SentiLink Terms & Conditions

Version 1.6; April 20, 2022

  1. These terms and conditions (“Terms and Conditions”), along with an order form that: (a) specifically refers to these Terms and Conditions; and (b) is signed by both Parties, (the “Order Form”) together comprise an agreement for services (collectively, the “Agreement”) between the customer listed in the applicable Order Form (the “Customer”) and SentiLink Corp (“SentiLink”). For the purposes of this Agreement, the terms “SentiLink” and “Customer” include all their respective Affiliates. “Affiliate” means, with respect to a party, any entity which directly or indirectly, through one or more intermediaries, is controlled by, or is under common control with such party. In consideration of the mutual covenants and promises contained in these Terms and Conditions, SentiLink and the Customer agree as follows:

  2. Placing an Order

    2.1    SentiLink offers products and services that are designed to help institutions investigate the validity of the identity of Customer’s potential customers, as listed in Exhibit A (each a “Service,” and collectively, “Services”). An order for Services must be placed using an Order Form. In the event of a conflict between the provisions of these Terms and Conditions and the provisions of an Order Form, the provisions of the applicable Order Form will control.

    2.2    The Order Form will contain a description of the type, duration and quantity of the Services being purchased, the fees payable and any implementation or other terms and conditions applying to their supply. A Service is not included in an Order Form unless it has been specifically referenced therein. An Order Form shall only be effective when signed by both parties thereto.

  3. Providing Services. The following subsections apply to the provision of any Service further described in the applicable Order Form:

    3.1    SentiLink Responsibilities. If Customer pays all applicable fees when due, SentiLink shall provide Customer with (i) access to and use of the Service in accordance with these Terms and Conditions and any then-current standard user operating instructions and requirements made available to Customer from time-to-time, including the SentiLink API documents (“Specifications”); and (ii) a license to use any Deliverables supplied hereunder for purposes permitted under the Gramm-Leach-Bliley Act of 1999 and its promulgating regulations (“GLBA”). SentiLink shall perform the Service in compliance with all applicable law, rule, regulation, ordinance, code or order generally applicable to the provision of the Services (the “Laws Applicable To SentiLink”).

    3.2    Customer Responsibilities. Customer shall: (i) provide to SentiLink information reasonably necessary to provide or furnish the Service; (ii) use each Service in accordance with the Specifications and not resell any Services, Materials, Deliverables or other services or products provided by SentiLink; (iii) timely deliver any Customer Data (defined below) or other information in an electronic form and format reasonably requested by SentiLink; (iv) comply with law, rule, regulation, ordinance, code or order applicable to the acquisition, receipt or use of the Services by the Customer (the “Laws Applicable To Customer”) and the procedures set forth in the Specifications or any other literature provided to Customer by SentiLink; (v) not use any Service, Materials or other Deliverables, in whole or in part, as a factor in determining eligibility for credit, insurance, or employment or for any other purpose contemplated by the Fair Credit Reporting Act (“FCRA”); (vi) not reverse engineer any Services or application programming interface provided by SentiLink; and (vii) not submit a request for Service with respect to a minor or legally incompetent individual without the prior written consent of, and subject to any conditions identified by, SentiLink.

    3.3    Customer Data.

    3.3.1    Customer shall be solely responsible for the transmission of all information, data, records or documents (collectively, “Customer Data”) necessary for SentiLink to perform a Service at Customer’s expense, and, as between Customer and SentiLink, Customer shall bear any risk of loss resulting from that transmission until the Customer Data enters SentiLink’s environment. Data may include NPI (referenced in the GLBA as “Non-public Personal Information” or “NPI”), “customer information” (as defined in the GLBA), and “consumer information” (as defined in the GLBA). SentiLink shall bear the risk of loss resulting from Customer Data transmitted to Customer until the Customer Data enters Customer’s environment.

    3.3.2    SentiLink shall only process Customer Data in accordance with this Agreement. SentiLink shall not be responsible for the accuracy, completeness or authenticity of any Customer Data furnished by Customer or a third party. SentiLink will use commercially reasonable efforts to verify the accuracy of Customer Data submitted to SentiLink by Customer. Customer acknowledges that it will exercise its own independent judgement in determining the accuracy, reliability and completeness of the Services and assumes sole responsibility and liability for results obtained from the use of the Services and for conclusions drawn from such use. If any Customer Data submitted by Customer or a third party to SentiLink is incorrect, incomplete or not in the required format, SentiLink may require Customer to resubmit the Customer Data.

    3.3.3    By submitting Customer Data to SentiLink, Customer grants, and represents and warrants that it has all rights necessary to grant, all rights and licenses to the Customer Data required to send the Customer Data to SentiLink and for SentiLink and its subcontractors and service providers to provide the Service. SentiLink shall have no right to sublicense, sell, resell, or disclose to any third party the Customer Data.

    3.3.4    Customer certifies its use of the Services is solely for uses permitted by the GLBA, and to protect against or prevent actual fraud, unauthorized transactions, claims or other liability.

    3.4     SentiLink Supplied Data. This Section 3.4 only applies to the extent that SentiLink provides SentiLink Supplied Data to Customer. “SentiLink Supplied Data” means any “nonpublic personal information” or “personally identifiable financial information,” as such terms are defined by the GLBA, that SentiLink provides to Customer. Customer Data is expressly excluded from SentiLink Supplied Data, and is provided for the sole and exclusive purpose of protecting against or preventing actual fraud, unauthorized transactions, claims or other liability.

    3.4.1    As between SentiLink and Customer, SentiLink owns all intellectual property rights in the SentiLink Supplied Data. No rights in the SentiLink Supplied Data are transferred hereunder except as expressly set out herein.

    3.4.2     SentiLink licenses the SentiLink Supplied Data to Customer for fraud prevention purposes as allowed under the GLBA. SentiLink Supplied Data is licensed for the limited purposes of receiving Services hereunder and may not be sold, transferred or sublicensed without SentiLink’s prior written consent. SentiLink Supplied Data must be stored in the United States.

    3.4.3    If Customer directs SentiLink to disclose SentiLink Supplied Data to a third party, Customer shall ensure that the third party only uses SentiLink Supplied Data for the Customer’s benefit and agrees to comply with all terms set forth herein related to SentiLink Supplied Data, including, but not limited to, taking all necessary security precautions to protect the confidentiality of the SentiLink Supplied Data.

    3.4.4    THE SENTILINK SUPPLIED DATA IS PROVIDED ON AN “AS IS” BASIS AND SENTILINK AND ITS DATA PROVIDERS, SERVICE PROVIDERS AND SUPPLIERS HEREBY DISCLAIM ANY AND ALL OTHER PROMISES, GUARANTEES, REPRESENTATIONS AND WARRANTIES WHETHER EXPRESS OR IMPLIED OR STATUTORY, INCLUDING THOSE REGARDING THE ACCURACY, CORRECTNESS, COMPLETENESS, CURRENTNESS, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OF THE SENTILINK SUPPLIED DATA. IN NO EVENT SHALL SENTILINK OR ITS DATA PROVIDERS, SERVICE PROVIDERS OR SUPPLIERS BE LIABLE TO CUSTOMER OR ANY PERSON OR ENTITY CLAIMING THROUGH CUSTOMER FOR ANY LOSS OR INJURY RELATING TO, ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, SENTILINK’S OR ITS DATA PROVIDERS’, SERVICE PROVIDERS’ OR SUPPLIERS’ ACTS OR OMISSIONS, EVEN IF NEGLIGENT, RELATING TO THE ACCURACY, CORRECTNESS, COMPLETENESS, OR CURRENTNESS OF THE SENTILINK SUPPLIED DATA. FOR THE AVOIDANCE OF DOUBT, SENTILINK AND ITS DATA PROVIDERS, SERVICE PROVIDERS AND SUPPLIERS SHALL NOT BE LIABLE FOR ANY LOSSES OR DAMAGES RELATED TO CUSTOMER’S USE OF THE SENTILINK SUPPLIED DATA, INCLUDING, BUT NOT LIMITED TO, ANY ACTIONS TAKEN BY CUSTOMER BASED ON SENTILINK SUPPLIED DATA.

    3.5     Changes to Services. SentiLink may change any feature, function, or attribute of a Service, or any element of its systems or processes, or any Specification; provided that SentiLink will provide Customer with as much notice as reasonably practicable thereof. If such change materially adversely impacts the functionality, performance or cost of the Service, Customer may terminate the use of the specific Service, provided Customer provides at least fifteen (15) days’ prior notice specifying the adverse impact and SentiLink does not cure or offset such adverse impact within fifteen (15) days of receipt of notice.

    3.6     Problem Reporting and Resolution. Customer shall use commercially reasonable efforts to timely report any problems encountered with the Service. SentiLink shall promptly respond to each reported problem based on the severity of its effect on the Service.

    3.7     Use of Integration Support. This Section 3.7 only applies to the extent that Customer uses a third-party integrator to integrate SentiLink’s Services. Where Customer uses a third-party integrator (“Integrator”) to integrate to SentiLink’s Services, then:

    3.7.1     Customer appoints the Integrator as its limited agent for sending, accessing, storing and receiving data, including, but not limited to SentiLink Supplied Data, pursuant to this Agreement, and SentiLink is entitled to treat any instruction from the Integrator with respect to sending, accessing, storing and receiving data to be issued by Customer;

    3.7.2     Customer shall ensure that the Integrator will comply in all respects with the terms and conditions of this Agreement as if it were Customer, including by ensuring the Integrator has sufficient security procedures in place to maintain the security and confidentiality of any NPI and SentiLink Supplied Data; and

    3.7.3     Customer shall indemnify SentiLink with respect to any action, litigation, or claim arising from Customer's appointment of the Integrator as its agent hereunder or from Integrator’s violation of any term of this Agreement or Laws Applicable to Customer.

  4. Use of Service. Except as otherwise permitted in the Agreement or in writing by SentiLink, Customer agrees to use a Service only for its own internal business purposes to service its U.S.-based operations and customers and will not sell or otherwise provide, directly or indirectly, any of the Service or any portion thereof to any other third party. Customer agrees that SentiLink may use all suggestions for improvement and comments regarding the Service that are furnished by Customer to SentiLink in connection with the Agreement, without accounting or reservation.

  5. Materials. As a convenience, SentiLink may provide Customer with sample forms, procedures, scripts, marketing materials or other similar information (collectively, “Materials”). Customer shall have a license to use Materials solely in connection with its use of the Services or Deliverables and consistent with the Specifications. Customer’s license to use the Materials shall expire immediately upon termination of the Agreement or upon notice of termination from SentiLink. Customer is responsible for its use of Materials and bears sole liability for any such use.

  6. Fees and Other Charges

    6.1     Payment. In consideration of SentiLink’s performance of its obligations hereunder, Customer will pay the fees specified in an applicable Order Form (the “Fees”). SentiLink may, in its sole discretion, increase or otherwise modify the Fees at each renewal period, as applicable, while this Agreement is in effect by providing Customer with thirty (30) days’ prior notice of any such change. If Customer does not agree to the changed Fees, Customer may exercise its right not to renew the Agreement for an additional renewal period. Except as otherwise stated in an Order Form, Customer agrees to pay all Fees on the invoice within thirty (30) days of receipt of the invoice.

    6.2    Billing Errors. In the event of over-billing, SentiLink will correct the error by credit to Customer. If Customer was under-billed, SentiLink will add the under-billed amount to a future invoice or issue a new invoice, at its discretion. SentiLink may utilize any amounts owed to Customer under the Agreement to pay or reimburse SentiLink for amounts owed by Customer. In the event an error is not discovered and communicated to the other party within two billing cycles, both parties waive any right to dispute the erroneous bill.

    6.3     Taxes. Customer will be responsible for the payment of any and all local, state, federal, or foreign taxes, levies, and duties of any nature, including value-added, sales, use, and withholding taxes directly applicable to Customer (“Taxes”). Customer is responsible for paying all Taxes, excluding only taxes based on SentiLink’s net income.

  7. Intellectual Property. Customer is not acquiring a copyright, patent or other intellectual property right in any Service, Deliverable, Specifications or Materials, or in any data, modifications, customizations, enhancements, changes or work product related thereto. “Deliverable” means with respect to each Service all data, files, documents, reports, statements, extracts and other work product created by the Service and delivered to Customer as part of the Services (whether tangible or intangible), and specifically includes any SentiLink Supplied Data. For avoidance of doubt, Deliverables do not include Customer Data or any such Customer Data. Any intellectual property rights that existed prior to the Effective Date of the Agreement shall belong solely to the party owning them at that time. Neither party shall be entitled to any copyright, trademark, trade name, trade secret or patent of the other party. Customer shall not alter, obscure or revise any proprietary, restrictive, trademark or copyright notice included with, affixed to, or displayed in, on or by a Service, Third-Party Service, Deliverable or Specifications.

  8. Data Security

    8.1     The purpose of this Section 8 (Data Security) is to ensure that this Agreement conforms to applicable privacy laws, including Gramm-Leach-Bliley Act and its promulgating regulations, and otherwise sets forth SentiLink’s rights and obligations with respect to the use and disclosure of non-public financial information that is personally identifiable to a consumer (referenced in the GLBA as “Non-public Personal Information” or “NPI” and including Customer Data and SentiLink Supplied Data). All disclosure of NPI under this Agreement will be subject to the provisions of this Section 8 (Data Security). SentiLink represents and warrants that its use, storage, disposal and disclosure of Customer Data does and will comply with all applicable federal and state privacy and data protection laws, and it will protect the privacy of all Customer Data to at least the same extent that Customer must maintain that confidentiality under applicable law. Customer represents and warrants that its use, storage, disposal and disclosure of SentiLink Supplied Data does and will comply with all applicable federal and state privacy and data protection laws, and it will protect the privacy of all SentiLink Supplied Data to at least the same extent that SentiLink must maintain that confidentiality under applicable law. 
Without limiting the foregoing, each party will not disclose NPI to any third party other than to (a) its employees, consultants, attorneys and accountants with a need to know such NPI in connection with a permitted use of such NPI under this Agreement; provided that any such person is bound to treat NPI confidentially as a condition of employment or of access to NPI or by professional obligations imposing comparable terms; or (b) any regulatory authority (1) in connection with an examination of a party; or (2) pursuant to a specific requirement to provide such NPI by such regulatory authority or pursuant to compulsory legal process; provided, however, that SentiLink (in the case of Customer Data) and Customer (in the case of SentiLink Supplied Data) seeks the full protection of confidential treatment for any disclosed NPI to the extent available under applicable law governing such disclosure, and with respect to clause (2), to the extent permitted by applicable law (y) provides at least ten (10) business days’ prior notice of such proposed disclosure if reasonably possible under the circumstances, and (z) seeks to redact the NPI to the fullest extent possible under applicable law governing such disclosure. Each party will use reasonable encryption and authentication technology that provides a reasonable level of security that complies with applicable law for NPI.

    8.2     SentiLink will establish and maintain appropriate administrative, technical and physical safeguards designed to (i) protect the security, confidentiality and integrity of the Customer Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Customer Data and systems maintaining Customer Data; (iii) protect against unauthorized access to or use of Customer Data; and (iv) ensure the proper disposal of Data (collectively, the “Security Program”). SentiLink has, within the last twelve (12) months, tested such Security Program and has determined it is sufficient to enable SentiLink to comply with the requirements set forth herein. Supplier shall, on an annual basis, audit its systems that process Customer Data. Such audits are to be performed by an independent third-party auditor that tests against the most current Service Organization Controls (SOC) 2, Type II reporting framework as developed by the American Institute of Certified Public Accountants (AICPA) (“SOC 2 Type II Audit”).

    8.3     In the event of a Security Breach (as defined below) experienced by SentiLink, SentiLink will notify Customer of the Security Breach as soon as practicable, but no later than seventy-two (72) hours after SentiLink becomes aware of the Security Breach. Immediately following notification under this section of the Security Breach, SentiLink and Customer will coordinate with each other to investigate the Security Breach. SentiLink agrees to reasonably cooperate with Customer in handling the matter, including: (i) assisting with any investigation; (ii) providing Customer with physical access to the facilities and operations affected in the event any regulatory authority with jurisdiction over Customer requests or otherwise requires Customer to physically access such facilities or operations; (iii) facilitating interviews with relevant SentiLink employees and others involved in the matter; and (iv) making available solely for review at SentiLink’s premises all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, or bona fide internal compliance policies. SentiLink will at its own expense use best efforts to immediately contain and remedy its Security Breach and prevent any further Security Breach, including taking any and all action necessary to comply with applicable privacy rights, laws, regulations and standards. In the event of a Security Breach, SentiLink will reimburse Customer for Customer’s reasonable, documented out-of-pocket costs of (i) providing notifications and other remediation to its customers required by applicable law (e.g., annual credit monitoring) and (ii) paying any regulatory fines issued against Customer as a result of such unauthorized access to Customer Data. SentiLink agrees to maintain and preserve all documents, records and other data related to any Security Breach.
“Security Breach” means (i) an actual or suspected breach of availability, confidentiality or integrity of data or the physical, technical, administrative or organizational safeguards put in place by SentiLink or its third-party service provider that relate to the protection of Customer Data, or (ii) any unauthorized disclosure of Customer Data by SentiLink or its service providers.

    8.4     Any Customer Data will be destroyed within thirty (30) days after (a) the termination or expiration of this Agreement or (b) the written request of Customer. Where Customer Data is required to be destroyed, SentiLink must delete Customer Data in accordance with the NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf), or through degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, or by shredding or mechanical disintegration, or such other standards Customer may reasonably require based on the classification and sensitivity of the Customer Data.

  9. Confidentiality

    9.1     Each party shall treat information received from the other that is designated as “confidential” at or prior to disclosure (“Confidential Information”) as strictly confidential. SentiLink designates all information relating to the Services, Deliverables, Specifications and the terms of the Agreement as its Confidential Information. Customer designates as its Confidential Information Customer Data that is NPI submitted to SentiLink. Each party designates its intellectual property, customer lists, business contacts, business plans, policies, procedures, techniques, know-how, standards, products, source or object code, product or service specifications, manuals, agreements, economic and financial information, marketing plans, data, reports, analyses, compilations, statistics, summaries, studies, and any other tangible or intangible information or any materials based thereon, furnished to the other party as Confidential Information of such disclosing party.

    9.2     Each party shall: (i) restrict disclosure of the other party’s Confidential Information to employees, agents and Affiliates solely on a “need to know” basis in accordance with the Agreement; (ii) advise its employees and agents of their confidentiality obligations; (iii) require agents to protect and restrict the use of the other party’s Confidential Information; (iv) use the same degree of care to protect the other party’s Confidential Information as it uses to safeguard its own Confidential Information of similar importance, but in no event less than a reasonable degree of care; (v) establish procedural, physical and electronic safeguards, designed to meet the objectives of the GLBA’s safeguarding regulations, to prevent the compromise or unauthorized disclosure of Confidential Information; and (vi) notify the other party of any unauthorized possession or use of its Confidential Information promptly following confirmation of that unauthorized use or possession. To the extent a party receives NPI from the other, the disclosing party has the right to audit, no more than once a year, during normal business hours and upon 60 days advance written notice, the receiving party’s information security program and systems to the extent such systems maintain NPI.

    9.3     Confidential Information shall remain the property of the party from or through whom it was provided. Except for NPI, neither party shall be obligated to preserve the confidentiality of any information that: (i) was previously known; (ii) is a matter of public knowledge; (iii) was or is independently developed; (iv) is released for disclosure with written consent; or (v) is received from a third party to whom it was disclosed without restriction. Disclosure of Confidential Information shall be permitted if it is: (a) required by law; (b) in connection with the tax treatment or tax structure of the Agreement; or (c) in response to a valid order of a U.S. court or other governmental body, provided the owner receives written notice and is afforded a reasonable opportunity to obtain a protective order. Upon termination of a Service and at the request of the disclosing party, the other party shall, except as otherwise set forth herein, destroy the other party’s Confidential Information relating to that Service in a manner designed to preserve its confidentiality, or, at the other party’s written request and expense, return it to the disclosing party; provided that, each party may retain the other party’s Confidential Information, subject to the confidentiality requirements hereof, to the extent required to comply with applicable legal and regulatory requirements or with internal backup policies and procedures.

    9.4     Notwithstanding the foregoing and subject always to SentiLink’s obligation to keep all Customer Data confidential in accordance with Section 9.2, Customer hereby authorizes SentiLink to store, analyze and use all Customer Data provided by or on behalf of Customer and/or its customers in connection with the Services, and all information that is derived from such Customer Data, in order to provide and improve SentiLink’s fraud detection and prevention services, to create Depersonalized Information, to incorporate into its proprietary fraud prevention algorithms and models and fraud prevention services, and to disclose or use Depersonalized Information to enhance or improve SentiLink services or products or otherwise in order to prevent fraud, provided that (i) SentiLink cleanses such Customer Data to remove Customer’s name and any NPI and otherwise renders such Customer Data unidentifiable to any person, individual, consumer, or entity and not capable of being back-derived by an expert in the field using industry knowledge and available data-analytic tools and techniques (collectively, the “Depersonalized Information”), and (ii) the Depersonalized Information is included in a data set comprising both Depersonalized Information derived from Customer Data and the Depersonalized Information derived from other SentiLink Customers (“Aggregate Form”) such that the Depersonalized Information cannot be linked to Customer. SentiLink’s rights with respect to Depersonalized Information or any data incorporated into its Services, including fraud prevention algorithms and models, under this provision shall survive the termination of the Agreement or any Service.

  10. Indemnification

    10.1     SentiLink Indemnity. SentiLink shall, subject to Section 10, defend, indemnify and hold harmless Customer and its parents, subsidiaries, affiliates and their respective officers, directors, members, employees, representatives, shareholders, agents and shareholders (individually and collectively, the “Customer Indemnitee Parties”) from and against any damages, awards, judgments, settlement amounts, fines, penalties, losses, costs and expenses (including reasonable legal fees and expenses and costs of investigation) and other liabilities arising out of any lawsuit, action, claim, demand, administrative action, arbitration or other legal proceeding brought or asserted against any Customer Indemnitee Parties by a third party as a result of or in connection with: (i) SentiLink’s gross negligence or willful misconduct; or (ii) SentiLink’s failure to comply with the Laws Applicable To SentiLink.

    10.2     SentiLink Intellectual Property Indemnity. SentiLink shall, subject to Section 11, indemnify and hold Customer harmless, from and against any claim against Customer by reason of Customer’s use of the Services as permitted hereunder, brought by a third party alleging that the Services infringe or misappropriate a third party’s valid United States patent, copyright, trademark or trade secret. SentiLink shall, at its expense, defend such claim and pay damages finally awarded against Customer in connection therewith, including the reasonable fees and expenses of the attorneys engaged by SentiLink for such defense. If the Services, or parts thereof, become, or in SentiLink’s opinion may become, the subject of an infringement claim, SentiLink may, at its option: (i) procure for Customer the right to continue using the Services as set forth herein; (ii) replace or modify the Services to make it non-infringing, provided such replacement or modification does not compromise SentiLink’s obligations under this Agreement; or (iii) if options (i) or (ii) are not commercially and reasonably practicable as determined by SentiLink, terminate this Agreement and the applicable Order. SentiLink will have no liability or obligation under this Section with respect to any claim if such claim is caused in whole or in part by: (x) Customer’s use of a Service not in accordance with this Agreement and Specifications; (y) modification of a Service by anyone other than SentiLink; or (z) the combination, operation, or use of any Service with other hardware or software not provided by SentiLink where the Services would not by itself be infringing. THIS SECTION 10.2 STATES SENTILINK’S ENTIRE LIABILITY AND CUSTOMER’S SOLE REMEDY WITH RESPECT TO ANY INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS BY THE SERVICES.

    10.3     Customer Indemnity. Customer shall, subject to Section 11, defend, indemnify and hold harmless SentiLink and its parents, subsidiaries, affiliates and their respective officers, directors, members, employees, representatives, shareholders, agents and shareholders (individually and collectively, the “SentiLink Indemnitee Parties”) from and against any damages, awards, judgments, settlement amounts, fines, penalties, losses, costs and expenses (including reasonable legal fees and expenses and costs of investigation) and other liabilities arising out of any lawsuit, action, claim, demand, administrative action, arbitration or other legal proceeding brought or asserted against any SentiLink Indemnitee Parties by a third party as a result of or in connection with: (i) Customer’s gross negligence or willful misconduct; (ii) Customer’s failure to comply with the Laws Applicable To Customer; (iii) SentiLink Indemnitee Parties’ use of Customer Data, including any claim brought by a third party alleging that the SentiLink Indemnitee Parties’ use of Customer Data, as permitted hereunder, infringe or misappropriate a third party’s valid patent, copyright, trademark or trade secret; or (iv) any claim, action or suit by a consumer of Customer’s products and services relating to or arising from the use of the Services with respect to that consumer.

    10.4     Other Claims. Each party’s obligation to indemnify the other party pursuant to this Section 10 shall not be deemed to limit any claim such party may have against the other party for breach of its obligations under the Agreement.

    10.5     Indemnity Procedure. The indemnification obligations in this Section shall be subject to the indemnified party: (i) promptly notifying the indemnifying party in writing upon receiving notice of any threat or claim of such action; (ii) giving the indemnifying party exclusive control and authority over the defense and/or settlement of such claim (provided any such settlement unconditionally releases the indemnified party of all liability); and (iii) providing reasonable assistance requested by the indemnifying party, at the indemnifying party’s expense.

  11. Limitation of Liability and Disclaimer of Warranties and Certain Losses.

    11.1     Waiver of Consequential Damages. EXCEPT WITH RESPECT TO A PARTY’S WILLFUL MISCONDUCT OR FRAUD OR BREACH OF ITS CONFIDENTIALITY OBLIGATION HEREUNDER, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY DAMAGES OF ANY KIND, OR ANY LOST PROFITS OR LOST SAVINGS, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

    11.2     Limitation of Monetary Damages. Except for a party’s (a) indemnification obligations under this Agreement; and (b) liability arising from such party’s gross negligence, fraud or willful misconduct, and in all cases subject to Section 11.1, the maximum aggregate liability of a party to the other party for all claims arising out of or relating to this Agreement, regardless of the form of any such claim, shall not exceed a sum equal to the amounts paid or payable by Customer to SentiLink during the one (1) year period immediately prior to the event giving rise to such liability. In no event shall a party’s total aggregate liability under this Agreement for claims arising out of such party’s indemnification obligations or a breach of its confidentiality obligation under this Agreement exceed four times (4x) the amount paid by Customer to SentiLink under this Agreement during the one (1) year period immediately prior to the event giving rise to such liability.

    11.3     Disclaimer of Liability for Certain Losses. Under no circumstances shall SentiLink be liable for any damages, awards, judgments, settlement amounts, fines, penalties, losses, costs and expenses (including reasonable legal fees and expenses and costs of investigation) and other liabilities to the extent caused by: (i) Customer; (ii) a third party, other than SentiLink’s Affiliates, authorized agents or subcontractors; (iii) use of attachments, features, or devices not authorized by the Specifications; (iv) abuse, misuse, alteration or use that is inconsistent with the terms of the Agreement or Specifications; (v) software or systems not supplied by SentiLink; (vi) a Force Majeure Event; or (vii) a failure that is not directly attributable to SentiLink or under SentiLink’s direct control. In the event of any error by SentiLink in processing any Customer Data or preparing any report or file hereunder, SentiLink’s sole obligation shall be to correct the error by reprocessing the affected Customer Data or preparing and issuing a new file or report at no additional cost to Customer; provided, however, SentiLink’s obligation herein is contingent upon Customer notifying SentiLink of the error.

  12. Disclaimer of Warranties. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS AND CONDITIONS, SENTILINK DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR REPRESENTATIONS (EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THE SERVICES, DELIVERABLES, AND MATERIALS PROVIDED UNDER THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS OR SUITABILITY FOR ANY PARTICULAR PURPOSE, OR ERROR-FREE OPERATION (WHETHER OR NOT SENTILINK KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR IS OTHERWISE IN FACT AWARE OF ANY SUCH PURPOSE), WHETHER ALLEGED TO ARISE BY LAW, BY REASON OF CUSTOM OR USAGE IN THE TRADE, OR BY COURSE OF DEALING. IN ADDITION, SENTILINK DISCLAIMS ANY WARRANTY OR REPRESENTATION TO ANY PERSON OTHER THAN CUSTOMER WITH RESPECT TO THE SERVICES, DELIVERABLES, EQUIPMENT, AND MATERIALS PROVIDED UNDER THIS AGREEMENT. SENTILINK SHALL HAVE NO LIABILITY FOR ANY CLAIMS, LOSSES, OR DAMAGE CAUSED BY ERRORS OR OMISSIONS IN ANY INFORMATION PROVIDED TO SENTILINK BY CUSTOMER IN CONNECTION WITH THE DELIVERABLES OR SERVICES OR ANY ACTIONS TAKEN BY SENTILINK AT CUSTOMER’S DIRECTION. SENTILINK IS NOT A “CONSUMER REPORTING AGENCY,” AS DEFINED BY THE FCRA AND THE DELIVERABLES AND SERVICES DO NOT CONSTITUTE A “CONSUMER REPORT,” AS DEFINED BY FCRA AND SHALL NOT BE SUBJECT TO THE FCRA REQUIREMENTS RELATING TO DISPUTES, ACCESS, ACCURACY OR OTHERWISE.

  13. Use of Names and Trademarks; Publicity. SentiLink may cite Customer as a customer in its sales presentation to prospects and on its public website. Either party may, with the prior consent of the other (not to be unreasonably withheld, delayed or conditioned): (i) publicly announce the Parties’ relationship hereunder; (ii) issue a press release announcing the Parties’ relationship hereunder; and (iii) prepare a case study on Customer’s use of the Services.

  14. Relationship. SentiLink is an independent contractor. Neither SentiLink nor any of its representatives are an employee, partner or joint venturer of Customer. Except as expressly stated in the Agreement, neither party shall be an agent of the other, nor have any authority to represent the other in any matter. Notwithstanding, and only to the extent Customer provides consumer reports to SentiLink, Customer agrees SentiLink is its limited agent for purposes of obtaining “consumer reports,” as defined by the FCRA, for purposes of providing the Services.

  15. Termination and Additional Remedies

    15.1     This Agreement starts on the Effective Date and continues for the period specified in the Order Form (the “Initial Term”). The Agreement will automatically renew for additional successive one (1) year terms unless a party gives written notice of its intention not to renew this Agreement at least thirty (30) days prior to the end of the then-current term (each a “Renewal Term” and with the Initial Term, the “Term”).

    15.2     Termination. In addition to any other remedies, either party may terminate the Agreement or a Service if the other party: (i) fails to cure a material breach under this Agreement within thirty (30) days of receiving written notice to do so; (ii) is subject to a dissolution, reorganization, insolvency or bankruptcy action; (iii) suffers the appointment of a receiver, conservator or trustee; (iv) commits any act related to the Service with the intent to defraud the other party; or (v) discontinues performance under the Agreement because of a binding order of a court or regulatory body. In addition to the termination rights above, SentiLink may terminate a Service, in whole or in part, without penalty, if the Service is not able to be provided on commercially reasonable terms, including where SentiLink’s agreement to use any third-party software or service upon which the Service relies expires or is terminated.

  16. Export Restrictions. SentiLink’s Confidential Information is subject to export controls under applicable federal and state laws, rules and regulations. Accordingly, Customer shall: (i) remain in compliance with all requirements associated with such laws (including obtaining any approval necessary for exportation of SentiLink Confidential Information); (ii) cooperate fully with any audit related to such laws; (iii) not utilize SentiLink’s Confidential Information in any country that is embargoed by the U.S. government; and (iv) not provide to SentiLink, as part of its regular business activities, any Personal Data (as such term is defined in the General Data Protection Regulation (“GDPR”), Regulation (EU) 2016/679), that is subject to GDPR.

  17. Miscellaneous

    17.1     Neither party shall assign, subrogate or transfer any interest, obligation or right arising out of the Agreement without prior written consent from the other party; provided however that no consent is necessary in the event of an assignment due to a consolidation, merger, transfer or reorganization of a majority of the assets or stock of a party provided that the assignee agrees in writing to be bound by the Agreement. Subject to the foregoing, the terms of the Agreement shall be binding upon and inure to the benefit of permitted successors and assigns.

    17.2     The Agreement shall be governed by the laws of the state of California, without regard to internal principles relating to conflict of laws. Any dispute, difference, controversy or claim arising out of or relating to the Agreement shall be settled by binding arbitration before a single arbitrator in San Francisco, California in accordance with the Commercial Arbitration Rules of the American Arbitration Association. Judgment on any resulting award may be entered into by any court having jurisdiction over the parties or their respective property. The arbitrator shall decide any issues submitted in accordance with the provisions and commercial purposes of the Agreement, and shall not have the power to award damages other than those described in the Agreement. The prevailing party in any dispute arising out of the Agreement shall be entitled to, and the arbitrator shall have jurisdiction to award, the recovery of reasonable attorneys’ fees, costs and expenses.

    17.3    All notices must be in writing and delivered via email or overnight delivery to SentiLink at the address set forth below and to Customer at the billing address set forth in the Order Form. A party must provide thirty (30) days prior written notice before changing the address from which it provides or receives Services.

                        SentiLink Corp

                        33 New Montgomery Street, Suite 500

                        San Francisco, CA 94105

                        Email: legal.notices@sentilink.com

    17.4     SentiLink shall not be liable for any loss, damage or failure due to causes beyond its control, including strikes, riots, earthquakes, epidemics, terrorist actions, wars, fires, floods, weather, power failure, telecommunications outage, acts of God or other failures, interruptions or errors not directly caused by SentiLink (“Force Majeure Event”).

    17.5     Each party represents and warrants that it has full legal power and authority to enter into and perform its obligations without any additional consent or approval.

    17.6     The Agreement together with any attachments thereto, constitute the entire agreement and understanding of the parties with respect to its subject matter and may only be modified by a written document signed by both parties. All prior agreements, understandings and representations regarding the same or similar services are superseded in their entirety. In the event of a conflict, ambiguity or contradiction in documents, the documents will take precedence over each other in accordance with the following ranking: (i) exhibits and attachments; (ii) Specifications; and (iii) these Terms and Conditions. The parties do not intend, nor shall there be, any third-party beneficiary rights.

    17.7     No waiver of any provisions of the Agreement and no consent to any default under the Agreement shall be effective unless in writing and signed by the party against whom such waiver or consent is claimed. Waiver by a party of any default by the other party shall not be deemed a waiver of any other default.

    17.8     If any provision(s) of this Agreement, including any attachments and exhibits hereto, is determined to be invalid, illegal, void, or unenforceable by reason of any law, order, judicial decision, or public policy, such provision(s) shall not affect any other provision of the Agreement, and the Agreement shall be interpreted and construed as if the invalid, illegal, void, or unenforceable provision had not been included to the extent necessary to bring the Agreement within the requirements of such law, order, judicial decision, or public policy. This Agreement shall not be construed more strongly against either party, regardless of who is more responsible for its preparation. The headings that appear in these Terms and Conditions are inserted for convenience only and do not limit or extend its scope.

    17.9     Termination of the Agreement or a Service shall not impact any right or obligation arising prior to termination, and in any event, the Parties agree that any right or obligation which, by its nature, should survive termination of this Agreement will survive any such termination (including, but not limited to, Sections 8, 10, 11 and 17).

Exhibit A – Product Descriptions

Where Customer subscribes to one or more Services listed below, then:

Synthetic Fraud Scores

If Customer subscribes to Synthetic Fraud Scores, SentiLink will provide access to Synthetic Fraud Scores in order for Customer to determine the likelihood that an applicant’s identity is synthetic (i.e., it includes fabricated identity information). Customer’s use of Synthetic Fraud Scores in accordance with the Materials will return the following scores (between 1 and 999 with a higher score indicating a higher probability):

      • sentilink_first_party_synthetic_score: the likelihood that the identity is first party synthetic fraud
      • sentilink_third_party_synthetic_score: the likelihood that the identity is third party synthetic fraud
      • sentilink_abuse_score: the likelihood that the identity is or is associated with synthetic fraud and/or other related fraud risks

ID Theft Scores

If Customer subscribes to ID Theft Scores, SentiLink will provide access to the ID Theft Scores in order for Customer to determine the likelihood that an applicant’s identity is being used without authorization. Customer’s use of ID Theft Scores in accordance with the Materials will return a score (between 1 and 999 with a higher score indicating a higher probability).

Insights

If Customer subscribes to Insights, SentiLink will provide access to Insights in order for Customer to get further intelligence about the different pieces of personally-identifiable information included in an application and the risk associated with them. Customer’s use of Insights in accordance with the Materials may return one or more alerts that identify relevant characteristics relating to the applicant’s identity.

KYC

If Customer subscribes to KYC, SentiLink will provide access to KYC in order for Customer to determine which aspects of an applicant’s identity can be trusted and which need to be further verified. Customer’s use of KYC in accordance with the Materials may return one or more alerts that identify relevant characteristics relating to the applicant’s identity.

ID Complete

If Customer subscribes to ID Complete, SentiLink will provide access to ID Complete in order for Customer to attempt to resolve provided identity information. Use of ID Complete in accordance with the Materials will resolve certain missing or incomplete fields (such as dates of birth or social security numbers) and suggest alternative information where applicable (such as associated social security numbers with more history, or dates of birth correcting typographical errors), derived from a combination of Customer Data and SentiLink Supplied Data, using SentiLink’s proprietary matching logic.

Pinning

If Customer subscribes to Pinning, SentiLink will provide access to Pinning in order for Customer to determine the best matching identity (if any) from SentiLink’s proprietary identity database. Customer’s use of Pinning in accordance with the Materials will return a unique identifier that can be stored and used to match other applications from the same identity.

First Party Fraud Flags

If Customer subscribes to First Party Fraud Flags, SentiLink will provide access to the First Party Fraud Flags in order for Customer to determine whether an applicant has characteristics that indicate a heightened probability of identity-related fraud. Customer’s use of First Party Fraud Flags in accordance with the Materials may return one or more flags that will identify particular characteristics that indicate a heightened probability of identity-related fraud.

Manifest

If Customer subscribes to Manifest, SentiLink will provide access to certain records from SentiLink’s database in order to analyze whether an applicant’s identity is legitimate and/or fraudulent. Use of Manifest in accordance with the Materials will return information about an identity, and its history, such as former addresses or previous names.

Dashboard

If Customer subscribes to the Dashboard, SentiLink will provide access to the Dashboard to facilitate Customer analysis of applicant information and SentiLink-licensed associated information for the purpose of determining whether an applicant’s identity is legitimate. Use of the Dashboard in accordance with the Materials allows Customer to access SentiLink’s proprietary user interface to conduct further analysis of and/or request further information with respect to specific applications for fraud detection purposes.

eCBSV

If Customer subscribes to eCBSV, SentiLink will process eCBSV requests on behalf of permitted entities. Use of eCBSV in accordance with the Materials will allow permitted entities to submit eCBSV forms to the Social Security Administration and receive the appropriate responses which may be provided by API or through a user interface.

 

Exhibit B – Flow Down Terms applicable to electronic consent-based social security number (“SSN”) verification (“eCBSV Services”)

1. DEFINITIONS

Client or SSN holder – Individual who authorizes SSA to verify his or her SSN to the Customer by providing Written Consent.

Customer Certification – Certification provided to SSA at least every 2 years by the Customer as required by the Banking Bill in accordance with the requirements under Section 2.a of this Exhibit and in Attachment B.

eCBSV Services – The services offered by the SSA as defined by the Banking Bill which allows permitted entities to verify if an individual’s SSN, name, and date of birth combination matches Social Security records.

Electronic Signature – An electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record, as defined in section 106 of the Electronic Signatures in Global and National Commerce (E-SIGN) Act (15 U.S.C. § 7006), and otherwise in compliance with the Banking Bill and this Exhibit.

Financial Institution – Has the meaning given the term in section 509 of the Gramm-Leach-Bliley Act (GLBA).

Fraud Protection Data – As defined by the Banking Bill, a combination of the SSN holder’s name (including the first name and any family forename or surname of the individual), SSN, and date of birth including the month, day, and year.

SSN Verification – The response disclosed to the Customer after conducting a verification of the SSN holder’s Fraud Protection Data.

Supporting Documentation – All records or information necessary for SentiLink or the SSA to conduct audits as required herein, and includes (without limitation) all completed and signed Written Consents, evidence documenting the specific purpose for each Written Consent, if not referenced within the individual Written Consent, SSN Verifications, and any audit logs or audit trails required to be kept hereunder. Supporting Documentation must be maintained in an accessible electronic format, when available. If not available, paper documentation will suffice.

Written Consent – Written Consent, including electronic, by which the SSN holder gives SSA permission to disclose SSN Verification results to SentiLink and the Customer in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b). The Written Consent must meet SSA’s requirements in Section 4 of this Exhibit and SSA’s regulations. The Written Consent must clearly specify to whom the information may be disclosed, that the SSN holder wants SSA to disclose the SSN Verification, and, where applicable, during which timeframe the SSN Verification may be disclosed (see 20 CFR Part 401.100).

2. MANDATORY FLOW-DOWN TERMS

In order to provide the eCBSV Services, the SSA mandates that Customer acknowledge and agree to the following terms, and Customer hereby acknowledges and agrees to such terms:

a. Customer must provide a (i) EIN verification form; and (ii) Permitted Entity Certification to SentiLink in the form attached as Appendix 1; before being able to access the eCBSV Services, and thereafter on every second anniversary of this Exhibit;

b. Customer must submit SSN Verification requests only: (1) pursuant to the Written Consent (obtained in accordance with Section 4 of this Exhibit) received from the SSN holder; and (2) in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b);

c. Customer must not alter the Written Consent in any way either before or after the SSN holder signs the Written Consent. For the avoidance of doubt, fax date/time stamps, barcodes, quick response codes or tracking/loan numbers added to the margin of a form do not constitute an alteration;

d. Customer must submit the Written Consent within the time specified on the Written Consent, or if none, within 90 calendar days from the date the SSN holder signs the Written Consent;

e. Customer must maintain an audit trail to track its eCBSV activities in accordance with the requirements of this Exhibit;

f. Customer must inform all of its employees with access to the SSN Verification or Written Consent of the confidential nature of the SSN Verification and Written Consent and the administrative, technical, and physical safeguards required to protect the SSN Verification and Written Consent from improper disclosure. Further: (i) Customer must store all information received hereunder in an area that is physically safe (i.e., password protected hard drive, USB drive or disk) from unauthorized access at all times; (ii) Customer agrees to ensure that SSN Verifications are encrypted at rest and in transit; (iii) Customer agrees to ensure that SSN Verifications are stored within the jurisdiction of the United States (i.e., within the continental United States, Hawaii, Alaska, Puerto Rico, Guam, and the Virgin Islands.); (iv) to the extent Customer intends to utilize any third party or cloud service provider in connection with services described in this Exhibit: (A) Customer agrees to ensure such third party or cloud service provider adheres to the requirements contained in subclauses (i), (ii) and (iii) above; and (B) Customer must not provide the third party or cloud service provider the key to unencrypt the SSN Verification maintained in their environment.

g. Customer must not reuse the SSN Verification; provided that Customer may mark the SSN Holder’s identity as “verified” or “unverified”;

h. Customer must process all SSN Verifications or Written Consents in a manner that will protect the confidentiality of the records; track the dissemination of the records; prevent the unauthorized use of SSN Verifications and Written Consents; and prevent access to the records by unauthorized persons;

i. Customer agrees that it shall use the verification only for the purpose stated in the consent form with respect to which such verification was provided, which must be made on Form SSA-89 (Authorization for SSA to Release SSN Verification) (a “Consent Form”), which such purpose shall, if such Consent Form is submitted to SSA by SentiLink, be communicated to Customer, and shall make no further use or re-disclosure of the verification;

j. Report any SSN Holder complaint to the nearest SSA field office; and

k. Customer must properly safeguard SSN Verifications and Written Consents to which it has access from loss, theft, or inadvertent disclosure.

3. CONSENT

In order to obtain a valid Written Consent, the Customer must meet SSA’s requirements as set forth in this Section. A valid Written Consent includes one of the three following forms of consent:

a. SSA-89 (standardized consent form titled Authorization for SSA to Release SSN Verification), with the SSN holder’s wet signature; or

b. SSA-89, in a “pdf fillable” form, signed electronically by the SSN holder, with an Electronic Signature that meets the requirements set forth in Section 8 below; or

c. An electronic form of consent that incorporates one of the two options provided in Attachment B, into the Customer's existing electronic business process, with the title of the Written Consent in “bold” font followed directly by the SSA-provided language.


4. RETENTION

a. Customer must retain the Supporting Documentation for a period of five (5) years from the date of the SSN Verification request, either electronically or in paper form, and must make the Written Consent and all other Supporting Documentation available to SentiLink and the SSA upon request. For the avoidance of doubt, the Written Consent and the information therein, as well as the associated record of SSN Verification, must be perpetually treated as Confidential Information.

b. If Customer retains the Written Consent in paper format, it must store the Written Consent in a manner that meets all regulatory requirements. If Customer retains the Written Consent electronically, it must retain the Written Consents in a downloadable manner that accounts for integrity and intent of the Written Consents and: (1) password protect any electronic files used for storage; (2) restrict access to the files to only the necessary personnel; and (3) put in place and follow adequate disaster recovery procedures. SSN Verifications must also be protected in this manner. When storing a Written Consent electronically, Customer must destroy any original Written Consent in paper form.

c. When the Written Consent includes reference to

     i. a static or general purpose (see Attachment B, Option 1), the Customer must:

          1. Maintain evidence that documents the specific purpose of the SSN Verification request, in a way that clearly links the specific purpose of the transaction to the relevant Written Consent, for a period of five years from the date of the SSN Verification request that preserves the accuracy and integrity of the records, and that is accessible to SentiLink, SSA and SSA’s auditors.

     ii. a specific purpose (see Attachment B, Option 2), maintain evidence of the relevant Written Consent, for a period of five years from the date of the SSN Verification request.

5. ONSITE AND OTHER REVIEWS

Customer acknowledges and agrees that:

a.  SSA may make onsite inspections of its site, including a systems review limited to eCBSV-related systems, to ensure that it is in compliance with this Exhibit, and to assess overall system security.

b. SSA may make periodic, random reviews of the Written Consents to confirm that the SSN holder properly completed the Written Consent.

6. REQUESTS REQUIRING APPROVAL

a. Customer must not submit an SSN Verification request with respect to a minor or legally incompetent individual without the prior written consent of, and subject to any conditions identified by, SentiLink.

7. ELECTRONIC SIGNATURE REQUIREMENTS

A valid electronic Written Consent must be executed in accordance with the requirements as set forth in this Section:

a. The Electronic Signature must be consistent with section 106 of the E-SIGN Act (15 U.S.C. § 7006); provided that the Customer is not required to use any specific technology to obtain the Electronic Signature.

b. It must be clear to the SSN Holder, either in the Written Consent or elsewhere in the signing process, that he or she is signing SSA’s Written Consent. Examples of intent to sign methods deemed appropriate include, but are not limited to:

i. Clicking a clearly labeled “Accept” button (e.g., “By [clicking the [SIGN/ I AGREE/I ACCEPT] button], you are signing the consent for SSA to disclose your SSN Verification to [Permitted Entity and/or Financial Institution]. You agree that your electronic signature has the same legal meaning, validity, and effect as your handwritten signature.”); or

ii. Allowing the signer to opt out of electronically signing the record by providing an option to decline.

c. The Electronic Signature must be attached to or logically associated with the Written Consent being signed, and where applicable, have the capability for an accurate and unaltered version to be retained by the parties involved. Examples of acceptable forms of associating the electronic signature to the record include, but are not limited to:

i. a process that permanently appends the signature data to the consent being signed; or

ii. a database-type link between the signature data and the consent.

d. Customer must ensure there is a means to preserve the integrity of the electronic signature by retaining and implementing safeguards to prevent it from being modified or altered in accordance with the requirements set forth in this Exhibit.

e. There must be a means to retrieve and reproduce legible, accurate, and readable hard or electronic copies of the Written Consent reflecting all Electronic Signature requirements in this section for auditing and monitoring purposes under the Banking Bill and the Privacy Act of 1974, as amended.

8. PROTECTING AND REPORTING THE LOSS OF SSN VERIFICATIONS OR WRITTEN CONSENTS

Customer must comply with the following requirements for safeguarding and reporting the loss of any information about an individual maintained by an entity, including (i) any information that can be used to distinguish or trace an individual’s identity, such as name, SSN, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (collectively, “PII”) as follows:

a. Customer shall establish, maintain, and follow its own policy and procedures to protect PII, including policies and procedures for reporting lost or compromised, or potentially lost or compromised, PII. Customer shall inform its employees who have been authorized to receive eCBSV Services and SSN Verifications in connection therewith (“Authorized Recipients”) which handle PII of their individual responsibility to safeguard such information. In addition, Customer shall, within reason, take appropriate and necessary action to: (i) educate Authorized Recipients on the proper procedures designed to protect PII; and (ii) enforce their compliance with the policy and procedures prescribed. Further, Customer and its Authorized Recipients shall properly safeguard PII from loss, theft, or inadvertent disclosure, and each Authorized Recipient is responsible for safeguarding PII at all times, regardless of whether or not the Authorized Recipient is at his or her regular duty station.

b. In addition, Customer shall follow any and all policies and procedures with respect to the safeguarding and reporting of loss of PII that are reasonably prescribed by SentiLink from time to time.

c. When Customer or an Authorized Recipient becomes aware or suspects that PII has been lost, compromised, or potentially compromised, Customer shall, in accordance with its incident reporting process, provide immediate notification of the incident to SentiLink and hereby authorizes SentiLink to report the same information to SSA.

d.  Customer shall provide SentiLink with updates on the status of the reported PII loss or compromise as they become available but shall not delay the initial report, and will assist SentiLink in providing such updates to the SSA.

e.  Customer shall provide complete and accurate information about the details of the PII loss to assist SentiLink and SSA, including the following information:

i. Contact information;

ii. A description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss;

iii. A description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.);

iv. Whether Customer or the Authorized Recipient has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.);

v. Whether Customer or the Authorized Recipient has filed any other reports (i.e., Federal Protected Service, local police, and SSA reports); and

vi. Any other pertinent information.

   9. TERMINATION OR SUSPENSION

SentiLink may suspend or terminate the eCBSV Service immediately by written notice upon determining, in its reasonable discretion, that:

a. Customer has failed to comply with its responsibilities under this Exhibit or the Banking Bill.

b. This Exhibit or the eCBSV service is prohibited by any applicable law or regulation, at which point this user agreement will be null and void as of the effective date specified in such law or regulation;

c. There has been a change to the SSA’s statutory requirements.

Notwithstanding the foregoing, all provisions in this Exhibit relating to data security and safeguards shall remain in effect for as long as Customer retains such information. Customer specifically waives any right to judicial review of SSA’s decision to cancel, suspend or terminate the provision of eCBSV services to SentiLink or Customer.

   10. AUDIT REQUIREMENTS

Customer agrees that it will be subject to mandatory audits conducted by SSA at SSA’s discretion at any time, in accordance with the following:

a. The SSA or an SSA-appointed CPA firm will perform the audit to ensure that all SSN Verification requests are in compliance with this user agreement and the Banking Bill.

b. The Customer must produce supporting documentation upon request for purposes of the audit promptly and in any event within five (5) business days of any request.

c. If the results of the audit indicate that Customer has not complied with any term of this Exhibit or the Banking Bill, SSA, in addition to referring the matter to the appropriate regulatory enforcement agency in accordance with the Banking Bill, may:

i. Perform additional onsite inspections, audits, or compliance reviews;

ii. In accordance with federal law, refer the report to its Office of the Inspector General for appropriate action, including referral to the Department of Justice for criminal prosecution;

iii. Suspend eCBSV services;

iv. Terminate Customer’s access to the eCBSV Service; and/or,

v. Take any other action SSA deems appropriate.

Customer also agrees that SentiLink may audit its compliance with this Agreement upon ten (10) business days’ notice but no more than once in any twelve-month period.

   11. UNILATERAL AMENDMENTS

This Exhibit may be unilaterally amended at any time to implement the following:

a. Minor administrative changes requested by the SSA, such as changes to SSA contact information; or

b. Procedural changes requested by the SSA, such as method of transmitting requests and results and limits on the number of SSN Verification requests.

SentiLink will notify the Customer promptly of any unilateral amendments under this section.

   12. DISCLAIMERS

a. Neither SentiLink nor SSA is responsible for any financial or other loss incurred by the Customer, whether directly or indirectly, through the use of any data provided pursuant hereunder. Neither SentiLink nor SSA is responsible for reimbursing the Customer for any costs the Customer incurs hereunder.

b. Neither SentiLink nor SSA is liable for any damages or loss resulting from errors in information provided to the Customer under this Exhibit. Furthermore, neither SentiLink nor SSA is liable for damages or loss resulting from the destruction of any materials or data provided by Customer. All information furnished to the Customer will be subject to the limitations and qualifications, if any, transmitted with such information. If, because of any such error, loss, or destruction attributable to SSA, SSA must re-perform the services under this user agreement.

c. If for any reason SSA delays or fails to provide the services, or discontinues all or any part of the services, neither SentiLink nor SSA is liable for any damages or loss resulting from such delay, failure, or discontinuance.

   13. NOTIFICATIONS AND ACKNOWLEDGMENT

Customer acknowledges and agrees that:

 a. SSA’s SSN Verification does not provide proof or confirmation of identity. eCBSV is designed to provide Customer with only a “yes” or “no” verification of whether the SSN verified with SSA’s records. If SSA’s records show that the SSN holder is deceased, eCBSV returns a death indicator. SSN Verifications do not verify an individual's identity. eCBSV does not verify employment eligibility, nor does it interface with the Department of Homeland Security’s (DHS) verification system, and it will not satisfy DHS’s I-9 requirements. Customer acknowledges that SSA’s SSN Verification verifies that the Fraud Protection Data provided by the Customer matches or does not match the data in SSA records. SSA’s SSN Verification does not authenticate the identity of the SSN holder or conclusively prove that the SSN holder is who he or she claims to be.

b. It is a Financial Institution as defined herein.

c. SSA may change its method of receiving SSN Verification requests and providing SSN Verification results to the Customer at any time; however, SSA will provide as much notice as is possible.

d. Customer must submit requests for SSN Verifications either in one or more individual requests electronically for real-time machine to machine or similar functionality for accurate electronic responses within a reasonable period of time from submission, or in batch format for accurate electronic responses within 24 hours. All SSN Verification requests must conform to the Banking Bill and specify the full name (including first name and any family or forename or surname), date of birth (including the month, day, and year), and SSN of each SSN holder whose SSN the Customer seeks to verify.

e. SentiLink did not: (a) use the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification”; or (b) advertise to Customer that SSN verification provides or serves as identity verification.

f. SSA will ensure the eCBSV system has commercially reasonable uptime and availability.

g. Section 1140 of the Social Security Act authorizes SSA to impose civil monetary penalties on any person who uses the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement, solicitation, or other communication, “in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed, or authorized by the Social Security Administration . . . .” 42 U.S.C. § 1320b-10(a).

   14. CONSTRAINTS ON ADVERTISING AND MARKETING

a. Customer must not use the words “Social Security” or other eCBSV program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification.”

b. Customer must not advertise that an SSN Verification provides or serves as identity verification.

c. Customer must not advertise that eCBSV will eliminate synthetic identity fraud or any type of fraud.

d. Customer must not advertise in any way that it maintains a repository of data verified by SSA, including advertising to prospective or current clients, consumers, or otherwise to the public.

e. Customer must not represent that any verifications it provides based on its own marked records are SSA-verified data or SSN Verifications.

f. Customer must represent that such verifications are verifications from its own records and information, and it bears full responsibility for the accuracy of its verification representations. This requirement survives expiration or termination of this Exhibit and the Agreement.

g. The SSA reserves the right to conduct on-site visits to review the Customer’s documentation and in-house procedures for protection of and security arrangements for the SSN Verification and Written Consent and adherence to terms of this Exhibit.

   15. INDEMNITY

Notwithstanding any other provision of this user agreement, the Customer will indemnify and hold SentiLink and the SSA harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from, any acts or omissions of the Customers, including but not limited to the disclosure or use of information by the Customer, or any errors in information provided to SentiLink hereunder.

   16. FULFILLMENT

Customer agrees and acknowledges that the SSN Verifications may be fulfilled by SentiLink Verification Services Corp., a wholly owned subsidiary of SentiLink Corp.

Attachment A - Certification Statement {INSERT CUSTOMER’S NAME}

Exhibit A - Certification Statement {INSERT PERMITTED ENTITY’S NAME}

CERTIFICATION STATEMENT FOR

PERMITTED ENTITIES USING THE SSN VERIFICATION PROCESS

(Signature required biennially)

Name and address of Permitted Entity:

______________________________________________________________________

The following certification must be completed prior to SSA authorizing use of the eCBSV system.

I, ________________________ on behalf of the company listed above, certify that this entity attests to each of the following four (4) declarations:

1. The entity is a Permitted Entity.

2. The entity is in compliance with the Banking Bill.

3. The entity is, and will remain, in compliance with its privacy and data security requirements, as described in title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.), with respect to information the entity receives from the Commissioner pursuant to the Banking Bill.

4. The entity will retain sufficient records to demonstrate its compliance with its certification and the Banking Bill for a period of not less than two (2) years.

The permitted entity will provide this Certification to SSA, and not submit any SSN Verification request to SSA if the Certification is older than two (2) years old or the permitted entity cannot attest to any one of the four (4) declarations.

The signatory, if electronically signing this document, agrees that his/her electronic signature has the same legal validity and effect as his/her handwritten signature on the document, and that it has the same meaning as his/her handwritten signature.

[Please clearly print or type your designated company official’s name, title, and phone number and have him/her provide an electronic or wet signature and date below.]

Company Official Name___________________________________________________

Company Official Title ___________________________________________________

Company Official Phone Number____________________________________________

Signature__________________________________________Date_________________

Attachment B – SSA Written Consent Template

Option 1: Static Purpose:

Authorization for the Social Security Administration to Disclose Your Social Security Number Verification

I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of this transaction whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].

Option 2: Dynamic Purpose:

Authorization for the Social Security Administration to Disclose Your Social Security Number Verification

I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of [insert specific purpose] whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].