General Service Agreement dated as of July 7, 2022 by and between the Registrant and Bank of America, N.A.

Exhibit 10.2

General Services Agreement
Contract Title: General Services
Agreement Number: CW1649578
Vendor Name: Cardlytics, Inc.
Effective Date: Upon date of last signature
Vendor Address:
675 Ponce de Leon Ave., Suite 6000
Atlanta, GA 30308
Expiration Date: July 31, 2025
Vendor Telephone: ###-###-####
Proprietary & Confidential
Table of Contents - 1
Rev 10/2020
Certain information has been excluded from this agreement (indicated by “[***]”) because such information (i) is not material and (ii) would be competitively harmful if publicly disclosed.

This GENERAL SERVICES AGREEMENT ("Agreement") is entered into as of the Effective Date by and between Bank of America, N.A. ("Company"), a national banking association, and the above-named Vendor, a Delaware corporation, and consists of this signature page and the attached Terms and Conditions, Schedules, and all other documents attached hereto, which are incorporated in full by this reference.
Cardlytics, Inc. (“Vendor”)

Name: Andy Christiansen

Title: CFO

Address for Notices:
675 Ponce de Leon Ave. Suite 6000
Atlanta, GA 30308
ATTN: Legal Department
Telephone: N/A
Email: [***]

Bank of America, N.A. ("Company")

Name: Sam Griffin

Title: Sr. Sourcing Specialist

Address for Notices:

ATTN: Vendor Management
Bank of America
201 N. Tryon St.
Charlotte, NC 28255, NC1-022-15-21

ATTN: General Counsel
Bank of America
201 N. Tryon St.
Charlotte, NC 28255, NC1-022-15-21

In the case of a Time Sensitive Notice, a copy to:
ATTN: Sourcing Manager
Bank of America
201 N. Tryon St.
Charlotte, NC 28255, NC1-022-15-21


Table of Contents
    


1.0    DEFINITIONS    
2.0    SCOPE OF THE AGREEMENT    
3.0    RELATIONSHIP MANAGER    
4.0    TERM OF AGREEMENT    
5.0    TERMINATION    
6.0    PRICING/FEES    
7.0    INVOICES/TAXES/PAYMENT    
8.0    MUTUAL REPRESENTATIONS AND WARRANTIES    
9.0    REPRESENTATIONS AND WARRANTIES OF VENDOR    
10.0    FINANCIAL RESPONSIBILITY    
11.0    BUSINESS CONTINUITY    
12.0    RELATIONSHIP OF THE PARTIES    
13.0    VENDOR PERSONNEL    
14.0    INSURANCE    
15.0    CONFIDENTIALITY    
16.0    DATA USAGE    
17.0    INFORMATION PROTECTION    
18.0    INDEMNITY     
19.0    LIMITATION OF LIABILITY     
20.0    VENDOR DIVERSITY    
21.0    ENVIRONMENTAL, SOCIAL, AND GOVERNANCE    
22.0    AUDIT     
23.0    NON-ASSIGNMENT     
24.0    GOVERNING LAW    
25.0    DISPUTE RESOLUTION    
26.0    MEDIATION/ARBITRATION    
27.0    NON-EXCLUSIVE NATURE OF AGREEMENT    
28.0    OWNERSHIP OF WORK PRODUCT    
29.0    DIVESTITURE    
30.0    MISCELLANEOUS    
31.0    ENTIRE AGREEMENT    
32.0    PERSONAL DATA PROTECTION – EUROPEAN ECONOMIC AREA    


SCHEDULES

SCHEDULE         SERVICES
SCHEDULE         SERVICE FEES
SCHEDULE         PERFORMANCE MEASUREMENTS
SCHEDULE         INFORMATION SECURITY
SCHEDULE         BACKGROUND CHECKS
SCHEDULE         RECOVERY    
SCHEDULE         USE OF CLOUD SERVICES

1.0     DEFINITIONS
All capitalized terms in this Agreement not defined in this Section shall have the meanings set forth in the Sections or Schedules of this Agreement in which they are defined.
1.1 Affiliate – a business entity now or hereafter controlled by, controlling or under common control with a Party. Control exists when an entity owns or controls directly or indirectly at least fifty percent (50%) plus one share of the outstanding equity representing the right to vote for the election of directors or other managing authority of another entity.
1.2 Aggregated Consumer Information means information that relates solely to a group or category of consumers, from which individual consumer identities have been removed that is not linked or reasonably linkable to any one consumer or household, including via any device or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
1.3 Associate Information – any information about a Company Representative (whether past, present or prospective), whether in paper, electronic, or other form that is maintained by or on behalf of Company.
1.4 Business Day – Monday through Friday, excluding days on which Company is not open for business in the United States of America.
1.5 Consumer Information – any record about an individual, whether in paper, electronic, or other form, that is a consumer report as such term is defined in the Fair Credit Reporting Act (15 USC 1681 et seq.) or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of Company for a business purpose. Consumer Information also means a compilation of such records. The term does not include any record that does not identify an individual.
1.6 Customer Information – any record containing information about a customer (whether past, present or prospective), its usage of Company’s services, or about a customer’s accounts, whether in paper, electronic, or other form that is maintained by or on behalf of Company for a business purpose.
1.7 Data Protection Laws – all laws, regulations or other binding rules regarding the processing of Personal Data that are applicable to the Services, including without limitation the U.S. Privacy Laws as defined in the Section entitled “CONFIDENTIALITY.”
1.8 Effective Date – the date set forth on the signature page on which this Agreement, or an Order, as applicable, takes effect.
1.9 Expiration Date – the date set forth on the signature page on which this Agreement, or an Order, as applicable, expires, unless terminated earlier or extended under the terms hereof.
1.10 Governmental Authority - any nation or government, any state or other political subdivision thereof and any entity exercising executive, legislative, judicial, regulatory or administrative functions of or pertaining to government.
1.11 Information Security Program – the policies, procedures, plans, processes, practices, roles, responsibilities, resources and structures that describe how the Vendor protects information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction in order to provide confidentiality, integrity, and availability in a manner that complies with the confidentiality and information protection requirements of this Agreement and all pertinent Schedules and Exhibits hereto.
1.12 Intellectual Property Rights – all intellectual property rights throughout the world, including copyrights, patents, mask works, trademarks, service marks, trade secrets, inventions (whether or not patentable), know how, authors’ rights, rights of attribution, sui generis rights on databases, and other proprietary rights and all applications and rights to apply for registration or protection of such rights.
1.13 Local Participation Agreement – an amendment or addendum to this Agreement in a form agreeable to the Parties and signed by the Parties as well as (if required by local law or desired by a Party) a Party’s Affiliates giving or receiving the Services subject to the Local Participation Agreement, which modifies this Agreement to permit performance or delivery of the Services in one or more countries or other autonomous or semi-autonomous territories outside of the United States.
1.14 Model - a quantitative method, system or approach that applies statistical, economic, financial or mathematical theories, techniques and assumptions to process input data into quantitative estimates, which includes: 1) an information input component that delivers assumptions and data to the model; 2) a processing component that transforms inputs into estimates; and 3) a reporting/output component that translates estimates into useful business information; or 4) any artificial intelligence using deep learning, ensemble learning, natural language processing, neural networks, or reinforcement learning.
1.15 Order – any written agreement or instrument which documents and constitutes the description of Services Vendor will render to Company and the fees for such Services however denominated, including without limitation a product license schedule, statement of work, purchase order or work order, and which is executed by, or is an electronic transmission originated by, an authorized officer of Company’s Procurement Services and Vendor Management groups, substantially conforming to a form provided to Vendor by Company. Unless otherwise provided in writing, the business terms in each Order relating to description of Services, pricing, and performance standards shall apply only to such Order.
1.16 Party – Company or Vendor.
1.17 Personal Data, Personal Information - (a) any "personal data" or “personally identifiable information” as defined or regulated by the Data Protection Laws; and (b) any information that relates to a living individual who can be identified either from that information alone or when combined with other information.
1.18 Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1.19 Process, Processing, Processed – with respect to Personal Data applicable to or relating to the Services, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction thereof, including without limitation all activities ascribed to such term(s) in the General Data Protection Regulation (EU 2016/679) any regulatory interpretations, guidance, orders and similar publications concerning the same.
1.20 Records – information created, received and maintained as evidence and information by an organization or person, in pursuit of legal obligations or in the transaction of business.
1.21 Regulator - each Governmental Authority having regulatory or supervisory authority over Company or a Company Affiliate.
1.22 Relationship Manager(s) – the employee designated by a Party to act on its behalf with regard to matters arising under this Agreement who shall be the person the other Party shall contact in writing regarding matters concerning this Agreement.
1.23 Representative – an employee, officer, director, or agent of a Party.
1.24 Services (also referred to herein as "Products" or "products") - the services as may be generally described on an attached SCHEDULE to this Agreement and/or as described in each Order, including without limitation all professional, management, labor and general services, together with any materials, supplies, products, tangible items or other goods Vendor furnishes in connection with such services.
1.25 Special Resolution Event - shall mean any of the following events affecting Company or a Company Affiliate: (a) a transfer of the shares of Company or a Company Affiliate to a Special Resolution Recipient so that such entity is no longer an Affiliate; (b) a transfer of all or part of the business of Company or a Company Affiliate by way of asset transfer to an entity that is not an Affiliate; (c) with respect to Company or a Company Affiliate, the appointment of a Special Resolution Regulator as receiver of such entity; (d) with respect to Company or a Company Affiliate, the invocation of the Orderly Liquidation Authority by the Secretary of the United States Department of the Treasury; or (e) with respect to Company or a Company Affiliate, an insolvency filing or order or an administration order imposed by a Governmental Authority.
1.26 Special Resolution Recipient - any entity to which all or a substantial part of the assets of Company or a Company Affiliate has been transferred as a result of a Special Resolution Event so that such entity after such transfer is not an Affiliate of Company (including in each case, without limitation, the creation of a bridge bank, bridge holding company or bridge finance company).
1.27 Special Resolution Regulators - the Federal Deposit Insurance Corporation, other agencies, or regulators entrusted with administering the Special Resolution Events or their successors, or equivalent authorities outside of the US entrusted with administering Special Resolution Events.
1.28 Subcontractor – a third party, including, but not limited to, Sub-processors, to whom Vendor has delegated or subcontracted any portion of its obligations set forth herein.
1.29 Sub-processor - a Personal Data processor engaged by Vendor to undertake all or part of Vendor’s Processing obligations pursuant to this Agreement.
1.30 Term – the initial term of the Agreement or any renewal or extension.
1.31 Time Sensitive Notice - any notice provided under this Agreement pursuant to any of the following: SECTIONS entitled “TERM OF AGREEMENT,” “TERMINATION,” “FINANCIAL RESPONSIBILITY,” “CONFIDENTIALITY,” “INFORMATION PROTECTION,” “AUDIT,” “OWNERSHIP OF WORK PRODUCT” and the SCHEDULE entitled “INFORMATION SECURITY.”
1.32 Vendor Security Controls – those controls implemented by Vendor as part of its Information Security Program that address each of the applicable Bank Security Requirements.
1.33 Work Product – all information, data, materials, discoveries, inventions, works of authorship, documents, documentation, models, computer programs, software (including source code and object code), firmware, designs, drawings, specifications, processes, procedures, techniques, algorithms, diagrams, methods, and all tangible embodiments of each of the foregoing (in whatever form and media) conceived, created, reduced to practice or prepared by or for Vendor at the request of Company pursuant to this Agreement or within the scope of Services provided under this Agreement, whether or not prepared on Company’s premises and all Intellectual Property Rights therein.
2.0     SCOPE OF THE AGREEMENT
2.1 Vendor shall perform the Services described in each applicable Order in accordance with this Agreement and the service levels, specifications and timeframes set forth in such Order, and in accordance with performance measurements set forth in the SCHEDULE entitled “PERFORMANCE MEASUREMENTS,” or an applicable Order.
2.2 All Services shall be processed and/or provided, whether in part or in whole, by Vendor, its employees, Representatives and/or Subcontractors on and from a location or locations in one (1) or more of the fifty (50) states of the United States of America or in the District of Columbia, unless Company agrees in advance in writing, which writing may include the Parties’ execution of a mutually agreed Local Participation Agreement for Services that are provided outside the United States as provided below in this Section. Vendor shall not relocate the provision of Services to another location without Company’s prior written consent. Any request for approval of such relocation shall designate the Services and Vendor Representative involved and the location of the proposed Vendor facility for performance of such Services. Vendor shall remain responsible for compliance with all of its obligations under this Agreement with respect to the relocated Services, and shall ensure that any such relocation does not adversely affect Company or its Affiliates. Any such relocation shall be at Vendor’s sole expense, and Company shall not be responsible for any expenses incurred or increases in charges or costs resulting from any such relocation, including increased operational costs of Company. Vendor shall be responsible for complying with all laws with respect to its relocation effort and the provision of Services from the site to which such Services are relocated.
2.3 To the extent available, all documentation will be provided in printed and electronic formats. Except as otherwise provided in the SECTION entitled “OWNERSHIP OF WORK PRODUCT,” Company may use and reproduce for internal purposes all documentation furnished by Vendor, including displaying the documentation on Company’s intranet or other internal electronic distribution system, in part or in whole.
2.4 All instruments, such as Orders, acknowledgments, invoices, schedules used in conjunction with this Agreement ("Instruments") shall be for the sole purpose of defining quantities, prices and describing the Services to be provided hereunder, and to this extent only are incorporated as a part of this Agreement. Any preprinted terms and conditions included in Instruments, posted on any website, or included with any media (including terms where acquiescence, approval or agreement requires a mouse click or an electronic signature) shall not be incorporated into nor construed to amend the terms of this Agreement. Any Instrument submitted to Company by Vendor in connection with this Agreement shall reference, as applicable, Order number and Agreement number.
2.5 Vendor shall deliver to Company and keep current a list of persons, emails and telephone numbers ("Contact List") for Company to contact in order to obtain answers to questions related to the Services set out in the Order. The Contact List shall include (1) the first person to contact if a question arises or problem occurs and (2) the persons in successively more responsible or qualified positions to provide the answer or assistance desired. If Vendor does not respond promptly to any request by Company for consultative service, then Company may attempt to contact the next more responsible or qualified person on the Contact List until contact is made and a designated person responds accordingly.
2.6 Vendor expressly acknowledges and agrees that the rights of Company set forth in this Agreement shall inure to all Company Affiliates and such Affiliates may execute Orders and purchase Services hereunder. Company expressly acknowledges and agrees that the Services may be provided by Vendor Affiliates and such Vendor Affiliates may execute Orders and deliver Services hereunder. Notwithstanding the foregoing two sentences, neither the delivery of Services by Affiliates of Vendor or receipt of Services by Affiliates of Company, nor the execution of Orders by Affiliates of Company or Vendor, shall relieve or release Company and Vendor from primary liability for the obligations, representations, warranties and covenants under this Agreement. For Services performed by Vendor or an Affiliate of Vendor for Company or any Affiliate of Company in countries outside the United States, the Parties and their appropriate local Affiliates (to the extent local Affiliate execution is required by law or desired by the applicable Party) will execute a Local Participation Agreement. Vendor shall have the right to assert against Company all of the claims, offsets, and defenses that the applicable Vendor Affiliate has under this Agreement or the relevant Order, including any express limitations of liability set forth in this Agreement. All claims relating to the rights and obligations of Company or its Affiliates or Vendor or its Affiliates or Subcontractors under this Agreement or any Order shall be resolved between Company and Vendor in accordance with the SECTIONS entitled "DISPUTE RESOLUTION" and "MEDIATION/ARBITRATION" in this Agreement, regardless of the location where the claim originates, and under no circumstances will Company or its Affiliates or Vendor or its Affiliates or Subcontractors bring any legal action, suit or proceeding in any way arising out of this Agreement and any Order in any jurisdiction except as set forth in such Sections.
2.7 If no data transfer agreement satisfying applicable Data Protection Laws is appended to this Agreement covering all Services to be provided under this Agreement, Vendor shall enter into one or more data transfer agreements as Company may reasonably require to ensure its compliance with such Data Protection Laws (which agreements may be part of an Order) in the event (a) Vendor intends to transfer or is required to transfer any Personal Information outside the country in which the Services are provided, and/or (b) Company intends to or is required to transfer any Personal Information to Vendor or a Vendor Affiliate outside the country in which the Services are provided. Such agreements shall be made prior to any such transfer of Personal Information occurring. Vendor shall provide such commercially reasonable assistance to Company as may be required for Company to register or file such data transfer agreements or other data transfer information with local authorities with jurisdiction over such agreements or data transfers, and shall take any steps that are legally required to adequately implement and legitimize such data transfers in accordance with Applicable Law of the country with jurisdiction over the data transfers.
3.0     RELATIONSHIP MANAGER
3.1 Each Party shall designate an employee Relationship Manager(s) to act on its behalf with regard to matters arising under this Agreement and shall notify the other Party in writing of the name of its Relationship Manager; however, the Relationship Manager shall have no authority to alter or amend any term, condition, or provision of this Agreement. Either Party may change its Relationship Manager(s) by providing the other Party prior written notice. The Relationship Manager must be identified in a writing delivered to the other Party at least one (1) week prior to the commencement of any work under this Agreement.
3.2 The Relationship Manager(s) shall meet via conference call with such frequency as Company’s Relationship Manager(s) shall reasonably request. Company may require meetings in person at a site designated by Company.
4.0     TERM OF AGREEMENT
4.1 This Agreement shall be in effect from the Effective Date through the Expiration Date indicated on the signature page ("Initial Term") unless terminated earlier or extended under the terms of this Agreement. Company shall have the right to extend this Agreement for an additional twelve (12) month(s) (“Renewal Term”) by giving Vendor written notice of its intent at least ninety (90) calendar days prior to the end of the Initial Term or any Renewal Term. If Company does not notify Vendor of its intent to renew or terminate this Agreement, the Agreement shall continue in effect on a month-to-month basis, at the prices in effect in each applicable Order, for the Term just expired, until terminated by either Party upon at least ninety (90) calendar days prior written notice to the other.
5.0     TERMINATION
5.1 Company may terminate this Agreement or any Order (or portion thereof) under this Agreement for its convenience, without cause, at any time without further charge or expense upon at least ninety (90) calendar days prior written notice to Vendor. Termination of one Order (or portion thereof) shall not cause a termination of this Agreement or any other Order (or portion thereof), unless otherwise specified by Company.

5.2 In addition to any other remedies available to either Party, upon the occurrence of a Termination Event (as defined below) with respect to either Party, the other Party may immediately terminate this Agreement or the Order that is subject of the Termination Event by providing written notice of termination. A Termination Event shall have occurred if: (a) a Party materially breaches its obligations under this Agreement or an Order under this Agreement, and the breach is not cured within thirty (30) calendar days after written notice of the breach and intent to terminate is provided by the other Party; (b) Vendor breaches one or more of its obligations under this Agreement or an Order three (3) times in any six (6) month period with written notification of such to Vendor, whether or not cure is effected; (c) Vendor breaches an obligation under the Agreement or an Order that is not susceptible to cure; (d) to the extent Vendor’s performance obligations under this Agreement or any Order are subject to service level requirements, performance indicators or similar measurement standards, Vendor fails to meet such measurement standards more frequently than the allowable maximum, if any, of missed measurement standards provided in this Agreement or the relevant Order, (e) a Party becomes insolvent (generally unable to pay its debts as they become due) or the subject of a bankruptcy, conservatorship, receivership, dissolution, winding up or similar proceeding, or makes a general assignment for the benefit of its creditors; (f) Vendor either: (i) merges with another entity, (ii) suffers a transfer involving fifty percent (50%) or more of any class of its voting securities or (iii) transfers all, or substantially all, of its assets; (g) in providing Services hereunder, Vendor violates any law or regulation, or causes Company to be in material violation of any law or regulation; (h) Company has the right to terminate under the SECTION entitled “PRICING/FEES”; (i) a Party attempts to assign this Agreement in breach of the SECTION entitled “NON-ASSIGNMENT;” or (j) Company is directed or instructed by a Governmental Authority to terminate or exit this Agreement. Breach of one Order shall not cause a breach of any other Order, unless otherwise specified in writing by the non-breaching Party in the applicable Order. In the event of a transfer in 5.2 (f) above, Vendor shall provide notice to Company as soon as reasonably practicable prior to the legal closing of such transfer to the extent such notice is legally permitted, or if prior notice is not legally permitted, in no event later than five (5) Business Days after such transfer is made public. Termination based upon a Termination Event shall be without fee or charge to Company notwithstanding any other term or provision of this Agreement to the contrary; provided, however, that Company shall be obligated to pay undisputed amounts as provided in the SCHEDULE entitled “PERFORMANCE MEASUREMENTS,” or any Order for Services already performed or provided, and provided further that nothing herein shall constitute a release by Vendor of Company relative to any claims or actions that Vendor is otherwise entitled to bring under this Agreement or at law or in equity.
5.3 In the event of expiration or termination of this Agreement or an Order under this Agreement, Vendor agrees that upon the request of Company, Vendor will, at no additional cost to Company, continue uninterrupted operations, conclude and cooperate with Company in the transition of the business at Company’s direction and in a manner that causes no material disruption to Company business and operations. The fees associated with such transition shall be in accordance with the fees in effect at the expiration or termination of this Agreement. In no event shall the transition be more than one hundred eighty (180) calendar days from the date of termination unless the Parties otherwise agree in writing; provided, however, if the event of termination constitutes, results from or is caused by a Special Resolution Event, the transition shall be no more than twenty-four (24) months starting from the applicable Special Resolution Event, with the specific period to be specified by Company as soon as practicable following the Special Resolution Event, unless the Special Resolution Regulators require the transition to be provided for a different period (whether longer or shorter) in which case, the transition permitted shall be the period required by the Special Resolution Regulators. For the avoidance of doubt, Company agrees to pay Vendor all undisputed fees for Services rendered up to the date of termination or expiration pursuant to the related terms hereunder. Reimbursement of all extraordinary costs and expenses incurred outside of the Agreement terms and conditions will be agreed upon by Vendor and Company in writing prior to their incurrence.
5.4 The rights and obligations of the Parties which by their nature must survive termination or expiration of this Agreement in order to achieve its fundamental purposes including, without limitation, the provisions of the SECTIONS entitled “AUDIT,” “CONFIDENTIALITY,” “INFORMATION PROTECTION,” “INDEMNITY,” “LIMITATION OF LIABILITY,” “MEDIATION/ARBITRATION,” “OWNERSHIP OF WORK PRODUCT,” “MISCELLANEOUS,” and subsections 5.5 and 5.6 of the “TERMINATION” provisions shall survive in perpetuity any termination of this Agreement.
5.5 Following the occurrence of a Special Resolution Event, but prior to the execution of an applicable Special Resolution Services Agreement (as defined below): (a) Vendor shall not terminate this Agreement as a result of the occurrence of such Special Resolution Event notwithstanding anything to the contrary set forth in this Agreement and each Special Resolution Recipient shall be entitled to continue to receive the benefit of this Agreement for a period of twenty-four (24) months from the occurrence of the triggering Special Resolution Event, or any longer period if required by the Special Resolution Regulators (the “Interim Period”), provided that in the case of an asset transfer transferred assets shall be entitled to receive the benefit of this Agreement; (b) no Special Resolution Recipient is a party to, or intended third party beneficiary under, this Agreement and has no rights to enforce this Agreement; provided, however, that Company or its Affiliates may directly enforce this Agreement for and on behalf of such Special Resolution Recipient and Vendor may enforce this Agreement against Company in connection with Services provided to a Special Resolution Recipient; and (c) in the event that any Special Resolution Recipient elects to continue to use Services under this Agreement during the Interim Period, Vendor shall bill such Special Resolution Recipient directly for that portion of the Services received by Special Resolution Recipient and shall proportionately adjust the fees due and owing, if any, by Company or its Affiliates.


5.6Within a reasonable time following the occurrence of a Special Resolution Event, Vendor shall offer to enter into a direct agreement (the “Special Resolution Services Agreement”) for the supply of all or part of the relevant Services or use of all or part of the Work Product on terms substantially the same as this Agreement (revised to the extent necessary to account for changes resulting from the Special Resolution Event) with each Special Resolution Recipient. Upon execution of each Special Resolution Services Agreement, the fees due and owing under this Agreement shall be adjusted proportionately to reflect any reduction in the scope and volume of the Services, if any, utilized by Company or its Affiliates after the transfer to the Special Resolution Recipient. Upon the effective date of each Special Resolution Services Agreement, the Special Resolution Recipient that is a party to such agreement shall cease to have any entitlement to Services or Work Product under this Agreement.
6.0     PRICING/FEES
6.1Company shall pay Vendor for Services provided under this Agreement as set forth in the applicable Order. Vendor shall pay in full prior to delinquency any Representative or Subcontractor utilized by Vendor in connection with the Services, and shall indemnify, defend and hold Company harmless for Vendor’s failure to make any such payments, including that Vendor shall promptly cause the release of any lien filed or assessed against any property of Company by a Vendor Representative or Subcontractor. If Vendor fails to pay any Representative or Subcontractor following the expiration of ten (10) Business Days after Company delivers written demand upon Vendor to make any such payment or payments, then Company may, but shall have no obligation to, pay such Representative or Subcontractor directly and Vendor shall promptly on Company’s demand reimburse Company for the amount of such payment or payments. If Vendor fails to reimburse Company promptly on demand, Company may offset such payment or payments against amounts Company owes to Vendor under this Agreement. For the avoidance of doubt, Vendor’s failure to make payment to any Representative or Subcontractor or to reimburse Company under this Section shall constitute a material breach of this Agreement.
6.2Company shall not be required to pay for Services that are: (a) not requested by Company and documented in an Order signed by a Company signatory or notice addressee identified on page 1 of this Agreement (provided, however, that in such circumstance Company may at its discretion pay for such Services subject to a discount of twenty-five percent (25%) of the total invoice amount without waiver of its rights under this Section with respect to future violations, and Vendor shall accept such amount in full satisfaction of compensation and reimbursement for such Services), or (b) not meeting the requirements of this Agreement and all pertinent Schedules and Exhibits hereto or any of the service levels, specifications, performance measurements and timeframes set forth in the applicable Order. Fees for additional Services not listed in the SCHEDULE entitled "SERVICE FEES" or an applicable Order shall be as mutually agreed in writing between Company and Vendor prior to performance. No fees for additional Services shall be due unless such Services and fees are agreed to in writing by Company prior to Vendor’s performance thereof.
6.3 [intentionally omitted]
6.4 [intentionally omitted]
7.0     INVOICES/TAXES/PAYMENT
7.1Vendor shall electronically conduct purchase order and invoice transactions in accordance with the then-current requirements specified by Company, including, but not limited to, use of the Ariba Network (unless otherwise specified in an Order or Local Participation Agreement). Vendor shall, at no additional cost to Company, ensure Vendor has the capability to transact utilizing the Ariba Network, if applicable to Vendor, or other processor network designated by Company. Vendor shall be responsible for payment of any fees assessed by Ariba or any other processors for registration, participation in or use of the Ariba Network or any other processor network. Under no circumstance shall Company be liable for any costs, fees or other liabilities arising out of or related to Vendor’s use of Ariba or any other processor designated by Company.
7.2Vendor shall submit invoices on a monthly basis, or as set forth in the applicable Order, and invoices shall contain such detail as Company may reasonably require from time to time, including reference to the Agreement number at the top of this Agreement and any Order numbers. Company requires Vendor to bill for Services and tangible personal property separately. Company also requires Vendor to include, on the face of the invoice, the “ship to” address for any purchase of tangible personal property and the location where the Services are performed. Amounts shall be invoiced promptly after the Services performed or Work Product delivered. Amounts not invoiced by Vendor to Company within three (3) months after such amounts could first be invoiced under this Agreement may not thereafter be invoiced, and Company shall not be required to pay such amounts.
7.3Payments will be made according to Company’s then-current payment policies. Unless otherwise specified in a Local Participation Agreement, Company requires Vendor to accept payment through electronic media in one of the following agreed upon methods: a credit card using the Company ePayables process, ACH, or electronic check. In the event that the agreed upon method of payment is through the Company ePayables process using purchase cards, the Vendor shall, at no additional cost to Company, ensure Vendor has the capability to process purchasing cards, prior to submitting invoices to Company.
7.4Company shall pay Vendor for all Services and applicable taxes, including, without limitation, all sales, use and excise taxes, and also including any tax imposed outside the United States such as value added tax, GST, sales tax, purchase tax, turnover tax or similar taxes that apply now or in the future and including without limitation value added tax chargeable under or pursuant to the Value Added Tax Act 1994 and Council Directive 2006/112/EC and any replacements thereof (all of the foregoing taxes outside the United States being hereinafter “Foreign Services Taxes”), invoiced in arrears in accordance with the terms of this Agreement, within sixty (60) calendar days of the date of receipt of a valid invoice by Company. Company reserves the right to pay prior to the expiration of the sixty (60) day period.
7.5Invoices shall include and list all applicable sales, use or excise taxes and Foreign Services Taxes that are a statutory obligation of Company as separate line items identifying each separate tax category and taxing authority. Company will reimburse Vendor for all sales, use or excise taxes and Foreign Services Taxes levied in accordance with the general statutes or other authoritative directives of the taxing authority on amounts payable by Company to Vendor pursuant to this Agreement; however, Company shall not be responsible for remittance of such taxes to applicable tax authorities.
7.6Any withholding or other tax requirements imposed on Company that may arise in respect of any fees or other payments made under this Agreement to Vendor are solely the liability of Vendor.  In the event that Company is required by laws of any relevant jurisdiction to withhold any amounts from payments made by Company to Vendor hereunder, Company will use commercially reasonable efforts to provide Vendor with tax certificates documenting remittance of such amounts to the relevant tax authorities upon Vendor’s written request.  In the alternative, Vendor shall provide Company with validly executed certificates reasonably satisfactory to Company evidencing Vendor’s exemption from any withholding or other tax requirements at least ten (10) Business Days prior to the payment date to the extent provided by Applicable Laws.
7.7Company shall not be responsible for any ad valorem, income, gross receipts, franchise, privilege, value added or occupational taxes of Vendor. Company and Vendor shall each bear sole responsibility for all taxes, assessments and other real or personal property-related levies on its owned or leased real or personal property. If applicable, Vendor must ensure that the business personal property tax exemption granted to financial institutions by California, Missouri, Virginia, Maryland, South Carolina, or other states is properly applied.
7.8Vendor shall be responsible for the payment of all taxes (including Foreign Services Taxes), interest and penalties related to any assessment by a taxing authority as contemplated by this Section to the extent that Vendor fails to accurately and timely invoice Company for such taxes and remit such taxes directly to the applicable taxing authority. In the event that a taxing authority performs a sample and projection audit on Company, then Vendor shall be responsible for the payment of all projected tax amounts including all interest and penalties on any projected taxes assessed resulting from taxing errors identified by such taxing authority on Vendor’s invoices, provided however, that Vendor shall receive timely notice that such invoice is included in a tax authority’s audit and Vendor has the right to produce documentation to support that the tax was satisfied. In the event Vendor voluntarily registers to collect sales tax at some future date, and wishes to remit historical taxes Vendor deems due, Company will only be responsible for the taxes due for the time period that Company is statutorily obligated to the tax authorities in each state.
7.9Vendor shall fully cooperate with Company's efforts to identify taxable and nontaxable portions of amounts payable pursuant to this Agreement (including segregation of such portions on invoices) and to obtain refunds of taxes paid, where appropriate. Company may furnish Vendor with certificates or other evidence supporting applicable exemptions from sales, use, excise or Foreign Services taxation. If Company pays or reimburses Vendor under this Section, Vendor hereby assigns and transfers to Company all of its right, title and interest in and to any refund for taxes paid. Any claim for refund of taxes against the assessing authority may be made in the name of Company or Vendor, or both, at Company's option. Company may initiate and manage litigation brought in the name of Company or Vendor, or both, to obtain refunds of amounts paid under this Section. Vendor shall cooperate fully with Company in pursuing any refund claims, including any related litigation or administrative procedures.
7.10Vendor shall keep and maintain complete and accurate accounting Records in accordance with generally accepted accounting principles consistently applied to support and document all amounts becoming payable to Vendor hereunder. Upon request from Company and within a reasonably prompt time after such request, Vendor shall provide to Company (or a Representative designated by Company) access to such Records for the purpose of auditing such Records during normal business hours. Vendor shall retain all Records required under this Section in accordance with the SECTION entitled “AUDIT” of this Agreement, after the amounts documented in such Records become due. Vendor shall cooperate fully with Company and any taxing authority involving any audit of sales, use or excise taxes or Foreign Services Taxes. Upon request from Company, Vendor will provide copies of invoices in electronic form that have been selected for review by any taxing authority, together with documents supporting the identification of taxable and nontaxable portions of amounts reflected on such invoices as contemplated by this Section.
8.0     MUTUAL REPRESENTATIONS AND WARRANTIES
8.1 Each Party represents and warrants the following: (a) the Party’s execution, delivery and performance of this Agreement: (i) have been authorized by all necessary corporate action, (ii) do not violate the terms of any law, regulation, or court order to which such Party is subject or the terms of any material agreement to which the Party or any of its assets may be subject and (iii) are not subject to the consent or approval of any third party; (b) this Agreement is the valid and binding obligation of the representing Party, enforceable against such Party in accordance with its terms; and (c) such Party is not subject to any pending or threatened litigation or governmental action which could interfere with such Party's performance of its obligations hereunder.
9.0     REPRESENTATIONS AND WARRANTIES OF VENDOR
9.1In rendering its obligations under this Agreement, without limiting other applicable performance warranties, Vendor represents and warrants to Company as follows: (a) Vendor is in good standing in the state of its incorporation and is qualified to do business as a foreign corporation in each of the other states in which it is providing Services hereunder; (b) Vendor shall secure or has secured all permits, licenses, regulatory approvals and registrations required to render Services set forth herein, including without limitation, registration with the appropriate taxing authorities for remittance of taxes; and (c) Vendor’s Representatives and Subcontractors are not employees or agents of, or otherwise affiliated with, any government or government instrumentality. With respect to 9.1(c), Vendor will inform Company of any change in status.
9.2Vendor represents and warrants that it shall perform the Services in a timely and professional manner using competent personnel having expertise suitable to their assignments. Vendor represents and warrants that the Services shall conform to or exceed, in all material respects, the specifications described herein, as well as the standards generally observed in the industry for similar services. Vendor represents and warrants that Services supplied hereunder shall be free of defects in workmanship, design and material. Vendor represents and warrants that the Work Product and Services furnished under this Agreement do not and shall not infringe, misappropriate or otherwise violate any Intellectual Property Rights or any other rights of any third party.
9.3 As of the Effective Date, there are no actions, suits or proceedings pending, or to the knowledge of Vendor threatened, against Vendor, Vendor’s Representatives and Subcontractors alleging infringement, misappropriation or other violation of any Intellectual Property Rights related to any Work Product or Service contemplated by this Agreement.
9.4(a)    Vendor shall, and shall be responsible for ensuring that Vendor’s Representatives and Subcontractors shall, perform all obligations of Vendor under this Agreement in compliance with all laws, rules, regulations and other legal requirements applicable to Vendor as well as applicable to Company as and to the extent such laws, rules, regulatory guidance, regulations and legal requirements relate to the Services (all such laws, rules, regulatory guidance, regulations and legal requirements being, hereinafter, “Applicable Laws”). With regard to compliance with Applicable Laws, Vendor acknowledges that Company has an obligation to its customers to prohibit unfair or deceptive acts in violation of section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. 45(a)(1) and to comply with all applicable unclaimed property state regulatory requirements, among other Applicable Laws. All software, websites, web-based applications, online content and other electronic or information technology provided to or accessed by Company, its Affiliates, or their customers receiving Services under this Agreement shall conform with the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.1, Conformance Level AA Success Criteria, or as amended, updated or successor guidelines that may be adopted by the World Wide Web Consortium. Applicable Laws shall include, without limitation, all labor and employment laws applicable to Vendor in the jurisdictions in which it or its Affiliates conduct business, including without limitation those that address child labor, forced labor, slavery, human trafficking, equal pay and nondiscrimination in the workforce. For purposes of child labor under the Agreement, a child is any person under the age of 15 unless Applicable Law sets a higher age. Vendor shall not engage in or encourage others to engage in human trafficking or the use of child labor, forced labor or slavery. 
Additionally, Vendor shall, and shall be responsible for ensuring that Vendor’s Representatives and Subcontractors shall, perform all obligations of Vendor under this Agreement in compliance with all policies, procedures, standards and other instructions of Company or its Affiliates, as the same may be amended from time to time in the sole discretion of Company or its Affiliates. Applicable policies, procedures and other instructions will be provided to Vendor by Company. Additionally, Vendor acknowledges that the appropriate Representatives of Vendor have or will read and are or will become familiar with Company’s Vendor Code of Conduct, from time to time revised by Company, as the same is made available to Vendor.

(b)    Vendor shall implement policies, procedures, training and guidelines to ensure compliance with Applicable Laws. In addition, Vendor shall ensure that all Vendor’s Representatives and Subcontractors successfully complete and implement, on an annual basis, such training as Company may require in connection with compliance with Applicable Laws. Required training may include training programs and materials provided by Company. Where Company does not provide the training program and materials, Vendor and its Subcontractors, at their sole cost and expense, shall provide or procure their own training satisfying Company’s requirements. Company’s requirements for training programs or content may be revised, replaced or terminated at any time at Company’s sole discretion. Vendor shall provide to Company on Company’s request a certification of completion of such training by Vendor’s Representatives and Subcontractors. Vendor and its Representatives and Subcontractors shall follow all procedures, processes, and guidelines outlined in any Company-provided training. Upon Company’s request and pursuant to the “VENDOR PERSONNEL” SECTION of this Agreement, any Vendor Representative or Subcontractor who fails to successfully complete Company’s required training on an annual basis shall be immediately removed from working on the Company’s account. The foregoing is not intended to be applicable to process servers in the course of serving process nor upon licensed attorneys during the course of their appearance with a Company customer before a court of law.



9.5Vendor represents, and warrants that it is familiar with, all applicable domestic and foreign anti-bribery or anticorruption laws, including, without limitation, the UK Bribery Act 2010, US Foreign Corrupt Practices Act and other laws prohibiting the Company and/or Vendor, and, if applicable, its officers, employees, agents and others working on its behalf, from taking actions in furtherance of an offer, payment, promise to pay or authorization of the payment of anything of value, including but not limited to cash, checks, wire transfers, tangible and intangible gifts, favors, services, offers of employment and those entertainment and travel expenses that go beyond what is reasonable and customary and of modest value, to: (i) an executive, official, employee or agent of a governmental department, agency or instrumentality, (ii) a director, officer, employee or agent of a wholly or partially government-owned or -controlled company or business, (iii) a political party or official thereof, or candidate for political office, or (iv) an executive, official, employee or agent of a public international organization (e.g., the International Monetary Fund or the World Bank) (“Government Official”) or any other person; while knowing or having a reasonable belief that all or some portion will be used for the purpose of rewarding or: (a) influencing any act, decision or failure to act by a Government Official in his or her official capacity; (b) inducing a Government Official to use his or her influence with a government or instrumentality to affect any act or decision of such government or entity; (c) inducing any person to use his or her influence to improperly affect any act or decision of their employer; or (d) securing an improper advantage, in order to obtain, retain, or direct business (the “Anti-Bribery and Corruption Laws”). 
The Vendor agrees that it will immediately notify the Company in writing in the event that it becomes aware of any conduct that would violate Anti-Bribery and Corruption Laws, or that it is being investigated by any government body for conduct potentially in violation of the Anti-Bribery and Corruption Laws.
9.6 Vendor represents and warrants that it currently complies with the Anti-Bribery and Corruption Laws, and will remain in compliance with all applicable laws; that it will not authorize, offer or make payments directly or indirectly to any Government Official; and that no part of the payments received by it (whether compensation or otherwise) from Company will be used for any purpose that could constitute a violation of any Anti-Bribery and Corruption Laws.
9.7Vendor represents and warrants that neither it nor its Representatives and/or Subcontractors is the subject of any sanctions administered or enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the United Nations Security Council (“UNSC”), the European Union (“EU”), Her Majesty’s Treasury (“HMT”), or other relevant sanctions authority (collectively, “Sanctions”), nor is the Vendor, or its Representatives or Subcontractors located, organized or resident in a country or territory that is the subject of Sanctions. Vendor represents and warrants that neither it nor its Representatives and/or Subcontractors has violated, and during the term of this Agreement will not violate or cause Company to be in violation of, any Sanctions.
9.8 THE WARRANTIES CONTAINED IN THIS AGREEMENT ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THOSE OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Upon request, Vendor shall provide its fraud policy which addresses the following components: list of the fraud risks associated with the Products and/or Services performed for Company, controls in place for prevention, detection, monitoring and remediation of such fraud risks, including the logging and tracking of suspicious activity immediately upon discovery.  In the event that Vendor or a Subcontractor discovers any unusual or potentially suspicious activity arising in connection with the Products and/or Services, including without limitation activity that could be indicative of fraud, money laundering, terrorist financing or other financial crimes, Vendor shall treat such information as Confidential Information and either: (a) file an online referral through The Referral Management System (“TRMS”) for Company; or, (b) if Vendor does not have access to the Company TRMS system, immediately notify and cooperate with the appropriate Relationship Manager of such activity to ensure proper reporting and escalation of such activity within Company. Vendor shall not inform those suspected of such activity that the activity is under review or that Company has been notified.



















10.0     FINANCIAL RESPONSIBILITY
10.1Upon Company’s request, Vendor shall promptly furnish its audited financial statements in English or translated to English, when applicable, as prepared by or for Vendor, including without limitation Vendor’s balance sheets, statements of income and retained earnings and statements of changes in financial position and auditor’s letter. If appropriate, such financial statements may be consolidated with those of Vendor’s Affiliates. All financial statements shall be prepared in accordance with Generally Accepted Accounting Procedures. If Vendor is subject to laws and regulations of the U.S. Securities & Exchange Commission (“SEC”), the financial reporting and notification requirements contained herein shall be limited to all information that is legally permitted to be provided and at such times as it is legally permitted to be provided, under securities laws, rules and regulations applicable to Vendor. Financial information provided hereunder shall be used by Company solely for the purpose of determining Vendor’s ability to perform its obligations under this Agreement. To the extent any such financial information is not otherwise publicly available, it shall be deemed Confidential Information (as defined in the SECTION entitled "CONFIDENTIALITY") of Vendor. If Company’s review of financial statements causes Company to question Vendor’s ability to perform its duties hereunder, Company may request, and Vendor shall provide to Company within ten (10) business days of receipt of Company’s request, reasonable assurances of Vendor’s ability to perform its duties hereunder. 
If Vendor fails to respond within such ten (10) business day period, or if Company in its reasonable discretion believes that Vendor’s assurances are not sufficient to address Company’s concerns, Company may issue a written notice indicating that Vendor has failed to provide reasonable assurances as required in this Section and setting forth the basis for Company’s determination; provided, however, that Company’s failure to provide such notice shall not prevent or limit the exercise of Company’s remedies under this Agreement for Vendor’s failure to provide reasonable assurance, and irrespective of the giving of notice, such failure shall be deemed a material breach of this Agreement and comprising a Termination Event as provided in the SECTION of this Agreement entitled “TERMINATION.” Furthermore, and without waiver of Company’s rights under the SECTION entitled "TERMINATION,” Vendor shall notify Company immediately in the event there is, or based on the then current circumstances a strong likelihood of, a change of control or material adverse change in Vendor’s business or financial condition.
11.0     BUSINESS CONTINUITY
11.1 Definitions:

Business Continuity Planning – is the process of developing a Business Continuity Plan that enables the Vendor to respond to an event in such a manner that critical business functions can continue within planned levels of disruption.

Business Continuity Management Program – the ongoing management and governance process supported by executive management and appropriately resourced to coordinate the efforts of Business Continuity Planning and Disaster Recovery Planning, and to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of services through training, testing, maintenance and review.

Business Continuity Plan – Vendor’s policies and procedures and advance arrangements to maintain or resume business in the event of a disruption or disaster, including both technology recovery capability and business unit recovery capability. For the purposes of this Agreement, the Business Continuity Plan shall also include contingency exercise and testing schedules and contingency exercise final reports, including, but not limited to, disaster scenario descriptions, contingency exercise scope and objectives, detailed tasks, exercise issues lists and remediation plans, and exercise results.

Disaster Recovery Planning – the process of developing a Business Continuity Plan that enables the Vendor to minimize loss and ensure continuity of its critical business functions in the event of a disaster, including the continued availability and restoration of the Vendor’s information technology infrastructure and telecommunications.
11.2Vendor shall establish prior to the Effective Date, and maintain during the Term, a Business Continuity Management Program that includes all aspects of Business Continuity Planning and Disaster Recovery Planning. The Business Continuity Management Program and the resulting Business Continuity Plan shall cover all the Services to be provided under this Agreement, and address the applicable business continuity requirements described in the SCHEDULE entitled "RECOVERY" and the Bank Security Requirements. The Business Continuity Management Program must have been approved by the Vendor’s board of directors or applicable board-delegated executive management or management committee within twelve (12) months prior to the Effective Date and at least on an annual basis thereafter. Prior to the Effective Date and annually thereafter, Vendor shall provide Company with the opportunity to review and evaluate the Business Continuity Management Program, including the Business Continuity Plan, and shall remediate any findings. Such review and evaluation may include participation in Company’s (a) third party assessment program (or any successor program) including the completion of online and/or on-site assessment(s), as appropriate, and (b) recovery testing of a mutually agreed-upon scope and frequency. Company acknowledges and agrees that the information Vendor provides to Company under this subsection is and shall be Confidential Information, as defined in this Agreement, and is the valuable proprietary information of Vendor.

11.3Vendor shall continually assess its Business Continuity Management Program and risks to the loss of service of systems acquired or maintained by Vendor and its agents and Subcontractors in connection with Services, including (a) identification and monitoring of events that could cause disruption to the Services, (b) assessment of likelihood of such events and potential damage, and (c) assessment of the sufficiency of policies, procedures and systems of Vendor and its agents and Subcontractors and other arrangements in place to control such risks. Vendor shall promptly notify Company of any significant changes to Vendor's Business Continuity Management Program and/or Business Continuity Plan(s) pertaining to the Services, and upon request, provide Company with an opportunity to review and evaluate the changes to the Vendor's Business Continuity Management Program and Business Continuity Plan(s).
11.4In the event of a disaster or any other disruption event that prevents or impairs Vendor from providing the Services, Vendor will notify Company and immediately implement its Business Continuity Plan to restore and continue providing the Services to meet the recovery objectives contained in the SCHEDULE entitled "RECOVERY." Upon cessation of the disaster or disruption event, Vendor will as soon as reasonably practicable, provide Company with an incident report detailing the reason for the disaster or disruption and all actions taken by Vendor to resolve the disaster or disruption. In addition, Vendor shall also immediately notify Company of any Technology Incidents and/or Business Operations Incidents affecting the Services by reporting them to Command Center at ###-###-####. A “Technology Incident” is any actual or potential technology disruption of an application, technology infrastructure component, or IT service. A “Business Operations Incident” is a failure or disruption to normal business operations resulting from inadequate or failed internal processes, human errors, deliberate acts, or external events.
11.5If Vendor fails to recommence providing the Services within the prescribed period, Company shall have, in addition to any other rights of Company hereunder, the right to retain a third party to provide such Services or to perform the affected Services itself for so long as the impairment or disruption continues. If either Vendor or Company retains a third party to provide the affected Services, then Vendor agrees to pay to the third party or reimburse Company for the excess cost of such third party (costs above amounts that would have been paid to Vendor under this Agreement), and the costs of transfer to such party shall be at Vendor’s expense. If Company performs the affected Services itself, then Vendor agrees to reimburse Company for any costs or expenses Company incurs to perform the affected Services less any amounts that would have been paid to Vendor under this Agreement.
11.6No failure, delay or default in performance of any obligation of a Party to this Agreement or any Order shall constitute an event of default or breach of this Agreement or such Order to the extent that such failure, delay or default in performance (i) arises out of a Force Majeure Event (hereinafter defined), (ii) is beyond the control and without negligence of such Party, (iii) is promptly and thereafter diligently addressed by the affected Party to minimize the consequences, and (iv), in the case of Vendor, is not caused by Vendor’s non-compliance with the business continuity requirements as provided in this Agreement or in any Order. “Force Majeure Event” shall mean fire; flood, earthquake, wind or other natural disaster; war, riot or civil disorder; strike, lockout or other labor dispute; and embargo, quarantine or similar governmental action. A Party desiring to rely upon the foregoing as an excuse from performance shall give to the other Party prompt notice in writing of the facts which excuse performance including when such facts first arose. When such facts cease to exist, the Party claiming excuse from performance shall give prompt notice thereof to the other Party. If a Force Majeure Event causes a material failure, delay or default in Vendor’s providing of all or any part of the Services for more than five (5) consecutive calendar days, Company may, at its election, and in addition to any other rights Company may have under this Agreement and any Order or at law or in equity, procure the affected or similar Services from an alternate source or perform the affected or similar Services itself until Vendor is again able to provide the affected Services. 
Company shall continue to pay Vendor as provided under this Agreement or any Order, less any amounts payable by Company to the alternate source or less any costs or expenses Company incurs to perform the affected or similar Services itself, but Vendor shall not be entitled to any additional payments as a result of the Force Majeure Event.
12.0 RELATIONSHIP OF THE PARTIES
12.1 The Parties are independent contractors. Nothing in this Agreement or in the activities contemplated by the Parties hereunder shall be deemed to create an agency, partnership, employment or joint venture relationship between the Parties or any of their Subcontractors or Representatives.
13.0 VENDOR PERSONNEL
13.1 Company shall provide Vendor, if necessary and at a mutually agreed upon time, reasonable access to Company to provide its Services, subject to the existing security regulations at Company.
13.2Vendor's personnel are not eligible to participate in any of the employee benefit or similar programs of Company. Vendor shall inform all of its personnel providing Services pursuant to this Agreement that they will not be considered employees of Company for any purpose, and that Company shall not be liable to any of them as an employer for any claims or causes of action arising out of or relating to their assignment. Vendor is and shall be solely responsible for determining the classification of its employees/independent contractors and shall indemnify Company and its Affiliates from and against any claims relating to employee classification pursuant to the Section of this Agreement entitled “INDEMNITY.”
13.3Upon the request of Company and after consultation with Company, Vendor shall promptly address any reasonable concerns or issues raised by Company regarding any of Vendor’s Representatives or Subcontractors performing Services under this Agreement. If any such concerns or issues are not adequately addressed in Company’s sole discretion, Vendor shall promptly remove from Company’s account any of the applicable Vendor’s Representatives or Subcontractors and replace the same on Company’s account as soon as practicable. Without limiting Vendor’s obligations under the SECTION entitled “REPRESENTATIONS AND WARRANTIES OF VENDOR,” Vendor shall comply and shall cause its Representatives and Subcontractors to comply with all Company requirements for training of personnel performing Services under this Agreement and shall provide certification of completion of such training to Company when requested.
13.4Vendor shall obtain Company’s prior written consent before Vendor: (a) engages any Subcontractor to perform any work or Services under the Agreement, (b) replaces a previously approved Subcontractor with a new Subcontractor, (c) gives a new scope of work to a previously approved Subcontractor, (d) materially changes the scope of work of a previously approved Subcontractor, or (e) authorizes Subcontractor to begin performing work or Services from a location outside of the United States. Vendor must obtain such consent before the Subcontractor commences any work or Services on a Company account. Company’s consent may not be unreasonably withheld, and shall not relieve Vendor of any of its obligations under this Agreement. Vendor shall be responsible for the performance or nonperformance of its Subcontractors as if such performance or nonperformance were that of Vendor. Vendor shall require all Subcontractors, as a condition to their engagement, to agree to be bound by provisions substantially the same as those included in this Agreement particularly the SECTIONS entitled “VENDOR PERSONNEL,” “INSURANCE,” “CONFIDENTIALITY,” “INFORMATION PROTECTION,” “AUDIT” and "BUSINESS CONTINUITY."
13.5Vendor shall comply and shall cause its Representatives and Subcontractors to comply with all personnel, facility, safety and security policies, rules and regulations and other instructions of Company when performing work at a Company facility or accessing any Company systems or data, and shall conduct its work at Company facilities or on Company systems in such a manner as to avoid endangering the safety of, or interfering with the convenience of, Company Representatives or customers. Vendor understands that Company operates under various laws and regulations that are unique to the security-sensitive banking industry. As such, persons engaged by Vendor to provide Services under this Agreement are held to a higher standard of conduct and scrutiny than in other industries or business enterprises. Vendor represents that its Representatives and Subcontractors providing Services hereunder shall possess appropriate character, disposition and honesty for the Services for which they are engaged. Vendor shall not knowingly permit a Representative or Subcontractor to be assigned to perform the Services for Company when such Representative or Subcontractor (a) has been convicted of, or has agreed to or entered into a pretrial diversion or similar program in connection with, a felony or misdemeanor involving dishonesty or a breach of trust as set forth in Section 19 of the Federal Deposit Insurance Act, 12 U.S.C. 1829(a); (b) unless Vendor obtains Company’s prior written consent, has been convicted of any other felony; or (c) uses illegal drugs. With respect to Vendor or Subcontractor employees who require Company credentials to perform work using Company data or systems, Company reserves the right to review such Vendor or Subcontractor employees’ past employment with Company, if any, and to determine, in its sole and absolute discretion, whether to grant or deny such credentials. 
In the event Company determines to deny such credentials based on the results of its review, Vendor or the Subcontractor shall not assign such Vendor or Subcontractor employee to that portion of the Services requiring such credentials.
13.6 With respect to employees or contract labor assigned by Vendor or any Subcontractor to perform the Services for Company, Vendor shall both (i) to the extent permitted by law, conduct at its expense background checks and other investigations of Vendor’s employees and contract laborers, and (ii) ensure Vendor’s Subcontractors conduct background checks of the Subcontractor’s employees and contract laborers. All such background checks and other investigations shall comply with Company procedures and requirements as set forth in the SCHEDULE entitled “BACKGROUND CHECKS” to this Agreement and updated in writing delivered to Vendor from time to time, all as subject to Applicable Law. Vendor shall report to Company on background checks and other investigations done prior to an employee or contract laborer being assigned to perform the Services. Vendor shall keep copies of documentation of background screening and other investigations and provide certification of completion to Company when requested during the time that the Vendor or Subcontractor employee or contract laborer provides any of the Services. Additionally, Vendor shall allow Company to audit screening documentation and compliance when requested as provided in the SECTION entitled “AUDIT.”
13.7 Company and Vendor shall each notify the other of any known or suspected crime of dishonesty or breach of trust committed against Company of which the notifying Party becomes aware and which may involve a Vendor Representative or Subcontractor. Following such notice, at the request of Company and to the extent permitted by law, Vendor shall cooperate with investigations conducted by or on behalf of Company.
13.8To the extent Executive Order 13496 applies to this Agreement or the work performed hereunder, the text of 29 CFR Part 471, Appendix A to Subpart A (as amended, modified, restated or supplemented from time to time) is hereby incorporated by reference into this Agreement as if set forth fully herein. Vendor shall comply with all requirements set forth in 29 CFR Part 471, Appendix A to Subpart A, and all promulgated regulations applicable thereto (collectively, “EO 13496 Requirements”). At least annually, and on a more frequent basis as determined by Company, Vendor shall certify in writing, in a form acceptable to Company, that Vendor has fully complied with all EO 13496 Requirements. Failure to comply with the EO 13496 Requirements or the written certification requirements shall be deemed a material breach of this Agreement.
13.9Vendor shall indemnify, defend, and hold harmless Company and its Representatives, successors and permitted assigns from and against any and all claims or legal actions of whatever kind or nature that are made or threatened by any third party or government agency and all related losses, expenses, damages, costs and liabilities, including reasonable attorneys' fees and expenses incurred in investigation, defense or settlement, which arise out of, are alleged to arise out of, or relate to Vendor’s failure to comply with the EO 13496 Requirements. Vendor’s liability pursuant to this subsection shall not be subject to or limited in any way by the limitations set forth in the SECTION entitled “LIMITATION OF LIABILITY.”
13.10Vendor shall comply and cause its Subcontractors, if applicable, to comply with the pertinent provisions of the Patient Protection and Affordable Care Act, as amended by the Health Care and Education Reconciliation Act of 2010 (collectively, the ‘ACA’), including, but not limited to, either avoiding the assessment of employer shared responsibility payments under Section 4980H of the Code or payment of any such payments that are assessed by the IRS. In the event that Vendor and/or its Subcontractor fails to avoid the assessment of employer shared responsibility payments under Section 4980H of the Code, Vendor and/or its Subcontractors shall indemnify, defend and hold Company harmless from all claims, actions, fines, penalties, and liabilities resulting from any such failure, including, but not limited to, any claims, actions, fines, penalties and liabilities imposed on Company with respect to Vendor’s full-time employees arising out of Vendor’s failure to avoid the assessment of employer shared responsibility payments under Section 4980H of the Code with respect to its full-time employees or Vendor’s failure to require its Subcontractors to avoid the assessment of employer shared responsibility payments under Section 4980H of the Code with respect to Subcontractor employees.
14.0 INSURANCE
14.1Vendor shall at its own expense secure and continuously maintain, and shall require its Subcontractors to secure and continuously maintain, throughout the Term, the following insurance with companies qualified to do business in the jurisdiction in which the Services will be performed and rating A-VII or better in the current Best's Insurance Reports published by A. M. Best Company. If such insurance covers only claims made during policy life, insurance shall be maintained for [six] years following expiration or termination of the Term. Vendor shall, within thirty (30) calendar days of the Effective Date and prior to commencing work, and thereafter upon Company’s request, furnish to Company certificates and required endorsements evidencing such insurance. Company shall be named as an “Additional Insured” to the coverages described in subsections (c), (d) and (e) below for the purpose of protecting Company from any expense and/or liability arising out of, alleged to arise out of, related to, or connected with the Services provided by Vendor and/or its Subcontractors. The certificates shall state the amount of all deductibles and self-insured retentions. Vendor shall, or shall cause its insurer to, notify Company in writing at least thirty (30) days in advance of the policy or policies being canceled or materially altered. Vendor and its Subcontractors shall pay any and all costs which are incurred by Company as a result of any such deductibles or self-insured retentions to the extent that Company is named as an “Additional Insured,” and to the same extent as if the policies contained no deductibles or self-insured retention. The insurance coverages and limits required to be maintained by Vendor and its Subcontractors shall be primary and non-contributory to insurance coverage, if any, maintained by Company. 
Vendor and its Subcontractors and their underwriters shall waive subrogation against Company and shall cause their insurer(s) to waive subrogation against Company.

Insurance Coverages
(a) Workers’ Compensation Insurance which shall fully comply with the statutory requirements of all applicable state and federal laws.
(b) Employer’s Liability Insurance which limit shall be one million dollars ($1,000,000) per accident for Bodily Injury and one million dollars ($1,000,000) per employee/aggregate for disease.
(c) Commercial General Liability Insurance with a minimum combined single limit of liability of one million dollars ($1,000,000) per occurrence and two million dollars ($2,000,000) aggregate for bodily injury, death, property damage and personal injury. This policy shall include products/completed operations coverage and shall also include contractual liability coverage.
(d) Business Automobile Liability Insurance covering all owned, hired and non-owned vehicles and equipment used by Vendor with a minimum combined single limit of liability of one million dollars ($1,000,000) for injury and/or death and/or property damage.
(e) Excess/Umbrella coverage with respect to subsections (b), (c) and (d) above with a per occurrence limit of five million dollars ($5,000,000). The limits of liability required in such subsections may be satisfied by a combination of those policies with an Umbrella/Excess Liability policy.
(f) Errors and Omissions coverage with a minimum limit of five million dollars ($5,000,000).
(g) Fidelity Bond or Crime Coverage: Vendor shall be responsible for loss to bank property and customer property, directly or indirectly, and shall maintain Fidelity Bond or Crime coverage for the dishonest acts of its employees in a minimum amount of five million dollars ($5,000,000).
14.2The failure of Company to obtain certificates, endorsements, or other forms of insurance evidence from Vendor and its Subcontractors is not a waiver by Company of any requirements for the Vendor and its Subcontractors to secure and continuously maintain the specified coverages. Vendor shall notify and shall advise its Subcontractors to notify insurers of the coverages required hereunder. Company’s acceptance of certificates and/or endorsements that in any respect do not comply with the requirements of this Section does not release the Vendor and its Subcontractors from compliance herewith. Should Vendor and/or its Subcontractors fail to secure and continuously maintain the insurance coverage required under this Agreement, Vendor shall itself be responsible to Company for all the benefits and protections that would have been provided by such coverage, including without limitation, the defense and indemnification protections.
15.0 CONFIDENTIALITY
15.1The term “Confidential Information” shall mean this Agreement and all data, trade secrets, business information, proprietary and other information of any kind and in whatever form whatsoever or however it may be marked or denominated, including data developed or produced through access to Confidential Information, that a Party (“Discloser”) discloses, in writing, orally, visually or in any other medium, to the other Party (“Recipient”) or to which Recipient obtains access and that relates to Discloser or, in the case of Vendor, to Company or its Affiliates, Representatives, customers, third-party vendors or licensors. Confidential Information includes Associate Information, Personal Information, Customer Information and Consumer Information. A “writing” shall include an electronic transfer of information by e-mail, over the Internet or otherwise. All Confidential Information disclosed by Company and any results of processing such Confidential Information or derived in any way therefrom shall at all times remain the property of Company. Notwithstanding the foregoing, any confidential or proprietary information, reports or documents generated in connection with the provision of Services by Vendor or its Representatives to Company hereunder shall be deemed Company’s Confidential Information.
15.2Subject to the exceptions in subsection 15.8 below, each of the Parties, as Recipient, hereby agrees that it will not, and will cause its Representatives, consultants, Affiliates and independent contractors not to disclose Confidential Information of the other Party during or after the Term of this Agreement, other than on a “need to know” basis and then only: (a) to Affiliates of Company or Vendor; (b) to Recipient’s employees, officers or directors; (c) to Recipient’s Affiliates, Subcontractors, independent contractors at any level, agents, advisors, consultants, accountants and insurers, provided that all such persons are subject to a written confidentiality agreement that shall be no less restrictive than the provisions of this Section, evidence of which shall be provided to Company upon request; (d) where applicable, pursuant to the exceptions set forth in 15 U.S.C 6802(e) and accompanying regulations, which disclosures are made in the ordinary course of business; (e) to bank external regulators and examiners, tax auditors, economic development controllers or others with lawful enforcement and oversight powers over Company and/or its Affiliates ("External Examiners"); and (f) as required by law or as otherwise expressly permitted by this Agreement or an Order. Unless otherwise authorized by this Agreement, Recipient shall not use or disclose Confidential Information of the other Party for any purpose other than to carry out this Agreement. Recipient shall treat Confidential Information of the other Party with no less care than it employs for its own Confidential Information of a similar nature that it does not wish to disclose, publish or disseminate, but in no event less than a commercially reasonable degree of care. 
Upon (i) expiration or termination of this Agreement for any reason or (ii) any time at the written request of Company during the Term of this Agreement, Vendor shall promptly return or destroy according to the Information Destruction and Return Requirements described within the SCHEDULE entitled "INFORMATION SECURITY," at Company’s election, all Company Confidential Information and data in the possession of Vendor or Vendor’s Subcontractors, subject to and in accordance with the terms and provisions of this Agreement. Notwithstanding anything herein to the contrary, Vendor shall have the right to retain a copy of Confidential Information of Company only to the extent required for legal, regulatory, archival or other governmental compliance purposes provided that such retention is in accordance with this Agreement and Bank Security Requirements (hereinafter defined), and when such retention period ends, Company’s Confidential Information subject to such retention shall be promptly destroyed according to the Information Destruction and Return Requirements described within the SCHEDULE entitled “INFORMATION SECURITY.”
15.3To the extent legally permitted, subject to the exceptions in subsection 15.8 below, Recipient shall notify Discloser of any actual or threatened requirement of law to disclose Confidential Information promptly upon receiving actual knowledge thereof and shall cooperate with Discloser's reasonable, lawful efforts to resist, limit or delay disclosure. Nothing in this Section shall require any notice or other action by Company in connection with requests or demands for Confidential Information by External Examiners.
15.4Vendor shall not remove or download from Company’s premises or systems, the original or any reproduction of any data, notes, memoranda, files, records, or other documents, whether in electronic or tangible format, containing Company’s Confidential Information or any document prepared by or on behalf of Vendor that contains or is based on Company’s Confidential Information, without the prior written consent of an authorized Representative of Company. Any document or media expressly provided by an authorized Company Representative for Vendor to retain, or notes taken by Vendor’s Representatives to document discussions with Company Representatives pertaining to specific instructions or clarifications relating to the Services performed hereunder will be deemed to fall outside this consent requirement unless otherwise stated by the Company Representative.
15.5With the exception of Associate Information, Customer Information and Consumer Information or other Personal Information under the Data Protection Laws, the obligations of confidentiality in this Section shall not apply to any information that (i) Recipient rightfully has in its possession when disclosed to it, free of obligation to Discloser to maintain its confidentiality; (ii) Recipient independently develops without access to Discloser’s Confidential Information; (iii) is or becomes known to the public other than by breach of this Section or (iv) is rightfully received by Recipient from a third party without the obligation of confidentiality. Any combination of Confidential Information disclosed with information not so classified shall not be deemed to be within one of the foregoing exclusions merely because individual portions of such combination are free of any confidentiality obligation or are separately known in the public domain. All confidentiality obligations are subject to the exceptions in subsection 15.8 below.
15.6 Company may disclose Confidential Information of Vendor to independent contractors for the purpose of further handling, processing, modifying and adapting the Services for use by or for Company or for developing bank processes, conducting analyses and similar internal purposes, provided that such independent contractors have agreed to observe in substance the obligations of Company set forth in this Section.
15.7Vendor acknowledges that Company is required to comply with the information security standards required by the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)(1)) and the regulations issued thereunder (12 C.F.R. 1016), the Fair Credit Reporting Act (15 U.S.C. 1681, et. seq.) as amended by the Fair and Accurate Credit Transactions Act (15 U.S.C. 1681, 1681w) and the regulations issued thereunder (12 C.F.R. Parts 30 and 41) and with all other federal or state statutory, legal and regulatory requirements applicable to Company regarding the protection and privacy of information relating to individuals, including, by way of example only and not limitation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) (collectively, “the U.S. Privacy Laws”). As applicable to the Services and upon Company’s request, Vendor shall employ commercially reasonable efforts to assist Company to comply with the applicable U.S. Privacy Laws. Furthermore, if Vendor at any time has access to Company Confidential Information covered by the U.S. Privacy Laws, Vendor shall comply and conform with such applicable U.S. Privacy Laws, as amended from time to time, and the applicable Bank Security Requirements.
15.8Notwithstanding the foregoing, this confidentiality provision does not prevent Representatives, consultants, Affiliates and independent contractors from providing information in response to valid and enforceable subpoenas or otherwise required by law or regulation, for financial reporting, or from using this Agreement to enforce its terms, or from making statements related to information that was required to be provided pursuant to such law, regulation, financial reporting requirement and, as a result, became publicly available.  Further, nothing in this Agreement prohibits Representatives, consultants, Affiliates and independent contractors or other individuals from initiating communications directly with, responding to any inquiry from, volunteering information to, or providing testimony before, the Securities and Exchange Commission, the Department of Justice, Financial Industry Regulatory Authority, Inc., any other self-regulatory organization or any other governmental, law enforcement, or regulatory authority, in connection with any reporting of, investigation into, or proceeding regarding suspected violations of law, and no individual is required to advise or seek permission from Company before engaging in any such activity. In connection with any such activity permitted above, individuals should identify any information that is confidential and ask the government agency for confidential treatment of such information. Despite the foregoing, individuals are not permitted to reveal to any third party, including any governmental, law enforcement, or regulatory authority, information an individual came to learn during the course of providing Services under this Agreement that is protected from disclosure by any applicable privilege, including but not limited to the attorney-client privilege, attorney work product doctrine and/or other applicable legal privileges. 
Company does not waive any applicable privileges or the right to continue to protect its privileged attorney-client information, attorney work product, and other privileged information. Additionally, an individual’s ability to disclose information may be limited or prohibited by applicable law and Company does not consent to disclosures that would violate applicable law. Such applicable laws include, without limitation, laws and regulations restricting disclosure of confidential supervisory information or disclosures subject to the Bank Secrecy Act (31 U.S.C. §§ 5311-5330), including information that would reveal the existence or contemplated filing of a suspicious activity report.
15.9 In the event of a breach of Vendor responsibilities under this Section 15 related to statements made by Vendor regarding Company [***], which have not yet been approved by the Company, the Company reserves the right to levy a penalty on the Vendor of [***] due and payable by the Vendor within 30 days of invoice by the Company provided that Company notifies Vendor in writing of its intent to levy the penalty within ninety (90) days of the alleged breach.
16.0 DATA USAGE
16.1 Subject to Section 15, Vendor may: use, reproduce, and retain Aggregated Consumer Information solely for the purposes of delivering the Services outlined in this Agreement including in connection with: [***] Except for the limited rights granted herein for purposes of this Agreement and the use of Aggregated Consumer Information, Vendor shall not otherwise use or retain any Customer Information or Consumer Information. Notwithstanding anything to the contrary to the Agreement, Vendor may not under any circumstances [***].
17.0 INFORMATION PROTECTION
17.1Company’s information security and business continuity practices and standards are described in the Information Security Program Features section within the SCHEDULE entitled “INFORMATION SECURITY” and set forth in the Company Service Provider Security Requirements document (“SPSRD”) provided separately and incorporated into this Agreement by reference. Company may also provide Vendor with documents containing additional information security practices and standards (“Additional Security Documents”) based upon the type of Services being provided or the location from where the Services are provided. Vendor shall comply with those Company information security and business continuity practices and standards described in the Information Security Program Features section within the SCHEDULE entitled “INFORMATION SECURITY” and set forth in the SPSRD and the Additional Security Documents that are applicable to the Services being provided and the classification of the Confidential Information that Vendor will access, store or process (the “Bank Security Requirements”). Vendor acknowledges and agrees that the Bank Security Requirements are Company’s Confidential Information, and are valuable proprietary information of Company. From time to time, Company may, in its sole discretion, modify the Bank Security Requirements and will provide such modified Bank Security Requirements to Vendor. Upon receiving notice of any changed Bank Security Requirements, Vendor shall make commercially reasonable modifications to its Information Security Program or to the Vendor Security Controls thereunder to conform at least to such Bank Security Requirements.
17.2As a condition of access to the Confidential Information of Company, Vendor shall provide Company with an opportunity to review and evaluate a copy of Vendor's and Vendor's Subcontractors written Information Security Program. Vendor’s Information Security Program shall be designed to:
A. Ensure the security, integrity and confidentiality of Company Confidential Information;
B. Protect against any anticipated threats or hazards to the security or integrity of such Confidential Information;
C. Protect against unauthorized access to or use of such Confidential Information that could result in substantial harm or inconvenience to the person or entity that is the subject of such Confidential Information;
D. Ensure the proper disposal of such Confidential Information; and
E. Have network infrastructure, physical and electronic security procedures and controls that protect Company Confidential Information, which meets or exceeds the Bank Security Requirements.
17.3Company may, in its sole discretion and at any time during the Term of this Agreement, suspend, revoke or terminate Vendor's right to access Company Confidential Information upon written notice to Vendor. Upon receipt of such notice, Vendor shall (i) immediately stop accessing and/or accepting Company Confidential Information and (ii) promptly return or destroy according to the Information Destruction and Return Requirements described within the SCHEDULE entitled "INFORMATION SECURITY," at Company’s election, all Company Confidential Information and data in the possession of Vendor or Vendor’s Subcontractors, subject to and in accordance with the terms and provisions of this Agreement. In the event that Company exercises its rights pursuant to this Section and, as a direct result, Vendor becomes unable to perform the Services, then, if such event is not due to Vendor’s action or inaction in breach of the Agreement, Vendor’s performance shall be waived for so long as it remains unable to perform the Services due to the suspension, revocation or termination of its right to access Confidential Information. Notwithstanding anything herein to the contrary, Vendor shall have the right to retain a copy of Confidential Information of Company only to the extent required for legal, regulatory, archival or other governmental compliance purposes provided that such retention is in accordance with this Agreement and Bank Security Requirements, and when such retention period ends, Company’s Confidential Information subject to such retention shall be promptly destroyed according to the Information Destruction and Return Requirements described within the SCHEDULE entitled “INFORMATION SECURITY.”
17.4Vendor shall have responsibility for and bear all risk of loss or damage to Company Confidential Information resulting from improper or inaccurate processing of such Confidential Information arising from the negligence or willful misconduct of Vendor, its Representatives or Subcontractors. Vendor shall also take commercial best measures to prevent the unintended or malicious loss, destruction or alteration of Company's files, Confidential Information, software and other property received and held by Vendor or its Subcontractors. Vendor shall maintain back-up files (including off-site back-up copies) thereof and of resultant output to facilitate their reconstruction in the case of such loss, destruction or alteration, in order to ensure uninterrupted Services in accordance with the terms of this Agreement, its Schedules, Bank Security Requirements and Vendor’s Business Continuity Plan.
17.5For any Subcontractors or other persons or entities who provide services to Vendor for delivery to Company directly or indirectly, or who hold, process or access Company Confidential Information, Vendor shall:
A.    Require such Subcontractors or other persons or entities to implement and administer an information protection program and plan that complies with the Bank Security Requirements;
B.    Include or shall cause to be included in written agreements with such Subcontractors or other persons or entities terms substantially similar to the terms of this Section and the provisions of the SCHEDULE entitled “INFORMATION SECURITY,” and shall provide proof of the same to Company upon its reasonable request;




C.    Require such Subcontractor or other person or entity to permit Company, upon Company’s request, to inspect their physical system equipment, operational environment, and data handling procedures;
D.    Upon Company’s request, secure permission from such Subcontractor or other entity, for Company to conduct security vulnerability and/or penetration testing on such Subcontractor or other entity related to the services being provided;
E.    Require such Subcontractors or other persons or entities to have a security awareness program in place that communicates security policies to all their personnel that have access to Company Confidential Information; and
F.    Require such Subcontractors or other person or entities to notify Vendor, in accordance with the Detection and Response requirements described in the SCHEDULE entitled “INFORMATION SECURITY,” following the discovery of any Significant Security Incident at such Subcontractor or other person or entity. Vendor shall then immediately notify Company of such Significant Security Incident at such Subcontractor or other person or entity in accordance with the notification requirements in the Detection and Response section in the SCHEDULE entitled “INFORMATION SECURITY.”
17.6    One aspect of the determination of Vendor's compliance with the Bank Security Requirements is a review of Vendor Security Controls. As a condition precedent to performance under this Agreement, Vendor agrees to satisfy the following validation requirements:
A.Participation in Company’s vendor testing and assessment process including the completion of online and/or on-site assessment(s), as appropriate, and remediation of any findings;
B.Permit Company or its third party representatives, subject to Vendor’s reasonable security policies and procedures, to inspect the physical system equipment, operational environment, and data handling procedures;
C.Upon prior notice, (i) permit Company or its third party representatives to conduct security vulnerability and/or penetration testing on Vendor, including but not limited to application and network testing, related to the Services; and (ii) permit Company or its third party representatives, following a Significant Security Incident, to conduct security vulnerability and/or penetration testing on Vendor’s systems to test the remediation measures implemented by Vendor after such Significant Security Incident. Application vulnerability and/or penetration testing shall be conducted in a non-production environment with production equivalent security controls;
D.Periodic discussions between Company Representatives and Vendor information technology security personnel to review Vendor Security Controls; and
E.Provide Company the opportunity to review and evaluate (i) network diagrams depicting Vendor perimeter controls and security policies and processes relevant to the protection of Company’s Confidential Information, (ii) detailed information on the Information Security Program Features described within the SCHEDULE entitled "INFORMATION SECURITY," and (iii) the results of any vulnerability and/or penetration testing conducted by Vendor or a qualified third party provider of this service. Examples of the security policies include, but are not limited to, access control, physical security, patch management, password standards, encryption standards, and change control. Company acknowledges and agrees that the information Vendor so provides under this subsection is Vendor’s Confidential Information, as defined in this Agreement, and is valuable proprietary information of Vendor.
17.7    During the course of performance under this Agreement, Vendor shall ensure the following:
A.Adequate governance and risk assessment processes are in place to maintain controls over Confidential Information. A security awareness program must be in place or implemented that communicates security policies to all Vendor personnel having access to Confidential Information.

















B.Notification to Company’s Relationship Manager of: (i) Changes that may impact the security of Company’s Confidential Information, including by way of example and not limitation, outsourcing of computer networking, data storage, management and processing or other information technology functions or facilities, the implementation of external web-enabled (Internet) access to Company’s Confidential Information, and the storage or processing of Company’s Confidential Information in a cloud or multi-tenant environment; (ii) Any planned system configuration changes or other changes affecting the Information Security Program or Vendor Security Controls applicable to the security and protection of Company’s Confidential Information, setting forth how such change will impact the security and protection of Company’s Confidential Information; (iii) Any other planned updates, upgrades or service disruptions that may impact Company’s systems, customers or clients, providing both sufficient detail to enable Company to evaluate and test the changes and sufficient lead time to allow Company to prepare for any changes and (iv) the use or planned use of any Model in connection with the Services, including the following documentation: (a) developmental evidence explaining product components and Model purpose and design; (b) products, processes or applications that the Model will support; (c) analysis and support for methodology; (d) procedures used to test or validate Model outputs and results of those procedures; (e) relevant tests that demonstrate Model performance; (f) discussion of the appropriate application of the Model outputs and any limitations; (g) any customization of the Vendor Model for Company use, along with supporting rationale; (h) an executive summary that outlines the purpose of the Model, its limitations and major assumptions; and (i) where applicable, relevant change control procedures. 
No such change which could reasonably be expected by Company to have a material adverse impact on the security and protection of Company’s Confidential Information may be implemented without the prior written consent of the Company’s Relationship Manager, such approval not to be unreasonably withheld or delayed. Vendor shall implement changes only after adhering to rigorous processes to evaluate and test such changes, and Vendor shall notify Company’s Relationship Manager of the results of any changes promptly following the implementation of such changes. In the event of a change identified in item (i) above that results from Vendor’s use of a third party cloud or multi-tenant environment, Vendor shall observe and comply with the requirements set forth in the SCHEDULE entitled “USE OF CLOUD SERVICES.”
C. Notification to Company, in accordance with the Detection and Response requirements described in the SCHEDULE entitled “INFORMATION SECURITY,” following the discovery of any Significant Security Incident at Vendor.
D. Installation and use of a change control process to ensure that access to Vendor’s systems and to Company’s Confidential Information is controlled and recorded.
E. Monitoring for and fixing newly identified system vulnerabilities in accordance with the Protection requirements described in the SCHEDULE entitled “INFORMATION SECURITY.”
F. When applicable, compliance with Bank Security Requirements regarding protection and mitigation of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
G.Use of strong, industry-standard encryption of Company’s Confidential Information (i) transmitted over public networks (e.g. Internet, non-dedicated leased lines), or (ii) contained on any electronic/magnetic media, including any residing at off-site storage facilities.
H.Company’s Confidential Information shall not be stored on any portable media or devices, including without limitation notebook/laptop computers, tablets, smartphones, USB storage devices, external drives, personal digital assistants (e.g. Blackberry) or similar equipment. Use of such devices to store Company’s Confidential Information shall be only as approved by Company (provided however, to the extent that Vendor needs to store Company’s Confidential Information on notebook/laptop computers, tablets, smartphones or personal digital assistants (e.g. Blackberry), use of such devices to store Company’s Confidential Information is permitted without Company approval provided that such notebook/laptop computers, tablets, smartphones and personal digital assistants are configured in a manner designed to secure and protect confidential information, including, but not limited to, the use of strong industry standard encryption and power-on passwords or PINs, and Company Confidential Information is deleted from such mobile devices as soon as it is no longer needed), and security precautions such as encryption of data and remote network connectivity must be addressed in Vendor’s Information Security Program.
I.Implementation of record retention processes and controls and other measures to ensure that all records transferred from Company to Vendor (including without limitation, and as applicable, originals of promissory notes, mortgage documents and other Customer Information) or created by Vendor on behalf of Company, remain within the custody and control of Vendor during the Term and until transferred back to Company.
17.8    Company reserves the right to monitor Vendor-maintained platforms that reside on the Company network. The Vendor may be required, at the expense of Company, to assist with installation, support and problem resolution of Company owned equipment or processes, or to provide an information feed from the Vendor-maintained platform to the Company monitoring processes.








1.34The Information Security Program must have been approved by Vendor’s board of directors or equivalent executive management within twelve (12) months prior to the Effective Date and at least on an annual basis thereafter. Vendor shall continually assess its written Information Security Program and risks to the security of Company Confidential Information and systems acquired or maintained by Vendor and its agents and Subcontractors in connection with the Services, including: (a) identification of internal and external threats that could result in a security breach; (b) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of Company Confidential Information; and (c) assessment of the sufficiency of policies, procedures, and information systems of Vendor and its agents and Subcontractors, and other arrangements in place, to control risks; and take appropriate protection against such risks. Vendor shall promptly notify Company of any significant changes to Vendor's Information Security Program and, upon request, provide Company with an opportunity to review and evaluate the changes to the Vendor's Information Security Program.
17.1Vendor shall use the latest, up-to-date commercially available virus and malicious code detection and protection products on all workstations and servers used to provide software and Services to Company. Vendor shall inform Company, as soon as possible, of any advanced threat that Vendor discovers on such workstations or servers that was not previously detected by any of the Vendor’s deployed virus and malicious code detection and protection measures. By way of example, and not limitation, an “advanced threat” may be software, firmware, code or script intended to perform an unauthorized process with the potential to commit fraud or other criminal activity or to adversely impact the confidentiality, integrity or availability of an information system via backdoors, malicious active content, worms, key loggers or other processes that are designed to cause undesired effects or to continuously monitor and extract data.
17.2Unless prohibited by law, Vendor shall promptly notify Company if it becomes the subject of any regulatory or other investigation or of any government or other enforcement or private proceeding relating to its data handling practices.
18.0 INDEMNITY
18.1Vendor shall indemnify, defend, and hold harmless Company and its Representatives, successors and permitted assigns from and against any and all claims or legal actions of whatever kind or nature that are made or threatened by any third party and all related losses, expenses, damages, costs and liabilities, including reasonable attorneys' fees and expenses incurred in investigation, defense or settlement (“Damages”), which arise out of, are alleged to arise out of, or relate to the following: (a) any negligent act or omission or willful misconduct by Vendor, its Representatives or any Subcontractor engaged by Vendor in the performance of Vendor’s obligations under this Agreement; or (b) any breach in a representation, covenant or obligation of Vendor contained in this Agreement.
18.2Vendor shall defend or settle at its expense any threat, claim, suit or proceeding arising from or alleging infringement, misappropriation or other violation of any Intellectual Property Rights or any other rights of any third party in connection with Work Product or Services furnished under this Agreement. Vendor shall indemnify and hold Company, its Affiliates and each of their Representatives and customers harmless from and against and pay any Damages, including royalties and license fees attributable to such threat, claim, suit or proceeding.
A.If any Work Product or Services furnished under this Agreement, including, without limitation, software, system design, equipment or documentation, becomes, or in Company’s or Vendor's reasonable opinion is likely to become, the subject of any claim, suit, or proceeding arising from or alleging facts that if true would constitute infringement, misappropriation or other violation of, or in the event of any adjudication that such Work Product or Service infringes, misappropriates or otherwise violates, any Intellectual Property Rights or any other rights of a third party, Vendor, at its own expense, shall take the following actions in the listed order of preference: (a) secure for Company the right to continue using the Work Product or Service; or if commercially reasonable efforts are unavailing, (b) replace or modify the Work Product or Service to make it non-infringing; provided, however, that such modification or replacement shall not degrade the operation or performance of the Work Product or Service.
B.The indemnity in the preceding provision shall not extend to any claim of infringement resulting solely from Company's unauthorized modification or use of the Work Product or Service.
18.3Company shall give Vendor notice of, and the Parties shall cooperate in, the defense of any such claim, suit or proceeding, including appeals, negotiations and any settlement or compromise thereof, provided that Company must approve the terms of any settlement or compromise that may impose any unindemnified or nonmonetary liability on Company or that requires any admission of wrongdoing or liability by Company.
19.0 LIMITATION OF LIABILITY
19.1Neither Party shall be liable to the other for any special, indirect, incidental, consequential, punitive or exemplary damages, including, but not limited to, lost profits, even if such Party alleged to be liable has knowledge of the possibility of such damages, provided, however, that the limitations set forth in this Section shall not apply to or in any way limit the obligations of the SECTION entitled “INDEMNITY,” the SECTION entitled “CONFIDENTIALITY,” and the SECTION entitled “INFORMATION PROTECTION,” or Vendor’s gross negligence or willful misconduct.
20.0 VENDOR DIVERSITY
20.1Vendor represents that it is an equal opportunity employer that does not discriminate in employment of persons or awarding of subcontracts because of a person’s race, sex, age, religion, national origin, sexual orientation, gender identity, veteran status, handicap status or any other factor that is irrelevant to the ability to provide products or Services to Company and that provides a workplace free of discrimination or harassment. Vendor shall maintain, implement, and provide to Company upon request, policies and procedures to recruit, develop and retain such diverse Representatives of all types and shall provide, upon Company’s request, reports on its workforce representation by gender and by race.
20.2Vendor acknowledges and supports the Company vendor diversity efforts supporting minority, woman, veteran, disabled veteran, service-disabled veteran, disabled-owned business enterprises, and lesbian, gay, bi-sexual or transgender-owned business enterprises and Historically Underutilized Business Zone business enterprises (also known as HUBZone business enterprises) and Company’s commitment to the participation of such business enterprises in its procurement of goods and services.
20.3Definitions: For purposes of this Agreement, the following are the definitions of “Minority-Owned Business Enterprise,” “Minority Group,” “Woman-Owned Business Enterprise,” “Veteran, Disabled Veteran, Service-Disabled Veteran Owned Business Enterprise,” “Disabled-Owned Business Enterprise,” “Lesbian, Gay, Bisexual or Transgender-Owned Business Enterprise” and “HUBZone Business Enterprise.”

A."Minority-Owned Business Enterprise" is recognized as a "for profit" enterprise, regardless of size, physically located in the United States or its trust territories, which is at least fifty-one percent (51%) owned, operated and controlled, by one or more member(s) of a Minority Group who maintain United States citizenship.

B."Minority Group" means African Americans, Hispanic Americans, Native Americans (American Indians, Eskimos, Aleuts, and native Hawaiians), Asian-Pacific Americans, and other minority group as recognized by the United States Small Business Administration Office of Minority Small Business and Capital Ownership Development.

C."Woman-Owned Business Enterprise" is recognized as a "for profit" enterprise, regardless of size, located in the United States or its trust territories, which is at least fifty-one percent (51%) owned, operated and controlled by a female of United States citizenship. The ownership and control shall be real and continuing and not created solely to take advantage of special programs aimed at vendor diversity.

D.“Veteran, Disabled Veteran, and Service-Disabled Veteran Owned Business Enterprise” is recognized as a “for profit” enterprise, regardless of size, located in the United States or its trust territories, which is at least fifty-one percent (51%) owned, operated, and controlled by a veteran, disabled or service-disabled veteran. The ownership and control shall be real and continuing and not created solely to take advantage of special programs aimed at vendor diversity.

E.“Disabled-Owned Business Enterprise” is recognized as a “for profit” enterprise, regardless of size, located in the United States or its trust territories, which is at least fifty-one percent (51%) owned, operated and controlled, by an individual of United States citizenship with a permanent mental or physical impairment that substantially limits one or more of the major life activities and which has a significant negative impact upon the company’s ability to successfully compete. The ownership and control shall be real and continuing and not created solely to take advantage of special programs aimed at vendor diversity.

F.“Lesbian, Gay, Bi-sexual or Transgender-Owned Business Enterprise” or “LGBT-Owned Business Enterprise” is a “for profit” enterprise, regardless of size, located in the United States or its trust territories, which is at least fifty-one percent (51%) owned, operated and controlled, by an individual of United States citizenship with a certified LGBT certification. Certification for LGBT Businesses can be obtained through the National Gay and Lesbian Chamber of Commerce (www.NGLCC.org). The ownership and control shall be real and continuing and not created solely to take advantage of special programs aimed at vendor diversity.
G.“Historically Underutilized Business Zone or HUBZone Business Enterprise” is a small business as determined under the standards set from time to time by the United States Small Business Administration (“SBA”) or its successors, and which (i) is at least fifty-one percent (51%) owned and controlled by U.S. citizens, a Community Development Corporation, an agricultural cooperative or a federal recognized Indian tribe, (ii) maintains its principal office within a HUBZone as such zones are determined from time to time by the SBA, and (iii) demonstrates that at least thirty-five percent (35%) of its employees reside in a HUBZone.
20.4 In addition to the above criteria to qualify as a Minority-Owned, Woman-Owned, Veteran, Disabled Veteran, and Service-Disabled Veteran Owned, Disabled-Owned, LGBT-Owned Business Enterprise or HUBZone Business Enterprise under this Agreement, the diverse vendor must be certified by an agency acceptable to Company.
20.5 Participation Representation: Vendor represents it is not a Minority, Woman, Disabled, Veteran, Disabled Veteran, Service-Disabled Veteran, LGBT-Owned or HUBZone Business Enterprise. Vendor represents that, upon the execution of this Agreement, it is a publicly traded company.

A.During the Term of this Agreement, at no additional charge to Company and consistent with the efficient performance of this Agreement, Vendor shall, regardless of Vendor’s Diversity Participation Representation, obtain from Minority-Owned Business Enterprise(s), Woman-Owned Business Enterprise(s), Disabled-Owned Business Enterprise(s), Veteran, Disabled Veteran, Service-Disabled Veteran Owned Business Enterprises(s), and LGBT Owned Business Enterprise(s) and HUBZone Business Enterprise(s) as Vendors or Subcontractors to Vendor, a quantity of goods and services that is equal to or greater in dollar amount to five percent (5%) of Company’s total revenue earned under this Agreement.    

B. Reports. Vendor shall provide Company, in a format acceptable to Company, one report a calendar year which specifies the total amounts invoiced by and paid collectively to Minority-Owned, Woman-Owned, Disabled-Owned, LGBT-Owned, Veteran, Disabled Veteran, Service-Disabled Veteran Owned, HUBZone Business Enterprises for the previous calendar year for which the Vendor remitted invoices. Vendor shall report the previous year spend beginning Q1 2023. Provided, however, that Vendor’s failure to meet such diversity spend commitment outlined in Sections 19.12(A)-(B) shall not constitute a breach of the Agreement.
C.Disability Inclusion Assessment.  Upon request, Vendor shall report to Company the results of its participation in an annual assessment, conducted or administered by a nationally recognized assessor, of its disability inclusion performance, such as the Disability Equality Index from Disability:IN and the American Association of People with Disabilities, Disability Employment Tracker™ from the National Organization on Disability, or the BenchmarkABILITY tool from Cornell University.  The provisions of this Section shall apply only to Services rendered in the United States; any diversity requirements to be applied for Services rendered outside of the United States

21.0 ENVIRONMENTAL, SOCIAL, AND GOVERNANCE
21.1Vendor shall use beneficial practices to control and reduce the environmental and social impacts of its operations in line with best practices of Vendor’s industry in the location or locations of Vendor’s operations. Vendor shall maintain, implement and provide to Company upon request, its environmental, social and governance (ESG) policies and procedures which are directed at a senior executive level.
21.2Vendor shall establish environmental management procedures and initiatives to measure and mitigate any potential negative environmental impacts associated with its operations, products and services including, energy and water consumption, greenhouse gas emissions, waste and, if applicable, hazardous materials.
21.3Vendor shall publish public goals to reduce the environmental impacts of its operations, products and services, and publicly disclose its progress relative to these commitments.
21.4 In addition to ensuring compliance with Applicable Laws, Vendor shall maintain policies and procedures, which shall be provided to Company upon request, that effectively address the following topics:
(a) Grievance Mechanism. Vendor shall provide its Representatives with access to transparent and confidential processes to raise workplace concerns. Vendor shall investigate such concerns fairly, provide a clear resolution, and prevent retaliation against such Representatives.
(b) Fair Wages and Benefits. Vendor shall provide fair and competitive compensation and benefits to Representatives that meets or exceeds the requirements of Applicable Law or, where legal requirements do not exist, provides for an adequate standard of living for all Representatives.
(c) Freely Chosen Employment. Vendor shall not withhold wages or security payments, confiscate identity documents, allow Representatives to pay recruitment fees or restrict movement of Representatives. Vendor shall document terms of employment, including compensation and benefits, in a written agreement. No involuntary work of any type is permitted, including, but not limited to: forced or compulsory labor, trafficked labor, indentured labor, bonded labor, involuntary prison labor, or forced overtime.
(d) Child Labor. Vendor shall have age verification procedures and policies to prevent workers under the age of 18 from performing hazardous work.
(e) Safe Workplace Conditions. Vendor shall maintain and implement occupational health and safety programs, as well as the provision of appropriate personal protective equipment, potable drinking water, clean toilet facilities, adequate lighting, temperature, ventilation and sanitation and, if applicable, safe and healthy worker accommodations.
21.5 Vendor shall satisfy validation requirements to ensure its compliance with the requirements of this Section, including, providing copies of its relevant policies, procedures and participation in Company’s assessment questionnaires, on-site audits, reporting or other means of due diligence requested by Company.
21.6 For Vendors and their Subcontractors with at least fifty (50) employees, Vendor shall pay Vendor personnel, and shall ensure that Subcontractors pay Subcontractor personnel, who are working in the United States and are providing Services exclusively to Company under this Agreement a minimum rate of pay of fifteen dollars ($15) per hour. Personnel are deemed to provide Services exclusively to Company when all of their hours worked in the United States for Vendor in any pay period are dedicated to providing Services to Company.
22.0 AUDIT
22.1 Company may, at its sole expense, perform confidential audits, tests and inspections of all aspects of Vendor’s and Vendor’s Representatives and Subcontractors policies, procedures, controls and operations as they pertain to the Services provided under this Agreement and Vendor’s obligations, covenants and representations under this Agreement, including, without limitation, Vendor’s processes and procedures concerning compliance with Applicable Laws, for providing information to be used for detecting and preventing money laundering, terrorist financing and other financial crimes, and for identifying and preventing fraud. Such audits, tests or inspections are in addition to, and not in lieu of, any other audits, tests or inspections permitted elsewhere under this Agreement. Such audits shall be conducted on a mutually agreed upon date (which shall be no more than ten (10) Business Days after Company’s written notice of time, location and duration), subject to reasonable postponement by Vendor upon Vendor’s reasonable request, provided, however, that no such postponement shall exceed twenty (20) Business Days, and shall be conducted during regular business hours but no more frequently than once per year unless (i) Company has a reasonable concern of operational or compliance risks or knowledge of significant regulatory change that would warrant additional audits, tests or inspections, or (ii) the annual audit results in findings of noncompliance as provided below in this subsection. Company will provide Vendor a summary of the findings from each report prepared in connection with any such audit and discuss results, including any remediation plans. If audit results find Vendor is not in substantial compliance with the requirements of this Agreement, then Company shall be entitled, at Vendor’s expense, to perform up to two (2) additional such audits in that year in accordance with the procedure set forth in this Section.
Vendor agrees to promptly take action at its expense to correct those matters or items identified in any such audit that require correction. Failure to correct such matters shall be considered a material breach of this Agreement. Any restrictions on the frequency of audits performed by Company under this Section shall not apply to any such audit that Company reasonably deems necessary to ensure that Vendor’s performance of Services complies with the representations and warranties set forth in the SECTION of this Agreement entitled "REPRESENTATIONS AND WARRANTIES OF VENDOR."
22.2 Vendor shall maintain at no additional cost to Company, in a reasonably accessible location, all Records pertaining to its Services provided to Company under this Agreement. For Records that are owned by Vendor, such retention shall be for not less than the period required by Applicable Laws, or if no legal requirement exists, for such period as dictated by prudent business practice or as otherwise directed by Company. For Records that are owned by the Company and are held by Vendor on the Company’s behalf in connection with the Services, such retention shall be as directed by the Company. Such Vendor Records referenced above may be inspected, audited and copied by Company, its Representatives or by federal or state agencies having jurisdiction over Company, during normal business hours and at such reasonable times as Company and Vendor may determine. Records available for review shall exclude any records pertaining to Vendor’s other customers deemed proprietary and confidential and Vendor confidential and proprietary records not associated with the Services provided under the Agreement. Vendor will give prior notice to Company of requests by federal or state authorities to examine Vendor’s Company Records. At Company’s written request, Vendor shall reasonably cooperate with Company in seeking a protective order with respect to such Records.
22.3 Vendor shall provide a copy of the latest operational audit for facilities not managed by Company that are used to provide Services under this Agreement. If necessary, Vendor, at its sole cost and expense, will engage a nationally recognized certified public accounting firm within the jurisdiction of the country of contract to conduct the audit and prepare applicable reports. Each report will cover a minimum consecutive six (6) calendar month period each calendar year during the Term. Such audits may be on a rotating site basis where operations and procedures of Vendor Services provided to Company are in multiple locations in order to confirm that Vendor is in compliance in all aspects of the Agreement. Vendor shall provide Company with a copy of each report prepared in connection with each such audit within thirty (30) calendar days after it receives such report.
22.4 Upon prior written notice and at a mutually acceptable time, Company personnel or its Representatives (e.g., independent and external audit consultants) may audit, test or inspect Vendor’s Information Security Program and its practices, systems, equipment, hardware and facilities to assure Company’s data and Confidential Information are adequately protected. This right to audit is in addition to the other audit rights granted herein. Company will determine the scope of such audits, tests or inspections, which may extend to Vendor’s Subcontractors and other Vendor resources (other systems, environmental support, recovery processes, etc.) used to support the systems and handling of Confidential Information. The foregoing audit rights may include, without limitation, audits: (a) of practices and procedures; (b) of systems; (c) of general and specific controls and security practices and procedures; (d) of disaster recovery and backup procedures; (e) of charges under any Order; (f) necessary to enable Company to meet applicable regulatory requirements; and (g) for any other reasonable purpose as determined by Company. Vendor shall provide full cooperation to such auditors, inspectors, regulators and Representatives, including the installation and operation of audit and investigative and forensic software. Vendor will inform Company of any internal auditing capability it possesses and permit Company’s personnel or its Representatives to consult on a confidential basis with such auditors at all reasonable times. Company may provide Vendor a summary of the findings from each report prepared in connection with any such audit and discuss results, including any remediation plans. Independent external auditors are subject to the provisions contained in the "CONFIDENTIALITY" SECTION of this Agreement. In no event shall Representatives be required to execute a separate non-disclosure or confidentiality agreement in connection with performing such audit.
Notwithstanding anything to the contrary in this Agreement, if Vendor is in breach or otherwise not compliant with any of the provisions set forth in the SECTIONS of this Agreement entitled “CONFIDENTIALITY” and “INFORMATION PROTECTION” and/or the SCHEDULE entitled "INFORMATION SECURITY," then Company may conduct additional audits.
22.5 Vendor will provide reasonable access to Company’s federal and state governmental regulators (at a minimum, to the extent required by law), at Company’s expense, to Company’s Records held by Vendor and to the procedures and facilities of Vendor relating to the Services provided under this Agreement. Pursuant to 12 U.S.C. 1867(c), the performance of such Services will be subject to regulation and examination by the appropriate federal banking agency to the same extent as if the Services were being performed by Company itself. Vendor acknowledges and agrees that regulatory agencies may audit Vendor’s performance of Services to Company at any time during normal business hours and that such audits may include both methods and results under this Agreement.
22.6 In addition to the requirements under this Section and upon Company’s request, Vendor shall deliver to Company, within thirty (30) calendar days after its receipt by its board of directors or senior management, a copy of (i) any final report of audit of Vendor by any third-party auditors retained by Vendor, including any management letter such auditors submit, (ii) any internal audit that examines anti-money laundering processes and/or procedures employed by Vendor in delivering the Services, and (iii) any other audit or inspection upon which Company and Vendor may mutually agree.
22.7 Records required to be maintained by Vendor shall include without limitation documentation of Vendor’s adhering to the Company’s policy and standards and regulatory requirements related to complaint handling processes, procedures and controls for quality assurance, quality control, records retention, personnel training, compliance with legal requirements, handling of customer complaints and such other documentation necessary to establish Vendor’s compliance with the requirements of this Agreement (including without limitation the representations and warranties set forth in the SECTION entitled “REPRESENTATIONS AND WARRANTIES OF VENDOR”) and all pertinent Schedules and Exhibits hereto and any applicable Order.
22.8 Vendor shall, on Vendor’s premises, provide to Company and such auditors and inspectors as Company may designate in writing, space, office furnishings (including lockable cabinets), telephone and facsimile service, utilities and office-related equipment and duplicating services as Company or such auditors and inspectors may reasonably require to perform the audits described herein.
23.0 NON-ASSIGNMENT
23.1 Neither Party may assign this Agreement or any of the rights hereunder or delegate any of its obligations hereunder, without the prior written consent of the other Party, and any such attempted assignment shall be void, except that Company or any permitted Company assignee may assign any of its rights and obligations under this Agreement (including, without limitation, any individual Order) to any Company Affiliate, the surviving corporation with or into which Company or such assignee may merge or consolidate or an entity to which Company or such assignee transfers all, or substantially all, of its business and assets or all or substantially all of the business and assets of any Affiliate, subsidiary or division.
23.2 Notwithstanding anything to the contrary in this Agreement, Company shall be entitled to assign, transfer (including, without limitation, by way of novation) or otherwise dispose, in whole or in part, of any of its rights and obligations under this Agreement (including, without limitation, any individual Order) without the prior written consent of the Vendor to any Special Resolution Recipient, in each case, solely in connection with any Special Resolution Event. Any provision in this Agreement that provides that an assignment is in breach of that provision shall be void shall not apply to any exercise by Company of its rights under this Section.
24.0 GOVERNING LAW
24.1 This Agreement shall be governed by the internal laws, and not by the laws regarding conflicts of laws, of the State of New York. Each Party hereby submits to the exclusive jurisdiction of the courts of such state, and waives any objection to venue with respect to actions brought in such courts. This provision shall not be construed to conflict with the provisions of the SECTION entitled “MEDIATION/ARBITRATION.”
25.0 DISPUTE RESOLUTION
25.1 The following procedure will be adhered to in all disputes arising under this Agreement which the Parties cannot resolve informally through their Relationship Managers. The aggrieved Party shall notify the other Party in writing of the nature of the dispute with as much detail as possible about the deficient performance of the other Party. The Relationship Managers shall meet (in person or by telephone) within fourteen (14) calendar days (or other mutually agreed upon date) after the date of the written notification to reach an agreement about the nature of the deficiency and the corrective action to be taken by the respective Parties. If the Relationship Managers do not meet or are unable to agree on corrective action, senior managers of the Parties having authority to resolve the dispute without the further consent of any other person ("Management") shall meet or otherwise act to facilitate an agreement within fourteen (14) calendar days (or other mutually agreed upon date) of the date of the written notification. If Management does not meet or cannot resolve the dispute or agree upon a written plan of corrective action to do so within seven (7) calendar days (or other mutually agreed upon date) after their initial meeting or other action, or if the agreed-upon completion dates in the written plan of corrective action are exceeded, either Party may request mediation and/or arbitration as provided for in this Agreement. Except as otherwise specifically provided, neither Party shall initiate arbitration, mediation or litigation unless and until this dispute resolution procedure has been substantially complied with or waived. Failure of a Party to fulfill its obligations in this Section, including failure to meet timely upon the other Party’s notice, shall be deemed such a waiver.
26.0 MEDIATION/ARBITRATION
26.1 If the Parties are unable to resolve a dispute arising out of or relating to this Agreement in accordance with the SECTION entitled “DISPUTE RESOLUTION,” the Parties will in good faith attempt to resolve such dispute through non-binding mediation. The mediation shall be conducted before a mediator acceptable to both sides, who shall be an attorney or retired judge practicing in the areas of banking and/or information technology law. The mediation shall be held in New York, NY.
26.2 Any controversy or claim, other than those specifically excluded, between or among the Parties not resolved through mediation under the preceding provision, shall at the request of a Party be determined by arbitration. The arbitration shall be conducted by one independent arbitrator who shall be an attorney or retired judge practicing in the areas of banking and/or information technology law. The arbitration shall be held in New York, NY in accordance with the United States Arbitration Act (9 U.S.C. 1 et seq.), notwithstanding any choice of law provision in this Agreement, and under the auspices and the Commercial Arbitration Rules of the American Arbitration Association.
26.3 Consistent with the expedited nature of arbitration, each Party will, upon the written request of the other Party, promptly provide the other with copies of documents relevant to the issues raised by any claim or counterclaim on which the producing Party may rely in support of or in opposition to any claim or defense. At the request of a Party, the arbitrator shall have the discretion to order examination by deposition of witnesses to the extent the arbitrator deems such additional discovery relevant and appropriate. Depositions shall be limited to a maximum of three (3) per Party and shall be held within thirty (30) calendar days of the making of a request. Additional depositions may be scheduled only with the permission of the arbitrator, and for good cause shown. Each deposition shall be limited to a maximum of three (3) hours duration. All objections are reserved for the arbitration hearing except for objections based on privilege and proprietary or confidential information. Any dispute regarding discovery, or the relevance or scope thereof, shall be determined by the arbitrator, which determination shall be conclusive. All discovery shall be completed within sixty (60) calendar days following the appointment of the arbitrator.
26.4 The arbitrator shall give effect to statutes of limitation in determining any claim, and any controversy concerning whether an issue is arbitrable shall be determined by the arbitrator. The arbitrator shall follow the law in reaching a reasoned decision and shall deliver a written opinion setting forth findings of fact, conclusions of law and the rationale for the decision. The arbitrator shall reconsider the decision once upon the motion and at the expense of a Party. The SECTION of this Agreement entitled “CONFIDENTIALITY” shall apply to the arbitration proceeding, all evidence taken, and the arbitrator’s opinion, which shall be Confidential Information of both Parties. Judgment upon the decision rendered by the arbitrator may be entered in any court having jurisdiction.
26.5 No provision of this Section shall limit the right of a Party to obtain provisional or ancillary remedies from a court of competent jurisdiction before, after, or during the pendency of any arbitration. The exercise of a remedy does not waive the right of either Party to resort to arbitration. The institution and maintenance of an action for judicial relief or pursuit of a provisional or ancillary remedy shall not constitute a waiver of the right of either Party to submit the controversy or claim to arbitration if the other Party contests such action for judicial relief.
27.0 NON-EXCLUSIVE NATURE OF AGREEMENT
27.1 Vendor agrees that it shall not be considered Company’s exclusive provider of any goods or Services provided hereunder. Unless otherwise stated in an Order, Company retains the unconditional right to utilize other vendors in the provision of similar services.
28.0 OWNERSHIP OF WORK PRODUCT
28.1 Company will own exclusively all Work Product and Vendor hereby assigns to Company all right, title and interest (including all Intellectual Property Rights) in the Work Product. Work Product, to the extent permitted by law, shall be deemed “works made for hire” (as that term is defined in the United States Copyright Act). Vendor shall provide Company upon request with all assistance reasonably required to register, perfect or enforce such right, title and interest, including providing pertinent information and, executing all applications, specifications, oaths, assignments and all other instruments that Company shall deem necessary. Vendor shall enter into agreements with all of its Representatives and Subcontractors necessary to establish Company’s sole ownership in the Work Product. Company acknowledges Vendor’s and its licensors’ claims of proprietary rights in preexisting works of authorship and other intellectual property (“Pre-existing IP”) Vendor uses in its work pursuant to this Agreement. Company does not claim any right not expressly granted by this Agreement in such Pre-existing IP, which shall not be deemed Work Product, even if incorporated with Work Product in the Services Vendor delivers to Company. Unless otherwise agreed in an Order, Vendor grants Company a perpetual, worldwide, irrevocable, nonexclusive, royalty free license to any Pre-existing IP embedded in the Work Product, which shall permit Company and any transferee or sublicensee of Company, subject to the restrictions in this Agreement, to make, use, import, reproduce, display, distribute, make derivative works and modify such Pre-existing IP as necessary or desirable for the use of the Work Product.
28.2 Vendor shall promptly notify Company in writing, of any threat, or the filing of any action, suit or proceeding, against Vendor, its Affiliates, Subcontractors or Representatives, (i) alleging infringement, misappropriation or other violation of any Intellectual Property Right related to any Work Product or Service furnished under this Agreement, or (ii) in which an adverse decision would reasonably be expected to have a material adverse effect on the Vendor or the use by Company of the Work Product or Services furnished under this Agreement.
28.3 Immediately prior to (a) an assignment, sale or grant of an exclusive license of a patent or patent application by Vendor or any of its Affiliates, or (b) Vendor or any of its Affiliates becoming a Patent Assertion Entity, Vendor, on behalf of itself and its Affiliates, hereby grants Company and its Affiliates, the following rights: (i) a worldwide, non-exclusive, royalty-free, perpetual, irrevocable license under such Vendor’s or its Affiliates’ patent and patent application to make, have made, use (including distribute products or services), sell, offer to sell, import or otherwise distribute products and services, alone or in combination with other products or services, upon such patent being asserted by a Patent Assertion Entity against Company or its Affiliates; and (ii) a release from and a covenant not to sue for any and all past damages relating to alleged infringement by Company and its Affiliates, or by their direct and indirect customers solely with respect to such customers’ use of Company’s or its Affiliates’ products or services, alone or in combination with other products or services, upon Vendor’s or its Affiliates’ patent being asserted by a Patent Assertion Entity against Company or its Affiliates. These licenses, releases and covenants shall bind and apply to all entities that subsequently obtain any right to enforce any patent to which such licenses and covenants pertain. A “Patent Assertion Entity” means any entity, inclusive of all Affiliates, that primarily earns revenue (or that primarily seeks to earn revenue) from (i) monetizing patents or patent applications through assertion and/or assertion-based or threat-of-assertion-based licensing, or (ii) transferring patents or patent applications to an entity that does subpart (i).
29.0 DIVESTITURE
29.1 Vendor agrees that if (i) any Company unit, division or Affiliate receiving Services under this Agreement becomes the subject of an asset sale, stock sale, business sale, spinoff, restructuring, divestiture or similar transaction (such unit, division or Affiliate being hereinafter a "Transferee"), then Company shall have the right, exercisable in its sole discretion, at no additional charge, to require Vendor to continue to provide the Services to the Transferee for a period of twelve (12) months from the date of the closing of the transaction whereby the Transferee becomes divested (the “Transfer Transition Period”) on the same basis as if the Transferee had continued to be a part of Company. Company acknowledges that any Services provided by Vendor to a Transferee during a Transfer Transition Period hereunder must be performed while this Agreement remains in effect (unless otherwise agreed to in writing by Vendor). In the event any Transfer Transition Period exceeds the then remaining Term of this Agreement, this Agreement shall automatically be extended for an additional period of time, a Renewal Term, to satisfy the Transfer Transition Period at the then current prices in effect under this Agreement.
29.2 Company shall continue to be responsible for payment of all fees to Vendor with respect to the Services provided to or for the benefit of the Transferee during the Transfer Transition Period, unless Company provides to Vendor a written assumption of such liability executed by the party acquiring the Transferee, in which event neither Company nor any Affiliate of Company shall thereafter be liable for any such fees in relation to Services Vendor provides to the Transferee.
29.3 During the Transfer Transition Period or as soon as possible thereafter, Vendor shall, if so required by the Transferee, negotiate in good faith with the Transferee a separate agreement for the continuation of the Services to the Transferee after the Transfer Transition Period. If, during the Transfer Transition Period, the Transferee enters into a separate agreement with Vendor, then neither Company nor any Affiliate of Company shall be liable in any way for any related costs or fees under that separate agreement.
29.4 At the conclusion of the Transfer Transition Period, (a) Vendor shall cease to provide the Services to the Transferee; and (b) neither Company nor any Affiliate of Company shall thereafter be liable for any Service Fees in relation to Services Vendor provides to the Transferee. All restrictions set forth in this Agreement on Company’s use of the Services shall be deemed also to apply to any divested Affiliate’s or division’s use of the Services. In no event shall Company be responsible to Vendor for any such use of the Services by the divested Affiliate or division after the expiration of the Transfer Transition Period.
30.0 MISCELLANEOUS
30.1 Vendor is aware of and fully informed of Vendor's responsibilities and agrees to the provisions under the following: (a) Executive Order 11246, as amended or superseded in whole or in part, and as contained in Section 202 of the Executive Order as found at 41 C.F.R. § 60-1.4(a)(1-7); (b) Section 503 of the Rehabilitation Act of 1973 as contained in 41 C.F.R. § 60-741.5; and (c) The Vietnam Era Veterans' Readjustment Assistance Act of 1974 as contained in 41 C.F.R. § 60-300.5 (1) This contractor and subcontractor shall abide by the requirements of 41 CFR §§ 60-1.4(a), 60-300.5(a) and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, national origin, protected veteran status or disability. (2) This contractor and subcontractor shall abide by the requirements of 29 CFR Part 471, Appendix A to Subpart A. [Note: for purposes of the above contractor means Vendor]
30.2 Section headings are included for convenience or reference only and are not intended to define or limit the scope of any provision of this Agreement and should not be used to construe or interpret this Agreement.
30.3 No delay, failure or waiver of either Party's exercise or partial exercise of any right or remedy under this Agreement shall operate to limit, impair, preclude, cancel, waive or otherwise affect such right or remedy. Any waiver by either Party of any provision of this Agreement shall not imply a subsequent waiver of that or any other provision of this Agreement.
30.4 If any provision of this Agreement is held invalid, illegal or unenforceable, the validity, legality or enforceability of the remaining provisions shall in no way be affected or impaired thereby.
30.5 No amendments of any provision of this Agreement shall be valid unless made by an instrument in writing signed by both Parties specifically referencing this Agreement. The terms of any Order or schedule to this Agreement shall supplement and not replace or amend the Terms and Conditions of this Agreement and the Terms and Conditions of this Agreement shall control in the event of any conflict with any such Order or schedule, and such conflict shall be resolved in the following order of precedence: 1) Terms and Conditions, then 2) schedule to this Agreement, then 3) Order under this Agreement and then all other documents attached hereto. The Terms and Conditions of this Agreement shall be incorporated by reference into any Order under this Agreement.
30.6 Anything in this Agreement to the contrary notwithstanding, the Parties hereby agree that thirty (30) calendar days after written notice by Company of any amendment to this Agreement for compliance with a change in federal law, rule or regulation affecting financial services companies or the vendors to financial services companies, this Agreement shall be amended by such notice and the amendment contained therein and without need for further action of the Parties, and the Agreement, as amended thereby, shall be enforceable against the Parties, their successors and assigns. The notice provided hereunder shall set forth such change and provide the relevant amendment to the Agreement. Company shall have the right to terminate immediately the Agreement, without further liability to Vendor, in the event of Vendor’s failure to comply with the terms and conditions of any such amendment to the Agreement.
30.7 This Agreement may be executed by the Parties in one or more counterparts, and each of which when so executed shall be an original but all such counterparts shall constitute one and the same instrument.
30.8 The remedies under this Agreement shall be cumulative and are not exclusive. Election of one remedy shall not preclude pursuit of other remedies available under this Agreement or at law or in equity. In arbitration a Party may seek any remedy generally available under the governing law.
30.9 Notwithstanding the general rules of construction, both Company and Vendor acknowledge that both Parties were given an equal opportunity to negotiate the terms and conditions contained in this Agreement, and agree that the identity of the drafter of this Agreement is not relevant to any interpretation of the terms and conditions of this Agreement.
30.10 All notices or other communications required under this Agreement shall be given to the Parties in writing to the applicable addresses set forth on the signature page, or to such other addresses as the Parties may substitute by written notice given in the manner prescribed in this Section as follows: (a) by first class, registered or certified United States mail, return receipt requested and postage prepaid, (b) over-night express courier or (c) by hand delivery to such addresses. Such notices shall be deemed to have been duly given (i) five (5) Business Days after the date of mailing as described above, (ii) one (1) Business Day after being received by an express courier during business hours, or (iii) the same day if by hand delivery. Time Sensitive Notices shall only be delivered by the methods described in (b) or (c) above.
30.11 Wherever this Agreement requires either Party's approval or consent such approval or consent shall not be unreasonably withheld or delayed.
30.12 This Agreement shall be binding upon, and inure to the benefit of, the Parties and their respective permitted successors and assigns. With the exception of the Affiliates of Company, the Parties do not intend the benefits of this Agreement to inure to any third party, and nothing contained herein shall be construed as creating any right, claim or cause of action in favor of any such other third party, against either of the Parties hereto.
30.13 Any transaction undertaken pursuant to this Agreement in which Vendor furnishes services shall be governed by Article 2 of the Uniform Commercial Code as if the services were goods, unless the Applicable Laws of the state of the governing law expressly otherwise provides.
30.14 Unless otherwise permitted by this Agreement, neither Party nor any of such Party’s Affiliates, without the express written consent of the other Party, shall (i) issue any media releases, public disclosures or public announcements (for purposes of this Section, “public announcement” shall mean any announcement or release of information made to a person or entity outside of a Party’s organization) relating to this Agreement, or (ii) use the name, logo, trademarks or service marks of the other Party or its Affiliates in promotional or marketing material or on a list of customers, or (iii) except to the extent required as part of the Services, use the name, logo, trademarks or service marks of the other Party in any communication that would by intent or inference imply such other Party’s sponsorship, approval or recommendation of, or participation in, any person, place or event, or (iv) except to the extent required as part of the Services, use the name, logo, trademarks, or service marks of the other Party in any username, handle, profile name, or other object identifier, in the case of each of (i)–(iv), inclusive, whether appearing in mainstream media, social media, virtual reality, augmented reality, games, personal device applications or any form. Nothing in this paragraph shall restrict any disclosure required by legal, accounting or regulatory requirements beyond the reasonable control of the releasing Party or its Affiliates. For monitoring purposes, during [***], the Vendor shall provide the Company [***] days prior written notification with details, including subject matter and talking points, of all Vendor public speaking engagements or public disclosures which are covered by this section, including but not limited to, conferences and investor calls.
30.15 Upon the terms and conditions hereinafter set forth, Company hereby grants to Vendor and Vendor hereby accepts a limited, non-exclusive, non-transferable, revocable license to use the Marks solely to provide the Services. For purpose of Section 30.15, “Marks” shall mean BANK OF AMERICA and the STRIPES LOGO, which Company owns and has developed extensive good will therein.
Vendor shall submit all proposed uses of the Marks to Company in advance of any use of the Marks. Vendor may not make use of the Marks without the specific prior written approval of Company of such use.
All uses of Company’s Marks by Vendor shall include any designations, such as "(R)", "(TM)" or "(SM)" as directed by Company. Company shall have the right to revise the designation requirements and to require such other notices as it deems reasonably necessary.
Company may provide notice to Vendor to use different marks owned by Company or may request Vendor cease use of all Marks at any time. Upon such notice, Vendor shall cease using the Marks or use different marks in accordance with such notice.
Vendor acknowledges that its use of the Marks shall not create any right, title, or interest in or to the Marks in Vendor, and that all uses of the Marks by the Vendor shall inure to the benefit of Company.
Vendor acknowledges that its failure to comply with the provisions of this Section 30.15 may result in immediate and irremediable damage to Company for which there is no adequate remedy at law, and Vendor agrees that, in the event of such failure, Company shall be entitled to seek equitable relief by way of temporary and permanent injunctions and such other further relief as any court with jurisdiction may deem just and proper.
30.16 [intentionally omitted]
30.17 THE PARTIES HEREBY WAIVE TRIAL BY JURY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM BROUGHT BY EITHER OF THE PARTIES AGAINST THE OTHER ON ANY MATTERS WHATSOEVER ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE INTERPRETATION, PERFORMANCE, ENFORCEMENT AND OTHER ASPECTS OF, AND OPERATIONS UNDER, THIS AGREEMENT, THE SERVICES, THE RELATIONSHIP OF THE PARTIES WITH RESPECT TO THIS AGREEMENT OR ANY CLAIM OF INJURY OR DAMAGE ARISING OUT OF UNDER OR RELATING TO THIS AGREEMENT.
31.0 ENTIRE AGREEMENT
31.1 This Agreement, the Schedules, and other documents incorporated herein by reference, is the final, full and exclusive expression of the agreement of the Parties and supersedes all prior agreements, understandings, writings, proposals, representations and communications, oral or written, of either Party with respect to the subject matter hereof and the transactions contemplated hereby. The Parties agree to accept a digital image of this Agreement, as executed, as a true and correct original and admissible as best evidence to the extent permitted by a court with proper jurisdiction.
32.0 PERSONAL DATA PROTECTION – EUROPEAN ECONOMIC AREA
32.1 The provisions of this Section entitled “PERSONAL DATA PROTECTION – EUROPEAN ECONOMIC AREA” shall apply only in the event Services during the Term require the Processing (as hereinafter defined) of Personal Data where either of the following is true: (i) Company or the Company Affiliate receiving the Services is established in the European Economic Area, or (ii) Company or the Company Affiliate receiving the Services is established outside the European Economic Area but is offering goods or services to, or is monitoring, individuals within the European Economic Area. These provisions shall be in addition to and not in lieu of Data Protection Laws applicable in the territory where the Services are performed. In the event of a conflict between local territory Data Protection Laws and the General Data Protection Regulation (hereinafter defined), Vendor shall comply with the obligations that provide the most protection for Personal Data.
32.2 Definitions applicable to the application of this Section entitled “PERSONAL DATA PROTECTION – EUROPEAN ECONOMIC AREA” to the Services and to the rights and obligations of Vendor and Company under this Agreement:
(f) “Company” shall include Affiliates of Company and where applicable, “Vendor” shall mean and include Affiliates of Vendor.
(g) “Data Protection Laws” shall, for the purposes of this Section entitled “PERSONAL DATA PROTECTION – EUROPEAN ECONOMIC AREA,” include the General Data Protection Regulation (EU 2016/679).
32.3 To the extent Vendor’s Services include or require the Processing of Personal Data delivered or made available to Vendor by Company, or Processed by Vendor on behalf of Company, under or pursuant to this Agreement or any Order, and notwithstanding anything to the contrary in this Agreement or any Order, Vendor agrees as follows:
(h) It is the intention of the Parties that Company will be the data controller and Vendor will be a data processor. Vendor will Process the Personal Data Company provides to Vendor only (i) as needed to provide contracted products or services to Company; and (ii) in accordance with the specific documented instructions Vendor and/or its Affiliates receive from Company, including as set forth in this Agreement with Company and any related Orders, schedules, statements of work or project documentation, unless otherwise required by Applicable Law (in which case, Vendor will provide prior notice to Company of such legal requirement, unless that law prohibits this disclosure on important grounds of public interest).
(i) Vendor shall, upon the request of Company, provide Company with sufficient information regarding its privacy and data protection policies, practices and processes to allow Company to evaluate the same.
(j) Vendor shall comply with any relevant processes and procedures maintained by Company and provide Company with all assistance required by the Company to comply with Company's obligations under Data Protection Laws.
(k) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Vendor’s Processing of Personal Data, as well as the risk of varying likelihood and severity of infringement upon the rights and freedoms of individuals, Vendor will implement appropriate technical and organizational security measures to ensure an appropriate level of security of Personal Data in its possession and/or transmitted by Vendor. Vendor will include in its security measures, as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. If required under the Data Protection Laws, such requirements may go beyond the applicable information security and business continuity practices and standards set forth in the Bank Security Requirements, and the requirements set out in the Sections entitled “BUSINESS CONTINUITY” and “INFORMATION PROTECTION” and the Schedules entitled “INFORMATION SECURITY” and “RECOVERY.”
(l) Company will be permitted to conduct audits and inspections of Vendor’s compliance with all aspects of Data Protection Laws in accordance with the Section entitled “AUDIT”. Vendor will provide Company with all information necessary to demonstrate compliance with and satisfaction of all obligations set forth in any relevant Data Protection Laws. When responding to a Company-mandated audit or request for information, Vendor will inform Company if Vendor believes that any of Company’s instructions regarding the Personal Data violate Applicable Laws.
(m) Taking into account the nature of the Personal Data Processing and the information available to Vendor, Vendor shall comply and assist Company to comply with obligations and requirements regarding Personal Data Breaches, data protection impact assessments and prior consultation in accordance with the relevant Data Protection Laws and as may be specifically set forth elsewhere in this Agreement, including as set forth in the SCHEDULE entitled “INFORMATION SECURITY,” including notifying Company of any breach of Data Protection Laws in accordance with the timescales set out in the “DETECTION AND RESPONSE” Section of the “INFORMATION SECURITY” Schedule, or any timescales set out in relevant Data Protection Laws, whichever is the shorter.
(n) Vendor will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and any such persons will be subject to the requirements as set out in the Sections entitled “CONFIDENTIALITY” and “INFORMATION PROTECTION.” Vendor will not disclose or transfer Personal Data to, or allow Processing of Personal Data by, any third party (including Vendor’s Affiliates and Subcontractors) without the prior written consent of Company, except as otherwise authorized in writing between the Parties. Vendor will be liable for all actions by such third parties with respect to the Personal Data as though they were the actions of Vendor.
(o) To the extent required under any relevant Data Protection Laws, using appropriate technical and organizational measures, Vendor will assist Company in the fulfillment of its obligation to respond to requests for exercising individuals’ rights, taking into account the nature of Vendor’s Processing of such Personal Data. If Vendor receives: (i) a request with respect to the data subject’s Personal Data Processed under this Agreement or any Order, including but not limited to opt-out requests, requests for access and/or rectification, erasure, restriction, requests for data portability, and all similar requests; or (ii) any complaint relating to the Processing of Personal Data, including allegations that the Processing infringes on an individual’s rights, Vendor: (a) shall promptly notify Company of the request; (b) shall not respond to any such request or complaint unless expressly authorized to do so by Company; (c) shall assist and cooperate with Company with respect to any action taken relating to such request or complaint; and (d) shall provide any information requested by Company within the lesser of five (5) working days of such request or in accordance with timescales set out in any relevant Data Protection Laws.
(p) Vendor shall not transfer any Personal Data outside of the European Economic Area or any other relevant jurisdiction in providing Services or otherwise without the prior written consent of Company, which may be subject to Vendor entering into such additional data transfer agreements as Company may require to ensure its compliance with the applicable Data Protection Laws.
(q) To the extent they are applicable to Vendor’s Services for Company, Vendor will (a) maintain all records with specificity as required by the Data Protection Laws, including of the nature and use of all Personal Data that Vendor and its Affiliates and Subcontractors Process in connection with the Services, (b) make such records available to Company and/or its regulators promptly upon request, and (c) on (i) termination of this Agreement or any Order; or (ii) the written request of Company, Vendor shall promptly and in a secure manner in accordance with the obligations set forth in the Sections entitled “INFORMATION PROTECTION” and the “INFORMATION DESTRUCTION AND RETURN REQUIREMENTS” section of the Schedule entitled “INFORMATION SECURITY” and any additional Bank Security Requirements, return to Company all such Personal Data held by Vendor under this Agreement (including any copies and on whatever media it is stored) or at Company’s written direction, destroy such Personal Data. Upon request Vendor shall provide a written certification that the relevant Personal Data has been returned or securely destroyed in accordance with this Agreement, unless any legislation or legal action prevents it from doing so, in which case it shall keep such Personal Data and copies secure and confidential and shall no longer Process them and shall return or, at Company’s written direction, destroy such Personal Data and copies (and certify that it has done so) as soon as such legislation or legal action no longer prevents it from doing so.

Services
Vendor is being retained to provide Services as described in this Schedule or in each Order.


Service Fees
Fees for services shall be set forth in each Order.


Performance Measurements
[TO BE COMPLETED BY SOURCING LEAD/SOURCING MANAGER]
Unless otherwise provided in an Order, all Services shall comply with the following standards:
Any performance measurements provided in this Schedule are and shall be in addition to and not in lieu of Vendor’s representation and warranties of performance provided in subsection 9.2 of the SECTION of the Agreement entitled “REPRESENTATIONS AND WARRANTIES OF VENDOR.”
Financial or other penalties expressly stated in this Schedule or elsewhere in this Agreement, or in any Order, with respect to Vendor’s failure to satisfy particular service levels, specifications, timeframes or performance measurements:
(A) are not and shall not create a limitation of any of Company’s rights of termination that may be provided elsewhere in this Agreement or in any Order, whether for convenience, for cause or otherwise, and such termination may be based upon the applicable Vendor failure to satisfy particular service levels, specifications, timeframes or performance measurements; and
(B) shall not prohibit, bar or serve as a defense against Company’s ability to seek the protection of equitable remedies such as (without limitation) specific performance and injunctive relief to address the applicable Vendor failure to satisfy particular service levels, specifications, timeframes or performance measurements.
Any financial or other penalties expressly stated in this Schedule or elsewhere in this Agreement, or in any Order, with respect to Vendor’s failure to satisfy particular service levels, specifications, timeframes or performance measurements shall not apply (1) to Company’s losses that are also exempt under the SECTION entitled “LIMITATION OF LIABILITY,” and (2) in the event Vendor fails to satisfy service levels, specifications, timeframes or performance measures more than three (3) times in any successive twelve (12) month period. In the event of (1) and (2), Company shall be entitled to seek recovery under all rights and claims available to it at law or in equity.



Information Security
INFORMATION SECURITY PROGRAM FEATURES
The following topics, as applicable, shall be addressed in Vendor’s Information Security Program:
1.    Diagrams. The diagrams shall show the detail of the system architecture including, without limitation, the logical topology of routers, switches, Internet firewalls, management or monitoring firewalls, servers (web, application and database), intrusion detection systems, network and platform redundancy. The diagrams shall include all hosting environments, including those provided by Vendor’s Subcontractors.
2.    Firewalls. State the specifications of the firewalls in use and who manages them. Specify the services, tools and connectivity required to manage the firewalls.
3.    Intrusion Detection Systems. Describe the intrusion detection system (“IDS”) environment and the security breach and event escalation process. Indicate who manages the IDS environment. Specify the services, tools and connectivity required to manage the IDS environment, and if the IDS network is host based.
4.    Change Management. Describe the change management process for automated systems used to provide Services. Describe the process for information handling policies and practices.
5.    Business Continuity. Describe the Business Continuity Management Program.
6.    System Administration Access Control. Describe the positions that perform administration functions on servers, firewalls or other devices within the application and network infrastructure. Detail level of access needed to perform functions. Describe how application access rights are designed and maintained to ensure separation of duties.  Explain the access control mechanisms. Describe the frequency and process by which recurring access review of the system(s) is conducted to ensure permissions are granted on a “need to know” basis. Detail access reports generated and when reports are reviewed periodically. Describe methods used to track/log/monitor the usage of each account.
7.    Customer/Employee Access Control. Describe each logon process to be followed by Company customers and employees to obtain access to Services provided to Company. Describe the initial enrollment process for such customers and employees. Describe the password policies and procedures Vendor’s system enforces, including, without limitation, password expiration, length of password, password revocation, invalid logon attempt threshold, etc. Describe methods used to track/log/monitor the usage of each account. Vendor shall demonstrate how a customer, employee or end user authenticates to each application.
(A)    Requirements for System Administration Access Controls and Customer/Employee Access Controls (Access Management Requirements). 
Ensure that Company minimum required standards are met including but not limited to the following items:  Provide documentation on process for granting access to the application. Provide documentation on process for access removal ensuring that all Company revocation timelines are met.  Describe the frequency and process by which recurring access review of the system(s) is conducted to ensure permissions are granted on a “need to know” basis (inclusive of separation of duties).  Agree that the Vendor will provide Company, upon Company’s request, a file upload of all Company employee entitlement information-including user accounts, service accounts and access entitlement levels. Describe the ID and password policies and procedures Vendor’s system enforces, including, without limitation, password expiration, length of password, password revocation, invalid logon attempt threshold, authentication, inactivity time out, ID strength, etc.
8.    Access to Confidential Information in Human-Perceptible Forms. Describe policies, procedures and controls used to protect confidential information when it is printed or in other perceptible forms; how and how often these policies and procedures are reviewed and tested; and what methods are used to ensure destruction of confidential information on hard copy.
9.    Operating System Baselines. Describe Vendor’s operating system security controls and configurations. Examples: Operating system services that have been removed because not required by Vendor’s Services to Company. Identify and provide current operating system fixes that have not been applied, if any.
10.    Encryption. Describe in detail the technology and usage of encryption for protecting Confidential Information, including passwords and authentication information, during transit and in all forms and locations where it may be stored by Vendor or its Subcontractors.
11.    Application and Network Management. Specify the services, tools and connectivity required to manage the application and network environments; who carries out the management functions; and what level of physical security applies to managed devices.
12.    Physical Security. For each location where Confidential Information will be processed or stored or Services for Company produced by Vendor, describe in detail the arrangements in place for physical security.
13.    Privacy. Describe Vendor’s privacy and security policies.
14.    Location of Servers. Describe the location of web servers on the Vendor’s network.  If not on a separate segment of the network from the application and database servers, explain the reason this has not been done. At Company’s request, Vendor shall make reasonable efforts to create this separation.
PROTECTION
Vendor shall monitor industry-standard information channels for newly identified system or security vulnerability regarding the technologies and Services provided to Company. Such information channels to monitor must include the following sources:
Source         URL
US-CERT        https://www.us-cert.gov/
OSVDB          http://www.osvdb.org/
CERT           http://www.kb.cert.org/vuls/
SANS           http://isc.sans.org/
CVE Details    https://www.cvedetails.com/
Secunia        http://secunia.com/community/advisories/
Exploit DB     http://www.exploit-db.com/
Vuldb          https://vuldb.com/
Mitre          http://cve.mitre.org/
BugTraq        http://www.securityfocus.com/archive/1
NVD            http://nvd.nist.gov/

Vendor shall immediately report all known and verified information security vulnerabilities affecting the technologies and Services provided to Company by contacting Bank of America’s InfoSafe team at infosafe@bankofamerica.com or by calling either ###-###-#### (U.S. Domestic) or ###-###-#### (Global), and selecting option 1. Such notification shall include the following information:

CVE – The unique identifier of the vulnerability obtained from Mitre.
Summary – A description of the vulnerability
Exploit result - What could occur if successfully exploited? (i.e., code execution, denial of service, elevation of privilege, etc.)
Was the vulnerability identified by the vendor or a third party?
Is the vendor aware of an exploit for this vulnerability?
Identification of affected product(s)/service(s), including version #
CVSS 3.0 Base & Temporal metrics.  For CVSS 3.0 details please refer to – CVSS 3.0 website
To the extent information is not known at the time of notification, Vendor shall promptly update Company when such information becomes known and provide updates to previously provided information.

Additionally, Vendor shall promptly report all such vulnerabilities through the CVE reporting process at Mitre and take all other notification actions in accordance with industry best practice, including promptly reporting the vulnerabilities on Vendor’s website. In addition to any other notification obligations set forth herein, Vendor shall notify the InfoSafe team via email at infosafe@bankofamerica.com no later than 1 hour after publication on Vendor’s website.

Vendor shall fix or patch any such vulnerabilities in an adequate and timely manner, and shall provide Company with all test results for any proposed fix or patch prior to the implementation of such fix or patch.  If Company notifies Vendor of any newly identified system or security vulnerability, Vendor shall immediately determine whether its systems are affected by such vulnerability and, if so, comply with the notification and fix/patch requirements of this section.  Unless otherwise expressly agreed in writing, “timely” shall mean that Vendor shall introduce such fix or patch as soon as commercially reasonable after Vendor becomes aware of the security problem.  This obligation extends to all devices that comprise Vendor’s system, e.g., application software, databases, servers, firewalls, routers and switches, hubs, etc., and to all of Vendor’s other confidential information handling practices.

DETECTION AND RESPONSE
Vendor shall notify Company in accordance with the notification schedule below following discovery of (1) any actual or suspected Personal Data Breach of the Personal Data of any data subject (“Affected Persons”) provided to Vendor by Company under this Agreement including any circumstance pursuant to which applicable law requires notification of such breach to be given to Affected Persons or other activity in response to such circumstance; (2) any actual or suspected breach or compromise of the security, confidentiality, or integrity of Company Confidential Information provided to Vendor by Company under this Agreement; or (3) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either physical security or systems security in a fashion that either does or could reasonably be expected to permit unauthorized processing, use, disclosure, destruction or acquisition of or access to any Company software, work product or any Company Confidential Information developed, maintained, processed or transmitted by Vendor or its agents or Subcontractors in connection with the Services (collectively referred to as a “Security Breach”). Pings or scans of Vendor’s network or systems shall not be considered a suspected breach or compromise under this paragraph unless and until Vendor reasonably suspects that such pings or scans resulted in the breach or compromise of the security, confidentiality, or integrity of the nonpublic Personal Information of any Affected Person or Company’s Confidential Information.
Notification One (1): Vendor shall notify Company immediately but no later than twenty-four (24) hours following the discovery of any Security Breach. Notification to Company of a Security Breach shall precede notifications to any other party except relevant law enforcement.
Notification Two (2): Vendor shall provide updates to Company on the current status of the Security Breach every four (4) hours, or more frequently as warranted by the severity of the Security Breach or the remediation efforts taken by the Vendor to resolve the Security Breach.
Notification Three (3): Vendor shall provide a final notification to Company once the Security Breach has been mitigated, not to exceed four (4) hours from the completion of the remediation efforts.
Vendor shall also notify Company within one (1) hour following the discovery of any security incident or event that has a significant impact on the availability or integrity of the Services, including but not limited to DoS or DDoS attacks (a “Security Event”; a Security Breach and a Security Event are collectively referred to as a “Significant Security Incident”), and shall promptly notify Company upon the restoration of the Services to pre-Security Event levels.
All notifications described above shall be made to the Company Incident Response Team (“InfoSafe”) by calling ###-###-####, option 1, or by such other method prescribed by Company from time to time. Callers will be asked to identify themselves as a vendor.
Company reserves the right in its sole discretion to make appropriate privacy breach notifications to Affected Persons and regulators pursuant to federal guidelines, including but not limited to the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and/or state laws or regulations. To assist Company in such notifications, Vendor shall include a brief summary of the available facts, the status of any investigation, and, if known, the potential number of Affected Persons. With the exception of communications with applicable law enforcement agencies, Vendor agrees that it shall not communicate with any third party, including, but not limited to the media, vendors, consumers, and Affected Persons regarding any Security Breach involving Company Confidential Information without the express written consent of Company; provided, however, if Vendor needs to communicate with a third party regarding such Security Breach, Vendor may communicate with such third party without the consent of Company provided that Vendor does not disclose or provide any information that informs, suggests, implies or leads such third party to believe that such Security Breach involved Company or Company’s Confidential Information or such third party is subject to a non-disclosure agreement with the Vendor.
Vendor agrees to fully reimburse Company for the cost of providing to Affected Persons appropriate credit monitoring services for two (2) years. In addition, all costs associated with any Security Breach, including but not limited to, the costs of the notices to, and credit monitoring for, Affected Persons, preparation and mailing or other transmission of legally required notifications; preparation and mailing or other transmission of such other communications to customers, agents or others as Company deems reasonably appropriate; establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points and training); public relations and other similar crisis management services; and legal and accounting fees and expenses associated with Company’s investigation of and response to such event shall be the sole responsibility of Vendor.
Vendor shall cooperate fully with all Company security investigation activities related to any Significant Security Incidents. Vendor shall maintain, in accordance with the Bank Security Requirements, all records and logs of that portion of Vendor’s network that stores or processes Company Confidential Information. Following a Significant Security Incident, Vendor shall maintain such records and logs for a mutually agreed-upon additional length of time and, upon request, afford Company reasonable access to such records and logs. Company may review and inspect any record of system activity or Company Confidential Information handling upon reasonable prior notice. Vendor acknowledges and agrees that records of system activity and of Confidential Information handling may be evidence (subject to appropriate chain of custody procedures) in the event of a Significant Security Incident or other inappropriate activity. Upon the request of Company, Vendor shall deliver the originals or properly authenticated copies of such records to Company for use in any legal, investigatory or regulatory proceeding.




INFORMATION DESTRUCTION AND RETURN REQUIREMENTS
Overall Requirements
Unless Vendor is directed to return Company Confidential Information and data, Vendor shall destroy all Company Confidential Information and data at all locations where it is stored after it is no longer needed for performance under this Agreement or to satisfy regulatory or retention requirements. Vendor must have in place or develop information destruction schedules and processes that meet the Bank Security Requirements and that must be used in all cases when Company Confidential Information and data is no longer needed. These information destruction requirements are to be applied to paper, microfiche, disks, disk drives, tape and other destroyable electronic or digital media containing Company Confidential Information and data.
Paper and Other Shreddable Media
Paper and other shreddable media includes paper, microfiche, microfilm, compact disks (CDs) and any other media that can be shredded. This media must be shredded using shredding techniques or machines such that Company Confidential Information and data in this media is completely destroyed as set forth herein when Vendor is finished with the Company Confidential Information and data contained thereon and it is no longer needed. This media may be shredded immediately or temporarily stored in a highly secured, locked container. The media may be shredded at a location other than Vendor's facilities; however it must be transferred in a highly secured, locked container. Vendor is responsible for supervising the shredding regardless of where the shredding activity occurs and by whom the shredding is performed. Company Confidential Information and data in this media must be completely destroyed by shredding such that the results are not readable or useable for any purpose.
Electronic Media
Electronic media includes, but is not limited to, disk drives, diskettes, tapes, universal serial bus (USB) and other media that is used for electronic recording and storage. This media is to be wiped or degaussed using a wipe or degaussing tool that complies with the Bank Security Requirements. Wiping uses a program that repeatedly writes data to the media and thereby destroys the original content. Degaussing produces an electronic field that electronically eliminates the original data and clears the media. These techniques must meet the Bank Security Requirements. The resulting media must be free from any machine or computer content readable for any purpose.

Certification
These processes must be documented as a procedure by Vendor and should outline the techniques and methods to be used. The procedure must also indicate when and where Company Confidential Information and data is to be destroyed. Vendor shall keep records of all Company Confidential Information and data destruction completed and provide such records to Company upon request.
Return of Confidential Information
When Vendor is instructed by Company to return Company Confidential Information and data, such Confidential Information and data shall be returned to Company, or such other party as directed by Company, (i) at no additional expense to Company, and (ii) unless a specific format is requested by Company, in a format reasonably acceptable to Company.

Background Checks
BACKGROUND SCREENING GUIDELINES
1.    As provided in the SECTION entitled “VENDOR PERSONNEL,” prior to assignment of a Vendor or Subcontractor employee or contract laborer (“Contract Person” in this Schedule) to the Services, Vendor shall administer and comply with, and shall ensure that Vendor’s Subcontractors administer and comply with, the background screening requirements as set forth below or with such other requirements as may be set forth in a Local Participation Agreement or Order relating to Services to be performed and/or delivered outside the United States.
(a) Validate United States citizenship and/or certification to work in the United States. The Vendor or Subcontractor Contract Person shall not be assigned to Company’s account if Vendor or Subcontractor is unable to confirm United States citizenship or obtain proper evidence of certification to work in the United States.
(b) Search the Contract Person’s social security number to verify the accuracy of the individual’s identity. Vendors with employees providing Services to Bank of America on U.S. federal contracts must enroll in E-Verify and, upon request must provide Bank of America with a copy of its “Company Information Profile” page in E-Verify as proof of enrollment. E-Verify is an Internet-based system that compares information from an employee's Form I-9, Employment Eligibility Verification, to data from U.S. Department of Homeland Security and Social Security Administration records to confirm employment eligibility. The Vendor or Subcontractor Contract Person shall not be assigned to Company’s account if Vendor or Subcontractor is unable to verify the accuracy of the individual’s identity.
(c) Conduct or obtain a comprehensive criminal background check of all criminal court records (misdemeanor and felony in federal courts and state courts) in each venue of the Vendor or Subcontractor Contract Person’s current and previous home addresses for the past ten (10) years prior to the date of being assigned to provide any of the Services, unless local or state laws or regulations mandate a lesser period. Subject to the SECTION entitled “VENDOR PERSONNEL,” the Vendor or Subcontractor Contract Person shall not be assigned to Company’s account if Vendor or Subcontractor’s criminal background check discloses matters set forth in the SECTION entitled “VENDOR PERSONNEL,” subsection 13.5 (a)-(c), inclusive.
2.    If a Vendor or Subcontractor Contract Person had a break in continuous service with the Vendor or Subcontractor of longer than ninety (90) consecutive days, then Vendor or Subcontractor shall perform a new background check according to the requirements in #1 above, prior to re-assignment of the Contract Person to the Services.
3.    If required for the role or Services and requested by the applicable Company business unit for which the Services are being provided, Vendor or Subcontractor will verify completion of any post high school education or degrees (i.e., B.A., B.S., Associate, or professional certifications).
4.    Any other additional checks that Company may require will be submitted to Vendor for review, and Vendor will be allowed a reasonable and mutually agreed upon timeframe to implement such additional checks for Vendor and Subcontractor Contract Persons. In the event Company determines in its sole discretion that additional checks need to be conducted on currently engaged Vendor or Subcontractor Contract Persons, such checks shall be at Company’s expense based upon a mutually agreed process and timeline as evidenced in writing.
(a) Contract Persons of Vendor or Subcontractors who are placed within the Consumer Real Estate/Mortgage business and any other lines of business that may have similar requirements may have additional databases checked upon Company’s request and at Company’s discretion as part of the Financial Sanctions Search, such check to be administered by a Company’s preferred service provider.
(b) In the event Company requests, in its sole discretion, Financial Industry Regulatory Authority (FINRA) fingerprint screening and/or FBI fingerprint screening, such fingerprint screening will be managed and paid for by Company, provided, however, that Vendor shall be obligated to obtain from each affected Vendor or Subcontractor Contract Person a completed background check and fingerprint authorization in a form reasonably acceptable to the Parties and compliant with any applicable laws.

Recovery
1.    Vendor’s Business Continuity Management Program (“BCM Program”) shall include, but not be limited to, on-going proper risk identification and controls, planning, testing, response and recovery strategy procedures with executive governance. The Business Continuity Plan shall include, but not be limited to, recovery and contingency plans, recovery strategies, loss of critical personnel and vital records protection covering all areas of Vendor’s operations necessary to deliver the Services pursuant to this Agreement. The Business Continuity Plan shall also provide, without limitation, for off-site backup of critical data files, Confidential Information, software, documentation, forms and supplies as well as alternative means of transmitting and processing Confidential Information. The BCM Program must contain testing and validation of the Business Continuity Plan, and response and recovery procedures.
2.    The recovery strategy shall provide for recovery after both short and long term disasters and disruptions in facilities, environmental support, workforce availability, and data processing equipment. Although short term outages can be protected with redundant resources and network diversity, the long term strategy must allow for total destruction of Vendor’s business operations for a period of six (6) months or longer and set forth a recovery strategy. If Vendor provides critical products or services, as determined by Company in its sole discretion, Vendor’s recovery strategy must also provide for recoverability during periods lasting up to three (3) months of the potential unavailability of up to fifty percent (50%) of Vendor’s workforce.
3.    Vendor’s recovery objectives shall not exceed the following during any recovery period:
A.    Recovery Time Objective (RTO) (the time period within which the Services must be restored after a disaster or disruption event): 10.5 Hours
B.    Recovery Point Objective (RPO) (maximum amount of acceptable data loss, measured in hours or minutes preceding a disaster or disruption event): 1 Hour

In the event Company requires a change, Company agrees to work with Vendor to determine a mutually agreeable date for Vendor to match the new recovery objectives, if necessary.
4.    Vendor shall continue to provide service to Company within the established recovery objectives if Company activates its contingency plan or moves to an interim site to conduct its business, including during tests of Company's contingency operations plans.
5.    If requested, Vendor shall allow Company, at its own expense, to observe and participate in, subject to Vendor’s reasonable security policies and procedures, a scheduled test of Vendor’s BCM Program and applicable Business Continuity Plan.
6.    Vendor must provide Company the opportunity to review and evaluate evidence of capability to meet any applicable regulatory requirements concerning Vendor’s BCM Program and Business Continuity Plan.
7.     If requested by Company, Vendor shall participate in Company’s application resiliency program. Participation includes the validation of Vendor’s recovery strategy through a full-scale test where applications must failover production workload to an alternate site for a minimum duration of five (5) consecutive days.

USE of CLOUD SERVICES


The following provisions shall apply to and be a requirement of Vendor’s use of Cloud Services (as defined below) to store or process Company Confidential Information in relation to the performance of Services under this Agreement. The Cloud Provider (as defined below) shall be considered a Subcontractor under the Agreement and the terms of this Schedule entitled “USE of CLOUD SERVICES” shall be in addition to any Subcontractor requirements in the Agreement; provided, however, that the provisions of this SCHEDULE entitled “USE OF CLOUD SERVICES” shall prevail in the event of any express conflict with any information protection term in the Agreement applying to Vendor’s use of a Subcontractor generally.

1.    For the purposes of this Schedule entitled “USE of CLOUD SERVICES”, the following definitions apply:
A.    Cloud Provider means the third party approved by Company in accordance with Section 3 below, providing the Cloud Services to the Vendor.
B.    Cloud Services means information technology services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), delivered or provided via the Internet from a Cloud Services Platform.
C.    Cloud Services Platform means the hardware, software, infrastructure, facilities and operating environment used by the Cloud Provider to provide the Cloud Services.
2.    Vendor agrees that it will provide Company with at least three (3) months prior written notice before Vendor stores or processes any Company Confidential Information with a new, additional or replacement third party provider of Cloud Services. Such notice shall include the name of the third party, the Cloud Services such third party will provide under this Agreement, and the geographic locations where Company’s Confidential Information will be stored or processed. Vendor also agrees to promptly provide any information requested by Company regarding the cloud provider, the Cloud Services and the Cloud Services Platform, including, but not limited to, information about cloud provider’s information security program.
3.    Vendor acknowledges and agrees that Vendor may not use a third party’s Cloud Services Platform to store or process Company Confidential Information without the prior written consent of the Company Relationship Manager after receipt of the required notice under Section 2 above. Upon Vendor’s receipt of such written consent from Company, such third party identified in the required notice in Section 2 above shall be considered a Cloud Provider under this Schedule entitled “USE of CLOUD SERVICES.” Vendor agrees that consent of Company under this Section 3 shall be at the sole discretion of Company and may be subject to certain additional terms and conditions required by Company.
4.    Vendor agrees to immediately notify Company if:
A.    Vendor receives notice from Cloud Provider that Cloud Provider is acquiring, merging with, or being acquired by, another entity;
B.    Cloud Provider (i) ceases operations for any reason, or (ii) becomes insolvent (generally unable to pay its debts as they become due) or the subject of a bankruptcy, conservatorship, receivership or similar proceeding, or makes a general assignment for the benefit of its creditors;
C.    Cloud Provider withholds, for any reason, Vendor’s access to the Cloud Services and/or any Company Confidential Information stored on the Cloud Services Platform;
D.    Vendor receives notice from Cloud Provider of a breach or compromise involving Company Confidential Information under Section 6.F below or otherwise learns of such event;
E.    Vendor receives notice from Cloud Provider of any actual or threatened requirement of law or any government data request under Section 6.G below that may require Cloud Provider to seize or disclose Company Confidential Information; or
F.    Vendor receives or provides any notice of termination of Vendor’s agreement with Cloud Provider.


5.    Vendor shall:
A.    Have a program to actively manage Cloud Provider and to assess how Cloud Provider secures and protects information and data stored or processed on its Cloud Services Platform, including, but not limited to:
(1) Obtaining and reviewing on at least an annual basis, Cloud Provider’s most current SOC 2, Type II audit report (or successor audit report) and/or other available equivalent independent third party audit reports (collectively, the “Cloud Provider Audit Reports”);
(2) Mapping Vendor’s Information Security Program to the controls and associated testing results in the Cloud Provider Audit Reports. Any gaps identified during the mapping (each a “Control Gap”) shall be listed in an assessment report (the “Assessment Report”) with an explanation of the risk associated with each Control Gap. Vendor shall use commercially reasonable efforts to address each Control Gap with the Cloud Provider. Vendor shall include in the Assessment Report an explanation of how each Control Gap was remediated, including any compensating and mitigating controls;
(3) Verifying Cloud Provider’s remediation of any testing exceptions contained in the Cloud Provider Audit Reports;
(4) If permitted by Cloud Provider, inspecting at least annually, Cloud Provider’s Cloud Services Platform and data handling procedures; and
(5) Performing periodic vulnerability and/or penetration testing (hereinafter referred to as a “Vulnerability Assessment”) in accordance with the Bank Security Requirements, on any application(s) hosted by Cloud Provider on its Cloud Services Platform and used by Vendor to store or process Company Confidential Information.
B.    Provide Company, at Company’s request, information on Vendor’s program to manage and assess Cloud Provider under Section 5.A. above, including an opportunity to review a copy of the Assessment Report and the results of any Vulnerability Assessment performed under Section 5.A(5) above. If Company determines that any Control Gap presents a critical risk to the confidentiality, availability or integrity of Company Confidential Information or systems, and such Control Gap was not adequately remediated, or cannot be remediated within a mutually agreed upon time period, then Company may immediately terminate this Agreement without additional cost or penalty.
C.    Ensure Cloud Provider stores or processes all Company Confidential Information in one (1) or more of the fifty (50) states of the United States of America or in the District of Columbia, unless Company agrees in advance in writing.
D.    Upon Company’s reasonable, written request:
(1) If permitted by Cloud Provider, secure permission from Cloud Provider for Company to review and evaluate Cloud Provider’s information security program and to visually inspect Cloud Provider’s Cloud Services Platform and data handling procedures. In lieu of such review and inspection, at Company’s election, Vendor shall provide Company with an opportunity to review a copy of the Assessment Report and the results of any Vulnerability Assessment performed under Section 5.A(5) above.
(2) If Cloud Provider is hosting an application(s) on its Cloud Services Platform that is used by Vendor to store or process Company Confidential Information, secure permission from Cloud Provider for Company to perform a Vulnerability Assessment on such application(s). Notwithstanding the foregoing, if Cloud Provider will only permit a third party security assessment firm to conduct the Vulnerability Assessment, Vendor shall contract with a third party security assessment firm, selected from Company’s most current list of approved security assessment firms, to conduct the Vulnerability Assessment. Such Vulnerability Assessment shall be conducted in a non-production environment using production equivalent security controls. Any Vulnerability Assessment conducted by a third party shall use a methodology and scope that complies with Company’s most current Ethical Hacking Guidelines (or any successor guidelines) and Vendor shall provide Company with the opportunity to review the resulting report prepared by such third party security assessment firm.
6.    Vendor’s agreement with Cloud Provider shall:
A.    Provide that (i) between Vendor and Cloud Provider, Vendor owns, either for itself or on behalf of its clients, all information and data Vendor stores or processes on Cloud Provider’s Cloud Services Platform, and (ii) Cloud Provider has no right to use, access or disclose such information and data, including aggregated or de-identified data, without Vendor’s prior written consent unless required by applicable law.
B.    Contain performance-level requirements that will allow Vendor to meet any applicable Service Levels attached to this Agreement.
C.    Contain business continuity and disaster recovery provisions that will allow Vendor to meet or exceed the recovery objectives (Recovery Time Objective and Recovery Point Objective) listed in the Schedule entitled “RECOVERY” attached to this Agreement.
D.    Permit Vendor and Company (in accordance with Section 9 below) to immediately access, retrieve and destroy all information and data Vendor stores or processes on Cloud Provider’s Cloud Services Platform.
E.    Require Cloud Provider to communicate Cloud Provider’s security and privacy policies to all Cloud Provider personnel that have access to the information and data Vendor stores or processes on Cloud Provider’s Cloud Services Platform.
F.    Require Cloud Provider to have a security incident response plan that (i) requires Cloud Provider to notify Vendor promptly and without undue delay following the discovery of any breach or compromise of any information or data Vendor stores or processes on Cloud Provider’s Cloud Services Platform, including, but not limited to, any unauthorized access to, alteration, destruction or misuse of such information or data by Cloud Provider personnel, and (ii) requires Cloud Provider to provide regular updates to Vendor regarding such breach or compromise.
G.    Require Cloud Provider to promptly notify Vendor of any actual or threatened requirement of law (for example, a subpoena) or any government data request that may require Cloud Provider to disclose or seize information or data Vendor stores or processes on Cloud Provider’s Cloud Services Platform upon receiving actual knowledge thereof and prior to any disclosure, and to cooperate with Vendor’s reasonable, lawful efforts to resist, limit or delay disclosure.
H.    Permit Vendor to specify in what country or countries Vendor’s information or data must be stored or processed.
I.    Require Cloud Provider’s subcontractors that have access to the Cloud Services Platform or information stored or processed on the Cloud Services Platform to have an information security program that is periodically assessed by Cloud Provider.
J.    Require Cloud Provider to have a vulnerability management program to fix or patch newly identified vulnerabilities in a timely manner based upon risk.
7.    Vendor acknowledges and agrees that all Company Confidential Information Vendor stores or processes on the Cloud Services Platform, and any results of processing such Company Confidential Information or derived in any way therefrom, shall at all times remain the property of Company.
8.    Vendor agrees to ensure that all Company Confidential Information while stored or processed on the Cloud Services Platform is (a) encrypted in transit, in motion and at rest, using an encryption method and standard that meets or exceeds Bank Security Requirements; and (b) logically separated from information and data of Vendor’s and Cloud Provider’s other clients. Vendor must ensure Cloud Provider utilizes a hardware security module (“HSM”) for key management (i) that complies with the Bank Security Requirements, and (ii) with Vendor or Company controlling the master key.
9.    Vendor agrees, upon Company’s request, to allow Company to immediately access and retrieve any Company Confidential Information stored on the Cloud Services Platform. Vendor agrees that upon receiving such request, to immediately provide Company with the necessary instructions, including any required access codes, to allow Company to access and retrieve Company Confidential Information from the Cloud Services Platform.
10.    Upon Company’s request to destroy Company Confidential Information stored on the Cloud Services Platform, Vendor shall ensure all such Company Confidential Information is completely destroyed in accordance with the Bank Security Requirements and is unable to be recovered from the Cloud Services Platform by Cloud Provider or any other party by any means. Upon completion of such destruction, Vendor shall provide a certification to Company as to its compliance with this Section 10.
11.    Upon expiration or termination of Vendor’s agreement with Cloud Provider for any reason during the Term of this Agreement and following the transfer of all Company Confidential Information stored on the Cloud Services Platform to either (a) a new Cloud Provider approved by Company in accordance with Section 3 above, (b) Vendor, or (c) Company, Vendor shall ensure all Company Confidential Information is completely destroyed from the Cloud Services Platform in accordance with the Bank Security Requirements and is unable to be recovered from the Cloud Services Platform by Cloud Provider or any other party by any means. Upon completion of such transfer and destruction, Vendor shall certify as to its compliance with this Section 11.
12.    Failure of the Cloud Provider to provide the Cloud Services to Vendor, for any reason, including but not limited to a force majeure event, shall be addressed in Vendor’s Business Continuity Plan.