Data Security and Privacy Policy
Updated: March 14, 2018
Welcome to www.firstaccess.io, the online and mobile service of First Access, Inc. ("First Access," "we," "us," or "our"). First Access takes the topic of data security and confidentiality very seriously. We recognize that when you provide us your information, you trust us to handle it in a responsible and secure manner. This Data Security & Privacy Policy explains how we collect, use, disclose, and protect information related to use of all services being provided by First Access (“Service”), to our client institutions (“you”, “your”, “your institution”, “the Client Institution”), and your choices about the collection and use of your information, and that of your users and customers.
Capitalized terms that are not defined in this Data Security & Privacy Policy have the meaning given to them in our Terms of Service Agreement ("Agreement") and any attached Subscription Agreements. Any conflict between this policy and the Agreement shall be resolved in favor of the Agreement and its attached Subscription Agreements.
INFORMATION WE COLLECT
The following describes the types of information we may collect from your institution, your users, and your customers.
Information required to register an account on our platform
Our Platform means the web-based application, mobile application, API, or other medium through which First Access provides, and through which you may access, the Service.
In order to use our Service, your institution will be required to designate at least one employee (loan officer, supervisor, credit committee member, or any other agent) as a person who has been granted access to the Service (“User”).
Before you or any of your Users can access our Service, you will need to create an account and provide us with the name, email address, a password, and other contact information related to the User and your institution. We request this information for identification purposes, to communicate with you regarding your account, and to facilitate the functionality of our Service. All registered Users on the Platform will be required to share this information.
Types of information we collect
Raw Platform Data means data provided by the Client Institution and its Users to the Platform in the form such data was provided. This includes information about current or potential customers of your institution (“Customers”) that you enter directly into our Platform in order to use the Service. Raw Platform Data may include information that can be used to distinguish or trace the identity of an individual or institution (including a User, a Customer or the Client Institution) by direct or indirect means, either when used alone or when combined with other personal or identifying information that is linked or linkable to a specific individual or institution (“Identifiable Information”).
Raw Data means all data provided to First Access by the Client Institution, including Raw Platform Data, database backups, direct database queries, extracted datasets in the form of spreadsheets, comma separated value documents, and other data transferred directly from the Client Institution via other mediums.
Derived Data means data which cannot be traced to an identifiable Customer or to the Client Institution, that is derived by First Access (i) from Raw Data by applying mathematical models, aggregation or transformations of any kind to such data or (ii) by collecting data on the Client Institution’s use of the Platform. First Access shall be the exclusive owner of Derived Data.
Confidential Data means business, technical or financial information you disclose to us including non-public information regarding your Customers, loan portfolio and credit practices. For purposes hereof, Raw Data and Identifiable Information shall always be treated as Confidential Data and Derived Data shall be excluded from the definition of Confidential Data.
Other information collected through use of our Service
We may capture certain information about the devices you use to access our Service. For example, if you have enabled location services on your mobile device, we may collect geolocation data from your device, as well as photos, images or documents Users may upload through the mobile application. When you use our Service, we also automatically receive your computer's internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.
Third-party services
First Access may directly collect data from your institution using third-party tools that can help us measure traffic and usage trends to offer and improve the Service over time. Certain third-party service providers, such as payment gateways and other payment transaction processors, have their own privacy policies in respect to the information we are required to provide to process your payments for the Service. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers.
HOW WE USE THIS INFORMATION AND TO WHOM IT IS DISCLOSED
Your Confidential Data will not be disclosed
We will not share, rent, sell, trade, or otherwise disclose any Confidential Data that we collect from you, your Users or your Customers, except when we have your permission.
We will take reasonable precautions in conformity with industry practices in effect at any time to protect your Confidential Data, and not use or divulge to any third person any such Confidential Data, except in performance of the Service, or as otherwise permitted. The foregoing shall not apply with respect to any information that First Access can document (i) is or becomes generally available to the public, (ii) was legally in its possession or known by it prior to receipt from the Client Institution, (iii) was legally disclosed to it without restriction by a third party, (iv) was independently developed without use of any Confidential Data or (v) is required to be disclosed by law.
How we use information derived from your use of the Service
First Access shall be free to utilize Derived Data such as loan origination and platform usage data in its sole discretion. For example, we may disclose the results of aggregated data about your institution for marketing or promotional purposes, but never accompanied by any information that could be used to specifically identify your institution. In general, we use aggregated data to analyze and improve the performance of the Service.
WHO CAN ACCESS OUR SERVICE
Authorizing your users
Your institution shall be responsible for assigning rights to access the Platform to each User and managing the rights of Users, including assigning administrative rights and removing the right of any User to access the Platform when such User ceases working for your institution. Information transmitted through or stored by the Service is only available to those Users to whom you have granted permission to view such information. Notwithstanding the foregoing, First Access may in its sole discretion terminate or limit any User’s rights when First Access determines that such User’s activities are inconsistent with the purpose of the Service.
Acceptable use and reporting violations
By using our Service, your institution and your Users agree to use the Service in accordance with its purpose. Users shall not engage in any offensive or inflammatory behavior in using the Service, nor shall they engage in any fraudulent or illegal activities. Content uploaded by your Users to the Platform using the mobile application must adhere to this policy and any content shared by your Users that violates this policy should be reported. Neither this policy, nor the MSA, requires First Access to take any action against any User who violates this policy, however, First Access may in its sole discretion, remove any content that it determines is inconsistent with the purpose of the Service. Our Service is not directed to children under the age of 18. If you learn that a child under 18 has provided us with personal information without consent, or you suspect or have identified any cases of unauthorized access or abuse of the Service, please contact us at info@firstaccess.co.
WHO HAS ACCESS TO THE INFORMATION YOU SHARE WITH US
First Access employees and contractors generally do not have access to view data or contact information associated with any User’s account, except to the extent it is strictly necessary in order to deliver the Service. Certain authorized employees and contractors of First Access, who are under strict confidentiality agreements, may have access to view some data associated with your account, including profile settings, automated services, log messages, and summary statistics. In limited circumstances, authorized employees or contractors of First Access may access other information associated with your account, including contacts or messages, in order to investigate or resolve problems with the Service, or if required by law.
HOW WE COMMUNICATE WITH YOU AND YOUR USERS
Email communications
We may send you and your Users email containing Service-related content (e.g., account verification, purchase and billing confirmations, technical and security notifications, updates about the Service, and other notifications). With your permission, we may send you emails about our Service, new products, and other updates. We will never communicate directly with your Customers without your permission.
Correcting information on the Platform
You may correct or update information collected from your institution or your Users by logging into the Platform and editing your account settings, or by contacting us through the support function on the Platform. We will use all reasonable efforts to update our records in a timely manner. For our records, we may retain original and updated information for reasons such as technical constraints, dispute resolution, troubleshooting and agreement enforcement.
OUR SECURITY PRACTICES
Protecting your information
To help protect the security of information transmitted by you and your Users in connection with the Service, First Access uses SSL/TLS to encrypt such information both in transit and at rest. In addition, we takes steps to protect the information we collect against unauthorized access. We utilize commercially reasonable security, though no system can perfectly guard against risks of intentional intrusion or inadvertent disclosure of information. The Service is run on hardware and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Performance of the Service requires that information be transmitted over a medium that is not controlled by First Access. The Client Institution expressly assumes the risk of any unauthorized disclosures, intentional intrusion or any delay, failure, interruption or corruption of data or other information transmitted in connection with the use of the Service.
Where information is stored and processed
Your institution’s information collected through the Service may be stored and processed in the United States or the United Kingdom on secured servers, or any other country in which First Access or its technology partners maintain facilities. If your institution is located in a jurisdiction with laws governing data collection and use that may differ from U.S. law, you should be aware that information may be transferred to a jurisdiction that does not have the same data protection laws. You consent to such transfer of information. If you notify First Access that such transfer of information will be problematic under the laws of a jurisdiction, First Access will take reasonable steps to work with the your institution to avoid the problems arising from such transfer.
Storing your information
First Access may retain your institution’s information for up to two years, for backup, archival or audit purposes.
UPDATES TO THIS POLICY
First Access reserves the right to update this Data Security & Privacy Policy from time to time. Please visit this page periodically so that you will be apprised of any changes. When we change the policy in a material manner we will update the "Updated" date at the top of this page. We may also notify you at via the email address associated with your account to inform you about any such updates. We may provide you additional forms of notice of modifications or updates as deemed appropriate in our sole discretion. Your continued use of the Service after any modification to this Data Security & Privacy Policy will constitute your acceptance of such modification.