These terms (the “Security Terms”) set forth Bottomline and Customer data privacy and security and compliance obligations.  Capitalized terms not defined in these Security Terms have the meaning given to them in the Terms.  

1.   Regulatory Compliance.

a. General. Customer shall be responsible for compliance with all state and federal laws and regulations governing healthcare providers, banks or other financial institutions; and regulatory disclosure requirements, including, but not limited to, any disclosure to its end users with respect to privacy, financial and other legal notices and disclosures to its end users and to obtain all required consent from its end users to use the Products and Services. Bottomline shall comply with federal and state rules and regulations as they relate to vendors of Internet banking and healthcare services. In the event that there is a significant change in the manner by which the Products and Services can be delivered as a result of a change in regulatory requirements, Bottomline and Customer shall, in good faith, work together to remediate any disparities in the provisioning of the Products and Services. If either party determines that Bottomline’s continued provision of the Products and Services is not technically or commercially feasible due to a change in regulatory requirements, that party may elect to terminate these Terms, by providing the other party with thirty (30) days prior written notice.  In the event that compliance with a change in state regulatory requirements requires any material expenditure of time or resources by Bottomline, Customer may pay for additional Professional Services.
b. Interagency Guidelines. To the extent applicable to the nature of the Products and Services, Bottomline represents and warrants that it has implemented and maintains information security practices designed to meet the objectives of the Gramm Leach Bliley Act, Section 501(b) (15 U.S.C. 6801) and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness (together, the “Guidelines”).
c. HIPAA, HITECH. To the extent applicable to the nature of the Products and Services, Bottomline represents and warrants that its Products and Services are compliant with the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), including the processing of Protected Health Information (“PHI”) as defined by HIPAA, and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  A copy of Bottomline’s Business Associate Agreement is available upon request.
d. CCPA. To the extent applicable to the nature of the Products and Services, Bottomline represents and warrants that its Products and Services are compliant with the California Consumer Privacy Act of 2018, as amended (“CCPA”), including the processing of personal information as defined by the CCPA.
e. SBA. To the extent applicable to the nature of the Products and Services, Bottomline represents and warrants that its Products and Services are compliant with the Small Business Administration Data Privacy Protection Standards and Policy of 2020.
f. Law Enforcement. If law enforcement requests access to Customer Material via a validly issued subpoena, an investigative demand or warrant, Customer hereby expressly authorizes Bottomline to share information about Customer and its Customer Material with law enforcement.

2.    Confidentiality.

a.    Generally. “Confidential Information” means any and all information and material disclosed by one party (the “Discloser”) to the other party (the “Recipient”) including but not limited to Customer Materials, trade secrets, know-how, inventions, techniques, processes, programs, ideas, algorithms, formulas, schematics, testing procedures, software design and architecture, computer code, internal documentation, design and functional specifications, product requirements, problem reports, performance information, documents, and other technical, business, product, marketing, customer, financial information, or any other information the Recipient knows or ought to know is confidential due to its nature. Recipient shall hold all Confidential Information in strict confidence and shall not disclose any Confidential Information to any third party, other than to its employees, agents and consultants who need to know such information and who are bound by restrictions no less restrictive than those set forth herein. Recipient shall take the same degree of care that it uses to protect its own confidential information of similar nature (but in no event less than reasonable care) to protect the confidentiality thereof. Confidential Information does not include information that (i) is or becomes generally known by the public (other than as a result of its disclosure by a party to these Terms), (ii) was or becomes available to a party on a non-confidential basis from a person not otherwise bound by these Terms or is not otherwise known to be prohibited from transmitting the information, or (iii) is independently developed by the parties, provided that the party claiming an exception shall have the burden of establishing such exception.
b.    Consumer Information.  Bottomline acknowledges that Customer’s Confidential Information may include nonpublic personal information (“Non-Public Information”) as defined by the Gramm-Leach-Bliley Act (15 U.S.C. §6809) and regulations promulgated thereunder.  Bottomline agrees not to use or disclose such Non-Public Information other than to carry out the purposes for which such Non-Public Information is disclosed to Bottomline.  Customer’s Confidential Information may also include Customer’s Consumer Information (as defined below).  “Consumer Information” means any personally identifiable record, or compilation of records, about an individual, whether in paper, electronic, or other form, which is a consumer report or is derived from a consumer report and which is maintained or otherwise possessed by or on behalf of Customer for a business purpose.  Bottomline shall properly dispose of Consumer Information in a manner designed to be consistent with the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Member Information (12 C.F.R. §717.83 and 12 C.F.R. §748, Appendix A) and the Final Rules implementing Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (15 U.S.C §1601) as promulgated by the Interagencies and the NCUA, as amended from time to time.

3.   Security.

a.    Security Measures. Bottomline has implemented and will maintain commercially reasonable administrative, physical and technical safeguards and security measures (collectively, “Security Measures”) that are designed to ensure the security of Customer Materials. Bottomline’s Security Measures include, without limitation: (i) access controls to information systems and physical locations where Customer Materials are stored, (ii) fraud prevention controls, (iii) encryption of electronic information, (iv) segregation of duties, (v) appropriate employee background checks, and (vi) incident response policies and procedures for suspected or actual unauthorized access to Customer Materials or systems, including appropriate reporting to regulatory and law enforcement agencies. As part of Bottomline’s provision of the Products and Services, Customer may be required to comply with certain Security Measures.  
b.    FFIEC. Upon request, Bottomline will provide to Customer a description of its Security Measures (i.e., the SSAE18 Report).  To the extent applicable to the nature of the Products and Services, Bottomline may be subject to periodic examinations from federal and state agencies, which may include examination under the Federal Financial Institutions Examination Council Guidelines (the “FFIEC Guidelines”). Results of any examinations under the FFIEC Guidelines are distributed to Customer at the discretion of and by the applicable federal supervisory agency.  
c.    Security Breach Notification. Unless precluded by law, regulation or law enforcement, Bottomline agrees to notify Customer of any Security Breach (as defined herein) of Customer’s or its end users’ data within forty-eight (48) hours following discovery.  “Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information (as defined herein) maintained by Bottomline on behalf of Customer.  “Personal Information” means unencrypted first name or first initial and last name and one or more of the following: Social Security Number; driver's license number or state identification card number; or account number, credit or debit card number in conjunction with required security code, access code, or password that would permit access to a Customer end user’s healthcare or financial account.

4.   Export Laws. Customer’s use of the Products and Services is subject to compliance with United States and other applicable export control and trade sanctions laws, rules and regulations, including without limitation, the U.S. Export Administration Regulations, administered by the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), the Foreign Corrupt Practices Act (“FCPA”) and U.S. trade sanctions, administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) (collectively, “Export Control Laws”).  Customer will not export, re-export, download or otherwise transmit the Products and Services, or technical data relating thereto, in violation of any applicable Export Control Laws. In particular, Customer acknowledges that the Products and Services, or any part thereof, may not be exported, transmitted, or re-exported to, or otherwise used in: (a) any country subject to a U.S. embargo or comprehensive trade sanctions or that has been designated a state sponsor of terrorism by the U.S. Government  (“Sanctioned Countries”); or (b) anyone identified on any U.S. Government restricted party lists (including without limitation, the Specially Designated Nationals and Blocked Persons List, Sectoral Sanctions Identifications List, and Foreign Sanctions Evaders List, administered by OFAC, and the Entity List, Denied Persons List, and Unverified List administered by BIS) (collectively, “Restricted Party Lists”). By purchasing a Product or Service, Customer represents and warrants that it is not located in any Sanctioned Country or on any Restricted Party List. Customer acknowledges that the Products and Services may not be available in all jurisdictions and that Customer is solely responsible for complying with applicable Export Control Laws, including Customer’s transfer and processing of Customer Material and the region in which any of the foregoing occur.

