Legal, Privacy, Security, and Regulatory

Here you’ll find the legal documents, security standards, and policies that are core to our service. You’ll also find information about how we comply with regulatory guidance.

Privacy Policy

Confirmation Privacy Statement

Effective on: August 30, 2019

This privacy policy applies to www.confirmation.com, and learn.confirmation.com (“Confirmation Website(s)”) owned and operated by Confirmation. This privacy policy describes how Confirmation collects, shares, secures and uses the personal information you provide on the Confirmation Website(s). It also describes the choices available to you regarding our use of your personal information and how you can access and update this information.

  1. What personal data and protected health information (PHI) Confirmation collects.
  2. What personal data third parties collect through the Website(s).
  3. What organization collects the information.
  4. How Confirmation uses the information.
  5. With whom Confirmation may share user information.
  6. What choices are available to users regarding collection, use, and distribution of the information.
  7. What types of security procedures are in place to protect the loss, misuse or alteration of the information under Confirmation’s control.
  8. How users can correct any inaccuracies in the information.

INFORMATION COLLECTION AND USE

Registration

In order to use the Confirmation website(s), a user must first complete the registration form. During registration, a user is required to give professional and personal contact information (such as name and email address). We use this information to validate our users and to, therefore, grant access to our service. We also ask our accounting customers to provide their CPA registration/credentialing information in order to validate his/her status to include employment verification.

Order

We request information from the user on our order form. A user must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). This information is used for billing purposes and to fill customer’s orders. If we have trouble processing an order, the information is used to contact the user.

Third party information is collected on the site (such as client information entered for the purpose of conducting confirmations of accounts) The following are the types of information that are requested for a client: contact information, client’s name, client contact name, client address, client contact’s email address. This information is used to validate the client users of the service. A welcome email is generated to the clients to notify them that they have been set up on the service by their accountant and to provide them notification of their initial security codes. These emails are only used for the primary purpose of providing the service of the site and are not used for any secondary purposes.

INFORMATION USE

Confirmation, through its online service production website(s), collects three types of information:

  1. General Personal Data
  2. Customer Financial Information
  3. Protected Health Information (PHI)

General Personal Data is used to validate the user, associate transactional confirmation activities including authorization, determine access permissions, and to facilitate communications from the site. The customer is free to modify this information at any time.

Customer Financial Information includes certain bank/company balance information that is stored in our database on a temporary basis, and credit card payment information provided by the customer at the time of the payment for the provision of services.

PHI may be stored on Confirmation’s HIPAA compliant system as a document attachment to a legal confirmation request when/if this information is deemed pertinent to the legal confirmation audit.

All Customer Financial information or legal confirmation attachments containing PHI residing within Confirmation’s secure processing controls will be maintained and stored according to our stated security and privacy policies. Confirmation takes no responsibility for Customer Financial Information once this data is no longer within Confirmation’s control (e.g., data downloaded by the user, or mailed confirmations). The Confirmation website(s) serve the function of an online provider of balance assurance services for its customers. This service is designed for use by accountants in their conducting of audit procedures as described by Generally Accepted Accounting Standards (GAAS).

We process General Personal Data only for so long as is necessary for the purpose(s) for which it was originally collected, after which it will be deleted or archived except to the extent that it is necessary for us to continue to comply with our legal obligations, resolve disputes, and enforce our agreements.

Profile

We store information specifically given to us by our users through the account set up process, and/or the account edit process. In addition, we store the IP address, browser type, Internet Service Provider (ISP) and access times. We do not store the information provided through the use of cookies. A profile has stored information that provides the company with information describing the end user of our service. All such collected information is used only for the conducting of the provision of our service.

Cookies and Other Tracking Technologies

We, Confirmation, and our analytics or service providers use cookies or similar technologies in analyzing trends, administering the site, tracking users’ movements around the site and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We use cookies to remember users’ settings (e.g. language preference), for authentication. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.

Online Advertising

We use Google AdWords, Google Analytics, Google Display Network, Adobe Analytics, and HubSpot to track user behavior and manage our advertising on other sites. Our third party partners may use technologies such as cookies to gather information about your activities on this site and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here. Please note this does not opt you out of being served ads. You will continue to receive generic ads.

Log Files

Like most standard website(s) servers, we use log files. This includes Internet Protocol (IP) addresses, browser type, and Internet Service Provider (ISP), referring/exit pages, operating system and access time. Confirmation and its production Website(s), use log files only to track errors in the system. Log file information is not tied to a user’s personal data.

INFORMATION COLLECTED FOR OUR CLIENTS

Confirmation collects information under the direction of its clients and has no direct relationship with the individuals whose personal data it processes. If you are a customer of one of our Clients and would no longer like to be contacted by one of our Clients that use our service, please contact the Client that you interact with directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Clients.

An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to the Confirmation’s Client (the data controller). If requested to remove data we will respond within 30 days. We will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Client. Confirmation will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

COMMUNICATIONS FROM THE SITE

Core Communications

These include email, mail, and call communications to facilitate the processing of audit confirmations, announce new enhancements to the service, aid in common user account administration functions, distribute information on upcoming site maintenance, and to provide notice of various updates to our terms of service or policies. These also include communications designed to educate and provide resources to both new and existing users on how to use the application, welcome emails, training sessions, and Responder Network updates.

Customer Support

We communicate with users on a regular basis to provide requested services, and in regard to issues relating to their account, we reply via email or phone in accordance with the user’s wishes.

Marketing Communications

We may from time to time send emails or mail to provide you with information regarding new product and service offerings, product and service notifications, and/or complementary resources.

Generally, you may not opt-out of Customer Support or Core Communications. If you do not wish to receive them, you have the option to deactivate your account. If you do not wish to receive marketing communications you can simply not consent to receive them (if your location requires consent), use the “Manage Your Preferences” and “Unsubscribe” links provided within each marketing email message, or contact Customer Support at Customer.Support@confirmation.com.

SHARING

We will share your personal data or legal confirmation attachments containing PHI with third parties only in the ways that are described in this privacy policy. We do not sell your personal data or legal confirmation attachments containing PHI to third parties.

Legal Disclaimer

In certain situations, Confirmation may be required to disclose personal data or legal confirmation attachments containing PHI in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Though we make every effort to preserve user privacy, we may also need to disclose personal data or legal confirmation attachments containing PHI when required by law such as to comply with a subpoena, bankruptcy proceedings, or similar legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Aggregate Information (non-personal data)

We do not share aggregated demographic information with our partners and advertisers. These are the instances in which we will share users’ personal data or legal confirmation attachments containing PHI:

Third Party Intermediaries

We use PCI-DSS compliant outside credit card processing companies to bill users for services. These companies do not retain, share, store, or use personal data for any secondary purposes.

Business Transitions

In the event Confirmation goes through a business transition, such as a merger, being acquired by another company, or selling a portion of its assets, users’ personal data or legal confirmation attachments containing PHI will, in most instances, be part of the assets transferred. Users will be notified via prominent notice on our website(s) for 30 days prior to a change of ownership or control of their personal data or legal confirmation attachments containing PHI. If as a result of the business transition, the users’ personally identifiable information or legal confirmation attachments containing PHI will be used in a manner different from that stated at the time of collection they will be given choice consistent with our notification of changes section prior to the information being used for the new purposes.

Surveys & Contests

From time to time, our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user, therefore, has a choice whether or not to disclose this information. The requested information typically includes contact information (such as name and shipping address), and demographic information (such as zip code). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the use and satisfaction of this site. Users’ personally identifiable information is not shared with third parties unless we give prior notice and choice. Though we may use an intermediary to conduct these surveys or contests, they may not use users’ personal data for any secondary purposes.

SECURITY

This Website(s) takes every precaution to protect our users’ information. When users submit sensitive information via the Website(s), their information is protected both online and offline.

The Confirmation Website(s)s are entirely encrypted and protected using 256-bit encryption with a public RSA 2048-bit key for SSL Extended Validation Certificates with Server Gated Cryptography by DigiCert for internet communications. This means that when our registration/order form asks users to enter sensitive information (such as credit card number), that information is encrypted. While we use SSL encryption to protect sensitive information online, we also use appropriate technical and organizational measures to protect user-information offline. All of our users’ information, not just the sensitive information mentioned above, is restricted in our offices. Only employees who need the information to perform a specific job (for example, our billing clerk or a Customer Support representative) are granted access to personal data. The servers that store personal data are in a secure environment, in a hardened hosting facility. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.

If users have any questions about the security at our Website(s), users can send an email to: Customer.Support@confirmation.com (www.confirmation.com) or learn@confirmation.com (https://learn.confirmation.com/learn).

SUPPLEMENTATION OF INFORMATION

In order for the website(s) to properly fulfill its obligation to users, it is necessary for us to supplement the information we receive with information from 3rd party sources. We use outside sources to verify a user’s accounting credentials to validate that user’s access to our system. If you provide us personal information about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.

Personal Data Management and Inquiries

You have the following rights in relation to personal data relating to you that we process:

  1. Upon request, Confirmation will provide you with information about whether we hold any of your personal information. You may also request a copy or access to the personal data concerned.
  2. If your personal data changes (such as zip code, phone, email or postal address) you can update your data by editing your user profile on the Confirmation.com Website(s) or by contacting Customer Support.
  3. Where we are processing personal data relating to you on the basis of your prior consent to that processing, you may withdraw your consent at any time, after which we shall stop the processing concerned.
  4. If you have a complaint about the processing of your personal data by Confirmation, please contact Customer Support. If we are unable to rectify the issue to your satisfaction, you are always able to lodge a formal complaint with the applicable Supervisory Authority.

Personal data inquiries can be submitted by contacting the Confirmation Data Protection Officer at Customer.Support@confirmation.com (www.confirmation.com) or learn@confirmation.com (learn.confirmation.com/learn). We will respond to your request within 30 days.

Social Media Widgets

Our website(s) includes social media features, such as the Facebook “Like” button, and Widgets, such as the “Share This” button or interactive mini-programs that run on our website(s). These features may collect your Internet Protocol (IP) address, which page you are visiting on our website(s), and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website(s). Your interactions with these features are governed by the privacy statement of the company providing it.

Testimonials

We display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at Customer.Support@confirmation.com (www.confirmation.com) or learn@confirmation.com (https://learn.confirmation.com/learn).

Links to 3rd Party Sites

Our website includes links to other website(s) whose privacy practices may differ from those of Confirmation. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy statement of any website(s) you visit.

Notification of Changes

If we decide to change our privacy statement, we will post those changes to this privacy statement, the homepage, and other places we deem appropriate so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We will use information in accordance with the privacy statement under which the information was collected.

If, however, we are going to use a user’s personal data in a manner different from that stated at the time of collection we will notify users via email prior to the change becoming effective. Users will have a choice as to whether or not we use their information in this different manner. However, if users have opted out of all communication with the site through deactivating their account, then they will not be contacted, nor will their personal data be used in this new manner. In addition, if we make any material changes in our privacy practices that do not affect user information already stored in our database, we will post a prominent notice on our website(s) prior to the changes taking effect. In some cases where we post a notice, we will also email users, who have opted to receive communications from us, notifying them of the changes in our privacy practices.

REGIONAL PRIVACY REQUIREMENTS

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

The data that we process in relation to you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) and Switzerland, that may not be subject to equivalent data protection law. It may also be processed by staff situated outside these areas who work for us or for one of our suppliers. This includes staff engaged in activities such as the fulfillment of orders, the processing of payment details, and the provision of support services.

Where personal data is transferred in relation to providing our services, we will take all steps reasonably necessary to ensure that it is protected by appropriate safeguards. Confirmation and its subsidiary companies (Confirmation International LLC, and Confirmation Technology Services LLC) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework. Confirmation is committed to subjecting all personal data received from the European Union (EU) member countries and Switzerland, respectively, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List (https://www.privacyshield.gov/list).

Confirmation is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Confirmation complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Confirmation is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Confirmation may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield Website(s) (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

EU General Data Protection Regulation (GDPR)

In providing our services, we act as a data processor on behalf of the users of our services in relation to personal data that is processed using the service, in which case we will process the relevant personal data only for the purpose(s) of providing the service and otherwise in accordance with our agreement with the users and the regulations that apply to us directly as a data processor.

Legal Basis for Personal Data Processing

Collecting, processing, and using personal data by Confirmation occurs under the following legal bases:

  • Legitimate Interest – User validation, transactional confirmation activities including authorization, user access permissions, user account management, core site communications, and customer support.
  • Consent – Marketing communications.

Data Protection Officer

Compliance with Confirmation’s privacy policy and applicable data protection laws is verified regularly with internal impact assessments and other controls. The coordination of these activities is the responsibility of the Data Protection Officer, who can be contacted in accordance with the contact information below.

Dan Zangwill
Data Protection Officer
DataInquiries@confirmation.com

Automated Decisions

Personal data processed by Confirmation is never used to make automated decisions that would have negative consequences for its data subjects.

Supervisory Authority

The United Kingdom’s Information Commissioner’s Office is the lead supervisory authority for Confirmation in the EU and can provide further information about your rights and our obligations in relation to personal data, as well as to address any complaints that you have about our processing of your personal data.

Contact Information

If users have any questions or suggestions regarding our privacy statement, please contact us at:

TRUSTe     

For Requesters of Confirmations

User Agreement

THE FOLLOWING DESCRIBES THE TERMS ON WHICH CAPITAL CONFIRMATION INC. OFFERS YOU ACCESS TO OUR SERVICES.

Welcome to the User Agreement for Capital Confirmation Inc. This Agreement describes the terms and conditions applicable to your use of our services available under the domains and sub-domains of www.confirmation.com, and learn.confirmation.com (“Confirmation Website(s)”) owned and operated by Capital Confirmation, and the general principles for the websites of our subsidiaries. If you do not agree to be bound by the terms and conditions of this Agreement, do not use or access our services. You evidence your acceptance of the terms and conditions of this Agreement by checking the box for the “Yes, I have read and accept the User Agreement.” statement and clicking the “Create New Account” button on Capital Confirmation’s website and through your use of any of the Confirmation.com services (aka “Confirm” service).

If you have any questions, please email us at customer.support@confirmation.com.

You must read, agree with and accept all of the terms and conditions contained in this User Agreement and the Privacy Statement, which include those terms and conditions expressly set out below and those incorporated by reference, before you may become a member of Capital Confirmation. We strongly recommend that, as you read this User Agreement, you also access and read the information contained in the other pages and websites referred to in this document, as they may contain further terms and conditions that apply to you as a Capital Confirmation user. Please note: underlined words and phrases are links to these pages and websites. By accepting this User Agreement, you also agree that your use of other Capital Confirmation websites will be governed by the terms and conditions posted on those websites.

We may amend this Agreement at any time by posting the amended terms on our site. Except as stated below, all amended terms shall automatically be effective immediately upon posting on our site. You will not be notified in writing or by email of any changes in this Agreement. This Agreement may not be otherwise amended except in writing signed by you and Capital Confirmation Inc. This Agreement is effective starting March 1, 2003.

1. Membership Eligibility.
Our services are available only to individuals who can form legally binding contracts under applicable law. Without limiting the foregoing, our services are not available to minors or to temporarily or indefinitely suspended Capital Confirmation members. If you are a minor, you cannot use this service. If you do not qualify, please do not use our services. Further, your Capital Confirmation account (including feedback) and User Id may not be transferred or sold to another party. If you are registering as a business entity, you represent that you have the authority to bind the entity to this Agreement. If you are registered as an individual, you represent that you are the individual you purport to be.

2. Fees and Service.
Capital Confirmation provides a venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users, (the “Service”). The Service also includes the provision of ancillary services deemed reasonably necessary by Capital Confirmation to run a venue for digital transaction management, including but not limited to customer support, billing, and account management.

Joining our service is free. There is a charge for requesting and receiving confirmations. Our Fees and Credit Policy is available here and is incorporated by reference. We may change our Fees and Credit Policy and the fees for our services from time to time. Our changes to the policy are effective after we provide you with at least fourteen (14) days’ notice of the changes by posting the changes in this Agreement. However, we may choose to temporarily change our Fee Policy and the fees for our services for promotional events and such changes are effective when we post the temporary promotional event on the www.confirmation.com website. When you purchase a confirmation you have an opportunity to review and accept the fees that you will be charged for the use of our services. We may in our sole discretion change some or all of our services at any time. In the event we introduce a new service, the fees for that service are effective at the launch of the service. Unless otherwise stated, all fees are quoted in U.S. Dollars. You are responsible for paying all fees associated with using our service and our website and all applicable taxes.

3. Capital Confirmation is a Venue.
3.1 Capital Confirmation is not a bank or law firm nor are we an authorized bank or law firm representative. Instead, our site acts as a venue to allow users to request, receive, and buy confirmations at any time, from anywhere. We are not involved in the actual transaction between users of and providers of the confirmation information. As a result, we have no control over the quality, accuracy, timeliness or legality of the requests and the responses, or the truth or accuracy of the requests and responses. We also cannot ensure that a provider will actually complete a transaction.

3.2 Identity Verification. We use many techniques to identify our users when they register on our site. However, because user verification on the Internet is difficult, Capital Confirmation cannot and does not confirm each user’s purported identity. Thus, we have established a user-initiated communication system to help you evaluate with whom you are dealing. We encourage you to communicate directly with individual parties through the tools available on our site.

3.3 Release. Because we are a venue, in the event that you have a dispute with one or more users, you release Capital Confirmation (and our officers, directors, agents, subsidiaries, joint ventures and employees) from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed, arising out of or in any way connected with such disputes. If you are a California resident, you waive California Civil Code §1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which if known by him must have materially affected his settlement with the debtor.”

3.4 Information Control. We do not control the information provided by other users that is made available through our system. You may find other user’s information to be inaccurate. Please use caution, common sense, and safe practices when using our site.

3.5 Customer Support. Monday through Friday between the hours of 8:00 A.M. and 5:00 P.M. Central Standard Time, customer support shall be available free of charge by telephone or by email at one or more phone numbers or email addresses to be specified on our website located at www.confirmation.com.

4. Authorizing, Requesting and Purchasing.
By authorizing, requesting and purchasing a confirmation you agree to be bound by the conditions of this Agreement. Requests are not retractable. If you choose to authorize, request or purchase a confirmation you are certifying that you have the legal right to authorize, request or purchase such confirmations.

5. Address Lookup.
Capital Confirmation pulls Address Lookup information from public and private data sources. The Public Records, private records and commercially available data sources used in this system have errors and are not complete. Data is sometimes entered poorly and processed incorrectly. This system should not be relied upon as definitively accurate. Before relying on any data this system supplies, it should be independently verified.

6. Out-of-Network Confirmations.
The Out-of-Network confirmation service requires the requestor to enter the contact information for the responder and the responder’s company. Because you as the requestor determine who and at which entity an out-of-network confirmation is directed, and therefore which entity and who at that entity is the responder, you agree to accept full and sole responsibility for the verification and validation of the identity of the individual responder and the company they claim to represent. You understand that Capital Confirmation has not and will not validate the identity of the responder or the company they claim to represent. You release and hold harmless Capital Confirmation from any and all claims related to the responder’s identity and/or the identity of the company the responder claims to represent if you request confirmations through www.confirmation.com using the Out-of-Network confirmation service.

7. Fraud.
Without limiting any other remedies, Capital Confirmation may suspend or terminate your account if we suspect that you (by conviction, settlement, insurance investigation, or otherwise) have engaged in fraudulent activity in connection with our site.

8. Your Information.
8.1 Definition. “Your Information” is defined as any information you provide to us or other users in the registration or confirmation process, in any message area or through any email feature. You are solely responsible for Your Information, and we act as a passive conduit for your online distribution and publication of Your Information.

8.2 Restricted Activities. Your Information (or any items listed) and your activities on the site shall not: (a) be false, inaccurate or misleading; (b) be fraudulent; (c) infringe any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy; (d) violate any law, statute, ordinance or regulation (including, but not limited to, those governing consumer protection or antidiscrimination); (e) be defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (f) be obscene or contain child pornography; (g) contain any viruses, Trojan horses, worms, time bombs, cancelbots, easter eggs or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; and (h) create liability for us or cause us to lose (in whole or in part) the services of our ISPs or other suppliers. Furthermore, you may not authorize or request any confirmation on the site (or consummate any transaction that was initiated using our service) that, by authorizing or paying to us the usage fee or the final value fee, could cause us to violate any applicable law, statute, ordinance or regulation.

8.3 License. Solely to enable Capital Confirmation to use the information you supply us with, so that we are not violating any rights you might have in that information, you agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple tiers) right to exercise the copyright, publicity, and database rights (but no other rights) you have in Your Information, in any media now known or not currently known, with respect to Your Information. Capital Confirmation will only use Your Information in accordance with our Privacy Statement.

9. Ownership of Intellectual Property.
Capital Confirmation shall have and retain all rights, title and interest in all Intellectual Property relating to the Service or arising out of the relationship described in this Agreement. “Intellectual Property” means all ideas, discoveries, inventions, developments, designs, improvements, trademarks, service marks, trade secrets, proprietary information, programs, source code, object code, applications for patents, patents, copyrights (for the duration thereof, including renewals, extensions, and reversions thereof), copyrightable works, and the goodwill associated therewith, including enhancements, improvements, and derivative works, either presently existing or hereinafter arising. You hereby assign and transfer to Capital Confirmation any and all rights in any such Intellectual Property, either presently existing or hereinafter arising, and agree to take such actions (at Capital Confirmation’s expense) as Capital Confirmation may reasonably request to secure such rights for Capital Confirmation. While a registered user of our service, and for a period of two (2) years from the date of last login, you agree not to offer services or assist others in offering services that would compete in any way with the services offered by Capital Confirmation. Unsolicited ideas or product feedback will automatically become our property, without any compensation to you and we may use or distribute such submissions and their contents for any purpose and in any way without any obligations of confidentiality or otherwise.

9.1 License. You agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple tiers) right to use your company name, registered trademark, word mark, service mark, and logo in correspondence with Clients and Users related to the Service.

10. Access and Interference.
You agree that you will not use any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission. You agree that you will not reverse engineer, disassemble, decompile, decode, adapt, develop, or modify the website or Service, or otherwise attempt to derive or gain access to the source code of the website or Service, in whole or in part. You agree that you will not use any device, software or routine to bypass our security features, or to interfere or attempt to interfere with the proper working of the Capital Confirmation site or any activities conducted on our site. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on our infrastructure. Much of the information on our site is updated on a real time basis and is proprietary or is licensed to Capital Confirmation by our users or third parties. You agree that you will not copy, reproduce, alter, modify, create derivative works, or publicly display any content (except for Your Information) from our website without the prior expressed written permission of Capital Confirmation or the appropriate third party. You must ensure that all information you supply to us through our website or Service, or in relation to our website or Service, is true, accurate, complete and not misleading. You shall have sole responsibility for the legality, reliability, integrity, accuracy, and quality of this information. You shall not access all or any part of our website or Service to build a product or service which competes with the Service. You shall not attempt to obtain, or assist third parties in obtaining, access to our website or Service, other than as provided under this Agreement. You shall not make, nor permit any party to make, any use of our website or Service other than to avail of the Service. You shall not make alterations to, or permit our website or Service or any part of it to be combined with, or become incorporated into, any other programs. You shall not provide or otherwise make available our website or the Service in whole or in part (including object and source code), in any form, to any person without our prior written consent. You shall not infringe on our licensors’ intellectual property rights or those of any third party in relation to your use of our website or Service. We may make available to you certain Application Programming Interfaces (an “API” or “APIs”) to achieve additional functionality for users, and provide capabilities or integrations that leverage one or more of our products or services available at www.confirmation.com or provided by our affiliates, which you may use where applicable, subject to our then current fees (if any) for such APIs. Unless previously authorized by us, or our affiliates, you must not automatically connect (whether through APIs or otherwise) any Service to other data, software, services or networks.

11. Breach.
Without limiting other remedies, we may immediately remove you, warn our community of your actions, issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if: (a) you breach this Agreement or the documents it incorporates by reference; (b) we are unable to verify or authenticate any information you provide to us; or (c) we believe that your actions may cause financial loss or legal liability for you, our users or us.

12. Electronic Communications; Identifiers and Passwords; Binding Effect.
You will receive and transmit information to us over the Internet using SSL technology and 2048-bit encryption. You must use Internet browsers that will support the use of 2048-bit encryption. In order to initiate a session where information is transmitted, you will select and use an identification code (such as a “log-in ID”) and a password. You shall protect and safeguard its identification code and password, and shall only permit authorized employees to use the identification code and password in connection with the service. We, and all other persons receiving information from you that has been transmitted using the identification code and password selected by you, shall be entitled to rely in all instances that the information so transmitted has been transmitted by you, that such information is true, accurate and complete in all respects, with the same effect and intent as if such information had been transmitted in written form bearing your written signature. If you believe that your identification code and password have been lost, stolen or compromised in any respect, please notify us immediately at 1-866-325-72011. Communications using the identification code and password received after we have had an opportunity to respond to your notice will not be valid or effective.

13. Privacy.
We do not sell or rent your personal information to third parties and only use your information as described in the Privacy Statement available at https://www.confirmation.com/legal-security-privacy/index.html. We take the protection of our users’ privacy seriously. We store and process your information on computers located in Ireland and the United States that are protected with security measures.

Customer Financial information residing within Confirmation.com’s processing controls will be maintained and stored according to our security and privacy policies. Confirmation.com takes no responsibility for Customer Financial information once this data is no longer within Confirmation.com’s control (e.g., data downloaded by a user or mailed confirmations).

If you object to your information being collected, used, transferred, or otherwise processed in this way, please do not use our services.

13.1 Data Protection Legislation. When using our Services or otherwise providing Personally Identifiable Information to us, you agree to comply with all applicable laws governing or relating to the processing of that Personally Identifiable Information (“Data Protection Laws”). “Personally Identifiable Information” shall mean any information relating to an identified or identifiable natural person whose information you provide to us and that we process as part of the Service or in connection with this Agreement. You confirm that any Personally Identifiable Information that has been provided by you has been collected and disclosed in accordance with Data Protection Laws. When using the Service, you shall not input, upload, maintain or disclose any irrelevant or unnecessary information about individuals.

13.2. Personal Data transferred outside of your home country. Without limiting the foregoing and for clarity, you agree that we may transfer your personal information outside of your home country to another country where the laws may not provide an equivalent level of protection and you confirm that we may so transfer any Personally Identifiable Information that has been provided by you.

Where the provision of Service by us to you involves any transfer of Personally Identifiable Information that has been provided by you outside of the European Economic Area or Switzerland (by way of direct or indirect transfer), the parties agree that the transfers will be done in accordance with Schedule 1 attached hereto. If any other Data Protection Laws require you and us to implement appropriate safeguards to legitimize the transfer of Personally Identifiable Information to a third country, you will let us know and we will negotiate in good faith to implement the required safeguards.

14. Client Authentication.
You certify that any and all subject(s) set up as your client(s) on the Confirmation.com service are authorized representatives of your client.

15. Authorization.
You certify that any confirmations requested are with the subject(s) prior written permission. You agree to keep the authorization on file for a minimum of 5 years. Typically this written permission is in the form of a client engagement letter. You warrant that the release of the subject information will not result in a breach of any applicable Data Protection Laws.

16. Audit Rights.
Capital Confirmation may, from time to time, conduct various audits of your practices and procedures to determine your compliance with this Agreement. You will reasonably cooperate in all those audits. Capital Confirmation may conduct on-site and/or off-site audits of your facilities as Capital Confirmation determines during normal business hours, and upon reasonable notice.

17. No Warranty.
WE, OUR SUBSIDIARIES, EMPLOYEES AND OUR SUPPLIERS PROVIDE OUR WEB SITE AND SERVICES, INCLUDING BUT NOT LIMITED TO ANY APIS, ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES OF ANY KIND. WE, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIMS ALL WARRANTIES, INCLUDING THE WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD-PARTIES’ RIGHTS, AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. WE MAKE NO WARRANTIES ABOUT THE ACCURACY, RELIABILITY, COMPLETENESS, OR TIMELINESS OF THE SERVICES OR ANY CONTENT THEREIN. WE MAKE NO WARRANTIES THAT THE WEBSITE OR SERVICE WILL REMAIN AVAILABLE. WE RESERVE THE RIGHT TO DISCONTINUE OR ALTER ANY OR ALL OF THE WEBSITE OR SERVICE, AND TO STOP PUBLISHING OUR WEBSITE OR SERVICE AT ANY TIME AND IN OUR SOLE DISCRETION WITHOUT NOTICE OR EXPLANATION, AND YOU WILL NOT BE ENTITLED TO ANY COMPENSATION OR OTHER PAYMENT UPON THE DISCONTINUANCE OR ALTERATION OF OUR WEBSITE OR SERVICES. FOR THE AVOIDANACE OF ALL DOUBT, WE DO NOT WARRANT, NOR WILL BE RESPONSIBLE FOR, ANY PRODUCTS, SERVICES, FUNCTIONALITY, OR INTERFACES THAT ARE PROVIDED BY YOU OR ANY THIRD PARTY.

18. Liability Limit.
IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH OUR SITE, OUR SERVICES, INCLUDING WITHOUT LIMITATION USE OF ANY APIS, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE). THE USER SHALL HAVE NO LIABILITY WITH RESPECT TO THE SERVICE FOR CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE WITH RESPECT TO THE ACCURACY OR RELIABILITY OF INFORMATION PROVIDED BY THE AUDITOR, WHETHER INPUTTED INTO THE CAPITAL CONFIRMATION WEBSITE OR ANY ASSOCIATED PLATFORMS BY US CAPITAL CONFIRMATION OR BY THE AUDITOR. THE AUDITOR MAINTAINS THE SOLE RESPONSIBILITY AND LIABILITY FOR REVIEWING AND APPROVING THE INFORMATION POPULATED INTO THE CAPITAL CONFIRMATION WEBSITE AND ASSOCIATED PLATFORMS.
OUR LIABILITY, AND THE LIABILITY OF OUR SUBSIDIARIES, EMPLOYEES, AND SUPPLIERS, TO YOU OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE IS LIMITED TO THE LESSOR OF (A) THE AMOUNT OF FEES YOU PAY TO US IN THE 12 MONTHS PRECEDING THE FIRST DATE ON WHICH SUCH LIABILITY AROSE, OR (B) $100. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OR NONPERFORMANCE OF ANY APIS PROVIDED BY CAPITAL CONFIRMATION SHALL BE FOR CAPITAL CONFIRMATION TO USE COMMERCIALLY REASONABLE EFFORTS TO ADJUST OR REPAIR THE NONPERFORMING APIS.

19. Fair Credit Reporting Disclosure.
The parties acknowledge that CCI is not a consumer reporting agency as such term is defined in the federal Fair Credit Reporting Act, 15 U.S.C. 1581 et seq. (“FCRA”) and therefore, is not subject to the requirements or provisions of the FCRA. Any reports accessed through the Services or Sites do not constitute consumer reports as such term is defined in the FCRA, and accordingly, such reports may not be used to determine eligibility for credit, employment, insurance underwriting, tenant screening or for any other purpose provided for in the FCRA. CCI makes no representations or warranties as to its compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. However, other Users, including banking institutions, financial organizations, credit reporting agencies, and other entities with which the User may interact through the Services or Sites may be subject to the Fair Credit Reporting Act. CCI makes no representations or warranties about such other User’s compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. CCI shall not be deemed a guarantor of the accuracy or completeness of information provided by other Users.

20. Indemnity.
You shall indemnify and hold Capital Confirmation and (as applicable) our parent, subsidiaries, affiliates, officers, directors, agents, and employees and the financial institutions harmless from any and all third-party claims, losses and damages, liability, and costs, including attorney’s fees, against, or incurred by, Capital Confirmation to the extent such claims, damages, liability and costs result directly or indirectly from: (a) your negligence or intentional conduct; (b) your breach of your obligations under this Agreement including, but not limited to, any breach which results in the unauthorized and/or non-permissible use of information obtained via Capital Confirmation’s Confirmation.com service or any other such service under this Agreement; (c) any claim that our website or Service or the use thereof infringes upon, misappropriates, or violates any intellectual property rights of any third party, provided that such claim results from or is related to (i) an unauthorized modification of our website or Service; (ii) the combination of the website or Service with software, hardware, or equipment not provided by us if our website or Service alone would not be the subject of such claim; or (iii) your unauthorized use of the website or Service; (d) any data breach suffered by you, your vendor or processor, or by a vendor or processor for Capital Confirmation; or (e) any claim, action, audit, investigation, regulatory action, inquiry, or other proceeding that arises out of or relates to your failure to comply with any applicable laws and regulations in connection with the transfer of personal data to or outside the EU/EEA including any applicable Data Protection Laws.

21. Confidentiality.
You may be given access to our confidential information or confidential information from other authorized Users in relation to your use of our website or Service. Information and knowledge related to the operation and processes of the website and Service are also considered confidential information. You shall hold confidential information in confidence and, unless required by law, not make confidential information available to any third party, or use confidential information for any purpose other than as provided for in using our website or Service. You shall take all reasonable steps to ensure that confidential information to which you have access is not disclosed or distributed by any person in violation of this Agreement. You acknowledge that details of the Service constitute our confidential information.

22. Legal Compliance.
You represents and warrants that you have read, understand and shall comply with all laws, regulations and judicial actions including, but not limited to, the Identity Theft and Assumption Deterrence Act, the Fraud and False Statements Act, the USA Freedom Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), including without limitation, all amendments thereto, and all other applicable federal or state legislation, regulations and judicial actions, as now or as may become effective.

You certify that you will use the service and the information received for no other purpose than is legally permissible. You understand that if the system is used improperly by company personnel, or if its access codes are made available to any unauthorized personnel due to carelessness on the part of you or any other, you may be held responsible for financial losses, fees or monetary charges that may be incurred and that its access privileges may be terminated. You will not obtain, retain, use, or provide access to the Service to an affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction, including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that neither you, nor any affiliate to which you provide access to the Service, is affiliated with a specially designated or sanctioned entity under any of those laws and that, in any transaction relating to Confirmation or the Service, such transactions will not involve sanctioned parties, including without limitation through the use of bank accounts at banks that are sanctioned parties. Further, the parties represent and warrant that they have read, understand and shall comply with all applicable laws, regulations and judicial actions including, but not limited to, anti-bribery laws, anti-corruption laws, anti-slavery laws, anti-human trafficking, tax laws, any applicable law aimed at preventing the facilitation of criminal behavior.

23. British Banker’s Association, BBA Enterprises Limited plus any other group company of the British Banker’s Association (Together the “BBA”)
Nothing in this agreement shall limit the BBA’s liability for death or personal injury caused by its negligence or that or its personnel; fraud or fraudulent misrepresentation; or for any other liability which cannot be excluded under English law, even if any other terms of this Agreement would suggest that this might otherwise be the case.

You expressly acknowledge and agree that the BBA: (a) is not a part to this Agreement and is not involved in the design, supply or support of Capital Confirmation Inc’s services including the service promoted to UK banks as “BBA Confirmations”; (b) makes no representation or warranty that the services will be adequate or appropriate for you and its requirements and any BBA trademarks or logos present in marketing materials or other documents o not represent and endorsement of the service; (c) shall not be responsible for providing any of the services; and (d) shall have no liability to you whatsoever whether direct or indirect and whether in contact, tort (including negligence), misrepresentation or for any other reason in respect of any of the services provided under this agreement.

24. No Agency.
You and Capital Confirmation are independent contractors, and no agency, partnership, joint venture, employee-employer or franchiser-franchisee relationship is intended or created by this Agreement.

25. Notices.
Except as explicitly stated otherwise, any notices shall be given by postal mail to Capital Confirmation Inc. Attn: Legal Department 214 Centerview Drive, Suite 100, Brentwood, TN 37027 (in the case of Capital Confirmation) or to the email address you provide to Capital Confirmation during the registration process (in your case). Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid. Alternatively, we may give you notice by certified mail, postage prepaid and return receipt requested, to the address provided to Capital Confirmation during the registration process. In such case, notice shall be deemed given 3 days after the date of mailing.

26. Arbitration.
Any legal controversy or legal claim arising out of or relating to this Agreement or our services, excluding legal action taken by Capital Confirmation to collect our fees and/or recover damages for, or obtain an injunction relating to, the Capital Confirmation site operations, intellectual property, and our services, shall be settled by binding arbitration in accordance with the commercial arbitration rules of the American Arbitration Association. Any such controversy or claim shall be arbitrated on an individual basis, and shall not be consolidated in any arbitration with any claim or controversy of any other party. The arbitration shall be conducted in Nashville, Tennessee, and judgment on the arbitration award may be entered into any court having jurisdiction thereof. Either you or Capital Confirmation may seek any interim or preliminary relief from a court of competent jurisdiction in Nashville, Tennessee necessary to protect the rights or property of you or Capital Confirmation pending the completion of arbitration. Should either party file an action contrary to this provision, the other party may recover attorney’s fees and costs up to $1000.00.

27. Additional Terms.
The following policies are incorporated into this Agreement by reference and provide additional terms and conditions related to specific services offered on our site:

Privacy Statement:
https://www.confirmation.com/legal-security-privacy/index.html.

Fee and Credit Policy:
https://www.confirmation.com/resources/uncategorized/fees-and-credit-policy/

Each of these policies may be changed from time to time and are effective immediately after we post the changes on our site, except for the Privacy Statement for which we will provide you with thirty days prior notice. In addition, when using particular services on our site, you agree that you are subject to any posted policies or rules applicable to services you use through our site, which may be posted from time to time. All such posted policies or rules are hereby incorporated by reference into this Agreement.

You acknowledge and agree that: (a) members of Capital Confirmation’s Group may be retained as sub-processors; and (b) Capital Confirmation and members of Capital Confirmation’s Group respectively may engage third-party sub-processors in connection with the provision of the Services. We do not guarantee and shall not be liable for the performance of any sub-processor or sub-contractor.

28. Governing Law.
This Agreement shall be governed in all respects by the laws of the State of Tennessee, without reference to conflict of laws principles. You further consent to exclusive jurisdiction by the United States District Court for the Middle District of Tennessee.

29. Assignment.
You agree that this Agreement and all incorporated agreements may be automatically assigned by Capital Confirmation, in our sole discretion, to a third party in the event of a merger or acquisition. You may not, without our prior written consent, assign, transfer, sub-contract or otherwise deal with any of your rights and/or obligations under this Agreement.

30. General.
We do not guarantee continuous, uninterrupted or secure access to our services, and operation of our site may be interfered with by numerous factors outside of our control. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. Headings are for reference purposes only and in no way define, limit, construe or describe the scope or extent of such section. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches. English is the official language used for content on the Confirmation.com website. Through the use of a third-party provider Confirmation.com provides its users with limited English proficiency to access information on the site. Translations made through this automated process should not be considered exact particularly in cases of technical and legal terminology. Additionally, some files including graphs, photos and portable document formats (pdfs) cannot be translated through this process. Capital Confirmation Inc. does not warrant the accuracy or reliability of any information translated by this system and shall not be liable for any losses caused by such reliance on the accuracy or reliability of such information. While every effort is made to ensure the accuracy of the translation, portions may be incorrect. Any person or entity who relies on information obtained from the system does so at his or her own risk. This Agreement sets forth the entire understanding and agreement between us with respect to the subject matter hereof. Sections 2 (Fees and Services) with respect to fees owed for our services, 3.3 (Release), 8.3 (License), 10 (Access and Interference), 18 (Liability Limit), 19 (Indemnity) and 23 (Arbitration) shall survive any termination or expiration of this Agreement.

31. Disclosures.
The services hereunder are offered by Capital Confirmation Inc., located at 214 Centerview Drive, Suite 100, Brentwood, Tennessee 37027. Fees for our services are described above in Section 2 (Fees and Services).

32. Disputes.
Disputes between you and Capital Confirmation regarding our services may be reported to Customer Support by mailing us at Capital Confirmation, Customer Support, 214 Centerview Drive, Suite 100, Brentwood, TN 37027. We encourage you to report all user-to-user disputes to your local law enforcement, postmaster general, or a certified mediation or arbitration entity.

33. Your Acceptance of this User Agreement.
You evidence your acceptance of this User Agreement by clicking on “Accept User Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com service. Such acceptance shall have the same legal effect as your written signature set forth on a written document containing the terms and conditions of this User Agreement.

Schedule 1
EUROPEAN DATA TRANSFERS

We process Personally Identifiable Information outside of the European Economic Area (EEA) and Switzerland including in third countries which may not be recognized by the European Commission or the Swiss Federal Data Protection and Information Commission as providing an adequate level of privacy protection, such as in the United States.

Capital Confirmation will enter into the Standard Contractual Clauses approved by the European Commission to legitimize the transfers of Personally Identifiable Information outside of the EEA and/or Switzerland to an inadequate third country. If we are required to enter into the Standard Contractual Clauses to legitimize the transfer of Personally Identifiable Information outside of the EEA and/or Switzerland, then the parties hereby agree to the Standard Contractual Clauses set forth in Attachment 1 (for those cases where we act as a processor with respect to personal data) below, and you evidence your acceptance of the Standard Contractual Clauses by clicking on “Accept User Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com service.

Notwithstanding the foregoing, if the Standard Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personally Identifiable Information outside of the EEA to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer agreements), then you shall procure the appropriate consent of any data subject whose Personally Identifiable Information is transferred to us to enable us to transfer that Personally Identifiable Information to the United States (or such other third country).

Attachment 1: Standard Contractual Clauses (Processor)

For the transfer of personal data outside of the EEA and/or Switzerland to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importer have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Notwithstanding the foregoing, if the following Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personal Data outside of the EEA and/or Switzerland to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer Clauses), you shall procure the appropriate consent of any data subject whose Personal Data is transferred to us to enable the Parties to transfer that Personal Data to the United States (or such other third country).

Clause 1
Definitions

For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the party who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

(a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(e) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
i. any accidental or unauthorised access; and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
iii. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The data importer has included the security requirements detailed in Appendix 2 at the request of the data exporter, and the data exporter agrees that such security requirements and the audit obligations and rights under the Master Agreement will be deemed to fully satisfy the audit rights granted to the data exporter under Clauses 5(f) and 12.2;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent (whether under or in connection with the Master Agreement or otherwise);

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly, on request, a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
a. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

(a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(b) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(c) to refer the dispute to the courts in the Member State in which the data exporter is established.

(d) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any): (stamp of organisation)
Signature

On behalf of the data importer:
Capital Confirmation, Inc.
Name (written out in full): Diana Flanders
Position: VP, Business Integrations
Address: Capital Confirmation, Inc. 214 Centerview Drive, Suite 100, Brentwood, TN 37027
Other information necessary in order for the contract to be binding (if any): N/A
Signature

Appendix 1
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter will export the personal data contained in the client’s documentation to the responders via the Confirmation.com platform. Exported data will concern personal data of data exporter’s employees with access given to the online platform handled by the data importer. Also, data exporter’s client data for the purposes of forwarding data exporter’s audit requests to responders by the data importer.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):
Capital Confirmation Inc.

The data importer provides an online venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users. Processed data will concern data exporter’s employees for which accounts in the platform handled by the data importer will be created. Also, data exporter’s client data for the purposes of forwarding data exporter’s audit requests to responders by the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter’s employees and personal data of data exporter’s client’s representatives and other subjects mentioned in the documentation, which is sent to the responder

Categories of data

The personal data transferred concern the following categories of data (please specify):

The categories of data are: names, surnames, addresses, account numbers, financial information, PESEL number and other personal data of the subjects mentioned in the documentation sent to the responder. Employees, partners, principals, directors, former employees, former partners, former principals, former directors, new hires, individual contractors and temporary staff of the data exporter, as well as applicants, dependants, contractors / subcontractors, clients, suppliers/vendors of the data exporter

Special categories of data (if appropriate)

Not applicable

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The platform Confirmation.com is internet-based system, that allows the data exporter to send documentation to auditors for the needs of the audit. The documentation will be encrypted by the data importer while uploading it to the platform, so the data importer should not get access to the contents of the documentation and personal data contained in the documentation beyond the scope necessary to perform the encryption process.

DATA EXPORTER
Name:
Authorised Signature

DATA IMPORTER
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

Appendix 2
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data Importer has implemented the technical and organisation security measures set out in the Agreements and incorporated herein by reference.

DATA EXPORTER
Name:
Authorised Signature
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

For Responders of Confirmations

User Agreement

THE FOLLOWING DESCRIBES THE TERMS ON WHICH CAPITAL CONFIRMATION INC. OFFERS YOU ACCESS TO OUR SERVICES.

Welcome to the User Agreement for Capital Confirmation Inc. This Agreement describes the terms and conditions applicable to your use of our services available under the domains and sub-domains of www.confirmation.com, and learn.confirmation.com (“Confirmation Website(s)”) owned and operated by Capital Confirmation, and the general principles for the websites of our subsidiaries. If you do not agree to be bound by the terms and conditions of this Agreement, do not use or access our services. You evidence your acceptance of the terms and conditions of this Agreement through your use of any of the Confirmation.com services (aka “Confirm” service).

If you have any questions, please email us at customer.support@confirmation.com.

You must read, agree with and accept all of the terms and conditions contained in this User Agreement and the Privacy Statement, which include those terms and conditions expressly set out below and those incorporated by reference, before you may become a member of Capital Confirmation. We strongly recommend that, as you read this User Agreement, you also access and read the information contained in the other pages and websites referred to in this document, as they may contain further terms and conditions that apply to you as a Capital Confirmation user. Please note: underlined words and phrases are links to these pages and websites. By accepting this User Agreement, you also agree that your use of other Capital Confirmation websites will be governed by the terms and conditions posted on those websites.

We may amend this Agreement at any time by posting the amended terms on our site. Except as stated below, all amended terms shall automatically be effective immediately upon posting on our site. You will not be notified in writing or by email of any changes in this Agreement. This Agreement may not be otherwise amended except in writing signed by you and Capital Confirmation Inc. This Agreement is effective starting March 1, 2003.

1. Membership Eligibility.
Our services are available only to individuals who can form legally binding contracts under applicable law. Without limiting the foregoing, our services are not available to minors or to temporarily or indefinitely suspended Capital Confirmation members. If you are a minor, you cannot use this service. If you do not qualify, please do not use our services. Further, your Capital Confirmation account (including feedback) and User Id may not be transferred or sold to another party. If you are registering as a business entity, you represent that you have the authority to bind the entity to this Agreement. If you are registered as an individual, you represent that you are the individual you purport to be.

2. Fees and Service.
Capital Confirmation provides a venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users (the “Service”). Joining and using our service to respond to audit confirmations is free. Our changes to the policy are effective after we provide you with at least fourteen (14) days’ notice of the changes by posting the changes in this Agreement. In the event we introduce a new service, the fees for that service are effective at the launch of the service. The Service also includes the provision of ancillary services deemed reasonably necessary by Capital Confirmation to run a venue for digital transaction management, including but not limited to customer support, billing, and account management.

3. Capital Confirmation is a Venue.
3.1 Capital Confirmation is not an accounting firm or client user nor are we an authorized accounting firm or client user representative. Instead, our site acts as a venue to allow users to respond to audit confirmations. We are not involved in the actual transaction between users of and providers of the confirmation information. As a result, we have no control over the quality, accuracy, timeliness or legality of the requests and the responses, or the truth or accuracy of the requests and responses.

3.2 Identity Verification. We use many techniques to identify our users when they register on our site. However, because user verification on the Internet is difficult, Capital Confirmation cannot and does not confirm each user’s purported identity. Thus, we have established a user-initiated communication system to help you evaluate with whom you are dealing. We encourage you to communicate directly with individual parties through the tools available on our site.

3.3 Release. Because we are a venue, in the event that you have a dispute with one or more users, you release Capital Confirmation (and our officers, directors, agents, subsidiaries, joint ventures and employees) from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed, arising out of or in any way connected with such disputes. If you are a California resident, you waive California Civil Code §1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which if known by him must have materially affected his settlement with the debtor.”

3.4 Information Control. We do not control the information provided by other users that is made available through our system. You may find other user’s information to be inaccurate. Please use caution, common sense, and safe practices when using our site.

3.5 Customer Support. Monday through Friday between the hours of 8:00 A.M. and 5:00 P.M. Central Standard Time, customer support shall be available free of charge by telephone or by email at one or more phone numbers or email addresses to be specified on our website located at www.confirmation.com.

4. Responding.
By responding to a confirmation request you agree to be bound by the conditions of this Agreement. Responses are not retractable. If you choose to respond to a confirmation you are certifying that you have the legal right to respond to such confirmations on behalf of the company you purport to represent and work for, or in the case of an individual who is responding, you are certifying that you are the person you purport to be.

5. Fraud.
Without limiting any other remedies, Capital Confirmation may suspend or terminate your account if we suspect that you (by conviction, settlement, insurance investigation, or otherwise) have engaged in fraudulent activity in connection with our site.

6. Your Information.
6.1 Definition. “Your Information” is defined as any information you provide to us or other users in the registration or confirmation process, in any message area or through any email feature. You are solely responsible for Your Information, and we act as a passive conduit for your online distribution and publication of Your Information.

6.2 Restricted Activities. Your Information (or any items listed) and your activities on the site shall not: (a) be false, inaccurate or misleading; (b) be fraudulent; (c) infringe any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy; (d) violate any law, statute, ordinance or regulation (including, but not limited to, those governing consumer protection or antidiscrimination); (e) be defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (f) be obscene or contain child pornography; (g) contain any viruses, Trojan horses, worms, time bombs, cancelbots, easter eggs or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; and (h) create liability for us or cause us to lose (in whole or in part) the services of our ISPs or other suppliers. Furthermore, you may not authorize and respond to any confirmation on the site (or consummate any transaction that was initiated using our service) that, by authorizing and responding to us the usage fee or the final value fee, could cause us to violate any applicable law, statute, ordinance or regulation.

6.3 License. Solely to enable Capital Confirmation to use the information you supply us with, so that we are not violating any rights you might have in that information, you agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple tiers) right to exercise the copyright, publicity, and database rights (but no other rights) you have in Your Information, in any media now known or not currently known, with respect to Your Information. Capital Confirmation will only use Your Information in accordance with our Privacy Statement.

7. Ownership of Intellectual Property.
Capital Confirmation shall have and retain all rights, title and interest in all Intellectual Property relating to the Service or arising out of the relationship described in this Agreement. “Intellectual Property” means all ideas, discoveries, inventions, developments, designs, improvements, trademarks, service marks, trade secrets, proprietary information, programs, source code, object code, applications for patents, patents, copyrights (for the duration thereof, including renewals, extensions, and reversions thereof), copyrightable works, and the goodwill associated therewith, including enhancements, improvements, and derivative works, either presently existing or hereinafter arising. You hereby assign and transfer to Capital Confirmation any and all rights in any such Intellectual Property, either presently existing or hereinafter arising, and agree to take such actions (at Capital Confirmation’s expense) as Capital Confirmation may reasonably request to secure such rights for Capital Confirmation. While a registered user of our service, and for a period of two (2) years from the date of last login, you agree not to offer services or assist others in offering services that would compete in any way with the services offered by Capital Confirmation. Unsolicited ideas or product feedback will automatically become our property, without any compensation to you and we may use or distribute such submissions and their contents for any purpose and in any way without any obligations of confidentiality or otherwise.

8. Access and Interference.
You agree that you will not use any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission. You agree that you will not reverse engineer, disassemble, decompile, decode, adapt, develop, or modify the website or Service, or otherwise attempt to derive or gain access to the source code of the website or Service, in whole or in part. You agree that you will not use any device, software or routine to bypass our security features, or to interfere or attempt to interfere with the proper working of the Capital Confirmation site or any activities conducted on our site. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on our infrastructure. Much of the information on our site is updated on a real time basis and is proprietary or is licensed to Capital Confirmation by our users or third parties. You agree that you will not copy, reproduce, alter, modify, create derivative works, or publicly display any content (except for Your Information) from our website without the prior expressed written permission of Capital Confirmation or the appropriate third party. You must ensure that all information you supply to us through our website or Service, or in relation to our website or Service, is true, accurate, complete and not misleading. You shall have sole responsibility for the legality, reliability, integrity, accuracy, and quality of this information. You shall not access all or any part of our website or Service to build a product or service which competes with the Service. You shall not attempt to obtain, or assist third parties in obtaining, access to our website or Service, other than as provided under this Agreement. You shall not make, nor permit any party to make, any use of our website or Service other than to avail of the Service. You shall not make alterations to, or permit our website or Service or any part of it to be combined with, or become incorporated into, any other programs. You shall not provide or otherwise make available our website or the Service in whole or in part (including object and source code), in any form, to any person without our prior written consent. You shall not infringe on our licensors’ intellectual property rights or those of any third party in relation to your use of our website or Service. We may make available to you certain Application Programming Interfaces (an “API” or “APIs”) to achieve additional functionality for users, and provide capabilities or integrations that leverage one or more of our products or services available at www.confirmation.com or provided by our affiliates, which you may use where applicable, subject to our then current fees (if any) for such APIs. Unless previously authorized by us, or our affiliates, you must not automatically connect (whether through APIs or otherwise) any Service to other data, software, services or networks.

9. Breach.
Without limiting other remedies, we may immediately remove you, warn our community of your actions, issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if: (a) you breach this Agreement or the documents it incorporates by reference; (b) we are unable to verify or authenticate any information you provide to us; or (c) we believe that your actions may cause financial loss or legal liability for you, our users or us.

10. Electronic Communications; Identifiers and Passwords; Binding Effect.
You will receive and transmit information to us over the Internet using SSL technology and 2048-bit encryption. You must use Internet browsers that will support the use of 2048-bit encryption. In order to initiate a session where information is transmitted, you will either select and use an identification code (such as a “log-in ID”) and a password or will be prompted to click a link to log-in. You shall protect and safeguard identification codes, passwords, log-in links/emails, and shall only permit authorized employees or yourself to use the identification code and password, or to click the log-in link, in connection with the service. We, and all other persons receiving information from you that has been transmitted using either the identification code and password selected by you, or the log-in link/email, shall be entitled to rely in all instances that the information so transmitted has been transmitted by you, that such information is true, accurate and complete in all respects, with the same effect and intent as if such information had been transmitted in written form bearing your written signature. If you believe that your identification code and password have been lost, stolen or compromised in any respect, please notify us immediately at 1-866-325-7201. Communications using the identification code and password received after we have had an opportunity to respond to your notice will not be valid or effective.

11. Privacy.
We do not sell or rent your personal information to third parties and only use your information as described in the Privacy Statement available at https://www.confirmation.com/legal-security-privacy/index.html. We take the protection of our users’ privacy seriously. We store and process your information on computers located in Ireland and the United States that are protected with security measures.

Customer Financial information residing within Confirmation.com’s processing controls will be maintained and stored according to our security and privacy policies. Confirmation.com takes no responsibility for Customer Financial information once this data is no longer within Confirmation.com’s control (e.g., data downloaded by a user or mailed confirmations).

If you object to your information being collected, used, transferred, or otherwise processed in this way, please do not use our services.

11.1 Data Protection Legislation. When using our Services or otherwise providing Personally Identifiable Information to us, you agree to comply with all applicable laws governing or relating to the processing of that Personally Identifiable Information (“Data Protection Laws”). “Personally Identifiable Information” shall mean any information relating to an identified or identifiable natural person whose information you provide to us and that we process as part of the Service or in connection with this Agreement. You confirm that any Personally Identifiable Information that has been provided by you has been collected and disclosed in accordance with Data Protection Laws. When using the Service, you shall not input, upload, maintain or disclose any irrelevant or unnecessary information about individuals.

11.2 Personal Data transferred outside of your home country. Without limiting the foregoing and for clarity, you agree that we may transfer your personal information outside of your home country to another country where the laws may not provide an equivalent level of protection and you confirm that we may so transfer any Personally Identifiable Information that has been provided by you.

Where the provision of Service by us to you involves any transfer of Personally Identifiable Information that has been provided by you outside of the European Economic Area or Switzerland (by way of direct or indirect transfer), the parties agree that the transfers will be done in accordance with Schedule 1 attached hereto. If any other Data Protection Laws require you and us to implement appropriate safeguards to legitimize the transfer of Personally Identifiable Information to a third country, you will let us know and we will negotiate in good faith to implement the required safeguards.

12. Supervisor, Secretary, Coordinator and Clerk Authentication.
You certifies that any and all subject(s) set up as your supervisor(s), secretary(s), coordinator(s) and/or clerk(s) on the Confirm service are your authorized and employed representatives of the .

13. Audit Rights.
Capital Confirmation may, from time to time, conduct various audits of your practices and procedures to determine your compliance with this Agreement. You will reasonably cooperate in all those audits. Capital Confirmation may conduct on-site and/or off-site audits of your facilities as Capital Confirmation determines during normal business hours, and upon reasonable notice.

14. No Warranty.
WE, OUR SUBSIDIARIES, EMPLOYEES AND OUR SUPPLIERS PROVIDE OUR WEB SITE AND SERVICES, INCLUDING BUT NOT LIMITED TO ANY APIS, ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES OF ANY KIND. WE, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIMS ALL WARRANTIES, INCLUDING THE WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD-PARTIES’ RIGHTS, AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. WE MAKE NO WARRANTIES ABOUT THE ACCURACY, RELIABILITY, COMPLETENESS, OR TIMELINESS OF THE SERVICES OR ANY CONTENT THEREIN. WE MAKE NO WARRANTIES THAT THE WEBSITE OR SERVICE WILL REMAIN AVAILABLE. WE RESERVE THE RIGHT TO DISCONTINUE OR ALTER ANY OR ALL OF THE WEBSITE OR SERVICE, AND TO STOP PUBLISHING OUR WEBSITE OR SERVICE AT ANY TIME AND IN OUR SOLE DISCRETION WITHOUT NOTICE OR EXPLANATION, AND YOU WILL NOT BE ENTITLED TO ANY COMPENSATION OR OTHER PAYMENT UPON THE DISCONTINUANCE OR ALTERATION OF OUR WEBSITE OR SERVICES. FOR THE AVOIDANACE OF ALL DOUBT, WE DO NOT WARRANT, NOR WILL BE RESPONSIBLE FOR, ANY PRODUCTS, SERVICES, FUNCTIONALITY, OR INTERFACES THAT ARE PROVIDED BY YOU OR ANY THIRD PARTY.

15. Liability Limit.
IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH OUR SITE, OUR SERVICES, INCLUDING WITHOUT LIMITATION USE OF ANY APIS, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE). THE USER SHALL HAVE NO LIABILITY WITH RESPECT TO THE SERVICE FOR CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE WITH RESPECT TO THE ACCURACY OR RELIABILITY OF INFORMATION PROVIDED BY THE AUDITOR, WHETHER INPUTTED INTO THE CAPITAL CONFIRMATION WEBSITE OR ANY ASSOCIATED PLATFORMS BY US CAPITAL CONFIRMATION OR BY THE AUDITOR. THE AUDITOR MAINTAINS THE SOLE RESPONSIBILITY AND LIABILITY FOR REVIEWING AND APPROVING THE INFORMATION POPULATED INTO THE CAPITAL CONFIRMATION WEBSITE AND ASSOCIATED PLATFORMS.

OUR LIABILITY, AND THE LIABILITY OF OUR SUBSIDIARIES, EMPLOYEES, AND SUPPLIERS, TO YOU OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE IS LIMITED TO THE GREATER OF (A) THE AMOUNT OF FEES YOU PAY TO US IN THE 12 MONTHS PRECEDING THE FIRST DATE ON WHICH SUCH LIABILITY AROSE, AND (B) $100. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OR NONPERFORMANCE OF ANY APIS PROVIDED BY CAPITAL CONFIRMATION SHALL BE FOR CAPITAL CONFIRMATION TO USE COMMERCIALLY REASONABLE EFFORTS TO ADJUST OR REPAIR THE NONPERFORMING APIS.

16. Fair Credit Reporting Disclosure.
The parties acknowledge that CCI is not a consumer reporting agency as such term is defined in the federal Fair Credit Reporting Act, 15 U.S.C. 1581 et seq. (“FCRA”) and therefore, is not subject to the requirements or provisions of the FCRA. Any reports accessed through the Services or Sites do not constitute consumer reports as such term is defined in the FCRA, and accordingly, such reports may not be used to determine eligibility for credit, employment, insurance underwriting, tenant screening or for any other purpose provided for in the FCRA. CCI makes no representations or warranties as to its compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. However, other Users, including banking institutions, financial organizations, credit reporting agencies, and other entities with which the User may interact through the Services or Sites may be subject to the Fair Credit Reporting Act. CCI makes no representations or warranties about such other User’s compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. CCI shall not be deemed a guarantor of the accuracy or completeness of information provided by other Users.

17. Indemnity.
You shall indemnify and hold Capital Confirmation and (as applicable) our parent, subsidiaries, affiliates, officers, directors, agents, and employees and the financial institutions harmless from any and all third-party claims, losses and damages, liability, and costs, including attorney’s fees, against, or incurred by, Capital Confirmation to the extent such claims, damages, liability and costs result directly or indirectly from: (a) your negligence or intentional conduct; (b) your breach of its obligations under this Agreement including, but not limited to, any breach which results in the unauthorized and/or non-permissible use of information obtained via Capital Confirmation’s Confirmation.com service or any other such service under this Agreement; (c) any claim that our website or Service or the use thereof infringes upon, misappropriates, or violates any intellectual property rights of any third party, provided that such claim results from or is related to (i) an unauthorized modification of our website or Service; (ii) the combination of the website or Service with software, hardware, or equipment not provided by us if our website or Service alone would not be the subject of such claim; or (iii) your unauthorized use of the website or Service; (d) any data breach suffered by you, your vendor or processor, or by a vendor or processor for Capital Confirmation; or (e) any claim, action, audit, investigation, regulatory action, inquiry, or other proceeding that arises out of or relates to your failure to comply with any applicable laws and regulations in connection with the transfer of personal data to or outside the EU/EEA including any applicable data protection legislation.

18. Confidentiality.
You may be given access to our confidential information or confidential information from other authorized Users in relation to your use of our website or Service. Information and knowledge related to the operation and processes of the website and Service are also considered confidential information. You shall hold confidential information in confidence and, unless required by law, not make confidential information available to any third party, or use confidential information for any purpose other than as provided for in using our website or Service. You shall take all reasonable steps to ensure that confidential information to which you have access is not disclosed or distributed by any person in violation of this Agreement. You acknowledge that details of the Service constitute our confidential information.

19. Legal Compliance.
You represents and warrants that it has read, understands and shall comply with all laws, regulations and judicial actions including, but not limited to, the Identity Theft and Assumption Deterrence Act, the Fraud and False Statements Act, the USA Freedom Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), including without limitation, all amendments thereto, and all other applicable federal or state legislation, regulations and judicial actions, as now or as may become effective.

You certify that you will use the service and the information received for no other purpose than is legally permissible. You understand that if the system is used improperly by your personnel, or if its access codes are made available to any unauthorized personnel due to carelessness on your part or any other, you may be held responsible for financial losses, fees or monetary charges that may be incurred and that its access privileges may be terminated. You will not obtain, retain, use, or provide access to the Service to an affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction, including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that neither you, nor any affiliate to which you provide access to the Service, is affiliated with a specially designated or sanctioned entity under any of those laws and that, in any transaction relating to Confirmation or the Service, such transactions will not involve sanctioned parties, including without limitation through the use of bank accounts at banks that are sanctioned parties. Further, the parties represent and warrant that they have read, understand and shall comply with all applicable laws, regulations and judicial actions including, but not limited to, anti-bribery laws, anti-corruption laws, anti-slavery laws, anti-human trafficking, tax laws, any applicable law aimed at preventing the facilitation of criminal behavior.

20. British Banker’s Association, BBA Enterprises Limited plus any other group company of the British Banker’s Association (Together the “BBA”)
Nothing in this agreement shall limit the BBA’s liability for death or personal injury caused by its negligence or that or its personnel; fraud or fraudulent misrepresentation; or for any other liability which cannot be excluded under English law, even if any other terms of this Agreement would suggest that this might otherwise be the case.

You expressly acknowledge and agree that the BBA: (a) is not a party to this Agreement and is not involved in the design, supply or support of Capital Confirmation Inc’s services including the service promoted to UK banks as “BBA Confirmations”; (b) makes no representation or warranty that the services will be adequate or appropriate for you and its requirements and any BBA trademarks or logos present in marketing materials or other documents do not represent an endorsement of the service; (c) shall not be responsible for providing any of the services; and (d) shall have no liability to you whatsoever whether direct or indirect and whether in contact, tort (including negligence), misrepresentation or for any other reason in respect of any of the services provided under this agreement.

21. No Agency.
You and Capital Confirmation are independent contractors, and no agency, partnership, joint venture, employee-employer or franchiser-franchisee relationship is intended or created by this Agreement.

22. Notices.
Except as explicitly stated otherwise, any notices shall be given by postal mail to Capital Confirmation Inc. Attn: Legal Department 214 Centerview Drive, Suite 100, Brentwood, TN 37027 (in the case of Capital Confirmation) or to the email address you provide to Capital Confirmation during the registration process (in your case). Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid. Alternatively, we may give you notice by certified mail, postage prepaid and return receipt requested, to the address provided to Capital Confirmation during the registration process. In such case, notice shall be deemed given 3 days after the date of mailing.

23. Arbitration.
Any legal controversy or legal claim arising out of or relating to this Agreement or our services, excluding legal action taken by Capital Confirmation to collect our fees and/or recover damages for, or obtain an injunction relating to, the Capital Confirmation site operations, intellectual property, and our services, shall be settled by binding arbitration in accordance with the commercial arbitration rules of the American Arbitration Association. Any such controversy or claim shall be arbitrated on an individual basis, and shall not be consolidated in any arbitration with any claim or controversy of any other party. The arbitration shall be conducted in Nashville, Tennessee, and judgment on the arbitration award may be entered into any court having jurisdiction thereof. Either you or Capital Confirmation may seek any interim or preliminary relief from a court of competent jurisdiction in Nashville, Tennessee necessary to protect the rights or property of you or Capital Confirmation pending the completion of arbitration. Should either party file an action contrary to this provision, the other party may recover attorney’s fees and costs up to $1000.00.

24. Governing Law.
This Agreement shall be governed in all respects by the laws of the State of Tennessee, without reference to conflict of laws principles. You further consent to exclusive jurisdiction by the United States District Court for the Middle District of Tennessee.

25. Assignment.
You agree that this Agreement and all incorporated agreements may be automatically assigned by Capital Confirmation, in our sole discretion, to a third party in the event of a merger or acquisition. You may not, without our prior written consent, assign, transfer, sub-contract or otherwise deal with any of your rights and/or obligations under this Agreement.

26. Additional Terms.
The following policies are incorporated into this Agreement by reference and provide additional terms and conditions related to specific services offered on our site:

Privacy Statement:
https://www.confirmation.com/legal-security-privacy/index.html

Each of these policies may be changed from time to time and are effective immediately after we post the changes on our site, except for the Privacy Statement for which we will provide you with thirty days prior notice. In addition, when using particular services on our site, you agree that you are subject to any posted policies or rules applicable to services you use through our site, which may be posted from time to time. All such posted policies or rules are hereby incorporated by reference into this Agreement.

You acknowledge and agree that: (a) members of Capital Confirmation’s Group may be retained as sub-processors; and (b) Capital Confirmation and members of Capital Confirmation’s Group respectively may engage third-party sub-processors in connection with the provision of the Services.

27. General.
We do not guarantee continuous, uninterrupted or secure access to our services, and operation of our site may be interfered with by numerous factors outside of our control. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. Headings are for reference purposes only and in no way define, limit, construe or describe the scope or extent of such section. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches. English is the official language used for content on the Confirmation.com website. Through the use of a third-party provider Confirmation.com provides its users with limited English proficiency to access information on the site. Translations made through this automated process should not be considered exact particularly in cases of technical and legal terminology. Additionally, some files including graphs, photos and portable document formats (pdfs) cannot be translated through this process. Capital Confirmation Inc. does not warrant the accuracy or reliability of any information translated by this system and shall not be liable for any losses caused by such reliance on the accuracy or reliability of such information. While every effort is made to ensure the accuracy of the translation, portions may be incorrect. Any person or entity who relies on information obtained from the system does so at his or her own risk. This Agreement sets forth the entire understanding and agreement between us with respect to the subject matter hereof. Sections 2 (Fees and Services) with respect to fees owed for our services, 3.3 (Release), 6.3 (License), 8 (Access and Interference), 15 (Liability Limit), 16 (Indemnity) and 20 (Arbitration) shall survive any termination or expiration of this Agreement.

28. Disclosures.
The services hereunder are offered by Capital Confirmation Inc., located at 214 Centerview Drive, Suite 100, Brentwood, Tennessee 37027. Fees for our services are described above in Section 2 (Fees and Services).

29. Disputes.
Disputes between you and Capital Confirmation regarding our services may be reported to Customer Support by mailing us at Capital Confirmation, Customer Support, 214 Centerview Drive, Suite 100, Brentwood, TN 37027. We encourage you to report all user-to-user disputes to your local law enforcement, postmaster general, or a certified mediation or arbitration entity.

30. Your Acceptance of this User Agreement.
You evidence your acceptance of this User Agreement by using the Confirmation.com service. Such acceptance shall have the same legal effect as your written signature set forth on a written document containing the terms and conditions of this User Agreement.

Schedule 1

EUROPEAN PERSONAL DATA TRANSFERS

We process Personally Identifiable Information outside of the European Economic Area (EEA) and Switzerland including in third countries which may not be recognized by the European Commission or the Swiss Federal Data Protection and Information Commission as providing an adequate level of privacy protection, such as in the United States.

Capital Confirmation will enter into the Standard Contractual Clauses approved by the European Commission to legitimize the transfers of Personally Identifiable Information outside of the EEA and/or Switzerland to an inadequate third country.

If we are required to enter into the Standard Contractual Clauses to legitimize the transfer of Personally Identifiable Information outside of the EEA and/or Switzerland, then the parties hereby agree to the Standard Contractual Clauses set forth in Attachment 1 (for those cases where we act as a processor with respect to personal data) below, and you evidence your acceptance of the Standard Contractual Clauses by clicking on “Accept User Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com service.

Notwithstanding the foregoing, if the Standard Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personally Identifiable Information outside of the EEA to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer agreements), then you shall procure the appropriate consent of any data subject whose Personally Identifiable Information is transferred to us to enable us to transfer that Personally Identifiable Information to the United States (or such other third country).

Attachment 1: Standard Contractual Clauses (Processor)

For the transfer of personal data outside of the EEA and/or Switzerland to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importer have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Notwithstanding the foregoing, if the following Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personal Data outside of the EEA and/or Switzerland to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer Clauses), you shall procure the appropriate consent of any data subject whose Personal Data is transferred to us to enable the Parties to transfer that Personal Data to the United States (or such other third country).

Clause 1
Definitions

For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the party who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

(a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
(b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
(c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
i. any accidental or unauthorised access; and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
iii. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The data importer has included the security requirements detailed in Appendix 2 at the request of the data exporter, and the data exporter agrees that such security requirements and the audit obligations and rights under the Master Agreement will be deemed to fully satisfy the audit rights granted to the data exporter under Clauses 5(f) and 12.2;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent (whether under or in connection with the Master Agreement or otherwise);
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly, on request, a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
a. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
2. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
3. to refer the dispute to the courts in the Member State in which the data exporter is established.
4. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:
Name (written out in full): [Insert name of the authorised signatory]
Position: [Insert position of the authorised signatory]
Address:
Other information necessary in order for the contract to be binding (if any): (stamp of organisation)
Signature

On behalf of the data importer:
Capital Confirmation, Inc.
Name (written out in full): Diana Flanders
Position: VP, Business Integrations
Address: Capital Confirmation, Inc. 214 Centerview Drive, Suite 100, Brentwood, TN 37027
Other information necessary in order for the contract to be binding (if any): N/A
Signature

Appendix 1
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter will export the personal data contained in the client’s documentation to the requestors via the Confirmation.com platform. Exported data will concern personal data of data exporter’s employees with access given to the online platform handled by the data importer. Also, data exporter’s customers data for the purposes of forwarding data exporter’s audits to requestors by the Importer.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Capital Confirmation Inc.

The data importer provides an online venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users. Processed data will concern data exporter’s employees for which accounts in the platform handled by the data importer will be created. Also, data exporter’s customers data for the purposes of forwarding data exporters confirmations to requestors by the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter’s employees and personal data of data exporter’s client’s representatives and other subjects mentioned in the documentation, which is sent to the requestor

Categories of data

The personal data transferred concern the following categories of data (please specify):
-names, surnames, names of authorized representatives of the data exporter’s clients
-including but not limited to: names, surnames, addresses, account numbers, financial information, PESEL number and other personal data of the subjects mentioned in the documentation sent to the requestor.

Special categories of data (if appropriate)

Not applicable

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The platform Confirmation.com is internet-based system, that allows the data exporter to send documentation to auditors for the needs of the audit. The documentation will be encrypted by the data importer while uploading it to the platform, so the data importer should not get access to the contents of the documentation and personal data contained in the documentation beyond the scope necessary to perform the encryption process.

DATA EXPORTER
Name:
Authorised Signature

DATA IMPORTER
Capital Confirmation, Inc.
Name: Diana Flanders
Authorised Signature

Appendix 2
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data Importer has implemented the technical and organisation security measures set out in the Agreements and incorporated herein by reference.

DATA EXPORTER
Name:
Authorised Signature
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

For Clients

User Agreement

THE FOLLOWING DESCRIBES THE TERMS ON WHICH CAPITAL CONFIRMATION INC. OFFERS YOU ACCESS TO OUR SERVICES.

Welcome to the User Agreement for Capital Confirmation Inc. This Agreement describes the terms and conditions applicable to your use of our services available under the domains and sub-domains of www.confirmation.com, and learn.confirmation.com (“Confirmation Website(s)”) owned and operated by Capital Confirmation, and the general principles for the websites of our subsidiaries. If you do not agree to be bound by the terms and conditions of this Agreement, do not use or access our services. You evidence your acceptance of the terms and conditions of this Agreement through your use of any of the Confirmation.com services (aka “Confirm™” service).

If you have any questions, please email us at customer.support@confirmation.com.

You must read, agree with and accept all of the terms and conditions contained in this User Agreement and the Privacy Statement, which include those terms and conditions expressly set out below and those incorporated by reference, or do not use our service. We strongly recommend that, as you read this User Agreement, you also access and read the information contained in the other pages and websites referred to in this document, as they may contain further terms and conditions that apply to you as a Capital Confirmation user. Please note: underlined words and phrases are links to these pages and websites. By accepting this User Agreement, you also agree that your use of other Capital Confirmation websites will be governed by the terms and conditions posted on those websites.

We may amend this Agreement at any time by posting the amended terms on our site. Except as stated below, all amended terms shall automatically be effective immediately upon posting on our site. You will not be notified in writing or by email of any changes in this Agreement. This Agreement may not be otherwise amended except in writing signed by you and Capital Confirmation Inc. This Agreement is effective starting March 1, 2003.

1. Membership Eligibility.

Our services are available only to individuals who can form legally binding contracts under applicable law. Without limiting the foregoing, our services are not available to minors or to temporarily or indefinitely suspended Capital Confirmation members. If you are a minor, you cannot use this service. If you do not qualify, please do not use our services. Further, your Capital Confirmation account (including feedback) and User Id may not be transferred or sold to another party. If you are registering as a business entity, you represent that you have the authority to bind the entity to this Agreement. If you are registered as an individual, you represent that you are the individual you purport to be.

2. Fees and Service.

Capital Confirmation provides a venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users (the “Service”). Joining and using our Service to respond to audit confirmations is free. We may in our sole discretion change some or all of our services at any time. In the event we introduce a new service, the fees for that service are effective at the launch of the service. The Service also includes the provision of ancillary services deemed reasonably necessary by Capital Confirmation to run a venue for digital transaction management, including but not limited to customer support, billing, and account management.

3. Capital Confirmation is a Venue.

3.1 Capital Confirmation is not a bank or law firm nor are we an authorized bank or law firm representative. Instead, our site acts as a venue to allow users to request and receive confirmations at anytime, from anywhere. We are not involved in the actual transaction between users of and providers of the confirmation information. As a result, we have no control over the quality, accuracy, timeliness or legality of the requests and the responses, or the truth or accuracy of the requests and responses. We also cannot ensure that a provider will actually complete a transaction.

3.2 Identity Verification. We use many techniques to identify our users when they register on our site. However, because user verification on the Internet is difficult, Capital Confirmation cannot and does not confirm each user’s purported identity. Thus, we have established a user-initiated communication system to help you evaluate with whom you are dealing. We encourage you to communicate directly with individual parties through the tools available on our site.

3.3 Release. Because we are a venue, in the event that you have a dispute with one or more users, you release Capital Confirmation (and our officers, directors, agents, subsidiaries, joint ventures and employees) from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed, arising out of or in any way connected with such disputes. If you are a California resident, you waive California Civil Code §1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which if known by him must have materially affected his settlement with the debtor.”

3.4 Information Control. We do not control the information provided by other users that is made available through our system. You may find other user’s information to be inaccurate. Please use caution, common sense, and safe practices when using our site.

3.5 Customer Support. Monday through Friday between the hours of 8:00 A.M. and 5:00 P.M Central Standard Time, customer support shall be available free of charge by telephone or by email at one or more phone numbers or email addresses to be specified on our website located at www.confirmation.com.

4. Authorizing and Requesting.

By authorizing and/or requesting a confirmation you agree to be bound by the conditions of this Agreement. Authorizations and requests are not retractable. If you choose to authorize and/or request a confirmation you are certifying that you have the legal right to authorize and/or request and/or respond to such confirmations.

5. Address Lookup.

Capital Confirmation pulls Address Lookup information from public and private data sources. The Public Records, private records and commercially available data sources used in this system have errors and are not complete. Data is sometimes entered poorly and processed incorrectly. This system should not be relied upon as definitively accurate. Before relying on any data this system supplies, it should be independently verified.

6. Fraud.

Without limiting any other remedies, Capital Confirmation may suspend or terminate your account if we suspect that you (by conviction, settlement, insurance investigation, or otherwise) have engaged in fraudulent activity in connection with our site.

7. Your Information.

 7.1 Definition. “Your Information” is defined as any information you provide to us or other users in the registration or confirmation process, in any message area or through any email feature. You are solely responsible for Your Information, and we act as a passive conduit for your online distribution and publication of Your Information.

7.2 Restricted Activities. Your Information (or any items listed) and your activities on the site shall not: (a) be false, inaccurate or misleading; (b) be fraudulent; (c) infringe any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy; (d) violate any law, statute, ordinance or regulation (including, but not limited to, those governing consumer protection or antidiscrimination); (e) be defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (f) be obscene or contain child pornography; (g) contain any viruses, Trojan horses, worms, time bombs, cancelbots, easter eggs or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; and (h) create liability for us or cause us to lose (in whole or in part) the services of our ISPs or other suppliers. Furthermore, you may not authorize or request any confirmation on the site (or consummate any transaction that was initiated using our service) that, by authorizing or requesting could cause us to violate any applicable law, statute, ordinance or regulation.

7.3 License. Solely to enable Capital Confirmation to use the information you supply us with, so that we are not violating any rights you might have in that information, you agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple tiers) right to exercise the copyright, publicity, and database rights (but no other rights) you have in Your Information, in any media now known or not currently known, with respect to Your Information. Capital Confirmation will only use Your Information in accordance with our Privacy Statement.

8. Ownership of Intellectual Property.

Capital Confirmation shall have and retain all rights, title and interest in all Intellectual Property relating to the Service or arising out of the relationship described in this Agreement. “Intellectual Property” means all ideas, discoveries, inventions, developments, designs, improvements, trademarks, service marks, trade secrets, proprietary information, programs, source code, object code, applications for patents, patents, copyrights (for the duration thereof, including renewals, extensions, and reversions thereof), copyrightable works, and the goodwill associated therewith, including enhancements, improvements, and derivative works, either presently existing or hereinafter arising. You hereby assign and transfer to Capital Confirmation any and all rights in any such Intellectual Property, either presently existing or hereinafter arising, and agree to take such actions (at Capital Confirmation’s expense) as Capital Confirmation may reasonably request to secure such rights for Capital Confirmation. While a registered user of our service, and for a period of two (2) years from the date of last login, you agree not to offer services or assist others in offering services that would compete in any way with the services offered by Capital Confirmation. Unsolicited ideas or product feedback will automatically become our property, without any compensation to you and we may use or distribute such submissions and their contents for any purpose and in any way without any obligations of confidentiality or otherwise.

9. Access and Interference.

You agree that you will not use any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission. You agree that you will not reverse engineer, disassemble, decompile, decode, adapt, develop, or modify the website or Service, or otherwise attempt to derive or gain access to the source code of the website or Service, in whole or in part. You agree that you will not use any device, software or routine to bypass our security features, or to interfere or attempt to interfere with the proper working of the Capital Confirmation site or any activities conducted on our site. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on our infrastructure. Much of the information on our site is updated on a real time basis and is proprietary or is licensed to Capital Confirmation by our users or third parties. You agree that you will not copy, reproduce, alter, modify, create derivative works, or publicly display any content (except for Your Information) from our website without the prior expressed written permission of Capital Confirmation or the appropriate third party. You must ensure that all information you supply to us through our website or Service, or in relation to our website or Service, is true, accurate, complete and not misleading.  You shall have sole responsibility for the legality, reliability, integrity, accuracy, and quality of this information. You shall not access all or any part of our website or Service to build a product or service which competes with the Service.  You shall not attempt to obtain, or assist third parties in obtaining, access to our website or Service, other than as provided under this Agreement.  You shall not make, nor permit any party to make, any use of our website or Service other than to avail of the Service.  You shall not make alterations to, or permit our website or Service or any part of it to be combined with, or become incorporated into, any other programs.  You shall not provide or otherwise make available our website or the Service in whole or in part (including object and source code), in any form, to any person without our prior written consent.  You shall not infringe on our licensors’ intellectual property rights or those of any third party in relation to your use of our website or Service. We may make available to you certain Application Programming Interfaces (an “API” or “APIs”) to achieve additional functionality for users, and provide capabilities or integrations that leverage one or more of our products or services available at www.confirmation.com or provided by our affiliates, which you may use where applicable, subject to our then current fees (if any) for such APIs.  Unless previously authorized by us, or our affiliates, you must not automatically connect (whether through APIs or otherwise) any Service to other data, software, services or networks.

10. Breach.
Without limiting other remedies, we may immediately remove you, warn our community of your actions, issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if: (a) you breach this Agreement or the documents it incorporates by reference; (b) we are unable to verify or authenticate any information you provide to us; or (c) we believe that your actions may cause financial loss or legal liability for you, our users or us.

11. Electronic Communications; Identifiers and Passwords; Binding Effect.

You will receive and transmit information to us over the Internet using SSL technology and 2048-bit encryption. You must use Internet browsers  that will support the use of 2048-bit encryption. In order to initiate a session where information is transmitted, you will select and use an identification code (such as a “log-in ID”) and a password. You shall protect and safeguard its identification code and password, and shall only permit authorized employees to use the identification code and password in connection with the service. We, and all other persons receiving information from you that has been transmitted using the identification code and password selected by you, shall be entitled to rely in all instances that the information so transmitted has been transmitted by you, that such information is true, accurate and complete in all respects, with the same effect and intent as if such information had been transmitted in written form bearing your written signature. If you believe that your identification code and password have been lost, stolen or compromised in any respect, please notify us immediately at 1-866-325-7201. Communications using the identification code and password received after we have had an opportunity to respond to your notice will not be valid or effective.

12. Privacy.
We do not sell or rent your personal information to third parties and only use your information as described in the Privacy Statement available at https://www.confirmation.com/legal-security-privacy/index.html. We take the protection of our users’ privacy seriously. We store and process your information on computers located in Ireland and the United States that are protected with security measures.

Customer Financial information residing within Confirmation.com’s processing controls will be maintained and stored according to our security and privacy policies. Confirmation.com takes no responsibility for Customer Financial information once this data is no longer within Confirmation.com’s control (e.g., data downloaded by a user or mailed confirmations).

If you object to your information being collected, used, transferred, or otherwise processed in this way, please do not use our services.

12.1    Data Protection Legislation.  When using our Services or otherwise providing Personally Identifiable Information to us, you agree to comply with all applicable laws governing or relating to the processing of that Personally Identifiable Information (“Data Protection Laws”). “Personally Identifiable Information” shall mean any information relating to an identified or identifiable natural person whose information you provide to us and that we process as part of the Service or in connection with this Agreement. You confirm that any Personally Identifiable Information that has been provided by you has been collected and disclosed in accordance with Data Protection Laws. When using the Service, you shall not input, upload, maintain or disclose any irrelevant or unnecessary information about individuals.

12.2 Personal Data transferred outside of your home country.

Without limiting the foregoing and for clarity, you agree that we may transfer your personal information outside of your home country to another country where the laws may not provide an equivalent level of protection and you confirm that we may so transfer any Personally Identifiable Information that has been provided by you.

Where the provision of Service by the us to you involves any transfer of Personally Identifiable Information that has been provided by you outside of the European Economic Area or Switzerland (by way of direct or indirect transfer), the parties agree that the transfers will be done in accordance with Schedule 1 attached hereto. If any other Data Protection Laws require you and us to implement appropriate safeguards to legitimize the transfer of Personally Identifiable Information to a third country, you will let us know and we will negotiate in good faith to implement the required safeguards.

13. No Warranty.

WE, OUR SUBSIDIARIES, EMPLOYEES AND OUR SUPPLIERS PROVIDE OUR WEB SITE AND SERVICES, INCLUDING BUT NOT LIMITED TO ANY APIS, ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES OF ANY KIND. WE, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIM ALL WARRANTIES, INCLUDING THE WARRANTY OF MERCHANTABILITY, NON-INFRINGEMENT OF THIRD-PARTIES’ RIGHTS, AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. WE MAKE NO WARRANTIES ABOUT THE ACCURACY, RELIABILITY, COMPLETENESS, OR TIMELINESS OF THE SERVICES OR ANY CONTENT THEREIN. WE MAKE NO WARRANTIES THAT THE WEBSITE OR SERVICE WILL REMAIN AVAILABLE.  WE RESERVE THE RIGHT TO DISCONTINUE OR ALTER ANY OR ALL OF THE WEBSITE OR SERVICE, AND TO STOP PUBLISHING OUR WEBSITE OR SERVICE AT ANY TIME AND IN OUR SOLE DISCRETION WITHOUT NOTICE OR EXPLANATION, AND YOU WILL NOT BE ENTITLED TO ANY COMPENSATION OR OTHER PAYMENT UPON THE DISCONTINUANCE OR ALTERATION OF OUR WEBSITE OR SERVICES. FOR THE AVOIDANACE OF ALL DOUBT, WE DO NOT WARRANT, NOR WILL BE RESPONSIBLE FOR, ANY PRODUCTS, SERVICES, FUNCTIONALITY, OR INTERFACES THAT ARE PROVIDED BY YOU OR ANY THIRD PARTY.

14. Liability Limit.

IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH OUR SITE, OUR SERVICES, INCLUDING WITHOUT LIMITATION USE OF ANY APIS, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE). THE USER SHALL HAVE NO LIABILITY WITH RESPECT TO THE SERVICE FOR CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE WITH RESPECT TO THE ACCURACY OR RELIABILITY OF INFORMATION PROVIDED BY THE AUDITOR, WHETHER INPUTTED INTO THE CAPITAL CONFIRMATION WEBSITE OR ANY ASSOCIATED PLATFORMS BY US CAPITAL CONFIRMATION OR BY THE AUDITOR.  THE AUDITOR MAINTAINS THE SOLE RESPONSIBILITY AND LIABILITY FOR REVIEWING AND APPROVING THE INFORMATION POPULATED INTO THE CAPITAL CONFIRMATION WEBSITE AND ASSOCIATED PLATFORMS.

OUR LIABILITY, AND THE LIABILITY OF OUR SUBSIDIARIES, EMPLOYEES, AND SUPPLIERS, TO YOU OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE IS LIMITED TO THE GREATER OF (A) THE AMOUNT OF FEES YOU PAY TO US IN THE 12 MONTHS PRECEDING THE FIRST DATE ON WHICH SUCH LIABILITY AROSE, AND (B) $100. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OR NONPERFORMANCE OF ANY APIS PROVIDED BY CAPITAL CONFIRMATION SHALL BE FOR CAPITAL CONFIRMATION TO USE COMMERCIALLY REASONABLE EFFORTS TO ADJUST OR REPAIR THE NONPERFORMING APIS.

15. Fair Credit Reporting Disclosure.

The parties acknowledge that CCI is not a consumer reporting agency as such term is defined in the federal Fair Credit Reporting Act, 15 U.S.C. 1581 et seq. (“FCRA”) and therefore, is not subject to the requirements or provisions of the FCRA.  Any reports accessed through the Services or Sites do not constitute consumer reports as such term is defined in the FCRA, and accordingly, such reports may not be used to determine eligibility for credit, employment, insurance underwriting, tenant screening or for any other purpose provided for in the FCRA.  CCI makes no representations or warranties as to its compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements.  However, other Users, including banking institutions, financial organizations, credit reporting agencies, and other entities with which the User may interact through the Services or Sites may be subject to the Fair Credit Reporting Act.  CCI makes no representations or warranties about such other User’s compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements.  CCI shall not be deemed a guarantor of the accuracy or completeness of information provided by other Users.

16. Indemnity.

You shall indemnify and hold Capital Confirmation and (as applicable) our parent, subsidiaries, affiliates, officers, directors, agents, and employees and the financial institutions harmless from any and all third-party claims, losses and damages, liability, and costs, including attorney’s fees, against, or incurred by, Capital Confirmation to the extent such claims, damages, liability and costs result directly or indirectly from: (a) Your negligence or intentional conduct; (b) Your breach of its obligations under this Agreement including, but not limited to, any breach which results in the unauthorized and/or non-permissible use of information obtained via Capital Confirmation’s Confirmation.com service or any other such service under this Agreement; (c) any claim that our website or Service or the use thereof infringes upon, misappropriates, or violates any intellectual property rights of any third party, provided that such claim results from or is related to (i) an unauthorized modification of our website or Service; (ii) the combination of the website or Service with software, hardware, or equipment not provided by us if our website or Service alone would not be the subject of such claim; or (iii) your unauthorized use of the website or Service; (d) any data breach suffered by You, Your vendor or processor, or by a vendor or processor for Capital Confirmation; or (e) any claim, action, audit, investigation, regulatory action, inquiry, or other proceeding that arises out of or relates to your failure to comply with any applicable laws and regulations in connection with the transfer of personal data to or outside the EU/EEA including any applicable data protection legislation.

17. Confidentiality.

You may be given access to our confidential information or confidential information from other authorized Users in relation to your use of our website or Service. Information and knowledge related to the operation and processes of the website and Service are also considered confidential information. You shall hold confidential information in confidence and, unless required by law, not make confidential information available to any third party, or use confidential information for any purpose other than as provided for in using our website or Service.  You shall take all reasonable steps to ensure that confidential information to which you have access is not disclosed or distributed by any person in violation of this Agreement.  You acknowledge that details of the Service constitute our confidential information.

18. Legal Compliance.

You represent and warrant that you have read, understand and shall comply with all laws, regulations and judicial actions including, but not limited to, the Identity Theft and Assumption Deterrence Act, the Fraud and False Statements Act, the USA Freedom Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), including without limitation, all amendments thereto, and all other applicable federal or state legislation, regulations and judicial actions, as now or as may become effective.

You certify that you will use the service and the information received for no other purpose than is legally permissible. You understand that if the system is used improperly by your personnel, or if your access codes are made available to any unauthorized personnel due to carelessness your part or any other, you may be held responsible for financial losses, fees or monetary charges that may be incurred and that your access privileges may be terminated. You will not obtain, retain, use, or provide access to the Service to an affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction, including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that neither you, nor any affiliate to which you provide access to the Service, is affiliated with a specially designated or sanctioned entity under any of those laws and that, in any transaction relating to Confirmation or the Service, such transactions will not involve sanctioned parties, including without limitation through the use of bank accounts at banks that are sanctioned parties. Further, the parties represent and warrant that they have read, understand and shall comply with all applicable laws, regulations and judicial actions including, but not limited to, anti-bribery laws, anti-corruption laws, anti-slavery laws, anti-human trafficking, tax laws, any applicable law aimed at preventing the facilitation of criminal behavior.

19. British Banker’s Association, BBA Enterprises Limited plus any other group company of the British Banker’s Association (Together the “BBA”).
Nothing in this agreement shall limit the BBA’s liability for death or personal injury caused by its negligence or that or its personnel; fraud or fraudulent misrepresentation; or for any other liability which cannot be excluded under English law, even if any other terms of this Agreement would suggest that this might otherwise be the case.

You expressly acknowledge and agree that the BBA: (a) is not a part to this   Agreement and is not involved in the design, supply or support of Capital Confirmation Inc.’s services including the service promoted to UK banks as “BBA Confirmations”; (b) makes no representation or warranty that the services will be adequate or appropriate for you and its requirements and any BBA trademarks or    logos present in marketing materials or other documents do not represent an endorsement of the service; (c) shall not be responsible for providing any of the services; and (d) shall have no liability to you whatsoever whether direct or indirect and whether in contact, tort (including negligence), misrepresentation or for any other reason in respect of any of the services provided under this agreement.

20. No Agency.

You and Capital Confirmation are independent contractors, and no agency, partnership, joint venture, employee-employer or franchiser-franchisee relationship is intended or created by this Agreement.

21. Notices.
Except as explicitly stated otherwise, any notices shall be given by postal mail to Capital Confirmation Inc. Attn: Legal Department Centerview Drive, Suite 100, Brentwood, TN 37027 (in the case of Capital Confirmation) or to the email address you provide to Capital Confirmation during the registration process (in your case). Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid. Alternatively, we may give you notice by certified mail, postage prepaid and return receipt requested, to the address provided to Capital Confirmation during the registration process. In such case, notice shall be deemed given 3 days after the date of mailing.

22. Arbitration.
Any legal controversy or legal claim arising out of or relating to this Agreement or our services, excluding legal action taken by Capital Confirmation to recover damages for, or obtain an injunction relating to, the Capital Confirmation site operations, intellectual property, and our services, shall be settled by binding arbitration in accordance with the commercial arbitration rules of the American Arbitration Association. Any such controversy or claim shall be arbitrated on an individual basis, and shall not be consolidated in any arbitration with any claim or controversy of any other party. The arbitration shall be conducted in Nashville, Tennessee, and judgment on the arbitration award may be entered into any court having jurisdiction thereof. Either you or Capital Confirmation may seek any interim or preliminary relief from a court of competent jurisdiction in Nashville, Tennessee necessary to protect the rights or property of you or Capital Confirmation pending the completion of arbitration. Should either party file an action contrary to this provision, the other party may recover attorney’s fees and costs up to $1000.00.

23. Additional Terms.
The following policies are incorporated into this Agreement by reference and provide additional terms and conditions related to specific services offered on our site:

Privacy Statement:

https://www.confirmation.com/legal-security-privacy/index.html

Each of these policies may be changed from time to time and are effective immediately after we post the changes on our site, except for the Privacy Statement for which we will provide you with thirty days prior notice. In addition, when using particular services on our site, you agree that you are subject to any posted policies or rules applicable to services you use through our site, which may be posted from time to time. All such posted policies or rules are hereby incorporated by reference into this Agreement.

You acknowledge and agree that: (a) members of Capital Confirmation’s Group may be retained as sub-processors; and (b) Capital Confirmation and members of Capital Confirmation’s Group respectively may engage third-party sub-processors in connection with the provision of the Services.

We do not guarantee and shall not be liable for the performance of any sub-processor or sub-contractor.

24. Governing Law.

This Agreement shall be governed in all respects by the laws of the State of Tennessee, without reference to conflict of laws principles.  You further consent to exclusive jurisdiction by the United States District Court for the Middle District of Tennessee.

25. Assignment.

You agree that this Agreement and all incorporated agreements may be automatically assigned by Capital Confirmation, in our sole discretion, to a third party in the event of a merger or acquisition.  You may not, without our prior written consent, assign, transfer, sub-contract or otherwise deal with any of your rights and/or obligations under this Agreement.

26. General.

We do not guarantee continuous, uninterrupted or secure access to our services, and operation of our site may be interfered with by numerous factors outside of our control. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. Headings are for reference purposes only and in no way define, limit, construe or describe the scope or extent of such section. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches. English is the official language used for content on the Confirmation.com website. Through the use of a third-party provider Confirmation.com provides its users with limited English proficiency to access information on the site. Translations made through this automated process should not be considered exact particularly in cases of technical and legal terminology. Additionally, some files including graphs, photos and portable document formats (pdfs) cannot be translated through this process. Capital Confirmation Inc. does not warrant the accuracy or reliability of any information translated by this system and shall not be liable for any losses caused by such reliance on the accuracy or reliability of such information. While every effort is made to ensure the accuracy of the translation, portions may be incorrect. Any person or entity who relies on information obtained from the system does so at his or her own risk. This Agreement sets forth the entire understanding and agreement between us with respect to the subject matter hereof. Sections 2 (Fees and Service) with respect to fees owed for our services, 3.3 (Release), 7.3 (License), 9 (Access and Interference), 14 (Liability Limit), 15 (Indemnity) and 19 (Arbitration) shall survive any termination or expiration of this Agreement.

27. Disclosures.

The services hereunder are offered by Capital Confirmation Inc., located at 214 Centerview Drive, Suite 100, Brentwood, Tennessee 37027. Fees for our services are described above in Section 2 (Fees and Service).

28. Disputes.

Disputes between you and Capital Confirmation regarding our services may be reported to Customer Support by mailing us at Capital Confirmation, Customer Support, Centerview Drive, Suite 100, Brentwood, TN 37027. We encourage you to report all user-to-user disputes to your local law enforcement, postmaster general, or a certified mediation or arbitration entity.

29. Your Acceptance of this User Agreement.

You evidence your acceptance of this User Agreement by using the Confirmation.com service. Such acceptance shall have the same legal effect as your written signature set forth on a written document containing the terms and conditions of this User Agreement.

30. Release.

You have the right to and do certify and agree to the following:

    • I have read and agree to the User’s Agreement and all information provided.
    • I have the right to and do hereby authorize my financial institution, trade creditor, bank, trading partner, debtor and other business partners to use Capital Confirmation’s Confirmation.com service to respond to and release the requested information to my Accountant.
    • I also recognize that these confirming entities may receive financial compensation from Capital Confirmation for providing the information.

On behalf of my company, who I have the right to and do represent:

To our financial institutions, trade creditors, banks, trading partners, debtors and other business partners:

We have provided to our accountants the information on the electronic confirmation as of the close of business on the date requested on the electronic confirmation regarding our deposit and loan balances. Please confirm the accuracy of the information, noting any exceptions to the information provided. If the balances have been left blank, please complete this form by furnishing the balance in the appropriate space on the electronic form. Although we do not request or expect you to conduct a comprehensive, detailed search of your records, if during the process of completing this confirmation additional information about other deposit and loan accounts we may have with you comes to your attention, please include such information on the electronic form. Please use Capital Confirmation’s Confirmation.com service to return the electronic confirmation directly to our accountants.

Schedule 1

European Data Transfers

We process Personally Identifiable Information outside of the European Economic Area (EEA) and Switzerland including in third countries which may not be recognized by the European Commission or the Swiss Federal Data Protection and Information Commission as providing an adequate level of privacy protection, such as in the United States.

Capital Confirmation will enter into the Standard Contractual Clauses approved by the European Commission to legitimize the transfers of Personally Identifiable Information outside of the EEA and/or Switzerland to an inadequate third country.

If we are required to enter into the Standard Contractual Clauses to legitimize the transfer of Personally Identifiable Information outside of the EEA and/or Switzerland, then the parties hereby agree to the Standard Contractual Clauses set forth in Attachment 1 (for those cases where we act as a processor with respect to personal data) below, and you evidence your acceptance of the Standard Contractual Clauses by clicking on “Accept User Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com service.

Notwithstanding the foregoing, if the Standard Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personally Identifiable Information outside of the EEA to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer agreements), then you shall procure the appropriate consent of any data subject whose Personally Identifiable Information is transferred to us to enable us to transfer that Personally Identifiable Information to the United States (or such other third country).

Attachment 1: Standard Contractual Clauses (Processor)

For the transfer of Personal Data outside of the EEA and/or Switzerland to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importer have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the Personal Data specified in Appendix 1.

Notwithstanding the foregoing, if the following Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personal Data outside of the EEA and/or Switzerland to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer Clauses), you shall procure the appropriate consent of any data subject whose Personal Data is transferred to us to enable the Parties to transfer that Personal Data to the United States (or such other third country).

Clause 1

Definitions

For the purposes of the Clauses:

(a)‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b)‘the data exporter’ means the party who transfers the personal data;

(c)‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f)‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause
(a)The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(b)The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(c)The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(d)The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:
(a)that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c)that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d)that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)that it will ensure compliance with the security measures;

(f)that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:
(a)to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)that it will promptly notify the data exporter about:

(e)any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
i. any accidental or unauthorised access; and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
iii. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The data importer has included the security requirements detailed in Appendix 2 at the request of the data exporter, and the data exporter agrees that such security requirements and the audit obligations and rights under the Master Agreement will be deemed to fully satisfy the audit rights granted to the data exporter under Clauses 5(f) and 12.2;

(g)to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent (whether under or in connection with the Master Agreement or otherwise);

(i)that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j)to send promptly, on request, a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

a. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

(a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(b)to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(c)to refer the dispute to the courts in the Member State in which the data exporter is established.
(d)The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:………………………………………………………………………………………………………………………

Other information necessary in order for the contract to be binding (if any): (stamp of organisation)

Signature ………………………………………………………………………………………………………………………

On behalf of the data importer:

Capital Confirmation, Inc.

Name (written out in full): Diana Flanders

Position: VP, Business Integrations

Address: Capital Confirmation Inc. Centerview Drive, Suite 100, Brentwood, TN 37027

Other information necessary in order for the contract to be binding (if any): N/A

Signature ………………………………………………………………………………………………………………………

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter will export the personal data contained in the client’s documentation to the requestors via the Confirmation.com platform. Exported data will concern personal data of data exporter’s employees with access given to the online platform handled by the data importer. Also, data exporter’s customers data for the purposes of forwarding data exporter’s audits to requestors by the Importer.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Capital Confirmation Inc.

The data importer provides an online venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users. Processed data will concern data exporter’s employees for which accounts in the platform handled by the data importer will be created. Also, data exporter’s customers data for the purposes of forwarding data exporters confirmations to requestors by the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter’s employees and personal data of data exporter’s client’s representatives and other subjects mentioned in the documentation, which is sent to the requestor

Categories of data

The personal data transferred concern the following categories of data (please specify):

-names, surnames, names of authorized representatives of the data exporter’s clients

-including but not limited to: names, surnames, addresses, account numbers, financial information, PESEL number and other personal data of the subjects mentioned in the documentation sent to the requestor.

Special categories of data (if appropriate)

Not applicable

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The platform Confirmation.com is internet-based system, that allows the data exporter to send documentation to auditors for the needs of the audit. The documentation will be encrypted by the data importer while uploading it to the platform, so the data importer should not get access to the contents of the documentation and personal data contained in the documentation beyond the scope necessary to perform the encryption process.

DATA EXPORTER

Name:………………………………………………………………………………………………………………………

Authorised Signature………………………………………………………………………………………………………………………

DATA IMPORTER

Capital Confirmation, Inc.

Name: Diana Flanders

Authorised Signature………………………………………………………………………………………………………………………

Appendix 2

to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data Importer has implemented the technical and organisation security measures set out in the Agreements and incorporated herein by reference.

DATA EXPORTER

Name:

Authorised Signature

Capital Confirmation Inc.

Name: Diana Flanders

Authorised Signature:

For Law Firms

Confirmation.comSM Service Agreement – Law Firm User*

This Confirmation.com Service Agreement – Law Firm User (this “Agreement”) is between Capital Confirmation, Inc., a Delaware corporation (the “Provider”), and the law firm accessing and using the Confirmation.com Service (as defined below) (the “Law Firm”), and sets forth the terms and conditions under which the Law Firm shall have the right to use the Provider’s Confirmation.com Service. This Agreement shall be effective as of the date of its electronic acceptance by the Law Firm (the “Effective Date”).

1. Confirmation.com Service. During the Term of this Agreement, the Law Firm shall have the right to access and use the Provider’s Confirmation.comSM Service (the “Confirmation.com Service”). For purposes of this Agreement, the Confirmation.com Service shall mean the Provider’s electronic communications platform operated for purposes of delivering communications between the Law Firm and other Confirmation.com Service users, including, but not limited to, accounting firms (“Auditors”) engaged from time to time by the Law Firm’s clients (“Clients”). The Confirmation.com Service shall facilitate the delivery of audit request letters from Clients to the Law Firm and the delivery of audit response letters from the Law Firm to Auditors, in each case in connection with audit services conducted for Clients and for which the relevant Client has duly authorized the use of the Confirmation.com Service. For the avoidance of doubt, (i) the Confirmation.com Service is a communication platform, and the Law Firm’s transmission of information via the Confirmation.com Service shall have the same effect and intent as if such information had been transmitted in written form; and (ii) the Confirmation.com Service shall include the provision of ancillary services deemed reasonably necessary by Provider to run an electronic communications platform as outlined herein, including but not limited to customer support, billing, and account management..

2. APIs. Provider may make available to the Law Firm certain Application Programming Interfaces (an “API” or “APIs”) to achieve additional functionality for users, and provide capabilities or integrations that leverage one or more of our products or services available at www.confirmation.com or provided by our affiliates, which the Law Firm may use where applicable, subject to Provider’s then current fees (if any) for such APIs. Unless previously authorized by Provider, or Provider’s affiliates, the Law Firm must not automatically connect (whether through APIs or otherwise) any Confirmation.com Service to other data, software, services or networks. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN, THE LAW FIRM’S SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OR NONPERFORMANCE OF ANY APIS PROVIDED, PURSUANT TO THIS AGREEMENT BY THE PROVIDER, SHALL BE FOR THE PROVIDER TO USE COMMERCIALLY REASONABLE EFFORTS TO ADJUST OR REPAIR THE NONPERFORMING APIS. FOR THE AVOIDANCE OF ALL DOUBT, THE PROVIDER DOES NOT WARRANT, NOR WILL THE PROVIDER BE RESPONSIBLE FOR, ANY PRODUCTS, SERVICES, FUNCTIONALITY, OR INTERFACES THAT ARE PROVIDED BY THE LAW FIRM OR ANY THIRD PARTY.

3. Term. This Agreement shall be effective from the Effective Date until it is terminated in accordance with the provisions of this Agreement (the “Term”).

4. Termination. Either party may terminate this Agreement at any time, to be effective immediately upon receipt by the other party of a written notice of termination. Without limiting any other remedies, the Provider may suspend or terminate the Law Firm’s account if the Provider reasonably suspects that the Law Firm (by conviction, settlement, insurance investigation or otherwise) has engaged in fraudulent activity in connection with the Provider’s site.

5. Electronic Communications; Identifiers and Passwords; Binding Effect. In order to initiate a session where information is transmitted, the Law Firm will select and use an identification code (such as a “log-in ID”) and a password. The Law Firm shall protect and safeguard its identification codes and passwords and shall permit only authorized officials, employees or agents of the Law Firm (“Authorized Persons”) to use the identification codes and passwords in connection with the Confirmation.com Service. The Provider and all other persons receiving information from the Law Firm (“Law Firm Information”) that has been transmitted using the Law Firm’s identification codes and passwords selected by the Law Firm shall be entitled to rely (absent a breach of the Provider’s physical and technological security safeguards) that the information so transmitted has been transmitted by Authorized Persons and has been duly authorized by a Client with the same effect and intent as if such information had been transmitted in written form bearing the written signature of an Authorized Person. The Provider shall promptly notify the Law Firm if the Provider has reason to believe that the Provider has suffered any breach of its systems, including without limitation its physical and technological security safeguards. If the Law Firm believes that the Law Firm’s identification codes and passwords have been lost, stolen or compromised in any respect, the Law Firm shall promptly notify the Provider’s Customer Support team at 1-866-325-72011.

6. Ownership of Intellectual Property. The Provider shall have and retain all rights, title and interest in all intellectual property relating to the Confirmation.com Service or arising out of the relationship described in this Agreement, in each case as developed by the Provider. The Provider shall have no right, title or interest in any information transmitted by or on behalf of Clients to the Law Firm or by the Law Firm to Clients or Auditors via the Confirmation.com Service. This Section 5 shall survive the termination of this Agreement. Unsolicited ideas or product feedback will automatically become our property, without any compensation to you and we may use or distribute such submissions and their contents for any purpose and in any way without any obligations of confidentiality or otherwise.

7. Notices. All notices under this Agreement must be in writing and sent by email and will be effective when received by such party at the respective following address or such other address as will have been provided in writing.

For the Provider, such notice shall be sent to:
Capital Confirmation, Inc.
Customer.Support@Confirmation.com

For the Law Firm, such notice shall be sent to the email address(es) provided by the Law Firm to the Provider.

7. Custom Development Requests. Custom development requests for the Provider’s applications must be requested in writing, reviewed by the Provider and mutually agreed to by both parties in writing. Custom development fees are charged at the Provider’s standard development rate and paid in accordance with the terms set forth within a Statement of Work (SOW) to be agreed upon by the parties in writing.

8. Confidentiality of Law Firm Information.
a. The Law Firm’s transmittal of Law Firm Information to Auditors through the Confirmation.com Service shall not be deemed to constitute a waiver of any attorney-client privilege, work product doctrine or any other applicable privilege that applies to such Law Firm Information.

b. The Provider represents and warrants to the Law Firm that the Confirmation.com Service is an electronic conduit to facilitate the delivery of requests for information and responses thereto in connection with audit services conducted for the Law Firm’s Clients by Auditors. In accordance with the Provider’s stated security and privacy policies, the Provider shall maintain physical and technological security safeguards to protect the confidentiality of all Law Firm Information transmitted via the Confirmation.com Service.

c. The Provider agrees that all Law Firm Information is to be treated confidentially and that, except as required by law, the Provider shall not provide any Law Firm Information to any person, other than Auditors within the scope of the relevant Client’s authorization, without the prior written consent of the Law Firm.

d. If the Provider is requested or required (by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoena, civil investigative demand or other similar process) to disclose any of the Law Firm Information, the Provider shall provide the Law Firm with prompt written notice of any such request or requirement so that the Law Firm may seek a protective order or other appropriate remedy and/or waive compliance with the provisions of this Agreement. If, in the absence of a protective order or other appropriate remedy or the receipt of a waiver from the Law Firm, the Provider is nonetheless legally compelled to disclose the Law Firm Information to any tribunal or other entity or else stand liable for contempt or suffer other censure or penalty, the Provider may, without liability hereunder, disclose to such tribunal or other entity only that portion of the Law Firm Information which the Provider is legally required to be disclosed, provided that the Provider exercises its best efforts to preserve the confidentiality of the Law Firm Information, including, without limitation, by cooperating with the Law Firm without expense to the Provider, to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded the Law Firm Information by such tribunal or other entity.

9. Privacy. Provider does not sell or rent your personal information to third parties and only use your information as described in the Privacy Statement available at https://www.confirmation.com/legal-security-privacy/index.html . Provider take the protection of our users’ privacy seriously. Provider stores and processes your information on computers located in Ireland and the United States that are protected with security measures.

If you object to your personal information being collected, used, transferred, or otherwise processed in this way, please do not use our services.

9.1 Data Protection Legislation. When using Provider’s Services or otherwise providing Personally Identifiable Information to Provider, the Law Firm agrees to comply with all applicable laws governing or relating to the processing of that Personally Identifiable Information (“Data Protection Laws”). “Personally Identifiable Information” shall mean any information relating to an identified or identifiable natural person whose information the Law Firm provides to Provider and that Provider process as part of the Service or in connection with this Agreement. The Law Firm confirms that any Personally Identifiable Information that has been provided by the Law Firm has been collected and disclosed in accordance with Data Protection Laws. When using the Service, The Law Firm shall not input, upload, maintain or disclose any irrelevant or unnecessary information about individuals.

9.2 Personal Data Transferred Outside of the Law Firm’s Home Country. Without limiting the foregoing and for clarity, the Firm agrees that Provider may transfer the Law Firm’s personal information outside of Law Firm’s home country to another country where the laws may not provide an equivalent level of protection and the Law Firm confirm that Provider may so transfer any Personally Identifiable Information that has been provided by the Law Firm.
Where the provision of Service by Provider to the Law Firm involves any transfer of Personally Identifiable Information that has been provided by the Law Firm outside of the European Economic Area or Switzerland (by way of direct or indirect transfer), the Law Firm and Provider agree that the transfers will be done in accordance with Exhibit A attached hereto. If any other Data Protection Laws require the Law Firm and Provider to implement appropriate safeguards to legitimize the transfer of Personally Identifiable Information to a third country, you will let the Provider know and the parties will negotiate in good faith to implement the required safeguards.

10. Compliance. The Law Firm will not obtain, retain, use, or provide access to the Confirmation.com Service to an affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction, including the United States of America, the United Kingdom and the European Union and its Member States. The Law Firm warrants that neither the Law Firm, nor any affiliate to which the Law Firm provides access to the Confirmation.com Service, is affiliated with a specially designated or sanctioned entity under any of those laws and that, in any transaction relating to Provider or the Confirmation.com Service, such transactions will not involve sanctioned parties, including without limitation through the use of bank accounts at banks that are sanctioned parties. Further, the parties represent and warrant that they have read, understand and shall comply with all applicable laws, regulations and judicial actions including, but not limited to, anti-bribery laws, anti-corruption laws, anti-slavery laws, anti-human trafficking, tax laws, any applicable law aimed at preventing the facilitation of criminal behavior.

11. Entire Agreement; Amendment. This Agreement represents the entire agreement between the Law Firm and the Provider with respect to the Confirmation.com Service, and it takes the place of all other agreements, writings and negotiations, including any other user agreement that is either posted on the Provider’s website or deemed to be accepted by the Law Firm upon the Law Firm’s usage of the Confirmation.com Service at any time prior or subsequent to the date of this Agreement.

12. Acceptance. You evidence your acceptance of this Agreement by using the Confirmation.com Service. Such acceptance shall have the same legal effect as your written signature set forth on a written document containing the terms and conditions of this Agreement.

EXHIBIT A

EUROPEAN PERSONAL DATA TRANSFERS

Provider processes Personally Identifiable Information outside of the European Economic Area (EEA) and Switzerland including in third countries which may not be recognized by the European Commission or the Swiss Federal Data Protection and Information Commission as providing an adequate level of privacy protection, such as in the United States.

Provider will enter into the Standard Contractual Clauses approved by the European Commission to legitimize the transfers of Personally Identifiable Information outside of the EEA and/or Switzerland to an inadequate third country.

If the Provider is required to enter into the Standard Contractual Clauses to legitimize the transfer of Personally Identifiable Information outside of the EEA and/or Switzerland, then the parties hereby agree to the Standard Contractual Clauses set forth in Attachment 1 (for those cases where Provider acts as a processor with respect to personal data) below, and the Firm evidences its acceptance of the Standard Contractual Clauses by clicking on “Accept User Agreement and Add Account” button on the Provider website or by using the Provider’s Service.

Notwithstanding the foregoing, if the Standard Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personally Identifiable Information outside of the EEA to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer agreements), then the Law Firm shall procure the appropriate consent of any data subject whose Personally Identifiable Information is transferred to the Provider to enable the Provider to transfer that Personally Identifiable Information to the United States (or such other third country).

Attachment 1: Standard Contractual Clauses (Processor)

For the transfer of personal data outside of the EEA and/or Switzerland to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importer have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Notwithstanding the foregoing, if the following Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personal Data outside of the EEA and/or Switzerland to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer Clauses), you shall procure the appropriate consent of any data subject whose Personal Data is transferred to us to enable the Parties to transfer that Personal Data to the United States (or such other third country).

Clause 1
Definitions

For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the party who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

(a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(e) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
i. any accidental or unauthorised access; and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
iii. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The data importer has included the security requirements detailed in Appendix 2 at the request of the data exporter, and the data exporter agrees that such security requirements and the audit obligations and rights under the Master Agreement will be deemed to fully satisfy the audit rights granted to the data exporter under Clauses 5(f) and 12.2;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent (whether under or in connection with the Master Agreement or otherwise);

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly, on request, a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
a. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

(a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(b) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(c) to refer the dispute to the courts in the Member State in which the data exporter is established.

(d) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any): (stamp of organisation)
Signature

On behalf of the data importer:
Capital Confirmation, Inc.
Name (written out in full): Diana Flanders
Position: VP, Business Integrations
Address: Capital Confirmation, Inc. 214 Centerview Drive, Suite 100, Brentwood, TN 37027
Other information necessary in order for the contract to be binding (if any): N/A
Signature

Appendix 1
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter will export the personal data contained in the client’s documentation to the requestors via the Confirmation.com platform. Exported data will concern personal data of data exporter’s employees with access given to the online platform handled by the data importer. Also, data exporter’s customers data for the purposes of forwarding data exporter’s audits to requestors by the Importer.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):
Capital Confirmation Inc.

The data importer provides an online venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users. Processed data will concern data exporter’s employees for which accounts in the platform handled by the data importer will be created. Also, data exporter’s customers data for the purposes of forwarding data exporters confirmations to requestors by the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter’s employees and personal data of data exporter’s client’s representatives and other subjects mentioned in the documentation, which is sent to the requestor

Categories of data

The personal data transferred concern the following categories of data (please specify):
-names, surnames, names of authorized representatives of the data exporter’s clients
-including but not limited to: names, surnames, addresses, account numbers, financial information, PESEL number and other personal data of the subjects mentioned in the documentation sent to the requestor.

Special categories of data (if appropriate)

Not applicable

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The platform Confirmation.com is internet-based system, that allows the data exporter to send documentation to auditors for the needs of the audit. The documentation will be encrypted by the data importer while uploading it to the platform, so the data importer should not get access to the contents of the documentation and personal data contained in the documentation beyond the scope necessary to perform the encryption process.

DATA EXPORTER
Name:
Authorised Signature

DATA IMPORTER
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

Appendix 2
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data Importer has implemented the technical and organisation security measures set out in the Agreements and incorporated herein by reference.

DATA EXPORTER
Name:
Authorised Signature
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

*This Agreement incorporates the input of members of the American Bar Association Business Law Section Audit Responses Committee, which takes no position regarding whether individual law firms should employ the services contemplated by this Agreement or should accept its terms and conditions.

For Asset Verification Users

User Agreement

THE FOLLOWING DESCRIBES THE TERMS ON WHICH CAPITAL CONFIRMATION INC. OFFERS YOU ACCESS TO OUR SERVICES.

Welcome to the User Agreement for Capital Confirmation Inc. This Agreement describes the terms and conditions applicable to your use of our services available under the domains and sub-domains of www.confirmation.com, and learn.confirmation.com (“Confirmation Website(s)”) owned and operated by Capital Confirmation, and the general principles for the websites of our subsidiaries. If you do not agree to be bound by the terms and conditions of this Agreement, do not use or access our services. You evidence your acceptance of the terms and conditions of this Agreement by checking the box for the “Yes, I have read and accept the User Agreement.” statement and clicking the “Create New Account” button on Capital Confirmation’s website and through your use of any of the Confirmation.com services (aka “Confirm” service).

If you have any questions, please email us at customer.support@confirmation.com.

You must read, agree with and accept all of the terms and conditions contained in this User Agreement and the Privacy Statement, which include those terms and conditions expressly set out below and those incorporated by reference, before you may become a member of Capital Confirmation. We strongly recommend that, as you read this User Agreement, you also access and read the information contained in the other pages and websites referred to in this document, as they may contain further terms and conditions that apply to you as a Capital Confirmation user. Please note: underlined words and phrases are links to these pages and websites. By accepting this User Agreement, you also agree that your use of other Capital Confirmation websites will be governed by the terms and conditions posted on those websites.

We may amend this Agreement at any time by posting the amended terms on our site. Except as stated below, all amended terms shall automatically be effective immediately upon posting on our site. You will not be notified in writing or by email of any changes in this Agreement. This Agreement may not be otherwise amended except in writing signed by you and Capital Confirmation Inc. This Agreement is effective starting March 1, 2003.

1. Membership Eligibility.
Our services are available only to individuals who can form legally binding contracts under applicable law. Without limiting the foregoing, our services are not available to minors or to temporarily or indefinitely suspended Capital Confirmation members. If you are a minor, you cannot use this service. If you do not qualify, please do not use our services. Further, your Capital Confirmation account (including feedback) and User Id may not be transferred or sold to another party. If you are registering as a business entity, you represent that you have the authority to bind the entity to this Agreement. If you are registered as an individual, you represent that you are the individual you purport to be.

2. Fees and Service.
Capital Confirmation provides a venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users (the “Service”). The Service also includes the provision of ancillary services deemed reasonably necessary by Capital Confirmation to run a venue for digital transaction management, including but not limited to customer support, billing, and account management.

Joining and using our service is free. There is a charge for requesting and receiving confirmations. Our Fees and Credit Policy is available here and is incorporated by reference. We may change our Fees and Credit Policy and the fees for our services from time to time. Our changes to the policy are effective after we provide you with at least fourteen (14) days’ notice of the changes by posting the changes in this Agreement. However, we may choose to temporarily change our Fee Policy and the fees for our services for promotional events and such changes are effective when we post the temporary promotional event on the www.confirmation.com website. When you purchase a confirmation you have an opportunity to review and accept the fees that you will be charged for the use of our services. We may in our sole discretion change some or all of our services at any time. In the event we introduce a new service, the fees for that service are effective at the launch of the service. Unless otherwise stated, all fees are quoted in U.S. Dollars. You are responsible for paying all fees associated with using our service and our website and all applicable taxes.

3. Capital Confirmation is a Venue.

3.1 Capital Confirmation is not a bank or law firm nor are we an authorized bank or law firm representative. Instead, our site acts as a venue to allow users to request, receive, and buy confirmations at any time, from anywhere. We are not involved in the actual transaction between users of and providers of the confirmation information. As a result, we have no control over the quality, accuracy, timeliness or legality of the requests and the responses, or the truth or accuracy of the requests and responses. We also cannot ensure that a provider will actually complete a transaction.
3.2 Identity Verification. We use many techniques to identify our users when they register on our site. However, because user verification on the Internet is difficult, Capital Confirmation cannot and does not confirm each user’s purported identity. Thus, we have established a user-initiated communication system to help you evaluate with whom you are dealing. We encourage you to communicate directly with individual parties through the tools available on our site.
3.3 Release. Because we are a venue, in the event that you have a dispute with one or more users, you release Capital Confirmation (and our officers, directors, agents, subsidiaries, joint ventures and employees) from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed, arising out of or in any way connected with such disputes. If you are a California resident, you waive California Civil Code §1542, which says: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favor at the time of executing the release, which if known by him must have materially affected his settlement with the debtor.”
3.4 Information Control. We do not control the information provided by other users that is made available through our system. You may find other user’s information to be inaccurate. Please use caution, common sense, and safe practices when using our site.
3.5 Customer Support. Monday through Friday between the hours of 8:00 A.M. and 5:00 P.M. Central Standard Time, customer support shall be available free of charge by telephone or by email at one or more phone numbers or email addresses to be specified on our website located at www.confirmation.com.

4. Authorizing, Requesting and Purchasing.
By authorizing, requesting and purchasing a confirmation you agree to be bound by the conditions of this Agreement. Requests are not retractable. If you choose to authorize, request or purchase a confirmation you are certifying that you have the legal right to authorize, request or purchase such confirmations.

5. Address Lookup.
Capital Confirmation pulls Address Lookup information from public and private data sources. The Public Records, private records and commercially available data sources used in this system have errors and are not complete. Data is sometimes entered poorly and processed incorrectly. This system should not be relied upon as definitively accurate. Before relying on any data this system supplies, it should be independently verified.

6. Out-of-Network Confirmations.
The Out-of-Network confirmation service requires the requestor to enter the contact information for the responder and the responder’s company. Because you as the requestor determine who and at which entity an out-of-network confirmation is directed, and therefore which entity and who at that entity is the responder, you agree to accept full and sole responsibility for the verification and validation of the identity of the individual responder and the company they claim to represent. You understand that Capital Confirmation has not and will not validate the identity of the responder or the company they claim to represent. You release and hold harmless Capital Confirmation from any and all claims related to the responder’s identity and/or the identity of the company the responder claims to represent if you request confirmations through www.confirmation.com using the Out-of-Network confirmation service.

7. Fraud.
Without limiting any other remedies, Capital Confirmation may suspend or terminate your account if we suspect that you (by conviction, settlement, insurance investigation, or otherwise) have engaged in fraudulent activity in connection with our site.

8. Your Information.

8.1 Definition. “Your Information” is defined as any information you provide to us or other users in the registration or confirmation process, in any message area or through any email feature. You are solely responsible for Your Information, and we act as a passive conduit for your online distribution and publication of Your Information.
8.2 Restricted Activities. Your Information (or any items listed) and your activities on the site shall not: (a) be false, inaccurate or misleading; (b) be fraudulent; (c) infringe any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy; (d) violate any law, statute, ordinance or regulation (including, but not limited to, those governing consumer protection or antidiscrimination); (e) be defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (f) be obscene or contain child pornography; (g) contain any viruses, Trojan horses, worms, time bombs, cancelbots, easter eggs or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information; and (h) create liability for us or cause us to lose (in whole or in part) the services of our ISPs or other suppliers. Furthermore, you may not authorize or request any confirmation on the site (or consummate any transaction that was initiated using our service) that, by authorizing or paying to us the usage fee or the final value fee, could cause us to violate any applicable law, statute, ordinance or regulation.
8.3 License. Solely to enable Capital Confirmation to use the information you supply us with, so that we are not violating any rights you might have in that information, you agree to grant us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple tiers) right to exercise the copyright, publicity, and database rights (but no other rights) you have in Your Information, in any media now known or not currently known, with respect to Your Information. Capital Confirmation will only use Your Information in accordance with our Privacy Statement.

9. Ownership of Intellectual Property.
Capital Confirmation shall have and retain all rights, title and interest in all Intellectual Property relating to the Service or arising out of the relationship described in this Agreement. “Intellectual Property” means all ideas, discoveries, inventions, developments, designs, improvements, trademarks, service marks, trade secrets, proprietary information, programs, source code, object code, applications for patents, patents, copyrights (for the duration thereof, including renewals, extensions, and reversions thereof), copyrightable works, and the goodwill associated therewith, including enhancements, improvements, and derivative works, either presently existing or hereinafter arising. You hereby assign and transfer to Capital Confirmation any and all rights in any such Intellectual Property, either presently existing or hereinafter arising, and agree to take such actions (at Capital Confirmation’s expense) as Capital Confirmation may reasonably request to secure such rights for Capital Confirmation. While a registered user of our service, and for a period of two (2) years from the date of last login, you agree not to offer services or assist others in offering services that would compete in any way with the services offered by Capital Confirmation. Unsolicited ideas or product feedback will automatically become our property, without any compensation to you and we may use or distribute such submissions and their contents for any purpose and in any way without any obligations of confidentiality or otherwise.

10. Access and Interference.
You agree that you will not use any robot, spider, other automatic device, or manual process to monitor or copy our web pages or the content contained herein without our prior expressed written permission. You agree that you will not reverse engineer, disassemble, decompile, decode, adapt, develop, or modify the website or Service, or otherwise attempt to derive or gain access to the source code of the website or Service, in whole or in part. You agree that you will not use any device, software or routine to bypass our security features, or to interfere or attempt to interfere with the proper working of the Capital Confirmation site or any activities conducted on our site. You agree that you will not take any action that imposes an unreasonable or disproportionately large load on our infrastructure. Much of the information on our site is updated on a real time basis and is proprietary or is licensed to Capital Confirmation by our users or third parties. You agree that you will not copy, reproduce, alter, modify, create derivative works, or publicly display any content (except for Your Information) from our website without the prior expressed written permission of Capital Confirmation or the appropriate third party. You must ensure that all information you supply to us through our website or Service, or in relation to our website or Service, is true, accurate, complete and not misleading. You shall have sole responsibility for the legality, reliability, integrity, accuracy, and quality of this information. You shall not access all or any part of our website or Service to build a product or service which competes with the Service. You shall not attempt to obtain, or assist third parties in obtaining, access to our website or Service, other than as provided under this Agreement. You shall not make, nor permit any party to make, any use of our website or Service other than to avail of the Service. You shall not make alterations to, or permit our website or Service or any part of it to be combined with, or become incorporated into, any other programs. You shall not provide or otherwise make available our website or the Service in whole or in part (including object and source code), in any form, to any person without our prior written consent. You shall not infringe on our licensors’ intellectual property rights or those of any third party in relation to your use of our website or Service. We may make available to you certain Application Programming Interfaces (an “API” or “APIs”) to achieve additional functionality for users, and provide capabilities or integrations that leverage one or more of our products or services available at www.confirmation.com or provided by our affiliates, which you may use where applicable, subject to our then current fees (if any) for such APIs. Unless previously authorized by us, or our affiliates, you must not automatically connect (whether through APIs or otherwise) any Service to other data, software, services or networks

11. Breach.
Without limiting other remedies, we may immediately remove you, warn our community of your actions, issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if: (a) you breach this Agreement or the documents it incorporates by reference; (b) we are unable to verify or authenticate any information you provide to us; or (c) we believe that your actions may cause financial loss or legal liability for you, our users or us.

12. Electronic Communications; Identifiers and Passwords; Binding Effect.
You will receive and transmit information to us over the Internet using SSL technology and 2048-bit encryption. You must use Internet browsers that will support the use of 2048-bit encryption. In order to initiate a session where information is transmitted, you will select and use an identification code (such as a “log-in ID”) and a password. You shall protect and safeguard its identification code and password, and shall only permit authorized employees to use the identification code and password in connection with the service. We, and all other persons receiving information from you that has been transmitted using the identification code and password selected by you, shall be entitled to rely in all instances that the information so transmitted has been transmitted by you, that such information is true, accurate and complete in all respects, with the same effect and intent as if such information had been transmitted in written form bearing your written signature. If you believe that your identification code and password have been lost, stolen or compromised in any respect, please notify us immediately at 1-866-325-72011. Communications using the identification code and password received after we have had an opportunity to respond to your notice will not be valid or effective.

13. Privacy.
We do not sell or rent your personal information to third parties and we only use your information as described in the Privacy Statement. We view protection of users’ privacy as a very important community principle. We take the protection of our users’ privacy seriously. We store and process your information on computers located in Ireland and the United States that are protected with security measures.

Customer Financial information residing within Confirmation.com’s processing controls will be maintained and stored according to our security and privacy policies. Confirmation.com takes no responsibility for Customer Financial information once this data is no longer within Confirmation.com’s control (e.g., data downloaded by a user or mailed confirmations).

If you object to your Information being collected, used, transferred, or otherwise processed in this way, please do not use our services.

13.1 Data Protection Legislation. When using our Services or otherwise providing Personally Identifiable Information to us, you agree to comply with all applicable laws governing or relating to the processing of that Personally Identifiable Information (“Data Protection Laws”). “Personally Identifiable Information” shall mean any information relating to an identified or identifiable natural person whose information you provide to us and that we process as part of the Service or in connection with this Agreement. You confirm that any Personally Identifiable Information that has been provided by you has been collected and disclosed in accordance with Data Protection Laws. When using the Service, you shall not input, upload, maintain or disclose any irrelevant or unnecessary information about individuals.
13.2 Personal Data transferred outside of your home country. Without limiting the foregoing and for clarity, you agree that we may transfer your personal information outside of your home country to another country where the laws may not provide an equivalent level of protection and you confirm that we may so transfer any Personally Identifiable Information that has been provided by you.
Where the provision of Service by us to the you involves any transfer of Personally Identifiable Information that has been provided by you outside of the European Economic Area or Switzerland (by way of direct or indirect transfer), the parties agree that the transfers will be done in accordance with Schedule 1 attached hereto. If any other Data Protection Laws require you and us to implement appropriate safeguards to legitimize the transfer of Personally Identifiable Information to a third country, you will let us know and we will negotiate in good faith to implement the required safeguards.

14. Client Authentication.
You certify that any and all subject(s) set up as your client(s) on the Confirmation.com service are authorized representatives of your client(s).

15. Authorization.
You certify that any confirmations requested are with the subject(s)’ prior written permission. You agree to keep the authorization on file for a minimum of 5 years. Typically this written permission is in the form of a client engagement letter. You warrant that the release of the subject(s)’ information will not result in a breach of any applicable data privacy legislation.

16. Audit Rights.
Capital Confirmation may, from time to time, conduct various audits of your practices and procedures to determine your compliance with this Agreement. You agree to reasonably cooperate in all those audits. Capital Confirmation may conduct on-site and/or off-site audits of your facilities as Capital Confirmation determines during normal business hours, and upon reasonable notice.

17. No Warranty.
WE, OUR SUBSIDIARIES, EMPLOYEES AND OUR SUPPLIERS PROVIDE OUR WEB SITE AND SERVICES, INCLUDING BUT NOT LIMITED TO ANY APIS, ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES OF ANY KIND. WE, TO THE FULLEST EXTENT PERMITTED BY LAW, DISCLAIMS ALL WARRANTIES, INCLUDING THE WARRANTY OF
MERCHANTABILITY, NON-INFRINGEMENT OF THIRD-PARTIES’ RIGHTS, AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. THE WE MAKE NO WARRANTIES ABOUT THE ACCURACY, RELIABILITY, COMPLETENESS, OR TIMELINESS OF THE SERVICES OR ANY CONTENT THEREIN. WE MAKE NO WARRANTIES THAT THE WEBSITE OR SERVICE WILL REMAIN AVAILABLE. WE RESERVE THE RIGHT TO DISCONTINUE OR ALTER ANY OR ALL OF THE WEBSITE OR SERVICE, AND TO STOP PUBLISHING OUR WEBSITE OR SERVICE AT ANY TIME AND IN OUR SOLE DISCRETION WITHOUT NOTICE OR EXPLANATION, AND YOU WILL NOT BE ENTITLED TO ANY COMPENSATION OR OTHER PAYMENT UPON THE DISCONTINUANCE OR ALTERATION OF OUR WEBSITE OR SERVICES. FOR THE AVOIDANACE OF ALL DOUBT, WE DO NOT WARRANT, NOR WILL BE RESPONSIBLE FOR, ANY PRODUCTS, SERVICES, FUNCTIONALITY, OR INTERFACES THAT ARE PROVIDED BY YOU OR ANY THIRD PARTY.

18. Liability Limit.
IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE FOR LOST PROFITS OR ANY SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH OUR SITE, OUR SERVICES, INCLUDING WITHOUT LIMITATION USE OF ANY APIS, OR THIS AGREEMENT (HOWEVER ARISING, INCLUDING NEGLIGENCE). THE USER SHALL HAVE NO LIABILITY WITH RESPECT TO THE SERVICE FOR CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL, OR PUNITIVE DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

IN NO EVENT SHALL WE, OUR SUBSIDIARIES, EMPLOYEES OR OUR SUPPLIERS BE LIABLE WITH RESPECT TO THE ACCURACY OR RELIABILITY OF INFORMATION PROVIDED BY THE AUDITOR, WHETHER INPUTTED INTO THE CAPITAL CONFIRMATION WEBSITE OR ANY ASSOCIATED PLATFORMS BY US CAPITAL CONFIRMATION OR BY THE AUDITOR. THE AUDITOR MAINTAINS THE SOLE RESPONSIBILITY AND LIABILITY FOR REVIEWING AND APPROVING THE INFORMATION POPULATED INTO THE CAPITAL CONFIRMATION WEBSITE AND ASSOCIATED PLATFORMS.

OUR LIABILITY, AND THE LIABILITY OF OUR SUBSIDIARIES, EMPLOYEES, AND SUPPLIERS, TO YOU OR ANY THIRD PARTIES IN ANY CIRCUMSTANCE IS LIMITED TO THE LESSOR OF (A) THE AMOUNT OF FEES YOU PAY TO US
IN THE 12 MONTHS PRECEDING THE FIRST DATE ON WHICH SUCH
LIABILITY AROSE, OR (B) $100. NOTWITHSTANDING ANYTHING TO THE CONTRARY HEREIN YOUR SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OR NONPERFORMANCE OF ANY APIS PROVIDED BY CAPITAL CONFIRMATION SHALL BE FOR CAPITAL CONFIRMATION TO USE COMMERCIALLY REASONABLE EFFORTS TO ADJUST OR REPAIR THE NONPERFORMING APIS.

19. Fair Credit Reporting Disclosure.
The parties acknowledge that CCI is not a consumer reporting agency as such term is defined in the federal Fair Credit Reporting Act, 15 U.S.C. 1581 et seq. (“FCRA”) and therefore, is not subject to the requirements or provisions of the FCRA. Any reports accessed through the Services or Sites do not constitute consumer reports as such term is defined in the FCRA, and accordingly, such reports may not be used to determine eligibility for credit, employment, insurance underwriting, tenant screening or for any other purpose provided for in the FCRA. CCI makes no representations or warranties as to its compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. However, other Users, including banking institutions, financial organizations, credit reporting agencies, and other entities with which the User may interact through the Services or Sites may be subject to the Fair Credit Reporting Act. CCI makes no representations or warranties about such other User’s compliance or certifications with respect to the Fair Credit Reporting Act or its regulatory requirements. CCI shall not be deemed a guarantor of the accuracy or completeness of information provided by other Users.

20. Indemnity.
You shall indemnify and hold Capital Confirmation and (as applicable) our parent, subsidiaries, affiliates, officers, directors, agents, and employees and the financial institutions harmless from any and all third-party claims, losses and damages, liability, and costs, including attorney’s fees, against, or incurred by, Capital Confirmation to the extent such claims, damages, liability and costs result directly or indirectly from: (a) your negligence or intentional conduct; and/or (b) your breach of your obligations under this Agreement including, but not limited to, any breach which results in the unauthorized and/or non-permissible use of information obtained via Capital Confirmation’s Confirmation.com service or any other such service under this Agreement; (c) any claim that our website or Service or the use thereof infringes upon, misappropriates, or violates any intellectual property rights of any third party, provided that such claim results from or is related to (i) an unauthorized modification of our website or Service; (ii) the combination of the website or Service with software, hardware, or equipment not provided by us if our website or Service alone would not be the subject of such claim; or (iii) your unauthorized use of the website or Service; (d) any data breach suffered by you, your vendor or processor, or by a vendor or processor for Capital Confirmation; or (e) any claim, action, audit, investigation, regulatory action, inquiry, or other proceeding that arises out of or relates to your failure to comply with any applicable laws and regulations in connection with the transfer of personal data to or outside the EU/EEA including any applicable data protection legislation.

21. Confidentiality.
You may be given access to our confidential information or confidential information from other authorized Users in relation to your use of our website or Service. Information and knowledge related to the operation and processes of the website and Service are also considered confidential information. You shall hold confidential information in confidence and, unless required by law, not make confidential information available to any third party, or use confidential information for any purpose other than as provided for in using our website or Service. You shall take all reasonable steps to ensure that confidential information to which you have access is not disclosed or distributed by any person in violation of this Agreement. You acknowledge that details of the Service constitute our confidential information.

22. Legal Compliance.
You represent and warrant that you have read, understand, and shall comply with all laws, regulations and judicial actions including, but not limited to, the Identity Theft and Assumption Deterrence Act, the Fraud and False Statements Act, the USA Freedom Act, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), including without limitation, all amendments thereto, and all other applicable federal or state legislation, regulations and judicial actions, as now or as may become effective.

You certify that you will use the service and the information received for no other purpose than is legally permissible. You understand that if the system is used improperly by company personnel, or if its access codes are made available to any unauthorized personnel due to carelessness on your part or any other, you may be held responsible for financial losses, fees or monetary charges that may be incurred and that its access privileges may be terminated. You will not obtain, retain, use, or provide access to the Service to an affiliate or any third party in a manner that may breach any applicable export control or economic sanctions laws and regulations for any jurisdiction, including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that neither you, nor any affiliate to which you provide access to the Service, is affiliated with a specially designated or sanctioned entity under any of those laws and that, in any transaction relating to Confirmation or the Service, such transactions will not involve sanctioned parties, including without limitation through the use of bank accounts at banks that are sanctioned parties. Further, the parties represent and warrant that they have read, understand and shall comply with all applicable laws, regulations and judicial actions including, but not limited to, anti-bribery laws, anti-corruption laws, anti-slavery laws, anti-human trafficking, tax laws, any applicable law aimed at preventing the facilitation of criminal behavior.

23. British Banker’s Association, BBA Enterprises Limited plus any other group company of the British Banker’s Association (Together the “BBA”)
Nothing in this agreement shall limit the BBA’s liability for death or personal injury caused by its negligence or that or its personnel; fraud or fraudulent misrepresentation; or for any other liability which cannot be excluded under English law, even if any other terms of this Agreement would suggest that this might otherwise be the case.
You expressly acknowledge and agree that the BBA: (a) is not a part to this Agreement and is not involved in the design, supply or support of Capital Confirmation Inc’s services including the service promoted to UK banks as “BBA Confirmations”; (b) makes no representation or warranty that the services will be adequate or appropriate for you and its requirements and any BBA trademarks or logos present in marketing materials or other documents o not represent and endorsement of the service; (c) shall not be responsible for providing any of the services; and (d) shall have no liability to you whatsoever whether direct or indirect and whether in contact, tort (including negligence), misrepresentation or for any other reason in respect of any of the services provided under this agreement.

24. No Agency.
You and Capital Confirmation are independent contractors, and no agency, partnership, joint venture, employee-employer or franchiser-franchisee relationship is intended or created by this Agreement.

25. Notices.
Except as explicitly stated otherwise, any notices shall be given by postal mail to
Capital Confirmation Inc. Attn: Legal Department 214 Centerview Drive, Suite 100, Brentwood, TN 37027 (in the case of Capital Confirmation) or to the email address you provide to Capital Confirmation during the registration process (in your case). Notice shall be deemed given 24 hours after email is sent, unless the sending party is notified that the email address is invalid. Alternatively, we may give you notice by certified mail, postage prepaid and return receipt requested, to the address provided to Capital Confirmation during the registration process. In such case, notice shall be deemed given 3 days after the date of mailing.

26. Arbitration.
Any legal controversy or legal claim arising out of or relating to this Agreement or our services, excluding legal action taken by Capital Confirmation to collect our fees and/or recover damages for, or obtain an injunction relating to, the Capital Confirmation site operations, intellectual property, and our services, shall be settled by binding arbitration in accordance with the commercial arbitration rules of the American Arbitration Association. Any such controversy or claim shall be arbitrated on an individual basis, and shall not be consolidated in any arbitration with any claim or controversy of any other party. The arbitration shall be conducted in Nashville, Tennessee, and judgment on the arbitration award may be entered into any court having jurisdiction thereof. Either you or Capital Confirmation may seek any interim or preliminary relief from a court of competent jurisdiction in Nashville, Tennessee necessary to protect the rights or property of you or Capital Confirmation pending the completion of arbitration. Should either party file an action contrary to this provision, the other party may recover attorney’s fees and costs up to $1000.00.

27. Additional Terms.
The following policies are incorporated into this Agreement by reference and provide additional terms and conditions related to specific services offered on our site:

Privacy Statement: https://www.confirmation.com/legal-security-privacy/index.html
Fee and Credit Policy: https://www.confirmation.com/resources/uncategorized/fees-and-credit-policy/

Each of these policies may be changed from time to time and are effective immediately after we post the changes on our site, except for the Privacy Statement for which we will provide you with thirty days prior notice. In addition, when using particular services on our site, you agree that you are subject to any posted policies or rules applicable to services you use through our site, which may be posted from time to time. All such posted policies or rules are hereby incorporated by reference into this Agreement.

You acknowledge and agree that: (a) members of Capital Confirmation’s Group may be retained as sub-processors; and (b) Capital Confirmation and members of Capital Confirmation’s Group respectively may engage third-party sub-processors in connection with the provision of the Services.

We do not guarantee and shall not be liable for the performance of any sub-processor or sub-contractor.

28. Governing Law.
This Agreement shall be governed in all respects by the laws of the State of Tennessee, without reference to conflict of laws principles. You further consent to exclusive jurisdiction by the United States District Court for the Middle District of Tennessee.

29. Assignment.
You agree that this Agreement and all incorporated agreements may be automatically assigned by Capital Confirmation, in our sole discretion, to a third party in the event of a merger or acquisition. You may not, without our prior written consent, assign, transfer, sub-contract or otherwise deal with any of your rights and/or obligations under this Agreement.

30. General.
We do not guarantee continuous, uninterrupted or secure access to our services, and operation of our site may be interfered with by numerous factors outside of our control. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. Headings are for reference purposes only and in no way define, limit, construe or describe the scope or extent of such section. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches. English is the official language used for content on the Confirmation.com website. Through the use of a third-party provider Confirmation.com provides its users with limited English proficiency to access information on the site. Translations made through this automated process should not be considered exact particularly in cases of technical and legal terminology. Additionally, some files including graphs, photos and portable document formats (pdfs) cannot be translated through this process. Capital Confirmation Inc. does not warrant the accuracy or reliability of any information translated by this system and shall not be liable for any losses caused by such reliance on the accuracy or reliability of such information. While every effort is made to ensure the accuracy of the translation, portions may be incorrect. Any person or entity who relies on information obtained from the system does so at his or her own risk. This Agreement sets forth the entire understanding and agreement between us with respect to the subject matter hereof. Sections 2 (Fees and Service) with respect to fees owed for our services, 3.3 (Release), 8.3 (License), 10 (Access and Interference), 18 (Liability Limit), 19 (Indemnity) and 26 (Arbitration) shall survive any termination or expiration of this Agreement.

31. Disclosures.
The services hereunder are offered by Capital Confirmation Inc., located at 214 Centerview Drive, Suite 100, Brentwood, Tennessee 37027. Fees for our services are described above in Section 2 (Fees and Service).

32. Disputes.
Disputes between you and Capital Confirmation regarding our services may be reported to Customer Support by mailing us at Capital Confirmation, Customer Support, 214 Centerview Drive, Suite 100, Brentwood, TN 37027. We encourage you to report all user-to-user disputes to your local law enforcement, postmaster general, or a certified mediation or arbitration entity.

33. Your Acceptance of this User Agreement.
You evidence your acceptance of this User Agreement by clicking on “Accept User
Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com service. Such acceptance shall have the same legal effect as your written signature set forth on a written document containing the terms and conditions of this User Agreement.

Schedule 1
EUROPEAN DATA TRANSFERS

We process Personally Identifiable Information outside of the European Economic Area (EEA) and Switzerland including in third countries which may not be recognized by the European Commission or the Swiss Federal Data Protection and Information Commission as providing an adequate level of privacy protection, such as in the United States.

Capital Confirmation will enter into the Standard Contractual Clauses approved by the European Commission to legitimize the transfers of Personally Identifiable Information outside of the EEA and/or Switzerland to an inadequate third country.

If we are required to enter into the Standard Contractual Clauses to legitimize the transfer of Personally Identifiable Information outside of the EEA and/or Switzerland, then the parties hereby agree to the Standard Contractual Clauses set forth in Attachment 1 (for those cases where we act as a processor with respect to personal data) below, and you evidence your acceptance of the Standard Contractual Clauses by clicking on “Accept User Agreement and Add Account” button on the Capital Confirmation website or by using the Confirmation.com Service.

Notwithstanding the foregoing, if the Standard Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personally Identifiable Information outside of the EEA to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer agreements), then you shall procure the appropriate consent of any data subject whose Personally Identifiable Information is transferred to us to enable us to transfer that Personally Identifiable Information to the United States (or such other third country).

Attachment 1: Standard Contractual Clauses (Processor)

For the transfer of personal data outside of the EEA and/or Switzerland to processors established in third countries which do not ensure an adequate level of data protection, the data exporter and the data importer have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Notwithstanding the foregoing, if the following Contractual Clauses are not a valid transfer mechanism to legitimize the transfers of Personal Data outside of the EEA and/or Switzerland to the United States (or another third country that does not provide an equivalent level of protection even with the use of such data transfer Clauses), you shall procure the appropriate consent of any data subject whose Personal Data is transferred to us to enable the Parties to transfer that Personal Data to the United States (or such other third country).

Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the party who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

(a) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
(b) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
(c) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(d) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
i. any accidental or unauthorised access; and
ii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
iii. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority. The data importer has included the security requirements detailed in Appendix 2 at the request of the data exporter, and the data exporter agrees that such security requirements and the audit obligations and rights under the Master Agreement will be deemed to fully satisfy the audit rights granted to the data exporter under Clauses 5(f) and 12.2;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent (whether under or in connection with the Master Agreement or otherwise);
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly, on request, a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
3. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
4. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction
(a) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(b) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(c) to refer the dispute to the courts in the Member State in which the data exporter is established.
(d) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12
Obligation after the termination of personal data-processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:
Name (written out in full):
Position:
Address:

Other information necessary in order for the contract to be binding (if any): (stamp of organisation)
Signature

On behalf of the data importer:
Capital Confirmation, Inc.
Name (written out in full): Diana Flanders
Position: VP, Business Integrations
Address: Capital Confirmation, Inc. 214 Centerview Drive, Suite 100, Brentwood, TN 37027

Other information necessary in order for the contract to be binding (if any): N/A
Signature

Appendix 1
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The data exporter will export the personal data contained in the client’s documentation to the responders via the Confirmation.com platform. Exported data will concern personal data of data exporter’s employees with access given to the online platform handled by the data importer. Also, data exporter’s client data for the purposes of forwarding data exporter’s audit requests to responders by the data importer.

Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Capital Confirmation Inc.

The data importer provides an online venue for digital transaction management, including but not limited to, audit confirmations, accounts receivable/accounts payable confirmations, credit inquiries, employee benefit plan audits and confirmations, and legal confirmations for accounting firms, law firms, banks, and other users. Processed data will concern data exporter’s employees for which accounts in the platform handled by the data importer will be created. Also, data exporter’s client data for the purposes of forwarding data exporter’s audit requests to responders by the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter’s employees and personal data of data exporter’s client’s representatives and other subjects mentioned in the documentation, which is sent to the responder

Categories of data

The personal data transferred concern the following categories of data (please specify):

The categories of data are: names, surnames, addresses, account numbers, financial information, PESEL number and other personal data of the subjects mentioned in the documentation sent to the responder. Employees, partners, principals, directors, former employees, former partners, former principals, former directors, new hires, individual contractors and temporary staff of the data exporter, as well as applicants, dependants, contractors / subcontractors, clients, suppliers/vendors of the data exporter

Special categories of data (if appropriate)
Not applicable

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The platform Confirmation.com is internet-based system, that allows the data exporter to send documentation to auditors for the needs of the audit. The documentation will be encrypted by the data importer while uploading it to the platform, so the data importer should not get access to the contents of the documentation and personal data contained in the documentation beyond the scope necessary to perform the encryption process.

DATA EXPORTER
Name:
Authorised Signature

DATA IMPORTER
Capital Confirmation, Inc.
Name: Diana Flanders
Authorised Signature

Appendix 2
to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data Importer has implemented the technical and organisation security measures set out in the Agreements and incorporated herein by reference.

DATA EXPORTER
Name:
Authorised Signature
Capital Confirmation Inc.
Name: Diana Flanders
Authorised Signature

Setting the Standard for Security

To illustrate Confirmation’s commitment to effective operational controls and privacy and security best practices, we undergo all three Service Organization Control (SOC) examinations annually, have received an ISO 27001 certification for the service, TRUSTe Privacy Policy certified, and EU Privacy Shield certified. Collectively, these provide assurance about the controls we implement to protect privacy and confidentiality of our users’ data and the security, availability, and processing integrity of our system.

TRUSTe            

                    

 

SOC 1, SOC 2, and SOC 3 Examinations

SOC reports examine controls over the services provided by service organizations. There are three types of SOC reports, and to address our customers varying needs, we complete all three SOC examinations.

  • Type 2 SOC 1—prepared in accordance with SSAE 18 reports on the design and operating effectiveness of controls relevant to user entities’ internal control over financial reporting.
  • Type 2 SOC 2—reports on the design and operating effectiveness of controls that affect the security, availability and processing integrity of the system used to process users’ data and the confidentiality and privacy of the information processed by the system.
  • SOC 3—reports on whether a system complies with specified Trust Services Criteria.

View our SOC 3 Report.

          

ISO 27001 Certification

ISO 27001 Certification on the Confirmation.com services—Represents globally recognized standard for the establishment and certification of an information security management system (ISMS). The standard specifies the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented ISMS within the context of an organization’s overall business risks.

Confirmation.com’s ISMS covers its online audit confirmation service and infrastructure including data and data environments, servers, source code, and internal networks related to its Brentwood, Tennessee and Delray Beach, Florida offices.

View our ISO27001 Certificate

TRUSTe Certification

Confirmation.com adheres to the Internet’s most trusted third-party Privacy Certification Standards issued by TRUSTe. The TRUSTe Web Privacy seal marks companies that adhere to TRUSTe’s strict privacy principles, and who strive to treat customer information with the utmost respect.

View our TRUSTe Privacy Seal

TRUSTe

Privacy Shield Frameworks

Capital Confirmation has certified under the guidelines set forth in the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks and has undergone successful review by the U.S. Department of Commerce.

The Privacy Shield Frameworks provide a set of robust and enforceable protections for the personal data of EU and Swiss individuals transferred to third parties. The Frameworks provide strong U.S. government oversight, increased cooperation with EU and Swiss data protection authorities (DPAs), and transparency regarding how participating companies use personal data. The Privacy Shield Frameworks also offer EU and Swiss individuals multiple avenues to address any concerns regarding participants’ compliance with the Frameworks including free dispute resolution.

View our Privacy Shield

General Data Protection Regulation (GDPR)

The GDPR aims primarily to give control back to EU residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation across the member states. Confirmation.com is committed to protecting its information and that of its customers. To achieve this goal, the company has implemented many controls to ensure compliance with GDPR. Please read below for more information.

What is GDPR?

On May 25, 2018, the European Union (EU) began enforcing a new data protection regulation, the General Data Protection Regulation, or GDPR. The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

Who does the GDPR impact?

The GDPR applies to organizations located within the EU, and to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU natural persons or ‘data subjects.’ It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.

What steps is Confirmation.com taking to comply with GDPR?

Confirmation.com welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU, and as an opportunity for our organization to strengthen our commitment to data protection.

The following steps have been taken to ensure compliance with the GDPR:

  • Implemented a Security Management System
  • Appointed a Data Protection Officer
  • Appointed a EU-Based Data Protection Representative
  • Updated Data Privacy Policies
  • All Data Classified as “Most Sensitive” is Encrypted At-Rest
  • Annual Data Protection Impact Assessments Performed
  • Implemented Data Protection by Design Into All Business Projects
  • Created a GDPR Compliant Data Breach Incident Response Plan
  • Personal Data Processing Inventory (Article 30 Report) Created and Maintained.
  • Implemented Personal Data Loss Prevention Controls
  • Enhanced Data Privacy and Security Awareness Training implemented
  • Enhanced Encryption For Personal Data in Transit via TLS 1.2
  • Created GDPR Compliant Procedures for EU Data Subject Inquiries
  • Streamlined Explicit Consent and Withdrawal Procedures Implemented
  • Fair Personal Data Processing Notices Created and Sent to Data Subjects
  • Implemented GDPR Compliant Third Party Risk Management System
  • Registered with the ICO (UK Information Commissioner’s Office) To Provide EU Data Subject Inquiry Recourse
  • Certified EU-US Privacy Shield
  • Certified Swiss-US Privacy Shield

For more information about Confirmation.com and GDPR, email DataInquiries@confirmation.com. Further information on GDPR specifically can be found at eugdpr.org.

HIPAA/HITECH

The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), includes laws and regulations governing health insurance coverage protection and health information security for Americans and their families. The intent of HIPAA is to assure the portability of health insurance, decrease health care fraud and abuse, improve efficiency and effectiveness of healthcare, enforce standards, and guarantee security and privacy of patient identifiable information.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

HIPAA and HITECH compliance certification is the formal way to assure individuals that a provider is committed to protect their medical information.

We are committed to respect the privacy of all health care information and to follow industry standard guidelines for securing patient information.

PCI-DSS Level 2 Compliance

Maintaining payment security is required for all entities that store, process or transmit cardholder data. Guidance for maintaining payment security is provided in PCI security standards. These standards detail the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.

AICPA - AU-C Section 500: Audit Evidence

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the AICPA.

External Confirmations

Guidance

.A18  An external confirmation represents audit evidence obtained by the auditor as a direct written response to the auditor from a third party (the confirming party) in paper form or by electronic or other medium.

How Confirmation Complies

Confirmation uses a unique authentication and authorization process to verify the authenticity of each user. By sending a request to a validated responder, you eliminate the burden of having to verify the identity of the respondent and whether or not they are authorized to respond.

Reliability

Guidance

.A32  While recognizing that exceptions may exist, the following generalizations about the reliability of audit evidence may be useful:

  • Audit evidence obtained directly by the auditor is more reliable than audit evidence obtained indirectly or by inference.
  • Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable than evidence obtained orally.

How Confirmation Complies

Confirmation uses a unique authentication and authorization process to verify the authenticity of each user. By sending a request to a validated responder, you eliminate the burden of having to verify the identity of the respondent and whether or not they are authorized to respond.Undergoes SOC 1, SOC 2 and SOC 3 examinations annually, and has received an ISO 27001 certification of its Confirmation.com service.

AICPA - AU-C Section 505: External Confirmations

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the AICPA.

Selecting the Appropriate Confirming Party 

Guidance

.A3  Responses to confirmation requests provide more relevant and reliable audit evidence when confirmation requests are sent to a confirming party who the auditor believes is knowledgeable about the information to be confirmed.

How Confirmation Complies

Confirmation uses a unique authentication and authorization process to verify the authenticity of each user. By sending a request to a validated responder, you eliminate the burden of having to verify the identity of the respondent and whether or not they are authorized to respond.

Reliability of Responses to Confirmation Requests 

Guidance

.A15  An electronic confirmation system or process that creates a secure confirmation environment may mitigate the risks of interception or alteration. Creating a secure confirmation environment depends on the process or mechanism used by the auditor and the respondent to minimize the possibility that the results will be compromised because of interception or alteration of the confirmation.    

How Confirmation Complies

Uses the highest level of security to ensure privacy and data integrity.  Undergoes SOC 1, SOC 2 and SOC 3 examinations annually, and has received an ISO 27001 certification of its Confirmation service.    

AICPA - Practice Alert 03-1: Audit Confirmations

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the AICPA.

Guidance

.19  If the auditor is satisfied that the electronic confirmation process is secure and properly controlled, and the confirmation is directly from a third party who is a bona fide authorized respondent, electronic confirmations may be considered as sufficient, valid confirmation responses.

How Confirmation Complies

Undergoes SOC 1, SOC 2 and SOC 3 examinations annually, and has received an ISO 27001 certification of its Confirmation service. Uses the highest level of security to ensure privacy and data integrity. Confirmation uses a unique authentication and authorization process to verify the authenticity of each user. By sending a request to a validated responder, you eliminate the burden of having to verify the identity of the respondent and whether or not they are authorized to respond.

PCAOB - AU Section 330: The Confirmation Process

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the PCAOB.

Respondent

Guidance

.27  The auditor should consider whether there is sufficient basis for concluding that the confirmation request is being sent to a respondent from whom the auditor can expect the response will provide meaningful and appropriate audit evidence. 

How Confirmation Complies

Confirmation.com uses a unique authentication and authorization process to verify the authenticity of each user. By sending a request to a validated responder, you eliminate the burden of having to verify the identity of the respondent and whether or not they are authorized to respond.

Performing Confirmation Procedures 

Guidance

.29  During the performance of confirmation procedures, the auditor should maintain control over the confirmation requests and responses.  Maintaining control means establishing direct communication between the intended recipient and the auditor to minimize the possibility that the results will be biased because the interception and alteration of the confirmation requests or responses.

How Confirmation Complies

Uses the highest level of security to ensure privacy and data integrity.  Allows an auditor to send audit confirmation requests directly to the intended responder. Undergoes SOC 1, SOC 2 and SOC 3 examinations annually, and has received an ISO 27001 certification of its Confirmation.com service.

PCAOB - AU Section 326: Audit Evidence

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the PCAOB.

Sufficient Appropriate Audit Evidence

Guidance

.08  Audit evidence is more reliable when it is obtained from knowledgeable independent sources outside the entity.

How Confirmation Complies

Undergoes SOC 1, SOC 2 and SOC 3 examinations annually, and has received an ISO 27001 certification of its Confirmation.com service.

ISA - ISA 505: External Confirmations

Confirmation helps auditors comply with auditing standards and requirements. Please read below to learn how Confirmation complies with the ISA.

Para 6(a) Definition: External Confirmation 

Guidance

Audit evidence obtained as a direct written response to the auditor from a third party (the confirming party), in paper form, or by electronic or other medium. 

How Confirmation Complies

Confirmation.com enables auditors to receive audit confirmations electronically. Responses are prepared by authorized bank officials based on the auditor’s request. Use of Confirmation.com meets the requirements of an ‘External Confirmation’.

Para 7 Maintaining control 

Guidance

When using external confirmation procedures, the auditor shall maintain control over external confirmation requests. 

How Confirmation Complies

Auditors keep complete control over the process, including client and accounts setup, requesting client authorization and the sending and receipt of confirmations.

A2 Selecting the appropriate confirming party 

Guidance

Responses to confirmation requests provide more relevant and reliable audit evidence when confirmation requests are sent to a confirming party the auditor believes is knowledgeable about the information to be confirmed. For example, a financial institution official who is knowledgeable about the transactions or arrangements for which confirmation is requested may be the most appropriate person at the financial institution from whom to request confirmation. 

How Confirmation Complies

Participating banks have strict user access controls and monitoring procedures in place to ensure that only authorized bank officials respond to audit requests through Confirmation.com.

A6 Validating addresses 

Guidance

Determining that requests are properly addressed includes testing the validity of some or all of the addresses on confirmation requests before they are sent out.

How Confirmation Complies

We validate all entities participating in the Confirmation.com network. The controls surrounding this process are included in our SOC 1 report that is issued annually as part of our controls audit. By relying on our validation procedures, you avoid the need to perform your own validation procedures.

A12 Electronic responses 

Guidance

Responses received electronically, for example by facsimile or electronic mail, involve risks as to reliability because proof of origin and authority of the respondent may be difficult to establish, and alterations may be difficult to detect. A process used by the auditor and the respondent that creates a secure environment for responses received electronically may mitigate these risks. If the auditor is satisfied that such a process is secure and properly controlled, the reliability of the related responses is enhanced. An electronic confirmation process might incorporate various techniques for validating the identity of a sender of information in electronic form, for example, through the use of encryption, electronic digital signatures, and procedures to verify web site authenticity.

How Confirmation Complies

Confirmation.com’s operates industry-leading information security and data privacy practices. We have procedures and controls in place to ensure the integrity, confidentiality and accessibility of data. We undergo third-party audits to demonstrate the effectiveness of our controls: 

  • SOC 1, SOC 2 and SOC 3 examinations annually.
  • Received an ISO27001 certification of the Confirmation.com service.
  • TRUSTe data privacy and EU-US Privacy Shield and Swiss-US Privacy Shield frameworks certification.

A13 Involvement of third parties 

Guidance

If a confirming party uses a third party to coordinate and provide responses to confirmation requests, the auditor may perform procedures to address the risks that: (a) The response may not be from the proper source; (b) A respondent may not be authorized to respond; and (c) The integrity of the transmission may have been compromised.

How Confirmation Complies

Confirmation.com’s control environment ensures that user access if controlled and monitored at the banks, and that transmission of data is secure and maintains integrity. Our controls reports outlined above demonstrate the effectiveness of these procedures.

Para 12 Non-responses 

Guidance

In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence.

How Confirmation Complies

Confirmation.com guarantees responses for In-Network confirmations, avoiding the need for alternative procedures.