API Data Processing Addendum

For Financial Institution customers transmitting borrower data via the RiskInMind API. This Addendum supplements the RiskInMind Privacy Policy and governs the processing of nonpublic personal information submitted through the API.

Last updated: June 2026

PART 1: API Documentation — Data Privacy & Transmission Language

1.1 Scope

The RiskInMind Privacy Policy governs personal information collected from users of the RiskInMind platform. This Addendum governs a separate and distinct category of data: nonpublic personal information ("NPI") belonging to third-party individuals (such as loan applicants and borrowers) that Financial Institutions transmit to RiskInMind via the API for the purpose of risk assessment, document verification, and related services.

To the extent of any conflict between this Addendum and the Privacy Policy with respect to API-transmitted NPI, this Addendum controls.

1.2 Data Submitted via the API

When a Financial Institution transmits a payload to the RiskInMind API — including but not limited to credit memo extracts, document uploads, and bank statement data — the request may contain NPI as defined under the Gramm-Leach-Bliley Act (15 U.S.C. § 6809), including but not limited to:

  • Full legal name, residential address, and date of birth
  • Social Security Number or Tax Identification Number
  • Account numbers, loan amounts, and credit terms
  • Income, employment, and asset information
  • Credit bureau data and risk scores
  • Financial documents including bank statements, pay stubs, and tax returns

RiskInMind acts solely as a data processor with respect to all such NPI. The Financial Institution retains status as data controller and remains responsible for ensuring that transmission of NPI to RiskInMind is permitted under its applicable privacy notices, vendor agreements, and regulatory obligations.

RiskInMind does not sell, share, or otherwise transfer NPI submitted via the API to any third party except as required to deliver the requested service or as required by law.

1.3 No Model Training on Customer Data

RiskInMind does not use NPI submitted by Financial Institutions via the API to train, fine-tune, or otherwise improve its AI models without explicit prior written consent from the Financial Institution. Aggregate, anonymized, and de-identified performance metrics may be used internally for model quality purposes.

1.4 Transmission Security

All data transmitted to the RiskInMind API is protected as follows:

  • Encryption in transit: TLS 1.2 or higher is required for all API connections. Requests over unencrypted connections are rejected.
  • Encryption at rest: All data stored by RiskInMind is encrypted using AES-256.
  • Authentication: API access requires a secret API key. Keys must be stored securely and must not be embedded in client-side code or exposed in version control.
  • Access controls: Access to NPI is restricted to authorized RiskInMind personnel on a least-privilege basis, consistent with RiskInMind's SOC 2® program.

1.5 API-Specific Data Retention

RiskInMind retains NPI submitted via the API only for the period necessary to complete the requested analysis and deliver a response. Unless the Financial Institution has elected extended audit logging under a separate written agreement:

  • Raw payload data is purged within 30 days of submission.
  • Analysis results and risk scores are retained for 12 months for audit and model quality purposes, after which they are deleted or anonymized.
  • Backup copies are purged on a rolling basis consistent with RiskInMind's standard backup retention schedule, not to exceed 90 days.

These retention periods are separate from and in addition to the account and profile data retention terms set out in Section 6 of the Privacy Policy, which apply to platform users only.

1.6 Regulatory Compliance

RiskInMind maintains the following certifications and controls relevant to Financial Institution customers:

  • SOC 2® aligned — RiskInMind's controls align with the AICPA SOC 2® Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity, and Privacy, as described at riskinmind.ai/soc-2.
  • GLBA Safeguards Rule — RiskInMind maintains a written information security program consistent with 16 C.F.R. Part 314, treating NPI received from Financial Institutions as customer financial information subject to appropriate safeguards.
  • CCPA — RiskInMind does not sell or share personal information as defined under the California Consumer Privacy Act.
  • GDPR / UK GDPR — Where Financial Institutions transmit personal data relating to individuals located in the EEA or United Kingdom, RiskInMind processes such data under Standard Contractual Clauses (SCCs) as set out in Section 10 of the Privacy Policy and Part 2 of this Addendum.

1.7 Third-Party Vendor Onboarding

Financial Institutions are advised to designate RiskInMind as a third-party service provider in their vendor management programs prior to production use of the API. RiskInMind will provide the following upon request:

  • SOC 2® aligned program documentation
  • Completed vendor security questionnaire
  • Executed API Data Processing Addendum (see Part 2)
  • Information Security Policy summary
  • Sub-processor list

Contact: hello@riskinmind.ai

RiskInMind targets a 5 business day turnaround on vendor onboarding requests.

PART 2: API Data Processing Addendum — Executable Terms

This Addendum is entered into between the Financial Institution ("Institution," "Controller") and RiskInMind, Inc. ("RiskInMind," "Processor"), incorporated by reference into the Institution's Master Services Agreement or API Terms of Service. To request an executed copy, contact hello@riskinmind.ai.

2.1 Parties and Roles

Data Controller: The Financial Institution executing this Addendum.

Data Processor: RiskInMind, Inc., 110 Chestnut Ridge Road, Montvale, NJ 07663, USA — a provider of AI-powered risk management software to credit unions and community banks.

The parties acknowledge that with respect to NPI transmitted via the API, the Institution is the data controller and RiskInMind is the data processor, consistent with applicable law including GLBA, CCPA, and GDPR where applicable.

2.2 Scope and Purpose of Processing

RiskInMind processes NPI submitted by the Institution solely for the purpose of delivering the requested API services, which may include:

  • Document fraud detection and authenticity verification
  • Credit memo analysis and risk scoring
  • Bank statement analysis
  • Related risk assessment and decisioning functions

Processing for any other purpose is prohibited without prior written instruction from the Institution.

2.3 Obligations of RiskInMind (Processor)

RiskInMind agrees to:

  1. Process only on instruction. Process NPI solely on documented instructions from the Institution, except where required by applicable law, in which case RiskInMind will notify the Institution before processing unless prohibited by law.
  2. Ensure confidentiality. Ensure that all personnel authorized to access NPI are bound by written confidentiality obligations and receive appropriate data protection training.
  3. Implement security measures. Maintain technical and organizational security measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, and a documented incident response procedure, consistent with RiskInMind's SOC 2® aligned program.
  4. Prohibit model training on NPI. Not use NPI submitted by the Institution to train, fine-tune, or improve AI or machine learning models without explicit prior written consent from the Institution.
  5. Restrict sub-processors. Not engage new sub-processors that will access Institution NPI without prior written authorization from the Institution. RiskInMind maintains a current sub-processor list available at riskinmind.ai/legal/sub-processors and will provide reasonable advance notice of any changes.
  6. Assist with data subject rights. Assist the Institution in fulfilling obligations to respond to data subject rights requests under applicable law (including access, correction, deletion, and portability requests) taking into account the nature of the processing.
  7. Support audits. Upon reasonable written notice, make available information necessary to demonstrate compliance with this Addendum and permit audits by the Institution or its designated auditor, subject to reasonable confidentiality protections.
  8. Notify of breaches. Notify the Institution without undue delay — and in no event later than 72 hours — upon becoming aware of a personal data breach involving Institution NPI, consistent with the notification obligations in Section 7 of the Privacy Policy.
  9. Delete or return data on termination. At the Institution's written election upon termination of the API relationship, delete or return all NPI and certify deletion in writing within 30 days.

2.4 Obligations of the Institution (Controller)

The Institution agrees to:

  1. Ensure it has a lawful basis for transmitting NPI to RiskInMind under all applicable laws, including GLBA, CCPA, and GDPR where applicable.
  2. Ensure its customer-facing privacy notices accurately disclose the sharing of NPI with third-party service providers such as RiskInMind.
  3. Designate RiskInMind as a service provider or processor in its vendor management program and complete applicable due diligence prior to production use.
  4. Notify RiskInMind promptly of any changes to processing instructions that may affect RiskInMind's obligations under this Addendum.
  5. Ensure that NPI transmitted to RiskInMind is limited to what is necessary for the requested service (data minimization).

2.5 International Data Transfers

Where the Institution transmits personal data relating to individuals located in the European Economic Area or United Kingdom, such transfers from RiskInMind to the Institution's jurisdiction are governed by Standard Contractual Clauses (SCCs) as referenced in Section 10 of the Privacy Policy, or such other transfer mechanism as the parties agree in writing. RiskInMind's registered address is in the United States; EU/UK institutions should ensure SCCs are incorporated into their executed Addendum.

2.6 Sub-Processors

RiskInMind uses third-party sub-processors — including cloud hosting, infrastructure, and analytics providers — that may process Institution NPI as part of service delivery. These sub-processors are bound by contractual obligations at least as protective as those in this Addendum. The current sub-processor list is available at riskinmind.ai/legal/sub-processors.

2.7 Liability

Each party is liable for damages caused by its failure to comply with its obligations under this Addendum. RiskInMind's aggregate liability under this Addendum shall not exceed the fees paid by the Institution in the twelve (12) months preceding the event giving rise to the claim, except in cases of gross negligence, willful misconduct, or breach of the no-model-training obligation in Section 2.3(4).

2.8 Governing Law

This Addendum is governed by the laws of the State of Delaware, without regard to conflict of law principles, unless the Institution's primary federal regulator requires otherwise.

2.9 Execution

To request a fully executed copy of this Addendum, contact hello@riskinmind.ai. RiskInMind targets a 5 business day turnaround to support bank and credit union procurement timelines.

This Addendum is published at riskinmind.ai/dpa and incorporated by reference into RiskInMind's API Terms of Service.

© 2026 RiskInMind, Inc. · 110 Chestnut Ridge Road, Montvale, NJ 07663 · hello@riskinmind.ai

Built for credit unions & community banks.