Novation Agreement, dated July 28, 2021, among Broadridge Financial Solutions, Inc., International Business Machines Corporation and Kyndryl, Inc

    This Novation Agreement (this “Novation Agreement”), dated July 28, 2021, is entered into by and among International Business Machines Corporation (“Transferor”), Kyndryl, Inc. (“Kyndryl” or “Transferee”), and Broadridge Financial Solutions, Inc. (“Customer”). Transferor, Transferee and Customer are collectively referred to herein as the "Parties" and individually as a “Party”. Any capitalized terms used but not defined herein shall have the meanings given to such terms in: (A) prior to the Transfer Date, the Old Services Agreements, and (B) on or after the Transfer Date, the New Agreements, in each case, as hereinafter defined.

WHEREAS, on October 8, 2020, Transferor announced its intention to separate the Infrastructure Services unit from its Global Technology Services division and move such Infrastructure Services unit into Transferee, which will ultimately become a new publicly traded company;

WHEREAS, as a preliminary step in this separation, in all jurisdictions where Transferor provides services to Customer under the Old Services Agreement, Kyndryl shall commence operations as a wholly owned Transferor affiliate as of September 1, 2021 (the “Transfer Date”);

WHEREAS, Transferee will then be spun out of Transferor and become a separate, publicly traded company (the “Spin”) on a date to be announced (the “Spin Date”);

    WHEREAS, Transferor and Customer are parties to:

(1)2019 Master Services Agreement, made and entered into as of December 31, 2019 (together with all exhibits, attachments, and amendments thereto, the “MSA”);

(2)Amended and Restated 2019 Information Technology Services Agreement, made and entered into as of December 31, 2019 (together with all exhibits, attachments and amendments thereto, the “A&R ITSA”); and

(3)Broadridge Vendor GDPR Annex - Compliance with the EU General Data Protection Regulation, dated June 14, 2018, as amended (the “GDPR Annex”).

The above agreements are hereafter collectively referred to as the “Old Services Agreements” pursuant to which Transferor provides certain information technology services to Customer.

WHEREAS, in connection with the Spin, Transferor intends to transfer by novation all of its rights, liabilities, duties and obligations under the Old Services Agreements to Transferee and Transferee intends to accept the transfer by novation of all such rights, liabilities, duties and obligations, as of the Transfer Date.

NOW, THEREFORE, in consideration of the representations, warranties, promises and covenants contained herein, and other good and valuable consideration, the receipt, sufficiency and adequacy of which are hereby acknowledged, the Parties, intending to be legally bound, agree as follows:

1.Effective as of the Transfer Date: (a) Transferor hereby novates to Transferee all of its rights, title and interests and duties, liabilities and obligations in, to and under and the Old Services Agreements, thereby replacing the Old Services Agreements with new agreements that duplicate each of the Old Services Agreements (as hereby amended) in its entirety, except Transferee is a party in place of Transferor (collectively, the “New Agreements”); (b) Transferee hereby expressly accepts all such rights, title and interests and assumes and agrees to be bound by and to perform all of the duties, liabilities and obligations of Transferee under the New Agreements. All references in the New Agreements to “International Business Machines Corporation” (or “IBM”) (except for any new references to IBM added to the New Agreements pursuant to this Novation Agreement) shall be deemed from and after the Transfer Date to be references to “Kyndryl, Inc.” (or “Kyndryl”). Customer’s contractual relationship under the New Agreements will, as of the Transfer Date, be between Customer and Transferee instead of Transferor.

2.Notwithstanding anything to the contrary herein or in the New Agreements, as a material inducement for Customer to enter into this Novation Agreement, in consideration of which Transferor will receive substantial benefit, but only during the period from the Transfer Date to the Spin Date, Transferor hereby agrees that it shall be jointly and severally liable for the performance of all obligations, duties and liabilities of Transferee under the New Agreements.

3.Transferor and Transferee each represents and warrants that: (a) on or before the Transfer Date, Transferee shall: (i) commence operations as a wholly owned Transferor affiliate in in all jurisdictions where Transferee provides services to Customer under the New Agreements, and (ii) the entire portion of Transferor’s business that provides any services to Customer under the Old Services Agreements shall be transferred to Transferee (except for services which are still provided by the Transferor pursuant to Section 8 herein); (b) as of the Transfer Date, Transferee shall be adequately capitalized to meet or exceed all duties, liabilities and obligations under all of Transferee’s respective contracts with Customer and third parties; (c) the security,

controls, infrastructure, software, processes and personnel used by Transferee to provide the services to Customer under the New Agreements shall be the same or better than the security, controls, infrastructure, software, processes and personnel used by Transferor to provide the services to Customer under the Old Services Agreements; and (d) Transferee shall comply in a timely and thorough manner with the applicable requirements of Customer’s enterprise vendor management program.

4.Solely during the period from the Transfer Date to the Spin Date, Transferor and Transferee shall jointly and severally indemnify, defend and hold Customer harmless from and against any breach of Section 3 herein. From and after the Spin Date, Transferee shall indemnify, defend and hold Customer harmless from and against any breach of Section 3 herein.

5.Customer consents to the novation of the Old Services Agreements (as hereby amended) from Transferor to Transferee.

6.On the Transfer Date, Transferor hereby releases and forever discharges Customer from all of Customer’s duties, liabilities and obligations under the New Agreements.

7.On the Spin Date, except for claims based on fraud, gross negligence or willful misconduct, Customer hereby releases and forever discharges Transferor from any breach of contract claims solely under the New Agreements. Notwithstanding the foregoing and for the avoidance of doubt, the release in this Section 7 only applies to breach of contract claims under the New Agreements, and applies neither to claims based on any other agreement, including, without limitation, the Novation Agreement, nor to claims against Transferor for damages incurred by Customer based on any other legal theory.

8.Subject to Section 9 herein, Customer agrees that Transferee may engage Transferor as a subcontractor to perform only the following services listed and detailed in this Section 8, under the New Agreements from and after the Transfer Date, in each case, solely from the applicable Service Location(s) (as defined in the MSA or A&R ITSA, as applicable): (a) product maintenance services; (b) public cloud services provided under the MSA (as defined in SOW PC-20-0034, dated September 30, 2020, and the following amendments of the MSA: Amendment No. 6, Amendment No. 7 and Amendment No. 10); (c) Security services (as defined in Attachment 2-B (Managed Network Services) (solely with respect to the firewall network devices), and Attachment 2-G (Enterprise Security Services), under both the MSA and the A&R ITSA. For the avoidance of doubt, other than the foregoing services listed in this Section 8, Transferee must obtain Customer’s prior written consent pursuant to the New Agreements to subcontract any services performed under the New Agreements to Transferor.

9.Notwithstanding anything to the contrary in the New Agreements or herein, Transferor and Transferee hereby agree that the agreement between them

governing Transferor’s provision of the services to Customer on behalf of Transferee shall: (a) contain provisions at least materially equivalent to those contained in the New Agreements that shall enable Transferee to comply with Transferee’s obligations under the New Agreements; and (b) in connection with any services under the New Agreements performed by Transferor and the locations where such services are performed: (i) require Transferor to comply with all information security and architecture, audit, inspection, data, data processing, data protection and other material provisions under the New Agreements (as if Transferor were Supplier under the New Agreements, and such locations were Service Locations owned or leased by Supplier under the New Agreements), and (ii) permit Customer to exercise directly against Transferor, all information security and architecture, audit, inspection, data, data processing, data protection and other material provisions under the New Agreements (as if Transferor were Supplier under the New Agreements, and such locations were Service Locations owned or leased by Supplier under the New Agreements).

10.Attachment A attached hereto and made a part hereof sets forth amendments to the Old Services Agreements that together with the Old Services Agreements, constitute the New Agreements.

11.Promptly after the Transfer Date, Transferor and Transferee shall, at their sole cost and expense, cooperate with Customer, as requested by Customer in responding to Customer’s clients’ questions about the foregoing to such clients’ reasonable satisfaction.

12.Transferor will provide Customer with at least seven (7) days’ written notice prior to the Spin Date.

13.All liability arising under or relating to this Novation Agreement shall be determined and resolved in accordance with: (a) prior to the Transfer Date, the Old Services Agreements, and (b) on or after the Transfer Date, the New Agreements.

14.Any invoice received by Customer from Transferor for services rendered under the Old Services Agreements prior to the Transfer Date should be paid according to the terms of the invoice. Transferee shall provide Customer with further written information to enable Customer to make other payments directly to Transferee.

15.Effective as of the Transfer Date and subject to Section 9 herein, Transferee shall be the processor of personal data under the New Agreements, including under any data processing agreements in the New Agreements and in respect of any business contact information Transferor collected in connection with providing services to Customer under the Old Services Agreements. In addition, subject to Section 9 herein, Transferee may engage as subprocessors, Transferee’s Affiliates pre-approved in writing by Customer and Transferor (solely with respect to the services set forth in Section 8 herein) under the New Agreement. Following the Spin Date, Transferee’s subprocessors

that are located in non-adequate countries shall be considered Data Importers under the EU Standard Contractual Clause attached to the applicable data processing agreement.

16.Transferor, Transferee and Customer each represents and warrants and covenants to the other that: (a) it has full power and authority to enter into this Agreement and to consummate (or to consent to, in the case of Customer) the transactions contemplated hereby; (b) the execution and delivery of this Novation Agreement have been duly authorized by all necessary action on the part of such Party; and (c) this Novation Agreement constitutes a valid and binding agreement and obligation of each Party, enforceable against such Party in accordance with its terms.

17.This Novation Agreement, together with the Old Services Agreements and the New Agreements, are the complete agreement between the Parties and replace any prior oral and/or written communications between the Parties concerning this subject matter, and no Party has relied or is relying upon any representation made by or on behalf of the other that is not specified in the foregoing agreements. This Novation Agreement shall be binding upon and inure to the benefit of each of the Parties and their respective successors and assigns.

    

18.This Novation Agreement shall apply the governing law and jurisdiction provisions from: (a) if prior to the Transfer Date, the Old Services Agreements, and (b) if on or after the Transfer Date, the New Agreements.

19.This Novation Agreement may be executed in one or more counterparts, each of which shall be deemed an original, and all of which together will constitute one and the same instrument, and signatures may be exchanged electronically and shall be deemed originals. Any copy of this Novation Agreement made by reliable means is considered an original.

    IN WITNESS WHEREOF, the Parties have executed this Novation Agreement as of the day and year first above written.

Effective as of the Transfer Date:

1.Section 29.11 (Notices) of the MSA, is amended to update the notification information for the Supplier as follows:

The initial notification information for each Contracting Party is:

For Supplier:

Kyndryl, Inc.

One Vanderbilt Avenue, 15th Floor

New York, NY 10017

Attention: Vice President, Financial Services

with a copy to:

Kyndryl, Inc.

One Vanderbilt Avenue, 15th Floor

New York, NY 10017

Attention: General Counsel

Customer shall pay Supplier (i.e., Transferee) the Fees for the Services invoiced in accordance with the MSA (as hereby amended) and the A&R ITSA (as hereby amended), in accordance with the banking information supplied to Customer’s Enterprise Vendor Management group.

2.The Parties agree that the name of the MSA is hereby modified from “2019 Master Services Agreement” to “Private Cloud Information Technology Services Agreement”.

3.[****]

4.    Notwithstanding anything to the contrary in the MSA or the A&R ITSA: (a) the EBA Financial Services Addendum attached as Appendix B hereto and made a part hereof (the “EBA Addendum”) applies to each of the MSA and the A&R ITSA where Customer uses the Services to perform outsourcing that is subject to the regulatory oversight of the Regulator (as defined in the EBA Addendum) under Applicable Law (as defined in the EBA Addendum) as long as Customer or Customer’s End User (as defined in the EBA Addendum) is a Regulated Entity (as defined in the EBA Addendum) and is subject to oversight by the Regulator in relation to any Services being consumed under the MSA or A&R ITSA, as applicable; and (b) to the extent any requirement set forth in either the MSA or the A&R ITSA prior to the Transfer Date conflicts with any requirement set forth in the EBA Addendum, then the more stringent requirement shall apply on and after the Transfer Date.

1.Definitions. The following definitions apply to this EBA Addendum:

“Applicable Law” means the applicable laws and regulations administered by the Regulator in connection with Regulated Entity’s use of the Kyndryl Services.

“BRRD” means Directive 2014/59/EU establishing a framework for the recovery and resolution of credit institutions and investment firms and any valid laws which give effect to its provisions under Applicable Law.

“EBA Guidelines” means EBA/GL/2019/02, “Guidelines on outsourcing”, published by the European Banking Authority on 25 February 2019, or any successor or update thereto (subject to such successor or update being in force).

“End User” means any client of the Customer or any service recipient of services provided by the Customer to such client.

“Notice” means any notice provided in accordance with the Agreement.

“Regulated Entity” means the Customer or the Customer’s End User if and so long as: (i) such entity is regulated by or subject to oversight by the Regulator; and (ii) such entity is either (A) an “institution” as defined in Article 4(1)(3) of Regulation (EU) No 575/2013, (B) a “payment institution” as defined in Article 4(4) of Directive (EU) 2015/2366 or “electronic money institution” as defined in Article 2(1) of Directive 2009/110/EC, in each case provided such entity subject to the EBA Guidelines, or (C) otherwise subject to the EBA Guidelines pursuant to Applicable Law.

“Regulator” means a government, regulatory body, or competent authority in the European Economic Area, with binding authority to regulate Regulated Entity’s financial services activities.

“Resolution Authority” has the meaning as set out in Article 2 of the BRRD.

“Special Resolution Event” means, with respect to a BRRD Institution, the occurrence of an insolvency, resolution, or other similar proceeding or event, including pursuant to recovery and resolution, special administration, special resolution regime or analogous applicable laws or regulations.

“Sub-outsourcing” means a situation where Kyndryl further transfers its obligations to provide the Services under the Agreement to another service provider.

All capitalized terms used but not defined in this Addendum have the same means ascribed to them in the Agreement (as hereby amended).

2.Information Security Program. The parties agree that Kyndryl has, pursuant to the Private Cloud Information Technology Services Agreement and the A&R ITSA, implemented and will maintain an information and security program which is designed to provide at least the same level of protection as evidenced by:

•the Kyndryl security controls verified by Kyndryl’s appropriately skilled and knowledgeable external auditors in its then-current System Organization Controls 1, Type 2 report (the "Report"); and

•its then-current certification under ISO 27001 (the “Certifications”)

or, in each case, such alternative industry standard reports or certifications that are its successor or reasonable alternative (provided that they are at least as protective as the standards set out above) as determined by the Parties (together, the "Kyndryl Information Security Program").

Kyndryl shall provide to Customer and End Users, at Customer’s request and no additional charge, copies of Kyndryl’s Report and Certifications. Customer may by Notice submit requests for the expansion of scope of Certifications and the Report, and the Parties shall agree on the scope of such expansion.

a.Kyndryl agrees to provide the Regulated Entity (which, as defined below, could be either Customer or the Customer's End User), the Regulator and the Resolution Authority (each a “Requester”) with:

i.full access to its relevant business premises (e.g., head offices and operations centers), including the full range of relevant devices, systems, networks and data used for providing the services outsourced, including related financial information, personnel and Kyndryl’s external auditors; and

ii.unrestricted rights of inspection and auditing related to the Services used by Customer to enable the Requester to monitor the Services and to ensure compliance with all applicable regulatory and contractual requirements.

(3.a.i. and ii. are collectively the "Right of Access and Audit").

b.The Requester will exercise the Right of Access and Audit and Kyndryl will cooperate with the Requester in accordance with the following stipulations in the EBA Guidelines:

i.The Requester will exercise the Right of Access and Audit in a proportional manner, taking into account the complexity of the Services used by Customer, the risks arising from the Services used by Customer, the criticality or importance of the Services used by Customer, and the potential impact of the Services on the continuity of Customer's activities.

ii.The Requester shall adhere to relevant, commonly accepted, national and international audit standards.

iii.The Requester can appoint a third party to exercise the Right of Access and Audit. The Requester or such third party shall

have the appropriate and relevant skills and knowledge to perform the audit effectively.

iv.If the Requester's exercise of the Right of Access and Audit could, in Kyndryl’s reasonable opinion, create a risk for another Kyndryl customer's environment (e.g., impact on service levels, availability of data, and confidentiality), Requester and Kyndryl shall agree on a way to address the request that provides Requester a similar level of assurance which ensures that risks to another Kyrndryl customer’s environment are avoided or mitigated.

v.Where sufficient to comply with the Requester’s regulatory obligations, the Requester shall perform the audit by: (i) requesting Kyndryl to provide it with copies of Certifications and the Report; or (ii) if Kyndryl has implemented a process for pooled audits, through a pooled audit conducted in cooperation with other Kyndryl clients in accordance with such process.

c.Kyndryl acknowledges that nothing in this EBA Addendum will limit or restrict relevant Regulators' or Resolution Authorities' information gathering and investigatory powers under article 63(1)(a) of Directive 2014/59/EU and article 65(3) of Directive 2013/36/EU. Kyndryl's customer audit policies will not apply to the Right of Access and Audit described in this Section 3. If there is a conflict between this Section 3 and another Section of the Agreement, the terms of this Section 3 will control.

4.Performance Reporting. In addition to any reporting requirements in the Agreement, Kyndryl shall provide ongoing reporting in writing to Customer of developments that may have a material impact on Kyndryl’s ability to provide the Services.

5.Sub-outsourcing.

a.No Sub-outsourcing of any material portion of the Services is permitted under the Agreement without Customer’s prior written consent in each instance.

b.For any Sub-outsourcing, Kyndryl shall:

i.perform due diligence on the proposed sub-contractor;

ii.enter into a written agreement with such sub-contractor which requires such sub-contractor to comply with all Applicable Laws and relevant contractual obligations of Kyndryl under the MSA (as hereby amended) or the A&R ITSA (as hereby amended), as applicable; and

iii.oversee such sub-contractor in line with the terms of the MSA (as hereby amended) or the A&R ITSA (as hereby amended), as applicable.

6.Compliance with Laws and Protection of Data. Kyndryl will comply with all legal requirements regarding the protection of data that are applicable to it and binding on it in the performance of the Services, including, where applicable, requirements relating to protection of personal data, banking secrecy or similar confidentiality duties.

7.Data Retrieval. Without limiting any rights under the Agreement, in the event that Kyndryl: (a) is declared bankrupt or in liquidation (or equivalent), (b) is dissolved or wound up, or (c) discontinues its entire business operations of providing the Services (except as the result of any assignment permitted under the Agreement), Customer will have the immediate right to retrieve all data of Customer and End Users unless prohibited by law or the order of a governmental or regulatory body or insolvency practitioner (or equivalent).

a.This Section 6 applies to Regulated Entities that are subject to the requirements of the BRRD as implemented under Applicable Law (each a "BRRD Institution").

b.Kyndryl acknowledges that when a BRRD Institution is taken into resolution, the BRRD Institution will be subject to a range of powers exercisable by the designated Resolution Authority, including pursuant to Articles 68 and 71 of the BRRD. In the event that a BRRD Institution is taken into resolution in accordance with the BRRD, Kyndryl shall comply with all laws applicable to it in relation to that resolution and, if so requested in writing, will cooperate in good faith with the Resolution Authority (but without prejudice to any rights or remedies Kyndryl has under the Agreement) regarding any concerns in respect of the ongoing provision of the Services to Customer.

c.Kyndryl acknowledges that the occurrence of a Special Resolution Event does not, in and of itself, constitute a material breach giving rise to Kyndryl's termination for cause rights with respect to the Agreement, provided that the Customer continues to fulfill its substantive obligations under the Agreement (as such term is understood for the purposes of Article 68 of the BRRD), including payment obligations.

9.Confidentiality. Any information, responses and documentation provided by Kyndryl or by Customer in connection with this EBA Addendum (“Confidential Compliance Information”) will be treated as confidential information of the party owning it and will be provided to the recipient pursuant to confidentiality obligations reasonably acceptable to the party owning the Confidential Compliance Information (which, in case of the Regulator, means confidentiality obligations set out under applicable law) and will not be disclosed by the recipient, except that Confidential Compliance Information may be disclosed to (a) the Regulator, provided that the Customer obtains confidential treatment or similar protections, (b) the Customer, provided that all Confidential Compliance

Information of Kyndryl will be treated as confidential information of Kyndryl under the Agreement and this EBA Addendum, and (c) the End Users which are Regulated Entities. Notwithstanding anything to the contrary in the Agreement, other Confidential Compliance Information of Kyndryl (excluding the Report, Certifications and any other information from, referring to or otherwise included in the Kyndryl Information Security Program) may be disclosed by Customer to End Users which are Regulated Entities.