MASTER SERVICES AGREEMENT
Version Date: July 1, 2025
This MASTER SERVICES AGREEMENT (“Agreement”) is by and between ARK PES, Inc., a Delaware corporation with a principal place of business at 545 Boylston Street, Boston, MA 02116 (“ARK”) and the individual or entity identified on the Order Form (“Client”). When Client subscribes to the Service (defined below), or otherwise acknowledges this Agreement, Client shall be bound by and adhere to this Agreement. ARK and Client shall each be referred to herein as a “Party” and together as “Parties.”
NOW, THEREFORE, in consideration of the mutual covenants and agreements set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:
1. DEFINITIONS.
Capitalized terms used herein and not defined herein shall have the meaning given below.
1.1 “Affiliate” means any entity that controls, is controlled by, or is under common control with a Party, whereby control means the power to direct the management and policies of a Party, whether through ownership of voting securities, by contract or otherwise.
1.2 “ARK Property” means the IP of ARK and its licensors and suppliers, including without limitation, ARK’s proprietary methodologies, project management and other tools, deliverable examples, procedures, processes, techniques, data models, templates, software, general purpose consulting and software tools, utilities, and routines, and any improvements or derivative works of the foregoing, arising prior to or after the Effective Date. ARK Property includes (without limitation) the System, Services and Confidential Information of ARK.
1.3 “Authorized User” means employees, agents and contractors of Client, or its individual investors, that are authorized by Client to use the Subscription Services in accordance with Section 2 and the other terms and conditions of this Agreement.
1.4 “Client Data” means any data transmitted to ARK via the Service by or on behalf of Client or its Authorized Users. Client Data includes any Personal Data relating to Client or its Authorized Users transmitted to ARK via the Subscription Service.
1.5 “Confidential Information” means all trade secrets, business and financial information, software, machine and operator instructions, business methods, procedures, know-how, and other information that relates to the business or technology of either Party and is marked or identified as confidential, or disclosed in circumstances that would lead a reasonable person to believe such information is confidential. Notwithstanding any failure to mark or identify it as such, the Subscription Service and System are the Confidential Information of ARK, and Client Data will be considered Client’s Confidential Information.
1.6 “Data Security Addendum” means the Data Security and Privacy Addendum attached hereto as Exhibit A.
1.7 “Deliverables” means any report, analyses, or other tangible deliverables created by ARK for Client and identified as a “Deliverable” in the Order Form or in a statement of work.
1.8 “Documentation” means the technical manuals, instructions and official technical and user documents and materials regarding the Subscription Service that ARK provides or makes available to Client in any form or medium which describe the functionality, components, features or requirements of the Subscription Services, including any aspect of the installation, configuration, integration, operation, use, support or maintenance thereof, but expressly excluding the company webpage, videos, white papers, or other marketing materials.
1.9 “Effective Date” means the date Client enters into the first Order Form for Services hereunder.
1.10 “Fees” means the fees payable by Client under this Agreement for the Services as set forth on the applicable Order Form, in the amounts and subject to the payment terms set forth herein and in the applicable Order Form.
1.11 “Intellectual Property Rights” or “IP” means any and all known or hereafter existing copyrights, trademarks, service marks, trade secrets, patents, patent applications, know-how, moral rights, contract rights, and other proprietary rights, and all registrations, applications, renewals, extensions, and combinations of the foregoing.
1.12 “Order Form” means the ARK web-based subscription interface used for Client to subscribe to the Service, including any applicable price lists for the Service, as well as any supplemental or alternative ordering documentation which may be entered into between the Parties in relation to the Service.
1.13 “Order Form Effective Date” with respect to each Order Form hereunder, means the start date for any Services or modules to be provided under such Order Form.
1.14 “Order Term” has the meaning set forth in Section 12.1.
1.15 “Personal Data” has the meaning set forth in the Data Security Addendum.
1.16 “Services” means the Subscription Services, Support Services, and such other services provided by ARK to Client as described in this Agreement and in any Order Form entered into by the Parties.
1.17 “Subscription Services” has the meaning set forth in Section 2.1.
1.18 “Support Services” has the meaning set forth in Section 6.
1.19 “System” means ARK’s web-based financial services software application used by ARK to deliver the Subscription Services, related application programming interface(s), and any current or future features or ‘modules’ thereof, and all updates, improvements, and modifications thereto, and all Intellectual Property Rights in and to the foregoing.
1.20 “Term” has the meaning set forth in Section 12.1.
2. SUBSCRIPTION SERVICES; RESTRICTIONS.
2.1 Subscription Services. Subject to the terms and conditions of this Agreement and the payment of all Fees hereunder when due, ARK will (i) host, operate, administer and maintain the System, and make the System available to Client via the Internet; and (ii) provide the Support Services pursuant to Section 6 below (collectively, the “Subscription Services”). Subject to Client’s compliance with this Agreement (including without limitation Client’s obligation to pay the Fees), during the Term of this Agreement (as defined below), ARK grants to Client a non-exclusive, non-transferable right, in the territory identified in the Order Form (or if not specified therein, the United States), to access and use the Subscription Services for Client’s internal business purposes, solely for use by the Authorized Users.
2.2 Use Restrictions. Client will not, and will not permit any other party to: (i) modify, adapt, alter, translate, or create derivative works from, the System; (ii) license, distribute, sell, lease, rent, loan, or otherwise transfer the Subscription Services; (iii) reverse engineer, decompile, disassemble, or otherwise attempt to derive or gain access to the source code for, or trade secrets in, the Subscription Services or System, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation (provided, however, that to the extent Client intends to engage in any of the foregoing, Client will notify ARK in advance of such activity and will treat the results of such activity as Confidential Information of ARK); (iv) remove, alter, or obscure any proprietary notices of ARK, its licensors or suppliers from any Services or ARK proprietary materials; (v) access or use the System or Services for purposes of developing, using or providing a competing software product or service; (vi) use the System or Services in any manner or for any purpose that knowingly infringes, misappropriates or otherwise violates any Intellectual Property Right or other right of any person, or that violates any applicable law or this Agreement; (vii) bypass or breach any security device, license enforcement utility, method, or operation, or other similar protection used by ARK to secure the Subscription Services, or access the Subscription Services other than by an Authorized User through the use of his or her own then valid access credentials; (viii) knowingly input, upload, transmit, or otherwise provide to or through the Subscription Services, any information or materials that are unlawful or injurious, or contain, transmit, or activate any disabling code; or (ix) damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the Subscription Services, or ARK’s provision of services to any third party, in whole or in part. For the avoidance of doubt, Client is expressly prohibited from granting access to the Service or using the Service on behalf of or for the benefit of any individual or entity that is a competitor of ARK. Any breach of the restrictions set forth in this Section 2.2 shall be a material breach of this Agreement and ARK may terminate this Agreement pursuant to Section 12.2 hereof.
2.3 Third Party Solutions. ARK may include or make available certain third party software, solutions and data integrations, for use in conjunction with the Subscription Services, including without limitation, plug-ins, add-ons, application programming interfaces, utilities or scripts (“Third Party Solutions”). The terms and conditions by which the third party provides the Third Party Solutions to Client shall govern all aspects of Client’s utilization of such Third Party Solution and ARK is not responsible for such Third Party Solutions or any adverse impact that Client’s use of Third Party Solutions may have on the Subscription Services.
2.4 Express Consent. If Client elects to use a Third Party Solution that facilitates the transmission of Client Data to or from a third party source, Client’s use of such Third Party Solution constitutes Client’s express consent for ARK’s transmission of Client Data to, or receipt of Client Data from, such third party and for ARK’s processing of any such Client Data for the purpose of providing the Subscription Services and as otherwise permitted by applicable law. If Client elects to use the interface provided by Plaid (or a similar third party provider) to establish an integration between the Subscription Service and Client’s designated financial institution (“Financial Data Integration”): (i) Client is consenting to ARK’s receipt and processing of Client Data from Client’s account(s) with such financial institution for the purpose of providing the Subscription Services; (ii) ARK will treat such Client Data as the Confidential Information of Client in accordance with Section 13; (iii) ARK may disclose Client Data to its subcontractors that have a need to access such data in providing relevant services to ARK; and (iv) Client may terminate the Financial Data Integration and revoke its consent at any time by providing notice to ARK pursuant to Section 14.5.
3. CLIENT OBLIGATIONS.
3.1 User Permissioning. Client shall be responsible for authorizing its Authorized Users to access and use the Service by assigning each Authorized User a unique login/password (and disabling the same when appropriate) utilizing the administrative tools within the Services. Further, Client shall maintain the confidentiality of its Authorized Users’ login/password information and notify ARK immediately if it becomes aware of any unauthorized access to or use of the Services under an Authorized User’s login/password or otherwise.
3.2 Responsibility for Users. Client shall restrict access and use of the Services to only Authorized Users and assume responsibility to ensure that all Authorized Users comply with this Agreement and all applicable licenses and restrictions on the use of the Subscription Service set forth in this Agreement. Client is responsible for all use of the Subscription Services using Client-issued credentials and shall prohibit the sharing of access credentials among Authorized Users.
3.3 Client Data Requirements. Client will be solely responsible for ensuring that it has all right, title, and interest in and to any Client Data necessary to provide such Client Data and the right to license such Client Data to ARK for the purposes set forth herein, and in connection with (i) the analysis and monitoring of Client’s and its Authorized Users’ use of the Services, (ii) the legitimate business and information security operations of ARK.
4. OWNERSHIP.
4.1 Services and Deliverables. Except as expressly stated in the Agreement, the Agreement does not grant either party any rights, implied or otherwise, to the other’s content or Intellectual Property. As between the parties, ARK retains all Intellectual Property Rights in the Services and System and other ARK Property.
4.2 Rights and License to Data and Deliverables. As between the Parties, all Client Data shall be owned by Client and Client hereby grants ARK a limited, non-exclusive, non-transferable (except as provided in Section 14.4) license to use such Client Data during the Term of this Agreement for the purpose of providing the Services and as stated herein. Upon full payment of the applicable Fees for the Deliverables, all right, title and interest in any such Deliverables (not including any ARK Property) shall vest in the Client as a “work made for hire” as defined in Section 101 of the Copyright Act of 1976; provided, however, that if such Deliverables do not qualify as a work made for hire, ARK hereby transfers, assigns and conveys to Client all right, title and interest in such Deliverables (not including any ARK Property).
5. ORDER FORM; CHANGES.
ARK shall provide the Services and Deliverables pursuant to the applicable Order Form. If there exists any conflict between the terms and conditions of this Agreement and the terms and conditions of any Order Form, the terms and conditions of the Order Form shall control. If, during an Order Term, either Party desires to make changes to any work specifications on any Order Form, the Party desiring to make such change shall notify the other, and both Parties shall agree in writing on necessary adjustments to the terms of the engagement, including but not limited to price and schedule adjustments, before any such changes are incorporated into said Order Form.
6. SUPPORT.
ARK will provide Client reasonable remote help desk support via email Monday to Friday, 8am to 5pm Pacific Time, excluding all then-current U.S. Federal holidays (the “Support Services”). If Client requests remote technical support or other support in addition to the Support Services, such support shall be provided at ARK’s then-current hourly rates. For the avoidance of doubt, the Support Services shall not include any services relating to the manipulation, upload, or reconciliation of Client Data.
7. DATA SECURITY; HOSTING.
7.1 Data Security. ARK will provide the Subscription Service in compliance with the Data Security Addendum. ARK will arrange for a reputable third party to perform physical and electronic security audits with respect to the ARK System and hosting environment at least once per calendar year, and in accordance with information security industry standards appropriate for the financial services industry. ARK will provide Client with a copy of all such audit reports upon written request of Client. Client acknowledges that all such audit reports are the Confidential Information of ARK.
7.2 Hosting. ARK will manage the hosting of the System and the Client Data. ARK will use commercially reasonable efforts to make the ARK System generally available 24 hours a day, 7 days a week. However, from time to time as may be necessary to maintain the proper operation of the ARK System, ARK may take the ARK System or portions thereof down for repairs, upgrades or routine maintenance. ARK will use commercially reasonable efforts to minimize the impact to Client of such operations, and whenever practicable, ARK will provide to Client at least five (5) days’ prior written notice of ARK’s plan to take down the ARK System or portions thereof for routine maintenance purposes, and where feasible will give notice in a reasonable time in advance of any unplanned or emergency maintenance or ARK System outage. Without limiting the foregoing or any other provisions of this Agreement, ARK will have no liability for (i) Client-caused outages or disruptions to the ARK System, or (ii) problems due to the performance of networks or systems controlled by companies or entities other than ARK. In addition, Client understands that although ARK will use reasonable security measures and otherwise comply with its obligations under Sections 7.1 and 7.2 of this Agreement, it cannot guarantee that data breach attacks will not occur, and ARK will not be liable for damages sustained by Client as a result of any such data breach, unless and to the extent such data breach was caused in whole or in part by ARK’s breach of its obligations under the Data Security Addendum (and subject to Section 11). It is Client’s responsibility to stay current with ARK’s then-current minimum technical requirements for use of the Subscription Service and other Services provided by ARK to Client in writing.
8. FEES, PAYMENT AND TAXES.
8.1 Generally. Fees and payment terms shall be as set forth in the applicable Order Form. Invoices may be delivered electronically. All Fees are payable in U.S. dollars. ARK may increase the Fees or add new Fees for existing Services upon at least 30 days’ prior notice; provided, however, ARK will not increase Fees more than once in a 12-month period. All payment obligations are payable in advance and are non-cancelable and non-refundable. Unless otherwise provided on the Order Form, non-invoiced payments will be due and payable starting on the later of the Order Form Effective Date or upon the first day of each Order Term. By providing ACH or other payment information on the Order Form, Client acknowledges and agrees that the Fees will be drafted automatically, and Client consents to such automatic charges or withdrawals. Client agrees to keep its payment information current and accurate. If ARK agrees in writing to accept payment by invoice, invoices may be delivered by email, and all Fees not subject to a good faith dispute are due and payable thirty (30) days from the invoice date, and except as agreed in writing between the Parties, all Fees and other amounts payable to ARK should be paid by EFT or wire transfer (if by wire, ARK may charge a $30 fee per wire transfer) to:
Ark PES, LLC
545 Boylston Street
Boston, MA 02116
8.2 Nonpayment. Client shall be deemed in default of this Agreement if any Fees or other invoiced amounts that are not disputed in good faith remain unpaid sixty (60) days after the date of invoice. Client must give ARK notice of any dispute regarding an invoice within forty-five (45) days of its receipt of such invoice, or Client’s right to dispute that invoice shall be waived. Late payments of any undisputed Fees by Client will be subject to late fees at the rate of one and one half percent (1.5%) per month or, if lower, the maximum rate allowed by law. If any undisputed amounts payable are not received within sixty (60) days of the date of the relevant invoice, ARK may suspend the Services or terminate the Agreement upon 15 days’ prior written notice to Client, without penalty or liability to ARK.
8.3 Taxes. Client is responsible for all applicable taxes and duties imposed on, based on, or measured by any consideration for any provision of services or transfer of property by ARK to Client pursuant to the Agreement (collectively “Taxes”). All Fees are exclusive of Taxes. If ARK is obligated to collect or pay any Taxes, the Taxes will be invoiced to Client as a separate line item and Client will pay such Taxes to ARK, unless Client provides ARK with a timely and valid tax exemption certificate in respect of those Taxes. Client will provide ARK with any applicable information that ARK may require under applicable law to ensure its compliance with applicable tax regulations and authorities in applicable jurisdictions. Client is solely responsible for any taxes, interest, penalties, or fines arising out of any incorrect information or any failure to provide such information to ARK. For the avoidance of doubt, Client shall not be responsible for taxes based on ARK’s net income.
9. WARRANTIES; COVENANTS.
9.1 General. Each Party represents and warrants to the other Party that:
(a) it is duly organized, validly existing and in good standing as a corporation or other entity as represented herein under the laws and regulations of its jurisdiction of incorporation, organization or chartering;
(b) it has the full right, power and authority to enter into this Agreement, to grant the rights and licenses granted hereunder and to perform its obligations hereunder;
(c) this Agreement has been duly authorized by all necessary corporate action of the Party;
(d) when executed and delivered by such Party, this Agreement will constitute the legal, valid and binding obligation of such Party, enforceable against such Party in accordance with its terms; and
(e) it shall comply with all applicable laws, rules and regulations as they relate to the provision of the Services to Client hereunder.
9.2 Performance. ARK represents and warrants that the Subscription Service shall operate substantially in accordance with the Documentation.
9.3 Performance of Services. ARK represents, warrants and covenants that all professional services provided by ARK to Client hereunder will be performed in a timely, competent, professional, and workmanlike manner using personnel with the required skill, experience and qualifications.
9.4 Viruses. Each Party shall use commercially reasonable, industry standard measures designed to prevent the insertion of any viruses into the System or any Client system. ARK will use and maintain anti-virus software that is commonly used by service providers providing a commercially reasonable level of protection and security for services that are the same as or similar to the Services throughout the System.
9.5 Client Data. Client represents, warrants and covenants that it has obtained, and will maintain throughout the Term, all licenses, consents and/or approvals necessary to provide the Client Data to ARK for ARK’s use and processing as set forth herein and in the Data Security Addendum.
9.6 Remedies. If ARK breaches, or is alleged to have breached, any representations, warranties or covenants in Sections 9.2-9.4, ARK may, at its sole option and expense, take any of the following steps to appropriately remedy such breach: (i) repair the ARK System so as to cure such breach; or (ii) replace the applicable portion of the ARK System with functionally equivalent software so as to cure such breach. In the event ARK is unable to timely remedy such breach as set forth in the preceding sentence, Client shall have the right to terminate this Agreement by giving notice of termination to ARK and, provided that Client fully complies with its post-termination obligations, ARK shall promptly prorate and refund to Client any amount prepaid by Client for any period after the effective date of termination. The foregoing remedies are Client’s sole remedy and ARK’s sole liability for breach of Sections 9.2 through 9.4.
10. INDEMNIFICATION.
10.1 “Losses” means losses, liabilities, damages, fines, penalties, settlements, judgments, costs and expenses, including reasonable attorneys’ fees and expert fees, and interest (including taxes) arising out of a third party claim.
10.2 Indemnity by ARK. ARK will indemnify, defend and hold harmless Client and Client’s officers, directors, employees, successors and assigns (the “Client Indemnified Parties”) from and against, any Losses suffered, incurred or sustained by a Client Indemnified Party or to which a Client Indemnified Party becomes subject, resulting from any third party claim: (i) that any Deliverable or Client’s use of the Subscription Service in accordance with this Agreement violates the US IP rights of any third party (“IP Claim”), or (ii) of injury or death, or damage to any tangible property caused by or arising from the gross negligence or willful misconduct of ARK in connection with performance of the Agreement.
10.3 Remedies for Infringement. In the event of any IP Claim, ARK may, at its sole discretion and at its expense, procure for Client the right to continue using the applicable Deliverable or Subscription Service, or replace or modify the Deliverable or Subscription Service so it becomes non-infringing. SECTIONS 10.2 AND 10.3 STATE ARK’S ENTIRE LIABILITY, AND SUBJECT TO SECTION 11.2, CLIENT’S SOLE AND EXCLUSIVE REMEDY FOR INFRINGEMENT CLAIMS. ARK shall have no obligation to Client for indemnification to the extent that the IP Claim is based on: (i) a modification to the Deliverable or Subscription Service made by or on behalf of Client; (ii) a violation by Client or any Authorized User of this Agreement; or (iii) Client Data.
10.4 Client Indemnity. Client will indemnify, defend and hold harmless ARK and ARK’s officers, directors, employees, successors and assigns (the “ARK Indemnified Parties”) from and against, any Losses suffered, incurred or sustained by an ARK Indemnified Party or to which an ARK Indemnified Party becomes subject, resulting from, arising out of, or relating to: (a) Client’s breach of Section 9.5; and/or (b) any third party claim that any Client Data provided by Client to ARK hereunder violates the US IP of any individual or third party. Client shall have no obligation to ARK for indemnification to the extent that the infringement claim or allegation is based on: (i) unauthorized use of the Client Data by ARK; or (ii) a violation by ARK of this Agreement.
10.5 Indemnification Procedures. If any third-party claim is commenced against a person or entity entitled to indemnification under this Section (the “Indemnified Party”), notice thereof shall be given to the party that is obligated to provide indemnification (the “Indemnifying Party”) as promptly as practicable. In addition, the Indemnified Party shall also provide the Indemnifying Party with, subject to the last sentence of this Section, the exclusive right to control and direct the investigation, defense, or settlement (if applicable) of the claim. The Indemnified Party will cooperate, at the cost of the Indemnifying Party, in all reasonable respects with the Indemnifying Party and its attorneys in the investigation, trial and defense of such claim and any appeal arising therefrom; provided, however, that the Indemnified Party may, at its own cost and expense, participate, through its attorneys or otherwise, in such investigation, trial and defense of such claim and any appeal arising therefrom. No settlement of a claim that involves a remedy other than the payment of money by the Indemnifying Party will be entered into without the consent of the Indemnified Party, which will not be unreasonably withheld or delayed.
11. LIMITATION OF LIABILITY.
11.1 Excluded Damages. TO THE GREATEST EXTENT PERMISSIBLE UNDER APPLICABLE LAW, EVEN IF A PARTY HERETO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, IN NO EVENT WILL ARK BE LIABLE TO CLIENT FOR ANY CONSEQUENTIAL, INDIRECT, EXEMPLARY, SPECIAL, OR INCIDENTAL DAMAGES, OR FOR LOST PROFITS, LOST DATA, OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, ARISING FROM OR RELATING TO THIS AGREEMENT, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE).
11.2 Direct Damages Cap. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, NEITHER PARTY’S TOTAL CUMULATIVE LIABILITY IN CONNECTION WITH THIS AGREEMENT, WHETHER IN CONTRACT OR TORT OR OTHERWISE, SHALL EXCEED THE FEES PAID OR PAYABLE BY CLIENT IN THE 12 MONTHS PRIOR TO THE EVENT(S) GIVING RISE TO SUCH LIABILITY OR $500, WHICHEVER IS GREATER. The limitation of liability set forth in this Section 11.2 shall not apply to each Party’s obligations to protect the other Party’s Confidential Information in accordance with Section 13 of this Agreement or to the indemnification obligations of each Party hereunder, provided, however, that ARK’s total cumulative liability for same shall not exceed the Fees paid or payable by Client in the 24 month period prior to the event(s) giving rise to such damages or $500, whichever is greater.
12. TERM AND TERMINATION.
12.1 Term. This Agreement shall commence as of the Effective Date, and unless earlier terminated in accordance with this Agreement, remain in effect until all Order Forms expire (the “Term”). Each Order Form shall remain in effect for the period identified on the Order Form (which may vary for certain services or modules) (each such period, the “Order Term”). Unless earlier terminated in accordance with this Agreement, the Order Term shall automatically renew for additional periods of one (1) year each, unless a party provides the other written notice of non-renewal at least thirty (30) days before the end of the Term. For quarterly or month-to-month subscriptions, the Order Term shall automatically renew for additional quarterly or monthly terms (as appropriate), unless Client terminates the Agreement upon no less than 14 days’ written notice prior to the end of each then-current quarterly or monthly Order Term.
12.2 Mutual Termination Rights. Either Party may terminate this Agreement or any Order Form upon written notice of termination if the other Party: (i) defaults in the performance of any material obligation created by this Agreement, or breaches any material provision of this Agreement, which default or breach is not cured within thirty (30) days following the defaulting Party’s receipt of written notice of default or breach from the other Party; (ii) ceases doing business in the normal course; (iii) is the subject of any state or federal proceeding (whether voluntary or involuntary) relating to its bankruptcy, insolvency or liquidation that is not dismissed within ninety (90) days; or (iv) makes an assignment for the benefit of creditors or a receiver is appointed for a substantial part of the other Party’s assets. If either Party terminates this Agreement as set forth above, then all Order Forms to this Agreement shall also immediately terminate. Either party may terminate this Agreement immediately upon written notice if the other party, in any manner, breaches Section 13 (Confidentiality).
12.3 Effects of Termination. Upon expiration or termination of this Agreement for any reason: (i) any undisputed amounts owed to ARK under this Agreement prior to such termination or expiration will be immediately due and payable; (ii) all rights granted to Client in this Agreement will immediately cease to exist; (iii) Client will promptly discontinue all use of the Services; and (iv) ARK will return to Client all Client Data in ARK’s possession or control, or destroy such Client Data, in accordance with the Data Security Addendum. Upon the effective date of any such termination, the obligation of ARK to provide the Services shall cease. Client agrees that all undisputed fees for Services performed, and all related expenses incurred, shall accrue through the effective date of termination, and Client is obligated to pay ARK, without any holdback, demur or recourse, all such Fees and expenses incurred by ARK through the effective date of termination.
12.4 Survival. Sections 1, 4, 9.7, 10, 11, 12.3, 12.4, 13 and 14, as well as any payment obligations outstanding as of termination, will survive termination of this Agreement for any reason.
13. CONFIDENTIALITY.
13.1 Protection. The Party receiving Confidential Information (“Receiving Party”) from the other Party (“Disclosing Party”) will not use any Confidential Information of the Disclosing Party for any purpose not expressly permitted by this Agreement, and will disclose the Confidential Information of the Disclosing Party only to the employees or contractors of the Receiving Party who have a need to know such Confidential Information for purposes of this Agreement and who are under a duty of confidentiality no less restrictive than the Receiving Party’s duty hereunder. The Receiving Party will protect the Disclosing Party’s Confidential Information from unauthorized use, access or disclosure in the same manner as the Receiving Party protects its own confidential or proprietary information of a similar nature and with no less than reasonable care. Notwithstanding any other provisions of this Agreement, the Receiving Party’s obligations under this Section 13 with respect to any Confidential Information that constitutes a trade secret under any applicable law will continue until such time, if ever, as such Confidential Information ceases to qualify for trade secret protection under one or more such applicable laws other than as a result of any act or omission of the Receiving Party or any of its agents or representatives.
13.2 Exceptions. The Receiving Party’s obligations under Section 13.1 above with respect to any Confidential Information of the Disclosing Party will not apply if the Receiving Party can document that such information: (i) was already lawfully known to the Receiving Party without restriction at the time of disclosure by the Disclosing Party; (ii) is disclosed to the Receiving Party by a third party who had the right to make such disclosure without any confidentiality restrictions; (iii) is, or through no fault of the Receiving Party has become, generally available to the public; or (iv) is independently developed by the Receiving Party without access to, or use of, the Disclosing Party’s Confidential Information. In addition, the Receiving Party may disclose Confidential Information of the Disclosing Party to the extent that such disclosure is: (i) approved in writing by the Disclosing Party, (ii) necessary for the Receiving Party to enforce its rights under this Agreement in connection with a legal proceeding, in which case any such disclosure shall be subject to a court approved protection order; or (iii) required by law or by the order of a court or similar judicial or administrative body, in which case the Receiving Party will notify the Disclosing Party of such required disclosure in writing prior to making such disclosure and will cooperate with the Disclosing Party, at the Disclosing Party’s reasonable request and expense, in any lawful action to contest or limit the scope of such required disclosure.
14. GENERAL PROVISIONS.
14.1 Publicity. Client agrees that ARK may publicly disclose that it is providing the System and Services to Client and may use Client’s name and logo on ARK’s website and to identify Client in promotional materials, including press releases and in customer lists.
14.2 Compliance with Laws and Regulations. Client will comply with all applicable laws and regulations concerning Client’s use of the Services, including without limitation all applicable data privacy laws and regulations. Client will not use or make the Subscription Service available outside the United States unless express written permission is granted by ARK with regard to each country, or unless expressly authorized in the applicable Order Form by means of the designation of the licensed “Territory” or otherwise.
14.3 Audits. Client shall maintain, and provide to ARK upon reasonable written request of ARK (which may be made no more than once per year), such relevant records as may be reasonably required to demonstrate Client’s compliance with this Agreement (an “Audit”). The Audit will be conducted at ARK’s expense, unless the Audit reveals that Client has failed to materially comply with the terms and conditions of this Agreement, in which case Client will reimburse ARK for all reasonable costs and expenses incurred by ARK in connection with such Audit in addition to any unpaid Fees (inclusive of any accrued interest under Section 8.2).
14.4 Assignment. Client may not assign or transfer any of its rights under this Agreement to any third party without ARK’s prior express written consent, which shall not be unreasonably withheld or delayed; provided, however, that Client may assign this Agreement to any successor in interest, to its business or arising from the sale of all or substantially all of the assets, or the sale of stock, of Client, through any merger or acquisition or internal reorganization of Client. ARK may not assign or transfer any of its rights under this Agreement to any third party without Client’s prior express written consent, which shall not be unreasonably withheld or delayed, except that ARK will have the right to assign this Agreement to an Affiliate or any successor to its business or assets to which this Agreement relates, whether by merger, sale of assets, sale of stock, or internal reorganization. Any attempted assignment or transfer by either Party in violation of the foregoing will be null and void.
14.5 Notices. All notices, consents, and approvals under this Agreement that are to be sent to ARK must be delivered in writing by email or fax (both of which are not deemed delivered until confirmation of receipt is obtained from the intended recipient), courier, or certified or registered mail, (postage prepaid and return receipt requested) to the address specified in the Order Form (or other address as may be specified by a Party from time to time upon written notice to the other), and will be effective upon receipt or three (3) business days after being deposited in the mail as required above, whichever occurs sooner.
14.6 Governing Law. This Agreement will be governed by and interpreted in accordance with the laws of the State of Delaware without reference to its choice of law rules. Any action or proceeding arising from or relating to this Agreement will be brought in a federal or state court in Wilmington, Delaware, and each Party irrevocably submits to the exclusive jurisdiction and venue of any such court in any such action or proceeding.
14.7 Remedies. Except as otherwise expressly provided in Section 9, the Parties’ rights and remedies under this Agreement are cumulative. Client acknowledges that the Services contain valuable trade secrets and proprietary information of ARK, that any actual or threatened breach of Client’s obligations with regard to exercising its rights hereunder, or its confidentiality obligations hereunder, may result in immediate, irreparable harm to ARK for which monetary damages would be an inadequate remedy, and that injunctive relief may be an appropriate remedy for such breach and, if so, is to be made available to ARK without the requirement of posting bond. ARK acknowledges that the Client Data constitutes Confidential Information of Client, that any actual or threatened breach of ARK’s confidentiality obligations hereunder with respect to Client Data may result in immediate, irreparable harm to Client for which monetary damages would be an inadequate remedy, and that injunction relief may be an appropriate remedy for such breach and, if so, is to be made available to Client without a requirement of posting bond.
14.8 Force Majeure. Neither Party shall be liable for failure or delay in the fulfillment of any of its obligations hereunder (excluding payment of Fees) where such failure is due to war, riot, strike, labor dispute, civil disturbance, rebellion, invasion, terrorist attack, denial of service attack, embargo, national or local emergency, natural disaster, acts of God, flood, fire, malfunction of equipment or facilities, failure by the other Party or a third party to perform a prerequisite necessary to fulfill such obligation, or any other cause beyond its reasonable control. The Party unable to fulfill its obligations due to such a force majeure event shall use diligent efforts to restore its performance thereof as soon as reasonably possible.
14.9 Headings. Section headings in this Agreement are included for convenience only and shall not affect the interpretation of the provisions in this Agreement.
14.10 Waivers. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
14.11 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be unenforceable, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions of this Agreement will continue in full force and effect.
14.12 Entire Agreement. This Agreement, including the exhibits hereto, constitutes the entire agreement between the parties regarding the subject hereof and supersedes all prior or contemporaneous agreements, understandings, and communication, whether written or oral.
14.13 Updates. ARK reserves the right to modify or update this Agreement at any time, in its sole discretion. ARK will notify Client to the extent ARK makes any material changes to the Agreement. Client’s use of the Services after any changes will constitute Client’s acceptance of such changes. Client’s sole remedy if Client does not agree to any change is to cease all use of the Services or, in the case of a material change only, to terminate the Agreement as set forth in Section 12.
EXHIBIT A
DATA PRIVACY AND SECURITY ADDENDUM TO THE MSA
These Data Protection Terms (the “DPA”) describe each Party’s obligations with respect to its handling of Personal Data provided under the Master Services Agreement between ARK PES, Inc. and the individual or entity identified on the Order Form (the “Agreement”). This DPA is hereby incorporated into and made a part of the Agreement. Any capitalized terms not defined herein will have the definitions used in the Agreement. The terms of this DPA will control to the extent inconsistent with the Agreement.
1. Definitions. In this DPA, these terms will have the following meanings:
“Controller” means a party that determines the purposes and means of processing Personal Data, and includes a Business as defined in the California Privacy Laws and similar terms under applicable Data Protection Laws.
“Data Protection Laws” means all international, federal, state and local laws, regulations, rules, treaties, and binding guidance issued by any governmental authority concerning data protection, privacy, and breach notification that are then in effect, to the extent applicable to a Party, including, without limitation: Regulation 2016/679 (“GDPR”), Directive 2002/58/EC (the “ePrivacy Directive”), and any laws implementing the foregoing, or implemented in European Union Member States thereunder, and any successor directives or regulations thereof then in effect, and the UK DPA 2018 (collectively, “European Privacy Laws”); the Cayman Islands Data Protection Law, 2017 (“DPL”); all U.S. Federal Trade Commission (“FTC”) rules, regulations and guidance relating to the collection, use, disclosure and Processing of Personal Data; C.R.S. § 6-1-713 et seq.; Massachusetts law 201 CMR 17.00 et seq.; and Cal. Civ. Code §§ 1798.80 et seq., 1798.100 et seq., and 11 CCR § 999.300 et seq. (“California Privacy Laws”).
“Personal Data” means data that relates to an identified or identifiable natural person or household.
“Processor” means a party that processes Personal Data on behalf of a Controller, and includes a Service Provider as defined in the California Privacy Laws and similar terms under applicable Data Protection Laws.
“Targeted Advertising” means the targeting of advertising to an individual based on the individual’s Personal Data obtained from the individual’s activity across businesses, distinctly-branded websites, applications, or services (other than the business, distinctly-branded website, application, or service with which the individual intentionally interacts). Without limitation, Targeted Advertising includes “cross-context behavioral advertising” as defined under California Privacy Laws, “targeted advertising” and other similar terms as may be defined in Data Protection Laws.
The terms “Data Subject”, “Personal Data Breach”, and “Process” have the same definitions as in the applicable Data Protection Laws.
2. Compliance with Data Protection Laws. Each Party will comply with all applicable Data Protection Laws, as well as all other laws, rules, and regulations applicable in relation to the Party’s Processing of Personal Data.
3. Description of Data Processing. ARK will Process Personal Data only for the purpose of fulfilling its obligations under the Agreement or the written instructions of the Client. The subject matter and nature of the Processing of Personal Data is the performance of services by ARK provided under the Agreement. Types of Personal Data processed include names and financial or tax information relating to the following categories of Data Subjects: investors, directors, members, partners, agents, and individuals that are connected to the above-mentioned categories. The duration of the processing is until the termination or expiry of the Agreement.
4. Limitations. ARK shall not: (i) Sell or Share (as such terms are defined under California Privacy Laws) Personal Data; (ii) use Personal Data for Targeted Advertising; (iii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement, including for any other commercial purpose other than providing the Services and as set forth herein; (iv) retain, use, or disclose Personal Data outside the direct business relationship with Client pursuant to the Agreement; or (v) combine or commingle Personal Data ARK receives pursuant to the Agreement with personal information that ARK receives from or on behalf of any third party or collects from its own interaction with an individual. ARK hereby certifies that it understands and will comply with the restrictions on Processing set forth in this Section 4. ARK will notify Client within five business days if ARK determines that it can no longer meet its obligations under California Privacy Laws.
5. Controller/Processor. For purposes of this DPA and the Data Protection Laws, as between ARK and Client, ARK is the Processor with respect to any Personal Data processed on behalf of and at the instruction of the Client under the Agreement or other agreements between ARK and Client (as described in Section 3 of these Data Protection Terms), and Client is the Controller.
6. Authorized Persons. ARK will ensure that persons authorized to Process the Personal Data are under an appropriate contractual or statutory obligation of confidentiality with respect to their processing of Personal Data.
7. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks posed to the security of Personal Data, including all measures required under applicable Data Protection Laws.
8. Subprocessing. ARK is authorized to appoint additional Processors to Process Personal Data on ARK’s behalf or perform its obligations under the Agreement (“Subprocessors”). ARK will perform reasonable due diligence to ensure that any Subprocessors are able to, and are obligated by written contract to comply with, ARK’s applicable processing obligations under these Data Protection Terms. ARK will inform Client of any new Subprocessors and will make available to Client on request a list of its Subprocessors.
9. Return of Data. At Client’s written request any time during the Term, or upon the termination or expiration of the Agreement for any reason, ARK will, at the Client’s option, either return or delete all copies of Personal Data (unless and solely to the extent and for so long as applicable law requires the retention of such Personal Data), and ARK shall, and shall instruct all Authorized Persons to, promptly return to Client all copies, whether in written, electronic, or other form or media, of Personal Data in its possession or control, or the possession or control of such Authorized Persons, or securely dispose of all such copies, and provide written certification to Client that such Personal Data has been returned to Client or disposed of securely. ARK shall comply with all reasonable directions provided by Client with respect to the return or disposal of Personal Data, including without limitation returning the Personal Data in the format reasonably requested by Client.
10. Data Incidents. ARK will notify Client without undue delay if ARK becomes aware of a Personal Data Breach affecting Personal Data Processed by ARK under the Agreement. Such notice will include information, to the extent known by ARK, which may be necessary for Client to comply with applicable Data Protection Laws, and ARK will provide Client with updates to such information, and assist Client, each as reasonably necessary for Client to meet its obligations under applicable Data Protection Laws.
11. Data Subject Rights. Each Party will promptly notify the other of any communication from a Data Subject or supervisory authority regarding: (i) a Party’s compliance with applicable Data Protection Laws; or (ii) a Data Subject’s exercise of rights under applicable Data Protection Laws. Notifications to ARK should be sent to privacy@arkpes.com. To the extent reasonably necessary given the nature of the Party’s Processing, each Party will use commercially reasonable technical and organizational means to assist the other Party in the fulfilment of its obligations in relation to a Data Subject’s exercise of its rights under applicable Data Protection Laws, or in connection with any response to Data Subjects or supervisory authorities. To the extent Client, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws, ARK shall comply with any commercially reasonable request by Client to facilitate such actions to the extent ARK is legally permitted to do so at Client’s sole cost and expense. To the extent legally permitted, Client shall be responsible for any reasonable costs arising from ARK’s provision of such assistance requested by Client.
12. Assistance. To the extent necessary in relation to ARK’s Processing of Personal Data hereunder, ARK will provide reasonable assistance to Client with any data protection impact assessments or any prior consultations with a supervisory authority which may be required under applicable Data Protection Laws. Client may, upon reasonable advance notice and at Client’s expense, take reasonable and appropriate steps to: (i) not more than once per 12 consecutive month period, ensure that ARK Processes Personal Data received from or on behalf of Client in a manner consistent with Client’s obligations under California Privacy Laws, by (a) providing an audit report of ARK’s policies and technical and organizational measures related to ARK’s Processing of Personal Data by a qualified independent third-party auditor, or (b) making available to Client reasonably requested information to demonstrate ARK’s compliance with Data Protection Laws; and (ii) stop and remediate any unauthorized use of Personal Data by ARK.
13. Information. ARK will maintain and make available to Client upon reasonable notice (and subject to any Subprocessor’s or other applicable requirements or limitations regarding audit timing, access, and/or confidentiality), such information as is reasonably necessary to demonstrate such Party’s compliance with the terms of this DPA and the Data Protection Laws.
14. Amendment. In the event a change in applicable Data Protection Law requires an amendment to this DPA, ARK may upon thirty (30) days prior written notice to Client, update or revise this DPA as and to the extent required by applicable Data Protection Laws. Any amended version of this DPA shall take effect after such thirty (30) day period unless Client provides written notice of its reasonable objections during such period. In the event of reasonable Client objections, the Parties shall negotiate in good faith to amend this DPA to conform to the relevant requirements of applicable Data Protection Laws.
15. Processing of EU Personal Data. The following shall apply solely to the extent ARK processes Personal Data subject to European Privacy Laws (“European Personal Data”) and shall prevail to the extent of any conflict with other provisions of this DPA:
15.1 Additional Processing Limitations. Client’s instructions to ARK for the processing of European Personal Data shall comply with European Privacy Laws, and ARK shall notify Client in the event ARK believes the Client’s instructions violate applicable European Privacy Laws. ARK is hereby authorized to Process European Personal Data solely on the documented instructions of the Controller, including without limitation, as is reasonably necessary to perform its obligations under the Agreement, unless required to do so by European Data Protection Laws, and in that case ARK shall notify the Client of such legal requirement before Processing (except where the law prohibits such disclosure on important public interest grounds).
15.2 Processing after Termination. ARK shall delete or return all European Personal Data to the Client after the end of the provision of Services relating to processing hereunder, and shall delete existing copies unless and to the extent European Privacy Law requires storage of the European Personal Data.
15.3 EU Transfers. To the extent that ARK processes PII that was initially transferred to Client by a controller or processor with an establishment in a Member State of the European Economic Area (or that is otherwise protected by data protection laws of a Member State of the European Economic Area in the hands of Client), the Parties agree to be bound by the standard contractual clauses for transfers to third countries approved by the European Commission under Article 46(2)(c) of General Data Protection Regulation 2016/679 (“GDPR”), applying the Module Three terms for Processor-to-Processor transfers, with Client being the “data exporter” and ARK being the “data importer” (the “EU SCCs,” available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914), supplemented as set forth below. For purposes of the EU SCCs, the Parties hereby agree as follows:
(a) In Clause 7, the optional docking clause will not apply;
(b) For purposes of Clause 9 of the EU SCCs, Option 2 (general authorization for Subprocessors) applies, with the specified time period being 30 days;
(c) In Clause 17, the Parties select Option 1, and the clauses shall be governed by the laws of Ireland;
(d) In Clause 18(b), disputes shall be resolved before the courts specified in the Agreement, provided these courts are located in an EU Member State, otherwise those courts shall be the courts of Ireland;
(e) Annex IA of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this Exhibit A;
(f) Annex IB of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this Exhibit A;
(g) For the purposes of Annex IC, the competent authority is the Irish Data Protection Authority;
(h) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 3 to this Exhibit A;
(i) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex 4 of this Exhibit A;
(j) Modules and optional clauses not expressly identified in this Section as accepted by the Parties shall not be included; and
(k) In the event of any conflict between the EU SCCs and this Appendix, the provisions of the EU SCCs shall prevail.
15.4 UK Transfers. To the extent that ARK processes PII that was initially transferred to Client by a controller or processor with an establishment in the United Kingdom (or that is otherwise protected by data protection laws of the United Kingdom in the hands of Client), the Parties agree to be bound by version B1.0 of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as issued by the UK Information Commissioner under s119A(1) of the UK Data Protection Act 2018, in force 21 March 2022 (“the UK Addendum”). In this Section 11.2, the term “Approved EU SCCs” shall have the definition given to it in the UK Addendum. For the purposes of the UK Addendum, ARK and Client hereby agree as follows:
(a) for the purposes of Table 1 of the UK Addendum: (i) the start date is the starting date of the Agreement; (ii) the exporter’s and importer’s full legal name, main address, official registration number and key contact are set out in Annex 1;
(b) for the purposes of Table 2 of the UK Addendum, the Parties select the second option, with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of the UK Addendum: (i) Module Three (processor to processor) of the Approved EU SCCs is the module in operation; and (ii) clause 7 and clause 9(a) of the Approved EU SCCs shall be populated as per Section 15.3(a) and (b) above, respectively;
(c) for the purposes of Table 3 of the UK Addendum: (i) Annex I.A of the Approved EU SCCs is populated as per Annex 1 to this Exhibit A; (ii) Annex I.B of the Approved EU SCCs is populated as per Annex 2 to this Exhibit A; (iii) Annex II of the Approved EU SCCs is populated as per Annex 3 to this Exhibit A; and (iv) Annex III of the Approved EU SCCs is populated as per Annex 4 to this Exhibit A;
(d) for the purposes of Table 4 of the UK Addendum, Client (as exporter) or ARK (as importer) may end the UK Addendum as set out in section 19 of the UK Addendum;
(e) modules and optional clauses of the UK Addendum and the Approved EU SCCs not expressly identified in this Section 15.4 as accepted by the Parties are not included;
(f) in the event of any conflict between the UK Addendum and this Exhibit A, the provisions of the UK Addendum shall prevail.
ANNEX 1: LIST OF PARTIES
Data exporter
Data exporter: Client
Address: As set forth on Order Form.
Official registration number (if any) (company number or similar identifier): As set forth on Order Form
Key Contact person’s name, position, and contact details: As set forth on Order Form
Activities relevant to the data transferred under these clauses: Processing activities as described in Annex 2 and the Agreement between the Parties
Signature and Date: As per the Agreement.
Role: Controller
Data importer
Data importer: ARK PES, Inc.
Address: 545 Boylston Street, Boston, MA 02116
Official registration number (if any) (company number or similar identifier): As set forth on Order Form
Key Contact person’s name, position, and contact details: As set forth on Order Form
Activities relevant to the data transferred under these clauses: Processing activities as described in Annex 2 and the Agreement between the Parties
Signature and Date: As per the Agreement.
Role: Processor
ANNEX 2: DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | The Personal Data transferred may concern the following categories of Data Subjects, as further specified in the Agreement: investors, directors, members, partners, agents, and individuals that are connected to the above-mentioned categories. |
Categories of personal data transferred: | The Personal Data transferred concern (but are not limited to) the following categories of data regarding investors, directors, members, partners and agents, for purposes of providing investor reporting services: name; contact information (including home and work address, home and work telephone numbers, mobile telephone numbers and email address); Social Security number or tax ID; financial information, including investments, allocations and distributions; and other data reasonably required to implement the Services and performance requested by Client under the Agreement. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | N/A |
The frequency and duration of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Continuous for the duration of the Agreement. |
Nature and subject matter of the processing: | The nature of the Processing is: receiving Personal Data, including collection, accessing, retrieval, recording and data entry; holding Personal Data, including storage, organization and structuring; using Personal Data, including analyzing, consultation, testing, automated decision making and profiling; updating Personal Data, including correcting, adaptation, alteration, alignment and combination; protecting Personal Data, including restricting, encrypting and security testing; sharing Personal Data, including disclosure, dissemination, allowing access or otherwise making available; returning Personal Data to the data exporter or the Data Subject; and erasing Personal Data, including destruction and deletion. The subject matter is the processing of investor data. |
Purpose(s) of the data transfer and further processing: | Processing by the Processor for the purpose of providing the services specified in the Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | For the duration of the Agreement (or as otherwise specified in the Agreement). |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | The subject matter, nature and duration of the processing is as specified in the Agreement and in this Annex. |
ANNEX 3: LIST OF SECURITY MEASURES
- SAFEGUARDS – SPECIFIC. At a minimum, the processor’s information safeguards will include the below measures.
MEASURE | DESCRIPTION |
Measures of pseudonymisation and encryption of personal data | Processor shall implement Personal Data encryption at rest using at least AES-256, including when stored on any electronic notebook, portable hard drive, or removable electronic media with information storage capability. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Processor shall maintain secure facilities, data centers, paper files, servers, back-up systems and computing equipment including mobile devices and other equipment with information storage capability; network, device application, database and platform security. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Processor shall ensure it is able to implement a disaster recovery business continuity plan (“DRBC Plan”) at any time in accordance with its terms. Processor shall test the DRBC Plan on a regular basis (and, in any event, not less than annually). Processor shall identify disaster recovery scenarios and service level agreements for service recovery. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Processor shall conduct annual external and internal penetration testing and quarterly vulnerability scans and promptly implement a corrective action plan (including timeline) to correct material issues that are identified through testing. |
Measures for user identification and authorisation | Processor will put in place authentication and access controls within applications, operating systems and equipment. |
Measures for the protection of data during transmission | Processor shall implement secure transmission, storage and disposal measures. Personal Data shall be encrypted in transit, and the encryption protocol for data in transit shall be TLS 1.2 or later. Processor acknowledges and accepts that the transfer of Personal Data via email or any other type of unencrypted channel is prohibited. |
Measures for the protection of data during storage | Processor shall implement Personal Data encryption at rest, including when stored on any electronic notebook, portable hard drive, or removable electronic media with information storage capability. At the end of the contractual relationship or at end-of-life for technology systems, Processor shall support secure deletion (e.g., degaussing/cryptographic wiping) of any stored, archived and backed-up data in hard-copy and/or electronic format. Any backup media shall be encrypted at rest. |
Measures for ensuring physical security of locations at which personal data are processed | Processor shall maintain secure facilities, data centers, paper files, servers, back-up systems and computing equipment, including all mobile devices and other equipment with information storage capability, and reasonable physical security controls, including detective controls (e.g., surveillance cameras), preventive controls (e.g., physical/electronic entry points, locks) and deterrent controls (e.g., alarm systems), to prevent unauthorized personnel from accessing devices, server rooms, or office space where Personal Data is stored. |
Measures for ensuring events logging | Processor shall log all access, modification, destruction and exfiltration events, and shall retain such access control logs for a period of at least one (1) year from the relevant event. |
Measures for ensuring system configuration, including default configuration | Processor will put in place authentication and access controls within applications, operating systems and equipment. Processor will not knowingly introduce to Controller’s systems or devices, or use, any software or code that contains any virus, malware, or other software routines designed to disable, erase, or otherwise harm software, hardware, or data owned or controlled. Processor shall implement the following system configuration: (a) firewall rules that have been actively configured to monitor ingress/egress traffic; (b) a default-deny rule that drops all traffic except for those services and ports that are explicitly allowed; and (c) removal or change of default passwords on software and hardware. Processor will maintain a reasonable patching cadence to ensure that production tools, servers, virtual machines, libraries and anti-virus software are up-to-date. Where reasonably possible, Processor shall implement logical separation of production and other (staging/development) environments. |
Measures for internal IT and IT security governance and management | Processor shall have a proper due diligence process, including legal review and security assessment, for any sub-processors that will have access to Personal Data. |
Measures for certification / assurance of processes and products | Processor will implement appropriate safeguards to protect Personal Data that are consistent with accepted industry practices (such as ISO 27001 / 27002, ITIL, COBIT or other industry standards of information security), and that comply with applicable data protection law, the Agreement and this Appendix. Processor shall maintain documentation of applicable business processes, procedures and responsibilities and shall ensure it has a back-up methodology. |
Measures for ensuring data minimisation | Processor shall limit access to Personal Data, and provide privacy and information security training, to Processor’s Authorized Personnel. “Authorized Personnel” means Processor’s personnel who have a need to know or otherwise access Personal Data to enable Processor to perform its obligations under the Agreement, and who are bound in writing by obligations of confidentiality sufficient to protect Personal Data in accordance with the terms of the Agreement and this Appendix. Processor shall give reasonable assurance that: (1) only the minimum types and amount of data are requested to perform the Services; and (2) data elements will be minimized, anonymized and/or hashed, wherever applicable. |
Measures for ensuring data quality | Processor relies upon data provided by Controller for delivery of the Services. |
Measures for ensuring accountability | Processor will implement appropriate safeguards to protect Personal Data that are consistent with accepted industry practices (such as ISO 27001 / 27002, ITIL, COBIT or other industry standards of information security), and will ensure that all such safeguards comply with applicable data protection law, the Agreement and this Appendix. |
Measures for allowing data subject rights | Processor shall maintain documentation of processing activities, as applicable, to allow Data Subjects to exercise their rights. Processor will also comply with its obligations under Section 11 of this Exhibit A. |
ANNEX 4: AUTHORIZED SUBPROCESSORS
As of the Effective Date, Processor uses the following Sub-Processors to process Personal Data.
SUB-PROCESSOR | ADDRESS | SERVICES DESCRIPTION | LOCATIONS OF PROCESSING |