Version 1.1 - Effective March 8, 2023

‍

These General Terms and Conditions (“Agreement”) set forth the relationship between Prove Identity, Inc., a Delaware corporation with its principal offices at 245 Fifth Avenue, 20th Floor, New York, NY 10016 ("Prove”) and the individual party listed on the Portal account that is acknowledging this Agreement ("Developer") on behalf of its employer and/or another bonafide legal entity listed on the Portal account (“Client”).

By accepting this Agreement or accessing Prove’s Portal and/or Solutions, Developer certifies that it has all necessary rights to agree to the terms of this Agreement, including on behalf of Client. Furthermore, Developer represents and warrants that: (i) it has full legal authority to select a Plan and bind Client to the terms of this Agreement; (ii) Developer has read and understands the legal requirements and restrictions outlined in this Agreement; and (iii) Developer agrees to the terms of this Agreement on behalf of Client. 

If Developer does not have the legal authority to bind Client to the terms of this Agreement, Developer shall not accept this Agreement or access the features covered by this Agreement.

This Agreement is effective as of the date of Developer’s acknowledgement and, as of that date, Client is considered a party of this Agreement. Prove may update or change the terms of this Agreement at any time at our discretion. If Prove makes any changes deemed to be material in its sole discretion, we will make a reasonable effort to inform you of such change. If you object to a change, your exclusive remedy is to cease any and all access and use of the Portal and Solutions.

1. DEFINITIONS

“Affiliate” means for any entity, any other entity that, directly or indirectly, Controls, is Controlled by or is under common Control with such entity. 

"Confidential Information" means any confidential and/or proprietary information or data, in any form, format or media, disclosed by, or accessed or obtained from Disclosing Party (and any notes, summaries, memoranda or other derivatives prepared by the Receiving Party to the extent that they reflect or reveal such confidential and/or proprietary information or data, whether or not such confidential and/or proprietary information or data is marked as “confidential,” including, without limitation, (i) information or data that concerns the management, business affairs, relationships, operations, business plans, strategies, forecasts, projects, analyses, pricing, marketing, sales or financials of the Disclosing Party or its customers or vendors; (ii) information or data that concerns the Disclosing Party’s products, services, developments, product concepts, technical and/or platform interfaces, or software (including source and object code); (iii) information or data that concerns the Disclosing Party’s methodologies, techniques, designs, drawings, processes procedures, inventions, know-how, pending patents, or Trade Secrets; (iv) any Response Data or Personal Information obtained by either party as a result of this Agreement; (iv) any information or data the Disclosing Party may designate as being confidential, either orally or in writing; (v) any other information or data which, in the normal course of business, would be considered of a confidential nature; and (vi) any copies of the foregoing.

“Control” means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, whether through the ownership of voting securities (or other ownership interest), by contract or otherwise.

“Documentation” means the online help files and all other documentation and materials including SDKs (in any format or medium) relating to use of the Solutions and made available by Prove and all modifications to such files, documents or materials as may be updated from time to time.

“Intellectual Property Rights” means any and all intellectual property rights and proprietary rights throughout the world and protected under any applicable laws, rules and regulations, whether existing under intellectual property, unfair competition or trade secret laws, or under statute or at common law or equity, including but not limited to: (a) copyrights, trade secrets, trademarks, service marks, trade names, patents, inventions, invention disclosures, know-how, proprietary data and databases, methods, techniques, works of authorship, computer software, systems, change documentation, interfaces, Marks, designs, logos and trade dress, “moral rights,” mask works, rights of personality, publicity or privacy, and any other intellectual property and proprietary rights; and (b) any registration, application or right to apply for any of the rights referred to in this clause, including, any pending registrations or applications; and (c) any and all renewals, extensions and restorations thereof, now or hereafter in force and effect.  Furthermore, if alternatively reasonable approaches and/or modifications to methodologies, techniques, design details, drawings, processes and procedures, inventions, know-how, pending patents, information disclosures, and/or other intellectual and/or proprietary property is/are reasonably likely to occur to one of ordinary skill in the relevant art, Intellectual Property Rights includes all those alternatively reasonable approaches and/or modifications unless otherwise expressly indicated.

“Marks” means all trademarks, service marks, trade names and logos and other proprietary designations identifying Prove and its products or services.

“Network” means the servers and other equipment on which Prove hosts Solutions.

“Personnel” means a party’s employees and contractors, and a party’s vendor’s employees and contractors.

“Plan” means the pay-as-you-go per Transaction model for the Solutions published on the Portal.

“Portal” means the webpage where the Developer may access all necessary information related to the Plan, the Documentation and the Solutions on behalf of Client.

“Processing” with reference to Personal Information includes collection, use, analysis, modification, deletion, sale, storage, sharing or transfer of such Personal Information.

"Personal Information" means, in any form, format or media, (i) any information that either alone, or in combination with other data, can be used to identify an individual, including, without limitation, the individual’s name, address, phone number, social security number or other government-issued number, financial account number, date of birth, address, biometric data (including gait analysis), mother’s maiden name, or other personal information; (ii) any information or data that is personally identifiable as defined under other applicable privacy and data protection laws.

“Representatives” means a party’s directors, officers, Affiliates, contractors, consultants, employees, advisors, agents, and any other representatives including legal counsel, accountants, and financial advisors.

“Response Data” means, any information Prove provides to Client and/or Developer in connection with Developer’s or Client’s use of the Solutions with the exception of any information that was initially provided by or on behalf of Client and/or Developer to Prove. Response Data is Prove Confidential Information.

“Security Breach” means (i) any act or omission that compromises the security, confidentiality, availability, and/or integrity of any data or information provided under this Agreement or the physical, technical, administrative or organizational safeguards put in place by Client and/or Developer that relate to the protection of the security, confidentiality or integrity of such data or information provided under this Agreement, or (ii) receipt of a complaint in relation to the privacy, security or data protection practices of Client and/or Developer or a breach or alleged breach of this Agreement relating to Client and/or Developer’s privacy, security and/or data protection practices.

“Solutions” means collectively (i) the access Prove provides Developer on behalf of Client to use the Solutions through the Network, which may include access via Graphical User Interfaces (“GUIs”) and portals and/or platforms; (ii) authentication solutions that interoperate with Client’s internal systems in order to provide user authentication for a mobile device application, website or other online service; (iii) the Solutions including data elements and Response Data, ; and (iv) the Documentation.. 

“Trade Secret” means information, without regard to form, including, but not limited to a formula, pattern, compilation, program, device, method, technique, process or product plans or product information that derives independent economic value, actual or potential, from not being generally known to or readily ascertainable through appropriate means by other persons who might obtain economic value from its disclosure or use; and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and is information that is considered a Trade Secret under applicable law.

“Transaction” means every inquiry Developer, on behalf of Client, sends to Prove for validation.

‍2. APPOINTMENT AND GRANT OF LICENSE‍

2.1 License.

2.1.1 Grant.  Subject to Developer’s continued compliance with all the terms of this Agreement (including all Exhibits attached hereto), Prove hereby grants Client a non-sublicensable, non-transferable, non-exclusive, revocable, restricted license during the Term to (i) access and use the Solutions, including all enhancements, updates and modifications, for Developer’s internal use on behalf of Client, in strict accordance with this Agreement. In no event will Client or Developer reproduce, modify, sell, sublicense or otherwise distribute the Solutions as a standalone product or service.

2.1.2 Source Code.  No rights are granted to Developer or Client with respect to source code of any component of the Solutions.  For clarity, sample code provided as illustrative examples is provided solely as part of the Documentation and is not itself a component of the Solutions.

2.2 License Restrictions.  Except as otherwise permitted under this Agreement, Client will not, and will not permit Developer or any third party to: 

(i) share, transfer, resell, bundle, rent, distribute, sublicense, or otherwise make the Solutions or Response Data available except as expressly set forth herein and subject to all the controls and protections set forth herein;

(ii) use the Portal or Solutions to send or store infringing or unlawful material;

(iii) send or store viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs via the Portal or Solutions;

(iv) attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Portal or Solutions or the data contained therein;

(v) adapt, modify, translate, copy, disassemble, decompile, reverse engineer, create derivative works of or make any other attempt by any means to discover or obtain the source code or other proprietary information or Response Data;

(vi) access the Portal or Solutions for the purpose of building a competitive product or service or copying its features or user interface for the purpose of reducing the number of transactions under this Agreement;

(vii) use the Portal or Solutions or permit them to be used, for purposes of product evaluation, benchmarking or other comparative analysis intended for publication without Prove’s prior written consent;

(viii) use the Response Data for marketing purpose;

(ix) maintain or create any table or database of any kind based on the Response Data for the purpose of avoiding subsequent billable API calls or other service requests to Prove or

(x) use the Portal or Solutions in any way that would violate any applicable federal, state, and local law, court order or regulation.

2.3 Right to Modify Portal or Solutions. Prove may, from time to time in its sole discretion, modify or enhance the Portal, Solutions and/or the Documentation and any such modifications or enhancements provided to Developer hereunder are deemed part of the Portal, Solutions and/or Documentation, as applicable.

2.4 Suspension.  Prove, in its sole discretion, may immediately suspend Developer’s and Client’s right to access and use some or all of the Portal, Solutions, or Response Data if it believes that Client, or Developer on behalf of Client, has i) used the Portal, Solutions or Response Data in an illegal manner, ii) if Developer breaches Sections 6.1 and 6.2 of this Agreement, iii) if Prove reasonably believes that Developer’s or Client’s use of the Solutions is in violation of the license restrictions set forth in Section 2.1 or 2.2 above or iv) if Client has suffered a Security Breach.

2.5 Reporting by Prove.  Developer, on behalf of Client, authorizes Prove to collect, store, host, access, use, reproduce and modify, during and after the Term, any and all data, inputs, responses and other information concerning Client and Developer’s use of the Solutions (i) bill Developer for its use of the Solutions (ii) prepare reports for Prove’s internal use, (iii) verify Developer’s compliance with the terms of this Agreement, (iv) perform or enforce its obligations under this Agreement, and (v) conduct data and usage analytics, parsing routes, data modeling and other analyses as deemed necessary by Prove to test, evaluate, develop and enhance Prove’s Solutions, including the creation and management of consumer-based, tokenized digital identities (with the legal consent of each individual consumer which may be collected by Prove directly through the Solutions).  In addition, Prove may provide such data, inputs and information on a confidential basis to its technology partners and Affiliates for the purposes described in this Section 2.5. 

3. ADDITIONAL DOCUMENTS

The following documents are hereby incorporated into this Agreement by reference: 

• Portal Service Level Agreement
• Trademark Guidelines

Prove may update any of the above referenced documents at any time by posting a new version and providing appropriate notice in the Portal.

‍

‍4. OBLIGATIONS OF CLIENT & DEVELOPER

4.1 Compliance with Certain Laws. 

(i) Personal Information. Developer understands that the Solutions may contain other sensitive information governed by certain laws regulating the Processing of Personal Information all of which Developer acknowledges and agrees to comply with on behalf of Client and to ensure that any third parties acting on behalf of Developer or Client also comply. This includes Client and Developer (on behalf of Client) agreeing to provide electronically Prove’s End User Terms & Conditions to each individual consumer each time they interact with Prove Solutions through Client’s online sites, products, and/or services in order for Prove to obtain and track consumers’ consent for their Processing of Personal Information.

4.2 Use of the Solutions.

(i) Developer’s use of Prove’s APIs, graphical user interfaces, platforms and other access solutions is limited to Developer’s access to and use on an authorized and credentialed basis.  Developer will not, nor will Client, sublicense any of Prove’s Solutions for use by a third party and any attempted sublicensing will be void.  

(ii) Storage of Response Data.  All Response Data retained by Developer and Client will at all times be maintained in accordance with the confidentiality and information security provisions of the Agreement. 

(iii) Liability for Response Data. Prove will have no liability with respect to claims arising from Developer’s interpretation or use of the Response Data or decisions and actions allegedly based upon such Response Data. 

4.3 No Representations.  Neither Developer or Client may make any representations, warranties or guarantees related to the Solutions unless authorized in advance in writing by Prove.

4.4 GLBA and DPPA Requirements. To the extent that Developer or Client receives Response Data that is Personal Information subject to the GLBA and/or the DPPA, and the regulations issued thereunder, Developer and Client acknowledge and agree that each will request, access and use such Solutions solely for the following specific use(s) listed below:

• As necessary to effect, administer, or enforce a transaction requested or authorized by the Consumer;
• To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
• For required institutional risk control, or for resolving consumer disputes or inquiries;
• For use solely in conjunction with a legal or beneficial interest held by Client relating to the Consumer;
• For use solely in Client’s fiduciary or representative capacity on behalf of, and with the implied or express consent of, the Consumer;
• To the extent specifically permitted or required under applicable laws other than the GLBA, and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies, to self-regulatory organizations, or for an investigation on a matter related to public safety; and/or,
• To comply with applicable federal, state, or local laws, rules, and other applicable legal requirements.

4.5 FCRA Prohibition. 

• In relation to Consumers based in the United States, the Client shall not use the Solutions or Response Data to: (i) create a consumer report as defined under 15 USC §1681a (“Consumer Report”) or for use by a consumer reporting agency for the purpose of creating a Consumer Report; or (ii) for any other purpose to the extent it would cause Prove to be subject to the Fair Credit Reporting Act (“FCRA”) or any similar laws or regulations, or (iii) for any other FCRA permissible purposes;
• Client acknowledges that Prove is a solutions provider and that its performance of its obligations under this Agreement does not fall within the scope of the FCRA.  Client undertakes not to provide Prove with Consumer Report data or take any other action which may bring Prove within the scope of the FCRA.  If, despite the above, Client’s interactions with Prove become subject to the FCRA, Client acknowledges that Prove will act as agent on Client’s behalf for the purposes of the FCRA.

4.6 TCPA Prohibition. Client will not use the Solutions to transmit any marketing communications or any communication that would violate any applicable federal, state, and local law, court order or regulation, including but not limited to the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”), the rules governing the Do Not Call Registry, currently found at http://www.donotcall.gov, the CAN-SPAM Act, and any other applicable marketing rules in the United States.

4.7   Privacy Requirements. In performing its obligations and exercising its rights under this Agreement, Client will comply with its obligations as a data controller under the applicable data protection and privacy laws. Developer and Client represent that one or both has or will provide notice and consent to its Consumers where legally required under applicable privacy laws including but not limited to the California Consumer Privacy Act (“CCPA”) and all other state data protection, privacy, and consumer protections laws in order to receive the Prove Solution. Client will retain such records of notice, and consent where it is legally required, for the duration of this Agreement, plus an additional year unless otherwise required by law. 

4.8 Security Requirements. 

4.8.1     Securing Personal Information. Client shall treat all Personal Information, as defined in the applicable Agreement, as sensitive and confidential. This includes, but is not limited to securing sensitive files, managing data access, securely disposing of data and paper records and managing devices. Unless otherwise permitted in the Agreement, Client shall not share or distribute Personal Information with any third party organization or person(s) without the express, written consent of Prove’s Legal Department, CFO, or CEO.

4.8.2 Personnel Security. For all Client Personnel who have access to Personal Information, Client shall: (i) Perform background checks that include, at a minimum, national criminal record checks going back seven (7) years, as well as legal identity verification and authentication (e.g., SSN verification); (ii) Require such Personnel to sign an agreement to maintain the confidentiality of such Personal information; (iii) Require such Personnel to be trained on acceptable use of systems, their obligations regarding privacy and data protection laws and their role in the prevention, detection and reporting of security incidents in addition to complying with all other Client security policies; and (iv) Communicate to such employees the relevant aspects of the Information Security Program, including the procedures and penalties for non-compliance. Additionally, Client shall implement a process to terminate access to Personal Information within twenty-four (24) hours upon the termination of Client Personnel.

4.8.3 Information Security Program. Client shall have implemented a documented information security program, policy and standards, and procedures (the “Information Security Program”) that is approved by senior management, meets industry best practices, and complies with all applicable regulatory requirements. Client shall internally review the Information Security Program, and all documentation supporting it, at least annually and revise in accordance with changes in industry best practices and/or applicable regulatory requirements. Client shall hire an accredited third party to review its Information Security Program at least annually in order to provide sufficient assurance documentation to Prove upon request or as part of an annual assessment (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

4.8.4 Access Controls. All access to Personal Information by Client shall be limited by business need and using the principle of least privilege. All access and actions on Client systems must be attributable to a named individual or a machine process account. Client shall enforce segregation of duties for all development, test, and production environments.  

4.8.5 Data Storage and Transmission. All Client systems used to process, transmit, store Personal Information must use strong cryptography controls: a minimum of Transport Layer Security (“TLS”) 1.2 for data in transit and at least 256-bit encryption for data at rest. Client shall use Secure File Transfer Protocols (“SFTP”) or another equally secure method/ channel when Personal Information is being transferred externally to/from Client. All Personal Information must be encrypted using TLS 1.2 or higher when in transit. If Personal Information is required to be stored on portable storage media or laptop, Client shall ensure that such Personal Information is encrypted with strong cryptography controls (at least 256 bit) and uncompromised technology.

4.8.6 Security Testing and Monitoring. Client shall implement and maintain security configurations, patch management, vulnerability management, and security tooling in line with industry best practices. Client shall test all web applications Processing, transmitting, or storing Personal Information against Open Web Application Security Project (“OWASP”) Top ten (10) web application security risks prior to going live and on a regular basis.  Client shall conduct regular penetration testing of internal and external systems that process, transmit, or store Personal Information. Upon written request, Client shall provide Prove with the results of such testing, including summary reports, test details and dates, and information on the progress of remediation related to any findings.   

4.8.7 Physical Security. Client shall implement and maintain a clearly defined and documented physical security policy supported by standards that meet industry best practices.

4.8.8 Data Destruction. On expiry or termination of this Agreement, Client shall promptly (and in no case longer than 30 days) and permanently delete all Personal Information, and direct any applicable subcontractor to do the same, unless otherwise approved expressly in writing by Prove’s Legal Department, CFO, or CEO. Where Personal Information is required to be retained by Client under applicable laws, this must be notified to Prove prior to the expiry or termination of this agreement with justification provided for its continued retention and anticipated timescales defined for its eventual destruction.

4.8.9 Security Incidents. Client shall document and maintain an Incident Response Plan (“IRP”) that is sufficient to comply with applicable data privacy laws. At a minimum, the IRP plan should be tested annually.    Client shall document any security event impacting the confidentiality, integrity, or availability of Personal Information (“Security Incident”), including the root cause(s), analysis, and remediation. Client must immediately notify Prove after Client’s discovery of any actual or suspected Security Incident, unauthorized disclosure of Response Data or breach of this Agreement by sending an email to incident@prove.com, privacy@prove.com, and legal@prove.com and to the contract notice addressee set forth in Section 13.7 (Notices) of the Agreement by the means set forth therein.  Client must provide Prove the following information to the extent such information is known at the time: (i) the nature, root cause and impact of the breach or disclosure; (ii) Client’s assessment of immediate risk due to the breach; (iii) corrective actions already taken; (iv) corrective measures to be taken; and (v) notifications made and to be made to regulatory authorities, customers, and consumers.  Client must take all reasonable actions to mitigate the effects of such Security Incident or disclosure, including all necessary actions to recover the affected Response Data, and will reasonably cooperate with Prove in connection therewith.  Client will not, without the prior written consent of Prove or unless required by law, reference Prove in any notification regarding unauthorized access or disclosure that affects Consumers (a “Breach Notice”).  This section is subject to the requirements of state, federal, and local country laws or regulations, including but not limited to any obligation to provide prior notice to law enforcement.

4.8.10 Audit Rights. Client agrees to allow Prove to audit compliance with this Exbibit on a regular basis, but no more once than annually, for at least the length of the engagement (“Annual Reviews”). This may include, as determined by Prove, access to or copies of documentation related to Client’s Information Security Program, including but not limited to Client’s information security policies and procedures, as well as any recent external, third party assurance documentation (e.g., SOC 2, Type II report, PCI DSS 3.2 attestation of compliance, ISO 27001 certification, etc.).

‍

5 OBLIGATIONS OF PROVE

5.1 Provisioning and Onboarding Service.  Provided that Prove has received all fees due under this Agreement from Developer, Prove will provide the Solutions ordered by Developer on behalf of Client in accordance with information received from Developer and the terms and conditions of this Agreement. 

5.2 Technical Support.  Prove is responsible for providing technical support for the Portal and Solutions to Developer and Client as described in the Portal Service Level Agreement.  Prove will not have any support obligations with respect to errors caused by the combination, operation or use of the Solutions with any product not furnished by Prove if such errors would not have resulted from the unmodified, stand-alone Solutions. 

‍