SUPPLEMENTAL AGREEMENT
EXHIBIT NO. 99.(g) 11
WHEREAS, JPMorgan Chase Bank, N.A. (“X.X. Xxxxxx”) and Massachusetts Financial Services Company d/b/a MFS Investment Management, and each of its affiliates or funds listed as a party to the agreements listed in Section 1 below (hereinafter collectively referred to as “MFS” for ease of reference), are parties to each of the valid and binding agreements listed in Section 1 below, together with any amendments thereto (hereinafter collectively referred to as the “Agreements” for ease of reference); and
WHEREAS, X.X. Xxxxxx and MFS mutually desire to establish the terms and conditions set forth in this agreement (this “Supplemental Agreement”) and have such terms amend the Agreements described below, to the extent applicable to the services X.X. Xxxxxx provides thereunder;
THEREFORE, in consideration of the exchange of mutual covenants and agreements, the value and sufficiency of which are specifically acknowledged by the parties, X.X. Xxxxxx and MFS, intending to be legally bound by the terms herein, hereby agree to update and amend the Agreements to include the terms set forth herein.
1. AGREEMENTS SUPPLEMENTED:
A. Administrative Services Agreement dated June 11, 2004 by and among MFS Institutional Advisors, Inc., JPMorgan Chase Bank, N.A. (successor in interest to X.X. Xxxxxx Investor Services Co.) and each limited liability company listed on Schedule E thereto, as amended from time to time.
B. Global Custody Agreement dated as of June 11, 2004 by and among JPMorgan Chase Bank, N.A. and, as amended from time to time, MFS International Growth LLC, MFS International Research Equity LLC, MFS Core Plus Fixed Income LLC, MFS Global Equity LLC, MFS International Concentrated Equity LLC, MFS International Growth LLC II, MFS Global Aggregate Opportunistic LLC and MFS Emerging Markets Debt LLC I.
C. Custodian Agreement between each of the Investment Companies listed on Appendix A thereto, on behalf of each of Their Respective Portfolios, and JPMorgan Chase Bank, N.A., dated November 13, 2006, as amended from time to time.
D. Fund Accounting Agreement between each of the Investment Companies listed on Appendix A thereto, on behalf of each of Their Respective Portfolios, and JPMorgan Chase Bank, N.A. (successor in interest to X.X. Xxxxxx Investor Services Co.), dated November 13, 2006, as amended from time to time.
E. Securities Lending Agency Agreement among each of the entities listed on Exhibit A thereto, acting on behalf of itself or, in the case of a series company, on behalf of one or more of its portfolios or series listed on Exhibit A thereto and JPMorgan Chase Bank, N.A., dated November 22, 2006, as amended from time to time.
F. Any other Agreement entered into between X.X. Xxxxxx and MFS for provision of services by the Securities Services division of X.X. Xxxxxx that X.X. Xxxxxx and MFS agree to apply this Supplemental Agreement to; provided that MFS and X.X. Xxxxxx shall have entered into a joinder agreement in a form acceptable to X.X. Xxxxxx and MFS.
2. INTENT AND CONSTRUCTION
A. Purpose: The parties intend for this Supplemental Agreement to apply to the services (the “Services”) provided by X.X. Xxxxxx under each of the Agreements listed above and all Agreements entered into by the parties as described above in Section 1.F.
B. Construction: Except as otherwise expressly set forth herein, in the event of a conflict between this Supplemental Agreement and the Agreements related to the subject matters hereof, the provisions of this Supplemental Agreement shall control.
C. Effective Date: This Supplemental Agreement shall be effective as of April 9, 2024 (“Effective Date”). The term of this Supplemental Agreement shall commence on the Effective Date and shall automatically terminate as to each Agreement, upon such Agreement’s termination or expiration.
3. CONTRACTUAL PROVISIONS TO BE ADDED TO THE AGREEMENTS:
A. Data Security:
The parties hereto shall abide by Exhibit A: Security, which is attached hereto and made a part hereof.
B. Privacy:
X.X. Xxxxxx shall abide by Exhibit B: Privacy, which is attached hereto and made a part hereof.
C. Subcontractors; Liability Limitations
X.X. Xxxxxx may contract with or use affiliates or non-affiliate third parties (“Subcontractors”) to perform a portion of the Services. The term Subcontractors, as used herein, shall not include securities depositories.
X.X. Xxxxxx shall at all times remain the prime contractor to MFS with respect to such Subcontractors and shall retain full and complete responsibility and liability for the Services provided pursuant to the Agreements, the performance of the Services and the acts and omissions of each Subcontractor as if X.X. Xxxxxx provided such Services directly (without such Subcontractors).
If X.X. Xxxxxx permits any Subcontractor to subcontract any portion of the Services or provide any portion of the Services through the use of any other party including any affiliates of the Subcontractor, X.X. Xxxxxx shall be liable for the acts and omissions of such subcontractor of a Subcontractor as if X.X. Xxxxxx provided such Services directly (without such subcontractors of Subcontractors).
D. Audit Rights:
(i) Unless prohibited by applicable law and subject to the limitations set forth in clause (iii) below, upon reasonable prior written notice from MFS, X.X. Xxxxxx will provide: (i) any governmental or regulatory agencies or authorities having jurisdiction over MFS (“Regulatory Authorities”) (to the extent legally required); (ii) any of MFS auditors; and (iii) MFS (collectively, “MFS Monitors”) with reasonable access to X.X. Xxxxxx service location(s) out of which X.X. Xxxxxx personnel provide the Services, X.X. Xxxxxx personnel who provide the Services, and X.X. Xxxxxx books and records related to the Services as MFS Monitors may reasonably request for the purpose of reviewing X.X. Xxxxxx'x compliance with the provisions of this Supplemental Agreement and the applicable Agreements.
(ii) In the event X.X. Xxxxxx is found not to be in material compliance with this Supplemental Agreement as a result of MFS’ exercise of the rights set forth in clause (i) above, X.X. Xxxxxx will promptly take actions, at X.X. Xxxxxx’x expense, to comply with this Supplemental Agreement. If X.X. Xxxxxx does not take such actions, after 90 days' notice and opportunity to cure, X.X. Xxxxxx shall be deemed to be in material breach of this Supplemental Agreement. In addition, if permitted by applicable law and subject to the limitations set forth in clause (iii) below, X.X. Xxxxxx shall promptly respond to any reasonable, specific written or verbal inquiries by MFS Monitors regarding the foregoing.
(iii) The following limitations shall apply to this Section 3.G:
1. access shall only be provided during X.X. Xxxxxx’x business hours;
2. MFS Monitors shall (a) comply with X.X. Xxxxxx’x reasonable security and confidentiality requirements when accessing such locations, personnel or books and records and (b) cooperate with X.X. Xxxxxx to minimize disruption to X.X. Xxxxxx’x business activities;
3. the rights set forth in this Section 3.G. shall be subject to X.X. Xxxxxx’x rights to impose reasonable limitations on the scope, frequency and timing of exercise of such rights and MFS Monitors may not exercise the rights set forth in this Section 3.G. more than once in every two calendar years;
4. X.X. Xxxxxx shall not be required to disclose or make any information available or provide access to: (a) the extent that such information is subject to legal privilege; (b) the extent that such disclosure or access would result in a breach of law or duty of confidentiality or privacy owed to a third party or any X.X. Xxxxxx personnel; (c) the extent that such information is unrelated to the provision of the Services; (d) X.X. Xxxxxx internal audit reports, compliance or risk management plans or reports, work papers and other reports and information relating to management functions; or (e) the extent that such disclosure or access by MFS Monitors would, in X.X. Xxxxxx’x reasonable opinion, compromise the security of its technology systems; and
5. To the extent required by X.X. Xxxxxx’x policies and procedures relating to data security, X.X. Xxxxxx may provide access to summary materials in lieu of access to the full text of policies, procedures and other similar documentation.
E. Service Organization Control Reports:
Within 30 days of receiving MFS’ request and at least annually, X.X. Xxxxxx will send to MFS a copy of X.X. Xxxxxx'x Service Organizational Control (SOC) 1 reports (or any successor reports) prepared in accordance with the requirements of AT section 801, Reporting on Controls at a Service Organization (formerly Statement on Standards for Attestation Engagements (SSAE) No. 16). In addition, from time to time as requested, X.X. Xxxxxx will furnish MFS a "gap" or "bridge" letter that will address any material changes that might have occurred in X.X. Xxxxxx'x controls covered in the SOC Report from the end of the SOC Report period through a specified requested date. To the extent X.X. Xxxxxx obtains a SOC-2 report during the term of this Supplemental Agreement, X.X. Xxxxxx will provide MFS with a copy of its SOC-2 report. For the avoidance of doubt, MFS hereby acknowledges and agrees that X.X. Xxxxxx does not currently obtain a SOC-2 report in connection with its Services.
F. Business Continuity and Disaster Recovery:
X.X. Xxxxxx shall at all times maintain in place and (where and to the extent applicable) use reasonable efforts to implement business continuity plans and procedures (the “Business Continuity Plan” or “BCP”) that are reasonably designed to enable X.X. Xxxxxx to continue and/or effect the recovery of its operations and the products and services it provides to its clients in the event of a disruption, including, without limitation, due to Force Majeure Events (as defined below). The BCP shall be designed to restore business-critical activities within a reasonable time following a disruption. Upon reasonable request from MFS (but no more than once every calendar year), X.X. Xxxxxx shall, at its sole discretion, either (1) discuss with senior management of MFS the BCP or (2) provide a high-level presentation summarizing the BCP, including without limitation, X.X. Xxxxxx’x general approach to setting recovery time objectives. The effectiveness of the BCP is subject to actual implementation thereof in a Force Majeure Event, during which time unforeseen crises and critical events may occur that may affect the results of the implementation of the BCP. The BCP shall, at a minimum, address crisis management, business recovery, and IT disaster recovery, and shall include, without limitation, alternative work sites, back-ups and recovery of all relevant data and relevant computer systems, personnel plans, and physical and remote access to a recovery site. X.X. Xxxxxx shall regularly (no less frequently than annually) review, test and, if necessary, update the BCP. X.X. Xxxxxx shall (i) promptly address any material deficiencies in the BCP; and (ii) promptly complete and return MFS' annual Business Continuity/IT Security questionnaire. MFS shall not incur any additional fees solely as a result of any Force Majeure Event.
Notwithstanding the foregoing, neither party hereto shall be liable for any failure or delay in the performance of its obligations under the Agreements to the extent such failure or delay is caused by acts of God, acts of war, terrorism, civil riots or rebellions, quarantines, pandemics, embargoes and other similar unusual governmental action, and other causes beyond such party’s reasonable control. Events meeting any of the foregoing criteria are referred to collectively as “Force Majeure Events.”
G. Use of Data:
Notwithstanding anything to the contrary contained in any of the Agreements or in this Supplemental Agreement, neither MFS nor X.X. Xxxxxx (nor their respective Affiliates) may perform “Data Mining Operations” (as defined herein) or otherwise use the Confidential Information or data of the other party obtained from Data Mining Operations (including, without limitation, website visitation activity, meta data and product or service usage statistics) for internal or commercial benefit or for the benefit of any third party, or for any purpose other than in furtherance of the performance of the obligations under one or more of the Agreements and for any operational, credit or risk management purposes. It is understood by the parties that due diligence, verification or sanctions screening purposes, prevention or investigation of crime, fraud or any malpractice, including the prevention of terrorism, money laundering and corruption, purposes as well as tax reporting in connection with the Services specified in the Agreements is considered part and parcel of the performance of X.X. Xxxxxx’x obligations under the Agreements. Except as permitted in the foregoing sentences of this paragraph, any attempt to compile and/or use for its advantage or otherwise commercially exploit any Confidential Information of the other party is strictly prohibited. Furthermore, other than in furtherance of the performance of the obligations under one or more of the Agreements, any use for its advantage of any other data obtained from Data Mining Operations, including, without limitation, the nature, number and amount of transactions entered into through the systems, whether collected with respect to all or substantially all users of the systems, products and services contemplated by the Agreements in the aggregate, and whether or not any reference would otherwise enable any person to identify MFS or X.X. Xxxxxx, as the case may be, is strictly prohibited by this Supplemental Agreement. 
For the avoidance of doubt, all MFS data and other Confidential Information shall remain, at all times, the exclusive property of MFS, and all X.X. Xxxxxx data shall remain, at all times, the exclusive property of X.X. Xxxxxx.
As used herein, “Data Mining Operations” shall mean the use of tools such as “robots,” “bots,” “spiders” and “scrapers” and the use of Intelligent Process Automation or other methods (including manual methods) to extract, combine and/or analyze data for purposes other than in furtherance of providing the services under the Agreements. “Intelligent Process Automation” shall have the definition set forth under The Institute of Electrical and Electronics Engineers’ “IEEE P2755™”.
4. MISCELLANEOUS:
A. Severability; Waiver; and Survival:
(i) If one or more provisions of this Supplemental Agreement are held invalid, illegal or unenforceable in any respect on the basis of any particular circumstances or in any jurisdiction, the validity, legality and enforceability of such provision or provisions under other circumstances or in other jurisdictions and of the remaining provisions will not in any way be affected or impaired.
(ii) Except as otherwise provided herein, no failure or delay on the part of either party in exercising any power or right under this Supplemental Agreement operates as a waiver, nor does any single or partial exercise of any power or right preclude any other or further exercise, or the exercise of any other power or right. No waiver by a party of any provision of this Supplemental Agreement, or waiver of any breach or default, is effective unless it is in writing and signed by the party against whom the waiver is to be enforced.
(iii) The parties’ rights, protections and remedies under this Supplemental Agreement shall survive its termination.
B. Additional Definitions:
(i) “Confidential Information” means all non-public information concerning MFS which X.X. Xxxxxx receives in the course of providing the Services. Nevertheless, the term Confidential Information does not include (i) information that is or becomes available to the general public other than as a direct result of X.X. Xxxxxx’x breach of the terms of the relevant Agreement, (ii) information that X.X. Xxxxxx develops independently without using MFS’ confidential information, (iii) information that X.X. Xxxxxx obtains on a non-confidential basis from a person who is not subject to any obligation of confidence to MFS with respect to that information, or (iv) information that MFS has designated as non-confidential or consented to be disclosed.
C. No Third Party Beneficiaries:
A person who is not a party to this Supplemental Agreement shall have no right to enforce any term of this Supplemental Agreement.
This Supplemental Agreement supersedes any other agreement, statement or representation relating to its subject matter, whether oral or written. Amendments to this Supplemental Agreement must be in writing and signed by all parties hereto. Except as otherwise agreed to in this Supplemental Agreement, all other terms and conditions of the Agreements shall remain in full force and effect.
D. Counterparts:
This Supplemental Agreement may be executed in multiple counterparts, each of which shall be deemed an original, but all such counterparts shall together constitute one and the same instrument. Signatures transmitted by facsimile or electronic mail (including, without limitation, electronic mailing of a PDF) shall be treated as and deemed to be original signatures for all purposes and will have the same binding effect as if they were original, signed instruments delivered in person.
IN WITNESS WHEREOF, each of the parties has caused this Supplemental Agreement to be signed and delivered by its duly authorized officers as of the Effective Date above.
SIGNATURE PAGES FOLLOW
AS TO:
Administrative Services Agreement dated June 11, 2004 by and among MFS Institutional Advisors, Inc., JPMorgan Chase Bank, N.A. (successor in interest to X.X. Xxxxxx Investor Services Co.) and each limited liability company listed on Schedule E thereto, as amended from time to time.
Each of the limited liability companies listed on Schedule E of the Agreement
By: MFS Institutional Advisors, Inc., its Managing Member
By: /S/ XXXXX XXXXXX
Name: Xxxxx Xxxxxx
Title: Authorized Person
MFS Institutional Advisors, Inc.
By: /S/ XXXXX XXXXXX
Name: Xxxxx Xxxxxx
Title: Authorized Person
JPMORGAN CHASE BANK, N.A.
By: /S/ XXXX XXXX
Name: Xxxx Xxxx
Title: Executive Director
AS TO:
Global Custody Agreement dated as of June 11, 2004 by and among JPMorgan Chase Bank, N.A. and, as amended from time to time, MFS International Growth LLC, MFS International Research Equity LLC, MFS Core Plus Fixed Income LLC, MFS Global Equity LLC, MFS International Concentrated Equity LLC, MFS International Growth LLC II, MFS Global Aggregate Opportunistic LLC and MFS Emerging Markets Debt LLC I.
MFS International Growth LLC
MFS International Research Equity LLC
MFS Global Equity LLC
MFS International Concentrated Equity LLC
MFS Core Plus Fixed Income LLC
MFS International Growth LLC II
MFS Global Aggregate Opportunistic LLC
MFS Emerging Markets Debt LLC I
By: MFS Institutional Advisors, Inc., its Managing Member
By: /S/ XXXXX XXXXXX
Name: Xxxxx Xxxxxx
Title: Authorized Person
JPMORGAN CHASE BANK, N.A.
By: /S/ XXXX XXXXXXX
Name: Xxxx Xxxxxxx
Title: Executive Director
AS TO:
Custodian Agreement between each of the Investment Companies listed on Appendix A thereto on behalf of each of their Respective Portfolios and JPMorgan Chase Bank, N.A. dated November 13, 2006, as amended from time to time.
Signed by,
for and on behalf of
EACH OF THE INVESTMENT COMPANIES LISTED ON APPENDIX A THERETO ON BEHALF OF EACH OF THEIR RESPECTIVE PORTFOLIOS
By: /S/ XXXXX XXXXXXXXX
Name: Xxxxx XxXxxxxxx
Title: Fund President
Signed by,
for and on behalf of
JPMORGAN CHASE BANK, N.A.
By: /S/ XXXX XXXXXXX
Name: Xxxx Xxxxxxx
Title: Executive Director
AS TO:
Fund Accounting Agreement between each of the Investment Companies listed on Appendix A thereto, on behalf of each of Their Respective Portfolios, and JPMorgan Chase Bank, N.A. (successor in interest to X.X. Xxxxxx Investor Services Co.), dated November 13, 2006, as amended from time to time.
Signed by,
for and on behalf of
EACH OF THE INVESTMENT COMPANIES LISTED ON APPENDIX A THERETO ON BEHALF OF EACH OF THEIR RESPECTIVE PORTFOLIOS.
By: /S/ XXXXX XXXXXXXXX
Name: Xxxxx XxXxxxxxx
Title: Fund President
Signed by,
for and on behalf of
JPMORGAN CHASE BANK, N.A.
By: /S/ XXXX XXXX
Name: Xxxx Xxxx
Title: Executive Director
AS TO:
Securities Lending Agency Agreement among each of the entities listed on Exhibit A thereto, acting on behalf of itself or, in the case of a series company, on behalf of one or more of its portfolios or series listed on Exhibit A and JPMorgan Chase Bank, N.A., dated November 22, 2006, as amended from time to time.
Signed by,
for and on behalf of
EACH OF THE ENTITIES LISTED ON EXHIBIT A THERETO.
By: /S/ XXXXX XXXXXXXXX
Name: Xxxxx XxXxxxxxx
Title: Fund President
Signed by,
for and on behalf of
JPMORGAN CHASE BANK, N.A.
By: /S/ XXXXXX XXXXXXX
Name: Xxxxxx Xxxxxxx
Title: Managing Director
EXHIBIT A: SECURITY
A. Objective.
X. X. Xxxxxx shall maintain and enforce an information security policy (“Security Policy”) that satisfies the requirements set forth below. X. X. Xxxxxx may make changes to its information security controls provided that it does not materially reduce the protection it applies to systems, information, materials, documents or other data, whether in hard copy or electronic format, made available by MFS or their agents (including without limitation Confidential Information) to X.X. Xxxxxx during the course of receiving the Services and any data derived therefrom (collectively, “MFS Data”) as such protection is described in this Exhibit A.
The objective of X. X. Xxxxxx’x Security Policy and related information security program is to implement data security measures consistent in all material respects with applicable prevailing industry practices and standards (“Objective”). In order to meet such Objective, X. X. Xxxxxx shall:
i. protect the privacy, confidentiality, integrity, and availability of all MFS Data and the systems used to access, store and/or transfer MFS Data;
ii. ensure that MFS Data shall only be used by X. X. Xxxxxx for (a) the express purposes of providing the Services specified in the Agreements, (b) any operational, credit or risk management purposes in connection with the Services specified in the Agreements, (c) due diligence, verification or sanctions screening purposes in connection with the Services specified in the Agreements, or (d) the prevention or investigation of crime, fraud or any malpractice, including the prevention of terrorism, money laundering and corruption, as well as for tax in connection with the Services specified in the Agreements;
iii. protect against accidental, unauthorized, unauthenticated or unlawful access, copying, use, processing, disclosure, alteration, transfer, storage, loss or destruction of MFS Data;
iv. comply with applicable governmental laws, rules and regulations that are relevant to the handling, processing and use of MFS Data by X. X. Xxxxxx in accordance with the Agreement; and
v. implement administrative, physical, technical, procedural and organizational safeguards.
B. Risk Assessments.
i. Risk Assessment – X. X. Xxxxxx shall, at least annually, perform risk assessments that are designed to identify material threats (both internal and external) against X. X. Xxxxxx’x systems that process MFS Data, the likelihood of those threats occurring and the impact of those threats upon the X. X. Xxxxxx organization to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).
ii. Risk Mitigation – X. X. Xxxxxx shall manage, control and remediate any threats identified in the Risk Assessments that are likely to result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of MFS Data, consistent with the Objective, considering the complexity and scope of the activities of X. X. Xxxxxx pursuant to the Agreement.
iii. Security Controls Testing – X. X. Xxxxxx shall regularly test its environment for potential security flaws, and shall perform vulnerability scanning at least quarterly and other testing on a regular basis. X. X. Xxxxxx shall, on at least an annual basis and at its own expense, engage an independent, accredited external party or internal team to conduct reviews of X. X. Xxxxxx’x information security practices, including but not limited to conducting a penetration test on its systems having access to or holding or containing MFS Data consistent with its internal vulnerability management practices. If such reviews and tests identify a weakness or vulnerability that would materially adversely impact X.X. Xxxxxx’x ability to (i) perform its obligations under the Agreement, or (ii) comply with applicable laws in connection with the Agreement, X. X. Xxxxxx shall, within a reasonable time, provide MFS with high-level information about such impact to MFS and its remediation plan. Notwithstanding the foregoing, if the penetration testing reveals any critical or high vulnerabilities, X. X. Xxxxxx shall undertake remediation efforts to address such vulnerabilities in accordance with its internal policies.
iv. X. X. Xxxxxx Due Diligence – At any time during the term of this Agreement but no more than once annually, X. X. Xxxxxx shall complete MFS’s standard security diligence questionnaire in order for MFS to perform its standard due diligence on X. X. Xxxxxx (“X. X. Xxxxxx Due Diligence”). If X.X. Xxxxxx refuses to complete X. X. Xxxxxx Due Diligence, or if MFS determines after completing X. X. Xxxxxx Due Diligence on X. X. Xxxxxx in connection with this Agreement that X. X. Xxxxxx does not meet MFS’s reasonable security requirements (collectively, “Security Risks”), MFS may provide X. X. Xxxxxx the opportunity to remedy such Security Risk within thirty (30) days. If after such thirty (30) day period, the Security Risk is not remedied, MFS shall have the right to terminate this Agreement. In the event that X. X. Xxxxxx does not remedy the Security Risk and MFS terminates the Agreement, X. X. Xxxxxx shall promptly refund MFS a pro rata portion of any unused pre-paid fees paid by MFS in connection herewith (it being understood that any termination within the first three months of the Agreements shall result in a full refund), and MFS shall have no further fee payment obligations to X. X. Xxxxxx as of the termination date. The foregoing shall in no way limit any other remedies that MFS may have under this Agreement. In the event MFS determines that the Security Risk cannot be cured or that the Security Risk is of such a nature that MFS in its reasonable discretion determines it is an extreme risk, then it shall be deemed an incurable material breach and MFS may immediately terminate this Agreement.
C. Security Controls. Annually, X. X. Xxxxxx shall provide MFS’s Chief Information Security Officer or his or her designee with the latest client overview letter of X. X. Xxxxxx’x corporate information security program and an opportunity to discuss X. X. Xxxxxx’x information security measures with a qualified member of X. X. Xxxxxx’x information technology management team. X. X. Xxxxxx shall comprehensively review its Security Policy at least annually.
D. Organizational Security.
i. Responsibility – X. X. Xxxxxx shall assign responsibility for the oversight and implementation of X. X. Xxxxxx’x Security Policy and related information security program to a senior member of X. X. Xxxxxx’x personnel with appropriate qualifications and experience. Allocation of information security responsibilities for the protection of data and systems shall be assigned to qualified staff members to implement and maintain controls defined within the information security policy.
ii. Confidentiality – X. X. Xxxxxx personnel who have accessed or otherwise been made aware of MFS Data shall maintain the confidentiality of such information in accordance with internal policies which are consistent with the terms of the Agreement.
iii. Training – X. X. Xxxxxx will provide information security training to its personnel on at least an annual basis.
iv. Background Checks – X. X. Xxxxxx warrants that it has performed the following background investigations of Authorized Personnel based in the United States prior to their becoming Authorized Personnel: (i) verification of I-9 completion, Social Security and address verification; (ii) seven-year county of residence criminal records search; (iii) federal criminal search; (iv) fingerprinting with the search sent to and conducted by the Department of Justice/FBI; (v) verification that Authorized Personnel are not subject to or included on the regulations administered by the Office of Foreign Assets Control of the United States Department of the Treasury through the General Services Administration’s Federal Acquisition Regulation compliance program; (vi) verification of compliance with immigration laws; and (vii) verification of education and professional licenses, if applicable (collectively, the “Background Investigations”). For foreign nationals to the United States, X. X. Xxxxxx shall ensure that the Background Investigations also include, to the extent legally permissible, the local equivalent in such Authorized Personnel’s country of origin. X. X. Xxxxxx shall promptly notify MFS of any non-compliance with these obligations. Before Authorized Personnel based outside of the United States access MFS Data, X. X. Xxxxxx shall perform the local equivalent of the above-mentioned Background Investigations to the extent legally permissible in such jurisdictions.
All X. X. Xxxxxx personnel must successfully pass a background investigation before X.X. Xxxxxx employs them. Results of the background investigation are reviewed using X. X. Xxxxxx corporate guidelines and eligibility for hire, and all employees must successfully pass the requirements for employment under applicable federal or local law before X.X. Xxxxxx employs them. These requirements include Section 19 of the Federal Deposit Insurance Act, under which no individual can be employed by or participate in the affairs of an insured institution if that individual has been convicted of, or has entered into a Program Entry for, a criminal offense involving dishonesty, breach of trust, or money laundering without the consent of the FDIC. As such, during the background investigation X. X. Xxxxxx looks closely for records involving these offenses and requires clarification and documentation from an individual as necessary. Furthermore, pursuant to X. X. Xxxxxx policy, eligibility for employment or assignment is evaluated on a case-by-case basis for the following types of offenses: crimes of violence, crimes involving moral turpitude and crimes related to the performance of an employee’s responsibilities. X. X. Xxxxxx agrees that it will not allow X. X. Xxxxxx personnel who have not successfully passed a background investigation to perform any services or have access to any MFS Data. Should X. X. Xxxxxx become aware, after the initial screening is performed, that an Authorized Personnel has engaged in new criminal offenses or offenses not previously reviewed during initial screening that are inconsistent with X. X. Xxxxxx corporate guidelines and eligibility for employment, or lacks the education and professional licenses required under this provision, X. X. Xxxxxx shall immediately notify MFS and replace such Authorized Personnel on MFS’ account.
E. Changes in Technology and Hosting Provider.
i. Change in Technology – X. X. Xxxxxx shall promptly (but in no event less than 30 days after the date of such change or, if reasonably practicable, in advance of such change) notify MFS in writing in the event there is a change in the technology solutions that would materially adversely impact the provision of the Services to MFS as it relates to the handling of MFS Data in accordance with this Supplemental Agreement (“Material Technology Changes”). MFS may elect to terminate this Agreement upon written notice to X. X. Xxxxxx in the event that MFS reasonably opposes any such Material Technology Changes. X. X. Xxxxxx shall promptly (but in no event greater than 30 days after the date of providing written notice to X. X. Xxxxxx) provide MFS with a pro-rata refund for all unused pre-paid fees upon such termination.
ii. External Hosting Facilities – X. X. Xxxxxx shall implement controls, consistent with applicable laws and prevailing industry practices and standards, regarding the collection, use, transmittal, storage and/or disclosure of MFS Data by an external third party hosting provider (“Hosting Provider”). X. X. Xxxxxx shall: (i) perform all reasonable due diligence on such Hosting Provider to ensure that the Hosting Provider is, and will at all times be capable of, protecting MFS’ Data; (ii) inform MFS, upon its reasonable request, of the jurisdiction(s) where the Hosting Provider(s) storing MFS Data are located; and (iii) contractually obligate any Hosting Provider to employ appropriate security measures. X. X. Xxxxxx’x third party supplier oversight framework is designed to identify, assess and address risks arising from third party suppliers (including, without limitation, Hosting Providers) regarding the information security and controls in place to protect X. X. Xxxxxx and its clients in accordance with this Supplemental Agreement. Depending on the inherent risk rating of the Hosting Provider, reviews of their control environments and compliance with supplier Minimum Control Requirements (“MCRs”) are performed initially and then again periodically thereafter. Third party supplier reviews validate supplier compliance with MCRs in a wide range of control categories. Discrepancies are noted and, where agreed by stakeholders to be a risk, remediation plans with target dates are created and tracked to completion. Examples of key control categories include: risk management, security policy, physical and environmental controls, logical access control, incident response, vulnerability monitoring, encryption, business continuity and disaster recovery, third party (subcontractor) controls and cloud technology.
X. X. Xxxxxx shall be liable for the performance of this Supplemental Agreement (including those through any Hosting Provider). X.X. Xxxxxx acknowledges that regulated entities are obligated to oversee their third party service providers to assess and mitigate associated risks, and to demonstrate to regulators that its use of third party service providers is within the parameters of its regulatory obligations.
X. X. Xxxxxx shall not utilize a Hosting Provider that stores any MFS Data in sanctioned countries. All references in this Agreement to “Hosting Provider” shall include any third parties to whom X. X. Xxxxxx has outsourced material business functions and, if applicable, shall include, without limitation, Amazon Web Services and Microsoft.
F. Physical Security.
i. Securing Physical Facilities – X. X. Xxxxxx shall maintain systems located in X. X. Xxxxxx facilities that host MFS Data or provide services under the Agreement in an environment that is designed to be physically secure and to allow access only to authorized individuals. A secure environment includes the availability of onsite security personnel on a 24 x 7 x 365 basis or equivalent means of monitoring locations supporting the delivery of Services under the Agreement.
ii. Physical Security of Media – X. X. Xxxxxx shall implement and maintain controls, consistent with prevailing information security practices and standards, that are designed to deter the unauthorized access, copying, alteration or removal of any media containing MFS Data.
G. Communications and Operations Management.
i. Data Protection During Storage and Transmission – X. X. Xxxxxx shall at all times use secure methods to store, transmit and receive data to and from MFS or other locations. X. X. Xxxxxx shall encrypt information assets, using methods such as algorithms and key strengths. X.X. Xxxxxx’x encryption practice is consistent with industry standard solutions that are commercially reasonable and available from industry recognized vendors. Where encryption is mandatory, X.X. Xxxxxx shall encrypt, using an industry recognized encryption algorithm. Where encryption is not mandatory, X.X. Xxxxxx protects the data in other ways, for example, by data masking or tokenization. Specific details of X.X. Xxxxxx’x cryptographic standards are considered confidential and proprietary, and not for public disclosure.
X. X. Xxxxxx transmits MFS Data via wireless technology, email or the internet by encrypting information and utilizing a secure connection. X. X. Xxxxxx maintains controls designed to prohibit a direct connection between an employee’s own network and its remote network. X. X. Xxxxxx implements several mechanisms, as appropriate, that are designed to protect MFS Data in transit, processing and storage between connected networks.
ii. Data Loss Prevention – X. X. Xxxxxx shall have in place a data leakage program that is reasonably designed to identify, prevent, detect, monitor and document MFS Data leaving X. X. Xxxxxx’x control without authorization.
iii. Protection of Information Stored on Media – MFS Data may be stored on any removable media (e.g., laptops, tablets, cell phones, thumb drives, CDs, DVDs, PDAs or other portable media devices) by X. X. Xxxxxx as long as it has the ability to be encrypted consistent with the practices in Section G.i and Data Loss Prevention in Section G.ii.
iv. Malicious Code and Network Related Safeguards – X. X. Xxxxxx shall maintain and enforce security procedures with respect to its application server(s), database server(s) and related systems and equipment upon which MFS Data resides (whether in a production, test, development or other region or environment) or which may connect or have access to MFS affiliates' network (collectively, “X.X. Xxxxxx Environment”) that provide appropriate technical and organizational safeguards against accidental or unauthorized access to, destruction, loss, alteration or disclosure of MFS Data or access to X.X. Xxxxxx Environment.
v. Virus and Malware Management – X. X. Xxxxxx shall maintain a malware protection program designed to deter malware infections, detect the presence of malware within the X. X. Xxxxxx environment, and recover from any impact caused by malware. X. X. Xxxxxx shall implement and maintain reasonable controls that are designed to detect the introduction or intrusion of malicious code on information systems handling or holding MFS Data and implement, maintain and deploy a process for removing the malicious code from information systems handling or holding MFS Data.
H. Access Controls.
i. Logical Separation – Separation controls are implemented between MFS Data and X. X. Xxxxxx’x other clients’ data. Logical segregation and permission models are implemented to ensure that data segmentation based on data classification and business needs is maintained. Databases are maintained as a single tenancy.
ii. Information Transfer – Unless otherwise approved in writing by MFS or for the purposes of providing the Services in accordance with the Agreements, Authorized Personnel shall not be permitted to transmit any MFS Data to any third party.
iii. User Access and Monitoring – Only X. X. Xxxxxx’x employees, including any contractors, with a business “need to know” (“Authorized Personnel”) who have passed Background Investigations and are not based in a sanctioned country can have access to MFS Data. X. X. Xxxxxx must be able to monitor and document all access to and activity with respect to MFS Data, including without limitation: (i) verifying that only Authorized Personnel utilizing either personal or generic/service accounts are permitted to access MFS Data; and (ii) tracking, monitoring and documenting the activities and identities of each individual accessing MFS Data. X. X. Xxxxxx shall have a process to disable, within a reasonable time, access to MFS Data by any X. X. Xxxxxx personnel who no longer require such access, consistent with its internal practices. Upon MFS’ request, X. X. Xxxxxx shall also promptly disable access to its product/service by any MFS personnel.
iv. Authentication Credential Management – X. X. Xxxxxx shall communicate authentication credentials to users in a secure manner, with a proof of identity check of the intended users, including password resets.
v. Multi-Factor Authentication for Remote Access – X. X. Xxxxxx shall use multi-factor authentication and a secure tunnel, or another strong authentication mechanism, for allowing X. X. Xxxxxx users to remotely access X. X. Xxxxxx’x internal network.
I. Information Systems Acquisition Development and Maintenance.
i. Information Security Control Requirements – X. X. Xxxxxx shall implement and deploy systems, networks and services with security by design methods where MFS Data will be accessed, processed, stored and transmitted.
ii. Quality Assurance of Security Controls – X. X. Xxxxxx shall have in place and maintain procedures to validate that security controls are implemented as designed to protect the confidentiality, integrity, and availability of systems, networks and services where MFS Data will be accessed, processed, stored and transmitted.
iii. Change Control Procedures – X. X. Xxxxxx will have procedures documented, in place and enforced to provide assurance that the confidentiality, integrity, and availability of systems, networks and services are maintained when changes are applied.
J. Incident Event and Communications Management.
i. Incident Management/Notification of Breach – X. X. Xxxxxx has developed and implemented an incident response plan (the “Response Plan”) that specifies actions to be taken when X. X. Xxxxxx or one of its subcontractors or suppliers has reasonable knowledge or detects that: (i) it has experienced unauthorized loss or deletion of MFS Data; or (ii) an internal or external individual or other party has gained unauthorized access (intentional or otherwise) to MFS Data or systems or applications containing any MFS Data; or (iii) there has been any material breach or compromise of X. X. Xxxxxx systems or operations that had an adverse impact on MFS (collectively, “Security Incident”). Such Response Plan shall include the following:
1. Escalation Procedures – An escalation procedure that includes prompt notification to MFS (no later than 72 hours from discovery of the Security Incident and confirming the relevant details of such incident, and in any event prior to any press disclosure of such breach that names MFS), X. X. Xxxxxx’x senior managers and, if appropriate, reporting to regulatory and law enforcement agencies. This procedure shall provide for notification of all Security Incidents to MFS via telephone or email (and provide a confirmatory notice in writing as soon as practicable); provided that the foregoing notice obligation is excused for such period of time as X. X. Xxxxxx is prohibited by law, rule, regulation or other governmental authority from notifying MFS.
2. Incident Reporting – X. X. Xxxxxx shall promptly furnish to MFS reasonable information that X. X. Xxxxxx has regarding the general circumstances and extent of such actual knowledge of or confirmed Security Incident and its impact to MFS. X.X. Xxxxxx shall reasonably cooperate with MFS in providing such information to MFS as is necessary for MFS to comply with applicable regulatory reporting requirements related to Security Incidents. After initial report of the Security Incident to MFS, Vendor shall keep MFS informed of any later-discovered material circumstances of the Security Incident.
3. Investigation and Prevention – X. X. Xxxxxx shall investigate any such Security Incident and shall use commercially reasonable efforts to: (A) cooperate with MFS to the extent necessary to comply with statutory notice or other legal obligations applicable to MFS arising out of any Security Incident; and (B) take reasonable actions necessary to prevent and mitigate against loss from any such Security Incident. X. X. Xxxxxx shall use continuous and diligent efforts to remedy the cause and the effects of any Security Incident in an expeditious manner. X. X. Xxxxxx shall be responsible for associated costs that MFS and/or X. X. Xxxxxx may incur in connection with responding to, or managing a Security Incident.
K. MFS Data Destruction – Subject to any applicable international, country-specific, federal or state legal or regulatory requirements concerning record retention and litigation holds, X. X. Xxxxxx shall, upon MFS’ request or the termination of the Agreement, promptly, in X.X. Xxxxxx’x sole discretion: (i) return MFS Data (including all copies thereof) to MFS in a format reasonably requested by MFS at no cost to MFS; or (ii) destroy MFS Data; or (iii) render MFS Data unusable while it awaits destruction. Any destruction of MFS Data required hereunder shall be in accordance with then current Department of Defense (DoD) standards (which shall at least comply with DoD 5220.22-M or NIST SP 800-88), in a manner such that the data cannot be read, restored or retrieved. Many regulatory requirements impose a prescribed time period for X.X. Xxxxxx to maintain and destroy records. X.X. Xxxxxx’x Record Retention Policy (“Policy”) describes how records are retained, managed, stored and, where appropriate, destroyed. Since certain information cannot be erased or deleted from electronic systems, X.X. Xxxxxx maintains the confidentiality of all retained information until such time as the information is destroyed. All archival copies that are not destroyed must meet the level of protection described in this Security section until destroyed. X. X. Xxxxxx shall be responsible for any unauthorized use, deletion, destruction or alteration of MFS Data while in the possession or custody or under the control of X. X. Xxxxxx, including without limitation, while in the possession, custody, or control of X. X. Xxxxxx’x subcontractors, including any Hosting Provider.
EXHIBIT B: Privacy Terms
A. Compliance with laws
In connection with the Services, and the operation of its business, X.X. Xxxxxx collects information about natural persons, including MFS’s directors, officers, employees, and owners, from MFS, third parties, or directly from such natural persons. This information may constitute “Personal Data”, “Personal Information,” or similar as defined in and subject to Data Protection Laws (“Relevant Personal Data”). “Data Protection Laws” means laws anywhere in the world applicable to X.X. Xxxxxx’x collection, use, disclosure, sharing, transfer, storage, destruction, or other processing of Personal Data in the country in which X.X. Xxxxxx providing the relevant Services under the applicable Agreement is located. X.X. Xxxxxx makes available and updates from time to time information about X.X. Xxxxxx’x processing of Personal Data, including its various privacy notices and policies, on X.X. Xxxxxx’x website at xxx.xxxxxxxx.xxx. MFS is encouraged to review, and to direct individuals whose information MFS may provide to X.X. Xxxxxx to review, this information.
B. Security
i. X. X. Xxxxxx agrees that it has established appropriate technical and organizational measures, and will maintain and comply with written policies and procedures, as mandated by the Data Protection Laws to prevent any accidental, unauthorized or unlawful processing of (including, without limitation, accidental, unauthorized or unlawful disclosure of, access to and/or alteration of) Relevant Personal Data which it processes. Without limiting any requirements under Data Protection Laws, such policies and procedures shall address: (i) administrative, technical, and physical safeguards for the protection of Relevant Personal Data; (ii) detection of any unauthorized access to or use of Relevant Personal Data for unauthorized purposes; and (iii) the proper destruction of such materials so that the information contained therein cannot be practicably read or reconstructed.
C. Export requirements
i. If X. X. Xxxxxx at any time processes Relevant Personal Data originating from an MFS affiliate in any country which restricts the processing, export, or use of the Relevant Personal Data outside that country, X. X. Xxxxxx will take steps to ensure that the appropriate lawful transfer mechanism is in place.