Terms and Conditions of Sale


These General Terms and Conditions of Sale (“GTC”) apply to the Services performed by Powens for its Clients.

The Service Provider and the Client are individually referred to as “the Party” or collectively as “the Parties”.

 

Preamble

These GTC are applicable in their entirety to any offer of Services performed by Powens (hereinafter referred to as “The Service Provider”) for its Clients (hereinafter referred to as “The Client”). The Client commits itself through a purchase order (hereinafter referred to as “the Purchase Order”). The GTC and its appendices, the potential Special Conditions and the Purchase Order constitute the contractual commitment between the Parties (hereinafter referred to as “the Contract”).

This Contract supersedes all prior documents and agreements between the Parties and may not be modified except by written agreement signed by the Parties.
In addition, any modification to the terms of a Purchase Order shall be subject to a corrective Purchase Order.

All provisions of the Agreement shall prevail over any purchase terms and conditions of the Client. Any condition contrary to the Agreement set forth by the Client, in its general terms and conditions of purchase or in any other document, shall not be binding on the Service Provider unless expressly accepted by the Service Provider.

The Agreement does not create any relationship of subordination between the Service Provider and the Client, both of whom are independent in the performance of their activities. They are free to determine the manner in which they conduct their business in accordance with their own organization. The Agreement shall in no way be construed as creating a common entity, a de facto or de jure association or an employer-employee relationship.

 

HAVING SAID THIS, IT IS AGREED AS FOLLOWS:

Definitions

Capitalized terms and expressions used in the Contract shall have the meanings set forth below, whether used in the singular or plural:

“ACPR”: Refers to the Autorité de Contrôle Prudentiel et de Résolution.

“API” means the application programming interface provided by the Service Provider to enable the performance of the Contract.

“Connector”: Refers to the code that allows the aggregation of data.

“Contract”: Refers to these GTCs and its Annexes, the potential Special Conditions and the Purchase Order accepted by the Client by signing the Purchase Order.

“Client Data” means all information, personal data, records, documents, including any Confidential Information of the Client, relating to the Client’s business, personnel and direct Clients and the Clients of the Client. It also includes data transmitted to the Service Provider as well as data collected, generated, manipulated or modified by the Service Provider in the course of providing the Services to the Client, including Personal Data belonging to the Client, the Client’s client and the clients of the Client.

“PSD2”: Refers to the second European Directive 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.

“User ID”: Refers to the unique identifier assigned to each User allowing the Parties’ support teams to communicate. The correspondence between the User ID and the identity of the User is only available in the database located at the Client.

“Transfer Initiation”: Means any request to initiate a payment made by the Payer or the payment beneficiary, which has been authenticated by the Payer with their payment service provider, whether it is subsequently accepted or rejected by the Payer’s bank. This validation includes the authentication steps that the Payer must perform to confirm the request and will result in the billing of the Payable Product.

“Service(s)”: Means all services performed under the Contract, including the Products selected within the Purchase Order.

“Bank Product”: Refers to the services of the software solution developed by the Service Provider allowing the provision of information on accounts under Article L522-1 et seq. of the Monetary and Financial Code.

“Trust Product”: Refers to the services of the software solution developed by the Service Provider allowing access to a User’s supporting and administrative documents previously collected from the suppliers connected by the Service Provider.

“Pay Product”: Refers to the services of the software solution developed by the Service Provider allowing the initiation of payment under Article L522-1 et seq. of the French Monetary and Financial Code.

“Wealth Product” means the software solution services developed by the Service Provider allowing the aggregation of bank accounts other than payment accounts subject to PSD2.

“Account Check Product”: Refers to the services of the software solution developed by the Service Provider allowing access to the identity data of the account holder and/or the User.

“Advisory Product”: Refers to the services of the software solution developed by the Service Provider allowing the analysis of a User’s banking data in the form of a report and a set of metrics leading to a creditworthiness profile.

“Personal Data Regulation”: Refers to (i) the French Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms, as subsequently amended, (ii) Regulation (EU) No. 2016/679 of April 27, 2016 on the protection of individuals with regard to the Processing of personal data and on the free movement of such data, (iii) all legislative and regulatory texts, including the decisions, opinions and recommendations of the Community authorities and the Supervisory Authorities, as well as the decisions, opinions and recommendations of the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (the “Article 29 Working Party”), as well as of the European Data Protection Committee established by Article 68 of the General Data Protection Regulation implementing the aforementioned texts.

“Users” means a user, whether an individual or a corporation, who has either performed at least one Synchronization in the last month or has initiated a Transfer. This User may also be referred to as “the Payer” in the context of a Transfer Initiation. Users are counted by Product.

“Webview” means the Service Provider’s technical environment to which the User is redirected in order to use the Service Provider’s services.

“Data Protection Impact Assessment”, “Personal Data”, “Data Subject(s)”, “Data Protection by Design”, “Data Protection by Default”, “Data Processor”, “Joint Data Processors”, “Subcontractor”, “Processing(s)”, “Transfers”, “Data Breaches”: have the meaning intended by the Personal Data Regulation.

 

As used herein, unless the context otherwise requires, the singular includes the plural and the plural includes the singular.

 

Article 1. Purpose of the contract

By the Agreement, the Service Provider grants to the Client, who accepts it, a non-exclusive and non-transferable right, except for its own customers, to use the API.

 

Article 2. Duration of the Contract

Unless otherwise specified in the Purchase Order, the Contract shall be effective as of the date the Purchase Order is signed by both Parties.
The Contract shall provide for a term of engagement indicated in the Purchase Order. The Contract shall then be renewed by tacit agreement for successive periods as indicated in the Purchase Order, unless terminated by either Party by physical or electronic registered mail with acknowledgement of receipt, at least ninety (90) days before the expiration of the current period.

 

Article 3. Financial conditions

3.1 The amount and frequency of billing for the Services provided by the Service Provider are set forth in the Purchase Order.

Invoicing shall begin by default on the first billing date specified in the Purchase Order; if not specified, billing shall begin on the effective date of the Contract.

Invoices shall be issued prior to the period for which the Service Provider provides the service.
In addition, an invoice will be issued each month in the event that the volume of Users provided for in the Purchase Order is exceeded during the previous month.

The Parties agree that billing for tacitly renewed periods shall be based on the annualized prorated amount of the last month of service covered by the Purchase Order under the initial commitment period.

The number of Users shall be counted based on the number of Users counted each month per product and per domain. It is agreed between the Parties that the number of Users calculated by the Service Provider’s API will be the definitive number.

The basis for calculating the billing for the Pay Product is the number of Transfer Initiations counted each month. An Initiation will be counted following authentication by the Payor with its payment service provider, regardless of whether it is subsequently accepted or declined by the Payor or its payment service provider.

The Parties agree that all prices indicated in the Contract shall be subject to annual revision by operation of law and without formality, on the anniversary date of the conclusion of the Contract according to the variation of the SYNTEC index in accordance with the following formula:

P = Po x S / So.

P = price after revision.

Po = initial price for the first revision, then price from the previous revision for subsequent revisions.

S = most recent SYNTEC index published on the date of the revision of the fee.

So = value of the SYNTEC index in effect on the date the Purchase Order was signed for the first revision, then value of the SYNTEC index on the day of the previous revision for subsequent revisions.

In the event of the disappearance of one or other of the indices, the Parties shall agree on the new index or indices to establish a formula with comparable effect.

3.2 Terms of payment for services

3.2.1 Terms of payment

Invoices are expressed in Euros and are exclusive of any applicable taxes, duties or fees. All invoices are payable upon receipt.

By default, all invoices will be paid by direct debit. For this purpose, the SEPA direct debit mandate to be filled in and signed electronically is provided in the annex to the Purchase Order.

3.2.2 Additional services

Any additional services provided by the Service Provider under the Agreement shall be subject to specific payment in accordance with the terms of the Purchase Order.

3.2.3 Late payment

Any delay in payment will be subject to late payment penalties calculated at a rate equal to three times the legal interest rate in force in accordance with Article L 441-6 of the French Commercial Code and a fixed indemnity of 40 € for collection costs will be applied in addition to the late payment penalties in accordance with Article D 441-5 of the French Commercial Code.

3.2.4 Penalty clause

In the event that the Client’s failure to pay obliges the Service Provider to send multiple reminders, including one by formal notice to pay, and/or to initiate legal action, the Client shall pay, in addition to the principal amount of the invoice, costs, expenses and emoluments ordinarily and legally payable by the Client, an indemnity fixed at 15% of the principal amount of the claim, including VAT, by way of contractual and fixed damages.

 

Article 4. Staff

The Service Provider shall recruit, remunerate, train and direct under its sole responsibility the personnel it appoints for the performance of the Services, as well as the subcontractors it may use. The Service Provider shall be solely responsible for the termination of the relationship with its personnel and Subcontractors and shall bear the consequences thereof.

 

Article 5. Place of performance of the Services

The Services shall be performed at the Service Provider’s designated premises.

 

Article 6. Confidentiality

6.1 In general, the Parties as well as their permanent and non-permanent staff undertake to maintain the secrecy and confidentiality of the Confidential Information to which they will have access in the performance of the Agreement. The Parties further agree to prevent, by any means, the reproduction and use of documents or information originating from the Client not expressly related to the Services.

This obligation of confidentiality shall remain in effect for the term of the Agreement and thereafter for five (5) years from the date of termination of the Agreement.

6.2 These confidentiality obligations do not apply to the Parties where:

  • The Parties may demonstrate that the Confidential Information was known to them prior to the date of execution of the Agreement;
  • The Confidential Information was in the public domain at the time of disclosure;
  • The Confidential Information shall be made available to the public by publication or other means of communication, except to the extent that this is due to the fault or negligence of the Party receiving the information;
  • Where the Party receiving the Confidential Information can demonstrate that the information was provided to it by a third party without a breach of confidentiality.

6.3 Notwithstanding 6.1 above, the Parties may disclose Confidential Information when required to do so by applicable laws and/or regulations and/or any regulatory, supervisory and/or tax authority and/or any court order. The Party that has disclosed the Confidential Information in this context undertakes to inform the other Party by any means, unless prohibited by law or regulation.

 

Article 7. Common obligations of the Parties

Under the Contract, the Parties:

  • 1. are each responsible for and retain control of their computer systems, within the framework of their respective contractual relationships with Users.
  • 2. each agree to obtain and maintain insurance in accordance with their legal and regulatory obligations, and sufficient to cover their civil and professional liability, for the performance of the Contract.
  • 3. undertake to communicate, to transmit information and supporting documents, to cooperate and to provide each other with all necessary assistance, in all loyalty, to maintain the proper functioning of the service, and in general to respond to any external request that may emanate directly or indirectly from the various administrations and supervisory authorities.

 

Article 8. Obligations of the Service Provider

For the whole duration of the Contract and of the contractual guarantee of the API, the Service Provider implements all the financial, material and human means necessary to ensure the maintenance and correction of the connectors and the accuracy and proper security of the personal data, in strict compliance with the rules of the art and the regulations on the protection of personal data.

Nevertheless, the Service Provider reserves the right to remove a connector if the interface proposed by the institution (API, website or other) is too unstable to guarantee a sufficient level of quality.

The Service Provider acknowledges that it has an obligation to inform, alert and advise the Client, which it undertakes to fulfill throughout the term of the Agreement.

 

Article 9. Obligations of the Client

The Client agrees to provide the Service Provider with all access and information considered necessary by the Service Provider for the proper provision of the service.

In addition, the Client agrees to:

  • 1. Integrate and maintain interoperability of the Service Provider’s API and Webview in its application in accordance with the Service Provider’s requirements and develop an application that complies with applicable legal and regulatory requirements. Backward compatibility of the Service Provider’s technology is assured but may be limited by various factors. The Service Provider shall not be held responsible for any malfunction resulting from the Client’s refusal to perform an API update or any version upgrade;
  • 2. Provide in the implementation of its technical environment the reception of daily information updates by webhooks;
  • 3. Provide an annual listing of its legal entity clients to whom the API provided by the Service Provider is made available in accordance with the conditions set forth in Article 18 “Intellectual Property” of the GTC. This listing will include the identity of the Client’s legal entity Clients, their activity as well as their regulated or unregulated status with the ACPR or another national authority. Moreover, as part of this provision, the Client agrees that its legal entity Clients use the Service Provider’s Webview.

The Client agrees to report as soon as possible to the Service Provider any anomaly, information or suspicious event that may reveal or provide an indication of a possible security compromise or fraud. A Client that neglects to report such information, or deliberately reports it late, is likely to incur liability towards the Service Provider.

 

Article 10. Guarantees

10.1 Guarantees of the Service Provider

The Service Provider warrants that the API complies with the technical documentation available at the following address: https://docs.powens.com.

The Service Provider shall repair or replace, at its own cost, defective parts of the API and/or new versions of the API. If the Service Provider or the Client detects an error in the API and/or new versions of the API, the Service Provider shall implement, at no additional cost, another API.

The Service Provider warrants that the standards applicable to the infrastructure are in accordance with the state of the art commonly accepted in the market.

10.2 Client warranties

The Client shall indemnify the Service Provider against any claim by a User against the Service Provider as a result of fraudulent or abusive use of the Service Provider’s service through the Client, unless the Client can prove the Service Provider’s liability, even partial.

 

Article 11. Responsibility

The Service Provider shall be liable only for direct damages suffered by the Client or Users as a result of the Service Provider’s failure to perform any of its obligations under the Agreement, with the express exclusion of compensation for any indirect or consequential damages, commercial damages, loss of business or turnover, financial loss, interruption of use or availability of data.

In case of theft, fraudulent use, or any other incident related to its data, occurring after the transfer to the Client’s environment of these data, the Client releases the Service Provider from any liability for these incidents.

In any event, the total liability of the Service Provider shall not exceed the total amount actually received by the Service Provider for the right of use in the calendar year in which the incident occurs.

Notwithstanding the foregoing, the Service Provider’s liability shall not be limited in the event of fraudulent, intentional or gross negligence on its part.

 

Article 12. Relationship of the Parties with the User

The Client is responsible for the Client relationship (questions, complaints, problems) on the services offered through the API of the Service Provider and will be the first contact of the Users.

The service proposed by the Service Provider will be accessible to the Users, via the Webview, thanks to a redirection from the Client’s website or application.

The User shall accept the Terms and Conditions of Use of the Service Provider when accessing the Webview for the first time and each time he/she logs in. In the event that the Terms and Conditions of Use are modified, the Service Provider undertakes to communicate the new Terms and Conditions of Use to the Client.

In the event of a request related to the Service Provider’s technology, the Service Provider undertakes to provide all necessary assistance to the Client for the processing of its Clients’ requests related to its technology.

 

Article 13. Security

The Service Provider undertakes to take all necessary precautions, in accordance with the legislation and regulations in force, to preserve the security of Users’ hosted data. These data are hosted in an encrypted way.

The Service Provider ensures the security of its computer system in accordance with the state of the art and will be held responsible in case of intrusion in its computer system if it has not put in place the required means to ensure its security. The Service Provider undertakes to report any security breach or update necessary to ensure the security of the hosting system of the Users’ data.

 

Article 14. Support-Maintenance Hosting

14.1 Support

Any request related to the technical part of the API will go through the support by sending an email to support@powens.com. On the day of the contract, the management of tickets is done through Jira. The support hours are from 9.30am to 7pm on working days. In case of modification of this procedure, the Service Provider will immediately inform the Client.

14.2 Maintenance

The Service Provider hereby undertakes to maintain the API or correct the malfunction of the API under the conditions defined below:

  • Corrective maintenance
    Corrective maintenance means the correction of any anomaly in the API. The Service Provider or its subcontractor will provide maintenance services. In this context, the Service Provider undertakes to provide the Client with an exhaustive report on the follow-up of the maintenance operations carried out.
  • API Documentation
    The Service Provider undertakes to keep the associated API documentation up to date and to provide it to the Client upon request.

14.3 Hosting

All of the Service Provider’s servers are hosted in the European Union.

  • The Service Provider undertakes to notify the Client for any change of hosting provider meeting these conditions.
  • The Service Provider shall not transfer any personal data outside the European Union without the Client’s prior express consent.

 

Article 15. Termination of the Contract

15.1 The contract may be terminated by operation of law upon simple written notification to the other Party at any time, in the event of failure by either Party to meet its obligations, fifteen (15) days after formal notice by physical or electronic registered letter with acknowledgement of receipt, which has remained without effect.

This fifteen (15) day notice shall not apply where the failure of one Party results in the other Party being placed in a situation of illegality that must be remedied without delay, particularly in the case of manifest and repeated breaches of the compliance requirements to which the Parties are subject.

15.2 In the event of termination of the contractual relationship, the Service Provider undertakes, at the Client’s discretion, to either destroy or securely return all data collected in a standard SQL format within thirty (30) days of the end of the notice period.

The data collected will be kept for a maximum of thirty (30) days after the end of the Contract. At the end of this period, the data will be automatically destroyed.

15.3 Termination will not defeat the warranty and liability provisions of the Parties.

15.4 Termination or expiration of the Agreement for any reason shall not relieve either Party of any obligations that arose prior to termination or expiration, or that inherently survive termination or expiration, such as, without limitation, obligations under the “Confidentiality” or “Intellectual Property” sections.

 

Article 16. Non-solicitation of personnel

Each of the Parties undertakes, for the duration of the Contract, plus a period of twelve (12) months from its expiry, not to directly solicit an employee of the other Party assigned directly to the performance of this Contract without the prior written consent of the other Party.

Each Party undertakes, in the event of non-compliance with such a clause, to compensate the other Party with an indemnity equal to the total gross remuneration paid to such employee during the year preceding his departure.

 

Article 17. Protection of personal data

The Parties undertake to comply with the applicable legal and regulatory provisions on the protection of personal data, in particular (i) Directive 95/46/EC and Law 78-17 of 6 January 1978 as amended, as well as (ii) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as of 25 May 2018.

The responsibilities of each Party may be defined in the “Personal Data Processing” appendix of the GTC.

 

Article 18. Intellectual Property

The API and connectors made available to the Client by the Service Provider in the performance of the Agreement shall remain the exclusive property of the Service Provider.

The Service Provider grants the Client for the duration of the Agreement, a non-exclusive license to use its API and connectors anywhere in the world so that the Client can provide its services to the Users.

The Service Provider represents that it has all rights to the API and connectors that are the subject of the Agreement. The Service Provider warrants to the Client that it has all the rights to enter into the Agreement, including but not limited to:

  • 1. that its API does not constitute an infringement of a pre-existing work;
  • 2. that it has respected and will respect the intellectual property rights of third parties, including copyright, design rights, patents and trademarks.

In this respect, the Service Provider shall indemnify the Client against any action, claim, demand or opposition from any person claiming an intellectual property right or an act of unfair competition and/or parasite, to which the performance of the agreement would have infringed.

The Client agrees not to file or claim, directly or indirectly, on its behalf or on behalf of a third party, in France and throughout the world, any title or intellectual property right on the information it receives from the Service Provider under the Agreement. This obligation shall survive the termination of the Agreement.

 

The Client also agrees not to:

  • 1. modify, adapt, translate, assign, transfer, lease or loan the API and Connectors outside the terms of this Agreement;
  • 2. create any derivative work of all or part of the API, which is not already created by the Client;
  • 3. access the API sources and connectors of the Service Provider, nor have any rights in this regard;
  • 4. reverse engineer the API and connectors, decompile the API and connectors, disassemble the API or put the API and connectors in any way in a humanly decipherable form that would infringe the Service Provider’s trade secret and API.

 

The Client will not be able to keep copies, consult, access or carry out any processing on the displayed data, except for those actions for which the User would have directly and explicitly consented with him. For these data, the Client will be able to save the results of the API queries in its databases and exploit these data. This data will be protected with a level of security at least equivalent to that implemented by the Service Provider.

 

The Service Provider grants a sub-license right to the Client’s legal entity Clients in the context of the provision by the Client of the API to such Clients in:

  • 1. the limitations of the Protocol set forth in the Appendix “AML/CFT Protocol and Compliance in a PSP/marketplace Distribution System” to the GTCs in the event that the Client uses the Pay product in a PSP/marketplace distribution system; and
  • 2. the only case where the Service Provider’s services are included in a global service offer of the Client for which the Service Provider’s solutions are not the only functionalities made available.

The Service Provider authorizes the Client to use its name in its corporate, commercial and advertising materials, in strict compliance with the provisions of the Agreement, for the sole purpose of informing its Clients and service providers, and, more generally, the public, where applicable, for the purpose of performing its obligations under the Agreement. Any commercial advertising to the public containing the name of the Service Provider shall, however, be subject to the Service Provider’s prior consent.

The Client authorizes the use of its trade name and logo by the Service Provider for marketing purposes and in its commercial documents intended for the public during the entire contractual period.

 

Article 19. Assignment of the Contract

Each Party may not assign the Contract without the prior and express consent of the other Party.

 

Article 20. Force Majeure

If a Party suffers an event of force majeure, as defined by the laws and regulations in force, it shall notify the other Party as soon as possible after becoming aware of it. In this case, the Party that is the victim of the force majeure event must do everything possible to limit the impact that such an event could have on the performance of its obligations under the Contract. In the event of an event of force majeure, the respective obligations of the Parties shall be suspended and neither Party shall incur any liability as a result.

If an event of force majeure continues to prevent one of the Parties from performing a substantial part of its obligations under the Contract for more than one month, the other Party may terminate the Contract as of right and without compensation by sending the other Party written notice by physical or electronic registered mail with acknowledgement of receipt thirty (30) calendar days in advance.

 

Article 21. Subcontracting

The Parties are authorized to subcontract all or part of their obligations under the Contract. In the event that a subcontractor is used, the Parties shall remain fully responsible for the services performed under the Contract.

 

Article 22. Foreseeability

The Parties, by mutual agreement, expressly waive the provisions of Article 1195 of the Civil Code and consequently agree, in the event of unforeseen circumstances as defined by the aforementioned article, to bear all the economic and financial consequences thereof.

 

Article 23. Fight against corruption

The Parties declare that they will scrupulously comply with the anti-corruption provisions applicable to the public and private sectors, codified in particular in Articles 432-11, 433-1, 435-1 et seq., 445-1 et seq. of the French Penal Code, L.442-6 of the French Commercial Code and Law n°2016-1691 of December 9, 2016 and/or any text that may supplement and/or replace them.

In this respect, the Parties, their employees, servants and corporate officers, shall refrain from offering or receiving without right, directly or indirectly, offers, promises, gifts, presents, or benefits of any kind, for themselves or others, for the purpose of performing or refraining from performing or facilitating an act in violation of their legal and/or professional obligations and/or those arising from the Contract.

The Service Provider undertakes to comply with the Sanctions, the applicable regulations on the fight against money laundering and the financing of terrorism and the fight against corruption (in particular the French “Sapin II” law, US Foreign Corrupt Practices Act, UK Bribery Act).

The Service Provider shall not provide any products or services or act in any manner that may result, directly or indirectly, in a violation of the Sanctions. The Service Provider shall not engage in, support or participate in any transaction involving, directly or indirectly, (i) a Sanctioned Country, (ii) a Sanctioned Person, or (iii) which may constitute a violation of the Sanctions.

 

Article 24. Anti-Money Laundering and Combating the Financing of Terrorism (Product Pay)

In the context of the Fight Against Money Laundering and Terrorist Financing (“LCB-FT“) applicable only to the Pay Product, the Service Provider must be able to identify the User of its Pay Product. In this specific situation, the Client will be considered as an external service provider of the Service Provider, and the relationship between the Parties will be governed by Article 10 of the Order of January 6, 2021 relating to the mechanism and internal control in the fight against money laundering and the financing of terrorism and the freezing of assets and the prohibition on making funds or economic resources available or using them.

For the outsourced services performed on behalf of the Service Provider, the Client shall transmit to the Service Provider, in accordance with Article R.561-5 of the CMF, at least the first and last name of the Users who are natural persons and the Siret number for the Users who are legal persons. This transmission will be done by API, and in case of failure of the API by e-mail.

In case of doubt about the identity of a User, the Service Provider may implement enhanced vigilance measures and request supporting documents and additional information from the Client. The Client undertakes to transmit these supporting documents within forty-eight (48) working hours.

The Client also agrees not to inform the User of the Service Provider’s suspicion. In case of persistent doubt, the Service Provider may choose not to offer the Pay Product to this User. The Client may not object to this.

The Client undertakes to inform the Service Provider of any event that may have a significant impact on its ability to perform the Outsourced Services effectively and in compliance with applicable law. In any event, the Client may not substantially modify the Outsourced Services without the prior written consent of the Service Provider.

The Client undertakes to ensure the continuity of the transmission of the said information by setting up a back-up mechanism if necessary. This can be done by transmitting the aforementioned information manually.

A steering committee will be held each year between the Service Provider and the Client to oversee the AML/CFT obligations. The Parties may decide to set up additional steering committees at the request of the Client.

 

Article 25.  Audit

Throughout the term of the Agreement, as part of the Pay Product, the Service Provider may perform or have performed by an independent third party audits of all or part of the Client’s payment activity (hereinafter referred to as “the Services“), subject to ten (10) days’ notice, except in the event of an emergency or an audit requested by a judicial or regulatory authority that does not allow such notice to be respected.

 

The Service Provider shall notify the Client in writing of the audit request within the time period specified above, specifying the nature and scope of the audit and the identity of all persons (including third party auditors) to whom the Service Provider wishes to entrust the audit. The scope of the audit must be relevant, and may only concern the services provided by the Client to the Service Provider in execution of this Agreement.

 

In the event of an on-site visit, an employee of the Client must be available to answer the Service Provider’s questions on the organization and security measures implemented. The third party auditor acting on behalf of the Service Provider may sign, upon request of the Client, a confidentiality agreement prior to his mission. The Parties shall mutually agree on the planning of the audit, the auditor undertaking to cause minimum disruption to the performance of the Services.

 

The Parties acknowledge that in the context of the audit, they are bound by an obligation of confidentiality. The Service Provider guarantees that the auditor will respect this obligation.

 

The Service Provider shall provide a copy of the audit report to the Client as soon as it is finalized, so that the Client may provide the Service Provider with any comments on the report. In the event that the audit report reveals shortcomings in compliance with the obligations of this Agreement, the Parties shall meet as soon as possible to draw up an action plan in which they shall determine the actions to be taken and shall classify them according to the degree of urgency of their implementation. The implementation of the action plan shall be borne by the Client. A monitoring system for this action plan will be put in place to verify that the Client is complying with its commitments.

If the audit does not reveal any shortcomings of the Client in the performance of its Services, the costs of the audit shall be borne exclusively by the Service Provider. However, in the event that the audit reveals serious deficiencies in the performance of the Services by the Client, the costs of the audit shall be borne exclusively by the Client.

In addition, the Client expressly agrees to allow the ACPR or any other equivalent foreign authority within the meaning of Articles L632-7, 632-12 and L632-13 of the Monetary and Financial Code (hereinafter “Foreign Authority”) to have access, including on site, to the information necessary for its mission and relating to the Services.

 

In order to have access to the Client’s site, the persons mandated by the ACPR, or any other Foreign Authority, must prove their identity and their affiliation with the ACPR or this Foreign Authority, and provide any document or mission letter establishing the legitimacy of their visit. The Client will then be released from its confidentiality obligations towards the ACPR or the said Foreign Authority, which the latter accepts.

 

Article 26.  General provisions

26.1. If one of the Parties does not request the execution of one of the provisions of the Contract, it is understood that its attitude shall not be interpreted as a waiver of the right to invoke it in the future.

 

26.2. In accordance with Article 1184 of the Civil Code, when the cause of nullity affects only one or more Articles of the Contract, it shall not entail nullity of the entire act unless such Article(s) constitutes a determining element of the commitment of the Parties or of one of them. Apart from the aforementioned case, the nullity or unenforceability of any one of the Articles of the Contract shall not entail the nullity of the other Articles, which shall retain their full force and scope.

 

Article 27. Applicable law and settlement of disputes

This Agreement is subject to French law.

The Parties agree to resolve amicably any dispute that may arise during the performance or interpretation of this Agreement. In the event of failure to reach an amicable agreement, the dispute shall fall under the exclusive jurisdiction of the Commercial Court of Paris, or of the International Chamber of the Paris Court of Appeal where the Client’s headquarters is located outside France. The proceedings shall be conducted in English.

 

Article 28. Prevalence

These GTC and its annexes form an indivisible whole. In case of contradiction between the GTC and the Purchase Order, the provisions of the Purchase Order shall prevail over those of the GTC.

The appendices are as follows:

  • 1. Processing of personal data
  • 2. AML/CFT protocol and compliance in a PSP/marketplace distribution system

 

Appendix 1. Processing of personal data

As part of their contractual relationship, the Parties undertake to comply with the applicable regulations regarding the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable from 25 May 2018 (hereinafter referred to as “the European Data Protection Regulation”) and Law No. 78-17 of 6 January 1978 on information technology, data files, and civil liberties, as amended and consolidated.

 

1. Conditions for the processing of personal data

The following distinctions should be made:

  • The service offered by the Client to end-users within the scope of their Solution;
  • The service integrated into this Solution, which is the subject of the Contract, provided by the Provider.

 

The Parties agree on the following roles:

(i) The Provider is the data controller for the processing carried out within the scope of the contract when:

  • 1- the service provided under the contract is the provision of a regulated payment service (BANK, PAY, CHECK);
  • 2- the service provided under the contract is the provision of a regulated payment service (BANK, PAY, CHECK) AND an unregulated service (WEALTH, TRUST, ADVISORY).

In this case, the Provider is the data controller for the processing of data collected, transmitted, aggregated, categorized, stored, and anonymized under the Contract.

The Service Provider undertakes to process the Personal Data provided by the Client, as well as any data collected or generated during the execution of the Agreement, in strict compliance with this appendix and the purposes stated in Article 2, in accordance with the End User Privacy Policy.

(ii) The Client is the data controller and the Provider acts as a data processor for the processing carried out within the scope of the contract when the exclusive service provided under the contract is an unregulated service (WEALTH, TRUST, ADVISORY).

In the context of providing the Services, which may involve the Provider processing Personal Data on behalf of the Client, the Provider undertakes to:

  • Respect and implement the provisions of the GDPR;
  • Process Personal Data only for the purpose(s) specified in the relevant Service indicated in Article 2 of this Appendix;
  • Process Personal Data in accordance with the Client’s documented instructions.

 

2. Personal Data Processing Operations

Processing: Collection, extraction, consultation, aggregation, categorization, transmission, storage, anonymization, deletion.

Main Purposes: Provision of the service under the contract and provision of related user support.

Subsequent Purposes: The Provider reserves the right to use the data for subsequent purposes, including:

  • Ensuring compliance with legal obligations;
  • Ensuring the correction, maintenance, improvement or development of its services;
  • Creating anonymous datasets from historical and future collected data that can be transferred to business partners;*
  • Conducting statistical analysis of commercial or Service usage data that can be transferred to business partners.*

*Subsequent processing activities identified with an asterisk may not be implemented as part of the performance of the service object of the Agreement.

Data Subjects: End-users

Data Types: Personal identification, documents, Open API: banking identifiers, aggregated account balances and transactions, other personal information available in the API of the account management payment service provider, Direct Access: all information available on the account management payment service provider’s website.

 

3. Obligations and responsibilities of the Parties

The Parties undertake to comply with the obligations set forth in the Personal Data Regulations in all Personal Data Processing operations carried out under the Contract.

 

3.1 Client’s obligations

The Client undertakes to ensure compliance with the Personal Data Regulations, in particular on the following points:

  • Management of requests to exercise the rights of Data Subjects when required to do so under the GDPR;
  • Compliance with the right to audit: The Client reserves the right to carry out or have carried out any audit that it deems useful to ascertain the Service Provider’s compliance with its obligations to respect data protection under the Contract.

 

3.2 Obligations of the Service Provider

The Service Provider undertakes to ensure compliance with the Personal Data Regulations, in particular on the following points:

Lawfulness of Processing: The Service Provider undertakes to take into account, with respect to its tools, products, applications or services, the principles of Data Protection by Design and Data Protection by Default. The Service Provider also undertakes to notify the Client of any modification or change in the Services that may impact the Processing of Personal Data.

Accuracy, integrity and security of Personal Data: The Service Provider is solely responsible for the accuracy, quality and security of the Personal Data it collects and transmits to the Client under the Agreement, within the limits of the proper use of the services by the Person Concerned, and the inherent modifications to the websites and PSD2 APIs of the online banks.

Subcontracting: The performance of the Contract may not be entrusted by the Service Provider to any other Subcontractor without prior notice to the Client.

The Service Provider undertakes to use only Subcontractors with sufficient guarantees to ensure the implementation of the technical and organizational measures intended to ensure the security and confidentiality provided for in the Agreement.

As of the effective date of the Agreement, the Service Provider entrusts operations to the following authorized Subcontractors:

 

Processing | Subcontractor | Location
Data hosting (production) | Sewan/AWS | France
Data hosting (backups) | OVH | France
Data encryption | Gemalto (Thales group) | France
Data categorization* | Unnax | Spain
Data categorization* | CRIF | Italy

*Subsequent processing activities identified with an asterisk may not be implemented as part of the performance of the service object of the Agreement.

 

Destruction upon completion of the Service: Upon completion of the Agreement or in the event of early termination of the Agreement for any reason, the Service Provider shall destroy any manual files or copies of the Personal Data held in its computer systems upon completion of the Agreement.

In the event that the law of the Union or the law of a Member State requires the retention of Personal Data, the Service Provider will inform the Client of this obligation.

Supervision of transfers of Personal Data: The Service Provider ensures that no Personal Data is transferred outside the European Economic Area (EEA) by him, his own Subcontractors, or persons acting under his authority or on his behalf, and this, whatever the nature of the Transfer (hosting, backup, maintenance, administration, helpdesk …).

 

3.3. Data Breach Notification:

The Parties’ security contacts, available if needed to handle any Data Breach, can be reached using the following contact details:

 

Powens:

 

The Client:

  • registered on the Purchase Order

 

Each Party undertakes to notify the other of any Data Breach that has direct or indirect consequences on the Processing, as well as any complaint that may be addressed to it by any Person Concerned by the Processing carried out under the Contract. Such notification shall be made as soon as possible and no later than twenty-four (24) hours after the discovery of the Data Breach or following the receipt of a complaint.

The affected Party shall specify the nature and consequences of the Data Breach, the steps already taken or proposed to be taken to remedy the Data Breach, and the persons from whom additional information may be obtained, and where possible, an estimate of the number of persons likely to be affected by the Data Breach.

In the event of a Personal Data Breach, the Party undertakes to carry out all necessary investigations into the breach in order to remedy the breach as soon as possible and to reduce the impact of such breach on the Data Subjects.

The Parties agree not to inform third parties, including Data Subjects, of any Data Breach without the prior written consent of the other Party, except as provided by the Personal Data Regulations.

 

Appendix 2. AML/CFT Protocol and Compliance in a PSP/marketplace Distribution System

Within the framework of the Agreement, the Service Provider remains fully and completely responsible for its obligations under the Anti-Money Laundering and Combating the Financing of Terrorism (AML-CFT). To do so, the Client agrees to comply with the present protocol, or any subsequent version duly transmitted by the Service Provider to the Client.

This appendix is intended to apply when the Client uses the Pay product in a PSP/marketplace distribution system.

 

1. Service Provider’s Product Pay Proposal

In order to maintain an acceptable level of risk for the Service Provider, the Client will not offer the services of the Service Provider within the framework of this distribution system as a PSP or marketplace to the following types of clients:

  • whose activity is fraudulent and/or illegal;
  • or part of the “restricted activities”, that is to say any activity:
    • that could be perceived as harmful, false, misleading, illegal, obscene, defamatory, libelous, threatening, pornographic, harassing or hateful;
    • encouraging discrimination on the basis of race, gender, religion, nationality, disability, sexual orientation or age;
    • advocating violence, illegal drugs or any other illegal activity;
    • infringing any third party intellectual property or other intellectual property rights under any jurisdiction;
    • involving advice on games, betting, raffles or any form of lottery;
    • promoting pyramid or Ponzi schemes, matrix programs, other “get rich quick” schemes or certain multi-level marketing programs, including collecting payments for such schemes;
    • intended to obscure the payment chain without objective and utilitarian justification;
    • that may cause nuisance, or attempted nuisance, even minor;
    • regarding online dating or marriage services, adult entertainment activities or escort services;
    • related to the creation, promotion, sale or distribution of marijuana and its derivatives, or its consumable accessories;
    • marketplaces, i.e. a website on which independent sellers, professionals or individuals, have the possibility to sell their products or services online;
    • where the client is to make a second distribution of the Service Provider’s Pay Product;
    • where the Service Provider could reasonably believe that there is misuse of the Service Provider’s system or service.

 

whose geographical criterion corresponds to one of the following cases:

  • Any Client whose head office is located outside France
  • Any client whose activity is located outside the EEA or equivalent third country, or which ostensibly results in a direct or indirect outflow of funds from the EEA.

 

whose counterparty payments correspond to:

  • elements that require the license or permission of a third party, including a public authority, unless the Client holds such a license;
  • illegal drugs or illegal paraphernalia for their use;
  • betting advice or unregulated financial advice;
  • betting and related services;
  • any service or item that stores value in the form of cash or cash-like value, including electronic wallets, prepaid cards (including prepaid phone cards), or any other form of stored value, whether or not that value can subsequently be exchanged for cash;
  • crypto activities, including, but not limited to, crypto wallets and cryptocurrencies;
  • currency conversion services;
  • money transfer services;
  • counterfeit products;
  • media activity such as the provision of “likes” or “followers” on Twitter, Facebook, “views” on YouTube, or any comparable items in connection with any social network; or
  • involves the use, supply or promotion of guns, firearms, ammunition, weapons or other similar items.

 

whose temporality of service provision is as follows:

  • Merchant offering “pay as you go”: in the physical presence of the parties to the transaction, a situation in which payment would result in the concurrent delivery of tangible property

And in a general way, any Client who would seem to him to present a risk of fraud, money laundering or financing of terrorism.

The Service Provider reserves the right to reduce, amend or expand this list, subject to notification of such changes within a reasonable time.

 

2. Client Information

2.1. Collection of information

The Client agrees to collect the following information about the clients to whom it offers the Service Provider’s Pay Product services:

  • Company name
  • Siren of the company
  • Address of the company’s head office
  • Name and surname of the company’s director
  • APE/NAF code of the company
  • Brief description of the company’s activity
  • Contact email address within the company
  • Date of subscription to the Service Provider’s services
  • Company’s website address (if existing and available)
  • Name, first name, date and place of birth of the company’s beneficial owners (optional)

The Service Provider may amend this information at a later date, and will notify the Client accordingly.

 

2.2. Transmission of information to the Service Provider

The Client will transmit this information either:

  • monthly via a table provided by the Service Provider and sent to aml@powens.com;
  • automatically in a situation where the information systems of the Service Provider and the Client are linked for this purpose;
  • by any other means expressly agreed by the Parties.

 

2.3 Verification of information

The Service Provider shall be responsible for verifying the information provided at the time of the commencement of the business relationship. If necessary, the Service Provider will collect all supporting documents from the beneficiary client, only resorting to the Client if the contact point provided by the latter proves ineffective.

 

3. Client Information

The Client undertakes to comply with the obligations to provide information to end users in accordance with the Order of July 29, 2009 relating to relations between payment service providers and their Clients with regard to information obligations for payment service users and specifying the main stipulations that must be included in deposit account agreements and framework contracts for payment services.

In other words, the Client undertakes to provide the End User with a unique transaction number linked to the Service Provider’s service, to inform the End User of the status of the transaction and, if applicable, of any additional costs associated with the payment service transaction.

When a claim of dissatisfaction (“Claim” hereinafter) on the area of security, or dissatisfaction with the payment initiation service, legitimate or otherwise, by an End User or merchant linked to the Service Provider’s service is escalated to the Client, the Client agrees to acknowledge or respond within 10 business days and forward the Claim to the Service Provider’s compliance department (compliance@powens.com). When the complaint concerns another domain, the Client will be the preferred point of contact for the User or the linked merchant.

 

4. Audit

The Parties agree that the Service Provider will monitor the above client list provided to the Service Provider:

  • at the beginning of the business relationship with the targeted Clients
  • periodically according to the level of risk of the client assessed by the Service Provider

The Client agrees in advance to cease offering the Service Provider’s services to the client(s) designated by the Service Provider, subject to written instructions documented by the Service Provider, in a situation where said client(s) would present a significant threat of fraud, illegal activity, money laundering or financing of terrorism, as well as any violation of the exclusion list defined within this protocol.

The Client hereby undertakes:

  • to include a clause in its contract for the distribution of the Pay Product between itself and this Client allowing for such temporary termination or deactivation of the Service Provider’s services, on the grounds of suspected illegal activity;
  • not to invoke the exact reason revealed by the Service Provider to the client.

 

5. Collaboration in case of suspicious activity

5.1. Principles of AML/CFT monitoring and control

The Service Provider will remain fully responsible for the monitoring and control of the payment activity carried out via its services under its AML/CFT obligations, as well as any obligations arising therefrom. However, the Client undertakes to assist the Service Provider in its mission.

In case of doubt about the identity of a Client, the Client agrees to transmit to the Service Provider the supporting documents that he could have collected, as well as additional information that could be requested by the Service Provider and that would be in possession of the Client.

5.2. Upgrading a User to a higher level of vigilance

In case of suspicion about the End User of the Service Provider, the Client is informed that the Service Provider may implement enhanced vigilance measures, materializing by a verification of the identity of this person, as well as, if the situation justifies it, contacting and requesting additional information on the operation(s) carried out directly with the End User or with the Client.

The Client agrees not to disclose the Service Provider’s suspicion to the End User.

The Client shall not be entitled to claim against the Service Provider, including but not limited to, denial of service or loss of revenue, as a result of such action or the Service Provider’s decision to terminate the business relationship with such End User.

This change to a higher level of vigilance will be made according to the risk analysis carried out by the Service Provider, and renewed periodically.

The verification of the User’s identity may be carried out before or after the transaction in question depending on the combination of one or more criteria specific to each type of Client (unit amount, cumulative amount, number of unit transactions, etc.) or at the discretion of the Service Provider.

 

6. Training

Agents have an obligation to train under anti-money laundering and anti-terrorist financing (AML/CFT) requirements. They can fulfill this obligation in two ways:

  • Sending a training certificate to the Service Provider at least once every two years;
  • Completing the training module proposed by the Service Provider at least once every two years, or in the event of legislative changes that justify, in the opinion of the Service Provider, an update.

 

7. Entry point

For any exchange under the LCB-FT, the Parties’ correspondents are the following; they are in charge of transmitting the information in question to, or requesting it from, the qualified parties within their organization:

 

8. Amendment of this Protocol

The Client acknowledges that changes in the applicable regulations may result in a necessary variation of this Agreement. In the event of such a change, the Service Provider shall amend this Agreement and/or notify the Client within a reasonable period of time in order to implement the appropriate adjustments. In all cases, the parties agree to meet at least every six months to review the compliance elements presented in this protocol, or added to it, in order to make any necessary and/or desirable changes.