These Supplemental Terms for Authentication Services (the “Supplemental Terms”) strictly pertain to Customer’s election and use of certain Authentication Services provided by Bottomline Technologies (de), Inc. (“Bottomline”) through its third-party service provider, LexisNexis Risk Solutions FL Inc. (“LexisNexis”) (Bottomline and LexisNexis collectively referred to as “Service Provider”), that attempt to verify the identity of an individual and/or confirm the individual’s rights to certain accounts (“Authentication Services”). In the event of a conflict between the Supplemental Terms and the Bottomline Technologies Terms of Service or similar master agreement entered into between Bottomline and Customer (the “Terms”), these Supplemental Terms shall control.
1. RESTRICTED LICENSE. Service Provider hereby grants to Customer a restricted license to use the Authentication Services and any data contained therein, subject to the restrictions and limitations set forth below:
(i) GLBA Data. Some of the information contained in the Authentication Services is "nonpublic personal information," as defined in the Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.) and related state laws, (collectively, the "GLBA"), and is regulated by the GLBA ("GLBA Data"). Customer shall not obtain and/or use GLBA Data through the Authentication Services, in any manner that would violate the GLBA, or any similar state or local laws, regulations and rules. Customer acknowledges and agrees that it may be required to certify its permissible use of GLBA Data falling within an exception set forth in the GLBA at the time it requests information in connection with certain Authentication Services and will recertify upon request by Service Provider. Customer certifies with respect to GLBA Data received through the Authentication Services that it complies with the Interagency Standards for Safeguarding Customer Information issued pursuant to the GLBA.
(ii) DPPA Data. Certain information contained in the Authentication Services is “personal information,” as defined in the Drivers Privacy Protection Act (18 U.S.C. § 2721, et seq.) and related state laws, (collectively, the “DPPA”), and is regulated by the DPPA (“DPPA Data”). Customer shall not obtain and/or use DPPA Data through the Authentication Services in any manner that would violate the DPPA. Customer acknowledges and agrees that it may be required to certify its permissible use of DPPA Data at the time it requests information in connection with certain Authentication Services and will recertify upon request by Service Provider.
(iii) Copyrighted and Trademarked Materials. Customer shall not remove or obscure any trademarks, copyright notices or other notices contained on materials accessed through the Authentication Services.
(iv) Additional Terms. Certain materials contained within the Authentication Services are subject to additional obligations and restrictions. Without limitation, these services include news, business information (e.g., Dun & Bradstreet reports), and federal legislative and regulatory materials. To the extent that Customer receives such materials through the Authentication Services, Customer agrees to comply with the General Terms and Conditions for Use of Authentication Services contained at the following website: www.lexisnexis.com/terms/general (the "General Terms"). The General Terms are hereby incorporated into these Supplemental Terms by reference.
(v) Fair Credit Reporting Act. The Authentication Services provided pursuant to these Supplemental Terms are not provided by "consumer reporting agencies," as that term is defined in the Fair Credit Reporting Act, (15 U.S.C. §1681, et seq.), (the "FCRA"), and do not constitute "consumer reports" as that term is defined in the FCRA. Accordingly, the Authentication Services may not be used in whole or in part as a factor in determining eligibility for credit, insurance, employment or another purpose in connection with which a consumer report may be used under the FCRA. Further, (A) Customer certifies that it will not use any of the information it receives through the Authentication Services to determine, in whole or in part an individual's eligibility for any of the following products, services or transactions: (1) credit or insurance to be used primarily for personal, family or household purposes; (2) employment purposes; (3) a license or other benefit granted by a government agency; or (4) any other product, service or transaction in connection with which a consumer report may be used under the FCRA or any similar state statute, including without limitation apartment rental, check-cashing, or the opening of a deposit or transaction account; (B) by way of clarification, without limiting the foregoing, Customer may use, except as otherwise prohibited or limited by these Supplemental Terms, information received through the Authentication Services for the following purposes: (1) to verify or authenticate an individual's identity; (2) to prevent or detect fraud or other unlawful activity; (3) to locate an individual; (4) to review the status of a legal proceeding; (5) to collect a debt, provided that such debt collection does not constitute in whole or in part, a determination of an individual consumer's eligibility for credit or insurance to be used primarily for personal, family or household purposes; or (6) to determine whether to buy or sell consumer debt or a portfolio of consumer debt in a commercial secondary market transaction, provided that such determination does not constitute in whole or in part, a determination of an individual consumer's eligibility for credit or insurance to be used primarily for personal, family or household purposes; (C) specifically, if Customer is using the Authentication Services in connection with collection of a consumer debt on its own behalf, or on behalf of a third party, Customer shall not use the Authentication Services: (1) to revoke consumer credit; (2) to accelerate, set or change repayment terms; or (3) for the purpose of determining a consumer's eligibility for any repayment plan; provided, however, that Customer may, consistent with the certification and limitations set forth in this section (viii), use the Authentication Services for identifying, locating, or contacting a consumer in connection with the collection of a consumer's debt or for prioritizing collection activities; and (D) Customer shall not use any of the information it receives through the Authentication Services to take any "adverse action," as that term is defined in the FCRA.
(vi) Retention of Records. For uses of GLB Data, DPPA Data and MVR Data, as described in Sections (ii), (iii) and (ix), Customer shall maintain for a period of five (5) years a complete and accurate record (including consumer identity, purpose and, if applicable, consumer authorization) pertaining to every access to such data.
2. SECURITY. Customer acknowledges that the information available through the Authentication Services may include personally identifiable information and it is Customer's obligation to keep all such accessed information confidential and secure. Accordingly, Customer shall (a) restrict access to Authentication Services to those employees who have a need to know as part of their official duties; (b) ensure that none of its employees shall (i) obtain and/or use any information from the Authentication Services for personal reasons, or (ii) transfer any information received through the Authentication Services to any party except as permitted hereunder; (c) keep all user identification numbers, and related passwords, or other security measures (collectively, "User IDs") confidential and prohibit the sharing of User IDs; (d) immediately deactivate the User ID of any employee who no longer has a need to know, or for terminated employees on or prior to the date of termination; (e) in addition to any obligations under Paragraph 1, take all commercially reasonable measures to prevent unauthorized access to, or use of, the Authentication Services or data received therefrom, whether the same is in electronic form or hard copy, by any person or entity; (f) maintain and enforce data destruction procedures to protect the security and confidentiality of all information obtained through the Authentication Services as it is being disposed; (g) unless otherwise required by law, purge all information received through the Authentication Services and stored electronically or on hard copy by Customer within ninety (90) days of initial receipt; (h) be capable of receiving the Authentication Services where the same are provided utilizing "secure socket layer," or such other means of secure transmission as is deemed reasonable by LexisNexis; (i) not access and/or use the Authentication Services via mechanical, programmatic, robotic, scripted or other automated search means, other than through batch or machine-to-machine applications approved by LexisNexis; and (j) take all steps to protect their networks and computer environments, or those used to access the Authentication Services, from compromise. Customer agrees that on at least a quarterly basis it will review searches performed by its User IDs to ensure that such searches were performed for a legitimate business purpose and in compliance with all terms and conditions herein. Customer will implement policies and procedures to prevent unauthorized use of User IDs and the Authentication Services, and will immediately notify Service Provider in writing if Customer suspects, has reason to believe or confirms that a User ID or the Authentication Services (or data derived directly or indirectly therefrom) is or has been lost, stolen, compromised, misused or used, accessed or acquired in an unauthorized manner or by any unauthorized person, or for any purpose other than legitimate business reasons. Customer shall remain solely liable for all costs associated therewith and shall further reimburse Service Provider for any expenses it incurs due to Customer's failure to prevent such impermissible use or access of User IDs and/or the Authentication Services, or any actions required as a result thereof.
Furthermore, in the event that the Authentication Services provided to Customer include personally identifiable information (including, but not limited to, social security numbers, driver's license numbers or dates of birth), the following shall apply: Customer acknowledges that, upon unauthorized acquisition or access of or to such personally identifiable information, including but not limited to that which is due to use by an unauthorized person or due to unauthorized use (a "Security Event"), Customer shall, in compliance with law, notify the individuals whose information was potentially accessed or acquired that a Security Event has occurred, and shall also notify any other parties (including but not limited to regulatory entities and credit reporting agencies) as may be required in Service Provider’s reasonable discretion. Customer agrees that such notification shall not reference Service Provider or the product through which the data was provided, nor shall Service Provider be otherwise identified or referenced in connection with the Security Event, without Service Provider’s express written consent. Customer shall be solely responsible for any other legal or regulatory obligations which may arise under applicable law in connection with such a Security Event and shall bear all costs associated with complying with legal and regulatory obligations in connection therewith. Customer shall remain solely liable for claims that may arise from a Security Event, including, but not limited to, costs for litigation (including attorneys' fees), and reimbursement sought by individuals, including but not limited to, costs for credit monitoring or allegations of loss in connection with the Security Event, and to the extent that any claims are brought against Service Provider, shall indemnify Service Provider from such claims. 
Customer shall provide samples of all proposed materials to notify consumers and any third-parties, including regulatory entities, to Service Provider for review and approval prior to distribution. In the event of a Security Event, Service Provider may, in its sole discretion, take immediate action, including suspension or termination of Customer's account, without further obligation or liability of any kind.
3. PERFORMANCE. Service Provider will use commercially reasonable efforts to deliver the Authentication Services requested by Customer and to compile information gathered from selected public records and other sources used in the provision of the Authentication Services; provided, however, that Customer accepts all information “AS IS.” Customer acknowledges and agrees that Service Provider obtains its data from third party sources, which may or may not be completely thorough and accurate, and that Customer shall not rely on Service Provider for the accuracy or completeness of information supplied through the Authentication Services. Without limiting the foregoing, the criminal record data that may be provided as part of the Authentication Services may include records that have been expunged, sealed, or otherwise have become inaccessible to the public since the date on which the data was last updated or collected. Customer understands that Customer may be restricted from accessing certain Authentication Services which may be otherwise available. Service Provider reserves the right to add materials and features to, and to discontinue offering any of the materials and features that are currently a part of, the Authentication Services. In the event that Service Provider discontinues a material portion of the materials and features that Customer regularly uses in the ordinary course of its business, and such materials and features are part of a flat fee subscription plan to which Customer has subscribed, Service Provider will, at Customer's option, issue a prorated credit to Customer's account of any prepaid unused fees.
4. INTELLECTUAL PROPERTY; CONFIDENTIALITY. Customer agrees that Customer shall not reproduce, retransmit, republish, or otherwise transfer for any commercial purposes the Authentication Services' information, programs or computer applications. Customer acknowledges that Service Provider (and/or its third party data providers) shall retain all right, title, and interest under applicable contractual, copyright, patent, trademark, Trade Secret and related laws in and to the Authentication Services and the data and information that they provide. Customer shall use such materials in a manner consistent with Service Provider's interests and the terms and conditions herein, and shall notify Service Provider of any threatened or actual infringement of Service Provider's rights. Notwithstanding anything in these Supplemental Terms to the contrary, Service Provider or Service Provider’s data provider shall own Customer's search inquiry data used to access the Authentication Services (in the past or future) and may use such data for any purpose consistent with applicable federal, state and local laws, rules and regulations. Customer and Service Provider acknowledge that they each may have access to confidential information of the disclosing party ("Disclosing Party") relating to the Disclosing Party's business including, without limitation, technical, financial, strategies and related information, computer programs, algorithms, know-how, processes, ideas, inventions (whether patentable or not), schematics, Trade Secrets (as defined below) and other information (whether written or oral), and in the case of Service Provider’s information, product information, pricing information, product development plans, forecasts, data contained in Authentication Services, and other business information ("Confidential Information").
Confidential Information shall not include information that: (i) is or becomes (through no improper action or inaction by the Receiving Party (as defined below)) generally known to the public; (ii) was in the Receiving Party's possession or known by it prior to receipt from the Disclosing Party; (iii) was lawfully disclosed to Receiving Party by a third party and received in good faith and without any duty of confidentiality by the Receiving Party or the third party; or (iv) was independently developed without use of any Confidential Information of the Disclosing Party by employees of the Receiving Party who have had no access to such Confidential Information. "Trade Secret" shall be deemed to include any information which gives the Disclosing Party an advantage over competitors who do not have access to such information as well as all information that fits the definition of "trade secret" set forth in the Official Code of Georgia Annotated § 10-1-761(4). Each receiving party ("Receiving Party") agrees not to divulge any Confidential Information or information derived therefrom to any third party and shall protect the confidentiality of the Confidential Information with the same degree of care it uses to protect the confidentiality of its own confidential information and trade secrets, but in no event less than a reasonable degree of care. Notwithstanding the foregoing, the Receiving Party may disclose Confidential Information solely to the extent required by subpoena, court order or other governmental authority, provided that the Receiving Party shall give the Disclosing Party prompt written notice of such subpoena, court order or other governmental authority so as to allow the Disclosing Party to have an opportunity to obtain a protective order to prohibit or restrict such disclosure at its sole cost and expense.
Confidential Information disclosed pursuant to subpoena, court order or other governmental authority shall otherwise remain subject to the terms applicable to Confidential Information. Each party's obligations with respect to Confidential Information shall continue for so long as Service Provider provides Authentication Services to Customer, and for a period of five (5) years thereafter, provided however, that with respect to Trade Secrets, each party's obligations shall continue for so long as such Confidential Information continues to constitute a Trade Secret.
5. WARRANTIES/LIMITATION OF LIABILITY. Neither Service Provider, nor its subsidiaries and affiliates, nor any third party data provider (for purposes of indemnification, warranties, and limitations on liability, Service Provider, its subsidiaries and affiliates, and its data providers are hereby collectively referred to as "Service Provider") shall be liable to Customer (or to any person claiming through Customer to whom Customer may have provided data from the Authentication Services) for any loss or injury arising out of or caused in whole or in part by Service Provider's acts or omissions in procuring, compiling, collecting, interpreting, reporting, communicating, or delivering the Authentication Services. If, notwithstanding the foregoing, liability can be imposed on Service Provider, then Customer agrees that Service Provider's aggregate liability for any and all losses or injuries arising out of any act or omission of Service Provider in connection with anything to be done or furnished under these Supplemental Terms, regardless of the cause of the loss or injury, and regardless of the nature of the legal or equitable right claimed to have been violated, shall never exceed One Hundred Dollars ($100.00); and Customer covenants and promises that it will not sue Service Provider for an amount greater than such sum even if Customer and/or third parties were advised of the possibility of such damages and that it will not seek punitive damages in any suit against Service Provider. Service Provider does not make and hereby disclaims any warranty, express or implied with respect to the Authentication Services. Service Provider does not guarantee or warrant the correctness, completeness, merchantability, or fitness for a particular purpose of the Authentication Services or information provided therein. 
In no event shall Service Provider be liable for any indirect, incidental, or consequential damages, however arising, incurred by Customer from receipt or use of information delivered hereunder or the unavailability thereof. Due to the nature of public record information, the public records and commercially available data sources used in Authentication Services may contain errors. Source data is sometimes reported or entered inaccurately, processed poorly or incorrectly, and is generally not free from defect. Authentication Services are not the source of data, nor are they a comprehensive compilation of the data. Before relying on any data, it should be independently verified.
6. INDEMNIFICATION. Customer hereby agrees to protect, indemnify, defend, and hold harmless Service Provider from and against any and all costs, claims, demands, damages, losses, and liabilities (including attorneys' fees and costs) arising from or in any way related to (a) use of information received by Customer (or any third party receiving such information from or through Customer) furnished by or through Service Provider; (b) breach of any terms, conditions, representations or certifications in these Supplemental Terms; and (c) any Security Event. Service Provider hereby agrees to protect, indemnify, defend, and hold harmless Customer from and against any and all costs, claims, demands, damages, losses, and liabilities (including attorneys' fees and costs) arising from or in connection with any third party claim that the Authentication Services or data contained therein, when used in accordance with these Service Provider’s instructions, infringe a United States patent or United States registered copyright, subject to the following: (i) Customer must promptly give written notice of any claim to Service Provider; (ii) Customer must provide any assistance which Service Provider may reasonably request for the defense of the claim (with reasonable out of pocket expenses paid by Service Provider); and (iii) Service Provider has the right to control the defense or settlement of the claim; provided, however, that the Customer shall have the right to participate in, but not control, any litigation for which indemnification is sought with counsel of its own choosing, at its own expense. 
Notwithstanding the foregoing, Service Provider will not have any duty to indemnify, defend or hold harmless Customer with respect to any claim of infringement resulting from (1) Customer's misuse of the Authentication Services; (2) Customer's failure to use any corrections made available by Service Provider; (3) Customer's use of the Authentication Services in combination with any product or information not provided or authorized in writing by Service Provider; or (4) any information, direction, specification or materials provided by Customer or any third party. If an injunction or order is issued restricting the use or distribution of any part of the Authentication Services, or if Service Provider determines that any part of the Authentication Services is likely to become the subject of a claim of infringement or violation of any proprietary right of any third party, Service Provider may in its sole discretion and at its option (A) procure for Customer the right to continue using the Authentication Services; (B) replace or modify the Authentication Services so that they become non-infringing, provided such modification or replacement does not materially alter or affect the use or operation of the Authentication Services; or (C) terminate these Supplemental Terms and refund any fees relating to the future use of the Authentication Services. The foregoing remedies constitute Customer's sole and exclusive remedies and Service Provider’s entire liability with respect to infringement claims or actions.
7. AUDIT. Customer understands and agrees that, in order to ensure compliance with the FCRA, GLBA, DPPA, other similar state or federal laws, regulations or rules, regulatory agency requirements, these Supplemental Terms, and Bottomline’s obligations under its contracts with LexisNexis, Bottomline may conduct periodic reviews of Customer's use of the Authentication Services and may, upon reasonable notice, audit Customer's records, processes and procedures related to Customer's use, storage and disposal of Authentication Services and information received therefrom. Customer agrees to cooperate fully with any and all audits and to respond to any such audit inquiry within ten (10) business days, unless an expedited response is required. Violations discovered in any review and/or audit by Bottomline will be subject to immediate action including, but not limited to, suspension or termination of the license to use the Authentication Services, reactivation fees, legal action, and/or referral to federal or state regulatory agencies.
8. SURVIVAL OF AGREEMENT. Provisions hereof related to release of claims; indemnification; use and protection of information, data and Authentication Services; payment for the Authentication Services; audit; Service Provider’s use and ownership of Customer's search inquiry data; disclaimer of warranties; security; customer data and governing law shall survive any termination of the license to use the Authentication Services.
9. EMPLOYEE TRAINING. Customer shall train new employees prior to allowing access to Authentication Services on Customer's obligations under these Supplemental Terms, including, but not limited to, the licensing requirements and restrictions under Paragraph 1 and the security requirements of Paragraph 2. Customer shall conduct a similar review of its obligations under these Supplemental Terms with existing employees who have access to the Authentication Services no less than annually. Customer shall keep records of such training.
10. ATTORNEYS' FEES. The prevailing party in any action, claim or lawsuit brought pursuant to these Supplemental Terms is entitled to payment of all attorneys' fees and costs expended by such prevailing party in association with such action, claim or lawsuit.
11. CUSTOMER CHANGES/CREDIT REPORT. Customer acknowledges and understands that Service Provider will only allow Customer access to the Authentication Services if Customer's credentials can be verified in accordance with Service Provider’s internal credentialing procedures. Customer shall notify Bottomline immediately of any changes to the information on Customer's Application for the Authentication Services, and, if at any time Customer no longer meets Service Provider’s criteria for providing such service, Bottomline may terminate these Supplemental Terms and the Authentication Services provided. Customer is required to promptly notify Bottomline of a change in ownership of Customer's company, any change in the name of Customer's company, and/or any change in the physical address of Customer's company.
12. CHANGE IN AGREEMENT. By receipt of the Authentication Services, Customer agrees to, and shall comply with, changes to the Restricted License granted Customer in Paragraph 1 herein, changes in pricing, and changes to other provisions of these Supplemental Terms as Service Provider may make from time to time by notice to Customer via e-mail, online "click wrap" amendments, facsimile, mail, invoice announcements, or other written notification. All e-mail notifications shall be sent to the individual named in the Customer Administrator Contact Information section, unless stated otherwise in these Supplemental Terms. Service Provider may, at any time, impose restrictions and/or prohibitions on the Customer's use of the Authentication Services or certain data. Customer understands that such restrictions or changes in access may be the result of a modification in Service Provider’s policy, a modification of third party agreements, a modification in industry standards, a Security Event or a change in law or regulation, or the interpretation thereof. Upon written notification by Service Provider of such restrictions, Customer agrees to comply with such restrictions.
13. PUBLICITY. Customer will not name Service Provider or refer to its use of the Authentication Services in any press releases, advertisements, promotional or marketing materials, or make any other third party disclosures regarding Service Provider or Customer's use of the Authentication Services.
14. PRIVACY PRINCIPLES. With respect to personally identifiable information regarding consumers, the parties further agree as follows: Service Provider has adopted the "Data Privacy Principles" ("Principles"), which may be modified from time to time, recognizing the importance of appropriate privacy protections for consumer data, and Customer agrees that Customer (including its directors, officers, employees or agents) will comply with the Principles or Customer's own comparable privacy principles, policies, or practices. The Principles are available at http://www.lexisnexis.com/privacy/data-privacy-principles.aspx.
15. FORCE MAJEURE. The parties will not incur any liability to each other or to any other party on account of any loss or damage resulting from any delay or failure to perform all or any part of these Supplemental Terms (except for payment obligations) to the extent such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control, and without the negligence of, the parties. Such events, occurrences, or causes include, without limitation, acts of God, telecommunications outages, internet outages, power outages, any irregularity in the announcing or posting of updated data files by the applicable agency, strikes, lockouts, riots, acts of war, floods, earthquakes, fires, and explosions.
16. ENTIRE AGREEMENT. Except as otherwise provided herein, these Supplemental Terms constitute the final written agreement and understanding of the parties and are intended as a complete and exclusive statement of the terms of the agreement, which shall supersede all other representations, agreements, and understandings, whether oral or written, which relate to the use of the Authentication Services and all matters within the scope of these Supplemental Terms. Without limiting the foregoing, the provisions related to confidentiality and exchange of information contained in these Supplemental Terms shall, with respect to the Authentication Services and all matters within the scope of these Supplemental Terms, supersede any separate nondisclosure agreement that is or may in the future be entered into by the parties hereto. Any new, other, or different terms supplied by the Customer beyond the terms contained herein, including those contained in purchase orders or confirmations issued by the Customer, are specifically and expressly rejected by Bottomline unless Bottomline agrees to them in a signed writing specifically including those new, other, or different terms. The terms contained herein shall supersede and govern in the event of a conflict between these terms and any new, other, or different terms in any other writing. These Supplemental Terms can be executed in counterparts and faxed or electronic signatures will be deemed originals.
17. MISCELLANEOUS. If any provision of these Supplemental Terms or any exhibit shall be held by a court of competent jurisdiction to be contrary to law, invalid or otherwise unenforceable, such provision shall be changed and interpreted so as to best accomplish the objectives of the original provision to the fullest extent allowed by law, and in any event the remaining provisions of these Supplemental Terms shall remain in full force and effect. The headings in these Supplemental Terms are inserted for reference and convenience only and shall not enter into the interpretation hereof.