SPENDESK API AGREEMENT

This API agreement (the “Agreement”) is entered into between Spendesk SAS, a simplified joint-stock company (société par actions simplifiée) incorporated under the laws of France, which registered office is located at 51, rue de Londres – 75008 Paris, and registered under number RCS Paris 821 893 286 (“Spendesk”), and a natural person or legal entity authorised by Spendesk to integrate the API (the “Developer”).

1. Contractual documents

1.1. Purpose and acceptance of this Agreement

This Agreement governs the Developer’s access to, and use of the application programming interface, related services and Documentation provided by Spendesk (the “API”).

By accessing or using the API, the Developer agrees to be bound by this Agreement and accepts all its terms. If the Developer does not accept all the terms of this Agreement, then it cannot use the API.

Acceptance of the Agreement will be expressed through an onboarding form, or any other agreement submitted to the Developer by Spendesk (the “Onboarding Form”). The Developer expressly acknowledges having read and understood the Agreement and accepting it in its entirety without reservation. The Developer must ensure that every User complies with the provisions of the Agreement.

1.2. API Documentation

The technical and functional documentation for the API (the “Documentation”) is made available by Spendesk at developer.spendesk.com/ or by any other means notified to the Developer.

1.3. Spendesk Standard Terms

The Developer can be a customer of Spendesk. However, Spendesk does not provide access to its standard product (or to payment services) to the Developer under this Agreement. Any subscription to Spendesk standard product (including payment services) will be subject only to complete registration and acceptance of Spendesk’s standard terms and conditions of use accessible at www.spendesk.com/en-eu/legals/terms/ (the “Standard Terms”), in accordance with the provisions of the Standard Terms.

2. Access to the API

2.1. API key

After approval of the Onboarding Form by both parties, the Developer will be provided by Spendesk with a unique API key for its Authorised Integration, which is required for using the API.

2.2. Security - Credentials

The Developer and the Users will access the API via dedicated credentials (the “Credentials”).

The Developer is solely responsible for maintaining the confidentiality of the Credentials. The Developer and its Users must not share, transfer, or disclose this confidential data to any third party.

The Developer is solely and entirely responsible for all uses of the API occurring under the Credentials.

2.3. Actions from Users

In this Agreement:

1. “Users” refers to natural persons accessing the API via the dedicated Credentials to develop an Authorised Integration on behalf of the Developer, in the context of their professional activity; and

2. “Developer” must be interpreted as referring to (a) the Developer itself if it is a natural person or (b) the Developer acting through a User if it is a legal entity.

Any act, decision, instruction, or request entered by a User via the API will be considered as act, decision, instruction, or request entered by the Developer. The Developer is solely responsible for any actions performed by the Users in the context of this Agreement.

3. Authorised Integration

3.1. Limited scope

The Developer is authorised to develop its integration between Spendesk services and its software, content, services, technology, data base or other digital materials via the API within the scope defined and agreed upon in the Onboarding Form (the “Authorised Integration”), subject to the Developer’s compliance with this Agreement.

Spendesk reserves the right, in its sole discretion, to refuse any integration or to limit its scope.

Any integration by the Developer beyond the agreed scope is strictly prohibited.

3.2. Pre-Launch approval

If the Developer builds an Authorised Integration for use by Spendesk’s customers and prior to its general availability, the Developer must present the Authorised Integration to Spendesk's product team, including any technical details as required by Spendesk. Spendesk is allowed to perform any testing of the Authorised Integration to ensure that the Authorised Integration will not adversely affect Spendesk’s API, website, application, and services.

Spendesk reserves the right to delay, require adjustments, or cancel the Authorised Integration launch, particularly (but not limited to) in case of security concerns, bugs, or technical malfunctions.

3.3. Access to the Authorised Integration by Spendesk’s customers

If the Developer builds an Authorised Integration for use by Spendesk’s customers, the Developer is informed that only customers with appropriate subscription plans or add-ons are eligible to access the Authorised Integration. The Developer must not circumvent any restrictions implemented by Spendesk, to give access to the Authorised Integration to non-eligible customers of Spendesk.

3.4. API usage optimisation – Limitations

The Developer must design and operate the Authorised Integration to minimise usage of the computing resources of Spendesk’s systems, and promptly remedy any situation resulting in an unusually high number of requests being sent to or received by Spendesk’s systems.

Spendesk can, in its sole discretion, limit: (i) the rate at which the Spendesk services, or any subset of them, can be called, (ii) the amount of storage, if any, made available through the API or Spendesk services, (iii) the size of data packets that can be uploaded to, or served from, the Spendesk services, and/or (iv) the duration of any session of use of the Spendesk services (all of the foregoing being forms of “Throttling”) as necessary in order to preserve the proper functioning of Spendesk’s systems. Spendesk can perform this Throttling across all Spendesk services, across individual services, per customer, per Authorized Integration, or on any other basis. The Developer will not take steps to circumvent any technical measures put in place to enforce Throttling.

4. Intellectual property

4.1. License on the API

Spendesk hereby grants the Developer a limited, non-exclusive, non-transferable, revocable license, during the term of this Agreement, to access and use the API solely for the purpose of integrating Spendesk services with the Developer's applications, websites, or platforms for the Authorised Integration (i.e., within the scope declared and agreed with Spendesk through the Onboarding Form).

4.2. Ownership of the API

Spendesk is the sole owner of all rights, title, and interest in and to the API, including all intellectual property rights therein. The Developer will not acquire any rights or licenses in the API or Spendesk’s Confidential Information, except as expressly provided in article 4.1 of this Agreement.

4.3. Restrictions

The API contains protected trade secrets and/or Confidential Information of Spendesk and its licensors. The Developer agrees not to (and represents that the Users will not) make any prohibited use of the API as described in article 6.4.

4.4. Feedback

All suggestions, proposals, ideas, recommendations, or other feedback to improve the API or other Spendesk products are referred to collectively as “Feedback”. The Developer agrees to provide Spendesk with Feedback as reasonably requested from time to time.

The Developer grants to Spendesk a non-exclusive, worldwide, irrevocable, fully paid, royalty-free, sublicensable, and transferable license under any intellectual property rights that the Developer owns or controls, to use, copy, modify, and otherwise exploit the Feedback for any purpose.

4.5. Use of the other party’s name and logo for marketing purposes

If the Developer builds an Authorised Integration for use by Spendesk’s customers:

1. each party grants to the other party a free, non-exclusive, non-transferable, revocable license limited to the territory of the services under this Agreement, for the use of (a) its brand (name and associated logo) and (b) other commercial materials specifically provided under the Agreement (together, the “Marketing Materials”);

2. this licence is granted for a limited term which may in no case exceed the term of the Agreement and each party undertakes to use the Marketing Materials of the other party only in the strict framework of the performance of the Agreement;

3. except for the licence expressly provided for in this article, each party agrees that the Agreement does not imply any other transfer of intellectual property rights relating to the elements belonging to it and of which it remains the exclusive owner;

4. each party undertakes not to associate the other party’s Marketing Materials with any potentially dangerous, threatening, defamatory, obscene, offensive, sexually explicit, violent, discriminatory, or otherwise objectionable content;

5. the Developer undertakes to comply with the Spendesk logo charter;

6. the Developer must place a Spendesk logo (a) in the integration section of its website as agreed between the parties and (b) throughout the connected user flow on the Developer’s application.

5. Spendesk’s undertakings

5.1. Security and availability

Spendesk undertakes to:

1. make its best efforts to ensure the security of the API;

2. inform the Developer of any reasonably foreseeable difficulty for the proper operation of the API; and

3. carry out regular checks to verify the proper operation and accessibility of the API.

Information about Spendesk security measures is available in Spendesk Trust Center.

Any evolution or new version of the API issued by Spendesk cannot have the effect of reducing the general level of security of the API.

5.2. Spendesk’s assistance for the integration of the API

Spendesk will provide the Developer with reasonable technical support, consisting of answering reasonable questions regarding the integration the API, for the purpose of delivering the Authorised Integration.

6. Developer’s undertakings

6.1. Compliance with regulations

The Developer undertakes, in the context of this Agreement and the use of the API:

1. to comply with all applicable laws, regulations, and industry standards; and

2. not to infringe the rights of third parties or public order.

6.2. Compliance with contractual documents

The Developer acknowledges having read and understood the Documentation, which details the characteristics and constraints of the API. The Developer undertakes to use the API only in accordance with this Agreement, the Documentation and other guidelines specifically provided by Spendesk.

The Developer will respond to any questions from Spendesk about its compliance with this Agreement. Spendesk can restrict or terminate access to the API or perform an audit (including by hiring an independent auditor acting on Spendesk’s behalf) of the Authorised Integration if the Developer fails to provide adequate information and materials to verify its compliance with this Agreement.

6.3. Technical support to Spendesk’s customers

If the Developer builds an Authorised Integration for use by Spendesk’s customers, the Developer will provide technical support to Spendesk’s customers for all Authorised Integrations. The Developer’s support will be the greater of (i) the level of support Spendesk provides to its customers or (ii) the level of support the Developer generally provides to its customers. Notwithstanding the foregoing, the Developer will respond promptly to all customers’ support requests and will use reasonable efforts to resolve all customers’ support issues within thirty (30) days.

6.4. Prohibited use

The Developer undertakes not to:

1. use the API, or allow access to it, in a manner that circumvents contractual usage restrictions or that exceeds Developer’s authorized use set forth in the Agreement;

2. interfere with the normal functioning of the API or perform any action that could cause the interruption or deterioration of any feature of the API or other Spendesk products;

3. breach or attempt to breach, scan, or test the vulnerability of the security system and related systems of the API or other Spendesk products;

4. interfere or attempt to interfere via the API with the account of Spendesk’s customers who did not specifically request access to the Authorised Integration, and more generally access to any data that is not intended for the Developer or Spendesk’s customers who specifically requested access to the Authorised Integration;

5. upload via the API, display or otherwise transmit any material containing software viruses or other computer codes, files or programs designed to interrupt, destroy, limit the functionality or flood the API, the host, the network, the messaging services or other products accessible via the API;

6. license, sub-license, sell, re-sell, rent, lease, transfer, distribute, time share or otherwise make any portion of the API available for access by third parties except as otherwise expressly provided in the Agreement;

7. reverse engineer, decompile, disassemble, or copy the API, or otherwise attempt to derive source code or other trade secrets or create any derivative works from or about any of the API, or otherwise access or give access to a direct competitor of Spendesk for the purpose of developing or operating products or services in competition with Spendesk services; and

8. use the API in a way that: (a) violates or infringes upon the rights of a third party, including those pertaining to contract, intellectual property, privacy, or publicity; or (b) effects or facilitates the storage or transmission of libellous, tortious, or otherwise unlawful material including, but not limited to, material that is harassing, threatening, or obscene.

7. Update of the API and the Authorised Integration

7.1. Update and maintenance of the API by Spendesk

Spendesk may issue regular updates and/or new versions of the API. In this context, the Developer must ensure the compatibility of its Authorised Integration with the API, which means that:

1. Spendesk can decommission former API versions from time to time (with reasonable advance notice) in which case the Developer will need to implement necessary changes to migrate to the latest version of Spendesk API in advance of an API decommissioning; and

2. If Spendesk makes available pre-release versions of the API, the Developer must ensure that the Authorised Integration functions with each upgraded or updated version of the API no later than the end of the testing period for the upgraded or updated version of the API.

Spendesk reserves the right to modify at any time the technical arrangements for access to the API depending, in particular, on the evolution of the technology, the regulations, or its offer of services. It is the Developer’s responsibility to ensure that the Authorised Integration remains up to date.

Notwithstanding Spendesk’s rights under this article, Spendesk has no specific obligation to update or maintain its API and this Agreement can be terminated in accordance with article 15.

Spendesk may temporarily suspend the API to perform necessary repairs, maintenance, or improvements of its API or other services. Spendesk will provide reasonable advance notice of any such suspension where it is practicable under the circumstances, and Spendesk will use commercially reasonable efforts to promptly restore the API. Spendesk excludes any and all liability of any kind relating to any problems of whatever nature which have been caused by the suspension of the API.

7.2. Maintenance of the Authorised Integration by the Developer

If the Developer builds an Authorised Integration for use by Spendesk’s customers:

1. The Developer is responsible for monitoring and maintaining its Authorised Integration, addressing issues promptly; and

2. Spendesk reserves the right to request enhancements to the Authorised Integration in the event of new functionality being released or to address customer complaints or performance issues.

8. Collaboration and transparency

This article applies only if the Developer builds an Authorised Integration for use by Spendesk’s customers.

8.1. Technical aspects

The Developer must provide a designated point of contact for all integration-related queries from Spendesk.

The Developer must provide Spendesk with an account to access its services, free of charge (with access to production environment, or demo environment if the features and data flow are similar to the production environment). Spendesk will be allowed to reasonably use this account to audit the Authorised Integration and to monitor the Developer’s compliance with this Agreement.

8.2. Commercial and marketing aspects

The Developer must, upon request from Spendesk, provide a training (which may be in the form of video recordings) to Spendesk’s sales, customer success and support teams to ensure alignment on the joint value proposition.

The Developer must reasonably collaborate with Spendesk’s requests for joint marketing initiatives in the context of the go-to-market of the Authorised Integration. The Developer must provide a designated point of contact for all marketing-related queries from Spendesk.

9. Financial conditions

Access to the API can be charged by Spendesk to the Developer, under the conditions (amount, frequency) provided in the Onboarding Form.

If the Developer builds an Authorised Integration for use by Spendesk’s customers:

1. Spendesk reserves the right to change the applicable pricing at any time, upon notification by email from Spendesk to the Developer sent with three (3) months prior notice; and

2. Invoices issued by Spendesk to the attention of the Developer must be paid within thirty (30) days of its issue date.

If the Developer acts as a customer, contractual conditions applicable to pricing and billing are provided in the Standard Terms.

In case of unpaid fees by the Developer, Spendesk reserves the right to block the Authorised Integration and access to the API for the Developer.

10. Confidentiality

For purposes of this Agreement, “Confidential Information” means all information exchanged between the parties before and/or while using the API (whether in writing or orally) including (but not limited to) non-public documents and information of a legal, commercial, industrial, strategic, technical, or financial nature.

Each party undertakes (i) to keep strictly confidential all received Confidential Information, (ii) not to disclose Confidential Information without the prior written consent of the other party, and (iii) not to use any Confidential Information for any other purpose than the performance of this Agreement.

This obligation does not extend to documents and information for which it can be proven that:

1. they were previously known by the receiving party;

2. they were already public at the time of disclosure, or which would become public without breach of this Agreement;

3. they would have been lawfully received from a third party; or

4. a disclosure would be required by the judicial authorities, pursuant to the laws and regulations or with a view to establishing the rights of a party under this Agreement.

This obligation of confidentiality extends to all employees, contractors, trainees, managers, and agents of the parties as well as their advisers and affiliates, to whom Confidential Information may only be transmitted on a need-to-know basis and if they are bound by the same obligation of confidentiality as that provided for herein.

It will remain effective for three (3) years following the end of the Agreement.

The receiving party may retain Confidential Information after the contractual term, to the extent required by applicable law or by its internal compliance policies or if such Confidential Information has been created in accordance with automatic electronic archiving procedures. Any Confidential Information that is kept by the receiving party in accordance with the foregoing will continue to be subject to the confidentiality obligations of this Agreement.

11. Personal data

11.1. If the Developer acts as a customer of Spendesk

If the Developer acts as a customer of Spendesk:

1. when building the Authorised Integration: the Developer acts as sole data controller for any potential processing of personal data and as such the Developer is solely liable for the compliance of the Authorised Integration with industry-standard security measures and data protection legislations; and

2. when using Spendesk services via the Authorised Integration: the Developer acts as data controller and Spendesk acts as data processor, as defined in the Standard Terms.

11.2. If the Developer builds an Authorised Integration for customers of Spendesk

If the Developer builds an Authorised Integration for use by Spendesk’s customers:

1. the Developer must ensure that its own terms and conditions and privacy policy are easily available and organise the processing of personal data between the Developer and the customers, which scope is out of Spendesk’s control;

2. the Developer’s privacy policy must meet applicable legal standards and describe the collection, use, storage and sharing of data in clear, understandable, and accurate terms;

3. the Developer is required to follow applicable legal requirements if the use of its services will result in the international transfer of personal data; and

4. the Developer must promptly notify Spendesk in writing via email to privacy@spendesk.com of any data breach that impact or may impact customers or users of Spendesk services.

12. Third-Party Services

The Developer, acting in particular as a customer of Spendesk, may choose at its discretion to integrate its services with third-party products and services (“Third-Party Services”) made available the API provided by Spendesk. Any acquisition by the Developer of Third-Party Services is solely between the Developer and the applicable Third-Party Services provider. Spendesk does not warrant, endorse, or assume any liability or other obligation with respect to such Third-Party Services, except as expressly provided in the Agreement.

If the Developer decides to integrate its own services with Third-Party Services via the API provided by Spendesk in a manner that requires Spendesk or the API to exchange its data with such Third-Party Service or Third-Party Service provider, the Developer:

1. grants Spendesk permission to allow the Third-Party Services and Third-Party Service provider to access the Developer’s data and information in an appropriate and necessary manner to enable the interoperability of such Third-Party Services with the Developer’s services;

2. acknowledges that any exchange of data between the Developer and any Third-Party Services is solely between the Developer and the Third-Party Service provider and is subject to the Third-Party Service provider's terms and conditions governing the use and provision of such Third-Party Services; and

3. releases Spendesk from any liability for any disclosure, modification or deletion of the Developer’s data resulting from access to such data by the Third-Party Services and the Third-Party Service provider.

13. Modification of the Agreement

Spendesk reserves the right to amend, at any time, all or part of this Agreement between Spendesk and the Developer, giving a reasonable prior notice to the Developer when possible. The Developer’s continued use of the API following the release of a subsequent version of this Agreement will be deemed its acceptance of any modifications of this Agreement.

Spendesk cannot under any circumstances be held liable for any damage, in any capacity whatsoever, in connection with the amendment of the Agreement, if the Developer refrains from terminating the Agreement and continues to use the API after the effective date of the amendments.

14. Effective date and duration of the Agreement

The Agreement is effective as from the signature date of the Onboarding Form, for an indefinite period until its termination under the conditions provided for in article 15. 

15. Termination of the Agreement

15.1. Termination at the Developer’s initiative

The Developer can at any time (with at least two (2) months’ prior notice if Spendesk’s customers are impacted): (i) discontinue its use of the API by deactivating its Authorised Integration and/or (ii) terminate the Agreement.

15.2. Termination at Spendesk’s initiative

Subject to any contrary provision agreed in a contract with the Developer, Spendesk can terminate this Agreement, any rights granted herein, and/or the Developer’s license to the API at any time, in its sole discretion, for any reason. When possible, this termination will be subject to prior written notice, but Spendesk can also terminate the access to the API with immediate effect (including in case of temporary limitation or denial of access to the API for security reasons).

Spendesk will not be liable to the Developer for any damages resulting solely from termination of this Agreement.

15.3. Effects of the termination

Upon termination, access to the API and all licenses granted herein immediately expire, and the Developer must cease use of the API. The Developer must also comply, as the case may be, with customers’ instruction to return or delete any data accessed or obtained through the API, unless prohibited by law.

Upon any termination, discontinuation or cancellation of the API, this Agreement or the Developer’s access, the following articles of this Agreement will survive to the extent they remain applicable: 4.2, 4.3, 4.4, 10, 11, 16, 17 and 18.

16. Liability and indemnification

16.1. Developer’s liability - Indemnification

The Developer is liable for any damages arising from its use of the API. The Developer is solely responsible for the accuracy, quality, and legality of the content uploaded by it via the API.

The Developer undertakes to indemnify, defend, and hold harmless Spendesk and its officers, directors, employees and affiliates against any claim, action or proceeding of third parties, insofar as it is caused by a breach by the Developer of its obligations under the Agreement. The Developer undertakes to indemnify Spendesk for any damage that the latter may suffer, and to pay it all fees, charges and/or penalties that it may incur as a result. The Developer will be solely responsible for defending any claim, subject to Spendesk’s right to participate with legal counsel it selects, and the Developer will not agree to any settlement that imposes any obligation or liability on the above-mentioned indemnified parties without Spendesk’s prior written consent.

16.2. Spendesk’s liability

The Developer acknowledges that the API is being provided “as is”. Spendesk makes no warranty that any part of the API will meet the Developer’s requirements and/or that the API will be uninterrupted, timely or error-free, nor does Spendesk make any warranty as to the results that may be obtained from the use of the API, or the accuracy of any other information obtained through the API.

Spendesk’s liability under the Agreement is limited to the direct damages suffered by the Developer, excluding any indirect damages.

In addition, the liability of Spendesk is limited, for all damages, to the greater of (a) the amount of the fees paid by the Developer during the twelve (12) calendar months preceding the event giving rise to the liability of Spendesk or (b) the sum of ten thousand euros (€10,000); it being specified that this limitation of liability does not apply in the event of gross negligence or fraudulent conduct by Spendesk.

Spendesk cannot be held liable in the event of:

1. misappropriation of the Credentials and, more generally, any information of a sensitive nature for the Developer of which, for example, a third party might make a fraudulent use, if this misappropriation results from an action or omission of the Developer; or

2. damage suffered by the Developer resulting from an act or omission of a third party, including in the event of immediate suspension of the API or termination of the Agreement at the request of a supervisory authority such as the ACPR.

16.3. Test versions of the API

Spendesk may occasionally make a test version of its API available to the Developer prior to its official release date. Such versions are referred to by Spendesk as “beta”, “alpha”, “test” or another similar name.

If the Developer is given access to a test version of the API, it acknowledges that: (a) this version of the API is provided to the Developer for free and it has not been made commercially available by Spendesk; (b) this version of the API may not operate properly, be in final form or fully functional; (c) this version of the API may contain errors, design flaws or other problems; (d) it may not be possible to make the API fully functional; (e) use of the test API may result in unexpected results, corruption or loss of data, or other unpredictable damage or loss. The Developer assumes all risk arising from use and test of this test version of the API.

17. Miscellaneous

17.1. Severability

If one or more provision(s) of the Agreement are considered invalid or declared as such pursuant to a law, a regulation or following a final decision of a competent court, the other provisions will remain in full force and effect.

17.2. No waiver

Neither party will be treated as having waived any rights by not exercising (or delaying the exercise of) any rights under the Agreement. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or applicable regulations.

17.3. Language

The English version of the Agreement is deemed authentic. Any other available translation of the Agreement exists for information purposes only.

17.4. Prior agreements

This Agreement constitutes the entire agreement between Spendesk and the Developer with respect to its subject matter. It supersedes and replaces all prior oral or written agreements with respect to its subject matter, including any confidentiality or non-disclosure agreements.

17.5. Assignment

The Developer may not assign or transfer this Agreement, by operation of law or otherwise, without Spendesk prior written consent. Any attempt by the Developer to assign or transfer this Agreement, without such consent, will be null and have no effect. Spendesk may freely assign or transfer this Agreement without restriction. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their successors and permitted assigns.

18. Applicable law and jurisdiction

This Agreement is subject to French law.

Any dispute relating in particular to the validity, interpretation, or execution of this Agreement will be subject to the exclusive jurisdiction of the Commercial Court of Paris.