NETBANK (A RURAL BANK) INC.
BANKING-AS-A-SERVICE (BAAS) LICENSE AGREEMENT

BACKGROUND AND NATURE OF THE AGREEMENT

Subject to the terms and conditions under this Agreement, the DFS Provider shall allow access to its banking services (“Services”) via application programming interfaces ("APIs"), file upload platform (“File Upload Platform”), and/or a white-labeled mobile application (“White-Labeled App”) which are all made available in an openly accessible developer portal website, hereinafter called the “Netbank Virtual”.
The Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, including all elements, objects, rights, materials, licenses, codes, tools, credentials, and access, software libraries, software tools, sample source code, published specifications, and documentations within, will all be collectively known in this Agreement and its attachments as the “BaaS Program”
TPSPs can use and access the BaaS Program to (i) build products and serve their clients and end-users (“End-User”) using the End-User's data where necessary and/or (ii) streamline their internal processes and capabilities.
This agreement, including all attachments, schedules and documents incorporated by reference, sets out the rights and obligations of each Party as they relate to the provision of the BaaS Program
The TPSP will put in place terms and conditions with the End-User directly in relation to the provision of the Services.
By signing this Agreement, the TPSP hereby agrees to be bound by this Agreement and further agrees that its attachments, and all future updates and revisions announced through Netbank Virtual and circulations thereto are deemed incorporated in this Agreement and made integral parts hereof (collectively, the “Terms”). The DFS Provider will duly notify the TPSP of the said updates before implementation of such.

GRANT OF LICENSE BY THE DFS PROVIDER

BaaS Program License. Subject to the terms set forth in this Agreement and in the annexes herein attached and policies implemented from time to time, the DFS Provider grants the TPSP a limited, non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free license to access and use the BaaS Program solely to:
1. Use the BaaS Program or otherwise enable the TPSP's internal development efforts to build applications, platforms and/or services (“TPSP’s Products”) in conjunction with the Services referenced in this Agreement for which the BaaS Program was provided;
2. receive information and send requests related to the BaaS Program in accordance with this API Agreement;
3. display digital content and information solely in the TPSP's Products;
4. modify content only to format it for display to end TPSPs; and
5. use and display DFS Provider Marks only to identify that applications, platforms and/or services are a result of DFS Provider’s BaaS Program which originated from the DFS Provider, and in no case without the DFS Provider’s written consent.

License to the DFS Provider’s trademarks. Subject to the terms set forth in this Agreement, the DFS Provider hereby grants the TPSP a limited, non-exclusive, revocable, non-transferable, non-sublicensable, royalty-free license to include the DFS Provider’s trademarks in the TPSP’s Products solely for the limited purpose of identifying the source of the content/services that will be developed as part of the BaaS Program. The TPSP will strictly follow all rules and branding guidelines provided by the DFS Provider as part of the BaaS Program.
1. At all times, each use of the DFS Provider’s trademarks by the TPSP:
  1. must be in conjunction with the DFS Provider’s Terms and Conditions and/or the TPSP’s Products;
  2. must not disparage or cause harm to, impair, prejudice or tarnish the image, reputation or goodwill of the DFS Provider, its products and services, trademarks, tradenames, intellectual and other proprietary rights (whether registered or not), or cause either the DFS Provider, its directors, officers or employees to be in breach of relevant rules and regulations. In the event that the DFS Provider is, in its reasonable determination, exposed or is in danger of being exposed to any claim, threat, event, activity, act or conduct by TPSP that impairs, prejudices and/or tarnishes or may impair, prejudice or tarnish the image, reputation or goodwill, of the DFS Provider or any of its products or services, the DFS Provider's directors, officers or employees, or cause them to violate any law, directive or regulation, the DFS Provider shall have the right to immediately terminate this Agreement upon notice to the TPSP.
  3. is subject to prior written approval by the DFS Provider at its sole discretion.

The TPSP may not use any of the DFS Provider’s trademarks for any purpose not expressly authorized herein, unless it is with the DFS Provider’s prior written consent.
The TPSP shall not efface, remove, or modify the DFS Provider’s trademarks from the TPSP’s Products.
The TPSP's use of the DFS Provider's Trademarks shall in no way be interpreted nor be represented to be equivalent to the DFS Provider's warranty over, recommendation, approval or endorsement of the TPSP's Product/s and such statement shall be disclosed clearly, published and made visible to the End-Users and all TPSPs of the TPSP's Products.

GRANT OF LICENSE TO THE DFS PROVIDER
1. Subject to the terms set forth in this Agreement, the TPSP, with respect to the TPSP’s name, products, trademarks and associated logos (collectively, “TPSP’s Marks”), hereby grants the DFS Provider, for the duration of this Agreement, a royalty-free, non-exclusive, worldwide, irrevocable right, and perpetual license to:

use, demonstrate, and display the TPSP’s Marks for purposes of marketing, demonstrating, and making the TPSP’s Products available to the DFS Provider’s clients;
link to and direct the DFS Provider’s clients to the TPSP’s Products;
sublicense the foregoing rights to the DFS Provider’s affiliates at no cost to the DFS Provider or the DFS Provider’s affiliate;
subject to the Data Privacy measures stated in this Agreement, reveal personal information about the TPSP’s officers and/or developers for attribution purposes, handling inquiries, and other purposes the DFS Provider reasonably deems necessary under this Agreement;
publicly refer to the TPSP, orally or in writing, as a user of the DFS Provider’s BaaS Program;
publish the TPSP’s Marks (with or without a link to TPSP’s Application) on the DFS Provider’s site, platforms, press releases, and promotional materials without additional consent;
use, modify, commercially exploit and/or incorporate into the BaaS Program any suggestions, enhancement, requests, recommendations or other feedback the DFS Provider receives from the TPSP. If incorporated, such suggestions enhancement, requests, recommendations or feedback shall form part of and shall become the DFS Provider’s Intellectual Property and BaaS Program, and the DFS Provider shall not be obligated to provide financial compensation to the TPSP or any other person in connection with such suggestions, enhancement, requests, recommendations or feedback; and
any and all other acts related to the foregoing that will enable the DFS Provider to exercise its rights and perform its obligations under this Agreement. Any use of TPSP’s Marks shall be in accordance with TPSP’s reasonable trademark usage policies if such policies are communicated to the DFS Provider.

USE LIMITATIONS AND OTHER OBLIGATIONS

TPSP understands that any violation of the following shall be considered breach and shall entitle the DFS Provider to immediate termination of this Agreement, suspension or termination of access to the BaaS Program and shall make TPSP immediately liable, together with any other party involved in the violation, to the DFS Provider for full indemnity, damages and all other remedies under this Agreement and applicable law.

Software. The TPSP will not or not attempt to, nor will allow others to, under any circumstance:
1. reverse engineer, decompile, disassemble, decrypt, de-obfuscate, unmask all or any portion of the BaaS Program; and
2. interfere with, modify, disrupt or disable features and functionalities or security controls of all elements under the BaaS Program, including any such mechanism used to restrict or control the functionality, or defeat, avoid, bypass, remove, deactivate or otherwise circumvent any software protection or monitoring mechanisms of the elements and services within the BaaS Program; and
3. reproduce, duplicate, copy, sell, resell or exploit any portion of the BaaS Program without the express written permission by and agreement with the DFS Provider.
File Upload Platform [to be disregarded if not applicable to the TPSP]. If applicable, the TPSP will be given access to the file upload platform as one of the channels where requests for transaction processing and banking services can be passed to the DFS Provider.
1. The TPSP agrees to upload a file in the mutually agreed format supplied with complete, relevant, truthful, and accurate information that is necessary to properly process the requests under the BaaS Program.
2. The TPSP shall ensure that there are adequate funds in the nominated Settlement Account (as stated in Section 6 of this Agreement) from which debit and credit instructions would be imposed on. In the event that the funds are not sufficient, the transaction and file shall be void and, in such cases, both Parties agree that no valid transaction has been made.
3. The TPSP shall, at all times, agree and abide to the product and service guidelines (format, process, limitations, restrictions, cut-off time and schedule) presented by the DFS Provider and as part of the BaaS Program.
4. The file uploaded or sent to the File Upload Platform including the content, details, and data within it is the TPSP’s sole responsibility. In case of erroneous, inaccurate, incorrect, and/or malicious details in the file uploaded/sent to the File Upload Platform, the TPSP acknowledges that the TPSP is solely responsible, and the DFS Provider has no responsibility or liability of any kind. The TPSP agrees to fully defend, hold harmless, and indemnify the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs).
5. The TPSP shall ensure that only appointed and authorized users shall have access to the File Upload Platform and to keep their credentials and authentication tokens secure and strictly confidential, and take steps to prevent unauthorized use thereof.
White-Labeled App [to be disregarded if not applicable to the TPSP]. If applicable, the DFS Provider can provide a white-labeled mobile banking application to the TPSP from which select banking services will be made available.
1. The White-Labeled App can be customizable by the TPSP up to the extent that is defined by the DFS Provider.
2. The DFS Provider will customize the White-Labeled App based on the mutually agreed branding, services, and components and publish it in the Google Play Store and Apple Store (collectively, the “App Stores”),
3. The TPSP will provide all the necessary and relevant information, resources, and support to assist the DFS Provide in customizing the White-Labeled App. The TPSP assumes sole responsibility for the resources, content, materials, and marks that are provided to the DFS Provider for customization and it ensures that it is compliant with the policies and regulations of the App Stores. In case of erroneous, inaccurate, incorrect, and/or malicious details in the materials sent to the DFS Provider, the TPSP acknowledges that the TPSP is solely responsible, and the DFS Provider has no responsibility or liability of any kind. The TPSP agrees to fully defend, hold harmless, and indemnify the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs).
4. The TPSP acknowledges that the DFS Provider cannot control and guarantee the approval decisions or the timeframe for review and approval by the App Stores. Upon completion of the customization of the White-Labeled App and the final approval by the App Stores, the DFS Provider will make the customized White-Labeled App available to the TPSP for distribution and use of the TPSP’s End-User.
5. The TPSP shall abide to any upfront fee, such as set up fees, that may be required by the DFS Provider to support the development and customization of the White-Labeled App. The TPSP acknowledges that setup fees are non-refundable once the initiative has started.
6. The TPSP will assist in testing and assessing the customized White-Labeled App to ensure its usability and reliability. Once deemed satisfactory, the TPSP shall sign-off on the current build of the customized White-Labeled App which signifies the TPSP’s acceptance of the product to be published in the App Stores.
7. The DFS Provider, at its sole option, may from time to time provide updates to the White-Labeled App. The TPSP is required to accept updates, and acknowledges that, by downloading or installing the updates, those updates will be considered part of the White-Labeled App and subject to the terms and conditions of this Agreement.
8. Except as set forth in this section, all rights, title and interest in and to: (a) the White-Labeled App and (b) all works, inventions and other subject matter incorporating, based on, or derived from any White-Labeled App, including all customizations (exclusive of TPSP’s own trademarks and copyrights), enhancements, improvements and other modifications thereof, by whomsoever made and including all Intellectual Property Rights therein, are and will remain with the DFS Provider. The TPSP acknowledges and agrees that the TPSP has no right under this Agreement to receive the source code for the Application.
9. The TPSP shall act as the direct support for its own End-User and receive the needs and concerns with the White-Labeled App. The DFS Provider will not have any liability related to or arising from the use or access of the TPSP’s End-User. The DFS Provider will provide the necessary support to the TPSP if the issue or concern has been deemed to be within the DFS Provider’s Services.

Access and Use of Authentication Tokens and Credentials.
1. The TPSP will not or attempt to (and will not allow others to) under any circumstance:
  1. distribute, disclose, publish, market, sell, rent, lease, sublicense or assign to a third party any BaaS Program credentials and authentication tokens to which the TPSP has access unless otherwise expressly permitted herein or specifically authorized in writing by the DFS Provider;
  2. distribute, publish, or allow access or linking to BaaS Program from any location or source other than the TPSP’s Products;
2. The DFS Provider shall provide tokens and credentials that will serve access to the TPSP acceptance testing environment (“UAT”), and production environment (“PROD”) which are all hosted within the DFS Provider’s capabilities.
3. The TPSP shall only access or use any material or environment within the BaaS Program which contains non-public information, through the unique licensed access credentials issued upon successful registration and creation of accounts within the BaaS Program. Such information shall be treated as strictly confidential and shall be used only for purposes allowed under this Agreement as expressly relayed to the DFS Provider. Such access in no way grants nor will ever grant any proprietary rights or interest over said information to TPSP. For the avoidance of doubt, the DFS Provider owns all tokens and credentials (including, but not limited to, any and all intellectual property rights related thereto). In accordance to Clause 16.3, the DFS Provider reserves the right to limit access to and/or suspend the TPSP’s access to the BaaS Program at its sole discretion and without need of prior notification in the event it determines that the TPSP has breached this Agreement or the Terms and Conditions.

Use of Licensed Materials and Content. The TPSP will not or attempt to (and will not allow others to) under any circumstance:
1. distribute, disclose, publish, market, sell, rent, lease, sublicense or assign to any third party the licensed materials or any part thereof to which the TPSP has access under the BaaS Program unless otherwise expressly permitted herein or specifically authorized in writing by the DFS Provider;
2. use any licensed material, the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program for any unlawful, illegal, harmful, offensive, threatening, abusive, libelous, harassing, defamatory, vulgar, obscene, profane, hateful, fraudulent, sexually explicit, unauthorized, or other improper purposes that encourages conduct that would constitute a criminal offense, give rise to civil liability, or otherwise violate any applicable laws;
3. publish results of any benchmark test runs on the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program without prior written permission from the DFS Provider;
4. aggregate, cache, or store location data and other geographic information contained in the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program. The license only allows the TPSP to use such location data and geographic information to identify the location tagged by the elements within the BaaS Program. Any use of location data or geographic information on a standalone basis or beyond the license granted herein is a breach of this DFS Provider’s API Agreement which will entitle the DFS Provider to indemnity under Sec. 12 hereof.

End-User Data Privacy. To the extent that TPSP’s Products will store, process or transmit end-user data (“End-User Data”), the TPSP warrants that it has secured the consent of the end user to the extent required by the Data Privacy Act of 2012, its Implementing Rules and Regulations (IRR) and other relevant issuances of the National Privacy Commission (NPC).

To the extent that End-User Data was received by the DFS Provider from the TPSP about the latter’s end-users, the TPSP acknowledges and agrees that the DFS Provider is a processor as defined under the DPA, IRR, and other relevant issuances of the NPC. As such, the DFS Provider agrees to:

Process all End-User Data only upon the documented instructions of the TPSP;
Ensure that an obligation of confidentiality is imposed on persons authorized to process the End-User Data;
Implement appropriate security measures and comply with the DPA and its IRR and other issuances of the NPC;
Not engage another processor without prior instruction or written consent from the TPSP: Provided, that any such arrangement instructed by or consented to by the Partner shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
Assist the TPSP, by appropriate technical and organizational measures and to the extent possible, to fulfil the obligation to respond to requests by end TPSPs relative to the exercise of their rights;
Assist the TPSP in ensuring compliance with the DPA, its IRR, other relevant laws, and issuances of the Commission, taking into account the nature of processing and the information available to DFS Provider;
At the choice of the TPSP, delete or return all Personal Data to the TPSP after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the DPA or another law;
Make available to the TPSP all information necessary to demonstrate compliance with the obligations laid down in the DPA and its IRR, and allow for and contribute to audits, including inspections, conducted by the DFS Provider or another auditor mandated by the latter;
Immediately inform the TPSP if, in its opinion, an instruction infringes the DPA, its IRR, or any other issuance of the NPC.

Data Privacy to Other Third-Party Service Providers
1. The TPSP acknowledges that, under an obligation of confidentiality, the DFS Provider will allow access to personal data to authorized third-party service providers/vendors/suppliers/subcontractors/consultants who provide outsourced functions including, within or outside the Philippines, among others:

Cloud storage facilities/systems to meet the company’s storage management requirements;
Credit Investigation;
Collections;
Marketing;
Internet & Mobile applications; and
Other outsourcing functions as approved by its Board of Directors.

With this, the TPSP agrees that other corporate partners (“Other Third Party Partners”) may be informed that the TPSP’s clients have accounts in Netbank. The Other Third Party Partners will not be informed that the client has been opened by the TPSP and will not have access to personal data, other than the name. The Other Third Party Partners also will not have access to the balances of the accounts opened as a result of the TPSP’s partnership with the client and will not be able to see any details of transactions.

The DFS Provider remains responsible over the personal data disclosed to the Other Third Party Partners. As such, the DFS Provider will ensure that the Other Third Party Partners are contractually obligated to comply with the requirements of the Data Privacy Act of 2012 ( RA 10173) and its implementing rules and regulations and shall process data strictly in accordance with the purposes enumerated above.

The DFS Provider may employ third-party companies and individuals (“Other Third Party Providers”) for the following purposes:

To facilitate our Service;
To provide the Service on our behalf;
To perform Service-related services; or
To assist us in analyzing how our Service is used.

The DFS Provider provides the Other Third Party Provider access to personal information for the effective performance of their assigned task on the DFS Provider’s behalf, based on the DFS Provider’s instructions and in compliance with the DFS Provider’s Privacy Policy and other appropriate confidentiality and security measures.

To the extent that customer record, account, and transaction information were received by the TPSP from the DFS Provider about the former’s end-users, the TPSP acknowledges and agrees that the TPSP will abide by the clauses stated in Schedule 3 and Section 3 of the “Data Sharing Agreement” of this Agreement and Republic Act No. 1405.

Content and BaaS Program Updates. The TPSP acknowledges that the DFS Provider is the sole and exclusive owner of the BaaS Program. The DFS Provider may update or modify content, material and systems within the BaaS Program from time to time, and at its sole discretion without need for notice to the TPSP and without incurring any liability therefor. The TPSP is required to implement and use the most current version of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program and to make any changes to the TPSP’s Products that are required as a result of such update, at the TPSP’s sole cost and expense. Updates may adversely affect the manner in which the TPSP’s Products access or communicate with the DFS Provider’s APIs or display content.

The TPSP acknowledges that the TPSP is solely responsible, and the DFS Provider has no responsibility or liability of any kind for the content, development, operation, support or maintenance of the products built, developed or provided by the TPSP.

Sole Liability for Access to the BaaS Program and for TPSP Products. The TPSP acknowledges that the TPSP is solely responsible, and the DFS Provider has no responsibility or liability of any kind for the content, development, operation, support or maintenance of the products built, developed or provided by the TPSP. Neither does the DFS Provider have any liability related to or arising from the TPSP's use or access the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program, or from the TPSP End-User’s use and access of TPSP's Products.

Support. This Agreement does not entitle the TPSP to any support or assistance from the DFS Provider with regard to the development of the TPSP’s Products or with regard to support and assistance to the End-User of the TPSP's Products. The TPSP shall not represent to any such End-User or any party that (i) the DFS Provider is available nor obligated to provide such support, (ii) the DFS Provider has any liability in relation to the TPSP’s Product(s).

The TPSP is solely and entirely responsible for the TPSP’s Products including but not limited to any actions taken and/or any claims made by others related to the TPSP’s Products, the development, operation, maintenance and compliance with all applicable laws of the TPSP's Products, and all materials that appear on or within the TPSP’s Products.

Security Procedures and Protocols.

The TPSP warrants that it shall always comply with all instructions or recommendations that the DFS Provider may issue from time to time regarding integration and security. The TPSP agrees that the DFS Provider is not responsible for the privacy, security or integrity of the TPSP’s Products. The TPSP shall be solely liable for setting up, maintaining, and regularly reviewing security arrangements concerning access to, and use of, the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, any element within the BaaS Program including information stored on the TPSP’s computing and communications systems, and authorized and designated TPSPs’ control of passwords, security devices and access to the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program.
The TPSP confirms and warrants that it has assessed the security procedures and protocols within the BaaS API Program and has determined that these features, in combination with its own security measures, are adequate for the services and accounts opened in connection with this Agreement across all development environments.
The TPSP shall ensure that its duly authorized and designated users, personnel, and/or staff shall keep their credentials and authentication tokens secure and strictly confidential, and take steps to prevent unauthorized use thereof. The TPSP shall indemnify and agrees to hold the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives, free and harmless from any and all claims, whether filed or threatened, of liability, loss, injury or damage caused to any party related to, arising from or incidental to such unauthorized access,
The TPSP is solely responsible for the performance and protection of any browser, operating system, or application used to connect to the elements within the BaaS Program including the prompt adoption by the TPSP of all security patches and other security measures issued or recommended from time to time by the suppliers of such browsers, operating systems, or applications.
In the event that the TPSP requests for access to the UAT environment, the TPSP shall first submit said request to the DFS Provider with all information required by the DFS Provider which shall include, at a minimum, the specific scope and functionalities of the TPSP’s Products. The DFS Provider shall have a right to require access to the test version of the TPSP’s Products to perform the DFS Provider's own testing or a product presentation.
In the event that the TPSP requests for access to the PROD environment, the TPSP must ensure that the specifications of the TPSP’s Products meet the agreed scope, purpose, and functionalities stated in the Application Specifications Section stated and defined in the Partner Dashboard and as an Annex of this Agreement .
The DFS Provider has no obligation to grant the requested access to the UAT and PROD environments. At a minimum, the DFS Provider must be satisfied that the TPSP’s Products meet certain internal and external regulatory standards, specifications, and policies, including Information Security and privacy policies, end-user obligations, and procedures. Notwithstanding the grant of said request, the DFS Provider shall be held free and harmless from and TPSP shall indemnify the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives, for any and all claims, whether filed or threatened, of liability, loss, injury or damage by any party related to, arising from or incidental to the TPSP’s negligence or misconduct with respect to such access to the UAT and PROD environments.

Service Usage and Charges. The number of calls and requests sent to the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program will be solely upon the TPSP’s discretion but is subject to fees and charges as stated in the subscription plans provided in the BaaS Program and in accordance with the agreed rates as stated and defined in the Partner Dashboard or, for customized commercial models, stated and defined as an Annex of this Agreement or other Agreements to be executed by the Parties.
The TPSP shall at all times, respect and comply with the technical and policy-implemented limitations of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program and the restrictions set by the DFS Provider found either in this Agreement, or otherwise relayed to TPSP, in designing and implementing the TPSP’s Products. Without limiting the foregoing, The TPSP shall not violate any explicit limitations on calling or otherwise utilizing the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program.
The TPSP shall promptly block, and notify the DFS Provider of, any known or suspected unauthorized or prohibited use of any element within the BaaS Program;
The TPSP shall ensure that the necessary terms and conditions set forth in this Agreement will reflect in the terms of service that will govern the use of TPSP Products by TPSP’s end-users.
The DFS Provider shall have the right to audit, directly or through its representatives, at any time (during reasonable hours if onsite audits are necessary), without need for prior notice, the TPSP’s use of and access to the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program and the TPSP will fully cooperate and provide all required information and assistance for this purpose. The TPSP agrees to immediately perform modifications and/or corrective measures regarding its use of and access to the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program to comply with the recommendation of DFS Provider.

END-USER AUTHENTICATION AND CONSENT

On each occasion that the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program receives a call from the TPSP for the End-User’s data, the DFS Provider will authenticate each End-User and authenticate the TPSP.
Once satisfied as to the identity of both the End-User and the TPSP, the DFS Provider will then provide the TPSP with the relevant and necessary data regarding the End-User that is required in order to carry out the End-User's request for access or use of TPSP’s Products solely for the purposes of providing the End-Users with TPSP’s services.
When the TPSP receives the relevant and necessary data regarding the End-User, the TPSP will provide the End-User with the products and services that the End-User requested for.

SETTLEMENT ACCOUNT

To avail of the DFS Provider’s BaaS Program or any component thereof, the TPSP shall:

open a deposit account with the DFS Provider (“Settlement Account”) against which all debit and credit transactions necessary for the use of the BaaS Program and the fees, charges, and penalties as described below, in accordance with the agreed rates stated in stated and defined as an Annex of this Agreement or otherwise imposed on TPSP shall be debited.; and
maintain a sufficient balance in the Settlement Account to cover the transaction requests sent to the APIs, File Upload Platform, and White-Labeled App for processing and to cover the fees, charges, and penalties to be collected by the DFS Provider as stated in this Agreement. If there is insufficient balance in the Settlement Account, the DFS Provider will not be able to process the transactions of the TPSP that requires balance in the Settlement Account. If there is another commercial term imposed on the Settlement Account in another agreement with the DFS Provider, the consolidated commercial terms of all the said agreements shall be considered to be applicable on the Settlement Account. For this purpose, the TPSP hereby authorizes the DFS Provider to automatically debit against and/or credit to the Settlement Account all debit and credit transactions necessary for the use of the BaaS Program, fees, charges and penalties due to the DFS Provider without need of prior notice to the TPSP. For the avoidance of doubt, the fees, charges and penalties imposed under this Agreement are in addition to all other fees, charges and penalties imposed on TPSP or on the Settlement Account for any other product or service provided by the DFS Provider or under any other agreement with the DFS Provider. The DFS Provider shall not assume any liability for the consequences or risks related to, arising from or incidental to its debiting of the Settlement Account under this Agreement, including any claim of loss, liability or damage of any party and the TPSP shall indemnify and hold the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives, free and harmless against any such liability and risk.

INVOICING AND PAYMENTS

TPSP shall pay the fees, charges, and penalties as stated and defined in the Partner Dashboard, this Agreement, and other agreements to be executed by the Parties.
All payments to be made to the DFS Provider by the TPSP under this Agreement shall be paid in the manner stated in this Section. The DFS Provider shall send to the TPSP a monthly receipt, within fifteen (15) calendar days after the end of each month that shows the usage of the BaaS Program by the TPSP and corresponding fees, charges and penalties. Said fees, charges and penalties are immediately due and payable upon the sending of said invoice by the DFS Provider and are collected via an Auto-Debit Arrangement as stated in clause 6.2.
The TPSP acknowledges that it has the responsibility to report to the DFS Provider in case of any discrepancy in the invoice.
In such a case that the available balance on the Settlement Account is not sufficient to cover the payable amount at the moment of the auto-debit collection, the DFS Provider will inform the TPSP to fund the account to cover the collection. The DFS Provider will re-attempt to perform the auto-debit collection against the settlement account on a daily basis until there is sufficient balance to pay the invoice and/or penalties in full. The DFS Provider reserves the right to terminate the access to the BaaS Program during such a scenario.
Unless otherwise allowed by the DFS Provider in writing or if the TPSP is a Top Withholding Tax Agent identified by the Bureau of Internal Revenue (BIR) or is in any case required by the law or the BIR to be a withholding tax agent, the DFS Provider shall have the right to automatically deduct the full amount of all fees, charges and penalties, including Creditable Withholding Tax (“CWT”) payable by the TPSP from the Settlement Account through an Auto Debit Arrangement. The TPSP, in signing this Agreement, hereby consents and authorizes the DFS Provider to deduct any and all amounts due to the DFS Provider under this Agreement. Any debiting not done for whatever reason as mentioned above shall not constitute a waiver of the DFS Provider's right to be paid and to debit said amounts. As such, the DFS Provider shall have the right to immediately debit said un-debited amounts without need of further notice.
If the TPSP chooses to remit the CWT directly to the Bureau of Internal Revenue (BIR), it shall only be credited the amount of the CWT upon the submission of the Certificate of Creditable Tax Withheld at Source (BIR Form No. 2307) evidencing CWT payment not later than fifteen (15) calendar days from the end of the month when the deduction was made by the DFS Provider. Should the TPSP fail to submit the said document within the given period, the DFS Provider shall have no obligation to credit back the CWT to the TPSP’s Settlement Account and shall have every right to refuse any request by the TPSP for the reimbursement of the amount deducted.

DISCLAIMERS

The BaaS Program and content therein are made available on an as is-where is basis and the DFS Provider makes no warranties, promises or claims related to the availability, uptime, or accuracy, absence of errors, viruses, malware or defects, suitability or fitness for a particular purpose of BaaS Program and/or any content within. The DFS Provider shall thus not be liable for any claims of liability, damage, loss or injury that may be caused, directly or indirectly, to any party and the TPSP shall hold the DFS Provider free and harmless from said liability where such errors, mistakes, viruses, malware, defects, or delays affecting the availability, uptime, or accuracy, are not attributable to the DFS Provider’s gross negligence and willful misconduct.
Nothing herein shall be construed as a representation by the DFS Provider that the information and materials contained in or accessed through the BaaS Program is absolutely appropriate or automatically available for use in geographic areas or jurisdictions other than the Philippines. Separate agreements may be necessary per jurisdiction on a case to case basis and if needed and applicable.

NO POACHING Unless TPSP has the prior written agreement with the DFS Provider’s client, during the effectivity of this Agreement for any reason, the TPSP agrees to not, directly or indirectly, for the TPSP’s benefit or on behalf of any person, corporation, partnership or entity whatsoever, call on, solicit, perform services for, interfere with, or endeavor to entice away from the DFS Provider the clients to whom the DFS Provider provides services through the BaaS Program by offering similar services. For this purpose, the TPSP further agrees to not solicit, perform services for, interfere with, or endeavor to entice away any client that has an engagement with the DFS Provider. In the event that the DFS Provider becomes aware of an engagement that the TPSP has entered with an existing DFS Provider client that overlaps the Services, the DFS Provider shall inform the TPSP and the TPSP shall discontinue the engagement with the client or establish terms that will be agreed by both parties.

REVIEW OF COMMERCIAL TERMS

This Agreement, specifically the commercial terms thereof, i.e. fees, charges, and/or the related documents or instruments required herein, shall be reviewed by both Parties every six (6) months or an earlier period as determined by any Party, reckoned from the date of execution of this Agreement. If no review of commercial terms was conducted, both Parties shall continue with the existing agreement. The DFS Provider reserves the right to impose or revise the fees, charges, and commercial terms with prior notice, in line with clause 1.6, before imposition of such revision.

INTELLECTUAL PROPERTY OWNERSHIP
1. Except for the TPSP's intellectual property rights in the TPSP Products not derived from the DFS Provider IP and Confidential Information as defined herein, any and all intellectual property embodied in, supporting and contained in the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program, this Agreement and its attachments, any and all information relating to the DFS Provider, its customers or service providers, technology, technological improvements, all trademarks, domain names, trade secrets, formulas, ideas, designs, concepts, specifications, drawings, blueprints, tracings, diagrams, models, samples, flow charts, data computer programs, disks, diskettes, tapes, algorithms, software programs, discoveries, research, development, licenses, software, hardware, systems, solutions, content, data, processes, forms, materials, know-how (whether registered or not), its businesses, products and services, designs, framework, business models, processes, rules, requirements, mechanics, terms and conditions, circulars, policies and procedures, guidelines, marketing plans or techniques, customer names, including data logs, database files, market data, client data, transaction data, data analytics, statistics, loan documentation, audit trails, operational data, any and all written, oral or other information, whether tangible or intangible, which originates from the DFS Provider, its agents, customers, service or data providers, or which are hosted in or processed by the DFS Provider, including any information related to any identified or identifiable natural or legal person, such as the DFS Provider’s employees, customers, potential customers, partners or any other third party (including such third parties’ employees) and any other additional data deemed as personal data under the DPA, IRR and all applicable issuances of the NPC applicable personal data protection laws, regardless of whether such data and/or information is in raw, formatted, developed, transformed or derived form, and any and all other intellectual property and/or proprietary rights or assets, are the sole property of the DFS Provider (or of its licensors under License agreements with the DFS Provider, as the case may be) ("DFS Provider IP and Confidential Information"). Except for those explicitly granted under this Agreement, no other rights, permissions, or licenses, express or implied, are granted, or can be deemed to be granted to the TPSP, its end TPSPs, or any other party with respect to any of the DFS Provider's IP and Confidential Information.

The TPSP expressly acknowledges that the DFS Provider holds and shall retain all worldwide right, title and interest in and to the DFS Provider IP and Confidential Information and TPSP agrees not to do, or ensure that its end TPSPs or any party given access to the DFS Provider IP or Confidential Information pursuant to the license granted to TPSP is prohibited from doing and shall not do, anything inconsistent with such ownership, including without limitation, disputing, challenging or questioning the DFS Provider’s ownership of the DFS Provider IP, challenging the DFS Provider's capacity to grant the licenses granted herein, or otherwise copying or exploiting the DFS Provider IP, during or at any time after the completion, expiry or termination of this Agreement. TPSP hereby assigns to the DFS Provider the entire Intellectual Property and other proprietary rights whether vested, contingent or future and all rights of action and all other rights of whatever nature in and to the DFS Provider IP, whether now existing or in the future created, to which TPSP may now or may at any time after the date of this Agreement or any renewals or extensions, be entitled by virtue of or pursuant to any of the laws in force in any part of the world throughout the world. TPSP shall execute all further documents and deeds necessary or required by the DFS Provider to effect, perfect, record, or register such assignment.

CONFIDENTIALITY AND NON-DISCLOSURE OF DFS PROVIDER IP AND CONFIDENTIAL INFORMATION

With respect to the DFS Provider IP and Confidential Information disclosed to or to which TPSP, its TPSPs or any party gains access to pursuant to or by virtue of this Agreement, the TPSP agrees to comply, and ensure that said end-users and other TPSPs comply (including explicitly mandating the same in writing on said TPSPs), with the following:

a. Protect and treat the DFS Provider IP and Confidential Information with the strictest confidentiality, ensuring that the same is protected from unauthorized use, access, or disclosure, in the same manner that the TPSP would use to protect their own confidential and proprietary information of a similar nature and in no event with less than the standards required under applicable law, by the DFS Provider or the applicable reasonable degree of care, whichever is more stringent;

b. Not make or provide copies of, divulge, disseminate, or otherwise disclose to any third party the DFS Provider IP and Confidential Information;

c. Use said Information only as necessary in exercising rights granted in this Agreement, noting that any doubt in the scope of said rights shall be interpreted in favor of confidentiality;

d. Destroy all copies of the DFS Provider IP and Confidential Information in the TPSP’s and/or the TPSP’s contractors’ or third-party agents' or end-users' possession, or control, in whatever form, and, upon request, certify such destruction to the DFS Provider upon termination of this Agreement.

REPRESENTATIONS AND WARRANTIES. The TPSP warrants and represents that:
1. It possesses all required authority and permits to enter into this Agreement;
2. It possesses all required regulatory licenses, registrations, and compliance controls to operate the services that they are providing/looking to provide to the End-User;
3. Its signatory is able and duly authorized to enter into this Agreement on behalf of the TPSP;
4. It is not concealing or disguising its identity or its affiliation with any entity or person, and its real intention and purposes or the purposes of the TPSP Products, from the DFS Provider;
5. It has a legitimate, lawful purpose for accessing and using the DFS Provider’s API Program and any component therein;
6. It will not perform any act or make any statement that causes harm or may, in the determination of the DFS Provider, cause harm to the DFS Provider, its directors, officers or employees or to the DFS Provider IP and Confidential Information, or cause the DFS Provider, its directors, officers or employees, service providers or customers to be in breach of laws, rules and regulations, or any of the DFS Provider's obligations with another party, or which cause or may cause damage to or impair, prejudice or tarnish the image, reputation or goodwill of and attached to the DFS Provider, its products or services, its directors, officers or employees. In the event that the DFS Provider, in its sole reasonable determination, is exposed or is in danger of being exposed to any claim, threat, event, activity, act or conduct by TPSP, its End-User or any party that gained access to any of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program (or Confidential Information) by virtue of or pursuant to this Agreement, that causes or exposes or may cause or expose the DFS Provider, its directors, officers and employees, customers or service providers, to any damage, loss or liability, or that impairs, prejudices and/or tarnishes or may impair, prejudice or tarnish the image, reputation or goodwill, of the DFS Provider, its directors, officers or employees or any of the DFS Provider's products or services, the DFS Provider shall have the right to immediately terminate this Agreement and/or suspend or terminate TPSP's license and all related access to the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program, DFS Provider IP and Confidential Information, without need for notice to TPSP.
7. The TPSP Products and the use thereof by its End-Users and the activities with respect to such TPSP Products do not and will not violate, misappropriate or infringe upon the intellectual property rights of any third party, violate any laws and regulations, or violate or circumvent any contractual obligation of TPSP;
8. Its execution of this Agreement and performance of its obligations herein do not violate any laws and regulations;
9. It has the ability to access and use the BaaS Program with privacy and has in place all security measures reasonably adequate to preserve the confidentiality and security of the BaaS Program and the DFS Provider IP and Confidential Information, including the ability to promptly block, and notify the DFS Provider of, any known or suspected unauthorized or prohibited use of any element within the BaaS Program;
10. The TPSP's access to and use of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program or participation in the BaaS Program shall not, at any time interrupt, interfere, or adversely affect the operations or performance of the operational systems of the DFS Provider.
11. The TPSP agrees to notify the DFS provider of any projected changes to volume or service utilization patterns that affect access to and use of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program

INDEMNITY
1. The TPSP hereby agrees to fully defend, hold harmless, and indemnify the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives, from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs) suffered or incurred by the DFS Provider in connection with or arising from:
  1. the TPSP’s access of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program, and/or related online services, or
  2. any other party's access of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program, and/or related online services using the TPSP’s BaaS Program credentials and/or authentication tokens, or
  3. the TPSP’s breach of its obligations in and/or provision of this Agreement, and any and all updates thereto
  4. the TPSP’s breaches any of its direct or implied representations and warranties under this Agreement or any of said representations or warranties becomes invalid, unlawful or unenforceable;
  5. any claim or dispute between the TPSP and its End-User arising from and in connection with the use of the BaaS Program and/or with this Agreement and the addenda hereto;
  6. The TPSP’s commission or omission of acts which, in the opinion of the End-User, shall or has endangered the interest and security of the End-User or its assets, goodwill or reputation; and
  7. The TPSP’s direct acts or omissions resulted in violation of the Data Privacy Act of the Philippines and other applicable data protection laws.
2. The DFS Provider hereby agrees to fully defend, hold harmless, and indemnify the TPSP, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives, from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs) suffered or incurred by the TPSP in connection with or arising from TPSP’s use of information materials provided by DFS Provider, pursuant to the terms of this Agreement, the TPSP agrees to settle such claims or take other necessary measures to protect the DFS Provider from any further damages and losses, and shall fully indemnify the DFS Provider, its subsidiaries, affiliates, parent, directors, officers, employees, agents, and representatives for such further damages and losses.

LIMITATION OF LIABILITY
1. The DFS Provider shall not be liable for any and all losses, damages, injuries, or claims of whatever nature due to fortuitous events, force majeure, typhoons, floods, earthquakes, public disturbances, calamities, and other similar causes or due to any act or circumstance beyond the control of the DFS Provider, or for which the DFS Provider is not responsible, or not otherwise attributable to the gross fault or negligence of the DFS Provider, such as but not limited to: (a) prolonged power outages, breakdown in computers and communication facilities, and similar causes; (b) inaccurate, incomplete or delayed transmission of information to the TPSP due to disruption or failure of communication devices used for the facilities; (c) indirect, incidental, or consequential loss of data, loss of profit, or damage suffered by the TPSP due to the use or non-use of the BaaS Program; (d) inability to process service requests due to the downtimes and issues on the external 3rd-party systems that the components of the BaaS Program are connected to.
2. The DFS Provider shall not be liable for any and all losses, damages, or claims of whatever nature due to the TPSP’s non-compliance of the TPSP to the stipulations stated in Annex 2 - Section 1 of this agreement.
  1. The DFS Provider shall not be liable for any and all losses, damages, or claims of whatever nature due to the TPSP’s non-compliance to the API integration general guidelines that are stated in, but not limited to, the “General Guidelines” section of the Netbank Virtual API Documentation (https://virtual.netbank.ph/docs#section/GENERAL-GUIDELINES) and Annex 2 - Section 1 of this agreement.
  2. The DFS Provider shall not be liable for any and all losses, damages, or claims of whatever nature due to the TPSP’s mishandling and/or misinterpretation of the information or data extracted from the elements of the BaaS Program (API responses, Partner Dashboard, and Email Advisories, etc.) such as, but not limited to the scenarios stated in Annex 2 - Section 2 of this agreement.
3. The TPSP’s use of the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program is at the TPSP’s sole risk. The TPSP shall be solely responsible for any damage to the TPSP’s Products or loss of data that results from the download or use of BaaS Program.
4. To the maximum extent permitted by applicable law, in no event shall the DFS Provider be liable for any special, incidental, indirect, or consequential damages whatsoever (including without limitation damages for loss of business profits or revenue; business interruption or work stoppage; computer failure or malfunction; loss of business information, data or data use; loss of goodwill; or any other pecuniary loss) arising from or incidental to the TPSP’s negligence or misconduct that leads to the inability to use the Services, APIs, File Upload Platform, White-Labeled App, Netbank Virtual, and/or any element within the BaaS Program or the provision of or failure to provide support services, even if the DFS Provider has been advised of the possibility of such damages.
5. The DFS Provider shall in no case be involved in any claim or dispute between the TPSP and its End-User except if the claim or dispute is due to the gross negligence and wilful misconduct of the DFS Provider.
6. Notwithstanding the foregoing, DFS Provider’s aggregate monetary liability for violations of this Agreement will not exceed an amount equal to the total fees paid by TPSP to DFS Provider within the preceding twelve-month period pursuant to this Agreement.

INTEGRITY CLAUSE

TPSP certifies that it has not, directly or indirectly, given or promised to give, and will not give, any gift or favor to any director, officer, employee or any authorized representative of the DFS Provider or any of its subsidiaries or affiliates in connection with the preparation, execution and implementation of this Agreement, except for ceremonial or token gifts of nominal value that are appropriate to the occasion on which they are given. TPSP acknowledges that any violation of this clause is a material breach of this Agreement that will result in the immediate termination of this Agreement and entitle DFS Provider to all rights and remedies under the law and this Agreement.

Neither the TPSP nor, to the best of knowledge of the TPSP after due and reasonable inquiry, any director, officer, agent, employee or other person associated with or acting on behalf of the TPSP, has: (a) used any corporate funds for any unlawful contribution, gift, entertainment or other unlawful expense relating to a political activity; (b) made any direct or indirect unlawful payment to any foreign or domestic government official or employee from corporate funds; (c) violated or is in violation of any provision of the Anti-graft and Corrupt Practices Act of RA 3019; or (d) made any bribe, rebate, payoff, influence payment, kickback or other unlawful payment prohibited under any applicable law or regulation equivalent or similar to the RA 3019 or equivalent laws in other jurisdictions.

TERM AND TERMINATION

This Agreement shall be effective for one (1) year commencing on the date of signing hereof (the “Initial Term”) unless earlier terminated, cancelled, revoked or rescinded by any party in accordance with the termination clauses hereunder. This Agreement shall be renewed automatically for a succeeding term of one (1) year each (the “Renewal Term”) unless either party gives written notice to the other at least thirty (30) days prior to the expiration of any term.

The TPSP may terminate this Agreement at any time before the end of the Initial Term or any Renewal Term by serving a written notice to the DFS Provider ninety (90) days before the intended date of termination.

The DFS Provider shall have the right to terminate this Agreement with immediate effect without need of notification if the TPSP has stopped accessing / using the DFS Provider’s API Portal, the APIs, and all of its content or has failed to meet the required ADB for a continuous and uninterrupted period of ninety (90) calendar days. The Parties understand that a notice by the TPSP regarding the reasons for non-use, such as but not limited to lack of activity or transactions of the Sublicensees, interrupts the ninety (90) day period.

The DFS Provider may immediately terminate or suspend this Agreement or the provision of any service, any rights granted herein, and/or the TPSP’s license to the API Portal, at its sole discretion at any time, for any reasonably providing written notice to the TPSP, in the following cases:
1. in event that the DFS Provider is alerted and/or becomes aware of any of the prohibited behavior or actions stated herein, or
2. if in the DFS Provider’s discretion the TPSP’s continuous access to the service and/or license will cause reputational, compliance, and regulatory, legal, and commercial risk or any other source of potential loss to the DFS Provider, or
3. in event that the DFS Provider is alerted and/or becomes aware of any violation to the representations, warranties, and integrity clauses stated in this Agreement, or
4. in event that the DFS Provider is alerted and/or becomes aware of any breach related to the access and credentials of the TPSP

The termination or modification of any service or rights shall not prejudice any obligation or liability incurred by the TPSP.

Effect of Termination. Upon termination of this Agreement, all licenses granted by the DFS Provider are considered revoked and the TPSP must cease access and use of the Baas Program and all other licensed materials, provided that any such termination shall not relieve the TPSP from liability for any willful breach of this Agreement (which includes without limitation the making of any representation or warranty by the TPSP in this Agreement that the TPSP knew was not true or accurate in all material respects when made. Sections 4 (Use Limitations and Other Obligations), 7 (Fees), 8 (Disclaimers), 10 (Intellectual Property Ownership), 11 (Confidentiality and Non-Disclosure), 12 (Representations and Warranties), 13 (Indemnity), 14 (Limitation of Liability), 16 (Term and Termination), 17.1 (Non-Waiver), 17.2 (Governing Law and Jurisdiction) and 17.3 (Severability) shall remain in full force and effect and survive any termination of this Agreement.

GENERAL PROVISIONS

Non-waiver. The waiver by the DFS Provider of a specific breach, default or its failure to insist upon a strict performance of any of the terms, conditions and covenants hereof shall not constitute the waiver of any subsequent breach or default or a relinquishment, abandonment or waiver of any right or remedy available to the DFS Provider. No waiver by the DFS Provider shall be effective and binding unless expressed in writing and signed by the parties.

Governing Law and Jurisdiction. This Agreement shall be governed by, and construed in accordance with, the laws of the Philippines, without regard to its conflict of laws provisions, and the parties agree to submit to the exclusive jurisdiction of the courts of Makati, Philippines.

Severability. This Agreement represents the complete agreement concerning the DFS Provider’s BaaS Program and may be varied, modified, altered, or amended only by a written agreement executed by the Parties after the date of execution hereof. If any provision of this Agreement is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable.

Neither this Agreement nor any right hereunder may be assigned by the TPSP without the written consent of the DFS Provider.

Section and other Headings. Sections and other headings contained in this Agreement are for reference only and shall not affect the meaning or interpretation of this Agreement.

Counterparts. This Agreement may be executed in two or more counterparts, both of which shall be an original, but together shall be treated as one single document.

ANNEX 2

ADDITIONAL STIPULATIONS

The TPSP understands that:

Section 1. The TPSP must abide by the all of the implementation guidelines stated in the “General Guidelines” section of the Netbank Virtual API Documentation (https://virtual.netbank.ph/docs#section/GENERAL-GUIDELINES)

To fully understand the difference between the development environments of Netbank Virtual
To fully understand and properly implement the Authentication Method required to connect and call the APIs
To fully understand and properly handle the different error scenarios and reasons for rejection from the APIs
To fully understand and properly handle API Timeout scenarios

Section 2. The TPSP must not mishandle and/or misinterpret the information and data extracted from the elements of the BaaS Program (API responses, Partner Dashboard, and Email Advisories, etc.). Here is a list of mishandling and misinterpretation instances that the TPSP must avoid:

API Errors and Timeouts from the APIs
- These API Errors must not be misinterpreted as failed transactions:
  - All Code 13 Errors
  - All 500 Internal Server Errors
  - API Timeout/No response from the API
- API Errors and timeouts must not be misinterpreted as failed transactions and must be validated further by the TPSP through the following mechanisms:
  - By using the idempotency-key header as stated in the “General Guidelines - API TIMEOUT HANDLING AND IDEMPOTENCY” section of the Netbank Virtual API Documentation (https://virtual.netbank.ph/docs#section/GENERAL-GUIDELINES/API-TIMEOUT-HANDLING-AND-IDEMPOTENCY)
  - By validating the transactions via the “Channel Transactions” section of the Netbank VIrtual Partner Dashboard (https://virtual.netbank.ph/transactions/channel/live)
  - By raising and validating with the Netbank Support Team (support@netbank.ph) by sending the following information:
    - API Endpoint URL
    - Environment (UAT/PROD)
    - Trace Id
    - Time of transaction
- For the avoidance of doubt, Disburse-to-Account transactions must only be considered as a "FAILED Transaction" by the TPSP if:
  - the Disburse-to-Account APIs clearly state that the “status” of the transaction is “Rejected” or
  - the Partner Dashboard clearly states that the “status” of the transaction is “Rejected”

ANNEX 3

DATA SHARING AGREEMENT

This Data Sharing Agreement (“DSA”) is effective as of the Effective Date of this Agreement and is entered into by and among the DFS Provider and the TPSP and are hereinafter referred to as such or individually as a “Party” and collectively as the “Parties”, as the case may be.

DEFINITIONS

“Agreement” means the BaaS License Agreement, this DSA and all attached Schedules;

“Authorized Personnel” refers to employee/s or officer/s of the Parties authorized to collect and/or to process Personal Data either by the function of their office or position, or through specific authority.

“Business Day” means a day other than a Saturday, a Sunday, legal holiday, or any other day on which banks located within the Philippines are not open for business.

“Consent of the Data Subject” means to any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and Processing of his/her Personal, Sensitive Personal, or Privileged Information. It shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of a Data Subject by any lawful representative or an agent specifically authorized by the Data Subject to do so.

“Data Subject” refers to an individual who has provided his/her personal information to either Party and has consented to the use and processing thereof, including the sharing and disclosure of the same with third parties in accordance with this Agreement.

“Law” includes any applicable legislation passed by the Congress, ordinances implemented by local government units and administrative issuances, implementing rules and regulations.

“Person” includes (a) any corporation, company, limited liability company, partnership, governmental authority, joint venture, fund, trust, association, syndicate, organization, or other entity or group of persons, whether incorporated or not, and (b) any natural person or individual.

“Personal Information” as defined in the Data Privacy Act of 2012, means any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

“Personal Data” as defined in the Data Privacy Act of 2012, refers to all types of Personal information, and/or Sensitive Personal Information, and/or Privileged Information collected and processed by the Parties.

“Personal Data Breach” refers to an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

“Privileged Information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws, constitute privileged communication.

“Sensitive Personal Information” refers to Personal Information:

About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
About an individual’s health, education, genetics or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or of the sentence of any court in such proceedings;
Issued by government agencies peculiar to an individual, which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, revocation, and tax returns; and
Specifically established by an executive order or an act of Congress to be kept classified.

“Shared Data” refers to all Personal Information being shared by Parties with the under this Agreement.

SCOPE AND PERMITTED USE OF SHARED DATA

Covered Data Subjects and Personal Information. The Parties shall provide the other Party access to the Personal Data of the Data Subjects identified in Schedules “1” and “2” hereof, respectively (the “Shared Data”). It is hereby understood that the right to use and process the Shared Data granted to the receiving Party shall be non-exclusive and non-assignable without the prior written consent of Party sharing the Data. The receiving Party may request to access additional data from the originating Party from time to time as may be necessary to achieve the Purposes as defined below.

Purpose of Data Sharing. The access and processing of the Shared Data shall be exclusively used for the specific purposes enumerated in Schedule “3” hereof and for no other purpose whatsoever (the “Purposes”). If the receiving Party intends to use the Personal Data for other purposes, it shall make a written notice to the originating Party. The approval of the originating Party of such request shall form part of this Agreement.

No Warranty. The Shared Data provided to the receiving Party are based on the documents submitted, information collected, and contents affirmed from the originating Party. Neither Party warrants the sufficiency, truth, or completeness of the Shared Data beyond those that the Data Subject consents to be shared, processed, and used by the Parties in relation to this Agreement.

Consent of the Data Subject. Unless otherwise required or authorized by law, the originating Party shall first obtain the consent of affected Data Subjects prior to the processing of such data, including the data sharing contemplated by this Agreement.

ACCESS TO THE SHARED DATA

Electronic Transmission of Shared Data. To facilitate efficiency in the transmission of Shared Data between the Parties, NETBANK shall grant TPSP access to a limited terminal system, and/or a File Upload Platform, and/or White-Labeled App (collectively the “BaaS Program”). Furthermore, a party may transfer the Shared Data by electronic transmission subject to its internal data privacy policies. Upon the request of the Data Recipient, the originating Party may provide electronic copies of the Shared Data in a secured and in a structured and commonly used format. The originating Party may (a) grant the Authorized Personnel of the data Recipient online access to its electronic data servers, (b) transmit the Shared Data by encrypted email, (c) transfer the shared data through a Secure File Transfer Protocol, or (d) by providing the Data Recipient access to its Cloud Service facility.

Frequency and Interval of Data Transfer. The originating Party shall transfer the Shared Data to the Data Recipient whenever there are new Data Subjects applicable for the Purposes. The originating Party shall inform the Data Recipient of the transfer or transmission of the Shared Data and the necessary access requirements such as the required passwords, as appropriate. The originating Party shall ensure that the Shared Data shall be in a format that is secured and structured and commonly used.

SAFEGUARDS FOR PRIVACY AND SECURITY OF SHARED DATA

Full Compliance with the Data Privacy Act of 2012. The Parties shall ensure full compliance with the requirements of the Data Privacy Act of 2012 and other applicable rules and regulations, including its direct obligations to the Data Subjects. The Data Recipient shall process the Shared Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of the Memorandum of Understanding and this Agreement. Accordingly, the Data Recipient shall have such privacy policy manuals and data processing protection systems in place as to ensure privacy and security of the Shared Data, particularly in relation to the collection, access, use, storage, disposal, and disclosure of personal information.

Standard of Care. The Data Recipient shall exercise the same degree of care and diligence as it uses to protect its own Personal data and confidential information, but in no event less than reasonable care, to protect the Shared Data from misuse and unauthorized access or disclosure.

Safeguards for the Shared Data. The Data Recipient shall use appropriate organization, physical and technical safeguards to protect the Shared Data from misuse and unauthorized access or disclosure, including maintaining adequate physical controls and password protections for any server or system on which the Shared Data is stored, ensuring that Shared Data is not stored on any mobile device or transmitted electronically unless encrypted, and taking any other measures reasonably necessary to prevent any use or disclosure of the Shared Data other than as allowed under the Memorandum of Understanding and this Agreement.

Permitted Disclosures. The Data Recipient shall not disclose the identity of any Data Subject whose personal information is included in the Shared Data or attempt to contact those individuals unless otherwise in furtherance of the purpose of the Memorandum of Understanding. The Data Recipient may only disclose the Shared Data to its officers, directors, employees, consultants, and representatives only to the extent necessary, and under reasonable terms and conditions as may be agreed upon with the originating Party and for the fulfillment of the purpose, contract, or legal obligation contemplated in the License Agreement and this Agreement.

Required Disclosures. Should the Data Recipient be obliged under the Law to disclose any portion of the Shared Data, the Data Recipient shall promptly notify the originating Party before disclosing such Shared Data and shall use reasonable endeavors to assist the originating Party to obtain a protective order to prevent or limit such disclosure, as may be applicable.

Personal Data Breach Management. Within seventy-two (72) hours, or such period as may be prescribed by law, from becoming aware of any unauthorized use or disclosure of the Shared Data, the Data Recipient shall promptly report such unauthorized use or disclosure to originating Party, the National Privacy Commission, and the affected Data Subjects, as applicable under the Data Privacy Act of 2012 and other relevant issuances.

Cooperation and Mitigation. The Data Recipient shall cooperate with originating Party in any remediation measure that the latter determines in its discretion as necessary to comply with the applicable reporting requirements, and/or to mitigate the effects of any Personal Data Breach. These remediation measures include restoring goodwill with stakeholders such as but not limited to research subjects, collaborators, governmental authorities, and the public.

No Fault or Liability. The obligation of either Party to report or respond to a Data Breach, as defined under the DPA, is not and will not be construed as an acknowledgment by either Party of any fault or liability for the Data Breach.

Rights of Data Subjects. The Parties agree and acknowledge that the Data Subjects have the right to obtain a copy of this Agreement, and to access, update, or correct their respective Personal Data, or withdraw consent to the use of any of their Personal Data as defined in this Agreement, and may file complaints with, and/or seek assistance from the National Privacy Commission in case of violation of their rights. The Data Recipient shall promptly notify the originating Party of any requests received from Data Subjects in connection with the foregoing rights. The Parties shall cooperate with each other to comply with the requests of Data Subjects to the extent permitted by Law.

Agents and Subcontractors. The Data Recipient shall not subcontract any of its processing operations without the prior written consent of originating Party. Where the Data Recipient subcontracts any Processing of Personal Information under this Agreement with the written consent of originating Party, it shall do so only by way of a written agreement with the subcontractor, which imposes the same obligations on the subcontractor as are imposed on the Data Recipient under this Agreement. Further, the Data Recipient shall maintain a list of subcontracting agreements concluded pursuant to this Agreement, which shall be updated at least once a year. Upon a Party’s request, the list and relevant agreements shall be made available to the requesting Party and/or to any relevant regulatory authority, if applicable.

No Modification of Data. The Data Recipient shall not copy, decompile, modify, reverse engineer, or create derivative works out of any of the Shared Data.

Retention of Data. The Data Recipient will continue to retain the Data in accordance with the retention policies of the originating Party unless a different period for retention shall be agreed upon by both parties. The originating Party shall provide the other Party with its retention policies, as may be applicable.

TERM

This Agreement shall take effect on the Effective Date and shall be coterminous with the License Agreement unless terminated earlier in accordance with the provisions of this Agreement.

This Agreement shall be subject to periodic reviews to ensure the sufficiency of the safeguards implemented for data privacy and security.

DEFAULT AND TERMINATION

This Agreement may be terminated on any of the following grounds:

Upon mutual agreement of the Parties;
Upon material breach of any provision of this Agreement by a Party; or
In case any Party becomes insolvent, bankrupt, or enters receivership, dissolution, or liquidation.

In case of an event of default under the immediately preceding section, the non-defaulting party shall send a written notice to the defaulting party to remedy or cure the default within fifteen (15) business days from the receipt of such notice. Should the defaulting party fail to cure the default within the grace period, the non-defaulting party shall have the right to either terminate the Agreement prior to the expiration date of the term, without need of any court action, with the right to claim appropriate damages. Should the default arise from breach of personal data security, the Responsible Party shall indemnify the other Party in full for any cost, action, claim, or expense that may arise therefrom.

Notwithstanding the provisions of this Section, either Party shall have the right to pre-terminate the Agreement without cause, without penalty, upon written notice of at least thirty (30) business days prior to the intended date of termination.

Upon the expiration or termination of this Agreement for any reason whatsoever, the Data Recipient shall return the Shared Data and any other property, information, and documents, including confidential information, provided by the originating Party within ten (10) business days from the date of termination. The Data Recipient shall also destroy all copies of the Shared Data and any other property, information, and documents that are in its possession and those that it shared with other entities. Upon request by the originating Party, the Data Recipient shall deliver to the originating Party a certificate confirming the Data Recipient’s compliance with said return or destruction of the Shared Data in accordance with this section. In any case, the Data Recipient shall ensure that the Shared Data are properly disposed of in such a way that would prevent further processing as well as improper, unauthorized, accidental, or unlawful access.

REPRESENTATIONS AND WARRANTIES

Each Party represents and warrants to the other Party that:

It is duly incorporated, validly existing, and in good standing under the laws of the Republic of the Philippines.

It has the full legal right, power, and authority to execute and deliver this Agreement and to consummate the obligations contemplated herein. This Agreement has been duly executed and delivered under the laws of the Republic of Philippines and constitutes a legal, valid and binding obligation of the Parties, against the other in accordance with its terms.

The execution, delivery, and performance of this Agreement will not result in any breach of, or constitute a default under, any agreement, contract or instrument to which it is a party.

To the best of its knowledge, it has not failed to disclose any material fact that may affect the execution and performance of this Agreement during its effectivity. A material fact is defined as one where, had one Party known of such fact either during the negotiation or at any time during the life of this Agreement that Party would not have entered into this Agreement.

It has not gone into liquidation or passed any resolution for winding up, no petition for winding up has been presented against it, and that no receiver and/or manager has been appointed or is threatened or expected to be appointed.

All governmental, corporate, and other requirements, licenses, authorizations and permits necessary or desirable in connection with the entry into, performance, validity, and enforceability of, and the transactions contemplated by, this Agreement, have been obtained or effected and are in full force and effect.

It will update itself, on a regular basis, on the issuances of the National Privacy Commission and other Laws and shall strictly adhere thereto.

The Data Recipient further agrees and warrants the following -

Nothing prevents the Data Recipient from fulfilling its obligations under this Agreement. Should it become aware of any event which is likely to have a substantial adverse effect on its warranties and obligations set forth in this Agreement, it will promptly notify the originating Party of such event, in which case the originating Party shall be entitled to either suspend the transfer of Personal Data under this Agreement or immediately terminate the Agreement by providing written notice to the Data Recipient;

It will ensure that an obligation of confidentiality is imposed on the Authorized Personnel to process the Shared Data and take reasonable steps to ensure the reliability and integrity of any its personnel who have access to the Shared Data. Only those Authorized Personnel on a need-to-know basis shall be given access to such Shared Data.

It will promptly notify originating Party about: (i) Any legally binding request for disclosure of the Shared Data by virtue of a court order or in compliance with any Law unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and (ii) Any requests received from Data Subjects. For purposes of item (ii), the Parties shall cooperate to properly respond and address such requests to the extent allowed by law which may involve the Data Subject’s right to access, copy, correct, rectify, erase or remove their Personal Data.

Either Party may transfer, store, and/or process the Shared Data outside the Philippines. The relevant Party shall ensure that the Shared Data will be protected at a standard that is comparable to that under the Laws/Applicable Data Protection Law.

It will register with the National Privacy Commission, as necessary, to comply with the provisions of the Laws. For this purpose, the Parties likewise warrant that its systems relative to its Technical, Physical, Organizational Security Measures are in place to comply with the Laws.

All representations, warranties and covenants made by the Parties in this Agreement shall survive the closing and consummation of this Agreement.

INDEMNIFICATION AND LIMITATION OF LIABILITY

The Parties agree that under the Laws, each Party remains accountable for Personal Data under its control or custody, including Shared Data. To this extent, the Parties therefore agree to irrevocably and unconditionally indemnify and hold the other Party, its officers, employees, and agents, free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney's fees and costs of suit that the other Party may suffer or incur by reason or in respect of:

A Party’s breach of any of the warranties and obligations set forth in this Agreement, regardless of the cause of such breach; or

Any act, omission or negligence of the Data Recipient that causes or results in the other Party being in breach of its obligations under the Laws.

This Section shall survive the termination or expiration of this Agreement.

MISCELLANEOUS PROVISIONS

This Agreement and all the provisions hereof shall be binding upon and inure to the benefit of the Parties. Neither Party may assign its interest and obligations under this Agreement, without the prior written consent of the other.

This Agreement, including any annexes and other documents referred to herein, constitutes the entire agreement and supersedes all other prior agreements and understandings, both written and oral, among the Parties. Each of the Parties undertakes to execute such documents and perform such acts as may reasonably be necessary to give effect to this Agreement. Any amendment of any provision of this Agreement shall be in a writing signed by the Parties.

This Agreement shall be governed by and construed in accordance with the law of the Republic of the Philippines.

All rights and remedies conferred under this Agreement or by any other instrument or law shall be cumulative, and may be exercised singularly or concurrently. Failure by either party to enforce any provision of this Agreement shall not be deemed a waiver of future enforcement of that or any other provision of this Agreement.

Any notices or communications required or permitted hereunder or otherwise in connection herewith shall be in writing and shall be sufficiently given if (i) delivered by hand, (ii) sent by registered mail, return receipt requested, postage prepaid, (iii) sent by email, (iv) delivered by a nationally-recognized overnight courier service, receipt obtained from addressee, to the following addresses or to such other address as any of the Parties may from time to time designate by notice given in writing.

If to DFS Provider to:

NETBANK (A RURAL BANK), INC.

Bagong Lipunan, Brgy. 1, 5500 Romblon, Romblon

Data Protection Officer:

Email:

If to TPSP to:

<TPSP’s Corporate Name>

<TPSP’s Address>

Data Protection Officer: <Name of the TPSP DPO>

Email: <Email address of the TPSP DPO>

This Agreement is not intended to confer upon any person other than the parties hereto any rights or remedies hereunder.

Unless otherwise provided by law, the Parties agree that all forms of data or information received or gathered by its employees and agents from the other Party in the course of or in the performance of their obligations under this Agreement shall be deemed and kept confidential. Such data or information shall not be divulged to any third party without the prior written consent of the other Party.

The invalidity or unenforceability of any provision of this Agreement shall not affect the validity or enforceability of any other portion or provision. Any invalid or unenforceable portion or provision shall be deemed severed from this Agreement. The Parties shall negotiate an equitable adjustment in the remaining portions or provisions of this Agreement to effect the underlying purposes of this Agreement.

SCHEDULE “1”

Type or Categories of Personal Information that can be provided

BY DFS PROVIDER -

Customer record details
1. Name (Title, First Name, Middle Name, Last Name)
2. Birthdate, Birthplace, Gender, Civil Status
3. Contact Number, Email Address
4. Address
5. Income, Work Description
6. TIN and SSS number
7. Date / time of account creation
8. Customer ID generated by Netbank
9. Customer Identification File (CIF) Number generated by Netbank
Bank account details
1. Account Type, Number,
2. Status
3. Account holder name and Customer ID
4. Available and Current Balance. Average Daily Balance
5. Interest rate, Accrued Interest Amount
6. Maximum Balance Limit
7. Minimum Balance to earn interest
8. Required Maintaining Balance
Transaction details, movement and history
1. Transaction ID, Date and Time
2. Type of Transaction (Debit/Credit)
3. Status of the Transaction
4. Settlement Rail used for the transaction
5. Source Account Number and bank details
6. Destination Account Number and bank details
7. Remarks and Reference IDs from the Partner

BY TPSP -

Name (Title, First Name, Middle Name, Last Name)
Birthdate
Birthplace
Gender
Civil Status
Contact Number
Email Address
Address
Income, Work Description
TIN and SSS number

SCHEDULE “2”

Categories of Data Subject whose Personal Information belongs to

DFS PROVIDER –

Deposit clients

TPSP -

Deposit clients

SCHEDULE “3”

Authorized Purposes of the Data Sharing

The Data Recipient may use the Shared Data for the following purposes –

To process the Data Subject’s transaction with the parties
To provide the Data Subjects with information and offers from the Data Recipient, which may include newsletters, marketing, or promotional materials and other information on services and products offered by the Data Recipient or its partners;
To offer the Data Subjects products and/or services of the Data Recipient which may be of interest to the Data Subjects;
To collect, process and/or transmit non-protected data for purposes of statistical analysis in an aggregated format;
To enable Data Recipient to conduct surveys, questionnaires, contests, and other similar promotions;
To engage in research activities;
To enhance the functionality, utility, features of the Data Recipient’s Platform, goods, and/or services; and
To conduct a credit assessment and check the credit qualification of a Data Subject.

If you have any questions or suggestions about our Terms and Conditions, do not hesitate to contact us at support@netbank.ph

NETBANK (A RURAL BANK) INC.
BANKING-AS-A-SERVICE (BAAS) LICENSE AGREEMENT

BACKGROUND AND NATURE OF THE AGREEMENT

GRANT OF LICENSE BY THE DFS PROVIDER

GRANT OF LICENSE TO THE DFS PROVIDER

USE LIMITATIONS AND OTHER OBLIGATIONS

To the extent that End-User Data was received by the DFS Provider from the TPSP about the latter’s end-users, the TPSP acknowledges and agrees that the DFS Provider is a processor as defined under the DPA, IRR, and other relevant issuances of the NPC. As such, the DFS Provider agrees to:

The TPSP acknowledges that the TPSP is solely responsible, and the DFS Provider has no responsibility or liability of any kind for the content, development, operation, support or maintenance of the products built, developed or provided by the TPSP.

Security Procedures and Protocols.

SETTLEMENT ACCOUNT

INVOICING AND PAYMENTS

DISCLAIMERS

REVIEW OF COMMERCIAL TERMS

INTELLECTUAL PROPERTY OWNERSHIP

CONFIDENTIALITY AND NON-DISCLOSURE OF DFS PROVIDER IP AND CONFIDENTIAL INFORMATION