Third-Party Application Terms for Finicity Service
The following additional terms and conditions (the “Third-Party Application Terms for Finicity Service”) supplement the terms and conditions of any Order and the Quiltt Terms of Service (any such Order and the Quiltt Terms of Service and these Third Party Application Terms for Finicity Service collectively referred to herein as the “Agreement”) with respect to Customer’s and its End Users’ access to and use of the products and services that Quiltt offers from Finicity Corporation (“Finicity”) as a Third-Party Application. In the event of a conflict between these Third-Party Application Terms for Finicity Service and the terms and conditions relating to the Quiltt Services, these Third-Party Application Terms for Finicity Service control and govern with respect to the Finicity Service. Capitalized terms that are not defined in these Third-Party Application Terms for Finicity Services have the meanings given to them in the Quiltt Terms of Service or the applicable Order.
- Additional Definitions.
  - “Applicable Law” means applicable US local, state, and federal laws, statutes, orders (including executive orders), rules, regulations, ordinances, standards, treaties, and directives.
  - “Business Purpose” means the use of Personal Information for Customer’s operational purposes, or other notified purposes, provided that the use of Personal Information is in accordance with Applicable Law and is reasonably necessary and proportionate to achieve the operational purpose for which the Personal Information was collected or processed or for another operational purpose that is compatible with the context in which the Personal Information was collected.
  - “Explicit Consent” means an electronic communication with a Person that: (a) provides sufficient notice to such Person regarding how End User Data associated with that person will be used, including access, usage, storage, retention, and disposal of such Person’s End User Data (including any use of anonymized data derived from the End User Data) and the process for the revocation of consent (which process shall enable a Person to readily revoke such consent); and (b) obtains from such Person permission for a specific action that is maintained in a system log or database that ensures completeness and integrity and permits verification of the consent upon request. Explicit Consent must be consistent with Applicable Law and standards developed for the collection of consent by the Financial Data Exchange (or subsequent industry organization) and at a minimum must be presented and captured in a clear and conspicuous manner and may not include a technology solution or script that automatically enrolls a Person into an agreement without taking an express, recordable action.
  - “Finicity Materials” means any data or materials provided by or on behalf of Finicity to Customer, other than End User Data.
  - “Finicity Service” means any products or services provided by Finicity that Customer receives via an Order with Quiltt.
  - “Finicity Subscription” means an End User’s right to use the Finicity Service purchased by Customer through Quiltt pursuant to the terms of the Agreement.
  - “Finicity Technology” means (a) the Finicity Service and the Finicity System, and (b) the Finicity Materials.
  - “Finicity System” means the equipment, APIs, interfaces, and all software and administrative platforms necessary to provide the Finicity Service.
  - “Information Security Incident” means any actual or suspected unauthorized processing, loss, use, disclosure, acquisition of, or access to any Personal Information or End User Data.
  - “Person” means any individual, partnership, joint venture, corporation, company, bank, trust, unincorporated organization, government or any department, agency or instrumentality thereof.
  - “Personal Information” means any information relating to an identified or identifiable individual, whether electronically or otherwise recorded, including but not limited to contact information, demographic information, passport number, Social Security number or other national identification number, bank account information, Primary Account Number and authentication information (e.g., identification codes, passwords), online identifier (e.g., username, IP address), biometric record, or as otherwise defined under applicable Privacy and Data Protection Law.
  - “Privacy and Data Protection Law” means any US law, statute, declaration, decree, legislation, enactment, order, ordinance, regulation, rule or circular (in each case as amended and replaced from time to time) which relates to the protection of individuals with regards to (i) Applicable Laws governing the Processing of Personal Information, including but not limited to the Gramm-Leach-Bliley Act, the California Consumer Privacy Act (as amended and replaced from time to time) and similar U.S. state and federal privacy laws; (ii) Applicable Laws regulating unsolicited email, telephone, and text message communications; (iii) Applicable Laws relating to security breach notifications; (iv) Applicable Laws imposing minimum security requirements; (v) Applicable Laws requiring the secure disposal of records containing certain Personal Information; (vi) Applicable Laws regulating international data transfers and on-soil requirements; (vii) Applicable Laws regulating incident reporting and data breach notification requirements, including guidelines and recommendations from the competent regulators; (viii) other similar Applicable Laws; (ix) to the extent applicable, the Payment Card Industry Data Security Standards; and (x) all applicable provisions of a party’s written information security policies, procedures and guidelines.
  - “Processing of Personal Information” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  - “Provider” means a financial institution or other entity that possesses account information regarding an End User.
  - “Registration Data” means End User account access information and registration information as provided by End Users to Quiltt or Finicity for the purpose of accessing End User Data from a Provider.
- Grant of Rights.
  - Access to Finicity Service and Finicity Materials. In exchange for payment of the fees listed on the Order, and subject to the terms of the Quiltt Terms of Service and these Third-Party Application Terms for Finicity Service, Quiltt and Finicity grant Customer a limited, revocable, nonexclusive, non-assignable, non-transferable license and right, solely during the term of a Finicity Subscription: (a) to access and use the Finicity Service for Customer’s Business Purpose with End Users, in accordance with the End User’s Explicit Consent and the terms of the Agreement; and (b) to use the Finicity Materials solely in conjunction with Customer’s authorized use of the Finicity Service.
  - Restrictions. Except as otherwise explicitly permitted in the Agreement or as may be expressly required by Applicable Law, Customer and End Users shall (i) use the Finicity Technology only pursuant to these Third Party Application Terms for Finicity Service; (ii) not attempt to gain unauthorized access to the Finicity Technology or their related systems or networks; (iii) not access and/or engage in any use of the Finicity Technology in a manner that abuses or materially disrupts Finicity’s networks, security systems, and/or websites; (iv) not interfere with or disrupt the integrity or performance of the Finicity Technology or third-party data contained therein; (v) not access or use the Finicity Technology in any manner or for any purpose that infringes, misappropriates or otherwise violates any Intellectual Property Right or other right of any third party; (vi) not access or use the Finicity Technology for purposes of competitive analysis of the Finicity Technology, the development, provision or use of a competing software service or product or any other purpose that is to Finicity’s detriment or commercial disadvantage, except as explicitly permitted by Finicity in writing; (vii) not use the Finicity Technology for fraudulent purposes or otherwise in violation of Applicable Law; (viii) except for End Users saving their own End User credentials, not retain, save or otherwise maintain any End User credentials or other Personal Information that could be used to access such End User’s financial information and other data; (ix) not use any “screen scraping” process(es) to obtain End User Data directly or indirectly from any Provider from which Finicity obtains End User Data on behalf of any End User through the use of Registration Data (and not APIs or data feeds provided by or on behalf of Finicity as part of the Finicity Technology); (x) not modify, adapt, alter, translate, or create derivative works from the Finicity Technology; (xi) not sublicense, distribute, sell, lease, rent, loan, or otherwise transfer the Finicity Technology to any third party; (xii) not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code for the Finicity Technology; and (xiii) not otherwise use or copy the Finicity Technology, except as expressly permitted under the Agreement and applicable Order Form. If Customer becomes aware of any actual or threatened activity prohibited by this Section 2(b), Customer shall immediately: (x) take all reasonable and lawful measures within their respective control that are necessary to stop the activity or threatened activity and to mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the Finicity Technology); and (y) notify Finicity of any such actual or threatened activity.
- Compliance with Laws.
  - Export Compliance. Customer will fulfill its obligations in accordance with all Applicable Law, including the Foreign Corrupt Practices Act, the UK Bribery Act, and all other applicable anti-corruption and anti-bribery laws. In connection with Customer’s use of Finicity Service and cross-border transfer of the Finicity Technology, Customer will comply with all applicable export, re-export, and import control laws and regulations of all applicable jurisdictions, and will not export or re-export Finicity Technology. Customer will not engage in any activities related to these Third Party Application Terms for Finicity Service or the Finicity Service with a Person who is identified on a list maintained by the U.S. Treasury Department’s Office of Foreign Assets Control of specially designated nationals and blocked persons subject to financial sanctions. Such list is currently accessible at: www.treasury.gov/ofac.
  - FCRA. Customer shall comply at all times with all Applicable Law related to its use of the Finicity Service. Without limitation, but only where applicable, Customer shall comply with the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq. (“FCRA”), and any applicable analogous state law, as well as all applicable regulations and administrative requirements thereunder. Customer acknowledges that use of the Finicity Service or data obtained or processed using the Finicity Service may be subject to the FCRA or analogous state laws. If Customer uses or provides through the Quiltt Services any Finicity Service that is not labeled as for FCRA use or authorized by Finicity for use in accordance with the FCRA, or obtains through Finicity Service data that is not subject to the FCRA, Customer shall not use or provide through the Quiltt Services such Finicity Service or data for any FCRA-related purpose. Finicity may from time-to-time request additional information from Customer regarding its use of the Finicity Service and/or compliance with the FCRA, and Customer agrees to reasonably cooperate with any such requests. Such requests may include, but not be limited to, the examination of Customer’s policies and/or procedures for: (a) confirming and documenting “permissible purpose” for any FCRA-scoped Finicity Service, including due diligence efforts conducted for such confirmation; (b) verifying the identity of end users for any FCRA-scoped Finicity Service; and (c) processing and resolving FCRA reinvestigations of consumer disputes.
  - Consumer Reports. Customer shall not obtain any Finicity Service as the user of a “consumer report” as defined in the FCRA. Finicity is providing the Finicity Service only as requested by and with the Explicit Consent of the End User.
- Display of Marks. Customer agrees that Finicity may display Customer’s name, marks, and services (including logo) within Finicity’s End User consent and disclosure platform currently called “Finicity Connect” and share the name, marks, and services of Customer to Provider to identify Customer as a recipient of the Finicity Service. Customer consents to Providers’ (and their authorized technology service providers’) display of Customer’s name, marks, and services (including logo) within their user authentication and consent management platforms.
- Representations and Warranties. Customer hereby represents and warrants to Quiltt that the documents, information, responses, and materials provided to Quiltt and/or Finicity by Customer in connection with Finicity’s on-boarding procedures and/or services are true and accurate in all material respects. Customer agrees that Finicity may provide such information to Providers.
- Unauthorized Use. Customer shall: (a) use commercially reasonable efforts to prevent unauthorized access to or use of the Finicity Technology, and (b) notify Quiltt promptly of any such unauthorized access or use.
- Personal Information. Customer will comply with all Applicable Law, including Privacy and Data Protection Law and laws relating in any way to the confidentiality of Personal Information, including Applicable Laws regulating banking secrecy and outsourcing requirements, to the extent applicable to its business or the Finicity Service received under the Agreement. Except to the extent prohibited by applicable legal, regulatory or law enforcement requirements, Customer will promptly inform Quiltt, in each case in writing if any competent authority, regulator or public authority with jurisdiction over Customer requests disclosure of, or information about, the Personal Information that is processed in connection with the Finicity Service. Customer will, without limiting its rights under Applicable Law, cooperate with Finicity as reasonably necessary to comply with any direction or ruling made by such authorities.
- Information Security. Customer will develop, maintain and implement a comprehensive written information security program that: (a) complies with the requirements of Section 7 above; (b) includes, without limitation, technical, physical, and administrative/organizational safeguards designed to (x) ensure the security and confidentiality of Personal Information; (y) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (z) protect against any Information Security Incident; and (c) includes, without limitation, regular testing or other monitoring of the effectiveness of its information safeguards.
- Information Security Incidents. Except to the extent prohibited by Applicable Law or law enforcement requirements, Customer will inform Quiltt in writing of any Information Security Incident within 48 hours of its discovery. For purposes of this provision, “discovery” will mean the first day the Information Security Incident is known to have occurred by any employee, officer or agent of the impacted party. Such notice will summarize in reasonable detail the effect on the other party, if known, of the Information Security Incident and the corrective action taken or to be taken. The applicable party will promptly take all necessary corrective actions, and will cooperate fully with the other in all reasonable and lawful efforts to mitigate the effects of such Information Security Incident. Notwithstanding anything contained herein or otherwise, except to the extent prohibited by applicable legal, regulatory or law enforcement requirements, Customer must obtain the approval of Finicity prior to the publication or communication of any filings, communications, notices, press releases or reports related to any Information Security Incident that expressly mentions Finicity or its affiliates.
- Additional Customer Obligations.
  - Disclosure of Data. Customer shall not use or disclose End User Data or Registration Data for any purpose that is not expressly permitted under these Third Party Application Terms for Finicity Service or by an Explicit Consent given to Customer by the End User to whom such data relates. Without limiting the foregoing, Customer shall not sell, license, transfer, or otherwise disclose the End User Data or Registration Data to any other party. Customer agrees that Finicity and its Affiliates may use or disclose End User Data and Registration Data to provide the Finicity Service and for purposes permitted by Applicable Law and/or End User consent, which may include: (a) to comply with requirements or requests by any judicial process or governmental agency having or claiming jurisdiction over Finicity or a Finicity Affiliate; (b) for accounting, auditing, billing, reconciliation, and collection activities; (c) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (d) to manage risk exposures, service quality, and Quiltt’s compliance with the agreement between Finicity and Quiltt; (e) to provide products or services to Customer or other parties, provided that such products or services do not identify Customer or any End User; (f) to prepare internal reports for use by Finicity or its Affiliates’ staff, management, and consultants for the purposes of operating, evaluating, and managing Finicity or its Affiliates’ business; (g) to prepare, share, and furnish compilations, analyses, and other reports of aggregated or anonymized End User Data in any geography and for any purpose permitted by law, provided that the data in such compilations, analyses, or other reports does not identify Recipient or any User; (h) to comply with Applicable Law; and (i) for other purposes for which consent has been provided by the End User to whom the End User Data relates.
  - End Users. Customer shall not allow a Person to be an End User of the Finicity Service unless such Person has: (a) agreed to the Quiltt End User Terms of Service that Quiltt requires of individual end-user customers of Quiltt’s products and services, which are available at https://www.quiltt.io/policies/terms-and-conditions; (b) provided Explicit Consent to Finicity to be legally bound by the Finicity terms and conditions and privacy notice presented through the user experience before accessing the Finicity Service; and (c) provided Explicit Consent to Customer consenting to Customer’s specific business purpose.
  - Restricted Access. Unless prohibited by Applicable Law, Customer will not permit any person to have access to Finicity Technology or End User Data when such person has been convicted of a crime or has agreed to or entered into a pretrial diversion or similar program with: (a) a dishonest act or a breach of trust, as set forth in Section 19 of the Federal Deposit Insurance Act; or (b) a felony.
  - End User Data Storage. Customer will only use, store, host, or process End User Data within the United States of America. Notwithstanding the foregoing, Customer may allow read-only access to such data subject to the confidentiality and security requirements of the Agreement.
  - Customer will maintain customary insurance with industry standard limits and terms, at its own expense, to cover potential losses and liabilities which may arise in connection with or in any way related to its performance of obligations as described in these Third Party Application Terms for Finicity Service and promptly provide evidence of such insurance if requested by Finicity or Quiltt.
  - Customer shall maintain all necessary documentation to evidence its compliance with these Third Party Application Terms for Finicity Service and Applicable Law in connection with its use of the Finicity Service for a period of six (6) years after the expiration or termination of all Orders incorporating these Third Party Application Terms for Finicity Service, or for such longer period as otherwise may be required by Applicable Law. Customer shall provide Finicity and Quiltt with access to such documentation upon request. Finicity or its authorized representative may, on reasonable notice no more than once every year, audit (a) Customer’s activities related to its use of the Finicity Service; and (b) Customer’s products and services and the use of such products and services that utilizes Finicity Technology, for compliance with Applicable Law and these Third Party Application Terms for Finicity Service.
- Security Requirements. Customer agrees to comply with the security requirements set forth in Exhibit A.
- Suspension of Access. Customer understands that Finicity may temporarily suspend Quiltt’s, Customer’s and/or any End User(s)’ access to one or more components of the Finicity Service, as described below, without penalty or liability, to address the following circumstances: (a) if Finicity reasonably believes there has been a security issue at, or an unauthorized access by, Quiltt, Customer or an End User that endangers the integrity, safety, stability or security of the Finicity Service and suspension of one or more of the components of the Finicity Service will mitigate the adverse impact of such issue or access, then Finicity may suspend access to the Finicity Service, to the extent necessary to mitigate the adverse impact, until such impact has been reasonably resolved; (b) if Finicity reasonably believes Quiltt, Customer, or an End User is engaging in fraud or any conduct in violation of Applicable Law relating to or in connection with the Finicity Service, in each case that creates (i) a reasonable likelihood of an adverse risk to the Finicity Service or (ii) liability for Finicity, and the suspension of one or more components of the Finicity Service will mitigate the adverse impact or liability, Finicity may suspend the Finicity Service to the extent necessary to mitigate the adverse impact or liability, until such impact or liability has been reasonably resolved; (c) Finicity receives a judicial or other governmental demand or order, subpoena, or law enforcement request that expressly or by reasonable implication so requires suspension; or (d) non-payment of fees or other uncured breach by Quiltt.
Exhibit A
Minimum System Security Requirements
Customer will, at a minimum, implement the types of security measures set forth in this Exhibit A. In no event shall any technical requirement be less protective than the corresponding exemplary requirement in this Exhibit. Capitalized terms not otherwise defined in this Exhibit A have the meaning set forth in the Agreement. In the event of any potential breach or actual breach of security which has the potential to expose and/or impact information such as End User Data, Registration Data, Finicity data, API certificates, tokens or other sensitive data, Customer must immediately advise Finicity by emailing soc@mastercard.com and calling (636) 722-3600. These requirements are mandatory for Customer and for any other expressly permitted party that has an API account or that receives End User Data and/or Registration Data for any purpose.
- Physical access control. Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including, without limitation, databases, application servers and related hardware), where Personal Information is processed, including, without limitation:
  - Establishing security areas, restriction of access paths;
  - Establishing access authorizations for employees and third parties;
  - Access control system (ID reader, magnetic card, chip card);
  - Key management, card-keys procedures;
  - Door locking (electric door openers etc.);
  - Security staff, janitors;
  - Surveillance facilities, video/CCTV monitor (as permitted under local law), alarm system; and
  - Securing decentralized data processing equipment and personal computers.
- Virtual access control. Technical and organizational measures to prevent data processing systems from being used by unauthorized persons including, without limitation:
  - User identification and authentication procedures;
  - ID/password security procedures (special characters, minimum length, change of password);
  - Automatic blocking (e.g., password or timeout);
  - Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; and
  - Creation of one master record per user, user master data procedures, per data processing environment.
- Data access control. Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Information in accordance with their access rights, and that Personal Information cannot be read, copied, modified or deleted without authorization, including, without limitation:
  - Internal policies and procedures;
  - Control authorization schemes;
  - Differentiated access rights (profiles, roles, transactions and objects);
  - Monitoring and logging of accesses;
  - Disciplinary action against employees who access Personal Information without authorization;
  - Reports of access;
  - Access procedure;
  - Change procedure; and
  - Deletion procedure.
- Disclosure control. Technical and organizational measures to ensure that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Information is disclosed, including, without limitation:
  - Tunneling;
  - Logging; and
  - Transport security.
- Entry control. Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including, without limitation:
  - Logging and reporting systems;
  - Audit trails and documentation; and
  - Rate limiting or reduction in the amount of sub-accounts that can be created or linked to (max 8 recommended).
- Availability control. Technical and organizational measures to ensure that Personal Information is protected against accidental destruction or loss (physical/logical) including, without limitation:
  - Backup procedures;
  - Mirroring of hard disks (e.g., RAID technology);
  - Uninterruptible power supply (UPS);
  - Remote storage;
  - Antivirus/firewall systems; and
  - Disaster recovery plan.
- Separation control. Technical and organizational measures to ensure that Personal Information collected for different purposes can be processed separately including, without limitation:
  - Separation of databases;
  - “Internal client” concept / limitation of use;
  - Segregation of functions (production/testing); and
  - Procedures for storage, amendment, deletion, transmission of data for different purposes.
- End Point control. Technical and organizational measures to ensure that end points involved in touching, storing or accessing Personal Information are protected against unauthorized access or penetration, including, without limitation:
  - Industry standard anti-malware solutions;
  - Encryption of data at rest using AES 256-bit as a minimum; and
  - Routine penetration testing and/or vulnerability management and review.