SentiLink Terms and Conditions
Version 1.3; July 2020
1. Introduction. These terms and conditions (“Terms and Conditions”), along with an order form that: (a) specifically refers to these Terms and Conditions; and (b) is signed by both Parties, (the “Order Form”) together comprise an agreement for services (collectively, the “Agreement”) between the customer listed in the applicable Order Form (the “Customer”) and SentiLink Corp (“SentiLink”). For the purposes of this Agreement, the terms “SentiLink” and “Customer” include all of their respective Affiliates. “Affiliate” means, with respect to a party, any entity which directly or indirectly, through one or more intermediaries, is controlled by, or is under common control with such party. In consideration of the mutual covenants and promises contained in these Terms and Conditions, SentiLink and the Customer agree as follows:
2. Placing an Order
2.1 SentiLink offers products and services that are designed to help institutions investigate the validity of the identity of Customer’s potential customers, as listed in Exhibit A (each a “Service,” and collectively, “Services”). An order for Services must be placed using an Order Form. In the event of a conflict between the provisions of these Terms and Conditions and the provisions of an Order Form, the provisions of the applicable Order Form will control.
2.2 The Order Form will contain a description of the type and quantity of the Services being purchased, the fees payable and any implementation or other terms and conditions applying to their supply. A Service is not included in an Order Form unless it has been specifically referenced therein. An Order Form shall only be effective when signed by both parties thereto.
3. Providing Services. The following subsections apply to the provision of any Service further described in the applicable Order Form:
3.1 SentiLink Responsibilities. If Customer pays all applicable fees when due, SentiLink shall provide Customer with (i) access to and use of the Service in accordance with these Terms and Conditions and SentiLink’s then-current standard user operating instructions and requirements made available to Customer from time-to-time (“Specifications”); and (ii) a license to use any Deliverables supplied hereunder for purposes permitted under the Gramm-LeachBliley Act of 1999 and its promulgating regulations (“GLBA”) on a one time basis in respect to a specific applicant seeking services from the Customer, provided such Deliverables are securely destroyed as soon as practicable after use. SentiLink shall perform the Service in compliance with all applicable law, rule, regulation, ordinance, code or order applicable to the provision of the Services (the “Laws Applicable To SentiLink”)
3.2 Customer Responsibilities. Customer shall: (i) provide to SentiLink all information SentiLink determines, in its discretion, necessary to provide or furnish the Service; (ii) use each Service in accordance with the Specifications and not resell any Services, Materials, Deliverables or other services or products provided by SentiLink; (iii) timely deliver any Customer Data (defined below) or other information deemed necessary by SentiLink for the provision of the Service in an electronic form and format approved by SentiLink; (iv) have sole responsibility for all Customer Data furnished by Customer or a third party (other than a third party engaged by SentiLink); (v) comply with law, rule, regulation, ordinance, code or order applicable to the acquisition, receipt or use of the Services by the Customer (the “Laws Applicable To Customer”) and the procedures set forth in the Specifications or any other literature provided to Customer by SentiLink; (vi) not use any Service, Materials or other Deliverables, in whole or in part, as a factor in determining eligibility for credit, insurance, or employment or for any other purpose contemplated by the Fair Credit Reporting Act (“FCRA”); and (vii) not reverse engineer any Services or application programming interface provided by SentiLink.
3.3 Customer Data.
3.3.1 Customer shall be solely responsible for the transmission of all information, data, records or documents (collectively, “Customer Data”) necessary for SentiLink to perform a Service at Customer’s expense, and, as between Customer and SentiLink, Customer shall bear any risk of loss resulting from that transmission until the Customer Data enters SentiLink’s environment. Data may include NPI (referenced in the GLBA as “Non-public Personal Information” or “NPI”), “customer information” (as defined in GLBA), and “consumer information” (as defined in GLBA). SentiLink shall bear the risk of loss resulting from Customer Data transmitted to Customer until the Customer Data enters Customer’s environment. If Customer directs SentiLink to disclose Customer Data to a third party, Customer shall bear any risk of loss or liability associated with that disclosure. In addition, SentiLink shall be held harmless from any claim resulting from the third party’s use of that Customer Data, and may, in its discretion, require the third party to enter into a written agreement with SentiLink governing disclosure of that Customer Data.
3.3.2 SentiLink shall only process Customer Data in accordance with this Agreement. SentiLink shall not be responsible for the accuracy, completeness or authenticity of any Customer Data furnished by Customer or a third party. SentiLink will use commercially reasonable efforts to verify the accuracy of Customer Data submitted to SentiLink by Customer, including processing Customer Data using SentiLink’s proprietary algorithm to produce certain results assessing fraud likeliness. Customer acknowledges that it will exercise its own independent judgement in determining the accuracy, reliability and completeness of any such results and Customer Data for which SentiLink processes and assumes sole responsibility and liability for results obtained from the use of the Services and for conclusions drawn from such use. If any Customer Data submitted by Customer or a third party to SentiLink is incorrect, incomplete or not in the required format, SentiLink may require Customer to resubmit the Customer Data.
3.3.3 By submitting Customer Data to SentiLink, Customer grants, and represents and warrants that it has all rights necessary to grant, all rights and licenses to the Customer Data required to send the Customer Data to SentiLink and for SentiLink and its subcontractors and service providers to provide the Service. SentiLink shall have no right to sublicense, sell, resell, or disclose to any third party the Customer Data.
3.3.4 Customer certifies its use of the Services is solely for uses permitted by the GLBA, and to protect against or prevent actual fraud, unauthorized transactions, claims or other liability.
3.4 SentiLink Supplied Data. This Section 3.5 applies to the extent that SentiLink provides SentiLink Supplied Data to Customer. “SentiLink Supplied Data” means any “nonpublic personal information” or “personally identifiable financial information,” as such terms are defined by the GLBA, that SentiLink provides to Customer. Customer Data is expressly excluded from SentiLink Supplied Data.
3.4.1 As between SentiLink and Customer, SentiLink owns all intellectual property rights in the SentiLink Supplied Data. No rights in the SentiLink Supplied Data are transferred hereunder except as expressly set out herein.
3.4.2 SentiLink licenses the SentiLink Supplied Data to Customer for one time use for fraud prevention purposes as allowed under the GLBA. SentiLink Supplied Data is licensed for the limited purposes of receiving Services hereunder and may not be sold, transferred or sublicensed without SentiLink’s prior written consent. SentiLink Supplied Data must be stored in the United States.
3.4.3 If Customer directs SentiLink to disclose SentiLink Supplied Data to a third party, Customer shall ensure that the third party only uses SentiLink Supplied Data for the Customer’s benefit and agrees to comply with all terms set forth herein related to SentiLink Supplied Data, including, but not limited to, taking all necessary security precautions to protect the confidentiality of the SentiLink Supplied Data.
3.4.4 Customer shall implement administrative, physical and technical safeguards to protect SentiLink Supplied Data from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage that are no less rigorous than accepted banking industry practices, and shall ensure that all such safeguards, including the manner in which SentiLink Supplied Data is accessed, received, used, stored, processed, disposed of and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.
3.4.5 Within thirty (30) days of SentiLink’s written request, Customer must delete SentiLink Supplied Data in accordance with the NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitation December 18, 2014 (available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf), or through degaussing of magnetic media in an electromagnetic flux field of 5000+ GER, or by shredding or mechanical disintegration, or such other standards SentiLink may reasonably require based on the classification and sensitivity of the SentiLink Supplier Data.
3.4.6 THE SENTILINK SUPPLIED DATA IS PROVIDED ON AN “AS IS” BASIS AND SENTILINK AND ITS DATA PROVIDERS, SERVICE PROVIDERS AND SUPPLIERS HEREBY DISCLAIM ANY AND ALL OTHER PROMISES, GUARANTEES, REPRESENTATIONS AND WARRANTIES WHETHER EXPRESS OR IMPLIED OR STATUTORY, INCLUDING THOSE REGARDING THE ACCURACY, CORRECTNESS, COMPLETENESS, CURRENTNESS, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OF THE SENTILINK SUPPLIED DATA. IN NO EVENT SHALL SENTILINK OR ITS DATA PROVIDERS, SERVICE PROVIDERS OR SUPPLIERS BE LIABLE TO CUSTOMER OR ANY PERSON OR ENTITY CLAIMING THROUGH CUSTOMER FOR ANY LOSS OR INJURY RELATING TO, ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, SENTILINK’S OR ITS DATA PROVIDERS’, SERVICE PROVIDERS’ OR SUPPLIERS’ ACTS OR OMISSIONS, EVEN IF NEGLIGENT, RELATING TO THE ACCURACY, CORRECTNESS, COMPLETENESS, OR CURRENTNESS OF THE SENTILINK SUPPLIED DATA. FOR THE AVOIDANCE OF DOUBT, SENTILINK AND ITS DATA PROVIDERS, SERVICE PROVIDERS AND SUPPLIERS SHALL NOT BE LIABLE FOR ANY LOSSES OR DAMAGES RELATED TO CUSTOMER’S USE OF THE SENTILINK SUPPLIED DATA, INCLUDING, BUT NOT LIMITED TO, ANY ACTIONS TAKEN BY CUSTOMER’S BASED ON SENTILINK SUPPLIED DATA.
3.5 Changes to Services. SentiLink may change any feature, function, or attribute of a Service, or any element of its systems or processes, or any Specification. If such change materially adversely impacts the functionality, performance or cost of the Service, Customer may terminate the use of the specific Service, provided Customer provides at least fifteen (15) days’ prior notice specifying the adverse impact and SentiLink does not cure or offset such adverse impact within fifteen (15) days of receipt of notice.
3.6 Problem Reporting and Resolution. Customer shall timely report any problems encountered with the Service. SentiLink shall promptly respond to each reported problem based on the severity of its effect on the Service.
3.7 Use of Integration Support. Where Customer uses a third-party integrator (“Integrator”) to integrate to SentiLink’s Services, then:
3.7.1 Customer appoints the Integrator as its limited agent for sending, accessing, storing and receiving data, including, but not limited to SentiLink Supplied Data, pursuant to this Agreement, and SentiLink is entitled to treat any instruction from the Integrator with respect to sending, accessing, storing and receiving data to be issued by Customer;
3.7.2 Customer shall ensure that the Integrator will comply in all respects with the terms and conditions of this Agreement as if it were Customer, including by ensuring the Integrator has sufficient security procedures in place to maintain the security and confidentiality of any NPI and SentiLink Supplied Data; and
3.7.3 Customer shall indemnify SentiLink with respect to any action, litigation, or claim arising from Customer's appointment of the Integrator as its agent hereunder or from Integrator’s violation of any term of this Agreement or Laws Applicable to Customer.
4. Use of Service. Except as otherwise permitted in the Agreement or in writing by SentiLink, Customer agrees to use a Service only for its own internal business purposes to service its U.S.-based operations and customers and will not sell or otherwise provide, directly or indirectly, any of the Service or any portion thereof to any other third party. Customer agrees that SentiLink may use all suggestions for improvement and comments regarding the Service that are furnished by Customer to SentiLink in connection with the Agreement, without accounting or reservation.
5. Materials. As a convenience, SentiLink may provide Customer with sample forms, procedures, scripts, marketing materials or other similar information (collectively, “Materials”). Customer shall have a license to use Materials solely in connection with its use of the Services or Deliverables and consistent with the Specifications. Customer’s license to use the Materials shall expire immediately upon termination of the Agreement or upon notice of termination from SentiLink. Customer is responsible for its use of Materials and bears sole liability for any such use.
6. Fees and Other Charges.
6.1 Payment. In consideration of SentiLink’s performance of its obligations hereunder, Customer will pay the fees specified in an applicable Order Form (the “Fees”). SentiLink may, in its sole discretion, increase or otherwise modify the Fees at each renewal period, as applicable, while this Agreement is in effect by providing Customer with thirty (30) days prior notice of any such change. If Customer does not agree to the new or changed Fees, Customer may exercise its right not to renew the Agreement for an additional renewal period. SentiLink will invoice Customer for Services on the first of each month. Except as otherwise stated in an Order Form, Customer agrees to pay all Fees on the invoice within thirty (30) days of receipt of the invoice.
6.2 Billing Errors. In the event of over-billing, SentiLink will correct the error by credit to Customer. If Customer was under-billed, SentiLink will add the under-billed amount to a future invoice or issue a new invoice, at its discretion. SentiLink may utilize any amounts owed to Customer under the Agreement to pay or reimburse SentiLink for amounts owed by Customer. In the event an error is not discovered and communicated to the other party within two billing cycles, both parties waive any right to dispute the erroneous bill.
6.3 Taxes. Customer will be responsible for the payment of any and all local, state, federal, or foreign taxes, levies, and duties of any nature, including value-added, sales, use, and withholding taxes directly applicable to Customer (“Taxes”). Customer is responsible for paying all Taxes, excluding only taxes based on SentiLink’s net income.
7. Intellectual Property. Customer is not acquiring a copyright, patent or other intellectual property right in any Service, Deliverable, Specifications or Materials, or in any data, modifications, customizations, enhancements, changes or work product related thereto. “Deliverable” means with respect to each Service all data, files, documents, reports, statements, extracts and other work product created by the Service and delivered to Customer as part of the Services (whether tangible or intangible), and specifically includes any SentiLink Supplied Data. For avoidance of doubt, Deliverables do not include Customer Data or any such Customer Data. Any intellectual property rights that existed prior to the Effective Date of the Agreement shall belong solely to the party owning them at that time. Neither party shall be entitled to any copyright, trademark, trade name, trade secret or patent of the other party. Customer shall not alter, obscure or revise any proprietary, restrictive, trademark or copyright notice included with, affixed to, or displayed in, on or by a Service, Third-Party Service, Deliverable or Specifications.
8. Confidentiality.
8.1 Each party shall treat information received from the other that is designated as “confidential” at or prior to disclosure (“Confidential Information”) as strictly confidential. SentiLink designates all information relating to the Services, Deliverables, Specifications and the terms of the Agreement as its Confidential Information. Customer designates as its Confidential Information Customer Data that is non-public financial information that is personally identifiable to a consumer (referenced in the GLBA as “Non-public Personal Information” or “NPI”) submitted to SentiLink. Each party designates its intellectual property, customer lists, business contacts, business plans, policies, procedures, techniques, know-how, standards, products, source or object code, product or service specifications, manuals, agreements, economic and financial information, marketing plans, data, reports, analyses, compilations, statistics, summaries, studies, and any other tangible or intangible information or any materials based thereon, furnished to the other party as Confidential Information of such disclosing party.
8.2 Each party shall: (i) restrict disclosure of the other party’s Confidential Information to employees, agents and Affiliates solely on a “need to know” basis in accordance with the Agreement; (ii) advise its employees and agents of their confidentiality obligations; (iii) require agents to protect and restrict the use of the other party’s Confidential Information; (iv) use the same degree of care to protect the other party’s Confidential Information as it uses to safeguard its own Confidential Information of similar importance, but in no event less than a reasonable degree of care; (v) establish procedural, physical and electronic safeguards, designed to meet the objectives of the GLBA’s safeguarding regulations, to prevent the compromise or unauthorized disclosure of Confidential Information; and (vi) notify the other party of any unauthorized possession or use of its Confidential Information promptly following confirmation of that unauthorized use or possession. To the extent a party receives NPI from the other, the disclosing party has the right to audit, no more than once a year, during normal business hours and upon 60 days advance written notice, the receiving party’s information security program and systems to the extent such systems maintain NPI.
8.3 Confidential Information shall remain the property of the party from or through whom it was provided. Except for NPI, neither party shall be obligated to preserve the confidentiality of any information that: (i) was previously known; (ii) is a matter of public knowledge; (iii) was or is independently developed; (iv) is released for disclosure with written consent; or (v) is received from a third party to whom it was disclosed without restriction. Disclosure of Confidential Information shall be permitted if it is: (a) required by law; (b) in connection with the tax treatment or tax structure of the Agreement; or (c) in response to a valid order of a U.S. court or other governmental body, provided the owner receives written notice and is afforded a reasonable opportunity to obtain a protective order. Upon termination of a Service and at the request of the disclosing party, the other party shall, except as otherwise set forth herein, destroy the other party’s Confidential Information relating to that Service in a manner designed to preserve its confidentiality, or, at the other party’s written request and expense, return it to the disclosing party; provided that, each party may retain the other party’s Confidential Information, subject to the confidentiality requirements hereof, to the extent required to comply with applicable legal and regulatory requirements or with internal backup policies and procedures.
8.4 Notwithstanding the foregoing and subject always to SentiLink’s obligation to keep all Customer Data confidential in accordance with Section 8.2, Customer hereby authorizes SentiLink to store, analyze and use all Customer Data provided by or on behalf of Customer and/or its customers in connection with the Services, and all information that is derived from such Customer Data, in order to provide and improve SentiLink’s fraud detection and prevention services, to create Depersonalized Information, to incorporate into its proprietary fraud prevention algorithms and models and fraud prevention services, and to disclose or use Depersonalized Information to enhance or improve SentiLink services or products or otherwise in order to prevent fraud, provided that (i) SentiLink cleanses such Customer Data to remove Customer’s name and any NPI and otherwise renders such Customer Data unidentifiable to any person, individual, consumer, or entity and not capable of being back-derived by an expert in the field using industry knowledge and available data-analytic tools and techniques (collectively, the “Depersonalized Information” ), and (ii) the Depersonalized Information is included in a data set comprising both Depersonalized Information derived from Customer Data and the Depersonalized Information derived from other SentiLink Customers (“Aggregate Form”) such that the Depersonalized Information cannot be linked to Customer. SentiLink’s rights with respect to Depersonalized Information or any data incorporated into its Services, including fraud prevention algorithms and models, under this provision shall survive the termination of the Agreement or any Service.
9. Indemnification. Each party (the “Indemnifying Party”) shall indemnify, defend and hold harmless the other party and its officers, employees, directors, agents, affiliates and shareholders (collectively, the “Indemnified Party”), in their individual capacities or otherwise, (i) from and against any and all Claims asserted by a third party (other than an Affiliate of the Indemnifying Party) against Indemnified Party, and (ii) from and against any damages, costs, and expenses of such third party awarded against Indemnified Party by a final court judgment or an agreement settling such Claims in accordance with this Section 9. As used in this Section 9, the term “Claim” means any action, litigation, or claim by a third party that result from, relate to, arise out of, or are incurred in connection with: (i) any damage caused by Indemnifying Party’s gross negligence or willful misconduct in connection with this Agreement; (ii) Indemnifying Party’s misuse of a Service, Materials, Specifications or Deliverables in a manner inconsistent with the Agreement or the Specifications; (iii) a failure to comply with Section 3.4.2; (iv) Indemnifying Party’s use of a service contemplated by this Agreement with computer programs or services not owned, licensed, approved (in writing) or provided by Indemnified Party; (v) Indemnifying Party’s failure to comply with the Laws Applicable To SentiLink or the Laws Applicable To Customer (as appropriate); (vi) any claim of libel, violation of privacy rights, unfair competition or infringement of patents, trademarks, copyrights or other intellectual property caused by Indemnifying Party; or (vi) any claim, action or suit by the Indemnifying Party’s customer. Indemnifying Party’s obligation to indemnify Indemnified Party pursuant to this Section 9 shall not be deemed to limit any claim Customer may have against Indemnified Party for breach of its obligations under the Agreement.
10. Limitation of Liability and Disclaimer of Warranties and Certain Losses.
10.1 Limitation of Liability. Except with respect to a party’s gross negligence, willful misconduct or fraud, or liability subject to the indemnity obligations set forth in Section 9, the total, cumulative liability of SentiLink or Customer under or in connection with this Agreement, whether arising in tort (including negligence), breach of contract, breach of statutory duty or otherwise shall, in all cases and in the aggregate, in respect of any and all claims, not exceed the amounts paid or payable by Customer to SentiLink during the one (1) year period immediately prior to the event giving rise to such liability. Except with respect to a party’s willful misconduct or fraud, or as specifically set out in the previous sentence, neither party shall be liable for any indirect, incidental, consequential, special, delay or punitive damages whatsoever (including damages for loss of business profits or revenue, business interruption, loss of information, or other pecuniary loss), even if the party was advised of the possibility of such damage.
10.2 Disclaimer of Liability for Certain Losses. Under no circumstances shall SentiLink be liable for any losses, claims, demands, penalties, actions, causes of action, suits, obligations, liabilities, damages, delays, costs or expenses, including reasonable attorneys’ fees (collectively, “Losses”) to the extent caused by: (i) Customer; (ii) a third party, other than SentiLink’s Affiliates, authorized agents or subcontractors; (iii) use of attachments, features, or devices not authorized by the Specifications; (iv) abuse, misuse, alteration or use that is inconsistent with the terms of the Agreement or Specifications; (v) software or systems not supplied by SentiLink; (vi) a Force Majeure Event; or (vii) a failure that is not directly attributable to SentiLink or under SentiLink’s direct control. In the event of any error by SentiLink in processing any Customer Data or preparing any report or file hereunder, SentiLink’s sole obligation shall be to correct the error by reprocessing the affected Customer Data or preparing and issuing a new file or report at no additional cost to Customer; provided, however, SentiLink’s obligation herein is contingent upon Customer notifying SentiLink of the error.
11. Disclaimer of Warranties. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS AND CONDITIONS, SENTILINK DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, OR REPRESENTATIONS (EXPRESS OR IMPLIED, ORAL OR WRITTEN) WITH RESPECT TO THE SERVICES, DELIVERABLES, AND MATERIALS PROVIDED UNDER THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS OR SUITABILITY FOR ANY PARTICULAR PURPOSE, OR ERROR-FREE OPERATION (WHETHER OR NOT SENTILINK KNOWS, HAS REASON TO KNOW, HAS BEEN ADVISED, OR IS OTHERWISE IN FACT AWARE OF ANY SUCH PURPOSE), WHETHER ALLEGED TO ARISE BY LAW, BY REASON OF CUSTOM OR USAGE IN THE TRADE, OR BY COURSE OF DEALING. IN ADDITION, SENTILINK DISCLAIMS ANY WARRANTY OR REPRESENTATION TO ANY PERSON OTHER THAN CUSTOMER WITH RESPECT TO THE SERVICES, DELIVERABLES, EQUIPMENT, AND MATERIALS PROVIDED UNDER THIS AGREEMENT. CUSTOMER SHALL HAVE NO LIABILITY FOR ANY CLAIMS, LOSSES, OR DAMAGE CAUSED BY ERRORS OR OMISSIONS IN ANY INFORMATION PROVIDED TO SENTILINK BY CUSTOMER IN CONNECTION WITH THE DELIVERABLES OR SERVICES OR ANY ACTIONS TAKEN BY SENTILINK AT CUSTOMER’S DIRECTION. SENTILINK IS NOT A “CONSUMER REPORTING AGENCY,” AS DEFINED BY THE FCRA AND THE DELIVERABLES AND SERVICES DO NOT CONSTITUTE A “CONSUMER REPORT,” AS DEFINED BY FCRA AND SHALL NOT BE SUBJECT TO THE FCRA REQUIREMENTS RELATING TO DISPUTES, ACCESS, ACCURACY OR OTHERWISE.
12. Use of Names and Trademarks; Publicity. SentiLink may cite Customer as a customer in its sales presentation to prospects. Either party may, with the prior consent of the other (not to be unreasonably withheld, delayed or conditioned): (i) publicly announce the Parties’ relationship hereunder; (ii) issue a press release announcing the Parties’ relationship hereunder; and (iii) prepare a case study on Customer’s use of the Services.
13. Relationship. SentiLink is an independent contractor. Neither SentiLink nor any of its representatives are an employee, partner or joint venturer of Customer. Except as expressly stated in the Agreement, neither party shall be an agent of the other, nor have any authority to represent the other in any matter. Notwithstanding, Customer agrees SentiLink is its limited agent for purposes of obtaining “consumer reports,” as defined by the FCRA, for purposes of providing the Services.
14. Termination and Additional Remedies.
14.1 This Agreement starts on the Effective Date and continues for the period specified in the Order Form (the “Initial Term”). The Agreement will automatically renew for additional successive one (1) year terms unless a party gives written notice of its intention not to renew this Agreement at least thirty (30) days prior to the end of the then-current term (each a “Renewal Term” and with the Initial Term, the “Term”).
14.2 Termination. In addition to any other remedies, either party may terminate the Agreement, a Service if the other party: (i) fails to cure a material breach under this Agreement within thirty (30) days of receiving written notice to do so; (ii) is subject to a dissolution, reorganization, insolvency or bankruptcy action; (iii) suffers the appointment of a receiver, conservator or trustee; (iv) materially violates applicable Law or commits any act related to the Service with the intent to defraud the other party; or (v) discontinues performance under the Agreement because of a binding order of a court or regulatory body. In addition to the termination rights above, SentiLink may terminate a Service, in whole or in part, without penalty, if the Service is not able to be provided on commercially reasonable terms, including where SentiLink’s agreement to use any third-party software or service upon which the Service relies expires or is terminated.
15. Export Restrictions. SentiLink’s Confidential Information is subject to export controls under applicable federal and state laws, rules and regulations. Accordingly, Customer shall: (i) remain in compliance with all requirements associated with such laws (including obtaining any approval necessary for exportation of SentiLink Confidential Information); (ii) cooperate fully with any audit related to such laws; (iii) not utilize SentiLink’s Confidential Information in any country that is embargoed by the U.S. government; and (iv) not provide to SentiLink, as part of its regular business activities, any Personal Data (as such term is defined in the General Protection Regulation (“GDPR”), Regulation (EU) 2016/679), that is subject to GDPR.
16. Miscellaneous.
16.1 Neither party shall assign, subrogate or transfer any interest, obligation or right arising out of the Agreement without prior written consent from the other party; provided however that no consent is necessary in the event of an assignment due to a consolidation, merger, transfer or reorganization of a majority of the assets or stock of a party provided that the assignee agrees in writing to be bound by the Agreement. Subject to the foregoing, the terms of the Agreement shall be binding upon and inure to the benefit of permitted successors and assigns.
16.2 The Agreement shall be governed by the laws of the state of California, without regard to internal principles relating to conflict of laws. Any dispute, difference, controversy or claim arising out of or relating to the Agreement shall be settled by binding arbitration before a single arbitrator in San Francisco, California in accordance with the Commercial Arbitration Rules of the American Arbitration Association. Judgment on any resulting award may be entered into by any court having jurisdiction over the parties or their respective property. The arbitrator shall decide any issues submitted in accordance with the provisions and commercial purposes of the Agreement, and shall not have the power to award damages other than those described in the Agreement. The prevailing party in any dispute arising out of the Agreement shall be entitled to, and the arbitrator shall have jurisdiction to award, the recovery of reasonable attorneys’ fees, costs and expenses.
16.3 All notices must be in writing and delivered via email or overnight delivery to SentiLink at the address set forth below and to Customer at the billing address set forth in the Order Form. A party must provide thirty (30) days prior written notice before changing the address from which it provides or receives Services.
SentiLink Corp
171 2nd St., Fourth Floor
San Francisco, CA 94105
Email: legal.notices@sentilink.com
16.4 SentiLink shall not be liable for any loss, damage or failure due to causes beyond its control, including strikes, riots, earthquakes, epidemics, terrorist actions, wars, fires, floods, weather, power failure, telecommunications outage, acts of God or other failures, interruptions or errors not directly caused by SentiLink (“Force Majeure Event”).
16.5 Each party represents and warrants that it has full legal power and authority to enter into and perform its obligations without any additional consent or approval.
16.6 The Agreement together with any attachments thereto, constitute the entire agreement and understanding of the parties with respect to its subject matter and may only be modified by a written document signed by both parties. All prior agreements, understandings and representations regarding the same or similar services are superseded in their entirety. In the event of a conflict, ambiguity or contradiction in documents, the documents will take precedence over each other in accordance with the following ranking: (i) exhibits and attachments; (ii) Specifications; and (iii) these Terms and Conditions. The parties do not intend, nor shall there be, any third-party beneficiary rights.
16.7 No waiver of any provisions of the Agreement and no consent to any default under the Agreement shall be effective unless in writing and signed by the party against whom such waiver or consent is claimed. Waiver by a party of any default by the other party shall not be deemed a waiver of any other default.
16.8 If any provision(s) of this Agreement, including any attachments and exhibits hereto, is determined to be invalid, illegal, void, or unenforceable by reason of any law, order, judicial decision, or public policy, such provision(s) shall not affect any other provision of the Agreement, and the Agreement shall be interpreted and construed as if the invalid, illegal, void, or unenforceable provision had not been included to the extent necessary to bring the Agreement within the requirements of such law, order, judicial decision, or public policy. This Agreement shall not be construed more strongly against either party, regardless of who is more responsible for its preparation. The headings that appear in these Terms and Conditions are inserted for convenience only and do not limit or extend its scope.
16.9 Termination of the Agreement or a Service shall not impact any right or obligation arising prior to termination, and in any event, the Parties agree that any right or obligation which, by its nature, should survive termination of this Agreement will survive any such termination (including, but not limited to, Sections 8, 9, 10 and 16).
Exhibit A – Product Descriptions
Where Customer subscribes to one or more Service listed below, then:
SentiLink Scoring API
If Customer subscribes to the SentiLink Scoring API, SentiLink will provide access to the SentiLink Scoring API in order for Customer to determine the likelihood that an applicant’s identity is synthetic (i.e., it includes fabricated identity information). Customer’s use of the SentiLink Scoring API in accordance with the Materials will return the following scores (out of 1000 with a higher score indicating a higher probability):
· sentilink_first_party_synthetic_score: the likelihood that the identity is first-party synthetic fraud
· sentilink_third_party_synthetic_score: the likelihood that the identity is third party synthetic fraud
· sentilink_abuse_score: the likelihood that the identity is or is associated with synthetic fraud and/or other related fraud risks
SentiLink Blacklist API
If Customer subscribes to the SentiLink Blacklist API, SentiLink will provide access to the SentiLink Blacklist API in order for Customer to check whether a particular set of identity data has been reported as fraudulent to the SentiLink Blacklist by SentiLink or a SentiLink Blacklist subscriber or Customer. Use of the SentiLink Blacklist API in accordance with the Materials will return ‘matches’, along with a general description of the source of the initial post (such as the type of organization) and any subscriber supplied fraud label. If a Customer is provided access to and use of the SentiLink Blacklist API, Customer agrees it will post fraudulent identities to the blacklist maintained by SentiLink or provide to SentiLink all authorizations and information necessary to post fraudulent identities to the blacklist for other SentiLink customers or subscribers to use.
SentiLink ID Complete API
If Customer subscribes to the SentiLink ID Complete API, SentiLink will provide access to the SentiLink ID Complete API in order for Customer to attempt to resolve provided identity information. Use of the SentiLink ID Complete API in accordance with the Materials will resolve certain missing or incomplete fields (ex. DOBs, SSN4s) and suggest alternative information where applicable (ex. associated SSN with more history, DOB with corrected birth year), derived from a combination of Customer Data and SentiLink Supplied Data, using SentiLink’s proprietary matching logic.
SentiLink ID Fingerprint API
If Customer subscribes to the SentiLink ID Fingerprint API, SentiLink will provide access to the SentiLink ID Fingerprint API service in order for Customer to link devices to known applicants. Use of the SentiLink ID Fingerprint API in accordance with the Materials will allow Customer to identify applicant devices, and consequently, confirm if an applicant is applying from a new or known device.
SentiLink Manifest API
If Customer subscribes to the SentiLink ID Manifest API, SentiLink will provide access to certain records from SentiLink’s database in order to analyze whether an applicant’s identity is legitimate for fraud detection purposes. Use of the SentiLink Manifest API in accordance with the Materials will return information about an identity, and its history, such as former addresses or previous names.
SentiLink Fraud Attributes API
If Customer subscribes to the SentiLink Fraud Attributes API, SentiLink will provide access to certain fraud attributes derived from the application and SentiLink's data, for inputting into the Customer’s business rules or machine learning models. Use of the SentiLink Fraud Attributes API in accordance with the Materials will return numerical values that describe the identity and certain characteristics of abuse, such as the number of identities with the same name and date of birth or the length of the consumer’s history with the supplied SSN.
SentiLink Clustering API
If Customer subscribes to the SentiLink Clustering API, SentiLink will provide access to relationships between the applicant and other linked applications within your organization with overlapping PII attributes such as a shared phone number, email, or SSN.
SentiLink Processing Services
If Customer subscribes to the SentiLink Processing Services, SentiLink will provide access to the SentiLink Processing Services indicated in the Order Form to process government queries on behalf of permitted entities. Use of the SentiLink Processing Services in accordance with the Materials will allow permitted entities to submit government forms (ex. SSA89, 4506T, eCBSV) and receive the appropriate responses through SentiLink.
SentiLink Fraud Investigation Dashboard
If Customer subscribes to the SentiLink Fraud Investigation Dashboard, SentiLink will provide access to the SentiLink Fraud Investigation Dashboard to facilitate Customer analysis of applicant information and SentiLink-licensed associated information for the purpose of determining whether an applicant’s identity is legitimate. Use of the SentiLink Fraud Investigation Dashboard in accordance with the Materials allows Customer to access SentiLink’s proprietary user interface to conduct further analysis of specific applications for fraud detection purposes.
Exhibit B – Flow Down Terms applicable to consent-based social security number (“SSN”) verification (“CBSV Services”)
Where Customer subscribes to SentiLink Processing Services including CBSV Services, then:
WHEREAS, the parties are entering into an Agreement, pursuant to which SentiLink will provide certain products and services as described in more detail herein;
WHEREAS, SentiLink is authorized by the Social Security Administration (“SSA”) to provide consent-based social security number (“SSN”) verification (“CBSV Services”) to its customers; and
WHEREAS, Customer desires to procure CBSV Services from SentiLink.
NOW, THEREFORE, the parties hereby mutually agree as follows:
1. MANDATORY FLOW-DOWN TERMS
In order to provide the CBSV Services, SSA mandates that Customer acknowledge and agree to the following terms, and Customer hereby acknowledges and agrees to such terms:
a. Customer agrees that it shall use the verification only for the purpose stated in the consent form with respect to which such verification was provided, which must be made on Form SSA-89 (Authorization for SSA to Release SSN Verification) (a “Consent Form”), which such purpose shall, if such Consent Form is submitted to SSA by SentiLink, be communicated to Customer, and shall make no further use or re-disclosure of the verification; and
b. Section 1140 of the Social Security Act authorizes SSA to impose civil monetary penalties on any person who uses the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement, solicitation, or other communication, “in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed, or authorized by the Social Security Administration . . .” 42 U.S.C. § 1320b-10(a); and
c. SentiLink and Customer are specifically prohibited from using the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification”; and
d. SentiLink and Customer are specifically prohibited from advertising that SSN verification provides or serves as identity verification; and
e. SSA has the right of access to all SentiLink and Customer books and records associated with the CBSV Services at any time; and
f. Customer shall be subject to the following requirements for safeguarding and reporting the loss of any information about an individual maintained by an entity, including (i) any information that can be used to distinguish or trace an individual’s identity, such as name, SSN, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (collectively, “PII”) as follows:
(a) Customer shall establish, maintain, and follow its own policy and procedures to protect PII, including policies and procedures for reporting lost or compromised, or potentially lost or compromised, PII. Customer shall inform its employees who have been authorized to receive CBSV Services and verifications in connection therewith (“Authorized Recipients”) which handle PII of their individual responsibility to safeguard such information. In addition, Customer shall, within reason, take appropriate and necessary action to: (i) educate Authorized Recipients on the proper procedures designed to protect PII; and (ii) enforce their compliance with the policy and procedures prescribed. Further, Customer and its Authorized Recipients shall properly safeguard PII from loss, theft, or inadvertent disclosure, and each Authorized Recipient is responsible for safeguarding PII at all times, regardless of whether or not the Authorized Recipient is at his or her regular duty station.
(b) When Customer or an Authorized Recipient becomes aware or suspects that PII has been lost, compromised, or potentially compromised, Customer shall, in accordance with its incident reporting process, provide immediate notification of the incident to SentiLink, which will promptly report such incident to its primary SSA contact or, if the primary SSA contact is not readily available, one of two SSA alternates, if names of alternates have been provided.
(c) Customer shall provide SentiLink with updates on the status of the reported PII loss or compromise as they become available but shall not delay the initial report, and will assist SentiLink in providing such updates to the primary SSA contact or alternates, as applicable.
(d) Customer shall provide complete and accurate information about the details of the PII loss to assist SentiLink and SSA, including the following information:
(i) Contact information;
(ii) A description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss;
(iii) A description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.);
(iv) Name of SSA employee contacted (where directed to do so by SentiLink);
(v) Whether Customer or the Authorized Recipient has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.);
(vi) Whether Customer or the Authorized Recipient has filed any other reports (i.e., Federal Protected Service, local police, and SSA reports; and
(vii) Any other pertinent information.
g. In addition, Customer shall follow any and all policies and procedures with respect to the safeguarding and reporting of loss of PII that are prescribed by SentiLink from time to time.
2. ACKNOWLEDGMENT
Customer acknowledges and agrees that SentiLink did not: (a) use the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification”; or (b) advertise to Customer that SSN verification provides or serves as identity verification.
3. INDEMNIFICATION
Notwithstanding any other provision of the Agreement or this Exhibit, Customer will indemnify and hold SentiLink and SSA, and its and their respective affiliates, employees, contractors and other representatives, and successors and assigns harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from: (a) any acts or omissions of Customer, including but not limited to the disclosure or use of information by Customer (or SentiLink at Customer’s request or direction); (b) any errors in information provided by Customer in connection with this Exhibit; and/or (c) Customer’s receipt of the CBSV Services.
Exhibit C – Flow Down Terms applicable to Income Verification Express Services (“IVES Services”)
Where Customer subscribes to SentiLink Processing Services including IVES Services, then:
WHEREAS, the parties are entering into this Agreement, pursuant to which SentiLink will, at the request of Customer and subject to the terms hereof, obtain from the Internal Revenue Service (the “IRS”) certain information regarding the income of a prospective borrower of Customer’s (the “Borrower”) in order for Customer to verify the Borrower’s income (the “IVES Services”).
WHEREAS, Customer desires to procure the IVES Services from SentiLink.
NOW, THEREFORE, the parties hereby mutually agree as follows:
1. Conditions to Using the IVES Services
Prior to Customer using the IVES Services, Customer must first submit to SentiLink the following information related to the Customer’s representative enrolling in or otherwise accessing the IVES Services, such person being authorized to legally bind the Customer: (a) the name of such person; and (b) the last four digits of the Social Security Number of such person (collectively, the “Representative’s Information”). Customer must also submit to SentiLink Customer’s Employer Identification Number, Customer’s name, and Customer’s physical address (collectively, the “Customer’s information”). Prior to any use of the IVES Services, Customer must provide to SentiLink a list of all Customer’s authorized users that Customer authorizes to access the IVES Services or to otherwise access information provided by the IRS in connection with the IVES Services (such authorized users, the “Users”). Customer shall provide to SentiLink the name and information of any User subsequently granted access to IVES Services prior to any such access being granted to IVES Services. Customer shall authenticate the identities of all Users, and obtain from each User, the User’s name, date of birth, address, Social Security Number, email address and phone number. Customer shall immediately notify SentiLink if there is a change to any User information, including if a User’s access to the IVES Services is terminated, and shall restrict such User’s access to IVES Services.
Customer represents and warrants that: (i) all Representative’s Information is true, accurate and complete; (ii) all Customer’s Information is and will remain true, accurate, and complete; (iii) only Users who have been disclosed to SentiLink and are known to Customer shall have access the IVES Services or to otherwise access information provided by the IRS in connection with the IVES Services; (iv) Customer and its Users have a legitimate purpose for using IVES Services and for accessing or otherwise obtaining access information provided by the IRS in connection with the IVES Services, such legitimate purpose not to include any Prohibited Activities; and (v) Customer has procedures and policies in place to validate the identities of all individuals authorized to submit and retrieve information regarding Borrower’s income from the IRS in compliance with IRS regulations and the terms hereof. The representation and warranty in Section 1(i) - (v) are made continuously throughout the term of this Exhibit and are re-certified each time Customer utilizes the IVES Services or access information collected or stored in connection with the IVES Services.
2. Borrower Consent
Customer must obtain from each Borrower an executed copy of Form 4506-T, as amended or replaced by the IRS, and shall ensure each Borrower has provided consent for SentiLink and Customer to obtain such Borrower’s tax return transcript from the IRS.
3. Prohibited Use and Compliance with Law
Customer or its Users may not use the IVES Services or any information provided by the IRS in connection with the IVES Services for any purpose other than verifying the income of the Borrower, including using the IVES Services or any such information, in whole or in part, as a factor in determining eligibility for credit, insurance, or employment or for any other purpose contemplated by the Fair Credit Reporting Act (“FCRA”) (collectively, “Prohibited Use”). Customer certifies its use of the IVES Services is solely for uses permitted by Title V of the Gramm-Leach Bliley Act (Pub. L. 102-106) (the "Gramm-Leach-Bliley Act"), and to protect against or prevent actual fraud, unauthorized transactions, claims or other liability.
Customer shall, and shall cause each User, to comply with all applicable laws related to the use of the IVES Services and the information provided by the IRS in connection with the IVES Services, including any rules, guidance or guidelines provided by the IRS (e.g., IRS Publication 4557 and IRS Memorandum to Participants of the IRS Income Verification Express Service). Customer acknowledges it has read, understandings and agrees to comply with all terms set forth in the IRS Memorandum to Participants of the IRS Income Verification Express Service, including those terms applicable to a participant.
4. Delivery of Information and Access Controls
Delivery. All information provided by the IRS in connection with the IVES Services transferred between Customer and SentiLink shall be transferred using a secure method acceptable to both party’s information security group. SentiLink reserves the right to use any commercially reasonable means to encrypt the information provided by the IRS in connection with the IVES Services and to deliver such information in such encrypted form to Customer, in which case SentiLink shall provide Customer all necessary keys to decrypt such information.
Access Controls. Customer shall ensure only Users have access to IVES Services and any information collected or stored in connection with the IVES Services. Customer shall have, maintain, and adhere to a documented logical access control policy (“Access Control Policy”) that details: (a) the request, approval, and access provisioning process for Users seeking access to the IVES Services, (b) User access privileges (local or remote) based on job function (role/profile based, least privilege), (c) periodic recertification requirements for User access, (d) the requirements for on-boarding and off-boarding Users, (e) authentication methods (which shall be appropriately robust for the sensitivity of the data, application, or platform), and (f) the User inactivity threshold leading to account suspension and removal.
Customer shall have, maintain, and adhere to documented policies and procedures for the management of privileged user accounts that: (a) limits the creation of, and access to, privileged accounts to a pre-authorized set of Users; (b) requires the governance and review process to be maintained; and (c) controls the usage of privileged accounts through strong access control mechanisms. Customer shall not utilize National Identifiers, email addresses or Social Security Numbers, as User IDs for logon credentials to its applications. The access rights of all Users with access to information processing system(s) or media containing information collected or obtained in connection with the IVES Services will be removed immediately upon termination of their employment contract or agreement, or adjusted upon change of job function. Customer shall have, maintain and adhere to a documented password policy. Such policy shall require: (a) passwords must not be shared, (b) passwords must be communicated separately from the User ID, (c) the initial password generated is random, (d) a forced initial password change, (e) a minimum password length (not to be less than eight digits), (f) a minimum password complexity (to require at least one uppercase character, lowercase character, digit and special character), (g) limitations on password reuse, (h) password prompts shall lock when the threshold for allowable attempts is reached (not to be greater than three failed attempts in a 120-minute period), (i) a secure process for password resets, (j) passwords shall be saved only as one-way hash/encrypted files, (k) access to password files shall be restricted to system administrators, and (l) service account credentials shall not be stored in clear text in any application.
5. Security Controls and Security Breach
Customer shall be subject to the following requirements for safeguarding and reporting the loss of any information obtained in connection with the IVES Services, including (i) any information that can be used to distinguish or trace an individual’s identity, such as name, SSN, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such financial, and employment information (collectively, “PII”) as follows:
(a) Customer shall establish, maintain, and follow its own policies and procedures to protect PII, including policies and procedures for reporting lost or compromised, or potentially lost or compromised, PII, such policies and procedures to comply with Gramm-Leach-Bliley Act. Customer shall inform Users which handle PII of their individual responsibility to safeguard such information. In addition, Customer shall, within reason, take appropriate and necessary action to: (i) educate Users on the proper procedures designed to protect PII; (ii) install on all systems maintaining PII anti-virus and anti-malware tools and services; and (iii) enforce compliance with any policy and procedures Customer may have related to safeguarding non-public personal information, as defined by Gramm-Leach-Bliley Act. Further, Customer and its Users shall properly safeguard PII from loss, theft, or inadvertent disclosure in accordance with applicable law, including IRS Publication 4557 and Gramm-Leach-Bliley Act, and each Users is responsible for safeguarding PII at all times, regardless of whether or not the User is at his or her regular duty station.
(b) When Customer or a User becomes aware or suspects that PII has been lost, compromised, or potentially compromised (a “Security Breach”), Customer shall provide immediate notification of the incident to SentiLink. For the avoidance of doubt, a Security Breach shall include access of PII by any person who is not a User or access by any person, including a User, that is not for a legitimate purpose, as set forth herein.
(c) Customer shall provide SentiLink with updates on the status of the reported Security Breach as they become available but shall not delay the initial report.
(d) Customer shall provide complete and accurate information about the details of the Security Breach to assist SentiLink, including the following information: (i) contact information; (ii) a description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss; (iii) a description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.); (iv) whether Customer or a User has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.); (iv) whether Customer or a User has filed any other reports (i.e., Federal Protected Service, local police, and IRS reports; and (v) any other pertinent information.
6. Retention Requirements and Registration
Retention Requirements. Customer shall maintain for a period of five (5) years copies of all information identified in Section 7 and all information provided to SentiLink pursuant to Section 1. Customer shall provide such information to SentiLink upon request. Customer understands SentiLink is independently required to maintain records of all requests by Customer for IVES Services and all information related to Customer and Users, and Customer may disclose such information to any government regulator. Customer understands SentiLink’s obligations to maintain records does not relieve Customer of its obligations under this Section 6.
Re-Registration. In the event Customer or its Users do not use the IVES Services for a consecutive sixty (60) day period, SentiLink may require Customer to resubmit all information required by the IRS or otherwise required by SentiLink to re-enroll Customer in the IVES Services.
7. Audit Rights
Upon request of the IRS (or SentiLink at the request of the IRS) or any authorized third-party auditor, Customer agrees to provide documentation that includes: (a) evidence of verification of the identity of each User; (b) the name of the representative that verified each User; (c) documentation of the methods used to conduct verification; (d) proof of Borrower authorization to retrieve information from the IRS using the IVES Services; (e) list of authorized Users submitting and retrieving IRS transcripts; (f) evidence of security controls implement; and (f) any other information requested by the IRS or its authorized third-party auditor.
8. Indemnification
Notwithstanding any other provision of the Agreement or this Exhibit, Customer will indemnify and hold SentiLink and its affiliates, employees, contractors and other representatives, and successors and assigns harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from: (a) any acts or omissions of Customer, including but not limited to the disclosure or use of information by Customer (or SentiLink at Customer’s request or direction); (b) any errors in information provided by Customer in connection with this Exhibit; (c) any violation of the terms of this Exhibit, the Agreement or applicable law; (d) any Security Breach; (d) Customer’s failure to obtain Borrower’s consent to access records from the IRS; and/or (e) Customer’s receipt of the IVES Services.
Exhibit D – Flow Down Terms applicable to electronic consent-based social security number (“SSN”) verification (“eCBSV Services”)
1. DEFINITIONS
Client or SSN holder – Individual who authorizes SSA to verify his or her SSN to the Customer by providing Written Consent.
Customer Certification – Certification provided to SSA at least every 2 years by the Customer as required by the Banking Bill in accordance with the requirements under Section 2.a of this Exhibit and in Attachment B.
eCBSV Services – The services offered by the SSA as defined by the Banking Bill which allows permitted entities to verify if an individual’s SSN, name, and date of birth combination matches Social Security records.
Electronic Signature – An electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record, as defined in section 106 of the Electronic Signatures in Global and National Commerce (E-SIGN) Act (15 U.S.C. § 7006), and otherwise in compliance with the Banking Bill and this Exhibit.
Financial Institution – Has the meaning given the term in section 509 of the Gramm-Leach- Bliley Act (GLBA).
Fraud Protection Data – As defined by the Banking Bill, a combination of the SSN holder’s name (including the first name and any family forename or surname of the individual), SSN, and date of birth including the month, day, and year.
SSN Verification –The response disclosed to the Customer after conducting a verification of the SSN holder’s Fraud Protection Data.
Supporting Documentation – All records or information necessary for SentiLink or the SSA to conduct audits as required herein, and includes (without limitation) all completed and signed Written Consents, evidence documenting the specific purpose for each Written Consent, if not referenced within the individual Written Consent, SSN Verifications, and any audit logs or audit trails required to be kept hereunder. Supporting Documentation must be maintained in an accessible electronic format, when available. If not available, paper documentation will suffice.
Written Consent – Written Consent, including electronic, by which the SSN holder gives SSA permission to disclose SSN Verification results to SentiLink and the Customer in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b). The Written Consent must meet SSA’s requirements in Section 4 of this Exhibit and SSA’s regulations. The Written Consent must clearly specify to whom the information may be disclosed, that the SSN holder wants SSA to disclose the SSN Verification, and, where applicable, during which timeframe the SSN Verification may be disclosed (see 20 CFR Part 401.100).
2. MANDATORY FLOW-DOWN TERMS
In order to provide the eCBSV Services, the SSA mandates that Customer acknowledge and agree to the following terms, and Customer hereby acknowledges and agrees to such terms:
a. Customer must provide a (i) EIN verification form; and (ii) Permitted Entity Certification to SentiLink in the form attached as Appendix 1; before being able to access the SSN Verification Services, and thereafter on every second anniversary of this Exhibit;
b. Customer must submit SSN Verification requests only: (1) pursuant to the Written Consent (obtained in accordance with Section 4 of this Exhibit) received from the SSN holder; and (2) in connection with a credit transaction or any circumstance described in section 604 of the Fair Credit Reporting Act (15 U.S.C. § 1681b);
c. Customer must not alter the Written Consent in any way either before or after the SSN holder signs the Written Consent. For the avoidance of doubt, fax date/time stamps, barcodes, quick response codes or tracking/loan numbers added to the margin of a form do not constitute an alteration;
d. Customer must submit the Written Consent within the time specified on the Written Consent, or if none, within 90 calendar days from the date the SSN holder signs the Written Consent;
e. Customer must maintain an audit trail to track its eCBSV activities in accordance with the requirements of this Exhibit;
f. Customer must inform all of its employees with access to the SSN Verification or Written Consent of the confidential nature of the SSN Verification and Written Consent and the administrative, technical, and physical safeguards required to protect the SSN Verification and Written Consent from improper disclosure. Customer must store all information received hereunder in an area that is physically safe (i.e., password protected hard drive, USB drive or disk) from unauthorized access at all times;
g. Customer must not reuse the SSN Verification; provided that Customer may mark the SSN Holder’s identity as “verified” or “unverified”;
h. Customer must process all SSN Verifications or Written Consents in a manner that will protect the confidentiality of the records; track the dissemination of the records; prevent the unauthorized use of SSN Verifications and Written Consents; and prevent access to the records by unauthorized persons;
i. Customer agrees that it shall use the verification only for the purpose stated in the consent form with respect to which such verification was provided, which must be made on Form SSA-89 (Authorization for SSA to Release SSN Verification) (a “Consent Form”), which such purpose shall, if such Consent Form is submitted to SSA by SentiLink, be communicated to Customer, and shall make no further use or re-disclosure of the verification;
j. Report any SNN Holder complaint to the nearest SSA field office; and
k. Customer must properly safeguard SSN Verifications and Written Consents to which it has access from loss, theft, or inadvertent disclosure.
3. CONSENT
In order to obtain a valid Written Consent, that Customer must meet SSA’s requirements as set forth in this Section. A valid Written Consent includes one of the three following forms of consent:
a. SSA-89 (standardized consent form titled Authorization for SSA to Release SSN Verification), with the SSN holder’s wet signature; or
b. SSA-89, in a “pdf fillable” form, signed electronically by the SSN holder, with an Electronic Signature that meets the requirements set forth in Section 8 below; or
c. An electronic form of consent that incorporates one of the two options provided in Attachment B, into the Customer' existing electronic business process, with the title of the Written Consent in “bold” font followed directly by the SSA-provided language.
4. RETENTION
a. Customer must retain the Supporting Documentation for a period of five (5) years from the date of the SSN Verification request, either electronically or in paper form, and must make the Written Consent and all other Supporting Documentation available to SentiLink and the SSA upon request. For the avoidance of doubt, the Written Consent and the information therein, as well as the associated record of SSN Verification must be perpetually treated as Confidential Information.
b. If Customer retains the Written Consent in paper format, it must store the Written Consent in a manner that meets all regulatory requirements. If Customer retains the Written Consent electronically, it must retain the Written Consents in a downloadable manner that accounts for integrity and intent of the Written Consents and: (1) password protect any electronic files used for storage; (2) restrict access to the files to the only necessary personnel; and (3) put in place and follow adequate disaster recovery procedures. SSN Verifications must also be protected in this manner. When storing a Written Consent electronically, Customer must destroy any original Written Consent in paper form.
c. When the Written Consent includes reference to
i. a static or general purpose (see Attachment B, Option 1), the Customer must:
1. Maintain evidence that documents the specific purpose of the SSN Verification request, in a way that clearly links the specific purpose of the transaction to the relevant Written Consent, for a period of five years from the date of the SSN Verification request that preserves the accuracy and integrity of the records, and that is accessible to Sentilink, SSA and SSA’s auditors.
ii. a specific purpose (see Attachment B, Option 2), maintain evidence of the relevant Written Consent, for a period of five years from the date of the SSN Verification request.
5. ONSITE AND OTHER REVIEWS
Customer acknowledges and agrees that
a. SSA may make onsite inspections of its site, including a systems review limited to eCBSV-related systems, to ensure that it is in compliance with this Exhibit, and to assess overall system security.
b. SSA may make periodic, random reviews of the Written Consents to confirm that the SSN holder properly completed the Written Consent.
6. REQUESTS REQUIRING APPROVAL
a. Customer must not submit an SSN Verification request with respect to a minor or legally incompetent individual without the prior written consent of, and subject to any conditions identified by, SentiLink.
7. ELECTRONIC SIGNATURE REQUIREMENTS
A valid electronic Written Consent must be executed in accordance with the requirements as set forth in this Section:
a. The Electronic Signature must be consistent with section 106 of the E-SIGN Act (15 U.S.C. § 7006); provided that the Customer is not required to use any specific technology to obtain the Electronic Signature.
b. It must be clear to the SSN Holder, either in the Written Consent or elsewhere in the signing process, that he or she is signing SSA’s Written Consent. Examples of intent to sign methods deemed appropriate include, but are not limited to:
i. Clicking a clearly labeled “Accept” button (e.g., “By [clicking the [SIGN/ I AGREE/I ACCEPT] button], you are signing the consent for SSA to disclose your SSN Verification to [Permitted Entity and/or Financial Institution]. You agree that your electronic signature has the same legal meaning, validity, and effect as your handwritten signature.”); or
ii. Allowing the signer to opt out of electronically signing the record by providing an option to decline).
c. The Electronic Signature must be attached to or logically associated with the Written Consent being signed, and where applicable, have the capability for an accurate and unaltered version to be retained by the parties involved. Examples of acceptable forms of associating the electronic signature to the record include, but are not limited to:
i. a process that permanently appends the signature data to the consent being signed; or
ii. a database-type link between the signature data and the consent.
d. Customer must ensure there is a means to preserve the integrity of the electronic signature by retaining and implementing safeguards to prevent it from being modified or altered in accordance with the requirements set forth in this Exhibit.
e. There must be a means to retrieve and reproduce legible, accurate, and readable hard or electronic copies of the Written Consent reflecting all Electronic Signature requirements in this section for auditing and monitoring purposes under the Banking Bill and the Privacy Act of 1974, as amended.
8. PROTECTING AND REPORTING THE LOSS OF SSN VERIFICATIONS OR WRITTEN CONSENTS
Customer must comply with following requirements for safeguarding and reporting the loss of any information about an individual maintained by an entity, including (i) any information that can be used to distinguish or trace an individual’s identity, such as name, SSN, date and place of birth, mother’s maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (collectively, “PII”) as follows:
a. Customer shall establish, maintain, and follow its own policy and procedures to protect PII, including policies and procedures for reporting lost or compromised, or potentially lost or compromised, PII. Customer shall inform its employees who have been authorized to receive CBSV Services and verifications in connection therewith (“Authorized Recipients”) which handle PII of their individual responsibility to safeguard such information. In addition, Customer shall, within reason, take appropriate and necessary action to: (i) educate Authorized Recipients on the proper procedures designed to protect PII; and (ii) enforce their compliance with the policy and procedures prescribed. Further, Customer and its Authorized Recipients shall properly safeguard PII from loss, theft, or inadvertent disclosure, and each Authorized Recipient is responsible for safeguarding PII at all times, regardless of whether or not the Authorized Recipient is at his or her regular duty station.
b. In addition, Customer shall follow any and all policies and procedures with respect to the safeguarding and reporting of loss of PII that are reasonably prescribed by SentiLink from time to time.
c. When Customer or an Authorized Recipient becomes aware or suspects that PII has been lost, compromised, or potentially compromised, Customer shall, in accordance with its incident reporting process, provide immediate notification of the incident to SentiLink and hereby authorizes SentiLink to report the same information to SSA.
d. Customer shall provide SentiLink with updates on the status of the reported PII loss or compromise as they become available but shall not delay the initial report, and will assist SentiLink in providing such updates to the SSA.
e. Customer shall provide complete and accurate information about the details of the PII loss to assist SentiLink and SSA, including the following information:
i. Contact information;
ii. A description of the loss, compromise, or potential compromise (i.e., nature of loss/compromise/potential compromise, scope, number of files or records, type of equipment or media, etc.) including the approximate time and location of the loss;
iii. A description of safeguards used, where applicable (e.g., locked briefcase, redacted personal information, password protection, encryption, etc.);
iv. Whether Customer or the Authorized Recipient has contacted or been contacted by any external organizations (i.e., other agencies, law enforcement, press, etc.);
v. Whether Customer or the Authorized Recipient has filed any other reports (i.e., Federal Protected Service, local police, and SSA reports; and
vi. Any other pertinent information.
9. TERMINATION OR SUSPENSION
SentiLink may suspend or terminate the eCBSV Service immediately by written notice upon determining, in its reasonable discretion that:
a. Customer has failed to comply with its responsibilities under this Exhibit or the Banking Bill.
b. This Exhibit or the eCBSV service is prohibited by any applicable law or regulation, at which point this user agreement will be null and void as of the effective date specified in such law or regulation;
c. There has been a change to the SSA’s statutory requirements.
Notwithstanding the foregoing, all provisions in this Exhibit relating to data security and safeguards shall remain in effect for as long as Customer retains such information. Customer specifically waives any right to judicial review of SSA’s decision to cancel, suspend or terminate the provision of eCBSV services to SentiLink or Customer.
10. AUDIT REQUIREMENTS
Customer agrees that it will be subject to mandatory audits conducted by SSA at SSA’s discretion at any time, in accordance with the following:
a. The SSA or an SSA-appointed CPA firm will perform the audit to ensure that all SSN Verification requests are in compliance with this user agreement and the Banking Bill.
b. The Customer must produce supporting documentation upon request for purposes of the audit promptly and in any event within five (5) business days of any request.
c. If the results of the audit indicate that Customer has not complied with any term of this Exhibit or the Banking Bill, SSA, in addition to referring the matter to the appropriate regulatory enforcement agency in accordance with the Banking Bill, may:
i. Perform additional onsite inspections, audits, or compliance reviews;
ii. In accordance with federal law, refer the report to its Office of the Inspector General for appropriate action, including referral to the Department of Justice for criminal prosecution;
iii. Suspend eCBSV services;
iv. Terminate Customer’s access to the eCBSV Service; and/or,
v. Take any other action SSA deems appropriate.
Customer also agrees that SentiLink may audit its compliance with this Agreement upon ten (10) business days notice but no more than once in any twelve month period.
11. UNILATERAL AMENDMENTS
This Exhibit may be unilaterally amended at any time to implement the following:
a. Minor administrative changes requested by the SSA, such as changes to SSA contact information; or
b. Procedural changes requested by the SSA, such as method of transmitting requests and results and limits on the number of SSN Verification requests.
SentiLink will notify the Customer promptly of any unilateral amendments under this section.
12. DISCLAIMERS
a. Neither SentiLink nor SSA is responsible for any financial or other loss incurred by the Customer, whether directly or indirectly, through the use of any data provided pursuant hereunder. Neither SentiLink nor SSA is responsible for reimbursing the Customer for any costs the Customer incurs hereunder.
b. Neither SentiLink nor SSA is liable for any damages or loss resulting from errors in information provided to the Customer under this Exhibit. Furthermore, neither SentiLink nor SSA is liable for damages or loss resulting from the destruction of any materials or data provided by Customer. All information furnished to the Customer will be subject to the limitations and qualifications, if any, transmitted with such information. If, because of any such error, loss, or destruction attributable to SSA, SSA must re-perform the services under this user agreement.
c. If for any reason SSA delays or fails to provide the services, or discontinues all or any part of the services, neither SentiLink nor SSA are liable for any damages or loss resulting from such delay, failure, or discontinuance.
13. NOTIFICATIONS AND ACKNOWLEDGMENT
Customer acknowledges and agrees that
a. SSA’s SSN Verification does not provide proof or confirmation of identity. eCBSV is designed to provide a permitted entity with only a “yes” or “no” verification of whether the SSN verified with SSA’s records. If SSA’s records show that the SSN holder is deceased, eCBSV returns a death indicator. SSN Verifications do not verify an individual's identity. eCBSV does not verify employment eligibility, nor does it interface with the Department of Homeland Security’s (DHS) verification system, and it will not satisfy DHS’s I-9 requirements. The Permitted Entity and Financial Institution(s) is services, if any, acknowledges that SSA’s SSN Verification verifies that the Fraud Protection Data provided by the Permitted Entity matches or does not match the data in SSA records. SSA’s SSN Verification does not authenticate the identity of the SSN holder or conclusively prove that the SSN holder is who he or she claims to be.
b. It is a Financial Institution as defined herein.
c. SSA may change its method of receiving SSN Verification requests and providing SSN Verification results to the Permitted Entity at any time; however, SSA will provide as much notice as is possible.
d. Customer must submit requests for SSN Verifications either in one or more individual requests electronically for real-time machine to machine or similar functionality for accurate electronic responses within a reasonable period of time from submission, or in batch format for accurate electronic responses within 24 hours. All SSN Verification requests must conform to the Banking Bill and specify the full name (including first name and any family or forename or surname), date of birth (including the month, day, and year), and SSN of each SSN holder whose SSN the Customer seeks to verify.
e. SentiLink did not: (a) use the words “Social Security” or other program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification”; or (b) advertise to Customer that SSN verification provides or serves as identity verification.
f. SSA will ensure the eCBSV system has commercially reasonable uptime and availability.
g. Section 1140 of the Social Security Act authorizes SSA to impose civil monetary penalties on any person who uses the words “Social Security” or other program- related words, acronyms, emblems, and symbols in connection with an advertisement, solicitation, or other communication, “in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed, or authorized by the Social Security Administration . . . .” 42 U.S.C. § 1320b-10(a).
14. CONSTRAINTS ON ADVERTISING AND MARKETING
a. Customer must not use the words “Social Security” or other eCBSV program-related words, acronyms, emblems, and symbols in connection with an advertisement for “identity verification.”
b. Customer must not advertise that an SSN Verification provides or serves as identity verification.
c. Customer must not advertise that eCBSV will eliminate synthetic identity fraud or any type of fraud.
d. Customer must not advertise in any way that it maintains a repository of data verified by SSA, including advertising to prospective or current clients, consumers, or otherwise to the public.
e. Customer must not represent that any verifications it provides based on its own marked records are SSA-verified data or SSN Verifications.
f. Customer must represent that such verifications are verifications from its own records and information, and it bears full responsibility for the accuracy of its verification representations. This requirement survives expiration or termination of this Exhibit and the Agreement.
g. The SSA reserves the right to conduct on-site visits to review the Customer’s documentation and in-house procedures for protection of and security arrangements for the SSN Verification and Written Consent and adherence to terms of this Exhibit.
15. INDEMNITY
Notwithstanding any other provision of this user agreement, the Customer will indemnify and hold SentiLink and the SSA harmless from all claims, actions, causes of action, suits, debts, dues, controversies, restitutions, damages, losses, costs, fees, judgments, and any other liabilities caused by, arising out of, associated with, or resulting directly or indirectly from, any acts or omissions of the Customers, including but not limited to the disclosure or use of information by the Customer, or any errors in information provided to SentiLink hereunder.
Attachment A - Certification Statement {INSERT CUSTOMER’S NAME}
Exhibit A - Certification Statement {INSERT PERMITTED ENTITY’s NAME}
CERTIFICATION STATEMENT FOR
PERMITTED ENTITIES USING THE SSN VERIFICATION PROCESS
(Signature required biennially)
Name and address of Permitted Entity:
______________________________________________________________________ ______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
The following certification must be completed prior to SSA authorizing use of the eCBSV system.
I, ________________________on behalf of the company listed above, certify that this entity attests to each of the following four (4) declarations:
1. The entity is a Permitted Entity.
2. The entity is in compliance with the Banking Bill.
3. The entity is, and will remain, in compliance with its privacy and data security requirements, as described in title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.), with respect to information the entity receives from the Commissioner pursuant to the Banking Bill.
4. The entity will retain sufficient records to demonstrate its compliance with its certification and the Banking Bill for a period of not less than two (2) years.
The permitted entity will provide this Certification to SSA, and not submit any SSN Verification request to SSA if the Certification is older than two (2) years old or the permitted entity cannot attest to any one of the four (4) declarations.
The signatory, if electronically signing this document, agrees that his/her electronic signature has the same legal validity and effect as his/her handwritten signature on the document, and that it has the same meaning as his/her handwritten signature.
[Please clearly print or type your designated company official’s name, title, and phone number and have him/her provide an electronic or wet signature and date below.]
Company Official Name___________________________________________________
Company Official Title ___________________________________________________
Company Official Phone Number____________________________________________
Signature__________________________________________Date_________________
Attachment B – SSA Written Consent Template
Option 1: Static Purpose:
Authorization for the Social Security Administration to Disclose Your Social Security Number Verification
I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of this transaction whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].
Option 2: Dynamic Purpose:
Authorization for the Social Security Administration to Disclose Your Social Security Number Verification
I authorize the Social Security Administration (SSA) to verify and disclose to [Name of Financial Institution] through [Name of Service Provider, (if one), their service provider] for the purpose of [insert specific purpose] whether the name, Social Security Number (SSN) and date of birth I have submitted matches information in SSA records. My consent is for a one-time validation within the next [number of days].
