1st AMENDMENT TO THE AWS CLOUD AGREEMENT
Exhibit 4.32
REDACTED COPY
Certain identified confidential information has been redacted from this exhibit because both (i) it is customarily and actually treated as private or confidential and (ii) it is not material.
Confidential portions of this Exhibit are designated by [*****].
ESPAIDER: ADT: /20
1st AMENDMENT TO THE AWS CLOUD AGREEMENT |
By this private instrument, the Parties, on one side,
PAGSEGURO INTERNET S.A., a corporation headquartered at Xxxxxxx Xxxxxxxxxx Xxxxx Xxxx, Xx. 0000, 0x andar, Part A, City of São Paulo, State of São Paulo, enrolled with the National Register of Legal Entities of the Ministry of Finance (CNPJ/MF) under No. 08.561.701/0001-01, herein represented pursuant to its Bylaws, hereinafter simply referred to as “CLIENT”;
UOL DIVEO TECNOLOGIA LTDA., a company established at Alameda Xxxxx xx Xxxxxxx, 000, 0x xxxxx, Xxxxxx Xxxxxxx, in the City of São Paulo, State of São Paulo, enrolled with the CNPJ under No. 01.588.770/0001-60, and branches at Avenida Ceci, 1850, in the City of Barueri, State of São Paulo, duly enrolled with the CNPJ under No. 01.588.770/0008-36, at Alameda Glete, 700 – 2º andar, Xxxxxx Xxxxxxx, in the City of São Paulo, State of São Paulo, enrolled with the CNPJ under No. 01.588.770/0011-31 and at Alameda Barão de Limeira, 425 – 2º andar, Xxxxxx Xxxxxxx, in the City of São Paulo, State of São Paulo, enrolled with the CNPJ under No. 01.588.770/0010-50, herein represented pursuant to its articles of association, hereinafter simply referred to as UOL DIVEO;
Whereas:
I.The Parties have entered into, on January 1st, 2017, a AWS CLOUD agreement, by means of which the CLIENT acquired from UOL DIVEO, AWS’s resale partner, products and services provided to CLIENT directly by AWS, as per the terms of use adhered, available at: xxxxx://x0-xx-xxxx-0.xxxxxxxxx.xxx/xxxxx- reseller/AWS+Reseller+Customer+License+Terms.pdf (periodically updated by AWS) (“Agreement”); and
II.The Parties are interested in including some conditions in the Agreement, in compliance with Circular Letter 3,909/2018, as enacted by the Full Board of the Central Bank of Brazil (BACEN).
Now, therefore, the Parties have agreed, pursuant to law, to enter into this 1st Amendment to the Agreement (“Amendment”), which shall bind the Parties and their successors at any time and at any rate, under the following terms and conditions:
1.PURPOSE
1.1.This instrument seeks to comply with BACEN Circular Letter 3,909/2018 and Resolution No. 4,658/18 of the National Monetary Council (CMN).
1.2.UOL DIVEO represents and warrants that it is and shall remain, during the entire contractual effectiveness, in compliance with BACEN Circular Letter 3,909/2018 and CMN Resolution 4,658/18, within the scope of its role as reseller and partner of AWS.
ESPAIDER: ADT: /20
1.3.For the service to the governed CLIENTS, AWS has entered into, with UOL DIVEO, the “Addendum for the Brazilian Financial Services Industry”, which includes:
(i)The AWS Regions offered to the CLIENT by AWS are listed in Exhibit I to this instrument and on AWS’s website, on the “AWS Global Infrastructure” page, available at xxxxx://xxx.xxxxxx.xxx/xxxxx-xxx/xxxxxxxxxxxxxxxxxxxx/
(ii)AWS shall implement and keep an information security program destined to offer, at least, the same protection level as evidenced, on this date, by the following:
(a)AWS’s security controls verified by AWS’s duly qualified and expert external auditors in the report of Organization and Systems Controls 1, Type 2, then in force (“SOC 1 Report”) and in the Organization and Systems Controls 2, Type 2, then in force (for availability/security and confidentiality) (“SOC 2 Report” and, jointly with SOC 1 Report, the “Reports”);
(b)AWS’s current certification by ISO 27001; and
(c)AWS’s current status as a Level 1 service provider pursuant to the PCI DSS (jointly with the ISO 27001, “Certifications”) or, in each case, the respective industry-standard alternative certifications or reports which succeed them or are reasonable alternatives thereto (provided that with a protection level at least equal to the standards set forth above), as determined by AWS (jointly, the “AWS Information Security Program”). For the avoidance of doubt, any exceptions found in any SOC 1 or SOC 2 Report (or their successors or alternatives) pursuant to this Section shall not constitute violations of AWS’s obligations, provided that AWS has taken proper measures, at its sole discretion, with the purpose of curing such exceptions. The Client may, with no additional cost, directly access and download copies of the SOC 1 Report, the SOC 2 Report and the ISO 27001 and PCI DSS certifications via AWS’s website (on the Date of Effectiveness, at xxxxx://xxx.xxxxxx.xxx/xxxxxxxx/) (“Artifact AWS”). In case AWS no longer keeps such website, UOL DIVEO or the CLIENT may request copies of AWS’s security and compliance reports directly from AWS.
(iii)Client Security and Redundancy. The CLIENT is provided with a range of options upon setting up accounts, and for each sensitive or otherwise valuable content, AWS advises the CLIENT to make use of robust security and redundancy resources, such as access controls, encrypting and backup. The CLIENT shall be responsible for properly setting up and using the Services Offers with the purpose of assuring the security and redundancy of its AWS accounts and its Content, such as, for instance, with the use of improved access controls to prevent unauthorized access to its AWS accounts and the CLIENT’s Content, employing encrypting technology to prevent unauthorized access to its Content and assuring the proper backup level to avoid loss of Content.
(iv)Client’s Content Segregation; Network Security. AWS Services are destined to allow a logic segregation of the CLIENT’s Content attributed to each AWS account. AWS shall keep access policies and controls with the purpose of managing which access is allowed to the AWS Network of each user and network connection, including the use of firewalls or equal technologies and authentication controls.
(v)Support and Transfer for the CLIENT’s Content after Termination of the Agreement: AWS shall comply with the obligations set forth in this clause, in order to aid the CLIENT in the ordered transfer of its activities after the Agreement is terminated. After the Termination Date, AWS shall provide the CLIENT with a period of at least thirty (30) days, during which AWS shall not take any measures with regard to removing the CLIENT’s Content. During said period, AWS shall allow the CLIENT to transfer or delete any Content, except if (i) forbidden by law or by any order from competent authorities, or in case such transfer or exclusion may attribute liabilities to AWS or its affiliates; or (ii) in case the CLIENT has not paid all sums due under the Resale Agreement. AWS shall delete the CLIENT’s Content upon request, by means of the Service controls, as described in the Documentation and provided by AWS for such purpose.
ESPAIDER: ADT: /20
(vi)Performance Information and Monitoring. AWS discloses updated information regarding service availability on its Service Health Dashboard, on the AWS website, available at xxxx://xxxxxx.xxx.xxxxxx.xxx, or in any successor address or related locations appointed by AWS. As of the Addendum’s Date of Effectiveness, the Amazon CloudWatch is a Service that allows the CLIENT to monitor its resources in the AWS cloud and the applications they run in the AWS. The CLIENT may use the Service Health Dashboard and the Amazon CloudWatch (or any successor Service) to monitor any limitations to the Services that may affect the CLIENT’s compliance with the applicable legislation or regulations.
(vii)Relevant Sub-Contractors. At least thirty (30) days before authorizing a Relevant Sub-Contractor, AWS shall add such Relevant Sub-Contractor to the list of Relevant Sub-Contractors available on the AWS website. A “Relevant Sub-Contractor” is an unaffiliated sub-contractor that provides a relevant portion of the web services which AWS commonly provides to its clients, and which failure to provide such relevant portion of the web services would cause a relevant adverse effect to the continuous operation of such AWS web services pursuant to the Agreement.
(viii)Regulatory Authority Requirements. In case the Regulatory Authority requires the CLIENT to verify its compliance with the Applicable Laws regulated by the Regulatory Authority in relation to the use of Services by the Regulated Entity (“Requirement”), AWS and the CLIENT shall deal with the Requirement as described in this Section:
a.Information Request. In case the CLIENT is not able to respond to a Requirement after employing commercially reasonable efforts for such (including the supply of available documentation and information and access to AWS’s relevant accounts) and notifying AWS of such condition, AWS shall employ commercially reasonable efforts to assist the CLIENT in the response to the Requirement by means of providing (i) relevant documentation and information related to the technical and organizational measures of AWS or its affiliates, and also to the Agreement; and (ii) for matters that may not be responded by said information and documentation, if any, a briefing on security and compliance to be drafted by the workers of AWS or its affiliates.
b.Regulatory Authority Supervision. AWS acknowledges that the CLIENT may be notified by the Regulatory Authority to take measures in relation to the Agreement. AWS and the CLIENT shall deal with a Requirement made by the Regulatory Authority as described in this Section. In case the parties are not able to respond to said Requirements, the CLIENT may terminate the Agreement with cause, in observance of the resale agreement entered into between the CLIENT and UOL DIVEO, which shall transfer to the CLIENT all tax exemptions or assessments agreed with AWS.
(ix)Confidentiality: Any information, replies and documentation disclosed by AWS to the CLIENT shall be treated as confidential information of the owning party and be provided to the receiving party pursuant to the confidentiality obligations reasonably accepted by the party owning the Confidential Compliance Information (which, in case of the Regulatory Authority, means confidentiality obligations set forth pursuant to the applicable law) and shall not be disclosed by the receiving party, except to the extent the Confidential Compliance Information may be disclosed to (a) the Regulatory Authority, provided that the CLIENT obtains confidential treatment or similar protections; and (b) the CLIENT, provided that all of AWS Confidential Compliance Information be treated as AWS confidential information pursuant to the Term of Use, the NDA and this Addendum. Further, (i) the CLIENT may access and directly download Reports and Certifications via the Artifact AWS (or any alternative method accessible via the AWS Website); and (ii) other AWS Confidential Compliance Information (except Reports, Certifications and any other information of, pertaining to, or otherwise included in the AWS Information Security Program) may be disclosed by UOL DIVEO to the CLIENT, provided that AWS agrees with such disclosure.
(x)The CLIENT shall bear with any costs incurred by AWS to comply with the REQUIREMENTS, which shall be collected by UOL DIVEO
Page 3 of 6
ESPAIDER: ADT: /20
1.4. DEFINITIONS:
(i)Applicable Law: means the applicable laws and regulations regulated by the Regulatory Authority related to the use of the Services by the Regulated Entity.
(ii)AWS Network: means the facilities, servers, network equipment, storage media and hosting software systems (for instance, virtual firewalls) of the AWS data center which are within AWS’s control and are used to provide the Services.
(iii)AWS Region: means a distinct set of AWS data centers located in a geographical area and used to provide the Services.
(iv)Circular Letter No. 3,909: means the “Circular Letter No. 3,909, of August 16, 2018”, issued by the Central Bank of Brazil.
(v)CMN Resolution No. 4,658: means the “Resolution No. 4,658, of April 26, 2018”, issued by the National Monetary Council and by the Central Bank of Brazil.
(vi)Regulated Entity: means the CLIENT, as subject to the supervision of the Regulatory Authority, and to CMN Resolution No. 4,658 or Circular Letter No. 3,909, pursuant to the Applicable Law.
(vii)Regulatory Authority: means the Central Bank of Brazil.
2. RATIFICATION
2.1.The Parties hereby ratify all other terms and conditions of the Agreement, making it clear that the terms and clauses that have not been expressly changed by this Addendum shall remain unchanged and fully effective.
In witness whereof, the Parties sing this instrument in two (2) counterparts of equal content, in the presence of two witnesses.
São Paulo, August 18, 2020.
DocuSigned by: /s/ Xxxxxx Bertozzo Xxxxxx | DocuSigned by: /s/ Rogildo Xxxxxxxx Xxxxxx | |||||||||||||
PAGSEGURO INTERNET S.A. | ||||||||||||||
DocuSigned by: /s/ Xxxxxx Bertozzo Xxxxxx | DocuSigned by: /s/ Rogildo Xxxxxxxx Xxxxxx | |||||||||||||
UOL DIVEO TECNOLOGIA LTDA | ||||||||||||||
Witnesses: | ||||||||||||||
1 | 2 | |||||||||||||
Name: | Name: | |||||||||||||
CPF: | CPF: |
ESPAIDER: ADT: /20
Exhibit I
Eligible Regions | |||||||||||||||||
Last Updated on 06/29/2020 | |||||||||||||||||
AWS Regions | |||||||||||||||||
The following AWS Regions: | |||||||||||||||||
US East (N. Virginia) | EU (Ireland) | Africa (Cape Town) | |||||||||||||||
US East (Ohio) | EU (Frankfurt) | Asia Pacific (Singapore) | |||||||||||||||
US West (Oregon) | EU (London) | Asia Pacific (Tokyo) | |||||||||||||||
US West (N. California) | EU (Milan) | Asia Pacific (Osaka) Local Region* | |||||||||||||||
Canada (Central) | EU (Paris) | Asia Pacific (Sydney) | |||||||||||||||
South America (São Paulo) | EU (Stockholm) | Asia Pacific (Seoul) | |||||||||||||||
GovCloud (US-West)* | Middle East (Bahrain) | Asia Pacific (Mumbai) | |||||||||||||||
GovCloud (US-East)* | Asia Pacific (Hong Kong) | ||||||||||||||||
*if you have access to such region | |||||||||||||||||
AWS Edge Network Locations | |||||||||||||||||
AWS Edge Network Locations in the following geographic regions: | |||||||||||||||||
Australia | |||||||||||||||||
Canada | |||||||||||||||||
Europe & Israel | |||||||||||||||||
Hong Kong | |||||||||||||||||
India | |||||||||||||||||
Japan | |||||||||||||||||
Malaysia | |||||||||||||||||
Middle East | |||||||||||||||||
Philippines | |||||||||||||||||
Singapore | |||||||||||||||||
South Africa & Kenya | |||||||||||||||||
South America | |||||||||||||||||
South Korea | |||||||||||||||||
Taiwan | |||||||||||||||||
United States | |||||||||||||||||
AWS Local Zones | |||||||||||||||||
The following AWS Local Zones: | |||||||||||||||||
Los Angeles, CA |
Page 5 of 6
Completion Certificate | ||||||||
Envelope ID: 2EF10C49D4054067900E768D0890B1C1 | Status: | |||||||
Completed Subject: UOL DIVEO and PagSeguro - TA - Cybersecurity | ||||||||
Source Envelope: | ||||||||
Document Pages: 6 | Signatures: 4 | Envelope Sent by: | ||||||
Certificate Pages: 5 | Initials: 1 | Xxxxxxxxx Xxxxxxxxxxxx Xxxx | ||||||
AutoNav: Enabled | ||||||||
Envelope ID Stamping: Enabled | ||||||||
Time Zone: (UTC-08:00) Pacific Time (US & Canada) |
Xx. Xxxxxxxxxx Xxxxx Xxxx, 0.000 XX, XX 00000-000
[*****]Endereço IP: [*****]
Record Tracking | ||||||||
Status: Original | Holder: Xxxxxxxxx Xxxxxxxxxxxx Xxxx | Location: DocuSign | ||||||
08/18/2020 12:13:56 | [*****] | |||||||
Signer Events | Signature | Timestamp | ||||||
Xxxxxxxxx Xxxxxxxxxxxx Neto | –DS | |||||||
[*****]LAWYER UNIVERSO ONLINE SA | -DocuSigned by: | |||||||
Security Level: E-mail, Account Authentication (None) | Signature adoption: Signature image loaded | |||||||
Signature Provider Details: | Using IP Address: [*****] | |||||||
Signature Type: DS Electronic | ||||||||
Electronic Record and Signature Disclosure: | ||||||||
Not offered via DocuSign | ||||||||
XXXXXX BERTOZZO XXXXXX | ||||||||
[*****] OFFICER UNIVERSO ONLINE LEGAL DEPARTMENT | -DocuSigned by: | Signature adoption: Pre-selected Style IP Address: [*****] | ||||||
Security Level: E-mail, Account Authentication (None) | ||||||||
Signature Provider Details: | ||||||||
Signature Type: DS Electronic | ||||||||
Electronic Record and Signature Disclosure: | ||||||||
Not offered via DocuSign | ||||||||
Rogildo Xxxxxxxx Xxxxxx | Signature adoption: Pre-selected Style IP Address: | |||||||
[*****] CEO UOLDIVEO | [*****]Signed using cellphone | |||||||
CEO | ||||||||
Security Level: E-mail, Account Authentication (None) | ||||||||
Signature Provider Details: | ||||||||
Signature Type: DS Electronic | ||||||||
Electronic Record and Signature Disclosure: | ||||||||
Accepted: 08/18/2020 12:18:12 | ||||||||
–DocuSigned by: | ||||||||
Sent: 08/18/2020 12:17:00 | ||||||||
Viewed: 08/18/2020 12:17:17 | ||||||||
Signed: 08/18/2020 12:17:34 | ||||||||
Sent: 08/18/2020 12:17:36 | ||||||||
Viewed: 08/18/2020 12:23:20 | ||||||||
Signed: 08/18/2020 12:23:25 | ||||||||
Sent: 08/18/2020 12:17:36 | ||||||||
Viewed: 08/18/2020 12:18:12 | ||||||||
Signed: 08/18/2020 12:18:24 | ||||||||
ID: [*****] | ||||||||
In Person Signer Events | Signature | Timestamp | ||||||
Editor Delivery Events | Status | Timestamp | ||||||
Agent Delivery Events | Status | Timestamp |
[*****] Confidential information redacted
Intermediary Delivery Events | Status | Timestamp | ||||||
Certified Delivery Events | Status | Timestamp | ||||||
Carbon Copy Events | Status | Timestamp | ||||||
Witness Events | Signature | Timestamp | ||||||
Notary Events | Signature | Timestamp | ||||||
Envelope Summary Events | Status | Timestamp | ||||||
Envelope sent | Hashed/Encrypted | 08/18/2020 12:17:36 | ||||||
Certified delivery | Security checked | 08/18/2020 12:23:20 | ||||||
Signing complete | Security checked | 08/18/2020 12:23:25 | ||||||
Completed | Security checked | 08/18/2020 12:23:25 | ||||||
Payment Events | Status | Timestamp | ||||||
Electronic Record and Signature Disclosure |
Electronic Record and Signature Disclosure created on: 12/27/2017 06:27:37
Parties agreed to: Rogildo Xxxxxxxx Xxxxxx
Parties agreed to: Rogildo Xxxxxxxx Xxxxxx
CONSENT TO ELECTRONIC RECEIPT OF ELECTRONIC RECORDS AND SIGNATURE DISCLOSURES
Electronic Record and Signature Disclosure
From time to time, UOL - UNIVERSO ONLINE S/A may be required by law to provide you with certain written notices or disclosures. Described below are the terms and conditions for us to provide you with such notices and disclosures electronically through the DocuSign, Inc. (DocuSign) electronic signature system. Read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to these terms and conditions, confirm your agreement by clicking the ‘I agree’ button at the bottom of this document.
Getting paper copies
At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print the documents we send to you through the DocuSign system during and immediately after the signature session, and, if you elect to create a DocuSign user account, you may access them for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish to get paper copies of any such documents to be sent from our office to you, you will not be charged a per-page fee. You may request delivery of such paper copies from us by following the procedure described below.
Withdrawing your consent
If you decide to receive notices and disclosures from us electronically, you may at any time change your mind and tell us thereafter that you want to receive notices and disclosures only in paper format. The procedure to inform us of your decision to receive future notices and disclosures in paper format and withdraw your consent to receive notices and disclosures electronically is described below.
Consequences of changing your mind
If you elect to receive notices and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and provide services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of receipt of such paper notices or disclosures. To let us know that you are changing your mind, you must withdraw your consent using the DocuSign “Withdraw Consent” form on the signature page of a DocuSign envelope instead of signing it. This will indicate to us that you have withdrawn your consent to receive notices and disclosures electronically from us and you will no longer be able to use the DocuSign system to receive notices and consents electronically from us or to electronically sign documents sent by us.
All notices and disclosures will be sent to you electronically
Unless you tell us otherwise in accordance with the procedures described herein, we will electronically send you through the DocuSign system all required notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to you during the course of our relationship with you. To reduce the chance of you inadvertently not receiving any notice or disclosure, we prefer to provide all of the required notices and disclosures to you using the same method and to the same address you have informed us. Thus, you can receive all the disclosures and notices electronically or in paper format through the paper mail delivery system. If you do not agree with this process, let us know as described below. Also see the paragraph immediately above that describes the consequences if you elect not to receive notices and disclosures electronically from us.
How to contact UOL - UNIVERSO ONLINE S/A:
You may contact us to let us know of your changes on how we should contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically, as provided below: To contact us by email send messages to: [*****]
[*****] Confidential information redacted
To contact us by email send messages to: UOL - UNIVERSO ONLINE S/A
To inform of your new e-mail address to UOL - UNIVERSO ONLINE S/A:
To let us know of a change in your e-mail address to which we should send notices and disclosures electronically to you, you must send us an e-mail to [*****] providing: your
previous e-mail address and your new e-mail address. We do not require any other information from you to change your e-mail address. We do not require any other information from you to change your email address.
In addition, you must notify DocuSign, Inc. in order to reflect your new e-mail address in your DocuSign account by following the process for changing e-mail in the DocuSign system.
To request paper copies from UOL - UNIVERSO ONLINE S/A:
To request us to send you paper copies of the notices and disclosures previously provided by us to you electronically, you must send an e-mail to [*****] and provide: your e-mail address, full name, Brazil Postal address, and telephone number. We will charge you for the amount of the copies, if applicable.
To withdraw your consent to UOL - UNIVERSO ONLINE S/A:
To inform us that you no longer want to receive future notices and disclosures in electronic format you may:
(i)refuse to sign a document in your DocuSign session, and on the subsequent page, select the check-box indicating you wish to withdraw your consent; or you may
(ii)send an e-mail to [*****] and provide your e-mail address, full name, Brazil Postal Address, and telephone number. We do not need any other information from you to withdraw consent. The consequences of your withdrawing consent for online documents will be that transactions may take longer to process. We do not require any other information from you to change your email address. The consequences of your withdrawing consent for online documents will be that transactions may take a longer time to process.
Required hardware and software**:
(i)Operating Systems: Windows® 2000, Windows® XP, Windows Vista®; Mac OS®
(ii)Browsers: Latest versions Internet Explorer® 6.0 or above (only Windows); Mozilla Firefox 2.0 or above (Windows and Mac); Safari™ 3.0 or above (only Mac)
(iii)PDF readers: Acrobat® or similar software may be required to view and print PDF files.
(iv)Screen Resolution: 800 x 600 minimum
(v)Enabled Security Settings: Allow per session cookies
** These minimum requirements are subject to change. If these requirements change, you will be asked to re-accept the disclosure. Pre-release (e.g. beta) versions of operating systems and browsers are not supported.
[*****] Confidential information redacted
Acknowledging your access and consent to receive materials electronically:
To confirm to us that you can access this information electronically, which will be similar to other electronic notices and disclosures that we will provide to you, please make sure you read this electronic disclosure and are able to print on paper or electronically save this page for your future reference and access or are able to e-mail this disclosure and consent to an e-mail address in which you will be able to print on paper or save this page for your future reference and access. Further, if you consent to receiving notices and disclosures exclusively in electronic format under the terms and conditions described above, let us know by clicking the “I agree” button below.
By checking the “I agree” box, I confirm that:
(i)I can access and read this Electronic CONSENT TO ELECTRONIC RECEIPT OF ELECTRONIC RECORDS AND CONSUMER SIGNATURE DISCLOSURES; and
(ii)I can print on paper the disclosure or save or send the disclosure to a place where I can print it, for future reference and access; and (iii) Until or unless I notify UOL - UNIVERSO ONLINE S/A as described above, I consent to receive exclusively through electronic means all notices, disclosures, authorizations, acknowledgements, and other documents that are required to be provided or made available to me by UOL - UNIVERSO ONLINE S/A during the course of my relationship with you.