Master Agreement between Fiserv Solutions LLC and Heartland Financial USA, Inc. dated July 1, 2021, and Amendment 1 to Agreement dated as of July 1, 2021

Legend: [***] CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED FROM THIS EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) INFORMATION THAT THE COMPANY TREATS AS PRIVATE OR CONFIDENTIAL. MASTER AGREEMENT This MASTER AGREEMENT (“Agreement”) dated as of the first day of the first calendar month following the last date signed (“Effective Date”) between Fiserv Solutions, LLC, a Wisconsin limited liability company with offices located at 255 Fiserv Drive, Brookfield, Wisconsin 53045 (“Fiserv”), and Heartland Financial USA, Inc., with offices located at 700 Locust Street, Dubuque, Iowa 52001 USA (“Heartland”). The term “Agreement”, as used herein, includes the main body of the Agreement commencing at the top of this page and through the signature page (as used in this Agreement, the “Master Agreement”), and all Exhibits, Schedules, Attachments and Appendices referenced herein. WHEREAS, Heartland and Fiserv entered into a License and Service Agreement dated June 21, 1996, subsequently amended, inclusive of all associated exhibits, schedules, appendices, and attachments (collectively, the “Prior Agreement”); WHEREAS, Heartland and Fiserv agree that, as of the Effective Date, the Prior Agreement and the Exhibits, Schedules and other attachments appended thereto are amended and superseded in their entirety with the terms and conditions of this Agreement; NOW THEREFOR, in receipt of good and valuable consideration, the sufficiency of which is hereby acknowledged, Fiserv and Heartland and hereby agree as follows: Deliverables. General. Fiserv, through the employees, agents and/or subcontractors of itself and its Affiliates (as defined herein) (collectively, “Fiserv Personnel”) agrees to provide to Client, and Client agrees to obtain from Fiserv, the services (including services provided pursuant to the ASP Services Exhibit, implementation, conversion, operational and technical support, development, professional, consulting, and training services provided pursuant to the Professional and Development Services Exhibit (as applicable), maintenance or other services provided pursuant to the Software Products Exhibit, services provided under the Instant Issuance Exhibit, and network support services and any other services provided pursuant to the Equipment Exhibit (“Services”) and products (including Software as defined in the Software Products Exhibit, products provided pursuant to the Instant Issuance Exhibit and Equipment as defined in the Equipment Exhibit) (“Products”) (collectively, “Deliverables”) described in the attached Exhibits, subject to the terms set forth in this Agreement and in the applicable Exhibit(s). For clarity, any reference, in this Agreement or any Exhibit or Schedule hereto, to the provision of Services, Products and/or Deliverables to Client, shall, unless otherwise stated, include the provision of such Services, Products and/or Deliverables to Client Affiliates and, as applicable, to employees and contractors (subject to Section 3 (Confidentiality and Ownership)) of Client and Client Affiliates. “Affiliate” means an entity that controls, is controlled by, or is under common control with a party, where “control” means the direct or indirect ownership of more than 50% of the voting securities of such entity or party. Each Exhibit will be deemed to incorporate all of the terms of this Agreement. Use of the term “Exhibit” throughout this Agreement shall include any Schedules attached to such Exhibit. Exhibits and Schedules attached as of the Effective Date are listed below.  Service Level Exhibit to Master Agreement  Support Response Time Attachment to the Master Agreement  ASP Services Exhibit to Master Agreement Card Services Schedule to ASP Services Exhibit Electronic Document Delivery Services Schedule to ASP Services Exhibit Intelligent WorkplaceSM Platform Services Schedule to the ASP Services Exhibit

 

Output Solutions Services Schedule to ASP Services Exhibit Statement Advantage Services Schedule to ASP Services Exhibit XRoads™ Services Schedule to ASP Services Exhibit Zelle® Payment Services Schedule to ASP Services Exhibit  Professional and Development Services Exhibit  Equipment Exhibit to Master Agreement Network Support Services Schedule to the Equipment Exhibit  Instant Issuance Exhibit to Master Agreement  Software Products Exhibit to Master Agreement Account Processing Software (Signature) Schedule to Software Products Exhibit EnAct Software Schedule to Software Products Exhibit Enterprise Performance Management Software (Prologue) Schedule to Software Products Exhibit Holding Company Relationship. Heartland enters into this Agreement on behalf of itself and each of its bank Affiliates identified in the applicable Exhibits and/or Schedules as receiving Deliverables under this Agreement (each, a “Client”). Heartland shall cause to be performed, and shall be responsible for the performance, by each bank Affiliate receiving Deliverables as a Client under a particular Exhibit or Schedule of all “Client” obligations under this Agreement applicable to such Deliverables as if Heartland were itself receiving such Deliverables, and shall be jointly and severally liable with each such individual bank Affiliate for all actions and omissions of such bank Affiliates receiving Deliverables as a Client under such Exhibit or Schedule in connection with this Agreement. References to “Client” herein shall include Heartland and the applicable bank Affiliate identified as Client for the Deliverables received by such bank Affiliate. For the avoidance of doubt, no bank Affiliate will be liable to Fiserv for the actions or omissions of another bank Affiliate (including any liability arising from the actions or omissions of another bank Affiliate or its customer). To the extent that any provision of this Agreement, including any Exhibit or Schedule or any document incorporated by reference provides that a Client provides a representation, warranty or covenant with respect to itself, such bank Affiliate provides such representation, warranty or covenant only with respect to itself or its customers (as applicable), and not with respect any other bank Affiliate. The initial Client Affiliates and the Deliverables used by each such Client Affiliate are as set forth in Appendix A to this Agreement. Additional Entities and Deliverables. The parties or their Affiliates may add Deliverables to this Agreement by adding an appropriate new Exhibit or Schedule to this Agreement via an amendment incorporating the added Deliverables and/or Affiliates, as applicable. Fiserv or the designated Fiserv Affiliate shall provide the Deliverables to Heartland and/or its bank Affiliates designated as Client in the applicable Exhibit or Schedule as recipients of such Deliverables. A bank Affiliate’s use of a Deliverable and/or execution of an amendment to receive such Deliverable or Heartland’s execution of such amendment on the bank Affiliate’s behalf shall constitute such bank Affiliate’s agreement to be bound by the terms of this Agreement with respect to such Deliverable. Facilities. Fiserv and its Affiliates and subcontractors will supply or provide the (A) Software and related maintenance services to the Client Location (as defined in the Software Products Exhibit and subject to the provisions of Section 4 (License) and Section 8 (Client Responsibilities) thereof) and (B) processing Services under the ASP Services Exhibit from the Fiserv data center, as such may be changed by Fiserv from time to time in accordance with the next paragraph (“Fiserv Facility(ies)”). (i) [***] (ii) Fiserv shall be financially responsible for all additional Fiserv costs, taxes or expenses resulting from any Fiserv-initiated relocation to a new or different Fiserv Facility. The immediately preceding sentence shall not apply in the event Client’s requirements result in the need for a relocation to a new or different Fiserv Facility and the parties mutually agree in writing to make such change.

 

Client PII Location. Except as otherwise expressly set forth in an Exhibit or Schedule, Fiserv will not store Client PII at any facility outside of the United States without Client’s written consent. Fiserv and its subcontractors shall be permitted to access Client PII from a location outside of the United States [***] via computer networks or systems, and such remote access shall in no event be deemed a breach of this provision. Fiserv shall not access Client PII from a location outside of the United States and the above listed countries without Client’s written consent. Changes. Fiserv may make changes in its methods of delivering the Deliverables, including in the standards, processes, operating procedures, methodologies or controls, or associated technologies, architectures, products, software, equipment, systems or materials provided, operated, managed, supported or used in connection with the Deliverables, or the type of equipment or software resident at, or, subject to and in accordance with Section 1(d) (Facilities) of this Master Agreement, the location of, Fiserv’s service center(s) (collectively, “Changes”); [***] Disabling Code. Fiserv will use commercially reasonable efforts to provide the Deliverables to Client free from any Disabling Code at the time of delivery. Client shall use commercially reasonable efforts to cause all materials and/or data provided by Client to Fiserv to be free from Disabling Code at the time of delivery. For purposes of this Agreement “Disabling Code” means any timer, clock, or counter that may cause software or any data generated or used by it to be erased, become inoperable or inaccessible, or that may otherwise cause such software to become temporarily or permanently incapable of performing in accordance with this Agreement, or subject to control or data access by parties other than Client, including any Disabling Code that is triggered after use or copying of such software or a component thereof a certain number of times, or after the lapse of a period of time, or in the absence of a hardware device or after the occurrence or lapse of any other triggering factor or event or due to external input, including across a computer network. Disabling Code includes software commonly referred to as a virus, worm, Trojan horse, backdoor, malware or spyware. Each party shall use industry standard virus detection software tools intended to ensure that any data, materials, files or, in the case of Fiserv, Deliverables, provided to the other party are free of Disabling Code. In the event Disabling Code is found in Software as delivered to Client by Fiserv, Fiserv will take reasonable actions, at no additional charge to Client, to remove such Disabling Code and re-deliver such Software without the Disabling Code. In the event Disabling Code is found in Fiserv’s Systems used to provide the Services, Fiserv will take reasonable actions, at no additional charge to Client, to remove and otherwise address such Disabling Code. [***] [***] [***] [***] Cooperation with Third Parties. Fiserv shall, subject to the confidentiality provisions of Section 3 (Confidentiality and Ownership) of this Master Agreement, cooperate with and work in good faith with Client and/or Client Third Party providers, as reasonably directed by Client. Such cooperation may include, as and to the extent mutually agreed: (i) providing electronic access to Client Data, with query and update capabilities, (ii) providing written requirements, standards, policies or other documentation for Client’s Third Party provider to write to Fiserv’s middleware as may be necessary in connection with the Deliverables, (iii) working with the Client’s Third Party providers to assist them in writing to Fiserv’s middleware, and (iv) providing any other cooperation or assistance reasonably requested by Client. Fiserv shall provide such cooperation and assistance promptly and in a commercially reasonable manner and shall use commercially reasonable efforts to support Client’s reasonable plans. Fiserv and Client shall confer in good faith and agree on the scope of such cooperation and the extent to which there are associated fees provided that Fiserv shall use commercially reasonable efforts to minimize such fees. Client Personnel. Client shall (i) designate appropriate Client personnel for training other Client personnel in the use of the Deliverables, (ii) supply Fiserv with reasonable access to Client’s site during normal business hours (or such other hours as mutually agreed between the parties) to the extent necessary for Fiserv to perform P&D Services (as defined in the Professional and Development Services Exhibit), and (iii)

 

reasonably cooperate with Fiserv personnel to the extent necessary in connection with Fiserv’s performance of the Deliverables. Subcontracting. Client agrees that Fiserv may subcontract any obligations to be performed hereunder; provided that any such subcontractors, including any Fiserv Affiliates performing any of Fiserv’s obligations hereunder, shall be required to comply with all applicable terms and conditions of this Agreement, and Fiserv shall remain primarily liable for the performance of any such subcontractors and Affiliates. Fiserv shall perform appropriate due diligence of any potential subcontractor before engaging such subcontractor, and in the event Fiserv engages a subcontractor, Fiserv shall perform an annual risk assessment of such subcontractor as part of Fiserv’s vendor management processes. Fiserv will provide, upon request by Client not more than once per year, a list of subcontractors that have access to Client Data where a ‘subcontractor’ means a third party vendor, provider or supplier to whom Fiserv contracts out a specific portion of the Deliverables provided to Client under this Agreement, and specifically excludes Fiserv Affiliates. Client will facilitate timely cooperation with Fiserv’s subcontractors, if any, in order for Fiserv to provide the Deliverables. [***] Termination Assistance Services: Except with respect to Deliverables where Fiserv has provided at least 18 months prior written notice [***] such Deliverable as of or on a date following the Expiration Date: [***] (q) Fiserv Use of Third Party Solutions. Fiserv's providing Deliverables under this Agreement may be dependent on the products or services of a third party vendor or service provider of Fiserv. In the case of Software Products licensed by Client, all such third parties are identified in the applicable Schedule to the Software Products Exhibit. In the event Fiserv’s rights to use the third party provider’s products or services to provide Deliverables to Client are impacted in any way that affects Client’s use of a Deliverable, Fiserv will (i) work in good faith and use commercially reasonable efforts to (A) remedy the impact with the applicable third party provider so that Client can continue to use the Deliverables, or (B) identify and engage a replacement third party product or service to continue providing Client the Deliverables, and if neither (A) or (B) is possible, then Fiserv may terminate the impacted Deliverable(s) (provided, Fiserv is terminating the impacted Deliverable(s) for all Fiserv clients then receiving such Deliverable(s)). [***] Fees for Deliverables. General. Client agrees to pay Fiserv: (i) fees for Deliverables as specified in the Exhibits, as otherwise described elsewhere in this Agreement, or as mutually agreed in writing between the parties such as set forth in a statement of work or other such document, (ii) travel and related expenses pursuant to Section 2(c) (Travel and Related Expenses), (iii) Taxes as defined in Section 2(d) (Taxes), and (iv) Fiserv’s then current deconversion charges in connection with Client’s deconversion from the applicable Deliverables. Increase in Fees. In addition to any provisions otherwise set forth in an Exhibit or Schedule, Fiserv’s fees, rates and charges listed in an Exhibit may be increased annually[***]; each such increase shall be limited to [***] (“Annual Increase”). Travel and Related Expenses. Client shall reimburse travel and living expenses reasonably incurred by Fiserv in connection with the Deliverables, to the extent such travel has been mutually agreed between the parties. As applicable, such travel and related expenses shall be incurred in accordance with Fiserv’s then- current corporate travel and expense policy. It is understood and agreed that the travel and related expenses to be reimbursed by Client represent the actual amount Fiserv is obligated to pay to the applicable third party, without any Fiserv markup, and that Fiserv has used and will use commercially reasonable efforts to minimize such travel and related expenses. Taxes. Client is responsible for the payment of all sales, use, excise, value added, withholdings and other taxes and duties however designated that are levied by any taxing authority relating to fees to be paid by Client in exchange for Fiserv’s provision to Client of the Deliverables (“Taxes”). Fiserv and Client shall work together to review and revise Fiserv’s invoices, if necessary, to identify and/or separate those items that are subject to tax from those items that are not subject to tax. Fiserv agrees to reasonably cooperate with and

 

assist Client in disputing any taxes, at Client’s expense. All fees and other charges under any Exhibit are exclusive of Taxes. Client shall reimburse Fiserv for those Taxes that Fiserv is required to remit on behalf of Client. In no event shall Taxes include taxes based on Fiserv’s income. . Regulatory and Compliance. [***] Payment Terms. Fiserv shall, except as otherwise provided in the applicable Schedule or Exhibit, on a monthly basis, deliver a single consolidated invoice listing all amounts payable by Client for Deliverables received pursuant to this Agreement (including its Exhibits and Schedules) during the prior calendar month. Each such invoice shall be due and payable within 30 days after Client’s receipt of such invoice; except that Client may withhold fees invoiced for Deliverables to the extent such fees are disputed by Client in good faith, provided that Client gives Fiserv written notice and explanation of such good faith dispute within 20 days of Client’s receipt of such invoice. Client shall pay Fiserv through the Automated Clearing House unless otherwise set forth in the Exhibits. [***] Client shall neither make nor assert any right of deduction or set-off from amounts invoiced. [***] [***] [***] Confidentiality and Ownership. The provisions of this Section 3 (Confidentiality and Ownership) survive any termination or expiration of this Agreement. Definitions. (i) “Information” means the following types of information obtained or accessed by or on behalf of a party to this Agreement or its Affiliates (“Recipient”) from or on behalf of the other party or its Affiliates (“Discloser”) in connection with this Agreement or any discussions between the parties regarding new services or products to be added to this Agreement: (A) trade secrets and proprietary information (including that of any client, supplier or licensor); (B) customer lists, client lists, business plans, information security plans, business continuity plans, requests for proposals or requests for information and responses to such requests that the parties may exchange after the Effective Date, and proprietary software programs; (C) any personally identifiable information (“PII“); (D) users IDs and passwords of Fiserv Systems and/or Client Systems; (E) any other information received from or on behalf of Discloser that is marked confidential or that Recipient could reasonably be expected to know is confidential; and (F) “Client Information” and “Fiserv Information”. For purposes of this Agreement, “PII” is defined as personally identifiable information that is not otherwise publicly available. Information is personally identifiable if it can reasonably be linked to a particular person, computer, or device, such as the name(s), address, telephone, account, and social security numbers, including password/authentication information, of Client’s individual customers or either party’s employees or contractors. PII does not include information reasonably believed to be made publicly available and information that is often made public; however, where an individual has directed that the information not be made public (e.g., an unlisted phone number or address) or the information has been obtained from the individual rather than a public source, it should not be considered publicly available. “Information” does not include any information that: (1) Recipient already possesses without obligation of confidentiality, develops independently without reference to Discloser’s Information, or rightfully receives without obligation of confidentiality from a third party; or (2) is or becomes publicly available without Recipient’s breach of this Agreement. (ii) “Client Information” means Information for which the Discloser is Client or its Affiliates. For clarity, Client Information includes business requirements provided by Client or its Affiliates for Fiserv’s performance of Development Services. (iii) “Fiserv Information” means Information for which the Discloser is Fiserv, and specifically includes all information and documentation regarding the Deliverables, all software Products (including

 

software modifications and documentation, databases, training aids, and all data, code, techniques, algorithms, methods, logic, architecture, and designs embodied or incorporated therein), and the terms and conditions of this Agreement. Fiserv agrees that terms and conditions of this Agreement specific to Client will not be disclosed to third parties, other than as permitted for Client Information under Section 3(b) (Obligations) below or in connection with any audit of Fiserv or Client by a regulator, without Client’s prior consent. Obligations. Recipient agrees to hold as confidential all Information it receives from the Discloser. Recipient will use the same care and discretion to prevent unauthorized disclosure of Information as it uses with its own similar information that it does not wish disclosed, but in no event less than a reasonable standard of care and no less than is required by law. Recipient may only use Information for the lawful purposes contemplated by this Agreement, including in the case of Fiserv use of Client Information for (A) fulfilling its obligations under this Agreement, performing, improving and enhancing the Deliverables, and analyzing Client’s use and adoption of the Deliverable (“Deliverable Use Limitation”), (B) de-identifying and anonymizing Client Data and aggregating it with de-identified information of other Fiserv clients (such that (1) neither Client nor any Client Affiliate nor any individual is or can be identified as the subject of or source of such data and (2) such data may not be reconstructed or reverse engineered to identify Client, Client Affiliates or any individual) for purposes of developing data analytics models, tools and products to produce data analytics-based offerings (“Analytics Use Limitation”) and (C) using such Client Information in accordance with this Agreement for purposes of detecting and preventing fraud which may include Client Data (“Fraud Detection/Prevention Limitation”). Client agrees that prior to providing Fiserv access to any PII, Client shall ensure that any necessary consent has been obtained that is required by law or regulation for Fiserv to access the and use the PII pursuant to the terms set forth in this Agreement. Fiserv specifically agrees not to use or disclose any “non-public personal information” about Client’s customers in any manner prohibited by Title V of the Gramm-Leach-Bliley Act or the regulations issued thereunder (“GLB”), as applicable to Fiserv (“GLB Use Limitation”). (i) Recipient may disclose Information to: (A) its employees and employees of permitted subcontractors and Affiliates who have a need to know; (B) its attorneys and accountants as necessary in the ordinary course of its business; and (C) any other person with Discloser’s prior written consent. Before disclosure to any of the above persons, Recipient will have a written agreement with (or in the case of clause (B) a professional obligation of confidentiality from) such person sufficient to require that person to treat Information in accordance with the requirements of this Agreement, and Recipient will remain responsible for any breach of this Section 3 (Confidentiality and Ownership) by any of the above persons. Fiserv as Recipient may also disclose Client Information to third party vendors designated by Client. (ii) Recipient may disclose Information to the extent required by law or legal process, provided that: (A) Recipient gives Discloser prompt notice, if legally permissible, so that Discloser may seek a protective order; (B) Recipient reasonably cooperates with Discloser (at Discloser’s expense) in seeking such protective order; and (C) all Information shall remain subject to the terms of this Agreement in the event of such disclosure. At Recipient’s option, Information will be returned to Discloser or destroyed (except as may be contained in back-up files created in the ordinary course of business that are recycled in the ordinary course of business over an approximate 30- to 90-day period or such longer period as required by applicable law) at the termination or expiration of this Agreement or the applicable Exhibit (and any applicable Termination Assistance Services period) and, upon Discloser’s request, Recipient will certify to Discloser in writing that it has complied with the requirements of this sentence. (iii) Recipient acknowledges that any breach of this Section 3 (Confidentiality and Ownership) may cause irreparable harm to Discloser for which monetary damages alone may be insufficient, and Recipient therefore acknowledges that Discloser shall have the right to seek injunctive or other equitable relief against such breach or threatened breach, in addition to all other remedies available to it at law or otherwise. (iv) Recipient agrees that it shall notify Discloser as soon as possible upon Recipient becoming aware of any incident of unauthorized access to Discloser’s Information, Software, or systems. For clarity,

 

Fiserv’s obligations with regard to a Security Incident are set forth in Section 4 (Information Security) below. Ownership. (i) Ownership by Client. Subject to the use rights granted above, as between Fiserv and Client, Client shall own Client Information, including Client Data (as defined in Section 4(a) (Client Data) of this Master Agreement). Client also shall own any data created, generated, or processed from Client Data by Fiserv in connection with its performance of the Services or by Client in connection with its receipt of the Deliverables, including data processing input and output. (ii) Ownership by Fiserv. Except as provided in Section 3(c)(i) (Ownership by Client) above, unless the Parties agree otherwise, and with the exception of Client Information, all information, reports, studies, object and source code (including without limitation the Deliverables and all modifications, enhancements, additions, upgrades, or other works based thereon or related thereto), flow charts, diagrams, specifications, and other tangible or intangible material of any nature whatsoever produced through or as a result of or related to any of the Deliverables (collectively, “Works”), and all patents, copyrights, and other proprietary rights related to such Works and models, shall be the sole and exclusive property of Fiserv or its Affiliates or of their third party providers. Fiserv shall be the sole and exclusive owner of all derivative works of Works, including all United States and foreign patent, copyright and other intellectual property rights in such Works. Nothing in this Agreement shall convey to Client any title to or ownership of any Deliverables, Works, or models. Client hereby irrevocably assigns and transfers to Fiserv all rights, title, and interest in any such Works and models. (iii) Right to Use. During the term of the Agreement or the applicable Exhibit (and any Termination Assistance Services period), Client and its Affiliates may use any Works, other than an Open Source Component (as defined in the Software Products Exhibit to this Agreement) which is addressed in the Software Products Exhibit, provided to or rightfully accessed by Client or such Affiliates solely as and to the extent necessary to receive and/or use the Deliverables, in compliance with applicable legal and regulatory requirements, and/or to perform functions associated with their principal lines of business, and shall do so in accordance with the applicable terms and conditions of this Agreement. In addition, following the expiration or termination of the term of the Agreement or the applicable Exhibit (and any Termination Assistance Services period), Client and its Affiliates may continue to use reports, customer statements and other Works, excluding Fiserv Software (including object and source code) and Fiserv Systems, to comply with applicable legal and regulatory requirements and perform functions associated with their principal lines of business, provided such use is in compliance with the applicable terms and conditions of this Agreement and provided further that this shall not include the right to continue using Fiserv Software or Fiserv Systems provided at a fee unless Client agrees to pay such fee. For clarity, ownership of Client Data is set forth below in Section 4(a) (Client Data) of this Master Agreement. Restrictions. Without limiting any other obligation set forth in this Section 3 (Confidentiality and Ownership), Client shall not use, transfer, distribute, interface, integrate, or dispose of any information or content contained in Deliverables in any manner that competes with the business of Fiserv. Except as expressly authorized in an Exhibit, Client shall not: (i) use the Deliverables to provide services to third parties (other than Client’s customers or authorized Affiliates, as applicable); or (ii) reproduce, republish or offer any part of the Deliverables (or compilations based on any part of the Deliverables) for sale or distribution in any form over or through any medium. Information Security. (a) Client Data. Nothing in this Section 4 (Information Security) is intended to limit the obligations of Fiserv under Section 3 (Confidentiality and Ownership) of this Master Agreement with respect to the Client Information, which the parties acknowledge includes “Client Data”. “Client Data” means collectively, Client PII, ‘customer information’ (as defined in GLB), “consumer information” (as defined in GLB), ‘Cardholder Data’ (as defined below) to the extent collected by Fiserv from or on behalf of Client. To the extent that the provisions

 

pertaining to Client Data in Section 3 (Confidentiality and Ownership) of this Master Agreement and this Section 4 (Information Security) conflict, the provisions of this Section 4 (Information Security) shall control. (i) Ownership of Client Data. For clarity, Client Data shall be and remain, as between the Parties, the property of Client or its applicable Affiliate(s), if any, regardless of whether Fiserv or Client is in possession of the Client Data. Client Data shall be made available to Client, upon its request and in accordance with the provisions of this Agreement, including Client’s agreement to pay the associated fees, in accordance with Section 8(g) (Return of Client Files) of this Master Agreement, in Fiserv’s standard form and format or such other form and format reasonably available and specifically agreed to in writing between the parties. (ii) Limitations on Use. Fiserv agrees that Fiserv Personnel shall not collect, transfer, disseminate, use or process Client Data for any purpose or to any extent other than as necessary to fulfill Fiserv’s obligations and rights under this Agreement (collectively, this use limitation together with the Deliverable Use Limitation, Analytics Use Limitation, Fraud Detection/Prevention Use Limitation, and GLB Use Limitation above shall be “Client Data Use Limitation”). Fiserv shall not (and shall cause Fiserv Personnel to not) collect, use, process, transfer or disseminate Client Data other than in accordance with the Client Data Use Limitation without the written approval of Client. Fiserv shall take appropriate action to ensure that Fiserv Personnel having access to Client Data act in accordance with the terms of this Section 4 (Information Security) and are trained regarding their handling of information such as Client Data. In addition, if such Fiserv Personnel have not already done so, Fiserv shall require such Fiserv Personnel to execute employment agreements, and for any such personnel hired through subcontractors an appropriate agreement in place with such subcontractor, having appropriate confidentiality terms in accordance with the requirements of Section 3(b) (Obligations). (b) General. Fiserv has implemented and shall maintain during the term of this Agreement, including any period of Termination Assistance Services, a comprehensive written information security program, which shall include appropriate technical, organizational and physical security measures designed to protect against the destruction, loss, unauthorized alteration or acquisition of, or unauthorized access or use or other compromise to, Client Data. The information security program shall be designed to meet, among other things, the following objectives: (i) protect the security and confidentiality of customer information (as defined in GLB); (ii) protect against any anticipated threats or hazards to the security or integrity of such information; (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; (iv) ensure the proper disposal of “consumer information” (as defined in Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”); and (v) require Fiserv to take appropriate actions to address incidents of unauthorized access to Client’s “sensitive customer information” (as defined in the Interagency Guidelines), including notification to Client as soon as possible of any such incident. The content and implementation of Fiserv’s information security program shall be documented in writing by Fiserv. On or before the Effective Date and thereafter within thirty (30) days of Client’s written request, Fiserv shall provide to Client a summary of Fiserv’s then current written information security program for the applicable Deliverables received by Client, and thereafter, upon Client’s request, will provide updates on the status of such information security program. Fiserv also shall permit Client to review the relevant components of Fiserv’s information security program and/or to inspect Fiserv’s compliance with such program in accordance with Section 10(e) (Client Audit) of this Master Agreement. Upon Client’s written request, Fiserv shall allow Client to review any associated audit reports as described in Section 10 (Audit) of this Master Agreement, summaries of Disaster Recovery test results as set forth in Section 6(c) (Disaster Recovery Test) of the ASP Services Exhibit, summaries of penetration test results as set forth in Section 4(c) Security Testing of the ASP Services Exhibit. To the extent Fiserv makes any modifications to its information security program during the term or any Termination Assistance Services period, such modification shall comply with all relevant requirements and obligations under this Agreement and the information security program, as modified, shall be comparable or superior in all material respects to the one it replaced.

 

(c) PCI. Fiserv agrees to comply in all material respects with applicable requirements of PCI-DSS to the extent Fiserv stores, processes or transmits “cardholder data” or “sensitive authentication data” (as defined in PCI-DSS) (collectively “Cardholder Data”) on behalf of Client in connection with the Services or to the extent the Services impact the security of Client’s cardholder data environment. Consistent with Section 3(b) (Obligations) of this Master Agreement, Fiserv shall use Cardholder Data only for Fiserv’s performance of the Services and in accordance with this Agreement. Fiserv shall maintain a current PCI-DSS compliance validation, which Client may verify by examining the list of validated entities on the applicable website. (d) Security Incident. If Fiserv confirms or is notified of any incident that has or is reasonably believed to have resulted in unauthorized possession, acquisition, use, destruction, loss, alteration, theft or disclosure of, or unauthorized access to Client Data (each such incident, a “Security Incident”), Fiserv shall as soon as reasonably possible (and in any event within 48 hours or sooner if required by applicable laws after Fiserv confirms the Security Incident) notify the Client Relationship Manager, Client’s Information Security Officer and Client’s Chief Information Officer of such Security Incident and furnish applicable known details. To the extent the Security Incident is within Fiserv’s areas of responsibility, Fiserv shall investigate and mitigate the adverse effects of such Security Incident and shall provide regular updates appropriate to the nature of the Security Incident to Client. In addition, to the extent the Security Incident is within Fiserv’s areas of responsibility, Fiserv shall promptly (and in any event as soon as reasonably practicable) (A) perform a root cause analysis, (B) prepare a corrective action plan, (C) provide in writing to Client applicable information, including how and when such Security Incident occurred and what actions Fiserv is taking or has taken to remedy such Security Incident, and (D) to the extent the Security Incident is within Fiserv’s areas of control, remediate such Security Incident and take commercially reasonable actions to prevent its recurrence. In each case, Fiserv shall perform the activities described in the two preceding sentences at no additional charge to Client to the extent such Security Incident is attributable to the failure of Fiserv or Fiserv Personnel to comply with Fiserv’s obligations under this Agreement. To the extent the Security Incident is not attributable to such a failure on the part of Fiserv or Fiserv Personnel, Fiserv and Client shall confer in good faith and agree on the terms and fees (if any) associated with doing so (provided that Fiserv uses commercially reasonable efforts to minimize such fees. (e) Additional Notice of Security Incident. (i) Absent Client’s express, written and advance agreement, Fiserv shall not independently notify any customer, client, vendor, employee or agent of Client or a Client Affiliate (except the Client Chief Information Officer, Client Information Security Officer, and Client Relationship Manager), regarding the involvement of Client’s data in any Security Incident, provided that Fiserv may inform other impacted clients of the involvement of their data in such a Security Incident, and may inform regulators if required by law or regulation. (ii) In the event of a confirmed Security Incident involving Cardholder Data, as required by an applicable industry security organization (e.g. PCI-SSC) or the applicable regulatory agency having jurisdiction over Client, Client acknowledges and agrees that Fiserv may disclose information regarding any such Security Incident to such organization and such agency. In the event of a breach or intrusion of or otherwise unauthorized access to Cardholder Data stored by or for Fiserv, Fiserv shall promptly notify Client, in writing, and provide PCI-SSC or its designee access to Fiserv’s facilities and all pertinent records to conduct a review of Fiserv’s compliance with these requirements. (iii) Fiserv shall maintain appropriate business continuity and disaster recovery procedures, as described in Section 6 (Business Continuity / Disaster Recovery) of the ASP Services Exhibit with respect to the Services and the Client Data, including Cardholder Data. (f) [***] (g) Data Encryption. (i) Fiserv. Fiserv shall encrypt Client Data in transit using Fiserv’s then-current data encryption policies and controls.

 

(ii) Client. As applicable to the Deliverables received by Client, Client agrees to comply with Fiserv’s then-current data encryption policies and controls regarding transmission to and from Fiserv of tapes, images, and records maintained and produced by Fiserv for Client in connection with the Deliverables (“Client Files”), or other data transmitted to and from Fiserv in connection with the Deliverables (collectively with Client Files, “Data”). If Client requests or requires Fiserv to send, transmit, or otherwise deliver Data to Client or any third party in a non-compliant format or manner, or Client (or third party on Client’s behalf) sends, transmits or otherwise delivers Data to Fiserv in a non-compliant format or manner (and such non-compliant transmission or delivery by Client is not caused by Fiserv’s breach of its information security or other obligations under this Agreement), then, notwithstanding any other provision of this Agreement: (i) Client understands and accepts all risk of transmitting Data in an unencrypted or otherwise noncompliant format; and (ii) Client releases, discharges, and shall indemnify and hold harmless Fiserv and its employees, officers, directors, agents, and Affiliates from any and all liability, damage, or other loss under this Agreement or otherwise suffered by or through Client or any of the indemnified entities arising out of the transmission, destruction, or loss of such Data, including any information security or privacy breach related to such Data. Reserved. Warranties / Indemnifications. (a) Warranties By Fiserv. Fiserv warrants that: (i) no contractual obligations exist that would prevent Fiserv from entering into this Agreement; (ii) it has the requisite authority to execute, deliver, and perform its obligations under this Agreement; and (iii) it will comply in all material respects with all laws and regulatory requirements applicable to Fiserv as a technology solutions provider and/or to the provision of the Deliverables or the performance of Fiserv’s obligations under this Agreement; and (iv) Fiserv has not given and will not give commissions, payments, kickbacks, lavish or extensive entertainment or gifts, or other inducements of more than minimal value to any employee or agent of Client in connection with this Agreement, and that no Fiserv Affiliate or any officer, director, employee, agent or representative of Fiserv has given such payments, gifts, entertainment or other item of value to any employee or agent of Client. (b) Warranties By Client. Client warrants that: (i) no contractual obligations exist that would prevent Client from entering into this Agreement; (ii) it has the requisite authority to execute, deliver, and perform its obligations under this Agreement; (iii) it will comply in all material respects with all laws and regulatory requirements applicable to Client’s receipt and use of Deliverables under this Agreement (iv) it will comply with all laws and regulations applicable to Client as a financial institution, as relevant to the Deliverables; and (v) that the materials provided to Fiserv will be free from any Disabling Code at the time of delivery. (c) THE WARRANTIES STATED ABOVE AND IN THE EXHIBITS, IF ANY, ARE LIMITED WARRANTIES AND ARE THE ONLY WARRANTIES MADE BY THE PARTIES. EXCEPT AS PROVIDED IN THE AGREEMENT OR APPLICABLE EXHIBITS OR SCHEDULES, FISERV DOES NOT REPRESENT THAT THE DELIVERABLES MEET CLIENT’S REQUIREMENTS OR THAT THE OPERATION OF THE DELIVERABLES WILL BE UNINTERRUPTED OR ERROR-FREE. CLIENT ACKNOWLEDGES THAT IT HAS INDEPENDENTLY EVALUATED THE DELIVERABLES AND THEIR APPLICATION TO CLIENT’S NEEDS. FISERV DISCLAIMS, AND CLIENT HEREBY EXPRESSLY WAIVES, ALL OTHER REPRESENTATIONS, CONDITIONS, AND WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY ARISING FROM A COURSE OF DEALING OR USAGE OR TRADE. CLIENT MAY NOT MAKE ANY WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, ON BEHALF OF FISERV, ITS AFFILIATES OR THEIR RESPECTIVE THIRD PARTY PROVIDERS OR LICENSORS TO ANY USER OR ANY OTHER PARTY IN CONNECTION WITH THE DELIVERABLES WITHOUT FISERV’S EXPRESS PRIOR WRITTEN CONSENT. (d) Client IP Indemnification. (i) Client shall, at its expense, defend, indemnify, and hold harmless Fiserv and its directors, officers, and employees from and against any claims, suits, or other proceedings (including reasonable attorneys’ fees and payment of any final settlement or judgment) brought by third parties arising from infringement of such third party’s intellectual property rights to the extent

 

that they are based on Client’s Marks, Client Content (each as defined in Section 13(l) (Marks and Content) of this Master Agreement), or data supplied to Fiserv by Client, or arising from any claim that any Derivative Works of the Signature Software and Source Code created by Authorized Programmers in accordance with Section 2(f) of the Accounting Processing Software Schedule (or the use of such Derivative Works by Client) infringes or allegedly infringes on any Third Party’s intellectual property rights (collectively, “Client IP Indemnity Assets”) (“Client Infringement Claim”) and shall pay all amounts payable by Client under any judgment, verdict, or court order entered by a court of competent jurisdiction or settlement agreed upon by Client in any Client Infringement Claim, provided that Fiserv complies with the Indemnification Procedures below. If Client IP Indemnity Assets are required for Fiserv’s provision of the Deliverable(s), in the event that any Client IP Indemnity Assets are alleged or found to be misappropriated from, or to infringe on the intellectual property rights of, a third party, or if their use by Fiserv is enjoined, then in addition to the foregoing indemnification obligation, and at Client’s option and Client’s sole expense, Client shall: (i) secure a license to enable such Client IP Indemnity Assets to be utilized in a manner consistent with the terms of this Agreement, (ii) replace the same with other suitable, non-infringing intellectual property assets, as reasonably determined by Client, (iii) modify the Client IP Indemnity Assets so that they no longer infringe or misappropriate the rights of such third party, while still meeting the requirements of this Agreement, or (iv) subject to Section 8(d) (Client Defaults; Early Termination) of this Master Agreement, authorize Fiserv to cease using such Client IP Assets and cease providing any Service to the extent it is incapable of performing such Service without such Client IP Indemnity Assets. (ii) Notwithstanding the foregoing, Client shall have no liability for nor obligation to indemnify Fiserv for any Client Infringement Claim pursuant to this Section 6(d) (Client IP Indemnification) to the extent such Client Infringement Claim arises from: (A) use of any part of the Client IP Indemnity Assets in combination with third party materials or third party software not provided or approved by Client in writing; (B) modifications made by Fiserv or any Fiserv third party, but solely to the extent such modifications were not approved by Client in writing; (C) use of other than the current release of Client IP Indemnity Assets if infringement would have been avoided by use of such current release and Client notified Fiserv of the potential infringement; (D) use of the Client IP Indemnity Assets other than in accordance with this Agreement; (E) use of any part of the Client IP Indemnity Assets for any purpose not related to the provision to or receipt by Client of Deliverables under this Agreement; (F) adherence to detailed written specifications or instructions provided by Fiserv that Client is required to comply with (provided Client notifies Fiserv of the possibility of infringement or misappropriation if and to the extent the Client Personnel adhering to such specifications or instructions possess actual knowledge of such possibility); or (G) [***] (iii) The obligations of Client as set forth in this Section 6(d) (Client IP Indemnification) shall be Client’s entire liability and Fiserv’s sole and exclusive remedy for Client’s infringement or misappropriation of the intellectual property rights of a third party and Fiserv hereby expressly waives any other liability on the part of Client arising therefrom. (e) Client Indemnity. Client shall, at its expense, defend, indemnify and hold harmless Fiserv, its Affiliates, and their officers, directors, and employees against any claims, actions, damages, and/or liabilities arising out of: (i) access to or use of the Fiserv System by Client or its customers in a manner other than as expressly permitted in the Agreement; and (ii) access to or use of the Fiserv System by any third party(ies) acting by, through, or on behalf of Client. The preceding sentence shall not preclude Client’s recovery of damages from Fiserv pursuant to the terms and subject to the limitations of the Agreement. (f) Fiserv IP Indemnification.

 

(i) Fiserv shall, at its expense, defend[***] Client and its Affiliates and, the officers, directors, officials, employees of each of the foregoing from and against any third party claim or actions based on any allegations that the Deliverables (excluding any Third Party Software (as defined in the Software Products Exhibit and identified as “Third Party Software” in the specific Schedule thereto) but including any components provided by Third Party providers of Fiserv that Fiserv embeds in Deliverables, including Open Source Components) or any other intellectual property delivered or licensed or to which rights are otherwise acquired hereunder (collectively, the “IP Assets”), or any part or parts thereof, infringe or misappropriate the proprietary rights of such third party (“Infringement Claim”), and shall pay all amounts payable by Client under any judgment, verdict, or court order entered by a court of competent jurisdiction or settlement agreed upon by Fiserv in any Infringement Claim, provided that Client complies with the Indemnification Procedures below. In the event that any IP Assets are alleged or found to be misappropriated from, or to infringe on the intellectual property rights of, a third party, or if their use by Client is enjoined, then in addition to the foregoing indemnification obligation, and at Fiserv’s option and Fiserv’s sole expense, Fiserv shall: (i) secure a license to enable such IP Assets to be utilized in a manner consistent with the terms of this Agreement, (ii) replace the same with other intellectual property assets with equally suitable, functionally equivalent, compatible, non-infringing assets or services, as reasonably determined by Fiserv, or (iii) modify the IP Assets so that they no longer infringe or misappropriate the rights of such third party, while still meeting the requirements of this Agreement. Fiserv shall not settle any claim for which it has assumed the defense pursuant to this Section 6(e) in any manner that requires Client to admit any fault or liability without the prior written consent of Client, which consent shall not be unreasonably withheld, conditioned or delayed. (ii) Notwithstanding the foregoing, Fiserv shall have no liability for nor obligation to indemnify Client for any Infringement Claim pursuant to this Section 6(e) to the extent such Infringement Claim arises from: (A) use of any part of the IP Assets in combination with materials or software not provided or approved by Fiserv in writing; (B) modifications made by Client or any third party, but solely to the extent such modifications were not approved in writing by Fiserv; (C) use of other than the current release of Software if infringement would have been avoided by use of such current release and Fiserv notified Client of the potential infringement; (D) use of the Software other than in accordance with the Software Documentation or this Agreement, including Software use in violation of Section 4 of the Software Products Exhibit; or (E) adherence to detailed written specifications or instructions provided by Client that Fiserv is required to comply with (provided Fiserv notifies Client of the possibility of infringement or misappropriation if and to the extent the Fiserv Personnel adhering to such specifications or instructions possess actual knowledge themselves of such possibility). (iii) The obligations of Fiserv as set forth in this Section 6(e) shall be Fiserv’s entire liability and Client’s sole and exclusive remedy for Fiserv’s infringement or misappropriation of the intellectual property rights of a third party. For clarity, this shall not be deemed a force majeure event and shall not operate or be construed as relieving Fiserv of its performance obligations under this Agreement, including its obligation to provide the Deliverables in accordance with the applicable Exhibits and Schedules. (g) Indemnification Procedures. If any third party makes a claim covered by Section 6(d) (Client IP Indemnification) or Section 6(f) (Fiserv IP Indemnification) of this Master Agreement and with respect to indemnification provisions elsewhere in this Agreement which reference this procedure, against an indemnitee with respect to which such indemnitee intends to seek indemnification under this Section 6 (Warranties/Indemnifications), such indemnitee shall give prompt notice of such claim to the indemnifying party, including a brief description of the amount and basis therefore, if known. Upon giving such notice, the indemnifying party shall be obligated to defend such indemnitee against such claim and shall be entitled to

 

assume control of the defense of the claim with counsel chosen by the indemnifying party. The indemnitee shall cooperate fully with and assist the indemnifying party in its defense against such claim in all reasonable aspects. The indemnifying party shall keep the indemnitee fully apprised at all times as to the status of the defense. Notwithstanding the foregoing, the indemnitee shall have the right to employ its own separate counsel in any such action, but the fees and expenses of such counsel shall be at the expense of the indemnitee. Neither the indemnifying party nor any indemnitee shall be liable for any non-monetary settlement of action or claim effected without its consent. The indemnifying party shall pay all costs of indemnity arising out of or relating to that defense and any such settlement, compromise, or payment. The indemnitee shall keep the indemnifying party fully apprise at all times as to the status of the defense. Limitation of Liability. [***] IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR LOSS OF GOODWILL, PROFIT, REPUTATION, OR BUSINESS, OR FOR SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR TORT DAMAGES, ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH CLAIM ARISES IN TORT, CONTRACT, OR OTHERWISE. EXCEPT FOR CLAIMS RELATED TO THE MISUSE OR MISAPPROPRIATION OF INTELLECTUAL PROPERTY RIGHTS (INCLUDING ANY BREACH OF LICENSE RESTRICTIONS SET FORTH IN THIS AGREEMENT), OR THE OBLIGATIONS TO PAY AMOUNTS DUE OR OWING UNDER THIS AGREEMENT, NEITHER PARTY MAY ASSERT ANY CLAIM AGAINST THE OTHER PARTY RELATED TO THIS AGREEMENT MORE THAN 2 YEARS AFTER SUCH CLAIM ACCRUED. [***] THE AGGREGATE LIABILITY OF A PARTY TO THE OTHER PARTY (INCLUDING IN THE CASE OF HEARTLAND ALL CLIENT AFFILIATES) AND ANY THIRD PARTY FOR ANY AND ALL CLAIMS AND OBLIGATIONS RELATING TO THIS AGREEMENT SHALL BE LIMITED TO [***] THE AMOUNT OF ANY AVAILABLE CAP SHALL BE REDUCED BY AMOUNTS PREVIOUSLY PAID AND APPLIED TO ANY OTHER CAP, SO THAT IN NO EVENT SHALL FISERV’S AGGREGATE LIABILITY TO CLIENT FOR ANY AND ALL CLAIMS OR OBLIGATIONS RELATING TO THIS AGREEMENT EXCEED THE INCREASED CAP. For purposes of this Section 7 (Limitation of Liability), fines or penalties imposed on a party by a regulator or any governmental agency having valid jurisdiction over such party to the extent arising from (i) in the case of fines or penalties imposed on Client, Fiserv’s failure to comply with laws or regulatory requirements applicable to Fiserv as a technology solutions provider and/or to the provision of the Deliverables or the performance of Fiserv’s obligations under this Agreement or (ii) in the case of fines or penalties imposed on Fiserv, Client’s failure to comply with laws or regulations applicable to its or any Client Affiliate’s receipt or use of the Deliverables under this Agreement will be deemed direct damages and recoverable under this Section 7 (Limitation of Liability). Term and Termination. Term. This Agreement shall be effective on the Effective Date and shall remain in effect until the term of all outstanding Exhibits (including any holdover period) has expired or such Exhibits have terminated, unless otherwise terminated as provided herein. The term for Deliverables may be set forth in the applicable Exhibit. An Exhibit that does not state a term will be effective from its last date of execution until terminated in accordance with this Agreement or the Exhibit. Termination. In addition to termination rights set forth in any Exhibit: (i) Material Breach. Either party may, upon written notice to the other, terminate any Schedule if the other party materially breaches its obligations under that Exhibit or Schedule or under this Agreement with respect to that Exhibit or Schedule and the breaching party fails to cure such material breach within [***] following its receipt of written notice stating, with particularity and in reasonable detail, the nature of the claimed breach [***]. (ii) [***] (iii) [***]

 

(iv) Unpaid Invoice. With the exception of amounts disputed in good faith pursuant to Section 2(f) (Payment Terms) of this Master Agreement, if any invoice remains unpaid by Client 30 days after due and Client fails to cure such payment failure within 30 days following its receipt of written notice from Fiserv, Fiserv may terminate: (A) the Exhibit Schedule and/or Client’s access to and use of the Deliverables to which the payment failure relates; or (B) this Agreement, including all Exhibits and Schedules if the unpaid amounts constitute a material portion of annual charges due under this Agreement. (v) Fiserv Bankruptcy. Client may terminate this Agreement (i) upon 60 days written notice to Fiserv in the event Fiserv commits an act of bankruptcy or becomes the subject of any proceeding under the Bankruptcy Code and such action or proceeding is not dismissed by the end of such 60-day period, or (ii) upon written notice in the event Fiserv becomes insolvent or if any substantial part of Fiserv's property becomes subject to any levy, seizure, assignment, application, or sale for or by any creditor or governmental agency. Termination for Convenience; Early Termination. If Client desires to terminate the ASP Services Exhibit or Software Products Exhibit or a Schedule executed under such Exhibits early or otherwise reduces (other than as a result of account attrition or volume fluctuation in the ordinary course of business) or terminates Services under any such Exhibit or Schedule for any reason other than pursuant to Section 8(b) (Termination) of this Master Agreement, then Client shall provide at least [***] advance written notice to Fiserv and shall pay a termination fee based on the remaining unused term of the Services. [***] Client Defaults; Early Termination. If (i) a Schedule is subject to termination by Fiserv for cause for material breach or failure to pay amounts due and owing, each as set forth in Section 8(b) (Termination) of this Master Agreement; or (ii) Client deconverts any data or information from the Fiserv System (other than in the ordinary course of Client’s business or the business of Client’s Affiliates which would include deconversion of data or information for any branch location or Client Affiliate bank sold by Heartland so long as such sale is not of all Client Affiliates), or in violation of this Agreement (“Unauthorized Deconversion”); or (iii) becomes insolvent or if any substantial part of Client’s property becomes subject to any levy, seizure, assignment, application, or sale for or by any creditor or governmental agency; then, in any such event, Fiserv may, upon written notice, terminate (x) the Schedule(s) in whole or in part impacted by such material breach or failure to pay, or (y) the Schedule(s) impacted by such Unauthorized Deconversion, and, if it exercises such right, Fiserv shall be entitled to recover from Client as liquidated damages for such early termination an amount equal to [***] Liquidated Damages. The parties agree that Fiserv damages incurred as a result of early termination of any Services would be difficult or impossible to calculate as of the Effective Date. Accordingly, the amounts set forth in Sections 8(c) (Termination for Convenience; Early Termination) and (d) (Client Defaults; Early Termination) of this Master Agreement represent a reasonable pre-estimate of damages and are not a penalty. Remedies. Remedies contained in this Section 8 (Term and Termination) are cumulative and are in addition to the other rights and remedies available to the parties under this Agreement, by law or otherwise. Return of Client Files. Upon expiration or termination of this Agreement or any Exhibit or Schedule to this Agreement, Fiserv shall furnish to Client such copies of Client Files as Client may request in Fiserv’s standard formats, or such other format reasonably available and specifically agreed to between the parties, and shall provide such information and assistance as is reasonable and customary to enable Client to deconvert from the Fiserv System; provided, however, that Fiserv’s obligation to provide copies of such Client Files is conditioned on Client’s agreement to return or destroy all Fiserv Information in accordance with Section 3(b) (Obligations) of this Master Agreement and to make the following payments in accordance with the next sentence: (i) all amounts due and owing as of the requested return date for all Services provided through the date such Client Files are returned to Client; (ii) Fiserv’s then standard rates for the services necessary to return such Client Files; and (iii) the termination fee, if any, due as of the requested return date pursuant to Section 8(c) (Termination for Convenience; Early Termination) or 8(d) (Client Defaults; Early Termination) of this Master Agreement. [***] Termination of Software. Subject to the other provisions of this Section 8 (Term and Termination) and Section 1(p) (Termination Assistance Services) above, the termination of the Agreement or the Software

 

Products Exhibit or any individual Schedule thereto shall automatically, and without further action by Fiserv, terminate and extinguish the license(s) granted under the applicable Schedule(s) and Fiserv’s obligation to provide Maintenance Services with respect to such Software. Unless Client destroys all copies of the Software and provides written certification to Fiserv of said destruction within 10 days after receipt of written notice from Fiserv following termination of the applicable Schedule and completion of any requested Termination Assistance Service, Fiserv shall have the right to take immediate possession of the Software and all copies thereof wherever located without further notice or demand. [***] Assumptions. Fees set forth in the Exhibits are based on completion of the initial term of all Deliverables. If Deliverables are reduced or terminated for any reason other than by Client under Section 8(b)(i) (Material Breach) above, or if Client renegotiates pricing before expiration of the initial term, Client shall reimburse Fiserv for all credits, rebates, discounts and incentives granted with respect to all Deliverables. Any such credits, rebates, discounts and incentives will no longer be granted through the remainder of the term for any continuing Deliverables. [***]. Dispute Resolution. Before initiating legal action against the other party relating to a dispute herein, the parties agree to work in good faith to resolve disputes and claims arising out of this Agreement. To this end, either party may request that each party designate an officer or other management employee with authority to bind such party to meet to resolve the dispute or claim. If the dispute is not resolved within 30 days of the commencement of informal efforts under this paragraph, either party may request that Client’s CFO or COO meet with the Fiserv Group President (or, in each case, a management employee of comparable level with authority to bind such party) to meet to resolve the dispute or claim. If the dispute is not resolved within 30 days of the commencement of the second escalation, either party may pursue formal legal action. This paragraph will not apply if expiration of the applicable time for bringing an action is imminent and will not prohibit a party from pursuing injunctive or other equitable relief to which it may be entitled. Audit. Fiserv Operations and Security. Client acknowledges and agrees that Fiserv is subject to certain examinations by the Federal Financial Institutions Examination Council (“FFIEC”) regulators and agencies. Client acknowledges and agrees that reports of such examination of Fiserv business units are available to Client directly from the relevant FFIEC agencies. Fiserv employs an internal auditor responsible for reviewing the integrity of its processing environments and internal controls. [***] Independent Audit. Fiserv provides for periodic independent audits, which shall include the performance of an annual SSAE 18 SOC1 Type II or SOC2 Type II audit (or similar equivalent audit) by an independent public accounting firm with respect to Fiserv’s provision of the Services pursuant to the ASP Services Exhibit from Fiserv Facilities, including Fiserv Facilities from which Fiserv System maintenance, Fiserv System support and customer support are provided (“Independent Audit”). Unless otherwise agreed by the Parties, such audit shall be conducted so as to result in an audit opinion for a 12 month period, and upon Client’s request, Fiserv shall provide a bridge letter covering the period between the report end date and the Client requested date. Upon Client’s request, Fiserv shall provide Client with a copy of such independent audit report and may charge Client a fee for such report [***] Regulatory Examination. The Parties acknowledge and agree that the records, systems and personnel used by Fiserv to provide Deliverables to Client and its Affiliates are subject to examination by federal, state, and/or other governmental regulatory agencies having jurisdiction over their businesses (including the Federal Reserve, Federal Deposit Insurance Corporation, and state regulatory authorities, as applicable) to the same extent as such records, systems and personnel would be subject to such examination if maintained by Client or its Affiliates on their own premises. Client agrees that Fiserv may provide Client Information and/or reports or summaries of Client Information when formally requested to do so by a regulatory or government agency, provided that if permitted by such requesting agency, Fiserv shall provide to Client written notice of such request prior to responding. Fiserv reserves the right to charge Client at Fiserv’s then-current rates for any assistance provided in response to regulatory requests, government agency requests, and legal process

 

requests such as subpoena or search warrant, in each case to the extent related to Client or its Affiliates and/or Client Information, whether issued during or after the term of this Agreement provided that Fiserv uses commercially reasonable efforts to minimize such fees. Billing Records. Upon Client’s reasonable request in writing no more frequently than once [***], Fiserv shall provide Client with documentation supporting the amounts invoiced by Fiserv hereunder. Client shall specify the period for which such documentation is requested, provided such period may not extend back more than 12 months from the date of such request. If such documentation reveals the amounts paid to Fiserv in the prior 12 months exceed the amounts to which Fiserv is entitled and such amounts are independently verified, Fiserv shall promptly remit or otherwise credit to Client the amount of such overpayment. Conversely, if such documentation reveals the amounts paid to Fiserv are less than the amounts owed in the prior 12 months, Client shall promptly remit the amount of such underpayment to Fiserv for such period. Fiserv reserves the right to charge Client for any assistance required in connection with an audit at Fiserv’s then- current rates provided that Fiserv notifies Client in advance of any such fees, obtains Client's approval prior to incurring such fees and uses commercially reasonable efforts to minimize such fees. [***]. [***]. Hiring and Employment. Background Checks. Neither party shall knowingly permit any of its employees to have access to the premises, records or data of the other party when such employee: (i) uses drugs illegally; or (ii) has been convicted of a crime in connection with a dishonest act or a breach of trust, as set forth in Section 19 of the Federal Deposit Insurance Act, 12 U.S.C. 1829(a) (a “Conviction”). Consistent with Fiserv’s employment practices, newly hired Fiserv employees are required to pass both a pre-employment criminal background check and are required to pass a pre-employment drug screening, as permitted by law, and Fiserv periodically confirms that employees have not acquired any Convictions subsequent to hiring. Upon Client’s reasonable request and at Client’s expense, Fiserv may perform more frequent confirmation checks or utilize additional reasonable background checking criteria for those of Fiserv’s employees who will have access to Client facilities or Client’s networks and computer systems located at Client facilities. The results of all such background checks shall be retained solely by Fiserv or the third party performing such screening on behalf of Fiserv. Equal Employment. Fiserv agrees that it shall not discriminate against any employee or applicant for employment because of race, color, national origin, indigenous status, religion, marital status, sex, sexual orientation, age, physical or mental disability, veteran status or other characteristics protected by law, and that it shall comply with all applicable requirements of the Equal Opportunity Clause set forth in Executive Order 11246, as amended, and its implementing instructions, the Rehabilitation Act of 1973, the Vietnam Era Veterans’ Readjustment Assistance Act of 1974, as well as the equal opportunities and affirmative action requirements set forth in 41 C.F.R. Part 60-1.4(a) (women and minorities), 41 C.F.R. Part 60-300.5(a) (covered veterans) and 41 C.F.R. Part 60-741.5(a) (individuals with disabilities). Client Relationship. Client shall designate one individual to whom all Fiserv communications concerning this Agreement may be addressed (the “Client Relationship Manager”), who shall have the authority to act on behalf of Client in all day-to-day matters pertaining to this Agreement. Client may change the designated Client Relationship Manager from time to time by providing notice to Fiserv. Additionally, Client will designate additional representatives who will be authorized to make certain decisions (e.g., regarding emergency maintenance) if the Client Relationship Manager is not available. Requested Replacement. If Client determines in good faith that the continued assignment to Client at Client’s facilities of any individual Fiserv Personnel is not in the best interests of Client, then Client shall give Fiserv notice to that effect requesting that such Fiserv Personnel be replaced, including with reasonable particularity the reasons for such request. Promptly after Fiserv’s receipt of such a request by Client, Fiserv shall investigate the matters stated in the request and discuss its findings with Client. If requested to do so by Client, Fiserv shall immediately remove the individual in question from all Client facilities pending completion of Fiserv’s investigation and discussions with Client. If, following discussions with Fiserv, Client still reasonably

 

and in good faith requests replacement of such Fiserv Personnel, Fiserv shall promptly replace such individual with one of suitable ability and qualifications. In such event, Client shall not be obligated to pay any fees relating to any training or other knowledge transfer activities or overlaps in periods of employment. Nothing in this provision shall operate or be construed to limit Fiserv’s responsibility for the acts or omissions of the Fiserv Personnel, or be construed as joint employment. Insurance. Fiserv shall secure and maintain throughout the term of this Agreement at its sole cost and expense the following insurance coverage with insurance carriers rated “A-VIII” or higher by A. M. Best Corporation: (i) Commercial General Liability Insurance covering bodily injury, property damage, and including contractual liability coverage, with a combined single limit of [***]. per occurrence and [***]. general aggregate. (ii) Workers Compensation insurance providing coverage pursuant to statutory requirements; and Employer's Liability Insurance with limits of [***]. each accident, [***]. policy limit, and [***]. each employee. (iii) Commercial Automobile Liability Insurance with combined bodily Injury and property damage limits of [***].. (iv) Commercial Umbrella Liability Insurance with per occurrence and aggregate limits of [***]., with the liability insurance required under Sections 12(i), (ii), and (iii) above scheduled as underlying. (v) Commercial Crime Insurance, including Employee Dishonesty and Computer Fraud for the theft of property with limits of [***]. per loss. The crime insurance should include coverage for third parties, which shall cover loss of or damage to money, securities, and other property sustained by Client, or for which Client holds for others, committed by an identified Fiserv employee, acting alone or in collusion with other persons. (vi) Professional Liability and/or Technology Errors and Omissions Liability covering acts, errors and omissions arising out of Fiserv’s performance or failure to perform its services under this Agreement, including network security and privacy liability coverage, with limits of [***]. per occurrence and in the aggregate. (vii) All-risk property insurance covering Fiserv’s real and personal property at replacement cost value. Upon Client’s written request, Fiserv will endeavor to furnish to Client standard ACORD certificates of insurance issued by authorized representative(s) of the insurance carrier(s) as evidence of each foregoing coverage. Fiserv shall notify Client in the event that any policy for the insurance required above is cancelled or otherwise terminates, unless that policy is promptly replaced by another policy in accordance with the foregoing requirements, but in no event greater than 30 days. General. Binding Agreement. This Agreement is binding upon the parties, their participating Affiliates, and their respective successors and permitted assigns. Assignment. Neither this Agreement nor any part thereof or interest therein may be sold, assigned, transferred, pledged, or otherwise disposed of [***]. Entire Agreement; Amendments. This Agreement, including its Exhibits and Schedules, which are expressly incorporated herein by reference, constitutes the complete and exclusive statement of the agreement between the parties as to the subject matter hereof and supersedes all previous agreements with respect thereto and the terms of all existing or future purchase orders and acknowledgments. Each party hereby acknowledges that it has not been induced to enter into this Agreement by virtue of, and is not relying on, any representation made by the other party not embodied herein, any term sheets or other correspondence preceding the execution of this Agreement, or any prior course of dealing between the parties, including any statements concerning product or service usage or the financial condition of the parties. Section headings are

 

included for reference only and should not be used to interpret this Agreement or to define, expand, or limit its terms. The protections of this Agreement shall apply to actions of the parties performed in preparation for and anticipation of the execution of this Agreement. Modifications of this Agreement must be in writing and signed by duly authorized representatives of the parties. If the terms of any Exhibit or Schedule conflict with the terms of this Agreement, this Agreement shall control unless the applicable Exhibit or Schedule expressly states that its terms control. If the terms of any Schedule conflict with the terms of the Exhibit to which such Schedule is attached, the terms of the Schedule shall control. Severability. If any provision of this Agreement is held to be unenforceable or invalid, the other provisions shall continue in full force and effect. Governing Law; Jury Trial Waiver. This Agreement will be governed by the substantive laws of the State of New York, without reference to provisions relating to conflict of laws. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement. Both parties agree to waive any right to have a jury participate in the resolution of any dispute or claim between the parties or any of their respective Affiliates arising under this Agreement. Force Majeure. With the exception of Client’s payment obligation, neither party shall be responsible for delays or failures in performance resulting from acts of God, acts of civil or military authority, fire, flood, strikes, war, epidemics, pandemics, shortage of power, telecommunications or Internet service interruptions or other acts or causes reasonably beyond the control of that party (each such event a “Force Majeure Event”). [***]. The party experiencing the Force Majeure Event agrees to give the other party notice promptly following the occurrence of a force majeure event, and to use diligent efforts to re-commence performance as promptly as commercially practicable, including, in relation to Fiserv’s performance of the Services pursuant to the ASP Services Exhibit, using commercially reasonable efforts to perform in accordance with Section 6 (Business Continuity / Disaster Recovery) of the ASP Services Exhibit, and, where applicable, to adhere to Fiserv published recovery time objectives (“RTO”s) and recovery point objectives (“RPO”s) for the impacted Service. [***]. Notices. Any written notice required or permitted to be given hereunder shall be given by: (i) Registered or Certified Mail, Return Receipt Requested, postage prepaid; (ii) confirmed facsimile; or (iii) nationally recognized overnight courier service to the other party (and, in the case of Fiserv, to the Fiserv General Counsel) at the addresses listed on page 1 or to such other address or person as a party may designate in writing. All such notices shall be effective upon receipt. No Waiver. The failure of either party to insist on strict performance of any of the provisions hereunder shall not be construed as the waiver of any subsequent default of a similar nature. Prevailing Party. The prevailing party in any arbitration, suit, or action brought by one party against the other party to enforce the terms of this Agreement or any rights or obligations hereunder, shall be entitled to receive, in addition to such other relief as the arbitrators or court may award, its reasonable costs and expenses, including all attorneys’ fees, expert witness fees, litigation-related expenses and arbitrator and court or other costs incurred in such proceeding or otherwise in connection with bringing such arbitration, suit, or action. For purposes of this Agreement, a party is “prevailing” if that party prevails on the central issue raised in the action or claim, regardless of the amount of damages awarded or otherwise owed, if any. A party may prevail by judgment or decision in that party’s favor, consent decree, settlement agreement or voluntary dismissal with or without prejudice. Survival. All rights and obligations of the parties under this Agreement that, by their nature, do not terminate with the expiration or termination of this Agreement shall survive the expiration or termination of this Agreement. Publicity. Client and Fiserv shall have the right to make general references about each other and the type of Deliverables being provided hereunder to third parties, such as auditors, regulators, financial analysts, and prospective customers and clients, provided that in so doing Client or Fiserv does not breach Section 3 (Confidentiality and Ownership) of this Agreement. Fiserv may issue a press release regarding this Agreement, including its renewal and the addition of Deliverables, subject to Client’s review and approval, which shall not be unreasonably withheld or unduly delayed.

 

Marks and Content. Neither party shall use the name, trademark, service mark, logo or other identifying marks (collectively, “Marks”) of the other party or any of its Affiliates in any sales, marketing, or publicity activities, materials, or website display unless such party includes such Marks in a Deliverable or such party consents in advance in writing. Any such authorized or approved use shall at all times comply with such party’s Trademark Usage Guidelines (or such other requirements and/or guidelines) provided by such party or set forth on its corporate website and other reasonable requirements issued or otherwise made available by such party. Notwithstanding the foregoing, Fiserv will have the right to use Client’s Marks and third party links, information, specifications, materials, designs, copy or other such works or content provided by Client as and to the extent required in providing the Deliverables (“Client Content”), so long as Fiserv’s use complies with any reasonable usage guidelines provided in writing by Client. Client will provide such Client Content in accordance with Fiserv’s reasonable guidelines for the Deliverable and will obtain all necessary third party permissions and licenses required for Fiserv’s use of such content. If Fiserv must convert any Client Content into such format (if Fiserv is able to and does so at its own discretion), Client will pay for such conversion at Fiserv’s Professional Services Rates. Each party shall defend the other party and its Affiliates from any third party claim or action alleging that the other party’s approved use of the indemnifying party’s Marks or Client- provided content infringes a trademark, copyright, or other proprietary right of such third party as and to the extent provided in Sections 6(d) (Client IP Indemnification) and 6(f) (Fiserv IP Indemnification) of this Master Agreement. Independent Contractors. Client and Fiserv expressly agree they are acting as independent contractors and under no circumstances shall any of the employees of one party be deemed the employees of the other for any purpose. Fiserv (or its subcontractors for personnel that are hired by such subcontractor) shall be solely responsible for the payment of compensation (including provision for employment taxes, federal, state and local income taxes, workers compensation and any similar taxes) associated with the employment of, or contracting with, Fiserv Personnel. Fiserv (or its subcontractors for personnel that are hired by such subcontractors) shall also be solely responsible for obtaining and maintaining all requisite work permits, visas and any other documentation for Fiserv Personnel. Except as expressly authorized herein or in the Exhibits, this Agreement shall not be construed as authority for either party to act for the other party in any agency or other capacity, or to make commitments of any kind for the account of or on behalf of the other. Fiserv, and not Client, shall be responsible and liable for the acts and omissions of Fiserv Personnel, including acts and omissions constituting negligence, willful misconduct and/or fraud. Client and not Fiserv shall be responsible and liable for the acts and omissions of Client and Client’s Affiliates, and its and their employees, agents and/or subcontractors, including acts and omissions constituting negligence, willful misconduct and/or fraud. No Third Party Beneficiaries. Except as expressly set forth in any Exhibit hereto, no third party shall be deemed to be an intended or unintended third party beneficiary of this Agreement. [***]. Terms and Definitions. The terms defined in this Agreement include the plural as well as the singular and the derivatives of such terms. Unless otherwise expressly stated, the words “herein,” “hereof,” and “hereunder” and other words of similar import refer to the Agreement as a whole and not to any particular Article, Section, Subsection or other subdivision. Article, Section, Subsection and Attachment references refer to articles, sections and subsections of, and attachments to, the Agreement, unless specified otherwise. The words “include” and “including” shall not be construed as terms of limitation or as an exclusive set of examples. The word “or” shall not be exclusive. The words “day”, “month”, “quarter” and “year” mean, respectively, calendar day, calendar month, calendar quarter and calendar year. The words “notice” and “notification” and their derivatives mean notice or notification in writing. Other terms used in this Agreement are defined in the context in which they are used and have the meanings there indicated. Counterparts; Signatures. This Agreement and any Exhibits hereto may be executed in counterparts, each of which shall be deemed an original and which shall together constitute one instrument. The parties and their Affiliates may execute this Agreement and any Exhibit or amendment hereto in the form of an electronic record utilizing electronic signatures, as such terms are defined in the Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001 et seq.). Electronic signatures, or signatures transmitted by facsimile or electronically via PDF or similar file delivery method, shall each have the same effect as an original signature.

 

IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized representatives as of the Effective Date. For Client: For Fiserv: Heartland Financial USA, Inc. Fiserv Solutions, LLC By: \si1\ By: \si2\ Name: \na1\ Name: \na2\ Title: \Ti1\ Title: Authorized Signatory Date: \ds1\ Date: \ds2\

 

Heartland Financial USA, Inc. Page 1 Legend: [***] CERTAIN INFORMATION IN THIS DOCUMENT HAS BEEN OMITTED FROM THIS EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) INFORMATION THAT THE COMPANY TREATS AS PRIVATE OR CONFIDENTIAL. AMENDMENT 1 TO AGREEMENT AMENDMENT (“Amendment”) dated as of July 1, 2021 (“Amendment Effective Date”) between Fiserv Solutions, LLC, a Wisconsin limited liability company with offices located at 255 Fiserv Drive, Brookfield, WI 53045 (“Fiserv”), and Heartland Financial USA, Inc., with offices located at 700 Locust Street, Dubuque, Iowa 52001 (“Heartland” or “Client”), to the Master Agreement dated July 1, 2021 between Fiserv and Client (as amended through the date hereof, the “Agreement”). WHEREAS, Fiserv and Client entered into the Agreement for Fiserv’s provision of various Deliverables to Client; and WHEREAS, Fiserv and Client wish to amend the Agreement to include additional terms; NOW, THEREFORE, Fiserv and Client hereby agree as follows: 1. Defined Terms. Unless otherwise defined herein, capitalized terms used herein shall have the same meanings assigned them in the Agreement. 2. Clarification to Agreement Effective Date. Notwithstanding anything to the contrary on page 1 of the Agreement, the Effective Date of the Agreement shall mean July 1, 2021. 3. Correction to Appendix A. Appendix A to the Master Agreement listing the Deliverables to be provided to each Client Affiliate is hereby replaced with the following new Appendix A attached to this Amendment. 4. Correction to the Card Services Schedule. Attachment 1 (Fees) to the Card Services Schedule to ASP Services Exhibit is hereby amended by deleting the introductory paragraph and replacing it with the following: [***] 5. Addition of Service Level and Support Response Time Provisions. The parties agree that the following Exhibit and Attachment listed below and attached to this Amendment are hereby added to and incorporated into the Agreement.  Service Level Exhibit to Master Agreement  Support Response Time Attachment to the Master Agreement 6. Correction to Instant Issuance Exhibit. The parties agree that: [***] 7. [***] 8. Amendment. This Amendment is intended to be a modification of the Agreement. Except as expressly modified herein, the Agreement shall remain in full force and effect. In the event of a conflict between the terms of this Amendment and the Agreement, this Amendment shall control. SIGNATURE PAGE FOLLOWS

 

Heartland Financial USA, Inc. Signature Page IN WITNESS WHEREOF, the parties have caused this Amendment to be executed by their duly authorized representatives as of the Amendment Effective Date. For Client: For Fiserv: Heartland Financial USA, Inc. Fiserv Solutions, LLC By: \si1\ By: \si2\ Name: \na1\ Name: \na2\ Title: \Ti1\ Title: Authorized Signatory Date: \ds1\ Date: \ds2\