Terms and Conditions

Exhibit A MINIMUM END USER LICENSEE TERMS

Client shall include license terms materially similar to those found herein with any permitted distribution of the Finicity Services made available to Users (“Licensee,” “You,” “you,” “Your,” or “your”):

1. LICENSEE ACCESS INFORMATION AND ACCOUNT DATA

You are solely responsible for (a) maintaining the confidentiality and security of your access number(s), password(s), security question(s) and answer(s), account number(s), login information, and any other security or access information, used by you, or anyone you authorize on your behalf, to access the Services and your provider accounts (collectively, “Licensee Access Information”), and (b) preventing unauthorized access to or use of the information, files or data that you store or use in or with the Services (collectively, “Account Data”). You will be responsible for all electronic communications, including account registration and other account holder information, email and financial, accounting and other data (“Communications”) entered using the Licensee Access Information. It is assumed that any Communications received through use of the Licensee Access Information were sent or authorized by you. You agree to immediately notify us if you become aware of any loss, theft or unauthorized use of any Licensee Access Information. We reserve the right to deny you access to the Services (or any part thereof) if we reasonably believe that any loss, theft or unauthorized use of Licensee Access Information has occurred. You must inform us of, and hereby grant to us and our third party vendors permission to use, Licensee Access Information to the extent we deem necessary to enable us to provide the Services to you, including updating and maintaining Account Data, addressing errors or service interruptions, and to enhance the types of data and services we may provide to you in the future.

Notwithstanding any provision of our Privacy Policy to the contrary, compiled, anonymized data concerning your financial transactions, or other available data that is collected through your use of the Services, may be used by our third party vendors to conduct certain analytical research, performance tracking and benchmarking. Our third party vendors may publish summary or aggregate results relating to metrics comprised of research data, from time to time, and distribute, sell or license such compiled, anonymized data for any purpose, including but not limited to, helping to improve products and services and assisting in troubleshooting and technical support or any other purpose permitted by Applicable Law. To the extent such information is shared or disclosed, it will not contain any of your personally identifiable information.

2. PROVIDER SERVICES
2.1 General.

In connection with your use of the Services and as part of the functionality of the Services, you may have access to certain online services or information that may be made available by your provider(s) (“Provider Services”), including online banking, online payment, online investment account download, online bill pay, online trading, and other account information available from your provider(s). The Services are designed to allow you to access Provider Services (if and to the extent provided by your provider(s)) to set up banking and other information, schedule the Services to access your account(s), download transactions into the Services and otherwise aggregate information from your account(s) with your provider(s). You acknowledge and agree that we have no control over the provision of Provider Services or provision of access to the Provider Services by your provider(s), do not guarantee that you will be able to use the Services with the Provider Services, and will have no liability whatsoever for any actions or inactions on the part of the provider(s) resulting in your inability to use the Services to access your accounts, obtain data, download transactions, or otherwise use or access the Provider Services.

2.2 Collection of Provider Account Information.

You acknowledge that in accessing your data and information through the Services, your provider account access number(s), password(s), security question(s) and answer(s), account number(s), login information, and any other security or access information, and the actual data in your account(s) with such provider(s) such as bank and other account balances, credit card charges, debits and deposits (collectively, “Provider Account Data”), may be collected and stored in the Services. You authorize us and our third party vendors, in conjunction with the operation and hosting of the Services, to use certain Provider Account Data to (a) collect your Provider Account Data, (b) reformat and manipulate such Provider Account Data, (c) create and provide hypertext links to your provider(s), (d) access the providers’ websites using your Provider Account Data, (e) update and maintain your account information, (f) address errors or service interruptions, (g) enhance the type of data and services we can provide to you in the future, and (h) take such other actions as are reasonably necessary to perform the actions described in (a) through (g) above. You hereby represent that you are the legal owner of your Provider Account Data and that you have the authority to appoint, and hereby expressly do appoint, us or our third party vendors as your agent with a limited power of attorney, and appoint us or our third party vendors as your attorney-in-fact and agent, to access third party sites and/or retrieve and use your Provider Account Data through whatever lawful means with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person, including, without limitation, accepting any new and/or updated terms and conditions from your provider on your behalf, in providing Services to you. 
You also expressly authorize Provider to share and disclose your Provider Account Data to us on your behalf to facilitate your use of your Provider Account Data for products and services agreed to by you. You further acknowledge that we do not, nor does our third party vendor, review your Provider Account Data and agree that we are not responsible for its completeness or accuracy. Any transactions or informational activities performed at any provider’s website are not made through the Services and we assume no responsibility for such transactions or activities. You are solely responsible for any charges associated with your provider(s). The permissions, uses and access rights granted to our third party vendors hereunder shall continue until such parties are notified by us or you that the Services have been terminated.

2.3 Information from Providers’ Websites.

You acknowledge and agree that (a) some providers may not allow the Services to access the Provider Services, (b) providers may make changes to their websites, with or without notice to us, that may prevent or delay aggregation of information from such websites, and (c) the Services may “refresh” the Provider Account Data by collecting the Provider Account Data nightly, so your most recent transactions may not be reflected in any account balances or other account information presented to you in the Services. If you see a discrepancy in the Provider Account Data, and in any case before making any transactions or decisions based on such account information presented in the Services, you should check the last refresh date for the account and confirm Provider Account Data is correct by following the link back to the applicable provider or otherwise confirm that Provider Account Data is up to date and accurate.

3. SOFTWARE USE, STORAGE AND ACCESS

We shall have the right, in our sole discretion and with reasonable notice, to establish or change limits concerning use of the Services, temporarily or permanently, including but not limited to (a) the amount of storage space you have on the Services at any time, and (b) the number of times (and the maximum duration for which) you may access the Services in a given period of time. We reserve the right to make any such changes effective immediately to maintain the security of the system or Licensee Access Information or to comply with any laws or regulations, and to provide you with electronic or written notice within thirty (30) days after such change. You may reject changes by discontinuing use of the Services to which such changes relate. Your continued use of the Services will constitute your acceptance of and agreement with such changes. Maintenance upon the Services may be performed from time-to-time resulting in interrupted service, delays or errors in the Services. Attempts to provide prior notice of scheduled maintenance will be made, but provider cannot guarantee that such notice will be provided.

4. EXPORT RESTRICTIONS

You acknowledge that the Services and any software underlying such Services are subject to the U.S. Export Administration Regulations (15 CFR, Chapter VII) and that you will comply with these regulations. You will not export or re-export the software or Services, directly or indirectly, to: (a) any countries that are subject to U.S. export restrictions; (b) any end user who has been prohibited from participating in U.S. export transactions by any federal agency of the U.S. government; or (c) any end user who you know or have reason to know will utilize them in the design, development or production of nuclear, chemical or biological weapons. You further acknowledge that this product may include technical data subject to export and re-export restrictions imposed by U.S. law.

5. DISCLAIMER

YOU ACKNOWLEDGE AND AGREE THAT THE SERVICES AND ANY THIRD PARTY SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” THE THIRD PARTY VENDOR AND ITS LICENSORS MAKE NO WARRANTY, EXPRESS, IMPLIED, OR STATUTORY, AND DISCLAIM ANY AND ALL WARRANTIES WITH RESPECT TO THE SERVICES OR ANY THIRD PARTY SERVICES; IN WHOLE OR IN PART, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, TITLE, OR NON-INFRINGEMENT. YOU UNDERSTAND AND EXPRESSLY AGREE THAT ANY USE OF THE SERVICES OR THIRD PARTY SERVICES WILL BE AT YOUR SOLE RISK. VENDOR AND ITS (a) LICENSORS AND (b) THIRD PARTY VENDORS DO NOT WARRANT THE COMPREHENSIVENESS, COMPLETENESS, CORRECTNESS, LEGALITY, OR ACCURACY OF THE SERVICES OR THIRD PARTY SERVICES, IN WHOLE OR IN PART, OR THAT THE SERVICES WILL BE SECURE, UNINTERRUPTED OR ERROR FREE. YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR OTHER DEVICE OR LOSS OF DATA THAT RESULTS FROM YOUR USE OF THE SERVICES OR THIRD PARTY SERVICES.

6. COMPLIANCE WITH FAIR CREDIT REPORTING ACT
6.1 You acknowledge that applications that use consumer data to generate scores or other reports or that otherwise will be utilized by application users in connection with making a decision as to whether to enter into the following types of transactions or on what terms the transaction will be offered (“Financial Apps”) may be subject to the provisions of the Federal Fair Credit Reporting Act (“FCRA”) and equivalent state laws:
  • Extend credit to an applicant.
  • Issue an insurance policy to an applicant.
  • Employ a job applicant.
  • Rent an apartment to a prospective tenant.
  • Sell a product to, provide a service to or otherwise enter into a transaction initiated by a prospective customer.
  • Accept a check or credit card as payment for a sale.
  • Other activities set forth in Section 604 of the FCRA (15 U.S.C. §1681b) and in interpretations of Section 604 by the Federal Trade Commission and the Bureau of Consumer Financial Protection.
6.2 You acknowledge and agree that, in connection with Finicity Corporation’s (“Finicity”) products and services as a third party vendor of ours, data will be transmitted or made available in a mechanical manner by Finicity, and that to the extent Finicity is involved, Finicity will not alter the substance of the data unless authorized by you. You hereby authorize Finicity to access your provider to obtain Provider Account Data and other Provider Services on your behalf and at your authorization. Finicity is providing the service of data delivery only as requested by you, the ultimate end-user, as requested and authorized by you, the owner of such information. You acknowledge that Finicity is not a reseller of data (other than in the manner described in paragraph 1 with respect to anonymized data) but simply provides the service of transferring data as requested and you from one party to the party directed and authorized by you to receive the data.

7. THIRD PARTY BENEFICIARY; INDEMNIFICATION

You agree that Finicity is a third party beneficiary of the above provisions, with all rights to enforce such provisions as if Finicity were a party to this Agreement. You agree to protect Finicity and their affiliates from any and all third party claims, liability, damages, expenses and costs caused by or arising from your use of the Services, your violation of these terms or your infringement, or infringement by any other user of your account, of any intellectual property or other right of anyone.

8. LIMITATION OF LIABILITY.

YOU AGREE THAT NEITHER WE NOR FINICITY NOR ANY OF THEIR AFFILIATES, ACCOUNT PROVIDERS OR ANY OF THEIR AFFILIATES WILL BE LIABLE FOR ANY HARMS, WHICH LAWYERS AND COURTS OFTEN CALL DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES, EVEN IF WE OR FINICITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, RESULTING FROM: (i) THE USE OR THE INABILITY TO USE THE SERVICE; (ii) THE COST OF GETTING SUBSTITUTE GOODS AND SERVICES, (iii) ANY PRODUCTS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO, THROUGH OR FROM THE SERVICE; (iv) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (v) STATEMENTS OR CONDUCT OF ANYONE ON THE SERVICE; (vi) THE USE, INABILITY TO USE, UNAUTHORIZED USE, PERFORMANCE OR NON-PERFORMANCE OF ANY THIRD PARTY ACCOUNT PROVIDER SITE, EVEN IF THE PROVIDER HAS BEEN ADVISED PREVIOUSLY OF THE POSSIBILITY OF SUCH DAMAGES; OR (vii) ANY OTHER MATTER RELATING TO THE SERVICE.

Exhibit B MINIMUM END USER LICENSEE TERMS

Client shall include license terms materially similar to those found herein with any permitted distribution of the Finicity Services made available to Users (“Licensee,” “You,” “you,” “Your,” or “your”):

1. Finicity Developer Support

Finicity will provide Client technical support through the Finicity Developer Portal. The Portal provides Knowledgebase, Developer Community, FAQs, and an electronic ticket submission mechanism. Developer Support tickets may be submitted 24/7 and must be submitted by designated Client escalation team members as mutually agreed in order to be accepted by Finicity. The Finicity Developer Support team will respond to support queries from 9AM to 5PM Mountain Time, Monday through Friday (except for U.S. Holidays). In the event of unscheduled platform downtime, Client may contact the Finicity Operations Alert System at +1(801) 658-9222 to submit an emergency downtime message. Messages submitted on this system will be routed to our Network Operations Team and launch our emergency incident response and escalation process.

2. Data Source Support

Finicity will use commercially reasonable efforts to restore Data Source connectivity as soon as possible. While Finicity will make commercially reasonable efforts to restore connectivity for the top 40 Financial Institutions within 24 hours and all other Financial Institutions within 48 hours of notification by Client, Data Source availability and repair time cannot be guaranteed due to factors outside of Finicity’s control, including the availability of information provided by the Financial Institutions. In some instances, some Data Sources will not be able to be restored and will be removed pursuant to Section 5.6 of the Master Services Agreement. In addition, Data Source connectivity support ticket requests must be submitted through the Finicity API with the corresponding error information in order to be accepted by Finicity and subject to the commercially reasonable efforts to restore connectivity within the period outlined above.

3. Finicity Platform and API (System) Services Availability
  (a) System Availability Calculation: means the ratio of hours found by dividing (i) a numerator consisting of the actual number of hours the Finicity Services is available in any rolling three (3) calendar month period by (ii) a denominator consisting of the total number of hours in the three (3) month period (excluding (x) Client outages or service issues, (y) scheduled maintenance and deploys, and (z) Force Majeure Events). Finicity employs a system availability-monitoring tool that operates on a twenty-four hour, seven day a week basis.

  (b) If Finicity fails to meet the System Availability standards set forth in Section (c) below during any given rolling three (3) calendar month period, Finicity shall apply the percentage credit set forth in Section (c) below, based on the amount invoiced to Client for the Finicity Services accrued and paid by Client during the three (3) month period. The System Availability standard shall be calculated based on a three (3) month average and a credit applied if the calculated average for the three (3) month period is less than the System Availability standard. Finicity shall apply such credits against any amounts invoiced to Client for the Finicity Services from the next complete billing cycle following the three-month period. Finicity has no obligation to issue any service credit unless (i) Client reports the service failure to Finicity immediately on becoming aware of it; and (ii) requests such service credit in writing within thirty (30) days of the service level failure. This Section 3 sets forth Provider’s sole obligation and liability and User’s sole remedy for any Service level failure.

  (c) System Availability Standards during rolling three month period.

    (i) System Availability greater than or equal to 99.5%: no credit.

    (ii) System Availability greater than or equal to 99.0% and less than 99.5%: credit of 5% of the next month’s invoice as provided above.

    (iii) System Availability greater than or equal to 98.0% and less than 99.0%: credit of 7% of the next month’s invoice as provided above.

    (iv) System Availability less than 98.0%: credit of 10% of the next month’s invoice as provided above.

    In the event Client has received a credit pursuant to Sections (c)(i) through (c)(iv) above, the calculation of the actual number of hours the Finicity Services is available shall be reset, and the rolling three (3) calendar month period shall begin anew with the following month without regard to the prior months’ system availability statistics.

  (d) The System Availability calculation and credit do not apply to any unavailability, suspension, or termination:

    (i) That result from any force majeure event or Internet access or related problems beyond the demarcation point of Finicity Systems;

    (ii) That result from any actions or inactions of Client or Users;

    (iii) That result from Client’s equipment, software or other technology;

    (iv) That result from any maintenance as provided for pursuant to the Agreement; or

    (v) Arising from our suspension and termination of your right to use the Finicity Systems in accordance with the Agreement.

4. Disaster Recovery & Business Continuity

a. Finicity has put in place and will maintain during the term of this Agreement, a disaster recovery plan designed to minimize the risks associated with a disaster affecting Finicity’s ability to provide the Finicity Services under this Agreement that are consistent with industry standard practices. Finicity will test its disaster recovery plan annually.

b. On an annual basis, Finicity shall provide its then-current business continuity plan (“Business Continuity Plan”) to Client. The Business Continuity Plan shall include: (a) services and Protected Information backup and recovery procedures; and (b) fail-over procedures. Finicity shall test its Business Continuity Plan on an annual basis and shall provide the test results not more than once annually to Client upon its request.

c. Finicity’s recovery time objective (RTO) under such Business Continuity Plan is seventy-two (72) hours from the time Finicity declares a disaster. Finicity will maintain adequate backup procedures in order to recover Client’s User data to the point of the last available good backup, with a recovery point objective (RPO) of twenty-four (24) hours, depending on the availability of data. Finicity will test its disaster recovery plan annually. Annually upon request, Finicity will provide a summary of its disaster recovery plan and test results, excluding any proprietary information or member information.

d. As part of the Finicity Services, Finicity will, at its own expense, promptly replace or regenerate from Finicity’s media any Protected Information that Finicity has otherwise lost or damaged, or will obtain at Finicity’s expense a new copy of such lost or damaged Protected Information to the extent such is recoverable. The foregoing notwithstanding, Finicity’s application programming interfaces and any data deleted from User interaction with the Finicity Services are excluded from the requirements herein.

5. Breach/Unauthorized Access

Finicity will promptly and fully disclose to Client any information related to a breach or unauthorized access of the Protected Information maintained by Finicity and (a) take appropriate action to address any incident of unauthorized access to enable Client to expeditiously implement its security response program as required by applicable federal, state or local laws, rules or regulations, and (b) provide Client with assurances that such action has occurred.

6. Additional Finicity Obligations
  (a) Finicity will process and use the Protected Information only pursuant to the terms expressly provided in this Agreement, any applicable Order Form(s) and in accordance with Applicable Law.

  (b) Finicity will conduct due diligence reviews of its subcontractors related to its processing and use of the Protected Information.

  (c) Finicity and each of its subcontractors process Protected Information in compliance with data security protocols consistent with this Agreement and Applicable Law, which rules include a provision that prohibits the disclosure of Protected Information to third parties except in accordance with data security protocols consistent with this Agreement and Applicable Law.

7. Priorities

Each incident is assigned a priority based on the severity of the support request. The severity is determined by:

The End User’s ability to use the software to execute the intended business function;

The extent to which the End User is unable to perform that function;

The impact on the business of not being able to perform that function as well as the standard use of the function as designed by Finicity.

Support request priorities are:

PRIORITY | DESCRIPTION
Severity 4 | The Services in the production environment is not available or critically affected, and no acceptable workaround or alternative solution is available.
Severity 3 | The Services in the production environment is seriously affected, and no acceptable workaround or alternative solution is available.
Severity 2 | The Services in the production environment is restricted, but operational, and no acceptable workaround or alternative solution is available.
Severity 1 | The Services in the production environment is generally unaffected, or a request for information, enhancement, product clarification, or documentation is needed.

8. Resolution Times

Response and resolution times for each priority are set out in the following table:

First Response Time is defined as the time from when an issue is raised with Finicity until an assignment to a specific representative is made and that representative has acknowledged receipt of the issue.

Resolution Time is defined as the time from when an issue is raised with Finicity until a reasonable fix is provided which could be in the form of a recommended workaround to the problem or acknowledgement by the Finicity Product Management department of a required code change, which will be communicated to the Client.

Issues requiring product code changes are not held to the corresponding resolution time standard, however all attempts to supply a valid workaround will be made by Finicity. The response and resolution time targets listed below represent a standard of average response and resolution times for all clients over time, rather than a resolution window for a single issue. This means that often issues may be resolved faster than the target time.

Severity Rating | First Response Time | Resolution Time
Severity 4 | 2 days | 4 hours
Severity 3 | 4 days | 8 hours
Severity 2 | 8 days | 10 hours
Severity 1 | 14 days | 48 hours

Exhibit C MINIMUM END USER LICENSEE TERMS

These Requirements are incorporated into, and made a part of, the “Agreement” between Finicity and the Client, having an Effective Date as outlined in this “Agreement”. The Client must at all times ensure that any allowable Finicity data held in their systems is stored in a secure way. These requirements are mandatory for Client and other allowed developer Clients that have an API Account. In the event of any breach of security which has the potential to expose information such as Finicity customer data, API certificates, tokens or other sensitive data, the Client must immediately advise Finicity by emailing security@finicity.com.

1. CLIENT RESPONSIBILITIES
1.2 Background Checks/Investigation.
1.2.1 Background Investigation. Prior to any Services being performed, Client agrees that it will complete a thorough background check on any Employees who will have access to the Client’s or Client’s customers’ Protected Information.
1.2.2 Background Check Requirement. Background checks will, at a minimum, include an investigation for, and review of, any state and federal Convictions and will be retained by Client.
1.3 Security Controls. In connection with any Confidential Information received, maintained, processed, created, stored, or otherwise accessed by a Party, it shall implement and maintain, and cause its subcontractors to implement and maintain: (i) an information security program with appropriate administrative, technical and physical safeguards and security controls; (ii) record retention, and incident response policies, procedures and practices; (iii) back-up, business continuity and disaster recovery plans, procedures, capabilities and facilities that are tailored to and appropriate for the obligations hereunder, and are otherwise designed to insure the confidentiality, integrity and availability of the Confidential Information; and (iv) all safeguards, measures, procedures, policies and other requirements specified herein.
1.4 Organizational Security.
1.4.1 Client will ensure access control mechanisms exist for your Operational staff, and appropriate policies are set about appropriate use of data. In addition, client will impose the same requirements on its Extended Workforce and will remain fully responsible for its Extended Workforce's compliance.
1.4.2 Highly sensitive data such as Finicity keys and certificates should be stored in a secure manner where access is strictly controlled and where the data is not publicly accessible (as it would be, for example, if stored within the web root).
1.5 Physical and Environmental Security.

a. Client will protect all areas, including loading docks, holding areas, telecommunications areas, cabling areas and off-site areas that contain Information Processing System(s) or media containing Protected Information by the use of appropriate security controls.

b. Access will be controlled by use of a defined security perimeter, appropriate security barriers, entry controls and authentication controls as determined by the Client's security risk assessment. All personnel will be required to wear some form of visible identification to identify them as Employees, contractors, visitors, et cetera.

c. Visitors to highly sensitive areas such as data centers will be supervised, or cleared via an appropriate background check for non-escorted access.

2. Communications and Operations Management
2.1 Protections against Malicious Code and Phishing/Trojan Horse Exploits. Client will use training, detection, prevention, and recovery controls to protect against Phishing, Trojan horse exploits, and malicious software.
2.2 Protection of Data at Rest. All protected data at rest must be stored in an encrypted format.
2.3 Media Handling. Client will control media containing Protected Information to protect against unauthorized access or misuse.
2.4 Exchange of Information. To protect the confidentiality and integrity of Protected Information in transit, Client will:

a. Perform routine (no less than monthly) inventory and risk assessment of all data exchange channels (including but not limited to FTP, HTTP, HTTPS, and SMTP) at a minimum for those data exchange channels used to transmit Protected Information in order to identify and mitigate risks to Protected Information from the use of these channels.

b. Monitor all data exchange channels to detect unauthorized information (including without limitation PII) releases.

c. Use appropriate security controls and agreed upon data exchange channels when exchanging Protected Information.

d. Use industry standard enhanced security measures (at a minimum 256-bit AES encryption) to encrypt Protected Information transmitted via open networks including but not limited to the Internet and wireless.

3. Access Control
3.1 User Access Management. To protect against unauthorized access or misuse of Protected Information Client will:

a. Employ a formal user registration and de-registration procedure for granting and revoking access and access rights to all Information Processing System(s).

b. Employ a formal password management process and the use of Strong Passwords.

c. Perform recurring reviews of users' access and access rights to ensure that they are appropriate for the users' role.

3.2 Network Access Control. Access to internal, external, and public network services that allow access to Information Processing System(s) will be tightly controlled to isolate Protected Information with managed access control. Access controls should be reviewed on a quarterly basis to ensure appropriateness.
3.3 Mobile Computing and Remote Working. To safeguard Protected Information from the risks inherent in mobile computing and remote working, Client will:

a. Perform a risk assessment, which at a minimum identifies and mitigates risks to Protected Information from mobile computing and remote working.

b. Maintain a policy and procedures for managing mobile computing and remote working.

3.4 Internet Facing Services Access Controls. To protect Protected Information from the risks inherent in being stored, accessed, or processed on Internet facing services, Client will use a secure sign-on authentication for all Internet facing services that store, access, or process Protected Information.
3.5 Information Security Incident Management. To protect Information Processing System(s) and system files containing Protected Information, Client will maintain a process to ensure that Information Security Events are reported through appropriate management channels as quickly as possible. Client will ensure that its Extended Workforce has a similar process.
4.0 Security Vulnerability Review and Scans. Client authorizes Finicity to conduct a comprehensive security vulnerability review, including a Client application security vulnerability scan, application penetration testing, static analysis, and, if requested, a manual code review. Client further agrees to address any security concerns found through a security vulnerability review prior to Finicity allowing access to the Finicity Services.