Technology Program Services Terms and Conditions
These TECHNOLOGY PROGRAM TERMS AND CONDITIONS (the “Terms and Conditions”), including all exhibits and attachments affixed hereto (the “Agreement”), are entered into and made effective as of the Effective Date set forth in the Order Form by and between Hypercard Network, Inc. (“Hypercard”) and you (“Client”). Each of Hypercard and Client shall be referred to herein as a “Party” and together the “Parties.” Capitalized terms used but not defined herein shall have the meaning ascribed to such terms in the Order Form.
You accept and agree to these Terms of Service by:
- Accessing or using the Platform Services;
- Clicking to accept these Terms and Conditions, or
- Accepting these Terms and Conditions in any other way.
If you do not agree to these Terms and Conditions, you may not access the service.
RECITALS
WHEREAS, Hypercard provides clients with access to a proprietary, AI-powered technology platform that includes expense management, stipends, per diems, travel-related features, and related back-office automation features (the “Platform”);
NOW, THEREFORE, in consideration of the mutual covenants and agreements contained herein, the parties agree as follows:
Definitions:
- Services.
- Performance of Services. During the Term (as defined below), Hypercard will provide to Client (i) the services related to the Platform as set forth in Schedule A (the “Platform Services”), and (ii) any other services as mutually agreed in writing by the Parties from time to time.
- Subcontractors. Hypercard may subcontract the performance of certain of its obligations under this Agreement to qualified third parties (“Subcontractors”), provided that (a) the subcontractor performs those services in a manner consistent with the terms and conditions of this Agreement and (b) Hypercard remains liable for the performance of the subcontractor.
- Non-Exclusive Service Relationship. Client acknowledges and agrees that Hypercard is acting as a non-exclusive service provider to Client, and subject to the confidentiality provisions set forth in this Agreement, nothing in this Agreement restricts Hypercard from providing services that are similar to the services to another entity, including a competitor of Client.
- Hypercard Fees; Client Advisory Services
- Hypercard Fees. Client shall pay all fees associated with the Hypercard Solution as set forth in the Order Form. Hypercard shall issue invoices as described in the Order Form, and Client shall remit payment in accordance with the terms specified therein.
- Trademark License. Client grants Hypercard a limited, revocable, non-exclusive, non-transferable license to use its name, trademarks, logos, and service marks (“Marks”) (i) for marketing activities under this Agreement and (ii) to use, reproduce and display Client’s Marks in connection with the Platform. Client may request removal or replacement of its Marks upon reasonable prior written notice.
- Dashboard Access.
- Subject to Client’s compliance with the Agreement, during the Term, Hypercard hereby permits Client to access and use the Universal Dashboard & Stipend Manager (“Dashboard”) for Client’s internal business purposes. Each user authorized by Client to access and use the Dashboard solely on behalf of and for the benefit of Client (each, “Authorized User”) shall be required as a condition of their use to agree to Hypercard’s terms of service available at https://www.hypercard.com/terms (“End User Terms”). Client is responsible for all activities that occur under Authorized User accounts, for ensuring that all Authorized Users comply with this Agreement and the End User Terms, for maintaining the secrecy of its access credentials and for providing such access credentials only to individuals that Client intends to be Authorized Users. If an individual ceases to act in an authorized capacity on behalf of Client for any reason, Client will immediately remove the access credentials from such individual. Client is responsible and liable for any breach of this Agreement by Authorized Users as if such breach was committed by Client. For clarity, a Client Cardholder’s use of the Dashboard is also subject to the End User Terms.
- Restrictions. Client shall not (and shall ensure that its Authorized Users do not) (i) attempt to copy, duplicate, modify, create derivative works from or distribute all or any portion of the Hypercard Technology; (ii) reverse engineer, disassemble or decompile the Hypercard Technology, or otherwise attempt to discover or disclose the source code of the Hypercard Technology; (iii) license, sublicense, resell, rent, lease, distribute, transfer or assign the Hypercard Technology; (iv) attempt to circumvent, modify or disable any safety or security measures in the Hypercard Technology; (v) undertake any security testing of the Hypercard Technology without the prior written consent of Hypercard; (vi) assist third parties (other than Authorized Users and Client Cardholders) in obtaining access to the Hypercard Technology; or (vii) use the Dashboard in a manner that violates any applicable law.
- Intellectual Property Rights. Hypercard retains all rights, title and interest (including any intellectual property or other proprietary rights) in and to the Platform, the Dashboard, and the Hypercard Proprietary Expense Platform, except for any Client Marks displayed on the Platform (collectively, “Hypercard Technology”). Client does not acquire any other rights, express or implied, other than those rights expressly granted under the Agreement.
- Feedback. Client acknowledges that, as between Client and Hypercard, all feedback, comments and suggestions for improvements to Hypercard’s products, services or technologies provided by Client hereunder, (collectively, “Feedback”) are the sole and exclusive property of Hypercard. Hypercard may use and disclose Feedback in any manner and for any purpose, without further notice, compensation or attribution to Client. Client hereby assigns to Hypercard any and all right, title and interest that Client may have in and to any Feedback.
- Client Data. Hypercard’s Privacy Policy found at https://www.hypercard.com/privacy, which may be updated from time to time, explains how Hypercard’s services, including the Dashboard, collect, process, store, use and disclose any data or information included in the Client Data (as defined below). Client acknowledges and agrees that Hypercard may use Client Data in accordance with its Privacy Policy. Notwithstanding the foregoing, Hypercard will not use Client Data except to provide and improve the Dashboard and the services and to fulfill Hypercard’s obligations under this Agreement. Hypercard will use commercially reasonable efforts to maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality and integrity of data uploaded to the Dashboard. “Client Data” means any data submitted by or on behalf of Client or its Authorized Users via the Dashboard.
- Confidentiality.
- Confidential Information. From time to time under this Agreement, either Party (the “Disclosing Party”) may disclose or make available to the other Party (the “Receiving Party”), non-public, proprietary, or confidential information of Disclosing Party that is clearly designated by Disclosing Party as confidential or which Receiving Party should reasonably understand Disclosing Party would expect to be treated as confidential (collectively “Confidential Information”); provided, however, that Confidential Information does not include any information that: (i) is or becomes lawfully and generally available to the public other than as a result of Receiving Party’s breach of this Section or any other duty or obligation of confidentiality owed to the other Party, (ii) is or becomes available to Receiving Party on a non-confidential basis from a third-party source, provided that such third-party is not and was not prohibited from disclosing such Confidential Information, (iii) was in Receiving Party’s possession prior to Disclosing Party’s disclosure hereunder as evidenced by its records, or (iv) was or is independently developed by Receiving Party without using any Confidential Information.
- Obligations. Receiving Party will: (i) protect and safeguard the confidentiality of Disclosing Party’s Confidential Information with at least the same degree of care as Receiving Party would protect its own Confidential Information, but in no event with less than a commercially reasonable degree of care, (ii) not use Disclosing Party’s Confidential Information, or permit it to be used, for any purpose other than to exercise its rights or perform its obligations under this Agreement, and (iii) not disclose any such Confidential Information to any person or entity, except to Receiving Party’s employees, agents, contractors, attorneys or representatives (“Representatives”) acting in the course of their obligations and rights hereunder.
- Required Disclosure. If Receiving Party is required by applicable law or legal process to disclose any Confidential Information, it will, prior to making such disclosure, use commercially reasonable efforts to notify Disclosing Party of such requirements to afford Disclosing Party the opportunity to seek, at Disclosing Party’s sole cost and expense, a protective order or other remedy and Receiving Party must only disclose or furnish that portion of Confidential Information as such Receiving Party or the applicable Representative is legally obligated or compelled to so produce or disclose.
- Return or Destruction. At the Disclosing Party’s request, the Receiving Party will return or destroy any Confidential Information Receiving Party obtained from the Disclosing Party. However, nothing contained herein will be construed to prohibit Receiving Party from retaining electronic information maintained in compliance with its digital data retention and automated backup procedures, provided that such Confidential Information will remain subject to the confidentiality obligations set forth herein.
- Remedies. In the event of a breach of this Section, the Receiving Party understands and agrees that direct money damages may not be an adequate remedy for any breach of this Agreement by it and that the Disclosing Party may be entitled (without exclusion of other remedies herein) to seek specific performance and injunctive or other equitable relief as a remedy for any such breach. The Receiving Party further agrees to waive any requirement for the Disclosing Party to secure or post any bond in connection with such remedy.
- Representations, Warranties and Covenants
- Mutual Representations. Each Party represents, warrants and covenants that, as of the Effective Date, and continuing throughout the Term:
- 9.1.1. It is a corporation duly incorporated, validly existing and in good standing under the laws of the country, province, or state in which it is incorporated, and is in good standing in each other jurisdiction where the failure to be in good standing would have a material adverse effect on its business or its ability to perform its obligations under this Agreement.
- 9.1.2. This Agreement constitutes a legal, valid, and binding obligation of such Party, enforceable against it in accordance with its terms.
- Client Representations. Client represents and warrants that:
- 9.2.1. It has obtained, or shall obtain, all requisite rights, approvals, permits and waivers needed to provide the Cardholder Data and any other materials, data or information provided by Client to Hypercard hereunder.
- DISCLAIMER. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED “AS IS” WITHOUT ANY WARRANTIES OF ANY KIND. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER PARTY MAKES ANY OTHER WARRANTIES AND HEREBY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED OR STATUTORY, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING OUT OF COURSE OF PERFORMANCE, COURSE OF DEALING OR USAGE OF TRADE.
- LIMITATION OF LIABILITY. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE OR SPECIAL DAMAGES INCURRED BY SUCH PARTY AS A RESULT OF ANY BREACH OF THIS AGREEMENT, INCLUDING, BUT NOT LIMITED TO, ANY LOST PROFITS, PHYSICAL INJURY, LOST BUSINESS OPPORTUNITY OR COST SAVINGS, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS EXCLUSION OF CONSEQUENTIAL DAMAGES UNDER THIS SECTION WILL APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY, AND INDEPENDENT OF ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED WARRANTY OR OTHER REMEDIES PROVIDED UNDER THIS AGREEMENT. IN NO EVENT WILL HYPERCARD’S AGGREGATE LIABILITY TO CLIENT EXCEED THE TOTAL AMOUNT PAID BY CLIENT TO HYPERCARD DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE DATE OF THE CLAIM OR LIABILITY.
- Indemnification.
- Client Indemnification Obligation. Client agrees to indemnify and hold harmless Hypercard and its affiliates and their respective officers, agents, directors, employees and contractors (“Hypercard Indemnified Parties”) from and against all losses, liabilities and damages finally awarded to a third party by a court (or similar body) of competent jurisdiction or agreed to in a settlement approved by Hypercard that result from any actions, suits, demands or claims brought by a third party (collectively, “Claims”) and any direct out-of-pocket costs and expenses (including reasonable attorneys’ fees) incurred by a Hypercard Indemnified Party while investigating or conducting the defense of such Claim, arising out of or resulting from (i) Client’s violation of the intellectual property rights of any party or violation of applicable law or (ii) Client’s failure to pay or delayed payment of federal or state taxes in connection with the Rewards redeemed or otherwise used by Employees.
- Hypercard Indemnification Obligation. Hypercard agrees to indemnify and hold harmless Client and its officers, agents, directors, employees and contractors (“Client Indemnified Parties” and together with the Hypercard Indemnified Parties, the “Indemnified Parties”) from and against all losses, liabilities and damages finally awarded to a third party by a court (or similar body) of competent jurisdiction or agreed to in a settlement approved by Client that result from any Claims and any direct out-of-pocket costs and expenses (including reasonable attorneys’ fees) incurred by a Client Indemnified Party while investigating or conducting the defense of such Claim, arising out of or resulting from infringement of the intellectual property rights of a third party. In the event that the services become subject to a third-party intellectual property claim or Hypercard believes that they will become subject to such a claim, Hypercard may elect to (i) defend or settle the claim; (ii) procure the right for Customer to continue to use the services without material reduction in functionality; (iii) modify the services to preclude the claim; or (iv) terminate this Agreement and refund pro rata for the remainder of the then-current term any prepaid fees. Notwithstanding the foregoing, Hypercard shall have no responsibility for intellectual property infringement Claims to the extent resulting from or based on: (i) modifications to the services made by a party other than Hypercard or its designee; (ii) the Customer’s failure to implement software updates provided by Hypercard specifically to avoid infringement; or (iii) combination or use of the services with software not supplied by Hypercard or not in accordance with Hypercard’s policies.
- Indemnification Procedures.
- 12.3.1. The Indemnified Party agrees to provide the Indemnifying Party with notice of any such claim that the Indemnified Party believes falls within the scope of this Section promptly after receipt by an Indemnified Party of any written allegation, Claim or notice of any action giving rise to a claim for indemnification by the other Party (the “Indemnifying Party”); provided, however, that the failure of any Indemnified Party to give such notice does not relieve the Indemnifying Party of its obligations or liabilities pursuant to this Agreement, except to the extent that such failure has materially prejudiced the Indemnifying Party.
- 12.3.2. The Indemnifying Party may employ counsel of its choice to defend any indemnifiable Claim, or to compromise, settle or otherwise dispose of the same, if the Indemnifying Party deems it advisable to do so, all at the expense of the Indemnifying Party; provided that the Indemnifying Party does not settle, or consent to any entry of judgment in, any Claim without obtaining either (i) an unconditional release of the Indemnified Party (and its officers, agents, directors, employees and contractors) from all liability with respect to such Claim, or (ii) the prior written consent of the Indemnified Party. The Indemnified Party may participate in the defense or settlement of any Claim, at the Indemnified Party’s expense, with counsel of its choice.
- Term and Termination.
- Term. The term of this Agreement will commence on the Effective Date and remain in effect for the Initial Term (as defined in the Order Form). Thereafter, the Agreement shall automatically renew for successive Renewal Terms (as defined in the Order Form) (each Renewal Term together with the Initial Term, the “Term”), unless and until either Party provides written notice of non-renewal to the other Party at least 30 days prior to the end of the then-current term.
- Termination for Convenience. During the Initial Term, each Party may terminate this Agreement without cause and upon 30 days’ prior written notice. If Hypercard terminates this Agreement for convenience, Client shall not be liable for any fees incurred after the effective date of termination. Fees already incurred for services rendered up to the termination date shall remain payable. No refunds shall be issued for partial months of usage already billed or consumed.
- Termination for Cause. Either Party shall have the right to terminate this Agreement upon written notice if:
- 13.3.1. the other Party breaches any of the provisions of this Agreement, and such breach is incapable of cure or, if such breach is capable of cure, fails to cure such breach within 30 days of its receipt of written notice thereof from the non-breaching Party; or
- 13.3.2. the other Party (a) fails to pay its debts or perform its obligations in the ordinary course of business as they mature or (b) becomes the subject of any voluntary or involuntary proceeding in bankruptcy, liquidation, dissolution, receivership, attachment, or assignment or composition for the benefit of creditors that is not dismissed within 90 days of such action having been filed.
- Effect of Termination. Upon any termination or expiration of this Agreement, (i) Hypercard will not be obligated to provide any additional services under this Agreement, (ii) Client will pay Hypercard for all fees related to the services performed but not yet paid through the date of termination and (iii) each Party will cease using and return (or, at the other Party’s election, destroy) all materials that may have been provided to such Party by the other Party in connection with this Agreement. Those sections of this Agreement whose obligations would normally extend beyond the termination of this Agreement shall so survive the termination of this Agreement.
- General Terms.
- Publicity. Neither Party shall use the other Party’s name, logos or trademarks in any publicity (including press releases) or advertising without such Party’s prior written consent. Such consent may be revoked at any time.
- Assignment. Neither Party may assign this Agreement without the prior written consent of the other Party, except that Hypercard may assign this Agreement to an affiliate or in connection with any merger, reorganization, or any similar transaction.
- Force Majeure. Neither Party shall be liable for any loss or delay to the extent resulting from any force majeure event, including, but not limited to, acts of God, fire, natural disaster, terrorism, labor stoppage, internet service provider failures or delays, pandemic, epidemic, quarantine restriction, civil unrest, war or military hostilities, criminal acts of third parties or any other event beyond such Party’s reasonable control.
- Independent Contractor. The relationship between the Parties is that of independent contractors and nothing in this Agreement shall be construed to create or imply any other relationship (such as a partnership or an employer/employee or agency relationship).
- Third Party Beneficiaries. This Agreement is entered into solely between, and may be enforced only by, Client and Hypercard; and except as set forth in Section 12, this Agreement shall not be deemed to create any rights in third parties, including employees, suppliers and customers of a Party, or to create any obligations of a Party to any such third parties.
- Amendment and Waiver. This Agreement may not be amended or modified without the prior written approval of each Party.
- Severability. If any provision of this Agreement is held to be invalid or unenforceable, the holding will not affect any other term or provision of this Agreement.
- Governing Law and Dispute Resolution. The Parties hereby agree that any disputes under this Agreement will be resolved pursuant to the laws of the State of New York and the United States of America, and in the courts located in the City of New York, without giving effect to any conflicts of laws principles.
- Entire Agreement. This Agreement (including the Order Form), and any other documents expressly incorporated into this Agreement by reference, constitute the entire agreement, understandings, and representations by and between the Parties. This Agreement supersedes all prior negotiations, understandings, correspondence, representations, and agreements between the Parties. In the event of any conflict between the provisions of the documents subject to the Agreement, such conflict will be resolved by giving precedence to such different parts of the Agreement in the following order of precedence: first, the Order Form; second, the Terms and Conditions; third, any other document incorporated by reference into this Agreement unless the document of lower precedence expressly states that its terms are intended to override the conflicting provisions of the document of higher order precedence.
- Amendments. Hypercard may modify these Terms of Service in its sole discretion by posting updated versions of these Terms of Service on the website or otherwise providing notice to you. All such changes shall become effective upon the posting of the revised Terms of Service on the website or upon notice to you, as applicable.
- Notices. All notices required by this Agreement must be in writing and will be valid if delivered to the address and/or email address listed above. Either Party may update the address by providing written notice to the other Party.
- Data Processing Agreement. The Parties agree to comply with the Data Processing Agreement found at _________ (“Data Processing Agreement”), the terms of which are incorporated into this Agreement.
Schedule A
Platform Services
- Description of the Platform Services. Hypercard shall provide Client access to its Platform, which includes the following capabilities:
- Technology Platform Services
- AI-driven workflows to support expense report submission, review, and approval, including automatic policy enforcement, GL code assignment, and budget checks.
- Tools for configuring and managing per diems, travel stipends, recurring benefits, and non-payroll reimbursements.
- Ability for Participants to link personal or corporate cards to the Platform for unified visibility, rule enforcement, and auto-classification of transactions.
- Client may propose workflow configurations or features, which Hypercard will consider in good faith for implementation, depending on technical feasibility and roadmap alignment.
- Hypercard will provide Platform users with access to a support channel, available Monday through Friday (excluding federal holidays) from 9:00 AM to 5:00 PM Pacific Time, via the Platform or designated phone support.
Schedule B
Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of, and is subject to, the Technology Program Services Agreement (the “Agreement”) entered into by and between [ ] (“Company”) and Hypercard Network, Inc. (“Provider”). All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. In case of any divergence between the terms of the Agreement and this DPA, this DPA shall prevail. This DPA will be effective as of the effective date of the Agreement (“DPA Effective Date”).
If you are accepting this DPA on behalf of Company, you warrant that: (a) you have full legal authority to bind Company to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Company, to this DPA. If you do not have the legal authority to bind Company, please do not accept this DPA.
- DEFINITIONS.
- Business, Consumer, Controller, Data Subject, Personal Data, Personal Information, Process, Processor, Sale, Sell, Selling, Share, Sharing, Service Provider, Subprocessor, Supervisory Authority, and Third Party: shall have the meanings ascribed under Data Protection Laws.
- Company Personal Data: any Personal Data processed on behalf of the Company pursuant to or in connection with the Agreement and this DPA.
- Data Protection Laws: all applicable law and regulation relating to privacy, data protection, data transfer, the processing or security of Personal Data, data breaches and marketing, including U.S. Privacy Law, European Data Protection Laws insofar as they apply, each as may be amended, updated or replaced from time to time.
- European Data Protection Laws: the GDPR, the UK GDPR and/or the Swiss FADP.
- GDPR: the General Data Protection Regulation (EU) 2016/679 as implemented and supplemented in each European Economic Area member state, as applicable.
- Restricted Transfer: means any transfer of Personal Data which would be prohibited by Data Protection Laws in the absence of fulfillment of conditions required to ensure that such transfer complies with such Data Protection Laws.
- SCCs: the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as may be amended or updated from time to time).
- Services: shall have the same meaning as set out in the Agreement.
- Swiss FADP: the Swiss Federal Act on Data Protection of 19 June 1992 (SR 235.1) and, following its coming into force, the revised version of 25 September 2020.
- U.S. Privacy Laws: means all applicable data protection and privacy laws in the U.S., including but not limited to, where applicable, the California Consumer Privacy Act and its amendments including the California Privacy Rights Act (“CCPA”), Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CTDPA”), Utah Consumer Privacy Act (“UCPA”), Oregon Consumer Privacy Act (“OCPA”), Texas Data Privacy and Security Act (“TXDPSA”), Florida Digital Bill of Rights (“FLDBR”), Montana Consumer Data Privacy Act (“MTCDPA”), Iowa Consumer Data Protection Act (“IACDPA”), the Delaware Personal Data Privacy Act (“DEPDPA”), the Nebraska Data Privacy Act (“NEDPA”), New Hampshire Privacy Act (“NHPA”), New Jersey Data Privacy Act (“NJDPA”), Tennessee Information Protection Act (“TNIPA”), Minnesota Consumer Data Privacy Act (“MNCDPA”), and Maryland Online Data Privacy Act (“MDODPA”).
- UK Addendum: template addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) in accordance with section 119(A) of the Data Protection Act 2018 (as may be amended or updated from time to time).
- UK GDPR: the UK version of the GDPR which is part of UK law by virtue of the European Union (Withdrawal) Act 2018, as supplemented by the Data Protection Act 2018.
- DESIGNATIONS. The Parties acknowledge that for the purposes of Data Protection Laws:
- Company is a Controller (and a Business under CCPA).
- Provider is a:
- Processor (and Service Provider under CCPA) in its processing of Company’s corporate customer relationship management (CRM) data; and
- Controller (and Business under CCPA) in its processing of Company Personal Data, except that Provider is a Processor (and Service Provider under CCPA) in its processing of Applicants’ (as defined in the Agreement) personal data.
- COMPLIANCE.
- Each Party shall comply with the obligations that apply to it under Data Protection Laws. Controller shall provide consumers with any necessary notice and obtain any necessary consent required by Data Protection Laws. If either Party becomes aware that processing for the Permitted Purpose (defined below) infringes Data Protection Laws, it shall promptly inform the other Party, but neither Party shall be under any obligation to actively monitor the other Party's compliance with Data Protection Laws.
- Each Party shall promptly inform the other if it is unable to comply with this DPA. If the non-complying Party cannot comply within a reasonable period of time, or is in substantial or persistent breach of this DPA, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Agreement insofar as it concerns processing of Company Personal Data.
- SECURITY.
- The Parties shall implement and maintain appropriate technical and organizational measures in order to protect the Company Personal Data from: (i) accidental or unlawful destruction; and (ii) loss, alteration, unauthorized disclosure of, or access to the Company Personal Data (a "Security Incident"). Provider shall ensure that any person it authorizes to process the Company Personal Data (an "Authorized Person") is bound by an appropriate obligation of confidentiality (whether statutory or contractual).
- Security Incidents. If Provider becomes aware of a confirmed Security Incident, Provider shall inform Company without undue delay and shall provide reasonable information and cooperation to Company so that Company can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Laws. Further, Provider shall, at its own cost and expense, take such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Company informed of all material developments in connection with the Security Incident.
- PROVIDER AS A PROCESSOR. Where Provider is a Processor of Company Personal Data, this Section 5 shall apply.
- Processing Instructions. In connection with the performance of the Services, Provider shall only process the Company Personal Data for the limited purposes specified in the Agreement, this DPA, or as otherwise agreed in writing by the Parties (the "Permitted Purpose").
- Access Limitation. Provider shall ensure that: (i) access to the Company Personal Data is strictly limited to those individuals acting on behalf of the Provider or a subprocessor who need to have access to the Company Personal Data for the purposes of the Agreement; and (ii) such individuals have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Data Subject Rights. Provider shall promptly notify Company if Provider receives a request from Consumer exercising their right(s) under Data Protection Laws (“Consumer Request”). Upon Company’s request, Provider shall assist Company in responding to such Consumer Requests.
- Data Protection Impact Assessment and Prior Consultation. Provider shall provide reasonable assistance to Company with any data protection impact assessments, audits, certifications, or prior consultations with legal or regulatory authorities or other competent data protection authorities, which Company reasonably considers to be appropriate or required under any Data Protection Laws, in relation to processing of Company Personal Data by Provider.
- Return or Deletion of Personal Data. Upon the expiration or termination of the Agreement, Provider shall, at Company's request either: (i) securely return to Company; or (ii) securely destroy, all Company Personal Data obtained by Provider in its role as a Processor in connection with the Agreement. Provider will provide written confirmation to Company of its compliance with this provision.
- Audit. Upon the reasonable request of the Company, Provider shall make available to Company all information in its possession necessary to demonstrate Provider's compliance with the obligations described in this DPA and shall allow for, and cooperate with, reasonable assessments by Company or the Company’s designated assessor. Company shall not use such an audit report for any other purpose than to assess Provider’s compliance with this DPA. Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Provider’s unauthorized use of Company Personal Data.
- Subcontracting. Provider will not permit any subprocessor to process Company Personal Data, unless Provider and the subprocessor have entered into an agreement that imposes obligations on the subprocessor that are no less restrictive and at least equally protective of Company Personal Data than those imposed on Provider under this DPA and the Agreement. Provider is responsible for ensuring the compliance of subprocessors with Data Protection Laws in connection with the processing of Company Personal Data.
- Service Provider Obligations Under the CCPA. To the extent any Company Personal Data is deemed “personal information” (as such term is defined under the CCPA) and is subject to the CCPA, Provider agrees not to: (a) “sell” or “share” the personal information as such terms are defined under the CCPA; (b) retain, use, or disclose personal information for any purpose other than for the specific purpose of performing the Services or as otherwise expressly permitted under the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purposes specified in this DPA or the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship with Company; (d) combine personal information it receives from Company with personal information it receives from or on behalf of another person or collects from its own interactions with consumers, except where required to provide the Services, provided it is permitted under the CCPA.
- Business Purposes. In accordance with the CCPA, Provider may engage in the following Business Purposes:
- Auditing consumer transactions, including, but not limited to, measuring advertising performance to unique visitors.
- Detecting and protecting against malicious, deceptive, fraudulent, or illegal advertising activity.
- Identifying and repairing errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer.
- Providing analytic, advertising, or marketing-related services.
- Undertaking internal research for technological development and demonstration.
- PROVIDER AS A CONTROLLER. Where Provider is a Controller of Company Personal Data, this Section 6 shall apply.
- Cooperation and Consumer Rights. Each Party shall cooperate with the other in complying with Data Protection Laws. As it pertains to Company Personal Data, each Party shall be responsible for responding to enquiries from regulators and for responding to Consumer Requests and shall implement mechanisms to facilitate such enquiries and Consumer Requests. Company shall forward to Provider any applicable Consumer Requests within fifteen (15) days of receipt by Company. Provider shall process all such Consumer Requests within thirty (30) days of receipt from Company. In the event any request, correspondence, enquiry or complaint is made directly to Provider by a regulator under Data Protection Laws, Provider shall promptly inform Company of such regulator request, correspondence, enquiry or complaint.
- TRANSFERS. If the Services involve the transfer of Company Personal Data of Data Subjects in the EEA or the UK to a country or territory outside of those regions which has not received an applicable adequacy decision, the Parties hereby incorporate, and agree to comply with, the SCCs. In such case: (1) the Parties will complete Annexes IA, IB, IC, and II of this DPA; and (2) the Parties represent that they do not believe the laws and practices in any country to which Company Personal Data is transferred for purposes of the Agreement will prevent the importing Party from fulfilling its obligations under this DPA or the SCCs. By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.
- Ex-EEA Transfers. The Parties agree that the transfer of Company Personal Data outside the EEA that is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR will be made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- where Provider is a Processor, Module 2 shall apply; where Provider is a Controller, Module 1 shall apply;
- Clause 7, the optional docking clause, applies;
- in Clause 9(a) of Module Two, Option 2 applies, and the period for prior notice of sub-processor changes is as set out in this DPA;
- in Clause 11(a), the optional language does not apply;
- in Clause 17, the Parties agree that the governing law shall be that of the Republic of Ireland;
- in Clause 18, the Parties agree that disputes will be resolved before the courts in Dublin, Republic of Ireland;
- insofar as they apply, Clauses 17 and 18 of the SCCs prevail over any other selection of governing law or jurisdiction in any agreement between the Parties;
- the Parties are deemed to have signed the SCCs with effect from the date of this DPA;
- in Annex I, the competent supervisory authority is the Irish Data Protection Commission;
- the remainder of Annex I and Annex III are deemed completed with the information from this DPA and Appendix 1 hereto;
- Annex II is deemed completed with the information from Appendix 2 hereto.
- Ex-UK Transfers. The Parties agree that transfers of Company Personal Data of UK Data Subjects outside the UK that are not governed by an adequacy decision are made pursuant to the SCCs as well as the UK Addendum to the SCCs, which are deemed entered into and incorporated into this DPA by this reference.
- Ex-Swiss Transfers. To the extent that Company Personal Data processed subject to the Swiss FADP is transferred from the Company to the Provider, the SCCs shall apply as set out in Clause 7.1, subject to the following amendments:
- references to “Regulation (EU) 2016/679” or “that Regulation” are to be read as references to the Swiss FADP;
- references to specific Article(s) of “Regulation (EU) 2016/679” are to be read as references to the equivalent Article or provision of the Swiss FADP;
- the “competent supervisory authority” under Part C of Annex I of the SCCs is the Swiss Federal Data Protection and Information Commissioner;
- nothing, including the term “member state”, shall be interpreted in such a manner as to exclude data subjects in Switzerland from enforcing their rights in Switzerland, in accordance with Clause 18 of the SCCs, provided Switzerland is their habitual residence.
- GENERAL PROVISIONS.
- Termination and Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, Provider processes or retains Company Personal Data.
- Governing Law and Jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.
Appendix 1
Processing, Personal Data and Data Subjects
Subject matter and duration of the processing
As set out in the Agreement and this DPA.
The nature of the processing
As set out in the Agreement and this DPA.
The purpose of the processing
As set out in the Agreement and this DPA.
The types of Company Personal Data to be processed (including details of any sensitive data)
As part of our service, we process the following types of Company Customer Personal Data obtained from various data feeds:
- First Name and Last Name
- Employment Status
- Work Email Address
- Job Title
Additionally, when using the product, users may choose to provide and upload further personal information, which may include:
- Date of Birth
- Residential Address (for purposes such as shipping and billing for cards)
- Personal Email Address
- Phone Number
- Bank Account Numbers (for card-related transactions and services)
The categories of Data Subject to whom the Company Personal Data relates
The Company Personal Data processed relates primarily to the employees of the Company’s organization who use the product for managing corporate cards. The product does not process data from any other categories of data subjects, such as dependents, minors, or third-party individuals. Furthermore, the product does not collect personal data from individuals under special legal protection.
Frequency of transfer
The frequency of transfer for Company Personal Data depends on the source of the data. For data feeds, such as those from Concur, the transfer occurs continuously as the data is updated. For other types of data, the transfer is typically a one-time event on a need-to-know basis. Data transfers are initiated automatically whenever users update their personal information within the product, with the exception of data received from continuous data feeds. There are no periodic transfers for reporting or auditing purposes.
For transfers to (sub-)processors, the subject matter, nature and duration of processing
We utilize a few key sub-processors to assist in the processing of Company Personal Data, each with specific roles and responsibilities:
- AWS
- Subject Matter: AWS hosts our servers and stores Company Personal Data, including sensitive data such as Social Security Numbers (SSNs) and bank account numbers.
- Nature of Processing: AWS stores and maintains the data in secure databases.
- Duration of Processing: Data is retained for at least five years, in compliance with AML, BSA, and other financial reporting obligations.
List of current Subprocessors:
As applicable, Hypercard's subprocessors are:
- AWS
Appendix 2
Security Measures
We implement several security measures to ensure the protection of personal data. All sensitive data, such as Social Security Numbers (SSNs) and bank account numbers, are pseudonymized. Data is encrypted both at rest using AES-256 encryption, with rotating keys on a weekly basis, and in transit using TLS 1.3.
To maintain the confidentiality, integrity, availability, and resilience of our processing systems, all code changes undergo peer review, and the codebase maintains 80% test coverage. Breaking changes block new deployments. Our serverless infrastructure scales automatically to meet demand. We make daily backups and snapshots of Company Personal Data, and our team undergoes biannual disaster recovery training.
We conduct biannual penetration tests and continuous vulnerability scans. Our security policies are reviewed quarterly or biannually, as required, to ensure compliance with SOC 2 and GDPR standards. All internal users are required to use multi-factor authentication (MFA), and access control checks are performed quarterly.
Data is protected in transit using TLS 1.3 and at rest using AES-256 encryption. SSNs and bank account numbers are tokenized and stored in separate secure databases. Data is stored in AWS data centers, which have robust physical security measures in place.
Audit logs are maintained indefinitely, unless a Company requests deletion of their data, and they track access and modifications to personal data. Logs are reviewed as needed, and alerts are set for critical events.
We follow SOC 2 and GDPR guidelines for data retention, only keeping personal data for as long as necessary to fulfill processing purposes or meet legal obligations. Data is deleted or anonymized after this period.
We ensure accountability through clear internal processes, regular staff training, and logging of all actions related to the handling of personal data. We also provide mechanisms for users to request data portability or erasure, in compliance with GDPR requirements. Data erasure requests are processed promptly, subject to legal retention obligations.