This Developer Policy ('Policy') shall stipulate rules and guidelines that govern access to or use by a Developers ('you' or 'your') of the Okra products API, websites ('Site'), related tools, and other services ( 'our Service(s)') provided by Okra. Any violation of this Policy may result in the suspension or termination of your access to the Service and/or access to end-users’ personal and financial information (`End-User Data`).

By accessing and using the Service, you agree to comply with all the terms of this Policy. This Policy will apply each time you access or use the Service. If you are agreeing to the terms of this Policy on behalf of an organisation or entity, you represent and warrant that you are so authorised to agree on behalf of that organisation or entity. This Policy is important; please read it carefully.

To enroll for the Service, a Developer must create an account ('Account') by registering on Okra’s Site and providing true, accurate, and complete information about yourself and your use of the Service. A Developer shall be deemed by Okra to have honestly represented its identity or in any information that it may provide for its Account, and to keep the Account information up to date at all times. If a Developer becomes aware of any unauthorised use of its Account or any other breach of security, please immediately notify us via sending an email to security@okra.ng.

In relation to the use of the Service, the Developer undertakes to abide by all applicable local, state, national, and international laws and regulations. The Developer assumes sole responsibility for itself and agencies in ensuring that its use of the Service is in compliance with all laws and regulations applicable in this regard.

The Developer undertakes to conspicuously seek the consent of the end-user in using Okra to connect their financial accounts on their application or service. The Developer agrees to keep accurate records of every end user’s consent in this regard. The developer also undertakes to inform Okra of all end users who have revoked or intend to revoke all such consent earlier given.

The Developer is solely responsible for ensuring that its use of the Service is in compliance with the rules and guidelines of any system or network that facilitates payments and any security requirements, including under the Payment Card Industry Data Security Standards (PCI-DSS) and any other financial service regulatory standards as may be applicable.

Developers shall be responsible for securely maintaining end-users’ authentication credentials, including their Biometric Verification Number and other confidential end-user information in their possession. Developers must notify Okra immediately in the event of any breach or suspected breach of security including unauthorised use of its Developer account with Okra or any End-User Data. Developers shall never publish, distribute, or share confidential end user confidential information and must encrypt all data in storage and during transit.

Concerning End-User Data, Developer undertakes to follow industry best practices but, at a minimum, must perform the following:

• Maintain administrative, technical, and physical safeguards that are designed to protect the security, privacy, and confidentiality of End-User Data.
• Use modern and industry standard cryptography when transmitting any End-User Data.
• Maintain reasonable access controls to ensure that only authorised people have access to any End-User Data.
• Monitor your systems for any unauthorised access. Respond to security queries and vulnerabilities in a timely fashion.
Report to Okra any events suggesting unauthorised access.
• Plan for and respond to security vulnerabilities or incidents.
• Comply with relevant rules and regulations with regard to the type of data you are handling, such as the Safeguards Rule.

Unless otherwise agreed in writing with Okra, Developer agrees to only store all End-User Data in the locations in which it operates or licensed to be securely stored. All End-User Data in your possession must be stored securely and in accordance with applicable laws and regulations.

Developer shall be solely responsible for providing all customer service to end-users for any and all issues relating to its product and services, including but not limited to issues relating to its use of the Service.

Developer’s Accounts shall be deactivated from the Service in accordance with any applicable agreement between Okra and such Developer. Okra may also deactivate Developer Account if such a Developer has ceased using the Service for 12 months. With respect to the effluxion of time referred to in this policy, a Developer’s agreement with Okra also terminates.

Where a Developer’s Account is deactivated, Okra may still retain any information we collected about such a developer for as long as necessary to fulfill the purposes outlined in our privacy statement, or for a longer retention period as required/permitted under applicable law.

The Developer agrees not to assist or otherwise enable any third party to:

• Access or use the Service or End-User Data for any unlawful, infringing, threatening, abusive, obscene, harassing, defamatory, deceptive, or fraudulent purpose;
• Collect and store end-user’s bank credentials and/or End-User Data other than as required to access or use the Service, as authorised by the end user, as permitted by Okra, and as permitted under applicable law;
• Use or disclose any 'Sensitive Personal Data' (as defined under the 'Nigeria Data Protection Regulation 2019' ) received from Okra for any purpose not permitted under applicable law;
• Access or use the Service or access, transmit, process, or store End-User Data in violation of any applicable privacy laws or in any manner that would be a breach of contract or agreement with the applicable end-user;
• Access or use the Service to infringe any patent, trademark, trade secret, copyright, right of publicity, or other right of any person or entity;
• Access or use the Service for any purpose other than for which it is provided by us, including for competitive evaluation, spying, creating a substitute or similar service to any of the Service, or other nefarious purpose;
• Scan or test (manually or in an automated fashion) the vulnerability of any Okra infrastructure without express prior written permission from Okra;
• Breach, disable, interfere with, or otherwise circumvent any security or authentication measures or any other aspect of the Service;
• Overload, flood, or spam any part of the Service;
• Create developer accounts for the Service by any means other than our publicly- supported interfaces;
• Transfer, syndicate, resell, or otherwise distribute the Service or End-User Data without express prior written permission from Okra;
• Modify, translate, or otherwise create derivative works of any part of the Service;
• Access or use the Service or End-User Data in a manner that violates any agreement between the Developer or the end-user and Okra; or
• Access or use the Service or End-User Data in a manner that violates any applicable law, statute, or regulation.

Okra reserves the right to withhold or refuse access to the Service and/or End-User Data in whole or in part where we believe the Service is being accessed or used in violation of this Policy or any other agreement with Okra and a Developer, including Okra’s agreements with any third-party partners or where use would pose a risk to an end-user, any Partner, or Okra itself.

Okra shall use reasonable efforts to notify a Developer in writing when deciding to suspend or terminate access to the Service and/or End-User Data. Okra may immediately suspend or terminate access without notice if Okra deems it expedient to do so or where such continued access amounts to a violation of any applicable law or that exposes Okra, its infrastructure, data, or Service, or any Partner to harm, including damage to business goodwill.

If any person or member of the general public becomes aware of a violation of this Policy, we request that you immediately notify us via email to report@okra.ng. Okra may take any appropriate action including reporting any activity or conduct that we suspect violates the law to appropriate law enforcement officials, regulators, or other appropriate third parties in our sole discretion in respect to such violations.

The failure by a Developer or Okra to exercise in any respect any right provided for herein shall not be deemed a waiver of any further rights hereunder.

Where any provision of this Agreement is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary and shall not invalidate the entirety of this Agreement and that this agreement shall otherwise remain in full force and effect and enforceable.

Nothing in this agreement shall be construed to permit the deciphering, decompiling, disassembling, copying, reverse engineering, or attempt to derive any source code or underlying ideas or algorithms of any part of the Service, except as permitted by applicable law.

Okra shall not be liable for any damages of any nature suffered by you or any third party resulting from Okra’s exercise of its rights under this Policy or under applicable law.