v) Miscellaneous. In the event of a conflict with any other agreement or provision (including other provisions within the Partner-Client Agreement), the terms and conditions of this Section 5 (FI Data) will govern and prevail. Capitalized terms used in this Section 5 (FI Data) and not otherwise defined will have the meanings ascribed to them in the Agreement. All provisions of this Section 5 (FI Data) will remain in force in the event of the termination or expiration of this Section 5 (FI Data), the Agreement, or the Partner-Client Agreement.

    Plaid Consumer Reporting Agency (CRA) End Client Flow-Down Terms

    1. Restrictions

    Before any customers that are end users of Consumer Reports (each an “End Client”), as permissioned by the consumer that the Consumer Report (as defined below) relates to (the “End User”), engages with the Procurer products or services which include, are derived from, or incorporate the FCRA Services (as defined below) or Consumer Reports, End Client represents and warrants that it: (i) understands the nature of the information provided in the Consumer Report can change daily and agrees that each Consumer Report is provided for a one-time use; (ii) has certified that it understands and agrees that Plaid CRA’s provision of the FCRA Services do not indicate ownership or authorization to transact on a bank account and are not to be used by the End Client to confirm ownership or authorization to transact on a bank account; (iii) has certified that it shall ensure that its employees, agents, or contractors working on its behalf do not request and/or obtain Consumer Reports on themselves, coworkers, employees, family members, or friends unless it is in connection with a legitimate permissible purpose previously identified; (iv) has certified that it shall not use or store the FCRA Services outside of the United States; and (v) has certified that it shall not, and shall not enable or assist any third party to: (1) use the FCRA Services to create, enhance, or structure any database in any form for resale or external distribution; (2) modify, translate, or create derivative works based on the FCRA Services; (3) attempt to reverse engineer (except as permitted by law), decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the FCRA Services; (4) use the FCRA Services in any way that is defamatory, trade libelous, unlawfully threatening, or unlawfully harassing; (5) make the FCRA Services or Consumer Report (or any derivative work thereof) available to, or use the FCRA Services or Consumer Report (or any derivative work thereof) for the benefit of, anyone other than Procurer, End Users, or End Client; (6) publicly disseminate or disclose information from any source regarding the performance of the FCRA Services; or (7) attempt to create a substitute or similar service through use of, or access to, the FCRA Services. End Client represents and warrants that it will use the FCRA Service in accordance with (a) the rights granted under this Agreement, and (b) Plaid Inc. and its subsidiaries Developer Policy (available at www.plaid.com/legal). As used in the Agreement, FCRA Services means together (I) the API Package and (II) a consumer report, as is defined in 15 U.S.C. § 1681a(d), including any data relating to an End User included therein, deposit account verification and activity reports, and enhancements to the consumer reports (collectively “Consumer Reports”). Except as explicitly provided in the Agreement, the End Client agrees that it shall not disclose, disseminate, share, sublicense, resell, or otherwise redistribute the FCRA Services (or any part thereof) to any parent, subsidiary, affiliate, or other third party, except: (x) in connection with the sale of a loan to which the FCRA Services relate; (y) to the End User to whom the Consumer Report relates if an adverse action (as defined by the FCRA) has been taken based on the FCRA Services; or (z) as otherwise required by law.

    2. Permissible Purpose

    End Client warrants and ensures that it will, before requesting a Consumer Report: (i) certify to Procurer the End Client’s permissible purpose(s) under the FCRA for obtaining a Consumer Report; (ii) each time it requests a Consumer Report from Procurer, access and use the Consumer Report (a) solely as an end user of such information and (b) solely for the permissible purpose(s) previously identified to Procurer and for no other purpose; and (iii) notify Procurer and Plaid CRA in writing of any change to the permissible purpose certified previously to Procurer and provide to Plaid CRA from time to time, as reasonably necessary to maintain compliance with the FCRA, an updated certification regarding the permissible purpose(s) for using Consumer Reports, or evidence of compliance with the terms of these CRA Terms upon Plaid CRA's request. Towards assessing End Client’s compliance with its permissible purpose(s) certification and use of Consumer Reports, End Client will submit to an audit by Plaid CRA to verify such compliance.

    3. Required Consents

    End Client warrants and ensures that it will, before requesting a Consumer Report, provide all notices and obtain all consents required under applicable laws, regulations, and third-party agreements for Plaid CRA to provide the FCRA Services and to otherwise collect, use, and process End User data (including End User Input (as defined below)) in accordance with Plaid CRA’s privacy policy (currently available at https://plaid.com/plaid-check-consumer-report/privacy-policy/). End Client may provide Plaid CRA, directly or indirectly via Procurer, certain identifying information regarding an End User, such as first name, last name, and address, to use the FCRA Services (all such information, the “End User Input”).

    4. Retention of Documents

    All consumer authorizations required by the Agreement or by applicable law, along with all adverse action letters provided to consumers and consumer applications, including copies of government-issued identification needed to verify the identity of the applicant, shall be retained by End Client for a reasonable period of time, but not less than five (5) years, and evidence of such documents shall be made available for inspection by Plaid CRA, its third-party data vendors, or its designee upon demand.

    5. End User Authentication

    End Client certifies that, before requesting a Consumer Report, (i) it will verify the consumer’s identity prior to presenting the consumer with Plaid CRA’s channel, (ii) it understands that Plaid CRA may rely on this verification, and (iii) it understands and agrees that Plaid CRA has no obligation to separately authenticate or confirm the identity of any consumer presented to the Plaid CRA channel by the End User.

    6. DISCLAIMER; ENFORCEMENT

    THE FCRA SERVICES, CONSUMER REPORTS, AND ANY OTHER INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND MATERIALS PROVIDED BY PLAID CRA IN CONNECTION WITH THE AGREEMENT ARE PROVIDED “AS IS.” TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID CRA NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, OR DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE FCRA SERVICES ARE FREE FROM DEFECTS, ANY WARRANTY THAT ANY FCRA SERVICES WILL BE UNINTERRUPTED, OR THAT ANY DATA PROVIDED BY OR THROUGH ANY FCRA SERVICES WILL BE TIMELY, ACCURATE, OR COMPLETE. PLAID CRA WILL BE AN INTENDED THIRD-PARTY BENEFICIARY OF THE AGREEMENT BETWEEN PROCURER AND END CLIENT AND MAY DIRECTLY ENFORCE SUCH AGREEMENT AGAINST END CLIENT, WITHOUT PROCURER’S CONSENT OR PARTICIPATION, BUT SOLELY RELATING TO THE CONSUMER REPORTS (INCLUDING FI DATA) AND FCRA SERVICES THAT ARE PROVIDED BY PLAID CRA TO PROCURER OR END CLIENT.

    7. FI Data

    Through the Procurer Application or FCRA Services, End Client may have access to information about or of End Users provided to Plaid CRA by a bank, financial institution, or other data source (each, as designated by Plaid CRA, “FI”, and such information, the “FI Data”).

    a. End Client Obligations.

    i. End User Consents. End Client will provide all notices and obtain all express consents from each End User as required under applicable laws in connection with End Client’s use, storage and other processing of any End User Data (such notices and consents, the “Express Consents”). Express Consents will: (a) be clear and conspicuous; (b) generally specify the categories of End User Data that End Client will receive and how End Client will use, store and otherwise process it; (c) be valid, enforceable, and expressly accepted by each End User; (d) identify any and all third parties or categories of third parties to whom End Client may provide End User Data for processing; (e) specify how End Users may exercise their right to revoke their Express Consent; and (f) include any other required disclosures under applicable laws. End Client will maintain records (which may include technical logs, screenshots, versions of Express Consents obtained) to demonstrate its compliance with this Section 7(a)(i) and will promptly provide such records to Plaid CRA upon request.

    ii. Scope of Access. End Client will only access End User Data for which it has obtained Express Consents from the End User for the use case reviewed and permitted by Plaid CRA in writing that is consented to by the applicable End User (such use case, the “Permitted Use Case”). Key factors Plaid CRA will consider during its review include whether the use case is appropriate and useful to provide the End User with the End Client Application that the End User has enrolled in, whether the End Client Application provides a direct benefit to the End User, and whether the use case directly supports the development of new or improved product features for the benefit of End Users, and the jurisdiction(s) in which the End Client operates and/or stores End User Data. If End Client possesses End User Data that exceeds the scope of the End User’s Express Consents, End Client will use industry-standard means to permanently and securely delete (“Delete”) such End User Data. If End Client becomes aware that any data it receives from Plaid CRA does not relate to the End User that End Client originally requested End User Data for, End Client will promptly notify Plaid CRA and will Delete such data.

    iii. Data Use. End Client will use, store and otherwise process End User Data solely in accordance with the End User’s Express Consents and applicable laws.

    iv. Data Disclosure. End Client will not disclose, transfer, syndicate or distribute End User Data to any third party (including its Permitted Users) (“Data Sharing”) except in each case with the End User’s Express Consents and in accordance with applicable laws. Notwithstanding anything to the contrary, End Client will not sell End User Data.

    v. Data Deletion. End Client will promptly Delete any End User Data upon request by the applicable End User; provided that End Client may retain copies of End User Data solely to the extent required by applicable laws.

    vi. No Attribution. End Client will not charge End Users any fees attributable to an FI for (a) access to its End User Data or (b) use of End User’s account with an FI in connection with the End Client Application. In addition, End Client will not suggest or imply a partnership, sponsorship, or other relationship with an FI based on End Client’s receipt of End User Data under the Agreement or this Addendum.

    vii. No Other Access. End Client will only access End User Data through the FCRA Services or another manner that uses the FI’s authorized APIs. ENd Client will not “screen scrape” data from FIs or collect an End User’s log-on credentials for FI accounts, and will not otherwise knowingly obtain from a third party End User data that was originally sourced through screen scraping. End Client will immediately Delete any such End User log-on credentials in its possession. End Client will maintain records to demonstrate compliance with this Section 7(a)(vii) and will provide them to Plaid CRA upon request.

    viii. Compliance with Laws. End Client will comply with all applicable privacy, security and other laws, including, as applicable, the Gramm-Leach-Bliley Act, the California Consumer Privacy Act, and all other laws relating to End User Data. End Client will not use, store, disclose, or otherwise process any End User Data for any purpose not permitted under applicable laws. For the avoidance of doubt, End Client acknowledges that Section 1033 of the Dodd-Frank Act may include obligations on End Client relating to processing, handling, and protecting End User Data. End Client will maintain a program designed to ensure compliance with applicable laws, including appropriately training End Client personnel.

    ix. Information Security Program. End Client will maintain a comprehensive written information security program approved by its senior management (“Infosec Program”). The Infosec Program will include administrative, technical and physical measures designed to: (a) ensure the security of End User Data, (b) protect against unauthorized access to or use of End User Data and anticipated threats and hazards to End User Data and (c) ensure the proper disposal of End User Data. The Infosec Program will be appropriate to End Client’s risk profile and activities, the nature of the End Client Application, and the nature of the End User Data received by End Client. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002 and will comply with applicable laws. End Client will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware and other malicious code in the End Client Application or on End Client’s systems.

    x. Security Breach Obligations. End Client will promptly notify Plaid CRA (and in no event after more than 12 hours) upon becoming aware of any Security Breach, providing a description of all known facts, the types of End Users affected, and any other information that Plaid may reasonably request. End Client will reasonably cooperate with Plaid CRA in investigating and remediating Security Breaches. End End Client will be responsible for the costs of investigating, mitigating, and remediating the Security Breach, including costs of credit monitoring, call centers, support, and other customary or legally required remediation. “Security Breach” means any event that compromises the End Client Application or End Client’s systems or that does or reasonably could compromise the security, integrity or confidentiality of End User Data or result in its unauthorized use, disclosure or loss.

    xi. FI Confidential Information. If Plaid CRA discloses to End Client any confidential or proprietary materials of an FI (such materials, “FI Confidential Information”), such materials will be subject to the same obligations that apply to Plaid CRA’s Confidential Information under the Agreement. FI Confidential Information will also be subject to the same obligations as End User Data under this Section 7(a) (End Client Obligations) of this Addendum. End Client will promptly Delete FI Confidential Information in its possession upon Plaid CRA’s request and will provide a written certification regarding such Deletion.

    xii. Oversight and Cooperation. End Client will promptly provide all reasonably necessary information and cooperation requested by Plaid CRA, an FI, or any entity with examination, supervision, or other legal or regulatory authority over Plaid CRA or an FI. In the event that Plaid CRA has a good faith reason to believe that End Client is not in material compliance with this Addendum, Plaid CRA will notify End Client and, at Plaid CRA’s option, End Client will promptly provide sufficient documentation to demonstrate such material compliance or submit to a third-party audit by a firm selected from a Plaid CRA-approved list of audit firms to verify such compliance. Plaid CRA and FIs may also conduct technical or operational assessments of End Client, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.

    xiii. Information Sharing. Where required by an FI and to the extent relevant to an EndClient’s access or use of End User Data from that FI, Plaid CRA may share with such FI certain information related to End Client’s compliance with this Addendum, including with respect to End Client’s Infosec Program. Plaid CRA will request that such FI treat any such information in a confidential manner.

    xiv. Insurance. End Client will maintain insurance coverage appropriate to End Client’s risk profile and activities, the nature of the End Client Application, and the nature of the End User Data received by End Client; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.

    xv. Access Frequency. End Client will comply with any guidelines provided by Plaid CRA regarding End Client’s frequency of “batch” pulls of End User Data. Plaid CRA may enforce such guidelines in accordance with its standard practices, which may include throttling, suspension or termination of End Client’s access.

    xvi. End Client Marks License. End Client hereby grants to Plaid CRA and each FI (and each of their third-party service providers) the non-exclusive and non-transferable right and license to use End Client’s trademarks and service marks solely in connection with consent management activities, including use associated with End User facing consent management portals operated by Plaid CRA or an FI.

    b. Suspension. Plaid CRA may suspend or terminate End Client’s access to the FCRA Services or End User Data, in whole or in part, if it believes End Client has breached this Addendum or where End Client’s use of the FCRA Services or End User Data could violate or give rise to liability under any Plaid CRA agreement (including Plaid CRA’s agreement with any FI) or pose a risk of harm, including reputational harm, to any End User, FI, the FCRA Services, or Plaid CRA and its affiliates. In addition, an FI may suspend End Client’s access to End User Data with respect to such FI.

    c. Indemnity. End Client will indemnify, defend and hold harmless each FI, Plaid CRA, and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs and expenses arising from or in connection with: (a) any Security Breach resulting in unauthorized disclosure of End User Data or (b) End Client’s unauthorized or improper use of End User Data (including any unauthorized Data Sharing, transmission, access, display, storage or loss). This Section 7(c) is not subject to any limitation of liabilities set forth in the Agreement. Each FI is a third-party beneficiary of this Section 7(c).

    d. Modifications. End Client acknowledges that continued access to End User Data provided by certain FIs may require modifications to this Addendum, and End Client will accept such modifications to continue accessing or using the FCRA Services with respect to such FIs. Plaid CRA will use commercially reasonable efforts to notify End Client of the modifications and the effective date of such modifications through communications via End Client’s account, email, or other means. If End Client objects to the modifications, its exclusive remedy is to cease any and all access and use of the FCRA Services as it relates to such FI(s). Continued access or use of such FCRA Services after the effective date of such modifications to this Addendum will constitute End Client’s acceptance of such modifications.

    e. Miscellaneous. In the event of a conflict with the Agreement, the terms and conditions of this Addendum will govern and prevail. Capitalized terms used in this Addendum and not otherwise defined will have the meanings ascribed to them in the Agreement. All provisions of this Addendum will remain in force in the event of this Addendum’s or the Agreement’s termination or expiration.