Earned Wage Access Addendum

This Earned Wage Access Addendum (“Addendum”) is entered into by and between One Finance, Inc. (“OnePay”) and the Company listed on the applicable Order Form (“Company”), and supplements that certain Enterprise Terms of Service (“Terms”). 


  1. Purpose. This Addendum sets forth the terms and conditions under which OnePay will offer Earned Wage Access (“EWA”) Services, as further described herein, to Employees of Company. 

  2. Relationship to the Agreement. This Addendum supplements the Order Form and Terms (the “Agreement”). Except as expressly modified by this Addendum, the Agreement remains in full force and effect. In the event of a conflict or inconsistency between the Agreement and this Addendum, the terms of this Addendum shall govern solely with respect to the EWA Service. 

  3. Definitions. Defined terms not otherwise defined in this Addendum shall have the meanings set forth in the Terms.

    1. "Company Administrator(s)" means an individual(s) designated by Company to (i) serve as Company’s primary point of contact for coordinating and assisting with the implementation of the EWA Service (and any related services) provided by OnePay, and (ii) oversee, on Company’s behalf, the timely performance of Company’s obligations under this Agreement.

    2. “Company-Provided Data” means, Payroll Data, Employment Data, and Timekeeping & Compensation Data. 

    3. “Data & Operations Guide” means the document provided by OnePay to Company that sets forth the Company-Provided Data and Deduction File requirements, including; file formats, transmission and integration specifications, disclosures, Deduction File processing and administration, and other operational details necessary to launch and maintain the EWA Service, as updated by OnePay from time to time.

    4. “Deduction File(s)” means a data file prepared by OnePay and provided to the Company that lists all post-tax amounts to be withheld from employees’ paychecks by the Company to repay EWA Advances.

    5. “Employment Data” means, for each EWA Employee: demographic, employment status, and any other data reasonably required by OnePay to provide the EWA Service. 

    6. "EWA Advance(s)" means a disbursement by OnePay to an EWA Employee under this Addendum representing a portion of accrued, unpaid wages as reported in the Payroll Data.

    7. “EWA Employees” means Employees that applied for and are approved to receive the EWA Service. 

    8. "EWA Service" means the OnePay service under which EWA Employees may request EWA Advances of wages earned but not yet paid by the Company.

    9. "Payroll Data" means, for each EWA Employee, gross earnings, net earnings, deductions, hours worked, and any other data reasonably required by OnePay to provide the EWA Service.

    10. “Timekeeping & Compensation Data” means, for each EWA Employee, the compensation details and timekeeping data required by OnePay to provide the EWA Service.

    11. "Settlement Failure" means any failure by the Company to administer payroll deductions and withhold from payroll an amount equal to the aggregate amount of all EWA Advances for a payroll cycle and remit such amounts to OnePay.

  4. OnePay Obligations. OnePay will:

    1. undertake the disbursement of EWA Advances to EWA Employees in material compliance with Applicable Law and this Addendum.

    2. provide EWA Employee-facing customer support through in-app and email

    3. provide mutually agreed upon launch and promotional Materials for the Company to use to promote the EWA Service and support the Company with best practices regarding the deployment thereof. 

  5. Company Obligations. Company will: 

    1. Provide Company Administrators: Company shall designate at least two (2) Company Administrators who will serve as primary points of contacts with OnePay for the integration and ongoing administration and maintenance of the EWA Service.

    2. Provide Necessary Data. Company will provide all data reasonably required for offering of the EWA Service including the Company-Provided Data, as further detailed in the Data & Operations Guide. Timely and accurate provision of such data is a precondition to OnePay’s ability to deliver the EWA Service.

    3. Deduction Authority. Company will accept and process all Deduction Files received from OnePay in accordance with the designated pay schedule for each EWA Employee without set-off, defense, or counterclaim, as outlined in the Data & Operations Guide.

    4. On-going basis: Company on an on-going basis shall:

      1. promptly alert OnePay of any issues with Company’s ability to comply with its obligations in the Data & Operations Guide

      2. Provide at least two pay cycles advance written notice of technical and/or process changes that may impact the OnePay/Company integration, as outlined in the Data & Operations Guide

      3. actively cooperate with OnePay on resolution and remediation in the event that an issue, error or omission could reasonably be expected to have a material adverse impact on an EWA Employee or OnePay. 

      4. The Company shall implement and maintain practices designed to prevent fraud, unauthorized access, and other activities that may create fraud or risk vectors, in accordance with the Data & Operations Guide. Fraud losses that result from Company’s failure to implement and maintain required controls shall be the sole responsibility of Company.

  6. Data Security and Access Controls.

    1. Company will (i) protect credentials and systems used to access or transmit data to OnePay, (ii) train Company Administrators and relevant staff on secure-password practices, (iii) promptly report any suspected breach related to the Company-Provided Data or EWA Employees to OnePay, and (iv) not intentionally disrupt the EWA Service, access restricted areas, or test system vulnerabilities.

    2. The Parties agree to the terms and obligations in Schedule A. 

    3. Each Party represents and warrants that any files or data it shares with the other Party pursuant to the Data & Operations Guide will not contain malicious code, viruses, worms, Trojan horses, or any other harmful or destructive content. 

  7. Representations and Warranties. Company represents and warrants that all Company-Provided Data submitted are accurate and complete based on actual time worked or a mutually agreed calculation methodology. 

  8. Indemnification. In addition to the indemnification obligations in the Agreement, Company shall indemnify OnePay, its Affiliates, and their respective officers, directors, employees, advisors, and agents from and against any and all damages, losses, liabilities, costs, expenses (including reasonable attorney’s fees), fines, penalties, and amounts paid in settlement arising out of or relating to (i) inaccurate, incomplete, or late submission of Company-Provided Data, (ii) Company’s failure to remit repayment of EWA Advances, (iii) any wage and hour investigations, proceedings, audits, or related matters involving Company or its employees, or (iv) any Settlement Failures. Company’s indemnification obligations under this Addendum are not subject to any limitation of liability and shall survive termination or expiration of this Agreement. 

  9. Limitation of Liability. Except in the case of (a) gross negligence, willful misconduct, or fraud; (b) indemnification obligations; (c) breach of confidentiality; (d) breach of data-protection or information-security obligations (a “Security Incident”); (e) infringement or misappropriation of the other Party’s intellectual property rights; (f) Company’s failure to comply with the Data & Operations Guide; (g) fraud losses to the extent arising from or related to the Company’s negligence; or (h) any liability that cannot legally be limited or excluded under applicable law, neither Party shall be liable to the other for any indirect, consequential, incidental, special, exemplary, or punitive damages (including lost profits, revenues, business, or goodwill), whether in contract, tort (including negligence), strict liability, or otherwise, and the total cumulative liability of either Party for all claims arising out of or relating to this Addendum shall not exceed One Hundred Thousand U.S. Dollars (US $100,000); provided, however, that the Company’s obligations to remit payroll deductions related to EWA Advances, together with the related indemnification obligations, and the Company’s liability for (i) unpaid EWA Advances caused by inaccurate or late Company-Provided Data, (ii) failure to process Deduction Files and remit repayment of EWA Advances paid by OnePay, (iii) untimely notification of EWA Employee terminations, and (iv) failure to notify OnePay of any fraud, misuse, or abuse facilitated through the Company’s systems, shall not be subject to such limitation of liability and shall remain absolute, unconditional, and not subject to set-off, defense, or counterclaim, and shall survive expiration or termination of this Addendum.

  10. Suspension Rights and Disclaimers. 

    1. OnePay makes no representations that EWA Advances constitute loans or credit. OnePay may, in its sole discretion, suspend or limit the EWA Service to comply with risk-management or legal requirements, without liability. 

    2. OnePay may suspend or limit access to the EWA Service, in whole or in part, without liability, if (i) Company fails to (x) timely provide accurate Company-Provided Data or (y) remit repayment amounts as required under this Agreement, or (ii) if OnePay determines in its sole discretion that an EWA Employee poses a fraud, abuse, or misuse risk.

  11. Independent Relationship. Notwithstanding anything to the contrary in this Addendum, the Parties acknowledge and agree that any EWA Employee (including any Employee who starts but does not finish an application) who accesses the EWA Service does so as an independent customer of OnePay. All data, information, or materials provided directly by an EWA Employee to OnePay or its Affiliates shall be governed solely by the applicable terms and conditions, privacy policies, or agreements between such EWA Employee and OnePay (or its Affiliates). For clarity: (a) Company shall have no ability to impose limitations or restrictions on OnePay’s collection, use, or processing of such data, and (b) OnePay shall have no obligations to Company with respect to such data, information, or materials. 

  12. Intellectual Property. In addition to the intellectual property obligations in the Agreement, the Parties agree that: 

    1. Company grants OnePay and its Affiliates a perpetual, worldwide, irrevocable, transferable, sublicensable, royalty-free license to collect, use, reproduce, modify, create derivative works of, distribute, and otherwise exploit (a) usage, performance, and other technical data generated through Company’s and Employee’s use of the EWA Service (“Analytics”) and (b) Company and Employee data that OnePay has aggregated or otherwise de-identified so it cannot reasonably identify Company or Employee (“De-identified Data”), for any lawful purpose—including operating, maintaining, securing, and improving the Platform or Products, developing or training algorithms and models, and producing benchmarks, reports, or other materials for internal or external publication—provided that OnePay will not disclose Analytics or De-identified Data in a form that identifies Company or Employee or attempt to re-identify such data. This clause survives termination or expiration of the Agreement.

  13. EWA Service Audit & Reporting.

    1. Books, Records & Retention. Company shall maintain complete and accurate books, records, systems and supporting documentation relating to the Program (including Employee data, marketing collateral, compliance policies and security logs) in a form that is accessible and reproducible for at least seven (7) years after the record is created, or for any longer period required by Applicable Law.

    2. Scheduled Audits. Once per calendar year, upon at least thirty (30) days’ written notice, either party (the “Requesting Party”) may require the other (the “Responding Party”) to transmit, via secure electronic means, a consolidated assurance package consisting of (i) a completed industry-standard security questionnaire; (ii) a SOC 2 Type II report or current ISO/IEC 27001 certificate (or functionally equivalent third-party attestation) covering the prior twelve-month period; (iii) certificates of insurance evidencing required coverage; (iv) an executive summary of the most recent independent penetration test (conducted within the prior twelve months) together with the status of all High- and Critical-severity findings; (v) a summary of the most recent business-continuity/disaster-recovery exercise results; and (vi) any additional documentation reasonably necessary to demonstrate compliance with Applicable Law and prevailing industry frameworks (e.g., NIST CSF, PCI DSS to the extent applicable). Outside the annual cycle, the Requesting Party may seek updated documentation described above when (A) a material security incident has occurred, (B) a material change to the services or security controls has been implemented, or (C) such information is necessary to respond to a written inquiry by a regulator, Bank Partner, or other third party which has a right to such information, and any such request must be limited to information reasonably required under the circumstances. The Responding Party shall, no more than once per year except as permitted in the preceding sentence, make qualified personnel available remotely to address reasonable follow-up questions arising from the assurance package. Each party bears its own internal costs of preparing or reviewing materials hereunder. 

    3. Remediation. If an audit identifies a material deficiency, Company must deliver a written remediation plan acceptable to OnePay within fifteen (15) business days and cure the deficiency within the timeframe specified in that plan. Failure to meet the remediation timeline constitutes a material breach.

    4. Co-operation with Authorities. Company shall, at OnePay’s request and expense, reasonably assist OnePay in responding to any examination, subpoena or other inquiry by a governmental or self-regulatory authority relating to the Program, including by making personnel and relevant service providers available for interview.

  14. EWA Service Confidentiality. The confidentiality obligations in this Addendum supplement, and where inconsistent supersede, Section 7 of the Agreement, but solely with respect to Earned Wage Access Services:

    1. Use and Protection. The Receiving Party shall (1) use Confidential Information solely to perform its obligations or exercise its rights under this Agreement, (2) protect such information with at least the same degree of care it uses for its own similar information, but not less than a reasonable standard of care, and (3) restrict access to those of its and its Affiliates’ employees, officers, directors, advisers, Bank partners, and service-providers who have a “need to know” and are bound by written obligations no less protective than this Section.

    2. Legal Disclosures. The Receiving Party may disclose Confidential Information to the extent required by subpoena, court order, regulator or other legal process, provided that it (1) gives the Disclosing Party prompt written notice (unless prohibited by law), (2) limits disclosure to the minimum required, and (3) reasonably cooperates, at the Disclosing Party’s expense, with efforts to seek confidential treatment or protective relief. Notwithstanding the foregoing, nothing in this Agreement (including this section 4) shall require notice by OnePay to Company, or prohibit disclosure of Confidential Information by OnePay, in connection with requests, exams or audits by regulatory authorities, OnePay’s Bank Partners, or other third parties that have a contractual right to such information. 

    3. Notwithstanding anything to the contrary, OnePay and its Affiliates may freely use, for any purpose, “Residuals” resulting from access to or work with Confidential Information; provided that OnePay does not intentionally memorize the Confidential Information for the purpose of retaining it and does not disclose any source code, personally-identifiable information or other information protected by law. “Residuals” means information in intangible form that is retained in the unaided memory of individuals who have had access to Confidential Information, including ideas, concepts, know-how or techniques contained therein. OnePay shall have no obligation to limit the assignment of such individuals or to pay royalties for work resulting from the use of Residuals, and nothing herein grants OnePay a license under the Disclosing Party’s patents or copyrights.

    4. Return or Destruction. Upon the earlier of (1) the Disclosing Party’s written request or (2) termination or expiration of this Agreement, the Receiving Party shall promptly return or, at the Disclosing Party’s option, destroy all Confidential Information (including all copies, extracts and derivative works) and certify such destruction in writing, except that the Receiving Party may retain archival copies that are (i) automatically stored on backup systems and not readily retrievable, or (ii) required by applicable law or bona-fide document-retention policies; any retained copies remain subject to this Section 12.

    5. Injunctive Relief. The parties acknowledge that unauthorized disclosure or use of Confidential Information would cause irreparable harm for which monetary damages are an inadequate remedy. Accordingly, each party is entitled to seek immediate injunctive or other equitable relief, in addition to any other remedies available at law or in equity, without the necessity of posting bond.

  15. EWA Service Wind-Down. Within ten (10) business days after receipt of written notice, the Parties will exchange and in good faith agree on a written wind-down or transition plan for the EWA Service, including setting timelines, cost allocation and customer-communications (the “Wind-Down Plan”). If the Parties cannot agree within sixty (60) days, an independent third-party facilitator may be appointed to finalize a Wind-Down Plan.

    1. Continued Performance. Notwithstanding anything in the Agreement to the contrary, termination of the Agreement or this Addendum shall not relieve either Party of its obligations under this Addendum. Each Party shall continue to perform all obligations needed to serve existing EWA Employees, process transactions, and maintain compliance for up to one hundred eighty (180) days (or such longer period reasonably required for regulatory approval) after termination.

    2. Data & Records. The Parties will retain and make available all EWA Service records for at least seven (7) years (or longer if required by Applicable Law) to respond to customer, audit or regulatory requests.

    3. Survival. Confidentiality, intellectual property ownership, limitation of liability, indemnification, and any provisions that by their nature should survive will remain in effect through the Wind-Down Plan and thereafter as stated in those sections. Company remains responsible for repayment of all EWA Advances during the wind-down period. 



Schedule A

EWA Service Information Security & Data Security


This Schedule A sets forth the mutual understanding of the Parties relating to the privacy and security of Confidential Information, EWA Employee Data, OnePay Data, and each Party’s Systems.


  1. Definitions.

    Controller” means a natural or legal person, governed by public or private law, who is responsible for decisions regarding the Processing of Personal Data or EWA Employee Data.


    Data Incident” means any act or omission that materially compromises either the security, confidentiality or integrity of data or the physical, technical, administrative or organizational safeguards put in place by a Party or a third-party service provider that relate to the protection of the security, confidentiality or integrity of data relating to the Platform. Without limiting the foregoing, a material compromise shall include any unauthorized access to, unauthorized disclosure of or unauthorized acquisition of Confidential Information, OnePay Data, or EWA Employee Data.


    Data Subject” means a natural person to whom the Personal Data is the object of Processing.


    “EWA Employee Data” means information related to an EWA Employee that is provided by the Company, including all Company-Provided Data.


    “OnePay Data” means information related to an EWA Employee that is obtained, generated or created in connection with applying for, establishing, or servicing a OnePay account; including, all Personal Data, data related to servicing and maintenance activities conducted in connection with a OnePay account, transaction data, and  any and all documentation related to including statements, notices, correspondence, customer service and telephone records.


    “Personal Data” means information that directly identifies or relates to a Data Subject or is otherwise defined as “personal data,” “personal information,” “personally identifiable information,” “nonpublic personal information” and/or any similar term under Applicable Law. 


    “Process” or “Processing” or “Processes” means any operation or set of operations performed on Personal Data or EWA Employee Data including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, diffusion, or extraction.


    Systems” means the information technology assets and environments owned, operated, or controlled by a Party or its Affiliates including networks, endpoints, hardware, software, databases, applications, and cloud-based resource that are used to receive, store, process, or transmit Confidential Information, EWA Employee Data, or OnePay Data under the Agreement.

  2. Information Security Program.

    1. Mutual Requirement. Each Party shall establish and maintain, in writing, an information security and privacy program (an "Information Security Program") that (a) complies with all Applicable Law, and (b) is reasonably designed to meet or exceed generally accepted industry standards, including alignment with frameworks such as ISO/IEC 27001, SOC 2, and the NIST Cybersecurity Framework. 

    2. Safeguards. Each Information Security Program shall include appropriate physical, technical, and administrative safeguards, including any safeguards and controls agreed by the Parties in writing, sufficient to protect the Party’s systems as well as the other Party’s Confidential Information, EWA Employee Data, and OnePay Data from unauthorized or unlawful destruction, loss, alteration, disclosure, or access.

  3. Program Monitoring and Review. Each Party shall monitor and, at least annually, test and evaluate the effectiveness of its Information Security Program. Each Party shall promptly adjust its practices in light of the results of such testing, any material changes to its operations or business arrangements, or any other facts or circumstances that may have a material impact on the security of systems or data covered by this Schedule.

  4. Breach Notification and Investigation Notification. 

    1. Notice. Each Party shall notify the other Party’s information-security contact by telephone within forty-eight (48) hours of any confirmed Data Incident, by written notice summarizing, in reasonable detail, the nature and scope of the incident and the corrective actions taken or planned. 

      1. Notice to OnePay shall be sent to:  vendor-security-notice@onepay.com

      2. Notice to Company shall be sent to: the email address on file (which may be updated by Company upon written notice to OnePay. 

    2. Co-operation. The Parties shall cooperate in investigating any Data Incident and shall respond promptly to reasonable inquiries.

    3. Remediation and Notice to Individuals. The affected Party shall, at its own cost, take all reasonable actions to contain and remediate the Data Incident, mitigate its impact, prevent recurrence, and, where required by Applicable Law or mutually agreed by the Parties, provide notice to affected individuals.

  5. Roles of the Parties. The Parties acknowledge and agree that each Party is an independent Controller of the EWA Employee Data or other Personal Data that it Processes pursuant to the Agreement. It is further acknowledged and agreed by the Parties that regardless of being an independent Controller, each Party will only Process EWA Employee Data and other Personal Data in accordance with the expressly permitted uses and limitations set forth in this DPA and the EWA Employee’s written consent.  OnePay shall receive, access, transmit, or otherwise process EWA Employee Data solely on the written instructions of the EWA Employee. For clarity, OnePay is not subject to any restrictions on use or disclosure of OnePay Data under this Addendum.

  6. Post-Termination Rights. Upon termination or expiration of the Agreement and subject to retention obligations under Applicable Law, each Party shall cease all use of the other Party’s Confidential Information and Data and, at the other Party’s election, securely destroy or return such information. Each Party may retain copies required for legal or regulatory purposes, provided such copies are maintained under the protections of this Schedule and are not used for any other purpose.

  7. Data Subject Rights. To the extent either Party receives a valid request from a data subject to exercise rights under Applicable Law (including rights of access, correction, deletion, or opt-out), the receiving Party shall comply with such request in accordance with Applicable Law and shall, where the request relates to data originating with the other Party, promptly notify and reasonably cooperate with the other Party to fulfil the request.

  8. Survival; Severability. This Schedule A shall survive termination or expiration of the Agreement. If any provision of this Schedule is found unenforceable, that provision shall be severed and the remainder of the Schedule shall remain in full force and effect.