These API Terms of Use (these "API Terms") govern access to and use of the application programming interfaces, software development kits, webhooks, and related developer tools (collectively, the "Jaris API") made available by Jaris, Inc. ("Jaris," "we," "our," or "us").

These API Terms are binding on any party whose Platform Agreement, ISO click-through terms, or other written agreement with Jaris incorporates these API Terms by reference ("Partner," "you," or "your"). By entering into any such agreement, you agree to be bound by these API Terms as in effect at the time of acceptance and as updated in accordance with Section 16.1.

1. Relationship to Other Agreements

These API Terms are a standalone agreement between you and Jaris. Where you and Jaris are also parties to a Platform Services Agreement, Master Services Agreement, or other written agreement governing your participation in Jaris-supported programs (a "Platform Agreement"), these API Terms supplement that Platform Agreement with respect to your use of the Jaris API. If there is a conflict between these API Terms and a Platform Agreement, the Platform Agreement controls as to the subject matter of the Platform Agreement, and these API Terms control as to API-specific operational requirements set forth in Sections 3 through 8 (including credential management, rate limits, versioning, webhook delivery, and acceptable use).

Nothing in these API Terms limits or modifies any compliance, security, audit, indemnification, or regulatory obligations set forth in any applicable Platform Agreement.

If you do not have a Platform Agreement in effect with Jaris, these API Terms are the sole agreement governing your access to and use of the Jaris API, and all references to a "Platform Agreement" in these API Terms shall be read as references to these API Terms.

Definitions used in these API Terms have the meanings given in these API Terms. Where a Platform Agreement is in effect, capitalized terms not defined here have the meanings given in the Platform Agreement.

2. API Documentation

Partner's use of the Jaris API is subject to the Jaris API documentation available at docs.jaris.com (the "Documentation"), as updated from time to time. The Documentation includes technical specifications, integration guides, endpoint references, rate limit parameters, webhook retry policies, and sandbox environment details. In the event of a conflict between these API Terms and the Documentation, these API Terms control. Jaris will provide no less than thirty (30) days' prior written notice before making changes to the Documentation that materially reduce Partner's rights or increase Partner's obligations.

3. API Access and Credentials

3.1 Provisioning.

Jaris will provision API credentials (including API keys, tokens, client IDs, and client secrets) (collectively, "Credentials") to Partner following execution of a Platform Agreement or acceptance of click-through terms that incorporate these API Terms by reference, and completion of any required onboarding or technical review.

3.2 Credential Security.

Partner is responsible for maintaining the confidentiality and security of all Credentials. Partner shall:

• (a) store Credentials using industry-standard encryption and secret management practices and never embed Credentials in client-side code, public repositories, or unencrypted configuration files;
• (b) restrict access to Credentials to authorized personnel and systems on a need-to-know basis;
• (c) rotate Credentials periodically in accordance with industry-standard security practices and promptly upon any suspected or confirmed compromise, and notify Jaris within twenty-four (24) hours of any known or suspected compromise; and
• (d) maintain logs of API access and Credential usage sufficient to support security investigations, incident response, and compliance reviews.

All activity occurring under Partner's Credentials is attributable to Partner. Jaris may revoke and reissue Credentials at any time for security reasons upon reasonable notice, or immediately upon reasonable belief that Credentials have been compromised.

Partner shall not share Credentials with any other legal entity, affiliate, or third party without Jaris's prior written approval. Credentials are issued to the specific legal entity accepting these API Terms and may not be transferred.

4. Acceptable Use

4.1 Permitted Use.

Partner may use the Jaris API solely to integrate with Jaris-supported programs as described in any applicable Platform Agreement or as otherwise authorized by Jaris in writing, and in accordance with the Documentation.

4.2 Restrictions.

Partner shall not:

• (a) use the Jaris API for any purpose other than (i) integration with Jaris platform services and products, and (ii) Partner's own internal business operations directly related to Partner's use of the Jaris platform, in each case as described in any applicable Platform Agreement or as otherwise authorized by Jaris in writing;
• (b) use the Jaris API to extract, export, or transfer data for the purpose of replicating Jaris platform functionality or migrating merchants to a competing platform or service provider, except as required by applicable law;
• (c) sublicense, sell, resell, transfer, or make the Jaris API available to any third party except as expressly permitted by Jaris in writing;
• (d) reverse engineer, decompile, disassemble, or otherwise attempt to derive source code from the Jaris API;
• (e) circumvent, disable, or interfere with any security, rate-limiting, or access-control features of the Jaris API;
• (f) use the Jaris API, or data obtained through the Jaris API, to build or operate a product or service that is substantially similar to the Jaris Services;
• (g) introduce any virus, malware, or harmful code through the Jaris API;
• (h) access the Jaris API using automated means (including bots, scrapers, or crawlers) except through properly authenticated API calls for their intended purpose; or
• (i) use the Jaris API in any manner that violates applicable law, regulation, or the terms of any Bank Partner agreement.

4.3 Monitoring.

Jaris may monitor API usage, request patterns, and system activity to detect abuse, enforce rate limits, ensure security, and maintain platform stability. Monitoring may include automated systems designed to detect abuse, fraud, security threats, or violations of these API Terms. Jaris may block, throttle, or restrict API requests that it reasonably believes may threaten the security, integrity, or availability of the Jaris platform. Partner acknowledges and consents to such monitoring and enforcement as a condition of API access.

5. Rate Limits and Availability

5.1 Rate Limits.

Jaris imposes rate limits on API calls to ensure platform stability and equitable access. The standard rate limit is 100 requests per second per Partner. Requests exceeding applicable limits will receive HTTP 429 responses. Partner shall implement appropriate error handling and retry logic to manage rate-limited responses. Current rate limit details, including any endpoint-specific limits, are published in the Documentation.

Jaris will provide no less than thirty (30) days' prior written notice before reducing rate limits applicable to Partner. Elevated rate limits may be made available by mutual written agreement.

Partner shall not use the Jaris API in a manner that places unreasonable load on the Jaris infrastructure or interferes with the operation of the Services for other users.

5.2 Availability.

Jaris will use commercially reasonable efforts to maintain the availability of the Jaris API. Jaris does not guarantee uninterrupted or error-free access. Scheduled maintenance windows will be communicated via the Documentation, a developer status page, or direct notice to Partner, with at least seventy-two (72) hours' prior notice for scheduled maintenance and twenty-four (24) hours' notice for emergency maintenance necessary to protect the security or integrity of the Services. Availability commitments, if any, are set forth in the applicable Platform Agreement or Order Form and not in these API Terms.

5.3 Support.

Jaris will provide technical support for the Jaris API as described in the Documentation or as otherwise agreed in a Platform Agreement. Support inquiries should be directed to the designated developer support channel identified in the Documentation.

6. Versioning, Deprecation, and Changes

6.1 Versioning.

Jaris may release updated versions of the Jaris API from time to time. Each version will be identified in the Documentation. Jaris will maintain backward compatibility within a major version to the extent commercially reasonable.

6.2 Breaking Changes.

A "Breaking Change" means any change that removes or alters existing API endpoints, required parameters, response structures, or authentication mechanisms in a manner that would cause a conforming integration to fail. Jaris will provide no less than ninety (90) days' prior written notice before introducing any Breaking Change (which may be provided via the Documentation, a developer changelog, or direct notice to Partner).

6.3 Deprecated Version Support.

Jaris will continue to support each deprecated API version for a minimum of ninety (90) days following the date of deprecation notice. During the deprecation period, the deprecated version will remain functional, but Jaris may cease providing support or bug fixes for deprecated features. Partner is responsible for migrating to the current supported version within the deprecation period.

6.4 Non-Breaking Changes.

Jaris may, without prior notice, add new API endpoints, add optional request parameters or payloads, add fields to response payloads, add new webhook event types, or publish new API versions. Partner's integration must be designed to tolerate additive, non-breaking changes.

7. Webhook Delivery

Jaris delivers webhook events on an at-least-once basis. Jaris will use commercially reasonable efforts to deliver webhook notifications in a timely manner and will retry failed deliveries in accordance with the retry policy published in the Documentation. Partner is responsible for idempotent processing of webhook events and must maintain a functioning webhook endpoint capable of returning an HTTP 2xx acknowledgment within the timeframe specified in the Documentation. Specific retry parameters (including retry count, retry intervals, and acknowledgment timeout) are published in the Documentation and may be updated from time to time.

Jaris is not responsible for duplicate, delayed, or out-of-order webhook deliveries resulting from retry behavior, network conditions, or Partner endpoint failures. Partner's integration should be designed to handle such conditions gracefully.

8. Sandbox Environment

Jaris may make a sandbox or test environment available to Partner. Sandbox environments carry no availability commitments, may have reduced rate limits, and create no financial obligations. Data in sandbox environments is logically isolated from production and may be reset without notice.

9. Security and Compliance

9.1 Security Requirements.

Partner shall implement and maintain security controls consistent with industry standards and any additional security requirements published in the Documentation, including transport-layer encryption (TLS 1.2 or higher) for all API communications and secure handling of any personally identifiable information or financial data transmitted through the Jaris API. Where a Platform Agreement is in effect, the security requirements set forth therein (including any Risk and Compliance Standards exhibit) apply to Partner's use of the Jaris API.

9.2 Data Handling.

All data transmitted through or received from the Jaris API is subject to applicable law and, where a Platform Agreement or Data Processing Addendum is in effect, to the data handling, processing, and privacy obligations set forth therein. Partner shall not store, retain, or process data received through the Jaris API except as necessary to perform its authorized integration functions and in compliance with applicable law.

9.3 Data Ownership.

As between Partner and Jaris, Partner acquires no ownership interest in Merchant data, Bank Partner data, or Jaris data transmitted through the Jaris API. Partner's right to access and process such data is limited to the purposes authorized by these API Terms and any applicable Platform Agreement. Nothing in this Section limits Jaris's rights to use data for program management, analytics, reporting, or other purposes permitted under any applicable Platform Agreement or by law.

9.4 Bank Partner Data.

Partner acknowledges that certain data transmitted through the Jaris API relates to products and services provided by federally or state-chartered financial institutions ("Bank Partners"). Such data remains subject to Bank Partner requirements, including applicable provisions of the Gramm-Leach-Bliley Act and related regulations. Partner shall not use Bank Partner data for any purpose other than as expressly permitted by Jaris or the applicable Platform Agreement.

9.5 Incident Response.

In the event of any security incident involving the Jaris API, Partner's Credentials, or data accessed through the Jaris API, Partner shall notify Jaris without undue delay and in any event within twenty-four (24) hours of discovery. Where a Platform Agreement is in effect, the incident notification requirements set forth therein also apply.

9.6 Data Storage Requirements.

Partner shall encrypt all Merchant data, Bank Partner data, and personally identifiable information received through the Jaris API at rest using industry-standard encryption (AES-256 or equivalent). Bank account numbers, routing numbers, and payment credentials must be tokenized where technically feasible and stored only in systems that meet or exceed PCI DSS requirements applicable to the data type. Partner shall not store such data in plaintext, unencrypted logs, or unprotected environments.

10. Emergency Changes

Notwithstanding the notice periods set forth in Sections 5, 6, and 7, Jaris may implement immediate changes to any API endpoint, rate limit, webhook configuration, or other operational parameter without prior notice where reasonably necessary to: (a) address a security vulnerability, (b) comply with applicable law, payment network rules, or Bank Partner requirements or directives, or (c) prevent imminent harm to the Services, Partner, merchants, or any Bank Partner. Jaris will provide notice as promptly as practicable following any such change and will use commercially reasonable efforts to minimize disruption to Partner's integration.

11. Intellectual Property

Jaris retains all right, title, and interest in and to the Jaris API, the Documentation, and all related intellectual property. These API Terms grant Partner a limited, non-exclusive, non-transferable, revocable license to access and use the Jaris API solely in accordance with these API Terms and any applicable Platform Agreement. No other rights are granted, whether by implication, estoppel, or otherwise.

Partner retains all right, title, and interest in and to any application or integration developed by Partner that uses the Jaris API, excluding the Jaris API itself and any Jaris proprietary components.

12. Indemnification

Partner shall indemnify, defend, and hold harmless Jaris, its affiliates, and its Bank Partners from and against any claims, damages, losses, liabilities, and expenses (including reasonable attorneys' fees) arising from or relating to:

• (a) Partner's applications or integrations using the Jaris API, to the extent the claim arises from Partner's code, configuration, or implementation (and not from the Jaris API itself);
• (b) Partner's use of the Jaris API in violation of these API Terms or applicable law; or
• (c) Partner's unauthorized use, disclosure, or mishandling of data obtained through the Jaris API.

Jaris will provide Partner with prompt written notice of any claim subject to indemnification, cooperate reasonably in the defense of such claim, and permit Partner to control the defense and settlement, provided that Partner may not settle any claim that imposes liability or obligations on Jaris or admits fault on behalf of Jaris without Jaris's prior written consent. Where a Platform Agreement is in effect, the indemnification provisions of the Platform Agreement apply to the extent they cover the same subject matter, and this Section 12 applies only to claims not otherwise covered by such provisions.

13. Disclaimers

THE JARIS API IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, JARIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. JARIS DOES NOT WARRANT THAT THE JARIS API WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS.

14. Limitation of Liability

Where a Platform Agreement is in effect, the limitation of liability provisions set forth therein govern claims arising under these API Terms. Where no Platform Agreement is in effect, Jaris's aggregate liability arising out of or relating to these API Terms shall not exceed the greater of (a) fifty thousand dollars ($50,000) or (b) the total fees paid by Partner to Jaris for API access during the twelve (12) months preceding the event giving rise to the claim. In no event shall Jaris be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or relating to Partner's use of the Jaris API, regardless of the theory of liability.

15. Suspension and Termination

15.1 Suspension.

Jaris may suspend Partner's access to the Jaris API immediately upon notice if Jaris reasonably determines that Partner's use of the Jaris API: (a) poses a security risk; (b) may adversely affect Jaris, its Bank Partners, or other users of the Jaris platform; (c) may subject Jaris or any Bank Partner to regulatory liability; (d) violates these API Terms or any applicable Platform Agreement; or (e) fails to comply with Bank Partner requirements or directives relating to the Jaris Services or the Jaris API. Jaris will provide notice of the suspension and the basis therefor as promptly as practicable.

15.2 Termination.

Either party may terminate these API Terms upon thirty (30) days' written notice for any reason. Jaris may terminate these API Terms immediately upon written notice if Partner materially breaches these API Terms and fails to cure such breach within fifteen (15) days after receipt of written notice specifying the breach. These API Terms also terminate automatically upon termination or expiration of any Platform Agreement under which API access was granted, unless Jaris agrees in writing to continue API access under these API Terms on a standalone basis.

15.3 Effect of Termination or Suspension.

Upon suspension or termination of API access, Jaris may immediately revoke all Credentials and disable API endpoints associated with Partner's integration. Upon termination, Partner shall immediately cease all use of the Jaris API, destroy or return all Credentials and Documentation, and certify such destruction or return in writing upon request. Sections 9.2 (Data Handling), 9.3 (Data Ownership), 11 (Intellectual Property), 12 (Indemnification), 13 (Disclaimers), 14 (Limitation of Liability), and 16 (General Provisions) survive termination.

16. General Provisions

16.1 Modifications.

Jaris may update these API Terms from time to time by posting an updated version to its website or developer portal and providing at least thirty (30) days' prior notice. Continued use of the Jaris API after the effective date of any update constitutes acceptance of the updated API Terms. If Partner does not agree to the updated terms, Partner's sole remedy is to discontinue use of the Jaris API.

16.2 Governing Law.

These API Terms are governed by the laws of the State of Delaware, without regard to its conflicts-of-law principles. Where a Platform Agreement is in effect, the dispute resolution provisions of the Platform Agreement apply to disputes arising under these API Terms.

16.3 Entire Agreement.

These API Terms, together with any applicable Platform Agreement, constitute the entire agreement between the parties with respect to the Jaris API and supersede all prior or contemporaneous oral or written agreements regarding the Jaris API.

16.4 Severability.

If any provision of these API Terms is held to be unenforceable, the remaining provisions shall continue in full force and effect.

16.5 No Waiver.

The failure of Jaris to enforce any right or provision of these API Terms shall not constitute a waiver of such right or provision.

16.6 Notices.

All notices under these API Terms must be in writing and delivered to the contact information provided during onboarding or as otherwise designated in writing. Notices from Jaris may also be provided via the developer portal, Documentation, or email to the technical contact on file.

16.7 Export Controls and Sanctions.

Partner shall comply with all applicable export control and sanctions laws in connection with its use of the Jaris API, including restrictions administered by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and the U.S. Department of Commerce's Bureau of Industry and Security.