Important Notice: Please read these terms carefully before continuing

These Terms of Service (the “ToS”) govern your use of the Io.flow application programming interface (the “API”), developed, maintained and provided by Io.FinNet Group, Inc, a Delaware corporation, whose registered address is 4208 Six Forks Rd, 10th Floor, Raleigh, NC, 27609, United States of America (“Io.finnet”).

Last update – 4 August 2023


References to “we”, “us” or “our” mean Io.finnet; references to “you” and “your” mean you as a user (a “User”) of the API or, where you are using the API on behalf of an entity, said entity; references to a “Party” or “Parties” mean you and us, individually or collectively.


1.1. Capacity – Age of Consent
You represent to us that you are above eighteen (18) years old and lawfully able to enter into these ToS and any adjacent contract and that, if you are entering into this agreement for a legal entity, you have the legal authority to bind that entity or the authorization from said legal entity to use the API.

1.2. Acceptance
You acknowledge that you will only access and use the API after having had the opportunity to read the ToS and its schedules and having in fact done so, that your use and continued use of the API constitute acceptance of the ToS, and that you agree to be bound by these ToS and its schedules for as long as you maintain access to the API.

You also agree to be bound by other legal and regulatory documents, including but not limited to the User Guide, FAQs, and API documentation (the “Documentation”), and represent that you have read and accept our Privacy Policy and that you accept the collection, use, disclosure and other handling of information as described within it.

Where you use the API as an interface to, or in conjunction with other Io.finnet products or services, the terms for those other products or services also apply.
In case of non-compliance by you with the provisions of the ToS and/or other documents, Io.finnet reserves the right to limit or suspend access to the API.

1.3. Modifications
You acknowledge and accept that these ToS may be amended by Io.finnet at any time.

Any substantial amendment will be notified to you and, as much as possible, will be given effect after a reasonable period of time, however, where amendments are addressing an urgent issue or are made for legal reasons they will be effective immediately upon publication of the updated ToS on our website.

Your continued use of the API following such updates will constitute acceptance of such changes and if you do not agree with any such amendments, your sole and exclusive remedy is the termination of the use of the API and termination of your access to it.

In the event of a conflict between the provisions of the ToS and its amendments, the amendments always prevail.

You also acknowledge that Io.finnet is free to modify the capabilities of the API or to stop providing them at any moment and you agree to hold Io.finnet harmless in such a case.

2.1. Description of the API
For more information about the functionalities of the API and the use of the API, please refer to the API documentation, the User Guide as well as FAQ.

2.2. Registration
In order to access the API, you must first be onboarded at a financial institution approved by Io.finnet and already integrated with the API and possess at least one account with said financial institution and be onboarded at Io.finnet.

As regards onboarding at Io.finnet, you will be required to provide certain information as detailed in section 2 of the User Guide.
Once onboarded at the financial institution with an account and at Io.finnet, you will be provided with the API keys from Io.finnet.

3.1. License
Subject to the ToS, Io.finnet grants you a limited, non-exclusive, non-transferable, revocable license to use the API worldwide for the purpose of facilitating your and your customers’ pay-ins and payouts.

3.2. Limitations on the license – API prohibitions
Io.finnet reserves all rights attached to the API which are not expressly granted herein. The rights granted to you are subject to the following restrictions and you shall not:

a) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas or algorithms of any component of the API or any other data related to the API;

b) modify, translate, or create derivative works based on the API or any other data related to the API;

c) copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber any rights to the API;

d) use the API in any manner that could damage, disable, overburden, impair or otherwise interfere with Io.finnet’s provision of the API or the normal operation of the API;

e) access the API for the purposes of monitoring availability, performance or functionality, or for any other benchmarking purposes, in any manner which materially interferes with the operation or performance of the API;

f) create Internet “links” to the API or “frame” or “mirror” any content provided in the API on any other server, wireless or Internet-based device;

g) attempt to obscure, mask or otherwise conceal any branding of, or relating to, the API in any way, including wrapping, enclosing or otherwise packaging the API inside another business application, system or process; and

h) use or access the API to build or support and/or assist a third party in building or supporting other products or services.

3.3. Compliance with Law, Third Party Rights and Terms of Service
3.3.1 You will, concerning the use of the API and the services provided to your clients through the API, and, in cases where your end-users will use the API, you will require your end users to, comply with applicable law, regulation, third party rights (including without limitation laws regarding import or export of data or software, data protection laws and local laws) and these ToS (and will not knowingly enable your end user to violate these).

3.3.2 You will not use the API to encourage or promote illegal activity or the violation of third party rights.

3.3.3 You will notify Io.finnet if the information and documents that you provided in requesting access to the API are modified and will abide by requests for additional information that may be communicated to you by Io.finnet, at its sole discretion, to evaluate your continued eligibility to the API.

3.4. Permitted Access
You will only access (or attempt to access) the API by the means described in the User Guide. You must use your credentials and will not misrepresent or mask your identity when using the API.

3.5. Limitations
You acknowledge that Io.finnet has the sole discretion to enforce limits on your use of the API (for example, number of API requests you may make, number of users you may have). You agree that you will respect and not attempt to circumvent such limitations and that you shall seek Io.finnet’s consent should you wish to use the API past these limits.

3.6. Open Source Software
Our API requires or includes some open-source components. These open-source components are licensed under the terms set forth in their applicable licenses, which constitute agreements separate from these ToS. Where an open-source software license expressly supersedes the ToS, that license will prevail.

4.1. You acknowledge that you are responsible for maintaining the confidentiality and security of your API key(s) and for all activities that occur under your API key(s) and it is your responsibility to discourage other API users from using your credentials. You acknowledge that you are solely responsible and will hold us harmless for any activities using your API credentials and that you shall take all necessary measures to safeguard your account information and prevent unauthorised access to your account.

4.2. Our communications to you and our API may contain Io.finnet confidential information, to be understood as information designated by Io.finnet as confidential or ought to be considered as confidential from its nature or from the circumstances surrounding its disclosure, including without limitation all regulatory, commercial, financial, administrative, intellectual property and technological information and any information concerning this Agreement but does not include information which is known to you before receiving it, is disclosed to you in good faith by a third party who had a right to make such a disclosure or is made public by us or is established to be part of the public domain otherwise than as a consequence of a breach from you.

4.3. You agree that confidential information shall be used by you only for the purposes of this Agreement and that you will not disclose this information to third parties without our written consent or a court order. You also represent that you will treat this confidential information with the same degree of security and care as your own and that you have an obligation to prevent this information from being misappropriated or wrongfully communicated.

All intellectual property rights associated with the API, including but not limited to copyrights, trademarks, and patents, are and shall remain the exclusive property of Io.finnet.

6.1. You, your end users and your clients remain the owners of the data and personal data that they communicate via the API pursuant to these ToS. Notwithstanding the foregoing, Io.finnet shall have the right to use these data for statistical purposes, to improve the API and to comply with regulations.

6.2. The conditions for the collection and processing of personal data, and the rights of the end users using the API are described in our Privacy Policy.

6.3 Io.finnet will treat your and your end users’ personal data as confidential and use its best efforts to protect it from unauthorised third-party access.

6.4 Io.finnet will comply with applicable data protection and privacy laws when accessing, collecting, processing, analysing and otherwise using your personal data, including the EU regulation 2016/679 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (“GDPR”).

6.5 In connection with the use of the API, Io.finnet may have access to personal data as defined by GDPR, and you agree to enter into the Data Protection Agreement in Schedule A.

6.6 You agree to handle any personal data obtained through the API in compliance with applicable privacy laws and regulations and to use commercially reasonable efforts to protect any data you may receive through the API, and to promptly report any unauthorised access to the extent required by law.


7.1. Term
The duration of these ToS will be from the date upon which you agree to these ToS and will continue until terminated as set forth below.

7.2. Termination
You may stop using the API at any time with or without notice. If you wish to terminate these ToS, you must provide us with 30 days’ prior written notice and, upon termination, cease using the API.

You acknowledge that Io.finnet reserves the right to terminate the ToS at any time with you or discontinue the API or its features or your access to specific features for any reason and at any time without liability and that you will hold Io.finnet harmless in these instances.

7.3 Post termination obligations
Upon any termination of these ToS or discontinuation of your access to the API, you will cease using the API, as all licenses granted under these ToS will terminate immediately, and, except when doing so would cause you to violate any law or obligation, you will delete all content (data or content from our services or accessed via the API) if (i) we terminate your use of the API for breach; or (ii) you terminate your use of the API.

7.4 Surviving Provisions
Upon termination of these ToS, the following provisions shall survive and continue to apply: Intellectual Property, Confidentiality, Indemnification, Dispute Resolution, Personal data protection & security, Liability.


8.1. Representations and warranties of both Parties
Each of the Parties represents and warrants to the other Party that it has the full right and authority to deliver and accept these ToS and to perform its obligations under these ToS, and that neither the acceptance nor delivery of these ToS by such Party, nor consummation of the transactions contemplated hereby, will result in a breach or default under the terms and conditions of any contract, order, license, charter document or other agreement by which such Party is bound.

Each of the Parties represents and warrants to the other Party that it is a corporation duly organised, validly existing and in good standing under the laws of the jurisdiction of its incorporation and has all requisite power and authority to own, lease and operate its properties and to carry on its business as it is now being conducted.

8.2. Representations and warranties of Io.finnet
Io.finnet hereby represents and warrants to you that, to its knowledge, Io.finnet is the owner of the API or otherwise has the right to grant to you the rights set forth in these ToS, including without limitation in respect of any third-party software, data and materials included in the API.

8.3. Representations and warranties of the User
You represent and warrant that:
  I) Where you make use of the API under the instructions of your clients, you have obtained explicit consent and authorization from your clients (including as relates the collection and transfer of their personal data) to use the API on their behalf and/or for their benefit, in strict accordance with their instructions.
  II) You shall not use the API to engage in illegal, fraudulent, abusive or harmful activities, including but not limited to unauthorised access, data scraping or spamming.
  III) You shall ensure that all information provided to us through the API or any associated platforms is accurate, complete, and up-to-date and where it evolves or is erroneous, that you shall promptly notify us.
  IV) Your use of the API does not infringe or violate any intellectual property rights, privacy rights, or other proprietary rights of any third party.
  V) You agree to indemnify and hold us harmless from any claims, damages, losses, liabilities and expenses arising out of or related to your use of the API, including any breach of these ToS.

9.1. Warranties Disclaimer

9.2. Limitations of liability


Additionally to any other limitation of liability contained in these ToS, we shall not be liable:

a) In case of breaches of security, which may cause damage to your personal data, unless there is proof that we are breaching one of our obligations;

b) Of the security of the personal data on the Internet and mobile networks;

c) Of the accuracy of the personal data and data that may have been provided by you;

d) In case of abnormal or illegal use of the API by you, for which you will be solely liable toward third parties;

e) For any damage arising out of your use of the API on non-compatible devices, jailbroken devices or devices infected with viruses or for your inability to use the API because of these.

f) For any damages, direct or indirect, material or immaterial, caused by your use of the API to us, other Users or any third party for which we decline any responsibility, in particular when the cause of the damage constitutes a breach of these ToS. You shall be solely liable for the damage detailed in this section.

9.3. Indemnification
Unless prohibited by applicable law, if you are a business, you will defend and indemnify us and our affiliates, directors, officers, employees and users against all liabilities, damages, losses, costs, fees (including legal fees), and expenses relating to any allegation or third-party claim as relates:

a) Your misuse or your end user’s misuse of the API;

b) Your violation or your end user’s violation of these ToS;

c) Any content or data routed into the API by you or used with the API by you, and those acting on your behalf or the behalf of your end-users.

To that effect, you acknowledge that you hold the entire and complete responsibility for your use of the API.

10.1.1 Assignments
These ToS are not assignable by either us or you without the prior consent of the other Party. These ToS are binding upon and shall inure to the benefit of the Parties hereto and their respective permitted assigns.

10.1.2 No automatic waivers
No failure on the part of any Party to these ToS to exercise, and no delay in exercising, any right, power or remedy, and no single or partial exercise of any right, power or remedy by any Party, shall preclude any other or further exercise of any other right, power or remedy.

10.1.3 Notices
You may contact Io.finnet through our help center or by writing an e-mail to customer@iofinnet.com for support-related matters, privacy@iofinnet.com for data rights matters, or legal@iofinnet.com for legal matters. Io.finnet will contact you through the e-mail address provided initially during your onboarding. Please be aware that it is your responsibility to inform Io.finnet of any changes to your personal details or communication channels.

10.1.4 Relationship of the Parties
Nothing in these Terms of Service is intended to create a partnership, joint venture, employment or legal relationship of any kind that would impose liability upon one party for the act or failure to act of the other party, or to authorise either party to act as agent of the other party. Neither you nor we shall have authority to make representations on behalf of, act in the name of or on behalf of, or otherwise bind the other.

10.1.5 Dispute Resolution
These ToS and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them or their subject matter or formation shall be governed by and construed in accordance with the laws of the State of Delaware (without regard to its conflict of laws provisions), and each party agrees to submit to the exclusive jurisdiction of the federal or state courts of Delaware (other than in respect of enforcement, in which case the Delaware courts shall have non-exclusive jurisdiction).

SCHEDULE A - Data Protection Agreement

For the purposes of this Data Protection Agreement, you will be referred to as “you”, “your” or the “Controller” and Io.finnet will be referred to as “we”, “us” or the “Processor”; hereinafter jointly also to be referred to as the “Parties” and each separately as a “Party”;

1. This Data Protection Agreement (“DPA”) is by and between you and Io.finnet and shall take effect as from your acceptance of the ToS and shall apply where, in the course of providing the services as described in the Appendix 1 under the ToS, we Process (as defined below) Personal Data (as defined below) on your behalf.

2. This DPA is incorporated and forms part of the ToS.

3. It has been agreed upon between the Parties that this DPA shall apply not only to the extent that GDPR applies to the Processing of Personal Data from EU data subjects but will also apply GDPR standards to the processing of any Personal Data.

It is agreed as follows:

1. Definitions

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Data Protection Laws” shall mean the GDPR, but also any Data Protection Law applicable to the Personal Data of a given Data Subject.

The terms “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Representative” and “Supervisory Authority” each as used in this DPA, have the meanings given in the GDPR, irrespective of whether the GDPR applies to that specific use or if another Data Protection Law is applicable.

2. Subject of this DPA

2.1. This DPA applies exclusively to the Processing of Personal Data within the framework of the ToS.

2.2. During the performance of the Agreement, the Processor will process personal data (“Personal Data”) on behalf of and on instructions from the Controller in the course of the performance of the ToS with the Controller. An overview of the categories of Personal Data, the purpose for which they are being processed and a description of the processing operation(s) are included in Appendix 1 to this DPA. The Controller shall be solely responsible for determining the purposes for which and the manner in which Personal Data are, or are to be, processed.

2.3. The ownership of the Personal Data that are being processed by the Processor shall remain with the Controller, unless the processing pertains to Personal Data of the Processor or its personnel.

3. Subject of this DPA

3.1. The Processor will act as the processor and the Controller will act as the controller.

3.2. The Processor warrants that it will only process the Personal Data on behalf of the Controller in a manner that is necessary for the performance of the ToS. Other processing operations will only be executed on written instructions of the Controller or if there is a statutory requirement to do so. The Processor shall never process the Personal Data concerning the Controller for any purposes of its own or that of others.

3.3. The Processor shall follow all reasonable instructions of the Controller in connection with the processing of the Personal Data in accordance with this DPA and the ToS. If the Processor is required to process the Personal Data as a result of Data Protection Laws, the Processor shall inform the Controller of that legal requirement before processing. The Processor shall immediately inform the Controller if in its opinion instructions are in conflict with the applicable law with regard to the processing of Personal Data or with the ToS between the Parties.

3.4. The Processor shall notify the Controller immediately and in writing when the Controller or a third party on behalf of the Controller provides, transfers or makes visible Personal Data which the Processor reasonably is not allowed to receive within the framework of the Agreement or any binding legal provision, with particular attention to special categories of data (as defined in Article 9(1) of the GDPR).

3.5. The Processor shall process the Personal Data demonstrably, in a proper and careful manner and in accordance with its obligations as a processor pursuant to the GDPR. The Processor shall also adhere to the stipulations that apply to the Controller pursuant to the appropriate national or local data protection laws.

3.6. The Processor will, at its own expense, implement and maintain appropriate technical and organisational measures to protect the Personal Data at all times against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or processing. The Processor shall be allowed to use such tools as it considers necessary to pursue those purposes.

3.7. The Processor shall, at its own expense, cooperate with the Controller to:
(i) Allow the data subjects access to their Personal Data after approval and by order of the Controller;
(ii) Delete or correct Personal Data or provide Personal Data to the data subjects in a transmittable format;
(iii) Process any data subject requests regarding, amongst others, objection against direct marketing, profiling for direct marketing or individual automated decision making;
(iv) Prove that Personal Data have been deleted or corrected if they are incorrect (or, in the event that the Controller does not agree that the Personal Data are incorrect, establish the fact that the data subject considers its Personal Data to be incorrect);
(v) Assist the Controller with any Data Protection Impact Assessment required by Article 35 of the GDPR that relates to the services provided by the Processor to the Controller and the Personal Data processed by the Processor on behalf of the Controller; and
(vi) Otherwise give the Controller the opportunity to meet its obligations under the GDPR or other applicable law in the field of personal data processing.

3.8. The Processor shall store and process the Personal Data concerning the Controller strictly separately from the Personal Data it processed for itself and on behalf of third parties.

4. Data transfers and Cross Border Data Transfers

4.1. Appendix 1 provides a list of transfers (and cross border transfers) for which the Controller grants its consent upon the conclusion of this DPA. The Controller shall at all times have the right to attach additional conditions to its consent to such Processing. The Controller is responsible for instructing the Processor on the list of countries to which it refuses that Personal Data be transferred.

4.2. The Parties acknowledge that some Data Protection Laws may require that additional measures be taken (notably a binding agreement entered into between Controller and Processor incorporating the EU standard clauses) to secure transfers of Personal Data outside the country or region they originate from. To that extent, the Parties have implemented these additional measures through a separate Personal Data transfer agreement in Appendix 2, the format of which they agree upon. The Processor agrees to accept any modification to such standard clauses which are necessary to comply with the laws applicable to such data transfer. Such binding agreement shall be without prejudice to the rights of the Controller under this DPA.

5. Confidentiality

5.1. The Processor will ensure that only personnel who may be required to assist in meeting its obligations under the Agreement or this DPA will have access to Personal Data and that such personnel have signed appropriate contractual confidentiality, data protection and data security obligations which are at least as restrictive as this DPA and that they will comply with such obligations. The Processor shall provide the Controller with copies of these agreements upon request. The Processor shall not be permitted to show, provide or otherwise make available the Personal Data to any third party, unless this is necessary or permitted pursuant to the Agreement as mentioned in Article 2 and included under Appendix 1, or in the event that explicit prior written consent has been obtained from the Controller to do so.

5.2. The Parties shall treat all information the Processor has to provide to the Controller by virtue of Article 6 and Article 7 of this DPA as strictly confidential.

6. Security & Verification of Personal Data

6.1. Without prejudice to any other security standards agreed upon elsewhere by the Parties, the Processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including as appropriate, the measures referred to in Article 32(1) of the GDPR. These measures include, in any case:
    i) Measures ensuring that Personal Data will only be accessed by authorised personnel needing to access it for purposes outlined in Appendix 1;
    ii) Measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorised or unlawful storage, processing, access or disclosure;
    iii) Measures to identify vulnerabilities with regard to the processing of the Personal Data in the systems used to provide services to the Controller;
    iv) Measures agreed upon by the Parties in the DPA.

6.2. The Processor shall at all times have in place an appropriate, written security policy with respect to the processing of Personal Data, outlining in any case the measures as set forth in Article 4.1. At the request of the Controller, the Processor shall provide a copy of such security policy, shall demonstrate the measures it has taken pursuant to this Article 6 and shall amend its security policy in accordance with the Controller’s further written instructions.

6.3. The Controller has the right to audit and test compliance with the measures mentioned above under articles 6.1 and 6.2. Such an audit will be performed by an independent third party. At the request of the Controller, the Processor shall in any case give the Controller the opportunity to do this once a year at a time to be decided by the Parties in mutual consultation or, if the Controller deems this necessary as a result of (suspected) data or privacy incidents. The Processor shall duly comply with any instructions given by the Controller as a result of such monitoring to amend the security policy.

6.4. The Processor shall provide such reasonable cooperation and assistance to the Controller as the Controller may reasonably require to allow the Controller to comply with its obligations under the Data Protection Laws, as applicable, including in relation to data security, data breach notification, data protection impact assessments, prior consultation with supervisory authorities, the fulfilment of data subjects’ rights, and any enquiry, notice or investigation by a supervisory authority. It is specified that this cooperation will extend to the inspection mentioned under Article 6.3.

6.5. The Controller will bear the costs of the audit, unless the Processor does not comply with the DPA, in which case the Processor will bear the cost of the audit.

6.6. Both Parties understand that security requirements are evolving and that efficient security requires a regular and renewed assessment and improvements of outdated security measures and/or processes. The Processor will constantly evaluate the measures as they are implemented and will aim to supplement and improve these measures in order to keep meeting its security obligations.

6.7. The Controller has the right to instruct the Processor to take additional security measures. Where an amendment to the ToS is necessary to execute such an instruction, the Parties shall negotiate an amendment to the ToS in good faith.

7. Monitoring, Information Obligations and Incident Management

7.1. The Processor shall actively monitor for any breaches of the security measures and shall report the results of the monitoring to the Controller in accordance with this Article 7 within the terms set by law.

7.2. As soon as any incident with regard to the processing of the Personal Data occurs, has occurred or could occur relating to security measures, the Processor is obliged to at all times notify the Controller immediately (and in any event within 24 hours) and to provide all relevant information about the nature of the incident, the risk that data have been or may be processed unlawfully and the measures that are or will be taken to resolve the incident or limit the consequences/damage as much as possible. The Processor will also specify a point of contact that the Controller can contact about the incident. The Processor will take all reasonable steps to mitigate the effects and to minimise any damage resulting from the incident.

7.3. The Processor will cooperate with the Controller at all times and will promptly follow the instructions of the Controller, in order to enable the Controller to conduct a thorough investigation into the incident, to formulate a correct response and to take suitable further steps in respect of the incident.

7.4. The term “incident” shall be understood to mean in any case:
    a) a complaint or a request (for information) of a natural person with regard to the processing of the Personal Data by the Processor;
    b) an investigation into or seizure of the Personal Data by government officials, or any indication that this is about to take place;
    c) any unauthorised or accidental access, processing, erasure, loss or any form of unlawful processing of the Personal Data;
    d) any breach of the security and/or confidentiality as set out in Article 32 GDPR or Articles 5 and 6 of this Data Processor Agreement, leading to the loss or any form of unlawful processing, including accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.

7.5. In case of an incident as meant in Article 7.4(d), the Processor shall notify the Data Controller within 24 hours after discovery of the incident through a notification including the following information:
    i. The nature of the incident;
    ii. The date and time upon which the incident took place and was discovered;
    iii. The (number of) data subjects affected by the incident;
    iv. Which categories of Personal Data were involved with the incident; and
    v. Whether and, if so, which security measures – such as encryption – were taken to render the Personal Data incomprehensible or inaccessible to anyone without the authorization to access these data.

The Data Controller alone may notify any public authority.

7.6. The Processor shall at all times have in place written procedures enabling it to provide an immediate response to the Controller about an incident, and to cooperate effectively with the Controller in addressing the incident, and shall provide the Controller with a copy of such procedures at the request of the Controller.

7.7. All notifications made pursuant to this Article 7 shall be addressed to the contact information of the Controller provided upon entering into the ToS and this DPA or, if relevant, to another employee of the Controller designated by the Controller in writing during the term of this DPA.

7.8. If this is necessary under applicable law, the Controller shall inform the data subjects, supervisory authorities and other third parties of the incidents. The Processor shall not be allowed to provide information about incidents to data subjects or other third parties, except where the Processor has a legal obligation to do so.

8. Use of Subcontractors

8.1. The Processor shall not subcontract any of its activities as described in the ToS to any third party (sub-processor) without the prior written consent of the Controller.

8.2. The Processor shall impose on any sub-processor engaged by it the same or stricter obligations than those that follow from this DPA or applicable law. The Processor shall monitor compliance thereof by the sub-processor.

8.3. Notwithstanding the consent of the Controller for engaging a third party, the Processor shall remain fully liable towards the Controller for the consequences of subcontracting the activities to a sub-processor. The consent of the Controller for subcontracting activities to a sub-processor shall not affect the requirement of consent in accordance with Article 4.1 of this DPA for the deployment of sub-processors in a country outside the European Economic Area without an adequate level of protection.

9. Liability and indemnity

9.1. The Processor agrees to indemnify the Controller against all third-party complaints, charges, claims, damages, losses, costs, liabilities, and expenses due to, arising out of, or relating in any way to the Processor’s breach of this DPA or failure to meet its obligations thereunder and/or any violation by the Processor of applicable laws in the field of personal data processing in connection with Appendix 1 mentioned in Article 2, including, in any case, the GDPR.

9.2. The Controller will promptly notify the Processor in writing of any indemnification claim, but any failure to notify the Processor will not relieve the Processor from any indemnity liability or obligation it may have, except to the extent the Processor is materially prejudiced by that failure. The Controller will reasonably cooperate with the Processor, at the Processor’s expense, in connection with the defense, compromise or settlement of any indemnification claim. The Processor will not compromise or settle any claim in any manner, nor make any admission of liability, without the Controller’s prior written consent, which the Controller may provide in its sole discretion. The Controller may participate (at its own cost) in the defense, compromise, and settlement of the claim with counsel of its choosing.

10. Retention Periods, Returns and Destruction of Personal Data

10.1. The Processor shall not retain the Personal Data any longer than is strictly necessary and in any case not longer than until the end of this DPA or, if a retention period has been agreed between the Parties, not longer than this period, save for cases where applicable law mandates that the data be retained for a longer period.

10.2. Either (i) upon termination of this DPA or, if applicable, at the end of the retention periods agreed or mandated by applicable law, or (ii) if not subject to a mandated retention period, at the written request of the Controller, the Processor shall either immediately destroy the Personal Data or return them to the Controller, at the discretion of the Controller. At the request of the Controller, the Processor shall provide evidence of the fact that the data have been destroyed or removed. If return, destruction or removal is not possible, the Processor shall immediately notify the Controller thereof. In that case the Processor guarantees that it shall treat the Personal Data confidentially and shall no longer process them.

10.3. Upon the end of the DPA, the Processor shall inform all third parties involved in the processing of the Personal Data of the termination of the DPA and shall guarantee that all third parties involved will destroy the Personal Data or assign them to the Controller, at the discretion of the Controller.

10.4. If due to technical limitations a full deletion or destruction of the Personal Data is not deemed possible, the Processor shall take all necessary measures to (i) achieve the closest possible approximation of a full and permanent deletion and/or destruction and (ii) anonymise the remaining Personal Data and render them unavailable for further processing. The Processor shall inform the Controller in writing of such occurrence.

11. Records

The Processor will maintain an accurate, up-to-date written log of all processing of Personal Data performed on the Controller’s behalf. The written log shall include the following information:
    i. the categories of recipients to whom the Personal Data have been or will be disclosed;
    ii. to the extent that Personal Data is transferred to a third party outside of the European Economic Area, a list of such transfers (including the name of the relevant non-European Economic Area country and organisation), and documentation of the suitable safeguards in place for such transfers; and
    iii. a general description of the technical and organisational security measures referred to in this DPA.

The Processor will provide the Controller with a copy of such log upon the Controller’s request.

12. Miscellaneous

This DPA will terminate automatically upon termination of the ToS, which shall however not discharge the Processor from its obligations that are to survive the termination or expiration of the DPA, including the obligations detailed in Articles 5, 6, 9 and 10 of this DPA.

Entire Agreement – Conflict with ToS
This DPA supersedes and cancels any previous data processing agreement between you and Io.finnet relating to the subject matter of this ToS and DPA, but it merely supplements, and does not supersede or cancel, the ToS, which remains in full force and effect according to its terms. In the event of a conflict between the terms of the ToS and this DPA, the terms of this DPA will apply.

Governing law and Venue
This DPA shall be governed by the same law as the ToS, and any disputes arising out of or in connection with this DPA shall exclusively be submitted to the same competent courts as any disputes arising out of or in connection with the ToS.


Relevant information pertaining to the Personal Data, the processing purposes and description of the processing activity/activities, security measures and data transfers

1. Purpose and description of Processing


- To set up, configure and manage User accounts;
- To provide Users with the features and functionalities of the API (here: transferring the data from the User and its client(s) necessary to perform a transaction for a financial institution (EMI, PSP, E-money institution));
- To send Users administrative notifications (if Users enable them) related to the function of the Software Products;

- To manage the feedback, complaints and issues from Users;
- To transfer a data privacy request to the privacy team;
- To improve the quality and speed of customer care provided by Io.finnet to its Users;

- To process payments when clients subscribe to the Software Products;
- To fulfill Io.finnet’s accounting and legal obligations;

- To improve the Software Products and develop new features;
- To send surveys to Users to gather feedback on their experience and optimize the Software Products;
- For statistical purposes in order to optimize the Software Products (such statistics are based on User data with the aim to generate general results);

- To ensure the security, confidentiality, integrity and availability of the Software Products and prevent fraud;

- To maintain a good business relationship with clients by organising contests, loyalty programs and sponsorship, and granting discounts to clients.

2. Categories of Personal Data being processed

Within the framework of this Addendum, the Processor shall solely process the following categories of Personal Data:

Account data
- User Account credentials (user id, email);
- User banking details (physical address, SSI, payment method, transaction date and time, currency, amount);
- User settings (newsletter preferences, language, protocols, notification settings, country).

Transaction Data
- Underlying Client personal information (first and last name, physical address, SSI, payment method, transaction date and time, currency, amount).

Support ticket/inquiry data
- Details regarding support tickets/inquiries (date, time, subject and content of tickets);
- Content of exchanges with agents (emails, chat);
- Any other data that may be necessary to resolve tickets/inquiries.

Commission Report Data
- User Invoices and other administrative documents;
- User Payment details (SSI, payment method, transaction date and time, currency, amount paid);
- User Contact information (first name, last name, email, phone number);
- User Billing address (street, city, postal code, country);
- User Commission Report.

3. Categories of Data Subjects

- Customers of the Controller;
- Employees of the Processor;
- Employees of the Controller;
- Own customers of the Processor.

5. Retention

Personal Data shall be processed and stored in accordance with applicable laws.

6. Security Measures

Data Protection
- All databases and datasets are encrypted at rest and in transit;
- Regular backups are stored offsite and encrypted;

- Operational databases are deployed in private subnets, restricted from the internet and/or controlled with strict no-access security groups;
- Operational cloud resources are deployed in a virtual private cloud (VPC) with strict networking controls.

Access Controls
- Internal data access is controlled by strict IAM and/or QuickSight access groups;
- Provisioned access is reviewed quarterly.

Audit Logging
- CloudTrail is used to track access to cloud resources and sensitive data (when, where and how).

Incident Response Plan
- Formal processes and procedures outlining the steps we will take in the event of a data breach or other security incident have been implemented.

7. Subprocessors


8. Transfer of Personal Data

If applicable:
All transferred Personal Data shall meet the following conditions (details of who receives the data (name, address) and copies of documents providing the necessary guarantees, such as the EU model contract clauses in Appendix 2):

- transfer to a country within the European Economic Area (= EU + Iceland + Liechtenstein + Norway);
- transfer to a country providing adequate protection;
- transfer under EU Model Contract.

It being specified that, as is the Controller’s right, the Controller shall be kept informed of the cross-border transfers implicated in its use of the API and may, at any time, withdraw consent to these transfers.


Data Transfer Agreement | Standard contractual clauses for the transfer of personal data from the European Community to third party countries


For the purposes of the clauses:
a) “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);

b) “the data exporter” shall mean the controller who transfers the personal data;

c) “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;

d) “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.

I. Obligations of the data exporter

The data exporter warrants and undertakes that:
a) The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.

b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.

c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.

d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.

e) It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.

II. Obligations of the data importer

The data importer warrants and undertakes that:
a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.

c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

d) It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.

e) It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).

f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).

g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.

h) It will process the personal data, at its option, in accordance with:
i. the data protection laws of the country in which the data exporter is established, or

ii. the relevant provisions[1] of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data[2], or

iii. the data processing principles set forth in Annex A. Data importer to indicate which option it selects: Option 3; Initials of data importer: [°];

i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or

ii. the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or

iii. data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or

iv. with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

III. Liability and third party rights

a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.

b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data

[1] “Relevant provisions” means those provisions of any authorisation or decision except for the enforcement provisions of any authorisation or decision (which shall be governed by these clauses).
[2] However, the provisions of Annex A.5 concerning rights of access, rectification, deletion and objection must be applied when this option is chosen and take precedence over any comparable provisions of the Commission Decision selected.

IV. Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

V. Resolution of disputes with data subjects or the authority

a) In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

c) Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.

VI. Termination

a) In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.

b) In the event that:
i. the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
ii. compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
iii. the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
iv. a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
v. a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.

c) Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.

d) The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.

VII. Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

VIII. Description of the Transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.


Data processing principles

1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.

2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.

4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.

5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.

6. Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.

7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.

8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:

a) i. such decisions are made by the data importer in entering into or performing a contract with the data subject, and
   ii. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties.


b) where otherwise provided by the law of the data exporter.



Data subjects
The personal data transferred concern the following categories of data subjects: [to be completed]

Purposes of the transfer(s)
The transfer is made for the following purposes: [to be completed]

Categories of data
The personal data transferred concern the following categories of data: [to be completed]

The personal data transferred may be disclosed only to the following recipients or categories of recipients: [to be completed]

Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data: [to be completed]

Data protection registration information of data exporter (where applicable)
[to be completed]

Additional useful information (storage limits and other relevant information)
[to be completed]

Contact points for data protection enquiries
Data importer: [to be completed]
Data exporter: [to be completed]