Master Services Agreement Amendment No. 3 dated as of December 18, 2017 between The Endurance International Group, Inc. and Tregaron India Holdings, LLC

EX-10.63 5 ex_10x63.htm EXHIBIT 10.63 Exhibit



Exhibit 10.63
Confidential Materials omitted and filed separately with the
Securities and Exchange Commission. Double asterisks denote omissions.


Tregaron-Endurance Master Services Agreement – Amendment No. 3
This Tregaron-Endurance Services Agreement – Amendment No. 3 (“the Third Amendment”) is hereby made and entered into this 18th day of December 2017 (the “Third Amendment Effective Date”) by and between The Endurance International Group, Inc. ("Endurance") and Tregaron India Holdings, LLC (“Service Provider”) (Endurance and Service Provider may be individually referred to as a “Party” or collectively as the “Parties”).
WHEREAS, the Parties entered into that certain Tregaron-Endurance Master Services Agreement, dated September 25, 2013, as amended by Amendment No. 1, dated February 7, 2014, and Amendment No. 2, dated December 5, 2014 (hereinafter collectively referred to as the “Agreement”); and
WHEREAS, the Parties hereto desire to further amend the Agreement as set forth herein.
NOW, THEREFORE, for good and valuable consideration of the mutual promises and covenants contained herein, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
1.
Unless otherwise expressly provided herein, all defined terms shall have the meanings set forth in the Agreement.
2.
Invoice No.8673 in the amount of [**] US dollars and [**] cents ($[**] USD) and Invoice No. 9443 in the amount of [**] US dollars and [**] cents ($[**] USD) shall hereby be voided by Service Provider and Endurance shall not owe any payment to Service Provider pursuant to such invoices.
3.
In anticipation of fulfilling Endurance’s requirements for the Services, Service Provider may increase staffing (“Ramp Up”). Service Provider hereby agrees that Service Provider shall not charge Endurance for any such Ramp Up or any costs associated therewith that occur during the fourth quarter of 2017.
4.
For the billing period covering October 1, 2017 through December 31, 2017, Service Provider shall provide Endurance with a discount of [**] percent ([**]%) off the total amount of any invoice associated with this period based on pricing in effect as of October 1, 2017.
5.
Effective January 1, 2018 through the remaining Term of the Agreement, Service Provider shall provide Endurance with a discount of [**] percent ([**]%) off the total amount of any and all invoices associated with the Services provided based on pricing in effect as of October 1, 2017.
6.
Without limitation to any of the foregoing, effective October 1, 2017, Service Provider shall provide Endurance with a discount of [**] US dollars ($[**] USD) per month for Engineering

 





and/or Network Operations Services. Service Provider shall provide such discount on the monthly invoices issued by Service Provider in connection with the Engineering and/or Network Operations Services.
7.
To the extent that Endurance has already paid any invoices for Services provided on or after October 1, 2017, Service Provider shall adjust the next two invoices issued by Service Provider to include the applicable discount. In other words, discounts due for the month of October 2017, will be split equally over November 2017 and December 2017 invoices.
8.
The pricing in effect as of October 1, 2017 shall remain in full force and effect for the remaining Term of this Agreement subject to any modifications made by mutual written amendment to this Agreement as executed by both Parties.
9.
The following Section 35 shall be added to Exhibit B of the Agreement:
“35. Information Security. Notwithstanding anything to the contrary and without limitation to any other compliance requirements in this Agreement, Service Provider shall implement sound policies and procedures leveraging good security practices consistent with prevalent industry standards. Such mutually acceptable policies and procedures shall include, without limitation, the privacy and security requirements attached hereto as Schedule 1, which may be modified by Endurance from time to time to address the evolving threat landscape and identification of additional security risks. Service Provider, upon written acceptance of said modified policies and procedures, shall comply with all policies and procedures as developed and provided by Endurance.”
10.
Counterparts. This Third Amendment may be executed in any number of counterparts, each of which shall be deemed to be an original and all of which together shall be deemed to be one and the same instrument.
11.
This Third Amendment, together with the Agreement, constitutes the entire understanding and agreement of the Parties with respect to the subject matter of this Third Amendment and supersedes any and all prior agreements, written or oral, dealing with the subject matter of this Third Amendment. In the event of a conflict between this Third Amendment and the Agreement, the terms of this Third Amendment shall govern.
12.
Except as amended herein, all other terms and conditions of the Agreement shall remain in full force and effect and are hereby ratified. Except as expressly amended herein, no present or future rights, remedies, benefits or power belonging or accruing to Parties hereto, shall be affected, prejudiced, limited or restricted hereby.

 





IN WITNESS WHEREOF, the duly authorized officers or representatives of Endurance and Service Provider have executed this Amendment as of the Third Amendment Effective Date above intending legally to be bound.
THE ENDURANCE INTERNATIONAL GROUP, INC.

TREGARON INDIA HOLDINGS,LLC
By:     /s/ Christine Barry            
By:     /s/Vidya Ravichandran            

Name: Christine Barry            
Name: Vidya Ravichandran            
Title: Chief Services Officer            
Title: President                
Date: 12/18/17                
Date: 12/19/2017                


 





Schedule 1 – Privacy and Security Requirements

1. Definitions. Any capitalized terms not defined herein will have the meaning set forth in the Agreement.
1.1     "Agreement" means the Master Services Agreement, as amended, to which this Schedule is attached.
1.2     "Destroy" means to render the information permanently and completely unreadable, destroyed and undecipherable.
1.3    “Information Security Program” means the comprehensive, organized collection of documented artifacts and processes that are used to continuously deliver information security across the enterprise.
1.4    "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
1.5    "Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
1.6    "Process" means "Processing" as defined in Article 2(b) of the European Union ("EU") Data Protection Directive, 95/46/EC ("Data Protection Directive").
1.7    “Security Incident” means the actual loss, or reasonable belief that there is any loss, of EIG Confidential Information, or any unauthorized or unlawful access to, use of, or disclosure of, EIG Confidential Information, or any other compromise of EIG Confidential Information.    
1.8     "Services" has the meaning ascribed in the Agreement.
1.9    "Subcontractor" means any third party authorized by Service Provider to which Service Provider discloses or allows access to EIG Confidential Information.
1.10    “Successful Penetration Test” means a test script that achieves a specific, attacker-simulated goal for purposes of generating a report of how security was breached in order to reach the agreed-upon goal and remediation plan.
1.11    “Trusted Access” means access to EIG Confidential Information that exceeds the standard level of access granted to Service Provider’s employees to provide the Services.
1.12    “Trusted Multi-Tenant” means an architectural model that provides comprehensive and complete separation between service users integrating quality of service, management reporting, security, encryption and compliance.
1.13    “EIG Authorized Requestor” means a person listed as a contact within EIG and authorized to request changes or similar actions.
1.14    “EIG Confidential Information" means all Confidential Information (as defined in the Agreement) disclosed by EIG to Service Provider including, without limitation, all Personal Data, Sensitive Personal Data, and all information and materials relating to EIG’s (a) business, operations, financial condition, marketing, pricing, business plans, capital structure, organizational structure, information systems, management, service partners, subcontractors, and vendors; (b) services, products, tools, methodologies, processes, know-how and intellectual capital, research and development, inventions; (c) directors, officers, management, employees, retirees, benefit plan participants and dependents, and shareholders; (d) clients and any of their needs and plans, directors, officers, employees, retirees, benefit plan participants and dependents, and shareholders (e) EIG system user names or system identities, IT architecture and infrastructure and similar type of information that identify EIG environments (f) any other information that a reasonable business person would understand to be confidential or not otherwise publicly available. The EIG Confidential Information will not include information or materials (except those comprising Personal Data or Sensitive Personal Data): (a) already known to the recipient and documented in its files at the time of disclosure; (b) in the public domain or available to

 





the public; (c) available to the recipient from third parties without any nondisclosure obligation to the discloser that is known to recipient; or (d) independently developed by recipient without any reference to EIG Confidential Information.
1.15    “Vulnerability Assessment” means the process of identifying, quantifying and prioritizing the vulnerabilities on a system so as to produce a prioritized list of discovered vulnerabilities and remediation plan.

2. Compliance
2.1 Service Provider agrees that it will comply with all applicable local, state, federal and foreign laws in providing the Services, including without limitation the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) and EU Member State laws or regulations implementing the EU Data Protection Directive as amended.

2.2 Additionally, without limiting the foregoing, during the term of the Agreement and for so long as Service Provider retains EIG Confidential Information, Service Provider will obtain [**] independent attestation to the effectiveness of Service Provider’s product and corporate Privacy and Security Programs. It is mandatory for Service Provider to obtain compliance by [**] with the most current PCI-DSS standard for all in scope hardware, software, functions, and processes or similar used in providing the Services. Additionally, by [**], Service Provider must either undergo SSAE16 SOC 2 Type 2 audits with all trusted service principles or ISO27001 and ISO27018 certification for non-PCI activities or Services.

2.3 Service Provider will not store any EIG Confidential Information outside the United States without EIG’s prior written permission. Where permission is granted, EIG Confidential Information will be transferred using prevalent industry standard encryption and will comply with all applicable privacy data protection principles for so long such recipient retains such information. EIG Confidential Information stored in any locations will be stored at rest in an encrypted format, or with EIG permission, unencrypted with mitigating controls applied and demonstrated as effective.

3. Fraud Prevention
3.1. The Parties acknowledge that the Services combined with Trusted Access involves a potential risk for abuse, including without limitation, credit card fraud and identity theft, and thus Service Provider shall have and maintain in place throughout the term of the Agreement adequate policies and procedures to reasonably prevent fraudulent abuse, enforcing them where appropriate and coordinating with EIG when necessary.

4. Data Ownership and Control
4.1 As between Service Provider and EIG, all EIG Confidential Information remains, at all times, the sole property of EIG. Service Provider will promptly comply with any commercially reasonable request from EIG requiring Service Provider to amend, transfer, return, or mask EIG Confidential Information, to the extent permitted by applicable law, and to the extent EIG does not have the reasonable ability to do so itself in its use of the Services. Service Provider will restrict access to EIG Confidential Information to those who need such access to perform their job duties.

4.2 Service Provider will take reasonable steps to ensure that disposal of removable media holding, or suspected of once holding, EIG Confidential Information, including without limitation, tapes, floppy discs, hard drives, or laptops or any other portable devices or media will be disposed of in such a way that EIG Confidential Information is not recoverable by any computer forensic means.

 






4.3 Service Provider will ensure that EIG Confidential Information on paper and other shreddable media including without limitation paper, microfiche, microfilm, CDs will be shredded using cross-cut shredding machines when no longer needed. This media may be shredded immediately or temporarily stored in a highly secured, locked container. The media may be shredded at a location other than the Service Provider's facilities; however it must be transferred in a highly secured locked container. Service Provider is responsible for supervising the shredding regardless of where the shredding activity occurs and by whom the shredding is performed. EIG Confidential Information on this media must be completely destroyed by shredding such that the results are not readable or useable for any purpose.

4.4 For avoidance of doubt, any deletion of EIG Confidential Information described in this section will be subject to applicable legal requirements that require Service Provider to retain EIG Confidential Information. Upon EIG's request and after EIG Confidential Information has been Destroyed in accordance with the provisions of this section, Service Provider must promptly certify in writing to EIG that it has returned or Destroyed, as applicable, all EIG Confidential Information. Notwithstanding anything to the contrary in the Agreement or this Schedule, in the event of a change in any law or regulation or a change in a governmental interpretation or application of a law or regulation that applies to the Service (a "Change in Law"), to the extent EIG reasonably determines that such Change in Law causes the storage of EIG Confidential Information by EIG in the Service to violate applicable law or regulation, and EIG cannot implement a commercially reasonable change to its configuration or use of the Service to avoid such violation, then EIG may so notify Service Provider in writing. If within thirty (30) days after such notice Service Provider does not make available to EIG a change in the Service or a recommended change in EIG's configuration or use of the Service that will avoid such violation without unreasonably burdening EIG, then EIG may terminate this Agreement upon written notice to Service Provider and receive a refund of any prepaid fees for the period following the effective date of termination. Each party represents as of the Amendment Effective Date that it is unaware of any applicable law, regulation, or prospective Change in Law that would be violated by Service Provider’s storage of EIG Confidential Information in connection with the Services.

5. Data Security
5.1 Notwithstanding anything to the contrary in the Agreement, Service Provider will implement and maintain industry standard practice administrative, technical and physical measures that are designed to protect the security, integrity, confidentiality, and availability of EIG Confidential Information, including without limitation, protecting EIG Confidential Information against threats (actual or anticipated) or hazards, improper, unauthorized or unlawful access, use or disclosure, any reasonably anticipated loss, or any other reasonably anticipated compromise, and will internally review such security measures and maintain such security measures in a manner consistent with applicable industry prevalent standards.

5.2 Service Provider will encrypt all electronic EIG Confidential Information that is (a) required to be encrypted under applicable laws, regulations, or standards (including without limitation PCI standards), when transmitted or stored electronically. Service Provider will use security technologies (including without limitation database encryption, intrusion detection and prevention, anti-virus, anti-malware, security event/incident monitoring, encryption, password protection and firewall protection) in providing the Services. In no event will Service Provider permit any other third party to undertake, mining of any content of EIG Confidential Information
 

 





5.3 Where applicable, Service Provider will use a security-conscious software development lifecycle for software engineering that will [**]. Service Provider will additionally ensure production data is not replicated or used in a non-production environment.
 
5.4 Service Provider will maintain a training program for all employees, contractors and temporary workers with access to, or likely to have access to, EIG Confidential Information, in written or electronic form. The training program will include without limitation updates throughout the year, instruction on maintaining awareness and compliance with security policies, procedures, standards and applicable regulatory requirements.
 
5.5 Service Provider will maintain access control policies, processes and procedures for segregation of duties and granting and timely revocation of Service Provider employee, contractor or temporary worker normal and privileged access to, without limitation, EIG Confidential Information, applications, databases, servers, network infrastructure in accordance with best industry practice. Service Provider’s management will approve and be aware of privileged access and will monitor for inappropriate actions.

5.6 Service Provider will define policies, processes and procedures establishing business continuity and disaster recovery requirements, as well as a method for determining the impact of any disruption to the organization incorporating: [**].

5.7 Service Provider will disclose all non-US locations involved in the delivering the Services including but not limited to software engineering and customer support.

5.8 In addition to PCI obligations, Service Provider will perform [**] Testing (the “Test”) of its corporate non-PCI infrastructure to verify the sufficiency of its security measures, and in a reasonable timeframe undertake commercially reasonable efforts to remedy any critical defect detected in such assessment report. The Test will be performed by an industry recognized security firm, or individual, of sufficient knowledge and skill to attempt non-standard approaches to the Test. A summary of the results of the Test and Service Provider’s plan for addressing or resolving critical items will be shared with EIG within [**] of the Service Provider’s receipt of the results. The Test should, at a minimum, [**]. Service Provider further agrees that where an incident is declared a Test and Vulnerability Assessment will be performed as soon as practicable post incident.

5.9 Service Provider will make itself and any employees, subcontractors, or agents assisting Service Provider in the performance of its obligations under the Agreement available to EIG at no cost to EIG to testify as witnesses, or otherwise, in the event of litigation or administrative proceedings against EIG, its directors, officers, agents or employees based upon a claimed violation of laws relating to security and privacy and arising out of this Agreement.

5.10 The obligations of this Section 5 will not act to restrict Service Provider's lawful disclosure of the EIG Confidential Information pursuant to any applicable state or federal laws or by request or order of any court or government agency. Provided, however, before making such a disclosure, Service Provider must give notice as described in Section 9.2.

5.11 In the event: (a) of an incident which has a significant impact or urgency for EIG’s business, in EIG’s sole discretion, and which demands a response beyond the routine incident management process but does not

 





meet the criteria of a Security Incident under Section 1.7 (a “Major Incident”); or (b) EIG is required by law and has demonstrated such need to Service Provider, Service Provider must provide within a reasonable timeframe, any data stored regarding any person affiliated with EIG, access logs, activity logs, transaction logs, changes to access rights, etc., as detailed by the system architecture and practices provided by Service Provider, including without limitation:
[**].

6. Physical and Environmental Security

[**]

7. Privacy or Security Incidents
7.1 Service Provider will have appropriate staff on duty 24/7/365, and on site during regular Service Provider business hours, capable of identifying, categorizing and responding to a security or privacy incident and will at all times maintain an adequate and appropriate data security and privacy incident management program. In the event there is, or Service Provider reasonably believes that there is, a Security Incident, Service Provider will promptly notify EIG, subject to any legal or regulatory requirements to which Service Provider must adhere, and will promptly take steps to implement a security fix across the Services. Service Provider will promptly, but no later than [**], after discovering a Security Incident, notify EIG in writing of the Security Incident. Further, Service Provider will:
 
reasonably cooperate with EIG to investigate and resolve the Security Incident, including without limitation, assisting with providing information within its control or possession required by EIG to provide any third party notifications of the Security Incident;
be responsible for all damages (including out-of-pocket costs) arising from a breach of Service Provider’s obligations with regard to a Security Incident, with the limitations established in Section 16 of the Agreement;
provide forensic reports (or assist EIG in preparing written responses to audit requirements and/or findings without charge, sufficient to enable EIG to comply with its legal obligations with regard to any Security Incident arising from a breach of Service Provider’s obligations under this Agreement with regard to a Security Incident, or if it does not do so, be responsible for reasonable costs for EIG to perform a forensic analysis;
be responsible for reasonable costs for EIG's legally required notification of data subjects with regard to any Security Incident arising from the breach of Service Provider’s obligations under the Agreement, subject to all limitations set forth in the Agreement;
be responsible for reasonable costs for EIG's provision of [**] credit monitoring for data subjects affected by any Security Incident arising from the breach of Service Provider’s obligations under the Agreement;
be responsible for reasonable costs for EIG to create and implement a security breach support hotline in response to any Security Incident arising from the breach of Service Provider’s obligations under the Agreement; and
appropriately document responsive actions taken related to any Security Incident, including without limitation, post-incident review of events and actions taken, if any, to make changes in business practices related to the protection of EIG Confidential Information, escalation procedures to senior managers, and any reporting to regulatory and law enforcement agencies.


 





7.2 Notwithstanding the foregoing, if Service Provider is found to have engaged in negligent acts in connection with its obligations under the Agreement, Service Provider will be responsible for all costs and expenses in connection with its participation in any EIG or governmental investigations regarding EIG Confidential Information or the provision of the Services.
 
7.3 The content and provision of any notification by EIG of the Security Incident will be solely at the discretion of EIG, provided EIG will not name Service Provider in any notification unless mutually agreed by both parties in writing, unless otherwise required by applicable law or government request.

7.4 The obligations of this Section 7 will not act to restrict Service Provider's lawful disclosure of the EIG Confidential Information pursuant to any applicable state or federal laws or by request or order of any court or government agency. Provided, however, before making such a disclosure, Service Provider must give notice as described in Section 9.2.

7.5 Service Provider must provide the following for the Security Incident when "relevant data" might include any data stored regarding any person affiliated with EIG, access logs, activity logs, transaction logs, changes to access rights, etc., as detailed by the system architecture and practices provided by Service Provider:

[**]

8. Subcontractors
Service Provider will ensure that each approved Subcontractor will comply with terms not less stringent than the terms of this Schedule as may be applicable to such obligations arising out of the Agreement as are performed by such Subcontractor. Service Provider will be legally responsible to EIG for any compensable damages under this Agreement suffered by EIG attributable to any Subcontractor engaged by Service Provider to perform any part of Service Provider's obligations under this Agreement, without prejudice to Service Provider's ability to assert and pursue any claim against any such Subcontractor. If Service Provider has knowledge of a reasonably suspected or actual violation of Service Provider's obligations under this Agreement by a Subcontractor, Service Provider will notify EIG promptly in writing (email permitted). If EIG determines that such Subcontractor has violated Service Provider's obligations with respect to EIG Confidential Information, EIG reserves the right to require Service Provider to stop using the Subcontractor for any of the Services provided to EIG promptly and to require the Subcontractor to return or destroy all EIG Confidential Information in Subcontractor's possession or control promptly. Notwithstanding anything to the contrary in the Agreement or this Schedule, Subcontractors will not disclose or allow access by any other party to any EIG Confidential Information without the prior written consent (email permitted) of EIG, except to the extent such disclosure or access is required by applicable law.

9. Data Processing and Disclosure.
9.1 The Parties will not Process or disclose the other Party’s information for any purpose, except to the extent (i) necessary to provide the Services in accordance with the terms of the Agreement; (ii) as mutually agreed to in writing by the Parties; or (iii) to the extent required by applicable law.

9.2 Notwithstanding anything to the contrary in the Agreement, neither Party will disclose nor allow access to any Confidential Information of the other Party to any third party without the prior written consent of the other Party, except to the extent required by applicable law. If any Party receives a request, demand or other similar notice seeking disclosure, from a third party in connection with any government investigation or court

 





proceeding that the Party believes would require it to produce or disclose any Confidential Information from the other Party, then the Party will first promptly notify the other Party in writing of such request to the extent permitted by applicable law prior to making any such production or disclosure to provide the other Party with a reasonable amount of time to respond to such request before disclosing the requested information to such third party, and provide commercially reasonable cooperation at the other Party's cost to the extent reasonable, if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law or regulation.

10. Audits and Inspections
10.1 On [**] basis, EIG may ask Service Provider to complete a privacy and security questionnaire as part of its [**] compliance program. Additionally, upon reasonable advance notice to Service Provider and during normal business hours, EIG may conduct a site visit of the Facilities, subject to the following: (a) such visit will be at EIG’s expense and be conducted by representatives of EIG, including without limitation its independent third-party auditor; (b) such site visit will occur at a mutually agreeable time not more than [**] per Service Provider Facility (other than a visit in connection with a Security Incident); (c) such site visit will not unreasonably interfere with Service Provider's operations and will be of reasonable duration; and (d) any third party performing such site visit on behalf of EIG will execute a nondisclosure agreement with Service Provider in a form reasonably acceptable to Service Provider with respect to the confidential treatment and restricted use of Service Provider’s confidential information. If during a site visit, EIG discovers a problem with privacy, security or other operational matters that violate Service Provider’s obligations under the Agreement, EIG and Service Provider will use commercially reasonable and good faith efforts to remediate such problems ("Remediation Plan"). Service Provider will execute and complete the Remediation Plan without unreasonable delay, and, upon request, notify EIG when such actions are completed.

10.2 In the case of a Security Incident, Service Provider will initiate a call with EIG regarding the Security Incident within [**] of the Security Incident, which is in addition to the notification requirement under Section 7.1 of this Schedule. EIG may conduct a site visit within [**] after the initial notice of the Security Incident from Service Provider to EIG. Access to the Facilities will be subject to Service Provider's reasonable access requirements, technical restrictions, and security policies. [**] prior to a scheduled site visit (other than a visit in connection with a Security Incident), EIG will provide Service Provider with a list of records that EIG would like to inspect ("Records Request"). If Service Provider objects to EIG reviewing particular records, Service Provider will notify EIG promptly and the parties will discuss the matter in good faith to arrive at a mutually agreed Records Request. Service Provider will have the mutually agreed Records Request available for EIG's inspection on the agreed site visit date (unless another time is mutually agreed to). If Service Provider, in good faith, is not able to have such information available at that time, Service Provider will notify EIG in advance, but no less than [**] prior to the site visit date, and the parties will decide whether to proceed with the visit. If the parties decide to reschedule the visit, the new date will be no more than [**] after the originally scheduled date. Notwithstanding the foregoing, if during a site visit, EIG discovers a problem with security or other operational matters that violates Service Provider's obligations hereunder, EIG and Service Provider will use commercially reasonable and good faith efforts to create a Remediation Plan. Service Provider will execute and complete the Remediation Plan without unreasonable delay, and, upon request, notify EIG when such actions are completed.

11. Background Checks
11.1 As of the Amendment Effective Date, Service Provider will conduct background checks on all new full-time, contract and temporary personnel involved in the performance of Services for EIG under the Agreement consistent with the below:

 





[**]

11.2 For employees hired prior to the Amendment Effective Date, Service Provider shall complete background checks as set forth in Section 11.1 above for all key personnel who have privileged access to DWTPL’s systems or access to financial information (“Key Personnel”) within [**] of the Amendment Effective Date. For all non-Key Personnel hired prior to the Amendment Effective Date, Service Provider has conducted basic background checks, including:

[**]

12. Administrative Controls
12.1 Service Provider will ensure that all individuals that will have access to EIG Confidential Information undergo and successfully complete adequate and appropriate privacy and data security training prior to having access to EIG Confidential Information. Such training must be provided to all such individuals on at least an annual basis and comply with applicable laws, regulations and commercially reasonable practices.

12.2 Service Provider will implement and maintain policies documenting the consequences for violations of Service Provider's privacy and data security policies and escalation procedures for non-compliance with such policies.

12.3 Service Provider agrees that all Service Provider employees that Process EIG Personal Information will comply with the requirements of this Schedule.

13. Survival
This Schedule and related provisions in the Agreement will survive so long as Service Provider has access to or retains EIG Confidential Information. Notwithstanding the foregoing, the following provisions in this Schedule will survive indefinitely: Sections 4 and 9.