FORM OF ETF DISTRIBUTION AGREEMENT
Exhibit (e)(1)
This Distribution Agreement (the “Agreement”) is made this __ day of _________ 2023, by and between Xxxxxx Xxxxxxx ETF Trust, a Delaware statutory trust (the “Trust”) having its principal place of business at 000 Xxxxx Xxxxxx, Xxx Xxxx, XX 00000, and Foreside Fund Services, LLC, a Delaware limited liability company (the “Distributor”) having its principal place of business at Three Canal Plaza, Suite 100, Portland, ME 04101.
WHEREAS, the Trust is a registered open-end management investment company organized under the Investment Company Act of 1940, as amended (the “1940 Act”) with separate and distinct series (each series a “Fund” and collectively the “Funds”) registered with the United States Securities and Exchange Commission (the “SEC”) under the Securities Act of 1933, as amended (the “1933 Act”);
WHEREAS, the Trust intends to create and redeem shares of beneficial interest (the “Shares”) of each Fund on a continuous basis and list the Shares on one or more national securities exchanges (together, the “Listing Exchanges”);
WHEREAS, the Distributor is registered with the SEC as a broker-dealer under the Securities Exchange Act of 1934, as amended (the “1934 Act”), and is a member of the Financial Industry Regulatory Authority, Inc. (“FINRA”);
WHEREAS, the Trust desires to retain the Distributor to (i) act as the principal underwriter of the Funds with respect to the creation and redemption of Creation Units of each Fund, and (ii) hold itself available to review and approve orders for such Creation Units in the manner set forth in the Trust’s Prospectus; and
WHEREAS, the Distributor desires to provide the services described herein to the Trust subject to the terms and conditions set forth below.
NOW THEREFORE, in consideration of the mutual promises and undertakings herein contained, the parties agree as follows:
1. Appointment.
The Trust hereby appoints the Distributor to serve as the principal underwriter of the Funds with respect to the creation and redemption of Creation Units of each Fund listed in Exhibit A hereto (as may be amended by the Trust from time to time on written notice to the Distributor) on the terms and for the period set forth in this Agreement and subject to the registration requirements of the federal securities laws and of the laws governing the sale of securities in the various states, and the Distributor hereby accepts such appointment and agrees to act in such capacity hereunder.
2. Definitions.
Wherever they are used herein, the following terms have the following respective meanings:
(a) “Personal Information” means, collectively, “personally identifiable information”, “non-public personal information”, “personal data”, “personal information”, and any other similar terms defined by applicable data protection or privacy laws.
(b) “Prospectus” means the Prospectus(es) and Statement(s) of Additional Information constituting parts of the Registration Statement of the Trust under the 1933 Act and the 1940 Act as such Prospectus(es) and Statement(s) of Additional Information may be amended or supplemented and filed with the SEC from time to time;
(c) “Registration Statement” means the registration statement most recently filed from time to time by the Trust with the SEC and effective under the 1933 Act and the 1940 Act, as such registration statement is amended by any amendments thereto at the time in effect;
(d) All other capitalized terms used but not defined in this Agreement shall have the meanings ascribed to such terms in the Registration Statement and the Prospectus.
3. Duties of the Distributor.
(a) The Distributor agrees to serve as the principal underwriter of the Funds in connection with the review and approval of all purchase and redemption orders of Creation Units of each Fund by Authorized Participants that have executed an agreement with the Distributor and Transfer Agent (an “Authorized Participant Agreement” or “AP Agreement”). Nothing herein shall affect or limit the right and ability of the Transfer Agent to accept Fund Securities, Deposit Securities, and related Cash Components through or outside the Clearing Process, and as provided in and in accordance with the Registration Statement and Prospectus. The Trust acknowledges that the Distributor shall not be obligated to approve any certain number of orders for Creation Units.
(b) The Distributor agrees to use commercially reasonable efforts to provide the following services to the Trust with respect to the continuous distribution of Creation Units of each Fund: (i) at the request of the Trust, the Distributor shall enter into Authorized Participant Agreements between and among Authorized Participants, the Distributor and the Transfer Agent, for the purchase and redemption of Creation Units of the Funds, (ii) the Distributor shall approve and maintain copies of confirmations of Creation Unit purchase and redemption order acceptances; (iii) the Distributor will deliver copies of the Prospectus to purchasers of such Creation Units and, upon request, the Statement of Additional Information; and (iv) the Distributor shall maintain telephonic, facsimile and/or access to direct computer communications links with the Transfer Agent.
(c) The Distributor shall ensure that all direct requests to Distributor for Prospectuses, Statements of Additional Information, product descriptions and periodic fund reports, as applicable, are fulfilled.
(d) The Distributor agrees to make available, at the Trust’s request, one or more members of its staff to attend, either via telephone or in person, Board meetings of the Trust in order to provide information with regard to the Distributor’s services hereunder, including reports regarding the use of 12b-1 payments received by the Distributor, if any, and for such other purposes as may be requested by the Board of Trustees of the Trust.
(e) Distributor shall review and approve, prior to use, all Trust marketing materials (“Marketing Materials”) for compliance with SEC and FINRA advertising rules and will file all Marketing Materials required to be filed with FINRA. The Distributor agrees to furnish to the Trust’s investment adviser any comments provided by FINRA with respect to such materials.
(f) The Distributor shall not offer any Shares and shall not approve any creation or redemption order hereunder if and so long as the effectiveness of the Registration Statement then in effect or any necessary amendments thereto shall be suspended under any of the provisions of the 1933 Act or if and so long as a current prospectus as required by Section 10 of the 1933 Act is not on file with the SEC; provided, however, that nothing contained in this paragraph shall in any way restrict or have any application to or bearing upon the Trust’s obligation to redeem or repurchase any Shares from any shareholder in accordance with provisions of the Prospectus or Registration Statement.
(g) The Distributor shall work with the Transfer Agent to review and approve orders placed by Authorized Participants and transmitted to the Transfer Agent.
(h) The Distributor agrees to maintain, and preserve for the periods prescribed by Rule 31a-2 under the 1940 Act, such records as are required to be maintained by Rule 31a-1(d) under the 1940 Act. The Distributor agrees that all records which it maintains pursuant to the 1940 Act for the Trust shall at all times remain the property of the Trust, shall be readily accessible, and shall be promptly surrendered upon the termination of the Agreement or otherwise on written request; provided, however, that Distributor may retain all such records required to be maintained by Distributor pursuant to applicable FINRA or SEC rules and regulations.
(i) The Distributor agrees to maintain compliance policies and procedures (a “Compliance Program”) that are reasonably designed to prevent violations of the Federal Securities Laws (as defined in Rule 38a-1 of the 1940 Act) with respect to the Distributor’s services under this Agreement, and to provide any and all information with respect to the Compliance Program, including without limitation, information and certifications with respect to material violations of the Compliance Program and any material deficiencies or changes therein, as may be reasonably requested by the Trust’s Chief Compliance Officer or Board of Trustees.
(j) The Distributor is not authorized by the Trust to give any information or make any representations other than those contained in the Registration Statement or Prospectus or contained in shareholder reports or other material that may be prepared by or on behalf of the Trust for the Distributor’s use.
(k) The Distributor will promptly forward any complaints concerning the Trust received by the Distributor to the Trust, assist in resolving such complaints to the extent any such complaints relate to the Distributor’s responsibilities as the distributor for the Funds and maintain a log of such complaints to the extent required by applicable law.
(l) The Trust acknowledges and agrees that the Distributor shall not be obligated to make any payments to any broker-dealers, other financial intermediaries or other third parties, unless (i) the Distributor has received an authorized corresponding payment from the applicable Fund’s plan of distribution adopted pursuant to Rule 12b-1 under the 1940 Act (“Plan”) and (ii) such Plan has been approved by the Trust’s Board.
4. Duties of the Trust.
(a) The Trust agrees to create, issue, and redeem Creation Units of each Fund in accordance with the procedures described in the Prospectus. Upon reasonable notice to the Distributor and in accordance with the procedures described in the Prospectus, the Trust reserves the right to reject any order for Creation Units or to stop all receipts of such orders at any time.
(b) The Trust agrees that it will take all actions necessary to register an indefinite number of Shares under the 1933 Act.
(c) The Trust will make available to the Distributor such number of copies as Distributor may reasonably request of (i) its then currently effective Prospectus and Statement of Additional Information and product description, (ii) copies of semi-annual reports and annual audited reports of the Trust’s books and accounts made by independent public accountants regularly retained by the Trust, and (iii) such other publicly available information for use in connection with the distribution of Creation Units.
(d) The Trust shall inform Distributor of any such jurisdictions in which the Trust has filed notice filings for Shares for sale under the securities laws thereof and shall promptly notify the Distributor of any change in this information. The Distributor shall not be liable for damages resulting from the sale of Shares in authorized jurisdictions where the Distributor had no information from the Trust that such sale or sales were unauthorized at the time of such sale or sales.
The Distributor acknowledges and agrees that the Trust reserves the right to suspend sales and Distributor’s authority to review and approve orders for Creation Units on behalf of the Trust. Upon due notice to the Distributor, the Trust shall suspend the Distributor’s authority to review and approve Creation Units if, in the judgment of the Trust, it is in the best interests of the Trust to do so. Suspension will continue for such period as may be determined by the Trust.
(e) The Trust shall arrange to provide the Listing Exchanges with copies of Prospectuses, Statements of Additional Information, and product descriptions to be provided to purchasers in the secondary market.
(f) The Trust will make it known that Prospectuses and Statements of Additional Information and product descriptions are available by making sure such disclosures are in all marketing and advertising materials prepared by the Trust, to the extent required by applicable law.
5. Fees and Expenses.
(a) The Distributor shall be entitled to no compensation or reimbursement of expenses from the Trust for the services provided by the Distributor pursuant to this Agreement. The Trust may compensate the Distributor pursuant to the terms of a Distribution Plan pursuant to Rule 12b-1 under the 1940 Act with respect to a Fund, as may be determined from time to time by the Board of Trustees of the Trust. The Distributor shall be obligated to make 12b-1 payments only after, for so long as, and to the extent that the Distributor receives such payments from the applicable Fund. All 12b-1 payments received by the Distributor shall be held to be used solely for distribution-related expenses and shall not be retained as profit by the Distributor. The Distributor may also receive compensation or reimbursement from the Trust’s investment adviser related to its services hereunder or for additional services as may be agreed to between the Trust’s investment adviser and Distributor.
(b) The Trust shall bear the cost and expenses of: (i) the registration of the Shares for sale under the 1933 Act; and (ii) the registration or qualification of the Shares for sale under the securities laws of the various States.
(c) The Distributor shall pay (i) all expenses relating to Distributor’s broker-dealer qualification and registration under the 1934 Act; and (ii) the expenses incurred by the Distributor in connection with routine FINRA filing fees.
(d) The Trust shall bear any costs associated with printing Prospectuses, Statements of Additional Information and all other such materials.
6. Indemnification.
(a) The Trust agrees to indemnify and hold harmless the Distributor, its affiliates and each of their respective directors, officers and employees and agents and any person who controls the Distributor within the meaning of Section 15 of the 1933 Act (any of the Distributor, its officers, employees, agents and directors or such control persons, for purposes of this paragraph, a “Distributor Indemnitee”) against any loss, liability, claim, damages or expense (including the reasonable cost of defending any alleged loss, liability, claim, damages or expense and reasonable counsel fees incurred in connection therewith) (“Losses”) that a Distributor Indemnitee may incur arising out of or based upon: (i) Distributor serving as distributor for the Trust pursuant to this Agreement (except Losses arising pursuant to the Distributor’s indemnification obligation in Section 6(b) below); (ii) the allegation of any willful misfeasance, bad faith or negligence of the Trust or any of its directors, officers, employees or affiliates in connection with its duties and responsibilities under this Agreement or by reason of reckless disregard of the obligations or duties of the Trust or such persons under this Agreement; (iii) any claim that the Registration Statement, Prospectus, Statement of Additional Information, product description, shareholder reports, Marketing Materials and advertisements specifically approved by the Trust and the Trust’s investment adviser or other information filed or made public by the Trust (as from time to time amended) included an untrue statement of a material fact or omitted to state a material fact required to be stated therein or necessary in order to make the statements therein (and in the case of the Prospectus, Statement of Additional Information and product description, in light of the circumstances under which they were made) not misleading under the 1933 Act, or any other statute or the common law; (iv) the breach by the Trust of any obligation, representation or warranty contained in this Agreement; or (v) the Trust’s failure to comply in any material respect with applicable securities laws.
(b) The Distributor agrees to indemnify and hold harmless the Trust and each of its Trustees and officers and any person who controls the Trust within the meaning of Section 15 of the 1933 Act (for purposes of this paragraph, the Trust and each of its Trustees and officers and its controlling persons are collectively referred to as the “Trust Indemnitees”) against any Losses arising out of or based upon (i) the allegation of any willful misfeasance, bad faith or negligence of the Distributor or any of its directors, officers, employees or affiliates in connection with its activities as Distributor pursuant to this Agreement or by any reason of reckless disregard of the obligations or duties of the Distributor or such persons under this Agreement; (ii) the breach of any obligation, representation or warranty contained in this Agreement by the Distributor; (iii) the Distributor’s failure to comply in any material respect with applicable securities laws, including applicable FINRA regulations; or (iv) any allegation that the Registration Statement, Prospectus, Statement of Additional Information, product description, shareholder reports, any information or materials relating to the Funds or other information filed or made public by the Trust (as from time to time amended) included an untrue statement of a material fact or omitted to state a material fact required to be stated therein or necessary in order to make the statements not misleading, insofar as such statement or omission was made in reliance upon, and in conformity with information furnished to the Trust, in writing, by or on behalf of the Distributor.
In no case (i) is the indemnification provided by an indemnifying party to be deemed to protect against any liability the indemnified party would otherwise be subject to by reason of willful misfeasance, bad faith or negligence in the performance of its duties or by reason of its reckless disregard of its obligations and duties under this Agreement, or (ii) is the indemnifying party to be liable under this Section with respect to any claim made against any indemnified party unless the indemnified party notifies the indemnifying party in writing of the claim within a reasonable time after the summons or other first written notification giving information of the nature of the claim shall have been served upon the indemnified party (or after the indemnified party shall have received notice of service on any designated agent).
Failure to notify the indemnifying party of any claim shall not relieve the indemnifying party from any liability that it may have to the indemnified party against whom such action is brought, on account of this Section, unless failure or delay to so notify the indemnifying party prejudices the indemnifying party’s ability to defend against such claim. The indemnifying party shall be entitled to participate at its own expense in the defense or, if it so elects, to assume the defense of any suit brought to enforce the claim, but if the indemnifying party elects to assume the defense, the defense shall be conducted by counsel chosen by it and satisfactory to the indemnified party. In the event that indemnifying party elects to assume the defense of any suit and retain counsel, the indemnified party shall bear the fees and expenses of any additional counsel retained by them. If the indemnifying party does not elect to assume the defense of any suit, it will reimburse the indemnified party for the reasonable fees and expenses of any counsel retained by them. The indemnifying party agrees to notify the indemnified party promptly of the commencement of any litigation or proceedings against it or any of its officers or directors in connection with the purchase or redemption of any of the Creation Units or the Shares.
(c) No indemnified party shall settle any claim against it for which it intends to seek indemnification from the indemnifying party, under the terms of section 6(a) or 6(b) above, without prior written notice to and consent from the indemnifying party, which consent shall not be unreasonably withheld. No indemnified or indemnifying party shall settle any claim unless the settlement contains a full release of liability with respect to the other party in respect of such action. This section 6 shall survive the termination of this Agreement.
(d) The Trust acknowledges and agrees that as part of its duties, Distributor will enter into AP Agreements. The APs may insert and require that Distributor agree to certain provisions in the AP Agreements that contain certain representations, undertakings and indemnification that are not included in the form-of AP Agreement (each such modified AP Agreement, a “Non-Standard AP Agreement”). Distributor acknowledges and agrees that execution of any Non-Standard AP Agreement requires prior written consent of the Trust.
To the extent that Distributor is requested or required to agree to any such representations, undertakings and/or indemnification mentioned above and the Trust’s written consent is obtained with respect to the execution of such Non-Standard AP Agreement, the Trust shall indemnify, defend and hold the Distributor Indemnitees free and harmless from and against any and all Losses that any Distributor Indemnitee may incur arising out of or relating to (a) the Distributor’s actions or failures to act pursuant to such Non-Standard AP Agreement; (b) any representations made by the Distributor in such Non-Standard AP Agreement to the extent that the Distributor is not required to make such representations in the form-of AP Agreement; or (c) any indemnification provided by the Distributor under such Non-Standard AP Agreement. In no event shall anything contained herein be so construed as to protect the Distributor Indemnitees against any liability to the Trust or its shareholders to which the Distributor Indemnitees would otherwise be subject by reason of willful misfeasance, bad faith, or negligence in the performance of Distributor’s obligations or duties under the Non-Standard AP Agreement or by reason of Distributor’s reckless disregard of its obligations or duties under the Non-Standard AP Agreement.
(e) Notwithstanding anything to the contrary in this Agreement, neither party shall be liable under this Agreement to the other party for any punitive, consequential or special damages or losses.
7. Representations.
(a) The Distributor represents and warrants that:
1. (i) it is duly organized as a Delaware limited liability company and is and at all times will remain duly authorized and licensed under applicable law to carry out its services as contemplated herein; (ii) the execution, delivery and performance of this Agreement are within its power and have been duly authorized by all necessary action; (iii) its entering into this Agreement or providing the services contemplated hereby does not conflict with or constitute a default or require a consent under or breach of any provision of any agreement or document to which the Distributor is a party or by which it is bound; (iv) it is registered as a broker-dealer under the 1934 Act and is a member of FINRA, and agrees to comply with all applicable rules and regulations of FINRA and to promptly notify the Trust in the event that it is suspended or expelled from FINRA; and (v) it has in place compliance policies and procedures reasonably designed to prevent violations of the Federal Securities Laws as that term is defined in Rule 38a-1 under the 1940 Act.
2. All activities by the Distributor and its agents and employees in connection with the services provided in this Agreement shall comply with the Registration Statement and Prospectus, the instructions of the Trust, and all applicable laws, rules and regulations including, without limitation, all rules and regulations made or adopted pursuant to the 1940 Act by the SEC or any securities association registered under the 1934 Act, including FINRA and the Listing Exchanges.
(b) The Distributor and the Trust each individually represent that (i) it is subject to a rule implementing 31 U.S.C. 5318(h) and maintains an anti-money laundering program (the “AML Program”) consistent with the USA PATRIOT Act and the rules thereunder; (ii) it is regulated by a Federal functional regulator as that term is defined under 31 C.F.R. § 1010.100(r); (iii) it provides ongoing employee training; (iv) it includes an independent audit function to test the effectiveness of the AML Program; (v) it establishes internal policies, procedures, and controls that are tailored to its particular business; (vi) it provides for the filing of all necessary anti-money laundering reports including, but not limited to, currency transaction reports and suspicious activity reports; and (vii) it allows for appropriate regulators to examine its anti-money laundering books and records. Notwithstanding the foregoing, the Trust acknowledges that the Authorized Participants are not “customers” for the purposes of 31 CFR 1024.220.
(c) The Distributor and the Trust each individually represent and warrant that: (i) it has procedures in place reasonably designed to protect the privacy of non-public personal consumer/customer financial information to the extent required by applicable law, rule and regulation; and (ii) it will comply with all of the applicable terms and provisions of the 1934 Act.
(d) The Trust represents and warrants that:
1. (i) it is duly organized as a Delaware statutory trust and is and at all times will remain duly authorized to carry out its obligations as contemplated herein; (ii) it is registered as an investment company under the 1940 Act; (iii) the execution, delivery and performance of this Agreement are within its power and have been duly authorized by all necessary action; (iv) its entering into this Agreement does not conflict with or constitute a default or require a consent under or breach of any provision of any agreement or document to which the Trust is a party or by which it is bound; (v) the Registration Statement and each Fund’s Prospectus have been prepared, and all Marketing Materials shall be prepared, in all material respects, in conformity with the 1933 Act, the 1940 Act and the rules and regulations of the SEC (the “Rules and Regulations”); (vi) the Registration Statement and each Fund’s Prospectus contain, and all Marketing Materials shall contain, all statements required to be stated therein in accordance with the 1933 Act, the 1940 Act and the Rules and Regulations; (vii) all statements of fact contained therein, or to be contained in all Marketing Materials, are or will be true and correct in all material respects at the time indicated or the effective date, as the case may be, and none of the Registration Statement, any Fund’s Prospectus, nor any Marketing Materials shall include any untrue statement of a material fact or omit to state a material fact required to be stated therein or necessary to make the statements therein, in the case of each Fund’s Prospectus in light of the circumstances in which made, not misleading; and (viii) except as otherwise noted in the Registration Statement and Prospectus, the offering price for all Creation Units will be the aggregate net asset value of the Shares per Creation Unit of the relevant Fund, as determined in the manner described in the Registration Statement and Prospectus;
2. it shall file such amendment or amendments to the Registration Statement and each Fund’s Prospectus as, in the light of future developments, shall, in the opinion of the Trust’s counsel, be necessary in order to have the Registration Statement and each Fund’s Prospectus at all times contain all material facts required to be stated therein or necessary to make the statements therein, in light of the circumstances in which made, not misleading. The Trust shall not file any amendment to the Registration Statement or each Fund’s Prospectus without giving the Distributor reasonable notice thereof in advance, provided that nothing in this Agreement shall in any way limit the Trust’s right to file at any time such amendments to the Registration Statement or any Fund’s Prospectus as the Trust may deem advisable. The Trust will also notify the Distributor in the event of any stop order suspending the effectiveness of the Registration Statement. Notwithstanding the foregoing, the Trust shall not be deemed to make any representation or warranty as to any information or statement provided by the Distributor for inclusion in the Registration Statement or any Fund’s Prospectus; and
3. upon delivery of Deposit Securities or Fund Securities to an Authorized Participant in connection with a purchase or redemption of Creation Units, the Authorized Participant will acquire good and unencumbered title to such securities, free and clear of all liens, restrictions, charges and encumbrances, and not subject to any adverse claims and that such Fund Securities and Deposit Securities will not be “restricted securities” as such term is used in Rule 144(a)(3)(i) under the 1933 Act.
8. Duration, Termination and Amendment.
(a) This Agreement shall be effective on the date set forth above, and unless terminated as provided herein, shall continue for two years from its effective date, and thereafter from year to year, provided such continuance is approved annually in accordance with the requirements of the 1940 Act, as such requirements may be modified by rule, regulation, order or guidance of the SEC or its staff. This Agreement may be terminated at any time, without the payment of any penalty, as to each Fund (i) by vote of a majority of those Trustees who are not parties to this Agreement or interested persons of any such party or (ii) by vote of a majority of the outstanding voting securities of the Fund, or by the Distributor, on at least sixty (60) days prior written notice. This Agreement shall automatically terminate without the payment of any penalty in the event of its assignment. As used in this paragraph, the terms “vote of a majority of the outstanding voting securities,” “assignment,” “affiliated person” and “interested person” shall have the respective meanings specified in the 1940 Act.
(b) No provision of this Agreement may be changed, waived, discharged or terminated except by an instrument in writing signed by both parties.
9. Notice.
Any notice or other communication authorized or required by this Agreement to be given to either party shall be in writing and deemed to have been given when delivered in person or by confirmed facsimile, email, or posted by certified mail, return receipt requested, to the following address (or such other address as a party may specify by written notice to the other):
(i) To Foreside:
Foreside Fund Services, LLC
Attn: Legal Department
Three Canal Plaza, Suite 000
Xxxxxxxx, XX 00000
Telephone: (000) 000-0000
Email: xxxxx@xxxxxxxx.xxx

(ii) If to the Trust:
Xxxxxx Xxxxxxx ETF Trust
Attn:
000 Xxxxx Xxxxxx
Xxx Xxxx, XX 00000
Telephone:
Email:
With a copy to: xxx-xxxxxxxx@xxxxxxxx.xxx
10. Choice of Law.
This Agreement shall be governed by, and construed in accordance with, the laws of the state of Delaware, without giving effect to the choice of laws provisions thereof.
11. Counterparts.
This Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
12. Severability.
If any provision of this Agreement shall be held or made invalid, in whole or in part, then the other provisions of this Agreement shall remain in force. Invalid provisions shall, in accordance with this Agreement’s intent and purpose, be amended, to the extent legally possible, in order to effectuate the intended results of such invalid provisions.
13. Insurance.
The Distributor will maintain at its expense an errors and omissions insurance policy adequate to cover services provided by the Distributor hereunder.
14. Confidentiality, Information Security and Business Continuity.
During the term of this Agreement, the Distributor and the Trust may have access to confidential information relating to such matters as either party’s business, trade secrets, systems, procedures, manuals, products, contracts, personnel, and clients. As used in this Agreement, “Confidential Information” means information belonging to one of the parties that is of value to such party and the disclosure of which could result in a competitive or other disadvantage to such party. Confidential Information includes, without limitation, Personal Information of personnel (including trustees, directors, officers and employees) of the Trust and its affiliates, financial information, proposals and presentations, reports, forecasts, inventions, improvements and other intellectual property; trade secrets; know-how; designs, processes or formulae; software; market or sales information or plans; customer lists; and business plans, prospects and opportunities (such as possible acquisitions or dispositions of businesses or facilities). Confidential Information includes information developed by either party in the course of engaging in the activities provided for in this Agreement, unless: (i) the information is or becomes publicly known through lawful means; or (ii) the information is disclosed to the other party without a confidential restriction by a third party who rightfully possesses the information and did not obtain it, either directly or indirectly, from one of the parties, as the case may be, or any of their respective principals, employees, affiliated persons, or affiliated entities. Any exclusion from the definition of Confidential Information will not apply to any Personal Information. The parties understand and agree that all Confidential Information shall be kept confidential by the other both during and after the term of this Agreement. Each party shall maintain commercially reasonable information security policies and procedures for protecting Confidential Information.
In the event Distributor becomes aware of critical vulnerabilities in any of its product(s) or platform(s) in which the Trust’s data is stored or through which the Trust’s data can be accessed, Distributor will use commercially reasonable efforts to remediate such vulnerabilities within 30 days or as promptly thereafter as reasonably practicable. The parties further agree that they will not, without the prior written approval by the other party, disclose such Confidential Information, or use such Confidential Information in any way, either during the term of this Agreement or at any time thereafter, except as required in the course of this Agreement and as provided by the other party or as required by law. Upon termination of this Agreement for any reason, or as otherwise requested by the Trust, all Confidential Information held by or on behalf of Trust shall be promptly returned to the Trust, or an authorized officer of the Distributor will certify to the Trust in writing that all such Confidential Information has been destroyed. This section 14 shall survive the termination of this Agreement. Notwithstanding the foregoing, a party may disclose the other’s Confidential Information if (i) required by law, regulation or legal process or if requested by the SEC or other governmental regulatory agency with jurisdiction over the parties hereto or (ii) requested to do so by the other party; provided that in the event of (i), the disclosing party shall, unless prohibited by law, give the other party reasonable prior notice of such disclosure to the extent reasonably practicable and shall reasonably cooperate with the other party (at such other party’s expense). 
The parties agree that the procedures and restrictions set forth immediately above shall not apply to disclosures of Confidential Information to the receiving party’s applicable regulatory authorities in connection with routine regulatory examinations or requests for information, with respect to which the receiving party shall be permitted to disclose such Confidential Information to the extent necessary to respond to such examinations or requests.
Annex A (Additional Terms), attached hereto and incorporated by reference herein, sets forth certain additional obligations of the parties relating to information security, data protection, privacy and business continuity. Without limiting the generality of the foregoing provisions under this section 14, the parties shall also comply with their respective obligations under Annex A.
15. | Limitation of Liability. |
This Agreement is executed by or on behalf of the Trust with respect to each of the Funds and the obligations hereunder are not binding upon any of the trustees, officers or shareholders of the Trust individually but are binding only upon the Fund to which such obligations pertain and the assets and property of such Fund, as provided in the Declaration of Trust. Separate and distinct records are maintained for each Fund and the assets associated with any such Fund are held and accounted for separately from the other assets of the Trust, or any other Fund of the Trust. The debts, liabilities, obligations, and expenses incurred, contracted for, or otherwise existing with respect to a particular Fund of the Trust shall be enforceable against the assets of that Fund only, and not against the assets of the Trust generally or any other Fund, and none of the debts, liabilities, obligations, and expenses incurred, contracted for, or otherwise existing with respect to the Trust generally or any other Fund shall be enforceable against the assets of that Fund. The Trust’s Agreement and Declaration of Trust is on file with the Trust.
16. | Use of Names; Publicity. |
The Trust shall not use the Distributor’s name in any offering material, shareholder report, advertisement or other material relating to the Trust, other than for the purpose of merely identifying and describing the functions of the Distributor hereunder, in a manner not approved by the Distributor in writing prior to such use, such approval not to be unreasonably withheld. The Distributor hereby consents to all uses of its name required by the SEC, any state securities commission, or any federal or state regulatory authority.
The Distributor shall not use the name “__________” in any offering material, shareholder report, advertisement or other material relating to the Distributor, other than for the purpose of merely identifying the Trust as a client of Distributor hereunder, in a manner not approved by the Trust in writing prior to such use; provided, however, that the Trust shall consent to all uses of its name required by the SEC, any state securities commission, or any federal or state regulatory authority; and provided, further, that in no case shall such approval be unreasonably withheld.
The Distributor will not issue any press releases or make any public announcements regarding the existence of this Agreement without the express written consent of the Trust. Neither the Trust nor the Distributor will disclose any of the economic terms of this Agreement, except as may be required by law.
17. | Exclusivity. |
Nothing herein contained shall prevent the Distributor from entering into similar distribution arrangements or from providing the services contemplated hereunder to other investment companies or investment vehicles.
18. | Governing Language. |
This Agreement has been negotiated and executed by the parties in English. In the event any translation of this Agreement is prepared for convenience or any other purpose, the provisions of the English version shall prevail.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed by their officers designated below as of the date first set forth above.
Foreside Fund Services, LLC | Xxxxxx Xxxxxxx ETF Trust |
By: | By: |
Xxxxxx Xxxxx, President | Name/title: [ ] |
EXHIBIT A
[please list Funds here]
Annex A
Additional Terms
1. | Security. |
(a) | The Distributor shall promptly notify the Trust (but in no event later than forty-eight (48) hours or such shorter timeframe as may be required under Applicable Laws) at xxxxxxxxxxxxxxxxx@xxxxxxxxxxxxx.xxx in the event that the Distributor learns a Security Breach has occurred. Each such notification shall contain, unless otherwise prohibited by applicable law and to the extent available to the Distributor, all material details of the Security Breach that are known at the time and an estimate of the effects on the Trust and specify corrective action already taken, or proposed to be taken, by the Distributor. The Distributor shall (i) promptly use commercially reasonable efforts to take appropriate steps to contain and control the Security Breach to prevent unauthorized access or further unauthorized access (as applicable) to the Confidential Information or facilities or adverse impact on the relevant facilities or services provided by the Distributor under this Agreement; (ii) continue to provide information relating to the investigation and resolution of the Security Breach until it has been resolved; and (iii) provide reasonable cooperation to the Trust or its investigator or any regulatory authority in investigating and responding to each successful or attempted Security Breach. The Distributor shall maintain appropriate processes for evidence collection, analysis and remediation of any security-related incident and make such information available to the Trust at its request. |
(b) | The Distributor shall, throughout the term of this Agreement, maintain and comply with the Security Standards. The Distributor shall ensure that the Security Standards meet industry standard practices (for a supplier providing services similar to the services being provided by the Distributor) and are reasonably sufficient to protect against unauthorized access to and destruction, loss, or improper alteration of, the Confidential Information of the Trust. Without prejudice to the generality of the foregoing, the Distributor shall ensure that the Security Standards include: (i) IT and cyber security controls (including regular password updating, firewalls and encryption); (ii) protection of the Trust’s Confidential Information in transit and storage; (iii) physical security measures and monitoring of premises; (iv) practices to detect, report and resolve security vulnerabilities and threats; (v) screening and regular training of the Distributor’s personnel engaged in the provision of services under this Agreement and regular reviews of their access privileges; (vi) internal information barriers and internal procedures to prevent breach of confidentiality and to avoid conflict of interest; and (vii) a cybersecurity program and risk identification process. The Distributor shall ensure that the Security Standards include the IT and cyber security controls set out in Exhibit II to this Annex A. |
2. | Vulnerability and Patch Management |
(a) | The Distributor monitors and supervises the development of all software that is used to process the Confidential Information of the Trust and conducts an independent security review of its environment. The Distributor reviews and tests custom code that is used to process such Confidential Information to identify potential coding vulnerabilities in accordance with industry standard security practices. All documentation of such assessments and remediation actions taken are confidential and proprietary and not disclosed externally. |
(b) | Applications that are used to process the Confidential Information of the Trust are periodically scanned to detect vulnerabilities in static code or open source components and penetration tests are performed regularly (e.g., prior to releases, and at regular intervals if there are no releases). The Distributor employs a comprehensive software security assurance program (“SSAP”) that includes architectural risk reviews, secure code reviews, threat-based penetration testing, dynamic scanning in the quality assurance phase for all applications that process the Confidential Information of the Trust and a periodic security evaluation of all externally facing applications. |
(c) | Patch management and vulnerability remediation across the Distributor’s applications and infrastructure are based on an internal prioritized scoring model which uses the Common Vulnerability Scoring System (CVSS), information from internal vulnerability assessments, and internally provided risk/severity ratings of the underlying assets and applications. The scoring model is designed to decrease risk exposure in critical areas by prioritizing remediation based on the Distributor’s environment. |
(d) | If the Distributor identifies a weakness or vulnerability that could have a direct, material adverse impact on the Distributor’s ability to (i) perform its obligations under this Agreement, (ii) comply with applicable laws in connection with this Agreement, or (iii) meet the Distributor’s business continuity capabilities in connection with this Agreement (each a “Deficiency”), the Distributor shall, within a commercially reasonable time, provide high-level information about the potential impact of that Deficiency and its remediation plan. The Trust acknowledges that any Deficiency shall be remediated and verified by the Distributor’s own internal audit group that is independent from the division performing the obligations under this Agreement. |
3. | Compliance with BCP. |
The Distributor shall, throughout the Term, maintain and periodically test (not less than annually) a written business continuity plan (“BCP”) which shall be consistent with then-current generally accepted industry standards. The Distributor shall ensure that the BCP is reasonably designed to enable the Distributor to effect the recovery and, as contemplated by the BCP, continuity of its key operations, systems and processes in the event of a Crisis or an occurrence of any other event that results in an interruption or suspension of the Distributor’s services. Upon request, the Distributor shall provide the Trust with a reasonable overview of its then-current BCP. Upon the Trust’s reasonable request, the parties shall meet to discuss the then-current BCP. [Note to Distributor: please provide a reasonable overview of your current BCP for our review] In the event of a Crisis, the Distributor shall (where and to the extent applicable) implement the BCP in accordance with its terms. The BCP shall provide, among other things, a mechanism for the redundancy or back-up of business operations designed to keep the services from becoming unavailable for a significant amount of time due to a Crisis or other event that results in the interruption or suspension of the services. Notwithstanding the foregoing, if a Crisis or such other event prevents the Distributor from providing services to the Trust, the Distributor shall allocate its efforts and resources to restoring the services no less favorably to the Trust than it allocates to any of its other similarly situated customers affected by the Crisis or such other event.
4. | Updates to Security Standards and BCP. |
The Distributor shall maintain the Security Standards to reflect developments in applicable laws. All changes (which either party may propose) to the Security Standards and BCP (and regardless of the reason for such changes) shall be subject to notification to, and approval by, the other party, except that the Trust’s approval shall not be needed to the extent any change is mandated by applicable laws or does not degrade or compromise the robustness of the security or business continuity measures offered and does not require the upgrading or reconfiguration of any system or process of the Trust or any of its affiliates. In all other situations, the parties shall use their best endeavors, acting in good faith, to agree to the relevant change and a timeframe for implementation. If agreement cannot be reached but the party proposing the change is unwilling to continue with the then-current Security Standards or BCP (as the case may be) without such change being made, then the Trust may terminate this Agreement (in whole or in part), without any penalty or termination fee or any other liability, on written notice to the Distributor, such termination to take effect: (a) if the change was proposed by the Distributor, on the date such change is implemented (of which the Distributor shall provide not less than 90 days’ written notice); or (b) if the change was proposed by the Trust, on 30 days’ written notice (or shorter timeframe as may be required commensurate with the threat presented). Upon any such termination, the Distributor shall promptly refund to the Trust all amounts pre-paid, and cancel any invoice, in respect of the terminated services that relate to the period beyond the effective date of termination.
5. | Definitions. |
Capitalized terms used in this Annex A and not otherwise defined shall have the meanings ascribed in this Agreement. As used in this Annex A, the following terms shall have the meaning hereinafter stated:
“BCP” has the meaning set forth in Section 3 of this Annex A.
“Crisis” means an act of God, terrorism, disaster, emergency or other applicable force majeure event or situation.
“Deficiency” has the meaning set forth in Section 2(d) of this Annex A.
“Security Breach” means that (irrespective of cause): (i) Confidential Information has been lost, misplaced, disclosed to or accessed by an unauthorized party; (ii) the Distributor’s or any of its subcontractor’s facilities associated with any Confidential Information have been accessed by an unauthorized party; or (iii) there has been a breach of the Security Standards or is a weakness in the Distributor’s or any of its subcontractor’s security practices or systems, and such breach or weakness could reasonably be expected to allow unauthorized access to Confidential Information or the Distributor’s or such subcontractor’s facilities associated with any Confidential Information or adversely impact such facilities, any products or services or any platform.
“Security Standards” means, collectively: (i) the Distributor’s security plans, policies, procedures and standards, including as may be set out or referenced in response to any information security and/or security architecture questionnaire(s) (and any follow-up questions and refreshed questionnaire(s)) issued by the Trust or any of its affiliates in relation to the relevant services, which have been submitted by or on behalf of the Distributor or any of its affiliates; and (ii) the Trust’s minimum security requirements set out or referenced in Exhibit II to this Annex A; and in the event of any conflict or inconsistency between (i) and (ii), then the more robust standard prevailing.
“SSAP” has the meaning set forth in Section 2(b) of this Annex A.
EXHIBIT I to Annex A
COMPLIANCE WITH PRIVACY AND DATA PROTECTION LAWS AND REGULATIONS
1. General Privacy and Data Protection
1.1. | The term “processing” shall have the meaning ascribed to it under applicable privacy and data protection laws, and the terms “process” and “processed” shall be construed accordingly. |
1.2. | The Distributor represents and warrants that: |
(a) | it shall process, use, maintain and disclose Personal Information only as necessary for the specific purpose for which that Personal Information was disclosed to it and only in accordance with the express instructions of the Trust and this Agreement, and it shall take steps to ensure that any natural person acting under its authority who has access to Personal Information does not process it except on instruction from the Trust, unless he or she is required to do so by applicable privacy and data protection laws; |
(b) | it shall, and shall procure that each of its subcontractors shall, put in place appropriate technical, physical, administrative and organizational measures against unauthorized or unlawful processing of Personal Information and against accidental destruction or loss of, or damage to, Personal Information processed pursuant to this Agreement, taking into account the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include but are not limited to the following: |
(i) | the pseudonymization and encryption of Personal Information; |
(ii) | the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the services the Distributor provides under this Agreement; |
(iii) | the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; |
(iv) | implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. In the event any of the Distributor’s security measures are found to be inadequate by the Trust, the Distributor shall take steps to remedy such inadequacy upon the Trust’s request; and |
(v) | the requirements regarding business continuity and data security as set forth in this Agreement; |
(c) | it shall promptly, and in any event within forty-eight (48) hours, notify the Trust in writing if it becomes aware of: (i) any accidental or unauthorized access, unlawful processing, accidental destruction or loss of, or damage to any Personal Information; (ii) any disclosure of any Personal Information to it or its personnel where the purpose of such disclosure is not known; (iii) any request for disclosure or inquiry regarding Personal Information from a third party; (iv) any material changes made to its security measures governing Personal Information that would adversely affect the security of Personal Information; (v) any breach by the Distributor of this Exhibit I; and (vi) any change in applicable law that is likely to have a substantial adverse effect on the Distributor’s ability to comply with this Exhibit I; |
(d) | if it learns or has reason to believe there has been any unauthorized access to or acquisition of Personal Information and if the law requires that the Distributor notify, or the Distributor voluntarily intends to notify, the individuals whose Personal Information was accessed or acquired, the Distributor shall not, except to the extent prohibited by mandatory applicable privacy and data protection laws, notify any such individual until the Distributor first consults with the Trust and the Trust has had an opportunity to review the notification the Distributor proposes to issue to individuals and given its express written consent to the same; |
(e) | it shall cooperate with the Trust and the relevant supervisory authority in the event of litigation or a regulatory inquiry concerning Personal Information and shall abide by the advice of the relevant supervisory authority with regard to the processing of such Personal Information; |
(f) | it shall comply with all laws, regulations and guidance concerning Personal Information which apply to the Distributor and/or the Distributor personnel and it shall enter into further agreements as requested by the Trust which are required to comply with laws applicable to the Trust or the Distributor from time to time; |
(g) | it shall assist the Trust in ensuring compliance with its obligations under applicable privacy and data protection laws, including in relation to conducting privacy impact assessments, and participating in any consultation with the relevant supervisory authority where requested and it shall take such steps necessary to mitigate any risks identified as a result of such consultation as instructed by the Trust to ensure compliance with applicable privacy and data protection laws, prior to any processing of any Personal Information; |
(h) | it shall maintain complete and accurate records of, and adequate supporting documents in relation to, its provision of the services and provide the Trust and/or its authorized representative with access to such records, supporting documents and information reasonably necessary to demonstrate compliance with applicable privacy and data protection laws and with this Exhibit I; |
(i) | it has not received any requests or orders, whether on a voluntary or mandatory basis, from any authority, agency, body or department for any access to or acquisition of Personal Information provided to the Distributor and/or any of its subcontractors by or on behalf of the Trust or otherwise accessed or acquired by the Distributor or any of its subcontractors in connection with the provision of services under this Agreement, nor is it aware of any such request or order pending from any such authority, agency, body or department; |
(j) | it shall promptly notify, co-operate and assist (with appropriate technical and organizational measures) the Trust, reasonably and in a timely manner, to enable the Trust and/or its affiliates to assess and respond to any requests of individuals wishing to exercise their rights under applicable privacy and data protection laws; |
(k) | it shall not provide access to any Personal Information to any authority, agency, body or department, whether on a voluntary or mandatory basis, in breach of the relevant individuals’ rights of privacy and data protection under applicable privacy and data protection laws or this Agreement, unless such access is required under applicable privacy and data protection laws; |
(l) | in the event that the Distributor and/or any of its subcontractors is requested or ordered to provide access to Personal Information to any authority, agency, body or department, or the Distributor and/or any of its subcontractors has any reason to believe that any such request or order has been or may be made to the Distributor and/or any of its subcontractors during the term of this Agreement, the Distributor shall: |
(i) | immediately (and not later than 48 hours or such shorter period required under applicable law after receipt of such request) notify the Trust in writing and, upon request, suspend or cease processing, and ensure that its subcontractors suspend or cease processing, any further Personal Information provided to the Distributor and/or any of its subcontractors by or on behalf of the Trust or otherwise accessed or acquired in connection with the provision of services under this Agreement with immediate effect and without penalty or termination fee or other liability; |
(ii) | review, under applicable laws, the legality of such request or order before responding and providing access to Personal Information to the authority, agency, body or department making such request or order; |
(iii) | work in good faith with Trust to challenge such request or order if, after review, it concludes that there are grounds under applicable laws to do so, inter alia seeking interim measures to suspend the effects of such request or order; and |
(iv) | provide the minimum amount of Personal Information permissible and necessary for the purposes when responding to such request or order; |
(m) | notwithstanding the foregoing, to the extent any Personal Information is disclosed by the Distributor to any authority, agency, body or department, whether on a voluntary or mandatory basis, the Distributor shall be deemed to be the controller (as defined under applicable data protection and privacy laws) of such Personal Information and accordingly shall be responsible for compliance with the obligations imposed on controllers by such laws in respect of the Distributor’s processing of such Personal Information; and |
(n) | it has no reason to believe that any applicable laws would prevent it from fulfilling the Trust’s instructions in relation to the processing of Personal Information, as specified under this Agreement. The Distributor shall promptly (and not later than 48 hours after receiving such instruction) inform the Trust if, in its reasonable opinion, an instruction infringes applicable privacy and data protection laws. In such circumstances, and not later than 48 hours after receiving such instruction, the Distributor shall provide the Trust in writing the rationale for determining that an instruction infringes applicable privacy and data protection laws. |
2. US Privacy Protection
The Distributor represents and warrants that it shall implement and maintain an appropriate written information security program, the terms of which shall meet or exceed the requirements for financial institutions, as applicable to the Distributor, under 17 CFR 248.30, and which shall include appropriate technical and organizational measures to: (a) ensure the security and confidentiality of all information provided to it by the Trust, including, without limitation, Personal Information (collectively, the “information”); (b) protect against any threats or hazards to the security or integrity of the information, including, without limitation, unlawful destruction or accidental loss, alteration and any other form of unlawful processing; and (c) prevent unauthorized access to, use or disclosure of the information.
3. Cross-Border Transfers
3.1 | The Distributor warrants and undertakes that it shall, and shall procure that each of its subcontractors shall, not cause or permit personal data to be transferred or otherwise processed outside of the United States without the Trust’s express prior written consent and otherwise in accordance with Section 3.2 below. |
3.2 | In the event of any cross border transfer of personal data approved by the Trust under Section 3.1 above, to the extent that any transfer is outside of a jurisdiction deemed to have an adequate level of protection for personal data by competent data protection authorities or other competent regulator, including the European Economic Area (“EEA”), Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Japan, New Zealand, Switzerland, Uruguay and such other countries notified in writing by the Trust from time to time (“Adequate Countries”), the respective parties shall be bound by the following transfer mechanisms: (i) in the context of transfers from the EEA and/or the UK, the Standard Contractual Clauses for Data Processors established in Third Countries pursuant to the Commission Decision (2010/87/EU) of 5 February 2010 under the EU Directive 95/46/EC as may be amended, updated or replaced from time to time (“Processor Standard Contractual Clauses”). The information required to complete the Processor Standard Contractual Clauses is incorporated by reference and applies to the parties as if it were set out herein in full. |
3.3 | In the event that the Processor Standard Contractual Clauses are at any time no longer deemed to provide adequate protection to personal data transferred, or in the event other jurisdictions require the implementation of transfer mechanisms, the parties shall adopt such alternative or new data transfer solution to replace the Processor Standard Contractual Clauses as is required by the Trust to comply with its legal and/or regulatory requirements. For the avoidance of doubt, the Trust shall have no liability to the Distributor in respect of the Distributor’s refusal to adopt such alternative or new data transfer solution. |
3.4 | If the Distributor operates as a data controller as defined under applicable privacy and data protection laws, in the event of any cross border transfer of personal data outside the Adequate Countries, the respective parties shall be bound by the following transfer mechanism: in the context of transfers from the EEA, the Standard Contractual Clauses for the Transfer of Personal Data from the Community to Third Countries pursuant to the Commission Decision C (2004) 5721 as may be amended, updated or replaced from time to time (Controller Standard Contractual Clauses). The information required to complete the Controller Standard Contractual Clauses is incorporated by reference and applies to the parties as if it were set out herein in full. |
3.5 | Unless otherwise specifically addressed in this Agreement, references to the European Union (“EU”) or the EEA in this Agreement, the Processor Standard Contractual Clauses and the Controller Standard Contractual Clauses includes the United Kingdom (“UK”), even though the UK is no longer a member state of the EU. |
EXHIBIT II TO ANNEX A
SECURITY STANDARDS - MINIMUM IT AND CYBER SECURITY CONTROLS
Control | Requirements |
1. Encryption Algorithms |
The Distributor must use one or more of the following approved protocols and cryptographic algorithms to encrypt the Trust’s Confidential Information in transit and at rest:
• Encryption in transit: TLS 1.2 or above, IPSec, SSHv2.
• Encryption at rest: Symmetric Encryption using AES128, AES192, or AES256 in the CBC, CFB, OFB, CTR, XTS or GCM block cipher modes.
Implementation notes:
• If public key is used, it must be RSA-2048, RSA-3072, or RSA-4096.
• If digital signature is used, it must be DSA-2048, DSA-3072, RSA-2048, RSA-3072, RSA-4096, ECDSA-224, ECDSA-256, ECDSA-384 or ECDSA-521.
• If hashing algorithm is used, it must be SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256, SHA3-384 or SHA3-512.
• If key derivation function is used, it must be Argon2, PBKDF2, scrypt, or bcrypt. |
2. Encryption | The Distributor may use volume encryption or database encryption. |
3. Key Management |
The Distributor must ensure that:
• encryption keys used in conjunction with the Trust’s Confidential Information may not be used in conjunction with data of any other customer of the Distributor;
• all such encryption keys must be rotated on a reasonable basis consistent with industry practice; and
• all such encryption keys must be stored in a designated vault or key management service, following industry best practices (e.g. NIST SP 800-57, FIPS 140-2 level 2). |
4. Authentication |
The Distributor may use one or more of the following methods for authenticating the Trust’s personnel or other authorized users attempting to access the services:
• XXXX / OIDC SSO
• Password + source IP validation |
5. Identity and Access Management |
The Distributor must ensure that the following identity and access management operations in respect of the Trust’s personnel or other authorized users accessing the services can be controlled by the Trust (and not solely by the Distributor):
• User provisioning operations (e.g. create, modify, terminate, delete);
• Entitlement management (e.g. create, modify, delete, assign and revoke roles and privileges);
• Reporting for identity and access management operations (for the purpose of auditing and periodic reviews). |
6. Privileged Access | The Distributor must ensure that administrator privilege access by personnel of the Distributor to the Trust’s account(s) with the Distributor (i.e. ability of a user to modify asset configuration or controls (e.g. access management, logging etc.) beyond normal daily business use) is provided just in time, as needed, instead of persistently available. |
7. Components Deployed On-Prem | The Distributor must ensure that Locally-Installed Software does not require permanent privileged access on the host (e.g. root access on Linux, or local administrator access on Windows), but rather runs under a user-specified non-privileged account. |
The Distributor must ensure that software and firmware updates to, and new versions of, Locally-Installed Software do not auto-update or download automatically without following a change control process controlled by the Trust. |
8. Access Privilege Management | The Distributor must ensure that access privileges of all the Distributor personnel accessing the Trust’s account(s) with the Distributor are assigned on a ‘need-to-know’ basis (i.e. users granted minimum access rights that are strictly required to execute their duties) and, in all cases, are reviewed regularly and promptly modified or withdrawn (whenever appropriate). |
9. Password Updating | The Distributor must ensure that: (i) the Distributor personnel accessing the Trust’s account(s) with the Distributor are regularly required to update their passwords; and (ii) the Trust’s personnel or other authorized users attempting to access the services are regularly required to update their passwords, or else that the Trust’s administrative user(s) have the ability to configure the services settings so that such updating is required. |
10. User activity logs | The Distributor must ensure that all activities by the Distributor personnel accessing the Trust’s account(s) with the Distributor are logged (such that the individual users who performed them are identifiable), and that such logs are monitored, secured to prevent unauthorized modification or deletion, and retained for a period commensurate with the criticality of the operations concerned (without prejudice to the Distributor’s record retention obligations under the Agreement). |
11. Patch Management | The Distributor must ensure that the latest available security updates and patches to all software used in the provision and/or support of the services are promptly applied. |
12. Anti-Virus Software | The Distributor must: (i) continuously screen the services it provides under this Agreement using a leading, commercially available software security program to detect the presence of any Virus and, upon detection, immediately eradicate or quarantine such Virus; and (ii) ensure that such services do not contain any code or protocol that would: (a) permit the gaining of unauthorized access to, or surreptitious monitoring of the use or operation of, the services or any system or platform; or (b) disable or impair the services or any system or platform, in any way, based on the elapsing of a period of time, the exceeding of an authorized number of copies or scope of use or the advancement to a particular date or other numeral. |
13. Firewall | The Distributor must ensure that a firewall is maintained in defense of all internet-facing systems used in the provision and/or support of the services the Distributor provides under this Agreement. |