Master Service Agreement

1. Definitions

Capitalized terms used but not defined in the body of this Agreement have the meanings given below:

• “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
• “API” means the application programming interfaces, SDKs, and related documentation made available by Service Provider for programmatic access to the Services.
• “API Key” means the unique authentication credential issued to Client for accessing the API in either sandbox or production mode.
• “Authorized User” means any individual whom Client permits to access the Services under Client’s account.
• “Bureau” or “CRA” means a consumer reporting agency, including Equifax, Experian, TransUnion, and Innovis.
• “Client Data” means all data, records, files, and content that Client or its Authorized Users upload, submit, or transmit through the Services, including consumer credit data and personally identifiable information.
• “Confidential Information” means any non-public information disclosed by either party, whether orally or in writing, that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes, without limitation, business plans, pricing, technical data, product roadmaps, consumer data, and API Keys.
• “Consumer” means a natural person whose credit information is the subject of a Metro 2 record.
• “Dashboard” means the web-based administration interface at metro2.switchlabs.dev through which Client manages records, submissions, disputes, and account settings.
• “Documentation” means the user guides, API reference, developer documentation, and help materials made available at metro2.switchlabs.dev/developers.
• “EOSCAR” means the Electronic Online Solution for Complete and Accurate Reporting, the industry-standard system for processing consumer credit disputes.
• “ACDV” means Automated Consumer Dispute Verification, the standardized form used by CRAs to notify data furnishers of consumer disputes.
• “Metro 2 Format” means the data- reporting format specified by the CDIA for furnishing consumer credit information to CRAs.
• “Order Form” means the document (whether physical or electronic) referencing this Agreement that specifies the Services purchased, pricing, term, and any customer-specific provisions.
• “Sandbox” means the non-production testing environment that mirrors production functionality without submitting data to any Bureau.
• “Software” means Service Provider’s proprietary Metro 2 platform, including the Dashboard, API, validation engine, scheduling system, dispute management tools, and all related technology.
• “SLA” means the Service Level Agreement attached as Exhibit B.
• “Subscriber Code” means the unique identifier issued by a Bureau that permits a business to furnish consumer credit data to that Bureau.
• “Webhook” means an HTTP callback configured by Client to receive real-time event notifications from the Services.

2. Scope of Services

Subject to the terms of this Agreement and the applicable Order Form, Service Provider will provide the following:

1. Data Ingestion. Accept Client Data via the API (JSON payloads), file upload (CSV, XLSX), pre-built integration connectors, or SFTP.
2. Validation. Apply Bureau-grade validation rules to Client Data, including format validation, cross-field validation, Metro 2 specification compliance checks, and field-level error reporting.
3. Metro 2 Transformation. Convert validated Client Data into Metro 2 Format files, including all applicable segments (Base, J1, J2, K1, K2, K3, K4, L1, N1).
4. Bureau Submission. Transmit Metro 2 files to the Bureaus specified in the Order Form using the Subscriber Code(s) provided by Client, via encrypted SFTP connections.
5. Automated Scheduling. Enable Client to configure independent per-Bureau submission schedules (monthly, bi-weekly, weekly, or custom) through the Dashboard or API.
6. CRA Response Parsing. Receive, parse, and present Bureau response files, including acceptance/rejection status, error codes, and record-level matching to original submissions.
7. Dispute Management. Provide FCRA-compliant dispute intake, investigation tracking, resolution workflows, 30-day deadline monitoring, and ACDV/EOSCAR integration.
8. Audit Trail. Maintain field-level change tracking with user attribution, timestamps, and automatic redaction of sensitive data, exportable in CSV and PDF formats.
9. Webhooks. Deliver real-time event notifications via HMAC-SHA256-signed HTTP callbacks for file processing, record changes, dispute events, submission completions, validation failures, and scheduled runs.
10. Dashboard. Provide a web-based interface for record management, submission monitoring, dispute handling, analytics, and administrative functions.
11. Sandbox Environment. Provide a non-production environment with production-identical validation for integration testing, with separate API Keys and no Bureau submission.
12. Integration Connectors. Where applicable, provide or develop pre-built connectors to Client’s systems as specified in the Order Form.

3. Client Responsibilities

1. Data Accuracy & Authority. Client warrants that all data furnished through the Services is accurate, complete, legally reportable, and supported by any required consumer authorizations. Client is solely responsible for the content and legality of all Client Data.
2. Regulatory Compliance. Client will comply with all applicable laws and regulations governing consumer credit reporting, including without limitation the Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), Equal Credit Opportunity Act (ECOA), Gramm-Leach-Bliley Act (GLBA), California Consumer Privacy Act (CCPA), and all applicable state laws, as well as all Bureau rules, policies, and procedures.
3. Disputes. Client will promptly investigate all consumer disputes within the timeframes required by the FCRA (generally 30 days from receipt), correct errors, furnish updated information, and notify Service Provider of any changes affecting previously reported data. Client is responsible for maintaining reasonable policies and procedures for responding to disputes.
4. Security. Client will (a) safeguard all access credentials, API Keys, and Authorized User accounts; (b) use only the secure data-transmission methods specified in the Documentation; (c) notify Service Provider immediately of any suspected or confirmed security compromise; and (d) not transmit real consumer PII in the Sandbox environment.
5. Bureau Relationships. Client will (a) obtain and maintain in good standing each Subscriber Code required to furnish data to the applicable Bureaus; (b) comply with each Bureau’s data-submission requirements and dispute- resolution procedures; (c) maintain an active EOSCAR subscription when required; and (d) promptly notify Service Provider of any change in Subscriber Code status.
6. Authorized Users. Client is responsible for all actions taken under its account, including by Authorized Users. Client will ensure that all Authorized Users comply with this Agreement and the Acceptable Use Policy.

4. Service Provider Responsibilities

1. Service Delivery. Service Provider will use commercially reasonable efforts to (a) format and transmit Client Data accurately and in accordance with the Metro 2 specification; (b) maintain the Services in accordance with the SLA; and (c) provide the support described in the Order Form.
2. Security Measures. Service Provider maintains industry-standard technical and organizational measures to protect Client Data, including AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, row-level data segregation, and multi-factor authentication. See our Security & Compliance page for current details.
3. Breach Notification. If Service Provider confirms a security incident affecting Client Data, it will notify Client without undue delay and in any event within 72 hours of confirmation, and will provide a detailed incident report within five (5) business days, including the nature and scope of the breach, the categories of data affected, and remediation steps.
4. Subprocessors. Service Provider may use subprocessors to deliver the Services, subject to the terms of the Data Processing Addendum (Exhibit C).
5. Compliance Support. Service Provider will cooperate reasonably with Client’s regulatory examinations, audits, and compliance inquiries related to the Services, including providing audit trail exports and dispute documentation in formats suitable for CFPB examinations.

5. API Terms

1. Authentication. All API access requires authentication via API Key. Client must use separate keys for Sandbox and production environments and must not embed production API Keys in client-side code or publicly accessible repositories.
2. Rate Limits. API requests are subject to rate limits as published in the Documentation. Service Provider may adjust rate limits with 30 days’ notice. Sustained exceeding of rate limits may result in temporary throttling.
3. Versioning & Deprecation. Service Provider will maintain backward compatibility within a major API version. When a breaking change is necessary, Service Provider will (a) release a new major version, (b) provide at least 90 days’ notice before deprecating the prior version, and (c) support both versions concurrently during the deprecation period.
4. Webhooks. Webhook payloads are signed using HMAC-SHA256. Client is responsible for verifying signatures and processing events idempotently. Service Provider will retry failed deliveries up to five (5) times with exponential backoff.
5. Sandbox. The Sandbox environment mirrors production validation logic but does not transmit data to any Bureau. Client must not submit real consumer PII in the Sandbox. Service Provider does not guarantee Sandbox availability at the same level as production.

6. Intellectual Property & License

1. Ownership. Service Provider retains all right, title, and interest in and to the Software, Documentation, APIs, and all related intellectual property, including improvements, derivatives, and modifications.
2. License Grant. Subject to this Agreement and payment of applicable fees, Service Provider grants Client a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Services during the Term solely for Client’s internal credit-reporting operations as described in the Order Form.
3. Restrictions. Client shall not (a) copy, modify, adapt, or create derivative works of the Software; (b) reverse engineer, decompile, disassemble, or attempt to extract source code from the Software; (c) resell, sublicense, lease, or distribute the Services to any third party; (d) remove, alter, or obscure any proprietary notices; (e) use the Services to build a competing product; or (f) access the Services to benchmark or evaluate competitive products.
4. Feedback. If Client provides suggestions, ideas, or feedback regarding the Services, Service Provider may use such feedback without restriction or obligation.
5. Trademarks. “Metro 2” is a registered trademark of the CDIA. Neither party acquires any rights in the other party’s trademarks except as expressly authorized.

7. Data Ownership, Retention & Destruction

1. Client Data. Client retains all right, title, and interest in the raw consumer data it supplies. Nothing in this Agreement transfers ownership of Client Data to Service Provider.
2. Derived Data. Service Provider owns the Metro 2 files, system-generated metadata, aggregated analytics, and platform usage data, exclusive of any consumer PII or Client Confidential Information contained therein.
3. Retention. Unless a longer period is required by law or regulation, Service Provider retains (a) raw upload files for 180 days; (b) audit trail records for the duration of the Term plus 24 months; and (c) Metro 2 submission files and Bureau response files for 36 months. Client may configure shorter retention periods through the Dashboard.
4. Consumer Deletion. Service Provider supports consumer data deletion requests in compliance with CCPA and other applicable privacy laws. Client may initiate deletion through the API or Dashboard, and Service Provider will process such requests within 30 days.
5. Post-Termination. Upon written request made within 30 days after termination, Service Provider will (a) provide Client with an export of Client Data in a standard format (CSV or JSON) and (b) securely delete Client Data remaining in its possession within 60 days, except as required by law or regulation. Service Provider will certify deletion in writing upon Client’s request.

8. Fees & Payment

1. Fees. Client will pay the fees specified in the Order Form. Fees are exclusive of all applicable taxes, duties, and levies, which Client is responsible for paying.
2. Invoicing. Service Provider will invoice Client in accordance with the billing frequency specified in the Order Form (monthly or annually). Invoices are due Net 15 from the invoice date unless otherwise specified.
3. Late Payments. Past-due amounts accrue interest at the rate of 1.5% per month (or the maximum rate permitted by applicable law, whichever is less). Service Provider may suspend access to the Services (including Bureau submissions) after 30 days of delinquency, upon 10 days’ prior written notice.
4. Fee Adjustments. Service Provider may adjust fees upon 60 days’ written notice, effective at the start of the next renewal term. If Client objects to a fee increase, Client may terminate this Agreement at the end of the then-current term by providing notice within 30 days of the adjustment notice.
5. Refunds. All fees are non-refundable unless (a) expressly stated in the Order Form, or (b) a service credit is issued pursuant to the SLA.

9. Confidentiality

1. Obligations. Each party will (a) protect the other’s Confidential Information with at least the same degree of care it uses for its own similar information, but not less than reasonable care; (b) use such information only to perform or receive the Services; and (c) not disclose it except to employees, contractors, and advisors who have a need to know and are bound by obligations at least as protective as this Section.
2. Exclusions. Confidential Information does not include information that (a) is or becomes publicly available through no fault of the receiving party; (b) was known to the receiving party prior to disclosure; (c) is independently developed without use of the disclosing party’s Confidential Information; or (d) is rightfully received from a third party without restriction.
3. Compelled Disclosure. A party may disclose Confidential Information if required by law, regulation, or court order, provided it (a) gives prompt notice to the other party (to the extent legally permitted), (b) cooperates with efforts to obtain protective treatment, and (c) discloses only the minimum required.
4. Duration. Confidentiality obligations survive for five (5) years after disclosure, except that obligations regarding trade secrets survive indefinitely.

10. Warranties & Disclaimers

1. Service Provider Warranty. Service Provider warrants that the Services will materially conform to the Documentation during the Term. Client’s exclusive remedy for breach of this warranty is, at Service Provider’s option, (a) correction of the non-conforming Services, or (b) if correction is not commercially feasible, termination of the affected Services and a pro-rata refund of prepaid fees for the unused portion of the Term.
2. Client Warranty. Client warrants that (a) all data furnished is accurate, complete, and legally reportable; (b) Client has the legal authority to furnish such data to the Bureaus; (c) Client has obtained all required consumer authorizations; and (d) Client’s use of the Services complies with all applicable laws.
3. Mutual Warranty. Each party warrants that it has the legal power and authority to enter into this Agreement.
4. Disclaimer. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED “AS IS.” SERVICE PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ACCURACY OF BUREAU ACCEPTANCE. SERVICE PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ALL BUREAU SUBMISSIONS WILL BE ACCEPTED.

11. Indemnification

1. Client Indemnification. Client will defend, indemnify, and hold harmless Service Provider, its officers, directors, employees, and agents from and against any third-party claim, demand, penalty, fine, or loss arising out of or related to (a) Client’s breach of this Agreement; (b) inaccurate, incomplete, or unlawful data furnished by Client; (c) Client’s violation of any consumer-reporting law; or (d) Client’s failure to respond to disputes within legally required timeframes.
2. Service Provider Indemnification. Service Provider will defend, indemnify, and hold harmless Client from and against any third-party claim that the Services, as provided by Service Provider and used in accordance with this Agreement, infringe or misappropriate a third party’s intellectual property rights. If an infringement claim arises, Service Provider may, at its option, (a) modify the Services to be non-infringing, (b) procure the right for Client to continue using the Services, or (c) if neither (a) nor (b) is commercially reasonable, terminate the affected Services and refund prepaid fees for the unused portion of the Term.
3. Indemnification Procedures. The indemnified party will (a) provide prompt written notice, (b) grant the indemnifying party sole control of the defense and settlement (provided no settlement may impose non-monetary obligations on the indemnified party without its consent), and (c) provide reasonable cooperation at the indemnifying party’s expense.

12. Limitation of Liability

1. Cap. EXCEPT FOR THE EXCLUSIONS BELOW, EACH PARTY’S TOTAL CUMULATIVE LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF (A) THE FEES PAID OR PAYABLE BY CLIENT DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) FIFTY THOUSAND DOLLARS ($50,000).
2. Exclusion of Consequential Damages. NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, BUSINESS INTERRUPTION, OR COST OF COVER, REGARDLESS OF THE THEORY OF LIABILITY.
3. Carve-Outs. The limitations in Sections 12.1 and 12.2 do not apply to (a) breach of confidentiality obligations; (b) either party’s indemnification obligations; (c) either party’s gross negligence or willful misconduct; (d) Client’s payment obligations; or (e) Client’s infringement of Service Provider’s intellectual property.

13. Term & Termination

1. Term. This Agreement commences on the Effective Date and continues for the initial subscription term stated in the Order Form. It will automatically renew for successive periods of equal length unless either party provides written notice of non-renewal at least 30 days before the end of the then-current term.
2. Termination for Cause. Either party may terminate this Agreement immediately upon written notice if the other party (a) materially breaches and fails to cure within 15 days of receiving notice specifying the breach; (b) becomes insolvent, files for bankruptcy, or has a receiver appointed; or (c) ceases business operations.
3. Termination for Regulatory Reasons. Either party may terminate upon 30 days’ notice if a change in law or regulation materially prevents it from performing its obligations under this Agreement.
4. Effect of Termination. Upon termination or expiration: (a) all rights and licenses granted to Client immediately cease; (b) Client will cease all use of the Services; (c) all accrued fees become immediately due and payable; (d) each party will return or destroy the other party’s Confidential Information upon request; and (e) Service Provider will comply with the data return and destruction obligations in Section 7.5.
5. Survival. Sections 1 (Definitions), 6 (Intellectual Property), 7 (Data Ownership), 8 (Fees, as to accrued amounts), 9 (Confidentiality), 10 (Warranties & Disclaimers), 11 (Indemnification), 12 (Limitation of Liability), and 14–20 survive termination or expiration.

14. Insurance

During the Term, Service Provider will maintain (a) commercial general liability insurance with limits of at least $1,000,000 per occurrence; (b) technology errors and omissions (E&O) / cyber liability insurance with limits of at least $2,000,000 per occurrence; and (c) workers’ compensation insurance as required by law. Service Provider will provide certificates of insurance upon Client’s reasonable request.

15. Force Majeure

Neither party is liable for failure to perform obligations (other than payment obligations) due to events beyond its reasonable control, including natural disaster, war, terrorism, pandemic, governmental action, internet or cloud-provider outage, or Bureau system unavailability, provided the affected party (a) gives prompt notice, (b) uses reasonable efforts to mitigate, and (c) resumes performance as soon as practicable. If a force majeure event continues for more than 60 days, either party may terminate the affected Order Form.

16. Assignment

Neither party may assign this Agreement without the other party’s prior written consent, except that either party may assign without consent (a) to an Affiliate, or (b) in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee assumes all obligations under this Agreement. Any purported assignment in violation of this Section is void.

17. Governing Law & Dispute Resolution

1. Governing Law. This Agreement is governed by the laws of the State of New York, without regard to its conflict-of-laws principles.
2. Informal Resolution. Before initiating formal proceedings, the parties will attempt in good faith to resolve any dispute through direct negotiation between senior executives for a period of at least 30 days.
3. Jurisdiction. If informal resolution fails, the parties consent to the exclusive jurisdiction and venue of the state and federal courts located in the State of New York.

18. Notices

All notices under this Agreement must be in writing and delivered (a) by hand, (b) by nationally recognized overnight courier, (c) by certified mail (return receipt requested), or (d) by email with confirmation of receipt, to the addresses specified in the Order Form (or as updated by written notice). Notices are deemed given upon confirmed delivery. Routine operational communications (support tickets, API status updates, etc.) are not subject to this Section.

19. Amendments

Service Provider may update the general terms of this Agreement, SLA, DPA, or AUP by providing 30 days’ written notice. If Client objects to a material change, Client may terminate before the change takes effect by providing written notice within 15 days of the amendment notice. Continued use of the Services after the effective date of the amendment constitutes acceptance. Amendments to the Order Form require mutual written agreement.

20. General Provisions

1. Entire Agreement. This Agreement, together with the Exhibits and any Order Forms, constitutes the entire agreement between the parties and supersedes all prior and contemporaneous agreements, understandings, negotiations, and discussions, whether oral or written.
2. Severability. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, severed, and the remaining provisions shall continue in full force and effect.
3. Waiver. No failure or delay by either party in exercising any right shall constitute a waiver of that right.
4. No Third-Party Beneficiaries. This Agreement does not create any rights in any person or entity that is not a party to it.
5. Independent Contractors. The parties are independent contractors. Nothing in this Agreement creates an employment, agency, partnership, or joint venture relationship.
6. Electronic Execution. This Agreement and any Order Form may be executed electronically, and electronic signatures and click-through acceptances are binding and enforceable.
7. Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original.

Signatures

By executing this Agreement (or the applicable Order Form incorporating it), the parties agree to the terms set forth above.