Master Services Agreement

Last Updated: November 27, 2023

Thanks for your interest in Plaid! This Master Services Agreement (this "Agreement") is a legally binding agreement governing access to and use of Plaid's Services. This Agreement is entered into between Plaid Inc. (f.k.a. Plaid Technologies, Inc.), a Delaware corporation ("Plaid") and the entity or person placing an Order or accessing or using the Services ("Client"). If you are placing an Order or accessing or using the Services on behalf of a company, organization, or other entity, then that entity is the Client. In that case, you are binding that entity to this Agreement and you represent and warrant that you are authorized to do so.

By clicking "I agree" (or a similar checkbox or button), placing an Order, or accessing or using the Services, you indicate your assent to be bound by this Agreement. If you do not agree to this Agreement, do not use or access the Services. This Agreement contains mandatory arbitration provisions that require the use of arbitration to resolve disputes. Please read it carefully.

The "Effective Date" of this Agreement is the earlier of (a) the date on which Client first accesses or uses the Services and (b) the date on which Client's first Order is agreed to by Plaid.

Plaid may modify this Agreement from time to time in accordance with Section 9 (Modifications to this Agreement) below.

1. ACCESS RIGHTS; RESTRICTIONS

1.1 Access . Subject to the Client's compliance with the terms and conditions of this Agreement, Plaid hereby agrees that during the applicable term of an Order (as defined below), the Client has the non-exclusive right to: (i) internally use the package of application programming interface materials provided by Plaid (the "API Package") solely as necessary to make an application owned and operated by the Client, which application is described in such Order or otherwise approved by Plaid in writing (the "Client Application"), interoperate with the Plaid services described on https:/ /www.plaid.com/ (collectively with the API Package, the "Services"), (ii) use the Services in such Client Application provided to end users (consumers or businesses) (the "End Users") for the use case permitted by Plaid in writing, including, but not limited to, as set forth in the applicable Order or in the Plaid dashboard, and (iii) use the End User information and data provided via the Services (collectively, the "Output") solely in such Client Application for such use case. All use of the Services and Output must be only as provided in this Agreement, only in accordance with Plaid's applicable technical user documentation and subject to the applicable use case, Client Application, and business unit restrictions (if any). The "Order" means, whether available on Plaid's website or otherwise, a Plaid order form, pricing schedule, pricing plan, or rate card for the Services.

1.2 Restrictions. Client will not, and will not enable or assist any third-party to: (i) attempt to reverse engineer (except as permitted by law), decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Services; (ii) modify, translate, or create derivative works based on the Services; (iii) make the Services or Output (or any derivative work thereof) available to, or use the Services or Output(or any derivative work thereof) for the benefit of anyone other than Client or End Users; (iv) sell, resell, license, sublicense, distribute, rent or lease any Services or Output (or any derivative work thereof) to any third-party, or include any Services or Output in a service bureau, time-sharing, or equivalent offering; (v) publicly disseminate or disclose information from any

source regarding the performance of the Services or Output; or (vi) attempt to create a substitute or similar service through use of, or access to, the Services or Output. Client will use the Services and Output only in accordance with (a) the rights granted hereunder, (b) the Plaid developer policies (available at https:/ /www.plaid.com/legal), a nd (c) any agreements between Client and End Users (for clarity, including any privacy policy or statement). Notwithstanding anything to the contrary, the Client accepts and assumes all responsibility for complying with all applicable laws and regulations in connection with all of Client's activities involving any Services, Output, or End User data. In addition, Client acknowledges and agrees that Plaid is neither a "consumer reporting agency" nor a "furnisher" of information to consumer reporting agencies under the Fair Credit Reporting Act ("FCRA") and the Output is not a "consumer report" under the FCRA and cannot be used as or in such. Client represents and warrants that it will not, and will not permit or enable any third-party to, use the Services (including Output) as a or as part of a "consumer report" as that term is defined in the FCRA or otherwise use the Services (including Output) such that the Services (including Output) would be deemed "consumer reports" under the FCRA. Client will comply with Schedule 1 (Addendum to Master Services Agreement) and the provisions set forth in any product or territory specific exhibit, addendum, or other document attached to this Agreement, but such provisions will only apply if Client uses the Service set forth in such document. In the event of a conflict between the terms and conditions of this Agreement and the terms and conditions of any such product or territory specific exhibit, addendum, or other attachment, the terms and conditions of such exhibit, addendum, or other attachment will govern and prevail.

1.3 Ownership. Except for the rights expressly granted under this Section 1, Plaid reserves and retains all right, title, and interest in and to the Services which includes but is not limited to the API Package and any related Output (except for raw End User data, which belongs to the End User), software, products, works, and other intellectual property created, used, or provided by Plaid for the purposes of this Agreement. To the extent the Client provides Plaid with any feedback relating to the Services (including, without limitation, feedback related to usability, performance, interactivity, bug reports and test results) ("Feedback"), Plaid will own all right, title and interest in and to such Feedback (and the Client hereby makes all assignments necessary to achieve such ownership).

1.4 Privacy and Authorizations. Before any End User engages with the Client Application in a manner that uses the Services, the Client warrants and will ensure that it provides all notices and obtains all consents required under applicable law to enable Plaid to process End User data in accordance with Plaid's end user privacy policy (currently available at https:/ /www.plaid.com/legal). Client will not (i) make representations or other statements with respect to End User data that are contrary to or otherwise inconsistent with Plaid's end user privacy policy or (ii) interfere with any independent efforts by Plaid to provide End User notice or obtain End User consent.

1.5 Permitted Service Providers . Client may permit its employees, agents, contractors and service providers to access the Services and Output on Client's behalf (such parties, the "Permitted Service Providers"). Client will be responsible for all Permitted Service Providers' compliance with the terms and conditions of the Agreement (including, without limitation, such terms and conditions as they relate to the use of the Services and Output), and Client represents and warrants that it will: (i) not make the Services or Output available to any third parties aside from Permitted Service Providers; (ii) ensure that Permitted Service Providers are only using the Services and Output for the sole benefit of, and solely on behalf of, Client; (iii) ensure that Permitted Service Providers are not using the Services or Output for their own benefit or purposes, including to improve their own products (except to the extent necessary for

the Permitted Service Providers to provide its services to, on behalf of, and for the sole benefit of Client); and (iv) contractually require Permitted Service Providers to only use the Services and Output for the sole benefit of, and solely on behalf of, Client and contractually prohibit Permitted Service Providers from using the Services or Output for their own purposes or benefit. Client is responsible under Section 2 (Payments) of the Agreement for any fees or charges incurred by its Permitted Service Providers in their use of the Services. If Client enables any third parties as Permitted Service Providers, Client (and not Plaid) remains solely responsible for its relationships with such third parties and for any related billing matters, technical support, or disputes.

1.6 Development Accounts . In addition to allowing production access to the Services as described in Section 1.1 ("Production Access"), Plaid may offer free sandbox or development accounts for the Services ("Development Accounts"). Client may use Development Accounts solely for internal evaluation of the Services to determine whether to place a paid Order, and not for Production Access or any other purpose. In using Development Accounts, Client must comply with Plaid's relevant documentation, policies, and instructions, including as relates to the data types and use cases eligible for Development Accounts. Plaid may make available different types of Development Accounts, and each Development Account may have limited functionality and other usage limits. Plaid may modify or disable Development Accounts (and delete related data submitted by Client or provided by Plaid) without notice or liability to Client. Plaid has no support obligations for Development Accounts. Subject to this paragraph, Development Accounts remain subject to the terms and conditions of this Agreement, including without limitation Sections 1.2 (Restrictions) through 1.5 (Permitted Service Providers), 1.7 (Compliance Reviews), 6 (Warranty; Disclaimer), and 7 (Limitation of Liability).

1.7 Compliance Reviews . To access or use the Services, whether Development Accounts or Production Access, Client must successfully pass Plaid's compliance reviews, which may include automated verifications, online questionnaires, and requests for information ("Compliance Reviews"). As part of the Compliance Reviews, Client must provide prompt responses to Plaid's requests for information about Client, the Client Application, Client's business and associated entities, and Client's intended use of the Services. Client represents and warrants that all information it provides to Plaid as part of Compliance Reviews will be accurate and complete, and Client will immediately notify Plaid if any previously provided information is out-of-date or becomes inaccurate. Client may be required to complete more than one Compliance Review, for instance, to enable Development Accounts or upgrade to Production Access, or as requested by Plaid based on changes in Client's use of the Services or increased risk factors. Client's passage or failure of any Compliance Review is in Plaid's sole discretion. If Client fails any Compliance Review or fails to provide prompt and complete responses within three business days after Plaid's requests for information (even if Client has passed a previous Compliance Review or received provisional access to the Services), Plaid may suspend, revoke, or terminate Client's access to the Services, without notice or liability to Client.

1.8 Non-GA Services . From time to time Plaid may invite Client to try Plaid features/functions, products, or services that are not generally available to Plaid's clients ("Non-GA Services"). Client may accept or decline any such invite in its sole discretion. Any Non-GA Services will be designated as alpha, beta, trial, pilot, limited release, developer preview, non-production or by a description of similar import. Non-GA Services are provided for evaluation purposes, may contain bugs or errors, and may be subject to additional terms. Non-GA Services are not considered "Services" hereunder and are provided solely and exclusively "AS IS" with no express or implied warranty of any kind. CLIENT ASSUMES AND

UNCONDITIONALLY RELEASES PLAID FROM ALL RISKS ASSOCIATED WITH THE USE OF ANY NON-GA SERVICES. Plaid may discontinue the Non-GA Services at any time in its sole discretion. Plaid does not promise or represent that Non-GA Services will be made generally available.

2. PAYMENTS

Client will pay Plaid for the Services as set forth in each Order (the "Payments"). Unless otherwise specified in an Order, Payments must be made within fifteen (15) days from the date of Plaid's invoice. Unpaid invoices are subject to a finance charge of 1.5% per month or the maximum permitted by law, whichever is lower, plus all expenses of collection. The Client will be responsible for all (i) taxes associated with Services other than taxes based on Plaid's net income and (ii) Plaid's costs of collection in the event of the Client's delinquent payment. All Payments made are non-refundable (unless required under applicable law), non-cancellable, and not subject to setoff.

3. TERM; TERMINATION

3.1 Term of Agreement. This Agreement will commence on the Effective Date and will continue in effect unless terminated in accordance with this Agreement. On the effective date of termination of this Agreement, all Orders under the Agreement will also terminate unlessotherwise agreed by Plaid and the Client.

3.2 Term of Orders . Unless otherwise specified in the Order, (i) each Order will have a term of twelve (12) months (an "Initial Term") beginning on the effective date of such Order; (ii) after the Initial Term, such Order will automatically renew for one (1) year periods (each a "Renewal Term") unless either party provides the other party with at least sixty (60) days' written notice prior to the end of the Initial Term or the Renewal Term; and (iii) Plaid may revise its rates for the Services by providing Client with at least seventy-five (75) days' written notice. Where applicable under the Order, such increases will be effective for the following Renewal Term, and Plaid will provide notice of such increases prior to the end of the then-current Initial Term or Renewal Term.

3.3 Termination.

(i) For Cause . Either party may terminate this Agreement and any applicable Orders in the event the other party materially breaches the terms of this Agreement or any Order and fails to cure such breach within ten (10) days from receipt of written notice thereof. In addition, Plaid may immediately suspend the Services in the event it determines or believes that (a) there is unauthorized access to the Services via Client's account, (b) continued provision of the Services may do material harm to Plaid or its networks or systems or reputation or subject Plaid to liability, or (c) Client materially breached Section 1 or 2 of this Agreement. For clarity, notice of termination for an Order will not be construed to be notice of termination for this Agreement or for any other Order.

(ii) For Convenience . If there are no active Orders, either party may terminate this Agreement for any reason and without cause upon at least thirty (30) days' prior written notice to the other party; provided that such right to terminate will not apply prior to the commencement of the initial Order.

(iii) Effect of Termination . Upon termination of an Order, all rights granted to Client with respect to such Order will terminate and Client will make no further use of the terminated Services or the applicable API Package (copies of which will be immediately returned to Plaid or destroyed).

Except for Section 1.1 with respect to any terminated Order, all provisions of this Agreement will survive any termination of this Agreement or any Order hereunder.

4. CONFIDENTIALITY

During the term of this Agreement, each party (a "Disclosing Party") may disclose, under this Agreement, to the other party (a "Receiving Party") confidential and/or proprietary materials and information of the Disclosing Party ("Confidential Information"). All materials and information disclosed by Disclosing Party to Receiving Party under this Agreement and identified at the time of disclosure as "Confidential" or bearing a similar legend, and all such other information that the Receiving Party reasonably should have known was the Confidential Information of the Disclosing Party, will be considered Confidential Information; for the avoidance of doubt, the Service, all pricing information and terms of this Agreement, are Confidential Information of Plaid. Receiving Party will maintain the confidentiality of the Confidential Information and will not disclose such information to any third-party without the prior written consent of the Disclosing Party. Receiving Party will only use the Confidential Information internally for the purposes contemplated under this Agreement. The obligations in this Section 4 will not apply to any information that: (i) is made generally available to the public without breach of this Agreement, (ii) is developed by the Receiving Party independently from the Disclosing Party's Confidential Information, (iii) is disclosed to Receiving Party by a third-party without restriction, or (iv) was in the Receiving Party's lawful possession prior to the disclosure to the Receiving Party and was not obtained by the Receiving Party either directly or indirectly from the Disclosing Party. Receiving Party may disclose Confidential Information as required by law or court order; provided that, Receiving Party provides Disclosing Party with prompt written notice thereof and uses its best efforts to limit disclosure. At any time, upon Disclosing Party's request, Receiving Party will return to Disclosing Party all Disclosing Party's Confidential Information in its possession, including, without limitation, all copies and extracts thereof. Notwithstanding the foregoing, (a) Receiving Party may disclose Confidential Information to any third-party to the limited extent necessary to exercise its rights, or perform its obligations, under this Agreement, or to any prospective acquirer of Receiving Party; provided that, all such third parties are bound in writing by obligations of confidentiality and nonuse at least as protective of the Disclosing Party's Confidential Information as this Agreement and (b) all Feedback and the API Package will be solely Plaid's "Confidential Information."

5. INDEMNITY

The Client will defend, indemnify and hold Plaid harmless from and against all third-party claims, actions, proceedings, regulatory investigations, damages, losses, judgments, settlements, costs and expenses (including attorneys' fees), arising from or in connection with: (i) Client breach of any laws or regulations (including with respect to privacy); (ii) Client's or any Permitted Service Provider's use of the Services and Output; or (iii) Client's violation of any agreements it has with any End User.

6. WARRANTY; DISCLAIMER

THE SERVICES ARE PROVIDED "AS IS." TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, AND DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE SERVICES ARE FREE FROM DEFECTS. PLAID DOES NOT MAKE ANY WARRANTY AS TO THE OUTPUT THAT MAY BE OBTAINED FROM USE OF THE SERVICES. CLIENT, IF AN INDIVIDUAL, MAY HAVE OTHER STATUTORY RIGHTS; HOWEVER, TO THE FULLEST EXTENT PERMITTED BY LAW, THE DURATION OF STATUTORILY REQUIRED

WARRANTIES, IF ANY, WILL BE LIMITED TO THE SHORTEST PERIOD PERMITTED BY LAW.

7. LIMITATION OF LIABILITY

TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, AND DISTRIBUTORS WILL BE LIABLE UNDER THIS AGREEMENT FOR ANY: (A) INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES; (B) LOSS, ERROR, OR INTERRUPTION OF USE OR DATA (IN EACH CASE, WHETHER DIRECT OR INDIRECT); OR (C) COST OF COVER OR LOSS OF BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE. TO THE FULLEST EXTENT PERMITTED BY LAW, PLAID'S AGGREGATE LIABILITY IN CONNECTION WITH EACH ORDER (INCLUDING ALL LIABILITY UNDER THIS AGREEMENT THAT ARISES AS A RESULT OF SUCH ORDER) WILL NOT EXCEED THE AMOUNT PAID OR PAYABLE BY CLIENT TO PLAID DURING THE SIX (6) MONTH PERIOD PRIOR TO THE EVENT GIVING RISE TO LIABILITY (PROVIDED THAT, IF NO FEES ARE PAID OR PAYABLE, SUCH AMOUNTS WILL BE LIMITED TO ONE HUNDRED DOLLARS (US$100.00)). THE PARTIES AGREE THAT THE WAIVERS AND LIMITATIONS SPECIFIED IN THIS SECTION 7 APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE AND WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

8. MISCELLANEOUS

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable or transferable by Client except with Plaid's prior written consent; provided, however, that Client may, upon prior written notice to Plaid, transfer and assign its rights and obligations under this Agreement to an affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets to which this Agreement relates. If such a transfer or assignment is made in favor of a direct competitor of Plaid, then Plaid may terminate this Agreement upon written notice to Client. Plaid may freely assign this Agreement. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications, and other understandings relating to the subject matter of this Agreement, and all waivers and modifications must be in a writing signed by both parties, except as otherwise provided herein. No agency, partnership, joint venture, or employment is created as a result of this Agreement. Plaid's notice address is Plaid Inc., P.O. Box 7775 #35278, San Francisco, CA 94120, Attn: Legal; with a copy (which does not constitute notice) to legalnotices@plaid.com. Any notices in connection with this Agreement will be in writing and sent by first class mail, confirmed facsimile or major commercial rapid delivery courier service to the address specified above (or such other address as may be properly specified by written notice hereunder). Email notice will be permitted by Plaid if sent to the Client's dashboard account email address. Any delay in or failure of performance by either party under this Agreement will not be considered a breach of this Agreement and will be excused to the extent caused by any occurrence beyond the reasonable control of such party including, but not limited to, acts of God, power outages, governmental actions and requirements, and the acts and omissions of Plaid's data suppliers. During the term of this Agreement, (a) Client agrees to participate in case studies and other similar marketing efforts reasonably requested by Plaid; (b) Plaid may disclose that Client is a Plaid customer to third parties; and (c) Plaid may include on and in Plaid's website, case

studies, marketing materials, and conference presentations and other speaking opportunities, Client's testimonials and other feedback regarding the Services, name, website URL, use case, and logo and other marks. Upon request from Client, Plaid will promptly stop making the disclosure and use described in the foregoing sentence except to the extent already included in any then-existing materials. This Agreement will be governed by the laws of the State of California, without regard to the conflict of law provisions thereof. The application of 1980 United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Except for claims for injunctive or equitable relief or claims regarding intellectual property rights (which may be brought in any competent court), any dispute arising under this Agreement will be finally settled in accordance with the Comprehensive Arbitration Rules of the Judicial Arbitration and Mediation Service, Inc. ("JAMS") by a single arbitrator appointed in accordance with such Rules. The arbitration will take place in San Francisco, California, USA, in the English language and the arbitral decision may be enforced in any court of competent jurisdiction. With respect to any court challenge to JAMS jurisdiction to arbitrate any claim or dispute arising or relating to this Agreement, the parties consent to exclusive jurisdiction and venue in the state and Federal courts located in San Francisco, California. With respect to all disputes arising in relation to this Agreement, but not subject to the preceding arbitration provision, the parties consent to exclusive jurisdiction and venue in the state and Federal courts located in San Francisco, California.

9. MODIFICATIONS

From time to time, Plaid may modify this Agreement. Plaid will use commercially reasonable efforts to notify Client of the modifications and the effective date of such modifications through communications via Client's account, email, or other means.

Development Accounts: Client must accept the modifications to continue accessing or using Development Accounts. If Client objects to the modifications, its exclusive remedy is to cease any and all access and use of Development Accounts.

Production Access: If the effective date of the modifications is during the term of a paid Order for Production Access and Client objects to the modifications, then (as its exclusive remedy) Client may terminate its affected Order upon notice to Plaid, and Plaid will refund to client any fees it has pre-paid for use of the Services for the terminated portion of the term of the applicable Order. To exercise this right, Client must provide Plaid with notice of its objection and termination within thirty (30) days after Plaid provides notice of the modifications.

Client may be required to click to accept or otherwise agree to the modified Agreement in order to continue accessing or using the Services, and in any event continued access or use of the Services after the modified version of this Agreement goes into effect will constitute Client's acceptance of such modified version.

SCHEDULE 1 Addendum to Master Services Agreement

Effective as of the Effective Date, this Addendum to Master Services Agreement (" Addendum ") is hereby incorporated in and expressly made a part of the Agreement. Through the Services, Client may have access to information about or of End Users provided to Plaid by a bank, financial institution, or other data source (each, as designated by Plaid, " FI ", and such information, the " End User Data ").

1. End User Data.

a. End User Consents. Client will provide all notices and obtain all express consents from each End User as required under applicable laws in connection with Client's use, storage and other processing of any End User Data (such notices and consents, the " Express Consents "). Express Consents will be clear and conspicuous and will generally specify the categories of End User Data that Client will receive and how Client will use, store and otherwise process it, in addition to any other required disclosures under applicable laws. Client will maintain records (which may include technical logs, screenshots, versions of Express Consents obtained) to demonstrate its compliance with this Section 1(a) and will promptly provide such records to Plaid upon request.

b. Scope of Access. Client will only access End User Data for which it has obtained Express Consents from the End User for the use case reviewed and permitted by Plaid in writing that is consented to by the applicable End User (such use case, the " Permitted Use Case "). Key factors Plaid will consider during its review include whether the use case is appropriate and useful to provide the End User with the Client Application that the End User has enrolled in, whether the Client Application provides a direct benefit to the End User, and whether the use case directly supports the development of new or improved product features for the benefit of End Users, and the jurisdiction(s) in which the Client operates and/or stores End User Data. If Client possesses End User Data that exceeds the scope of the End User's Express Consents, Client will use industry-standard means to permanently and securely delete (" Delete ") such End User Data.

c. Data Use. Client will use, store and otherwise process End User Data solely in accordance with the End User's Express Consents and applicable laws.

d. Data Disclosure. Client will not disclose, transfer, syndicate or distribute End User Data to any third party (including its Permitted Service Providers) (" Data Sharing ") except in each case with the End User's Express Consents and in accordance with applicable laws. Notwithstanding anything to the contrary, Client will not sell End User Data.

e. Data Deletion. Client will promptly Delete any End User Data upon request by the applicable End User; provided that Client may retain copies of End User Data solely to the extent required by applicable laws.

f. No Attribution. Client will not charge End Users any fees attributable to an FI for (a) access to its End User Data or (b) use of End User's account with an FI in connection with the Client Application. In addition, Client will not publicize its receipt of End User Data from specific FIs under the Agreement or this Addendum.

g. No Other Access. Client will only access End User Data through the Services or another manner that uses the FI's authorized APIs. Client will not "screen scrape" data from FIs or collect an End User's log-on credentials for FI accounts,

and will not otherwise knowingly obtain from a third party End User data that was originally sourced through screen scraping. Client will immediately Delete any such End User log-on credentials in its possession. Client will maintain records to demonstrate compliance with this Section 1(g) and will provide them to Plaid upon request.

2. Client Obligations .

a. Compliance with Laws. Client will comply with all applicable privacy, security and other laws, including, as applicable, the Gramm-Leach-Bliley Act, the California Consumer Privacy Act, and all other laws relating to End User Data. Client will not use, store, disclose, or otherwise process any End User Data for any purpose not permitted under applicable laws.

b. Information Security Program. Client will maintain a comprehensive written information security program approved by its senior management (" Infosec Program "). The Infosec Program will include administrative, technical and physical measures designed to: (a) ensure the security of End User Data, (b) protect against unauthorized access to or use of End User Data and anticipated threats and hazards to End User Data and(c) ensure the proper disposal of End User Data. The Infosec Program will be appropriate to Client's risk profile and activities, the nature of the Client Application, and the nature of the End User Data received by Client. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002 and will comply with applicable laws. Client will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware and other malicious code in the Client Application or on Client's systems.

c. Security Breach Obligations. Client will promptly notify Plaid (and in no event after more than 12 hours) upon becoming aware of any Security Breach, providing a description of all known facts, the types of End Users affected, and any other information that Plaid may reasonably request. Client will reasonably cooperate with Plaid in investigating and remediating Security Breaches. Client will be responsible for the costs of investigating, mitigating, and remediating the Security Breach, including costs of credit monitoring, call centers, support, and other customary or legally required remediation. " Security Breach " means any event that compromises the Client Application or Client's systems or that does or reasonably could compromise the security, integrity or confidentiality of End User Data or result in its unauthorized use, disclosure or loss.

d. FI Confidential Information. If Plaid discloses to Client any confidential or proprietary materials of an FI (such materials, " FI Confidential Information "), such materials will be subject to the same obligations that apply to Plaid's Confidential Information under the Agreement. FI Confidential Information will also be subject to the same obligations as End User Data under this Section 2 (Client Obligations) of this Addendum.

e. Oversight and Cooperation. Client will promptly provide all reasonably necessary information and cooperation requested by Plaid, an FI, or any entity with examination, supervision, or other legal or regulatory authority over Plaid or an FI. In the event that Plaid has a good faith reason to believe that Client is not in material compliance with this Addendum, Plaid will notify Client and, at Plaid's option, Client will promptly provide sufficient documentation to demonstrate such

material compliance or submit to a third-party audit by a firm selected from a Plaidapproved list of audit firms to verify such compliance. Plaid and FIs may also conduct technical or operational assessments of Client, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.

f. Information Sharing. Where required by an FI and to the extent relevant to a Client's access or use of End User Data from that FI, Plaid may share with such FI certain information related to Client's compliance with this Addendum, including with respect to Client's Infosec Program. Plaid will request that such FI treat any such information in a confidential manner.

g. Insurance. Client will maintain insurance coverage appropriate to Client's risk profile and activities, the nature of the Client Application, and the nature of the End User Data received by Client; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.

h. Access Frequency. Client will comply with any guidelines provided by Plaid regarding Client's frequency of "batch" pulls of End User Data. Plaid may enforce such guidelines in accordance with its standard practices, which may include throttling, suspension or termination of Client's access.

3. Suspension . Plaid may suspend or terminate Client's access to the Services or End User Data, in whole or in part, if it believes Client has breached this Addendum or where Client's use of the Services or End User Data could violate or give rise to liability under any Plaid agreement (including Plaid's agreement with any FI) or pose a risk of harm, including reputational harm, to any End User, FI, the Services, or Plaid and its affiliates. In addition, an FI may suspend Client's access to End User Data with respect to such FI.
4. Indemnity . Client will indemnify, defend and hold harmless each FI, Plaid, and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs and expenses arising from or in connection with: (a) any Security Breach resulting in unauthorized disclosure of End User Data or (b) Client's unauthorized or improper use of End User Data (including any unauthorized Data Sharing, transmission, access, display, storage or loss). This Section 4 is not subject to any limitation of liabilities set forth in the Agreement. Each FI is a third-party beneficiary of this Section 4.
5. Miscellaneous . In the event of a conflict with the Agreement, the terms and conditions of this Addendum will govern and prevail. Capitalized terms used in this Addendum and not otherwise defined will have the meanings ascribed to them in the Agreement. All provisions of this Addendum will remain in force in the event of this Addendum's or the Agreement's termination or expiration.

SCHEDULE 2 Platform Support Addendum - Plaid Basic Service Levels

THIS ADDENDUM WILL ONLY APPLY IF CLIENT HAS PURCHASED "PLATFORM SUPPORT (BASIC)".

Terms used but not defined in this Addendum will be defined as set forth in the Agreement.

Plaid will provide the following support for the Services set forth above, to the extent and in the manner described in Sections 1 - 4 of this Addendum:

24/7 access to Plaid support dashboard, docs, and ticketing;
Support team availability and response time commitments from 9am-5pm PST for applicable service issues (i.e., Incident Severity 1, Incident Severity 2, and Incident Severity 3);
Upkeep/maintenance of Plaid APIs;
Monitoring, upkeep, and maintenance of Plaid's data access connections to financial institutions; and
Access to shared services of the Plaid platform, including but not limited to Plaid Link, crossproduct APIs, and Plaid-generated access tokens.

1. General Support.

1.1. Product Support. Client will provide Level 1 Support and Level 2 Support (as each is further described below within this Section 1) to End Users. Plaid will provide Level 3 Support (as further described below within this Section 1) to Client via the Plaid dashboard (dashboard.Plaid.com/support) and Plaid support personnel.
- 1.1.1. "Level 1 Support" means services provided by Client to an End User to review a symptomssolutions database for known error resolutions; an attempt to provide an acceptable error resolution.
- 1.1.2. "Level 2 Support" means services provided by Client to an End User to perform an in-depth analysis of a suspected error; an attempt to recreate the error and to provide an acceptable error resolution.
- 1.1.3. "Level 3 Support" means services provided by Plaid support personnel to Client towards answering questions related to operational use of the Services and resolving errors in the Client Application that are determined to be, or are highly probable to be, the result of a defect caused by Plaid design or engineering or the result of a complex interaction between the Client Application and the Services that cannot be resolved by Client, and which errors require product engineering knowledge or expertise towards isolating and affecting a resolution.

2. Basic Support.

2.1. Severity Levels and Response Times. Following Client submitting a Ticket, Plaid's support team will use commercially reasonable efforts to provide to Client an Informative Response within the applicable response time described in Table A (Response Times) below.
- 2.1.1. "Business Hours" means the hours between 9:00AM and 5:00PM PST, Monday through Friday, excluding U.S. federally observed holidays.

2.1.2. "Incident Severity Ticket" means a Ticket reporting an error concerning Client's use of the Services that is either an Incident Severity Level 1, Incident Severity Level 2, or Incident Severity Level 3 (as defined in Table C (Severity Level Definitions) below, respectively).
2.1.3. "Informative Response" means a Plaid response to an Incident Severity Ticket that will include: (a) a classification of the error described in the applicable Incident Severity Ticket as either an Incident Severity Level 1, Incident Severity Level 2, or Incident Severity Level 3; (b) identification of the origin of the applicable error (i.e., as "Plaid" or "non-Plaid") to the extent known by Plaid's support personnel upon initial triage of such error; and (c) additional information known by Plaid's senior support team regarding the error described in the applicable Incident Severity Ticket upon initial triage of such error (e.g., the impacted Services and estimated time for resolution).
2.1.4. "Institution Success Rate" is defined as the sum of: (a) the number of Items that are successful; plus (b) the number of Items that are unsuccessful due to user errors, financial institution errors, or other errors outside of Plaid's control; divided by (c) the number of Item attempts by all Plaid end users across all applicable financial institutions.
2.1.5. "Item" means a Plaid end user's connection to a financial institution using the Services.
2.1.6. "Service Downtime" means the total number of one (1) minute periods in the applicable calendar month for which the Plaid's servers used to provide the Services to Client have a Service Success Rate below 90%.
2.1.7. "Service Success Rate" means the number of API requests successfully made to the applicable Services (i.e., requests whereby such Services are accessible, available, and perform according to their applicable technical specifications), divided by the total number of API requests attempted across all Plaid clients during the applicable period.
2.1.8. "Ticket" means a support case or ticket opened by Client on the Plaid dashboard to report an error concerning Client's use of the Services. For the avoidance of doubt, and notwithstanding anything to the contrary: (i) upon Plaid's reasonable assessment of the facts pertaining to each Ticket, Plaid may classify such Ticket (i.e., as an Incident Severity 1, Incident Severity 2, Incident Severity 3, or none of the foregoing); and (ii) the relevant terms of this Addendum will apply in accordance with such classification.

Table A: Response Times
Severity Level	Response Time
Incident Severity 1	Six (6) Business Hours from when the Incident Severity Ticket is received by Plaid.
Incident Severity 2	Six (6) Business Hours from when the Incident Severity Ticket is received by Plaid.
Incident Severity 3	Six (6) Business Hours from when the Incident Severity Ticket

is received by Plaid.

Table B: Severity Level Definitions
Severity Level	Definition
Incident Severity 1	Service Downtime totaling ten (10) or more, with all one (1) minute periods comprising such Service Downtime occurring consecutively.
Incident Severity 2	A Services error resulting in an Institution Success Rate of 85% or less over a six (6) hour period.
Incident Severity 3	A Services error resulting in an Institution Success Rate of more than 85% but less than 90% over a six (6) hour period.

2.2. Applicability of Response Times Credits. Response Times Credits will be applied against future payments due from Client to Plaid. The Response Times Credits will, as applicable, be Client's sole and exclusive remedy and Plaid's sole obligation in connection with Plaid breaches of this Section 2.
- 2.2.1. "Response Times Credit" means a dollar credit that Plaid may credit back to an eligible Client account, calculated by multiplying the applicable percentage set forth in the Response Times Credits column of Table C (Service Fee Credit Percentage) below (i.e., which percentage corresponds to the applicable (a) Severity Level, per the first column in Table C, and (b) description within the Response Failure column in Table C) by the monthly fees for the Basic Support paid by Client to Plaid pertaining to the affected calendar month (for clarity, excluding any one-time fees and fixed fees).
- 2.2.2. "Basic Support" means the support services described in this Section 2.

Table C: Service Fee Credit Percentage
Severity Level	Response Failure	Response Times Credits
Incident Severity 1 or 2	Four (4) Incident Severity 1 or Incident Severity 2 Tickets are not responded to (in accordance with this Section 2) within the applicable period specified in Table A during one (1) calendar month.	20%

Incident Severity 1 or 2	Five (5) or more Incident Severity 1 or Incident Severity 2 Tickets are not responded to (in accordance with this Section 2) within the applicable period specified in Table A during one (1) calendar month.	40%
Incident Severity 3	Greater than five (5) Incident Severity 3 Tickets are not responded to (in accordance with this Section 2) within the applicable period specified in Table A during one (1) calendar month.	20%

3. Exclusions. Notwithstanding anything to the contrary in this Addendum or the Agreement, Plaid will have no responsibility or liability for or in connection with any errors, problems, unavailability, delays in response time, suspension, or termination of the Services, or any other performance issues that arise from: (i) Client's inability to receive data from the Services due to errors, problems, or unavailability of Plaid's data providers (e.g., financial institutions); (ii) use by End Users; (iii) inaccurate or missing information in Client's API call or an API call that is otherwise invalid; (iv) factors outside of Plaid's reasonable control, including but not limited to any force majeure event, Internet access issue, and related or similar problems; (v) Client's software or hardware; (vi) third party software or hardware; (vii) abuses or other activity that leads to a suspension or termination or violates the Agreement; or (viii) planned downtime or maintenance.

4. Effectiveness of Obligations. Notwithstanding anything to the contrary in this Addendum or the Agreement, solely so long as the pricing for Basic Support effective as of the Effective Date via the applicable Order ("Basic Support Fee") remains effective: (i) Plaid will provide the Basic Support (and otherwise comply with Section 2 of this Addendum); and (ii) Client will be eligible to receive Response Times Credits. For the avoidance of doubt, in the event that the Basic Support Fee becomes ineffective (e.g., due to Client electing not to continue its Basic Support Fee commitment in accordance with the applicable Order, or electing to renew the applicable Order neither with the Basic Support Fee intact nor with higher pricing for Basic Support replacing the Basic Support Fee), then as of the effective date of such change Section 2 of this Addendum will no longer apply and Client will be ineligible to receive any Response Times Credits.

Exhibit A "Assets" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "ASSETS" PRODUCT.

Subject to this Exhibit A, Client may request that Plaid disclose Output to Client's Secondary Investors. "Secondary Investor" means a third-party investor or purchaser of a financial product originated by Client and provided to an End User (e.g., a loan), with which investor or purchaser Plaid maintains a separate technical integration.

(i) Client represents and warrants to Plaid that, before disclosure of Output to any Secondary Investor, Client will provide all required notices to and obtain all required consents (including notices and consents required under applicable law) from the applicable End User with respect to Plaid's disclosure of Output to such Secondary Investor.

(ii) Notwithstanding any Plaid technical integration or anything else in the Agreement to the contrary: (a) Client is solely responsible for its own relationships with Secondary Investors, including any related billing matters, technical support, or disputes; (b) Client will enter into legally binding written agreements with each Secondary Investor that are consistent with this Exhibit A and all applicable terms and conditions of the Agreement, including, without limitation, Section 1.1 (Access) and 1.2 (Restrictions); and (c) Client will remain responsible for compliance by Secondary Investors with all of the terms and conditions of the Agreement (including, without limitation, terms relating to use of Output).

Client's indemnification obligations in Section 5 of the Agreement are deemed to include (a) any breach by Client of this Exhibit A, (b) any acts or omissions of Secondary Investors, and (c) any dispute arising among Client, Secondary Investors, and/or End Users relating to the disclosure or use of Output as contemplated in this Exhibit A.

Exhibit B "Income" and "Employment" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "INCOME" OR "EMPLOYMENT" PRODUCTS (collectively, the "Income and Employment Services").

1. Requested Information. In connection with certain features and functionalities of the Income and Employment Services, Client may be required to provide to Plaid certain End User information and documentation, including without limitation, the End User's name, phone number, employer's name, account information, and payroll information and documentation (such End User information and documentation, the "Requested Information"). Client represents and warrants that (a) all Requested Information provided to Plaid is true, accurate, and complete and (b) Client has provided all notices and obtained all consents required under applicable laws, regulations, and third-party agreements for (i) Client to share all Requested Information with Plaid and (ii) Plaid to collect, use, disclose, and otherwise process all Requested Information in accordance with Plaid's end user privacy policy (currently available at https:/ /www.plaid.com/legal), i ncluding without limitation, to provide the Income and Employment Services to Client. Client further covenants that it will not (a) make representations or other statements with respect to any Requested Information that are contrary to or otherwise inconsistent with the Agreement, this Exhibit B, or Plaid's end user privacy policy or (b) interfere with any independent efforts by Plaid to provide End User notice or obtain End User consent. The parties acknowledge and agree that the Services include the Income and Employment Services, and any information of or related to End Users that is provided to Client via the Income and Employment Services will be considered Output for purposes of the Agreement and this Exhibit B.

2. Secondary Investors. Client may request that Plaid disclose Output for the Income and Employment Services to Secondary Investors using the token integration mutually agreed to by Plaid and Client. "Secondary Investor" means a third-party investor or purchaser of a financial product originated by Client and provided to an End User (e.g., a loan), with which investor or purchaser Plaid maintains a separate technical integration. Client represents and warrants that Client has provided all notices and obtained all consents required under applicable laws, regulations, and third-party agreements for Plaid's disclosure of Output to Secondary Investors. Notwithstanding any Plaid technical integration or anything in the Agreement or this Exhibit B to the contrary, (a) Client is solely responsible for its own relationships with Secondary Investors, including any related billing matters, technical support, or disputes; (b) Client will enter into legally binding written agreements with each Secondary Investor that are consistent with all applicable terms and conditions of the Agreement and this Exhibit B, including, without limitation, Sections 1.1 (Access) and 1.2 (Restrictions) of the Agreement and other terms and conditions relating to use of Output; and (c) Client will remain responsible for Secondary Investors' compliance with all such terms and conditions.

3. Additional Indemnity. Client will defend, indemnify, and hold Plaid harmless against all third-party claims, actions, proceedings, regulatory investigations, damages, losses, judgments, settlements, costs, and expenses (including attorneys' fees) arising from or in connection with any (a) breach by Client of this Exhibit B, (b) infringement, misappropriation, or other violation of any third party's intellectual property or other rights by any of the Requested Information provided by Client to Plaid, (c) acts or omissions of Secondary Investors related to Output, and (d) dispute arising among Client, Secondary Investors, and/or End Users relating to the disclosure, use, or other processing of Output provided pursuant to this Exhibit B.

Exhibit C "Signal" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "SIGNAL" PRODUCT (the "Signal Service").

1. Use of the Signal Service; Restrictions. Client acknowledges and agrees that (i) any score, risk tier, data attribute, or other output provided by Plaid to Client via the Signal Service (collectively, the "Signal Output") does not constitute a "consumer report" as that term is defined in the federal Fair Credit Reporting Act ("FCRA"), 15 USC 1681 et seq., its implementing regulations, and relevant state consumer reporting laws and regulations, and (ii) Plaid is neither a "consumer reporting agency" nor a "furnisher" of information to consumer reporting agencies under the FCRA. Accordingly, Client acknowledges and agrees that the Signal Service and any Signal Output may not be used in whole or in part as a factor in determining an End User's eligibility for credit, insurance, employment or any other permissible purpose under the FCRA. Client further agrees that it will not (and will not permit or enable any third party to) use the Signal Service or any Signal Output in any manner such that either of the foregoing would be deemed as, or as part of, a "consumer report" under the FCRA. Client will not disclose or otherwise make available any Signal Output to any third party, including without limitation, the End User. Client acknowledges and agrees that any breach of this Exhibit C by Client will be deemed a material breach of the Agreement by Client. The parties acknowledge and agree that the Services include the Signal Service and that Output includes the Signal Output (as defined below) for purposes of the Agreement and this Exhibit C.

2. Term. Client may access the Signal Service subject to the Agreement and this Exhibit C. This Exhibit C will remain in effect until terminated in accordance with the terms of the Agreement or this Exhibit C. Plaid may suspend the Signal Service in the event it determines or believes that (i) there is unauthorized access to the Signal Service via Client's account, (ii) continued provision of the Signal Service may do material harm to Plaid or its networks, systems or reputation, or subject Plaid to liability, or (iii) Client has materially breached the terms of this Exhibit C. Except for Client's right to use the Signal Service to generate the Signal Output, all provisions of this Exhibit C will survive any expiration or termination of this Exhibit C.

3. Transaction Data. Client may provide to Plaid certain transaction information in connection with the Signal Service (such information, the "Transaction Data"). Client warrants and will ensure that it provides all notices and obtains all consents required under applicable laws, regulations, and third-party agreements for (i) Client to share the Transaction Data with Plaid and (ii) Plaid to provide the Signal Service to Client and to otherwise collect, use, and process the Transaction Data in accordance with Plaid's end user privacy policy (currently available at https:/ /www.plaid.com/legal). Client's indemnification obligations under the Agreement are deemed to include any breach by Client of this Exhibit C.

4. Feedback; Cooperation. Client will: (i) integrate within the Client Application, and provide feedback via, certain Plaid API feedback endpoints as required by Plaid in connection with Client's use of the Signal Service; and (ii) provide to Plaid the feedback, impression, reaction, product recommendation, and related information reasonably requested by Plaid in connection with Client's use of the Signal Service (all feedback and related information described in this sentence, collectively, the "Signal Feedback"). Plaid will own all right, title, and interest in and to the Signal Feedback, and Client hereby makes all assignments necessary to achieve such ownership. The Signal Feedback will be Plaid Confidential Information. Client will (a) promptly support and cooperate with all Signal Service updates that are introduced by Plaid, and (b) use

commercially reasonable efforts to cooperate with Plaid on A/B testing pertaining to the Signal Service.

5. Disclaimer. The parties acknowledge and agree that the Signal Service is provided "AS IS" with no express or implied Plaid warranty or indemnity of any kind. PLAID DISCLAIMS ALL WARRANTIES RELATING TO THE SIGNAL SERVICE, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Client acknowledges and agrees that: (i) the Signal Output is not intended to be used as the sole basis for any decision affecting a transaction or End User and that Client (and not Plaid) is responsible for any and all decisions and actions made by Client; and (ii) notwithstanding anything to the contrary in the Agreement and to the fullest extent permitted by law, Plaid will not be liable under this Addendum or the Agreement for any cost of cover, ACH return losses, or loss of business, revenues, or profits (in each case whether direct or indirect).

Exhibit D "IDV Services" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "IDENTITY VERIFICATION" OR "MONITOR" PRODUCTS.

1. DEFINITIONS

1.1. "Client Data" means data in electronic form that is transmitted through the IDV Services by, or on behalf of, Client and/or End Users, as applicable. For the avoidance of doubt, Output (as defined in the Agreement) does not include Client Data that is returned back to Client as a part of the IDV Services.

1.2. "Plaid Identity Verification" means the IDV Services that collect Client Data from Client or End Users, as determined by Client via the Dashboard.

1.3. "Plaid Monitor" means the anti-money-laundering screening IDV Services.

1.4. "IDV Services" means the Services comprised of the Plaid Identity Verification and Plaid Monitor, as applicable, and includes the Dashboard. For the avoidance of doubt, the Services include the IDV Services.

1.5. "Dashboard" means the portion of the IDV Services comprised of the IDV Services dashboard.

1.6. "DPPA" means the Drivers Privacy Protection Act, 18 U.S.C. § 2721, et. seq.

1.7. "GLBA" means the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.

1.8. "PII" means Client Data that relates to an End User and is deemed "personal data" or "personal information" (or analogous variations of such terms) under applicable privacy or data protection law.

For the purposes of this Exhibit D, references to "controller" and "processor" under this Exhibit D will be replaced with any corresponding terms with analogous meanings defined under applicable laws (for example, "business" and "service provider" under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020).

2. IDV SERVICES

2.1. Access. Client may use the IDV Services subject to, and only in accordance with, applicable laws, the Agreement (including this Exhibit D), and any agreements between Client and End Users (for clarity, including any privacy policy or terms of service). Additionally, without limiting the foregoing, Client may only use the IDV Services (i) in the normal course of its business to verify the accuracy of information submitted by End Users, and (ii) to match provided Client Data for screening purposes.

2.2. Instructions. To enable Plaid to provide the IDV Services to Client, Client will instruct Plaid via the Dashboard and as further specified in this Exhibit D. In accordance with this Exhibit D, such instructions will include direction to Plaid regarding: (i) the applicable Client Data that will be processed by the IDV Services on behalf of Client and its End Users and when such processingwill occur; and (ii) the End Users who will provide Client Data through the IDV Services.

2.3. Consent . Client represents and warrants to Plaid that Client will provide all notices to and obtain all consents from the applicable End Users, each, as required under applicable law, regulations, and third-party agreements, to enable (i) Client to disclose, use, and otherwise

process Client Data, as applicable, and (ii) Plaid (inclusive of Plaid's affiliates, subcontractors or service providers, and data sources) to collect, use, disclose, and otherwise process Client Data as needed for Plaid to provide the IDV Services or exercise Plaid's rights under this Exhibit D. Client will maintain records sufficient to demonstrate its compliance with this Section 2.3 and will promptly provide such records to Plaid upon request.

2.4. Client Data . Client grants to Plaid and its affiliates, including BlockScore, LLC, a limited and non-exclusive license to copy, store, configure, display, back test, transmit, and otherwise process Client Data as necessary to provide the IDV Services and develop enhancements in accordance with the end user privacy statement available at https://cognitohq.com/privacystatement, as applicable. Without limiting the immediately prior sentence, Plaid will: (i) use Client Data at the direction of Client; and (ii) disclose Client Data to subcontractors subject to restrictions similar to those of Plaid under this Exhibit D. Notwithstanding anything to the contrary, Plaid may disclose Client Data as required by law or court order; provided that, to the extent legally permissible, Plaid will promptly notify Client of such requirement and use best efforts to limit such disclosure. Subject to the foregoing in this paragraph, Client will retain its existing rights in and to Client Data and, as between the parties, will retain ownership of Client Data. For the avoidance of doubt and notwithstanding the other provisions of this Exhibit D, the parties hereto acknowledge and agree that Plaid may use, reproduce, disclose, or otherwise exploit de-identified or anonymized Client Data (i.e., Client Data from which PII has been removed, de-identified, or anonymized) in any way in Plaid's sole discretion. Plaid reserves the right to provide the IDV Services, through use of its subcontractors and/or affiliates (including, for clarity, its subcontractor and affiliate BlockScore, LLC) or otherwise, worldwide.

3. COMPLIANCE

3.1. GLBA; DPPA. Client certifies that all Client's and Permitted Service Providers' uses of, and purposes pertaining to, the IDV Services are and will be in accordance with and solely comprised of, as applicable the uses and purposes: (i) described in Section 6802(e) of GLBA and the United States Federal Trade Commission rules promulgated thereunder, as may be interpreted from time to time by a competent regulatory authority; or (ii) permitted under DPPA.

3.2. Processing on Client's Behalf. Client acknowledges and agrees that, solely with regard to the Client Data processed in relation to the IDV Services: (i) Client will determine the purpose and means by which Client Data is processed; (ii) Plaid will act on Client's instructions with respect to how, what, when, and why Client Data is to be processed by Plaid; and that therefore

(iii) Client will be deemed a data controller with regard to such Client Data; and (iv) Plaid will be deemed a data processor with regard to such Client Data (e.g., for clarity, where Plaid is facilitating watchlist or antifraud screening services). Client will direct applicable End Users to Client's privacy policy for any queries or requests regarding such End Users' rights with respect to, and the processing of, the PII applicable to the IDV Services. For the avoidance of doubt, Client acknowledges and agrees that Client's privacy policy controls with respect to the processing of all PII applicable to the IDV Services and that Client is, and will remain, responsiblefor maintaining and making available any data retention policy or provision regarding Plaid's storage of PII on Client's behalf in relation to Plaid's provision of the IDV Services hereunder. In addition, Plaid and Client may mutually agree upon the retention periods for various types of Client data. Plaid will not: (a) process the PII for any purpose other than as necessary to perform the IDV Services on behalf of the Client; (b) process the PII for a commercial purpose other than providing the IDV Services to the Client; (c) sell any PII, (d) process the PII outside of the direct business relationship between Client and Plaid; or (e) combine the PII with any other personal information Plaid collects (directly or via any third party)other than as expressly permitted for processors under applicable laws.

3.3. Details of Processing. Client controls the types of PII that may be processed in connection with the IDV Services, which may include: name, address, date of birth, phone number, identification documents, and images and video (such as photos or selfies). The duration of processing of PII is for the term of the relevant Order relating to the IDV Services, unless otherwise agreed to by the parties.

3.4. FCRA. Client acknowledges and agrees that Plaid is neither a "consumer reporting agency" nor a "furnisher" of information to consumer reporting agencies under the FCRA andthe Client Data is not a "consumer report" under the FCRA and cannot be used as or in such. Client represents and warrants that it will not, and will not permit or enable any third party to,use the Services or any Client Data as a or as part of a "consumer report" as that term isdefined in the FCRA or otherwise use the Services or any Client Data such that the Services (or any Client Data) would be deemed "consumer reports" under the FCRA.

3.5. Client Responsibilities. Notwithstanding any non-Client technical integration or anything in this Exhibit D or the Agreement to the contrary, Client is solely responsible for its own relationships with End Users, including any related billing matters, technical support, or disputes. Without limiting anything in this Exhibit D or the Agreement, Client will publish and maintain an easily accessible, legally sufficient (i) terms of service regarding each applicable End User's use of the Client's services and (ii) privacy policy, as further discussed in Section 3.2of this Exhibit D. Client will promptly notify Plaid upon making any material changes to such Client terms of service and/or privacy policy. Client is, and will remain, solely responsible and liable for each End User's and each Permitted Service Provider's use of and access to the IDV Services. Client will have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Client Data, and for verifying the same.

3.6. Plaid Responsibilities . In connection with its processing of any Client Data, Plaid will comply with all obligations applicable to it as a processor under applicable laws and provide the same level of privacy protection as is required by applicable laws. Client reserves the right upon notice to Plaid to take reasonable and appropriate steps to stop and remediate unauthorized use of PII. Plaid will make available to Client all information reasonably necessary to demonstrate its compliance with the obligations in this Exhibit D and applicable laws, to the extent suchinformation is related to the IDV Services.

4. DISCLAIMER

Plaid makes no warranty with respect to, and disclaims all liability as pertaining to, the accuracy of any data: (i) uploaded to or otherwise provided to or for the IDV Services by or on behalf of Client or End Users; and (ii) provided by, as processed by, or otherwise originating from Plaid or Plaid's data sources in relation to the IDV Services. With respect to the IDV Services, Plaid disclaims all liability for the errors and omissions of Plaid and its data sources.

5. SECURITY

5.1. Plaid InfoSec Program . Plaid will use commercially reasonable efforts to develop, implement, maintain, and enforce a written information security program ("Plaid InfoSec Program") that contains administrative, technical, and physical controls that are appropriate to Plaid's size and the complexity, nature, and scope of the IDV Services. The Plaid InfoSec Program will be reasonably designed to: (i) ensure the security and confidentiality of Client Data; (ii) protect against any anticipated threats or hazards to the security or integrity of Client Data; and (iii) protect against unauthorized access to or use of Client Data. The Plaid InfoSec Program will comply with all information and data security requirements promulgated by applicable state and federal laws and regulations in the U.S. Plaid will review and test the design and operational effectiveness of the Plaid InfoSec Program at least annually.

Additionally, Plaid will: (a) maintain SSAE No. 18 SOC 2; and (b) upon reasonable request from Client (no more than once per calendar year), provide to Client a copy of the Executive Summary of Plaid's then-current SOC 2 report conducted by a third-party assessor.

5.2. Security Incident . If Plaid becomes aware of any event that: (i) compromises the security, integrity, or confidentiality of PII; and (ii) results in the unauthorized access, use, disclosure, or loss of PII (collectively, a "Security Incident"), then to the extent that such Security Incident occurred on or affects any systems or facilities owned or operated by Plaid, and unless prohibited by applicable law, Plaid will promptly following Plaid becoming aware of such Security Incident: (a) notify Client and reasonably assist Client in satisfying any of its notification obligations imposed under applicable laws in connection with any Security Incident; and (b) investigate and use commercially reasonable efforts to remedy and mitigate the effects of the Security Incident.

6. EFFECT OF TERMINATION

Upon termination or expiration of an Order relating to the IDV Services: (i) Client will destroy or return to Plaid all IDV Services documentation provided to Client relating to such Order; (ii) following Plaid's receipt of Client's request in writing, Plaid will delete (rather than return) all Client Data stored on Plaid's servers relating to such Order, unless retention of the Client Data is required under applicable law; and (iii) Client will have thirty (30) days to download any Client Data relating to such Order before Plaid may delete such information. Plaid disclaims all liability pertaining to: (a) Plaid's deletion of such Client Data after such termination or expiration; and (b) Client's use of the IDV Services and Client Data (including, for clarity, any other deletion of Client Data) after such termination or expiration.

7. INDEMNITY

Client's indemnification obligations in the Agreement are deemed to include: (i) breaches by Client of this Exhibit D; (ii) acts or omissions of Client employees, affiliates, clients, or contractors; (iii) disputes or claims relating to the disclosure or use of Client Data by Client or its Permitted Service Providers.

8. MISCELLANEOUS

Plaid may update the IDV Services and their relevant documentation from time to time; provided that Plaid will use commercially reasonable efforts to notify Client in the event of material changes to the IDV Services in the manner and to the extent Plaid notifies all of its relevant clients of the same, towards ensuring that such clients may continue to use the IDV Services with minimal interruption.

Exhibit E

"Enrich" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "ENRICH" PRODUCT.

1. Use of the Plaid Enrich Services & Input. Client may provide to Plaid certain information in connection with its use of the Enrich Services, including without limitation, transaction descriptions, transaction identifiers, transaction amounts, transaction currency codes, and any other data fields agreed by the parties (all such information, the "Client Input"). Client warrants and will ensure that it provides all notices and obtains all consents required under applicable laws, regulations, and third-party agreements for: (i) Client to share all Client Input with Plaid; and (ii) Plaid to provide the Enrich Services to Client and to otherwise collect, use, and process Input in accordance with Plaid's end user privacy policy (available at https:/ /www.plaid.com/legal).
2. Enrich Services and Enrich Output. Based upon its processing (including certain standardization and enhancement) of the Client Input in accordance with Plaid's technical documentation, the Enrich Services may generate and return to Client, via the API Package, the Enrich Services output (the "Enrich Output"). The parties acknowledge and agree that the Services include the Enrich Services and the Output includes the Enrich Output.
3. Additional Restrictions. Client will not, and will not enable or assist any third-party to: (i) reverse engineer the Enrich Output; (ii) use the Enrich Output (or any fields therein) in relation to any transaction other than the one to which the relevant Client Input relates, including any similar future transactions; or (iii) download, cache, or otherwise save the merchant logo images provided by Plaid for any purpose. Without limiting the foregoing, Client may store Enrich Output solely to the extent necessary to support Client's internal use of the Enrich Services (e.g., for surfacing transaction data within Client's user experience, delivering spending insights, determining rewards and similar product decision offerings, or for targeted marketing, partnership considerations, and other internal analyses) in accordance with the Agreement.
4. Additional Indemnity. Client's indemnification obligations in the Agreement are deemed to include any breach by (or on behalf of) Client of this Exhibit E.

Exhibit F

"Identity Match Add-On" Product Specific Provisions

THE FOLLOWING PROVISIONS WILL ONLY APPLY IF CLIENT USES PLAID'S "IDENTITY MATCH ADD-ON" PRODUCT.

Identity Match Add-On. Client may provide (either via the endpoint designated for the service or otherwise) to Plaid certain end user information in connection with its use of Plaid's Identity Match Add-On product, an enhanced feature of Plaid's Identity product, including without limitation, name, phone number, email address, address, and any other data field or label agreed to by the parties (such product, the "Identity Match Add-On Service", and any such end user information, the "Input"). The Services include the Identity Match Add-On Service. Client warrants and will ensure that it provides all notices and obtains all consents required under applicable laws, regulations, and third-party agreements for (a) Client to share all Input with Plaid as a data controller and (b) Plaid to use, collect, retain, and otherwise process Input as a data controller to provide the Identity Match Add-On Service to Client and to develop, improve, and operate Plaid's fraud prevention and detection services. Notwithstanding anything to the contrary, to the extent Plaid has independently obtained broader rights to Input (e.g., directly from end users, through a third party, or under applicable laws or regulations), nothing in this paragraph will limit such broader rights. Client's indemnification obligations under the Agreement are deemed to include any breach by Client of this Exhibit. The parties acknowledge and agree that Input is not the Confidential Information of either party. Capitalized terms used and not otherwise defined in this paragraph have the meanings ascribed to them in the Agreement.