Amendment To Transfer Agency and Services Agreement
EXHIBIT (k)(4)
This Amendment is entered into as of October 13, 2023 by and between each registered investment company listed on Exhibit 1 hereof (as may be amended from time to time) (each, a “Fund” and collectively, the “Funds”), each being a voluntary association commonly known as a “Massachusetts business trust” (each with its investment adviser and administrator being Xxxxx Xxxxx Management) with its principal place of business at Two International Place, Boston MA 02110 and Equiniti Trust Company (f/k/a American Stock Transfer & Trust Company, LLC (“AST”)), with its principal place of business at 0000 00xx Xxxxxx, Xxxxxxxx, XX 00000 (“EQ”), and is supplemental to the Transfer Agency and Services Agreement entered into as of February 5, 2007 by and between the parties (the “Agreement”).
Effective July 1, 2023, as evidenced in the Amended and Restated Organization Certificate of AST and pursuant to Section 8007 of the Banking Law of the State of New York, AST changed: (i) its name to EQ, (ii) its principal office address, and (iii) its term of existence to perpetual (collectively, the “2023 Changes”). The Boards of Trustees of the Funds are aware and consented to the 2023 Changes.
Unless separately defined in this Amendment, capitalized terms have the same meanings as in the Agreement. References to a Paragraph or Schedule are to a paragraph of, or a schedule to, the Agreement.
In consideration of the mutual agreements below, and intending to be legally bound, the parties agree that the Agreement shall be varied as set out in the remainder of this Amendment, from and with effect from the date of this Amendment.
1. | VARIATIONS TO AGREEMENT |
Fund and EQ agree that the terms of the Agreement shall be varied as follows:
1.1 | Paragraph 4(a) shall be amended by the addition of an additional sentence after the end of the first sentence as follows: |
“Upon request, EQ shall, and shall exercise commercially reasonable efforts to procure that each of its subcontractors shall, make available to Fund and its internal and external auditors and any regulator a copy of Fund’s records and other information relative to the Fund stored or processed by EQ at any time upon reasonable prior written notice.”
1.2 | A new paragraph 4(d) shall be inserted immediately following paragraph 4(c) and shall read as follows: |
“Without prejudice to the foregoing, EQ shall provide the Fund and EVM, annually and to the extent available, with a copy of the report of an independent audit conducted in relation to the architecture, systems, procedures and internal controls of EQ and each of its subcontractors, and their respective compliance with the Security Standards. EQ shall, and shall exercise commercially reasonable efforts to procure that each of its subcontractors shall, throughout the term of this Agreement: (i) allow the Fund and/or EVM to conduct (either itself or through a third party and including any regulator) an on-site audit (subject to Fund’s and EVM’s compliance with EQ’s internal policies and procedures) of: (a) EQ’s and/or such subcontractor’s architecture, systems and procedures (including security measures) used, and records kept, in connection with its provision of any Services (including the right to take copies of such records; provided, that such records do not include detailed information relating to EQ internal workings, EQ systems and EQ vulnerabilities which could give rise to a security threat or risk for EQ); and (b) EQ’s and/or such subcontractor’s compliance with the provisions of this Agreement; and (ii) provide access to EQ personnel and its external auditors and all reasonable cooperation in connection with any such audit. Any audit shall be conducted no more than once per calendar year (except to the extent required by a regulator) during normal business hours and upon at least 14 days’ notice, unless a regulator requires shorter notice or in the case of investigations of reasonable suspicion of fraud or business irregularities of a potentially criminal nature, or relating to the Fund’s or EVM’s data protection requirements”
1.3 | A new paragraph 4(e) shall be inserted immediately following paragraph 4(d) and shall read as follows: |
“EQ shall, and shall exercise commercially reasonable efforts to procure that each of its subcontractors shall, throughout the Term and, subject to applicable laws, for six years thereafter, maintain complete and accurate records, in accordance with generally accepted industry standards, so as to permit the Fund and EVM to monitor EQ’s compliance with this Agreement.”
1.4 | The following wording shall be added at the end of paragraph 5(d): |
“EQ shall, at least annually, test the EQ Security Breach (as defined below) management plan and the Disaster Recovery Plan and EQ’s compliance with them and provide the Fund and EVM with a summary of the results of such testing. If such testing reveals deficiencies in the Security Breach management plan and/or the Disaster Recovery Plan, EQ shall promptly remediate them.”
1.5 | Paragraph 8(iv) shall be amended from: |
“(vi) to the best of its knowledge, the various procedures and systems which EQ has implemented or will implement with regard to safeguarding from loss or damage attributable to fire, theft or any other cause (including provision of 24 hours-a-day restricted access) of the Fund’s records and other data and EQ’s records, data, equipment, facilities and other property used in the performance of its obligations hereunder are adequate and that it will make such changes therein from time to time as in its judgment are required for the secure performance of its obligations hereunder. The parties shall review such systems and procedures on a periodic basis.”
to:
“(vi) EQ shall make sure that the various procedures and systems which EQ has implemented or will implement with regard to safeguarding from loss or damage attributable to fire, theft or any other cause of the Fund’s records and other data and EQ’s records, data, equipment, facilities and other property used in the performance of its obligations hereunder are adequate and comply, and shall exercise commercially reasonable efforts to procure that its subcontractors shall comply, with the Security Standards, the Disaster Recovery Plan and the terms set out in Exhibit 3 (Data Protection). “Security Standards” means, collectively: (i) EQ’s security plans, policies, procedures and standards; and (ii) the Fund’s minimum security requirements set out in Exhibit 2 (Security Standards); and in the event of any conflict or inconsistency between (i) and (ii), then the more robust standard prevailing. The Disaster Recovery Plan refers to EQ’s business continuity plans, policies, procedures and standards designed to ensure the continuity of the Services in the event of disruption. EQ undertakes to provide full and accurate details of its security plans, policies, procedures and standards, and business continuity plans, policies, procedures and standards, in response to any information security and/or security architecture questionnaire(s) (and any follow-up questions and any refreshed questionnaire(s)) issued by the Fund or EVM or any of its affiliates in relation to the relevant services and submitted by or on behalf of EQ from time to time; provided that such information and documents provided do not include detailed information relating to EQ internal workings, EQ systems and EQ vulnerabilities which could give rise to a security threat or risk for EQ.”
1.6 | The first sentence of paragraph 9(b) shall be amended as follows: |
“The Fund will indemnify EQ against and hold it harmless from any and all losses, claims, damages, liabilities or expenses (including reasonable counsel fees and expenses) resulting from any claim, demand, action or suit not resulting from EQ’s breach of this Agreement (save where such breach is directly caused by EQ acting in accordance with the Fund’s instructions) and/or the bad faith or negligence of EQ, arising out of, or in connection with, its duties on behalf of the Fund hereunder.”
1.7 | Paragraph 9(g) shall be amended from: |
“(g) IN NO EVENT SHALL EQ HAVE ANY LIABILITY FOR ANY INCIDENTAL, SPECIAL, STATUTORY, INDIRECT OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, OR COSTS OF COVER.”
To:
“(g) EXCEPT IN CONNECTION WITH THE INDEMNIFICATION OBLIGATIONS HEREIN, NEITHER EQ NOR THE FUND SHALL HAVE ANY LIABILITY FOR ANY INCIDENTAL, SPECIAL, STATUTORY, INDIRECT OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, OR COSTS OF COVER.”
1.8 | A new paragraph 10(f) shall be inserted immediately following paragraph 10(e), and shall read as follows: |
“Notwithstanding anything to the contrary in this Agreement, the Fund may, on 30 days’ written notice or shorter timeframe requested by a relevant regulator, terminate this Agreement, without any penalty or termination fee or any other liability, in the event any regulator so requires pursuant to a written order, memorandum, or agreement.”
1.9 | A new paragraph 11(d) shall be inserted immediately following paragraph 11(c) and shall read as follows: |
“EQ shall make all the Fund’s confidential information or records in EQ’s possession (including those on electronic systems) available to the Fund upon request, in accordance with this Agreement.”
1.10 | A new paragraph 11(e) shall be inserted immediately following paragraph 11(d) and shall read as follows: |
“EQ shall not use any of the Fund’s information for any purpose other than in connection with this Agreement.”
1.11 | The words “(as defined in the 1940 Act)” shall be deleted from paragraph 12(b). |
1.12 | Paragraph 12(c) shall be deleted in its entirety and replaced with the following: |
“(c) EQ may not subcontract any of its obligations under this Agreement or any statement of work to any Material Subcontractor without Fund’s and/or EVM’s express prior written consent (which must be requested by email to XXXX_Xxxxxx@xxxxxxxxxxxxx.xxx and not to be unreasonably withheld or delayed); provided, however, that EQ is hereby authorized to continue using such Material Subcontractors engaged as of the date hereof as listed in Annex 1. Without prejudice to the foregoing, EQ shall: (a) enter into a written contract with all subcontractors requiring such subcontractors to comply with all relevant terms of this Agreement; and (ii) remain fully liable for the acts and omissions of all subcontractors (including all Material Subcontractors) as if performed by EQ. “Material Subcontractor” means any subcontractor of EQ that: (i) may have physical or logical access to any of Fund’s confidential information, or responsibility for the security of any of Fund’s confidential information or any system; (ii) is significantly relied on by EQ, meaning that interruption or discontinuance of service by such subcontractor could cause the provision of the services to be materially disrupted or degraded; and/or (iii) provides a service, feature or functionality that is client-facing or public-facing. Notwithstanding the foregoing, Fund hereby consents to EQ’s use of cloud data hosting services provided by recognized cloud service providers for data hosting, infrastructure, back-up, resiliency and disaster recovery purposes (including but not limited to Microsoft Azure and/or Amazon Web Services).”
1.13 | A new paragraph 12(d) shall be inserted immediately following paragraph 12(c) and shall read as follows: |
“12(d) Notwithstanding anything to the contrary in this Agreement, the Fund may assign its rights and/or obligations under this Agreement, in whole or in part, to any of its affiliates upon written notice to EQ, provided that such affiliates shall satisfy EQ’s “know-your-customer” requirements.”
1.14 | A new paragraph 20 shall be inserted immediately following paragraph 19, and shall read as follows: |
“20. Security Standards
“20.1 Compliance with Disaster Recovery Plan. EQ shall, throughout the Term, maintain and comply with the Disaster Recovery Plan. EQ shall ensure that the Disaster Recovery Plan is designed, in accordance with appropriate industry standards (for a supplier to the financial services sector), to ensure the continuity of provision of the Services, without any material interruption or deterioration, notwithstanding the occurrence of any crisis and, in the event of any interruption to such continuity, shall ensure service provision is restored in a time period that shall not materially adversely affect the ongoing operation of Fund’s business to which the Services relate. EQ shall ensure its operations are maintained in a state of readiness such that the Disaster Recovery Plan can be immediately invoked in the event of a crisis, in which event EQ shall do so and promptly notify the Fund that it has done so. In implementing the Disaster Recovery Plan, EQ shall allocate its efforts and resources no less favourably to the Fund than it allocates to any of its other customers.
20.2 Updates to Security Standards and Disaster Recovery Plan. EQ shall maintain the Security Standards and Disaster Recovery Plan to reflect developments in applicable laws. All changes (which either party may propose) to the Security Standards (and regardless of the reason for such changes) shall be subject to notification to, and approval by, the other party, except that the Fund’s or EVM’s approval shall not be needed to the extent any change is mandated by applicable Laws or does not degrade or compromise the robustness of the security or business continuity measures offered and does not require the upgrading or reconfiguration of any system or process of the Fund, EVM or any of its affiliates. In all other situations, the parties shall use their best endeavours, acting in good faith, to agree the relevant change and a timeframe for implementation. If agreement cannot be reached but the party proposing the change is unwilling to continue with the then-current Security Standards or Disaster Recovery Plan (as the case may be), without such change being made, and failing to make such change could give rise to a security threat or risk, then the Fund may terminate this Agreement and/or any applicable order (in whole or in part), without any penalty or termination fee or any other liability, on written notice to EQ, such termination to take effect: (i) if the change was proposed by EQ, on the date such change is implemented (of which EQ shall provide not less than 90 days’ written notice); or (ii) if the change was proposed by the Fund or EVM, on 30 days’ written notice (or shorter timeframe as may be required commensurate with the threat presented). Upon any such termination, EQ shall promptly refund to the Fund all amounts pre-paid, and cancel any invoice, in respect of the terminated Services that relate to the period beyond the effective date of termination.”
1.15 | A new paragraph 21 shall be inserted immediately following paragraph 20, and shall read as follows: |
“21. Security Breach Notification. EQ agrees that it shall promptly notify the Fund and EVM in writing and via email to xxxxxxxxxxxxxxxxx@xxxxxxxxxxxxx.xxx of any Security Breach of which it becomes aware (and such notification shall contain all material details of the Security Breach, an estimate of the effects on the Fund and specify corrective action already taken, or proposed to be taken, by EQ). “Security Breach” means that (irrespective of cause): (i) the Fund’s confidential information has been lost, misplaced, disclosed to or accessed by an unauthorized party; and/or (ii) there has been any non-compliance with the Security Standards which could reasonably be expected to allow unauthorized access to Fund’s and/or EVM’s Confidential Information.”
1.16 | A new paragraph 22 shall be inserted immediately following paragraph 21, and shall read as follows: |
“22. Insurance. EQ agrees that it shall, throughout the term of this Agreement, obtain and maintain in full force and effect, cyber insurance for a minimum coverage of $10 million (USD) per occurrence and in the aggregate.”
1.17 | Exhibits 2 (Security Standards) and 3 (Data Protection), as appended to this Amendment, shall be inserted immediately after Exhibit 1 of the Agreement. |
1.18 | Except as expressly varied by this Amendment, the Agreement shall continue in full force and effect in accordance with its terms. |
2. | GENERAL |
2.1 | Other than each of Fund’s affiliates, any party that is not a party to this Amendment shall not be entitled to any benefit from or to enforce any benefit under this Amendment. |
2.2 | This Amendment shall be governed by, and construed in accordance with, the governing law specified in the Agreement and any dispute arising from or in connection with this Amendment shall be subject to the dispute resolution provisions set out in the Agreement. |
This Amendment has been entered into by signature of the parties’ respective duly authorized representatives below:
Signed for and on behalf of Each of the Funds listed on Exhibit 1, severally and not jointly by:
/s/ Xxxxx X. Xxxxxxxx (signature)
Treasurer
Signed for and on behalf of EQUINITI TRUST COMPANY, LLC by:
/s/ Xxxxxx Xxxxx (signature)
Senior Vice President, Director Relationship Management
APPENDIX 1
EXHIBIT 2
SECURITY STANDARDS
Control | Requirements |
1. Encryption Algorithms | EQ must encrypt the Fund’s and EVM’s confidential information in transit and at rest, using one or more of the following approved protocols and cryptographic algorithms: Encryption in transit: TLS 1.2 or above, IPSec, SSHv2. Encryption at rest: Symmetric Encryption using AES128, AES192, or AES256 in the CBC, CFB, OFB, CTR, XTS or GCM block cipher modes. Implementation notes: If public key is used, it must be RSA-2048, RSA-3072, or RSA-4096. If digital signature is used, it must be DSA-2048, DSA-3072, RSA-2048, RSA-3072, RSA-4096, ECDSA-224, ECDSA-256, ECDSA-384 or ECDSA-521. If hashing algorithm is used, it must be SHA-256, SHA-384, SHA-512, SHA-512/256, SHA3-256, SHA3-384 or SHA3-512. If key derivation function is used, it must be Argon2, PBKDF2, scrypt, or bcrypt. |
2. Application Level Encryption | EQ must use application level encryption to encrypt the Fund’s and EVM’s confidential information at rest (rather than, e.g., self-encrypting drives, volume encryption or database encryption). |
3. Key Management | EQ must ensure that: (i) all encryption keys used in conjunction with the Fund’s and EVM’s confidential information as stored and processed in any Public Cloud environment are dedicated to the Fund and EVM (and not used in conjunction with data of any other customer of EQ); (ii) all such encryption keys must be rotated at least once every two years; and (iii) all such encryption keys must be stored in a designated vault or key management service, following industry best practices (e.g. NIST 800-57, FIPS140-2 level 2). |
4. Authentication | EQ must use only one or more of the following methods for authenticating Fund’s or EVM’s personnel or other authorized users attempting to access the Services: (i) XXXX / OIDC SSO; (ii) Strong Password + source IP validation. |
5. Privileged Access | EQ must ensure that administrator privilege access by EQ personnel to the Fund’s or EVM’s account(s) with EQ (i.e. ability of a user to modify asset configuration or controls (e.g. access management, logging etc.) beyond normal daily business use) is provided just in time, as needed, instead of persistently available. |
6. Access Privilege Management | EQ must ensure that access privileges of all EQ personnel accessing the Fund’s or EVM’s account(s) with EQ are assigned on a ‘need-to-know’ basis (i.e. users granted minimum access rights that are strictly required to execute their duties) and, in all cases, are reviewed regularly and promptly modified or withdrawn (whenever appropriate). |
7. Password Updating | EQ must ensure that: (i) EQ personnel accessing the Fund’s or EVM’s account(s) with EQ are regularly required to update their passwords; and (ii) the Fund’s or EVM’s personnel or other authorized users attempting to access the Services are regularly required to update their passwords. |
8. User activity logs | EQ must ensure that all activities by EQ personnel accessing the Fund’s or EVM’s account(s) with EQ are logged (such that the individual users who performed them are identifiable), that such logs are monitored, are secured to prevent unauthorized modification or deletion and retained for a period commensurate with the criticality of the operations concerned (without prejudice to EQ’s record retention obligations under the Agreement). |
9. Patch Management | EQ must ensure that the latest available security updates and patches to all software used in the provision and/or support of the Services are promptly applied. |
10. Anti-Virus Software | EQ must: (i) continuously screen the Services using a leading, commercially available software security program to detect the presence of any Virus and, upon detection, immediately eradicate or quarantine such Virus; and (ii) ensure that the Services do not contain any code or protocol that would: (a) permit the gaining of unauthorized access to, or surreptitious monitoring of the use or operation of, the Services or any System; or (b) disable or impair the Services or any System, in any way, based on the elapsing of a period of time, the exceeding of an authorized number of copies or scope of use or the advancement to a particular date or other numeral. |
11. Firewall | EQ must ensure that a firewall is maintained in defence of all internet-facing systems used in the provision and/or support of the Services. |
APPENDIX B
EXHIBIT 3
DATA PROTECTION
1. | General Privacy and Data Protection |
1.1 | In this Agreement, the term “processing” shall have the meaning ascribed to it under applicable privacy and data protection laws, and the terms “process” and “processed” shall be construed accordingly. |
1.2 | EQ represents and warrants that: |
(a) | it shall process, use, maintain and disclose Personal Information only as necessary for the specific purpose for which that Personal Information was disclosed to it and only in accordance with the express instructions of the Fund, EVM and this Agreement, and it shall take steps to ensure that any natural person acting under its authority who has access to Personal Information does not process them except on instruction from the Fund or EVM, unless he or she is required to do so by applicable privacy and data protection laws; |
(b) | it shall, and shall procure that each of its subcontractors shall, put in place appropriate technical, physical, administrative and organisational measures against unauthorised or unlawful processing of Personal Information and against accidental destruction or loss of, or damage to, Personal Information processed pursuant to this Agreement, taking into account the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include but are not limited to the following: |
(i) | the pseudonymisation and encryption of Personal Information; |
(ii) | the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the Services; |
(iii) | the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; |
(iv) | implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In the event any of EQ’s security measures are found to be inadequate by the Fund or EVM, EQ shall take steps to remedy such inadequacy upon the Fund’s or EVM’s request; and |
(v) | the requirements regarding business continuity and data security as set forth in this Agreement; |
(c) | it shall promptly and without undue delay (and in any event within 24 hours) notify the Fund and EVM in writing if it becomes aware of: (i) any accidental or unauthorised access, unlawful processing, accidental destruction or loss of, or damage to any Personal Information; (ii) any disclosure of any Personal Information to it or its personnel where the purpose of such disclosure is not known; (iii) any request for disclosure or inquiry regarding Personal Information from a third party; (iv) any breach by EQ of this Exhibit and (v) any change in applicable law that is likely to have a substantial adverse effect on EQ’s ability to comply with this Exhibit; |
(d) | if it learns or has reason to believe there has been any unauthorized access to or acquisition of Personal Information and if the law requires that EQ notify, or EQ voluntarily intends to notify, the individuals whose Personal Information was accessed or acquired, EQ shall not, except to the extent prohibited by mandatory applicable privacy and data protection laws, notify any such individual until EQ first consults with the Fund and EVM, and the Fund and EVM has had an opportunity to review the notification EQ proposes to issue to individuals and given its express written consent to the same; |
(e) | it shall cooperate with the Fund and EVM and the relevant supervisory authority in the event of litigation or a regulatory inquiry concerning Personal Information and shall abide by the advice of the relevant supervisory authority with regard to the processing of such Personal Information; |
(f) | it shall comply with all laws, regulations and guidance concerning Personal Information which apply to EQ and/or EQ personnel and it shall enter into further agreements as requested by the Fund or EVM which are required to comply with laws applicable to the Fund and EVM or EQ from time to time; |
(g) | it shall assist the Fund and EVM in ensuring compliance with its obligations under applicable privacy and data protection laws, including in relation to conducting privacy impact assessments, and participating in any consultation with the relevant supervisory authority where requested and it shall take such steps necessary to mitigate any risks identified as a result of such consultation as instructed by the Fund or EVM to ensure compliance with applicable privacy and data protection laws, prior to any processing of any Personal Information; |
(h) | it shall maintain complete and accurate records of, and adequate supporting documents in relation to, its provision of the services and provide the Fund, EVM and/or its authorized representative with full access to such records, supporting documents and information necessary to demonstrate compliance with applicable privacy and data protection laws and with this Exhibit; |
(i) | it has not received any requests or orders, whether on a voluntary or mandatory basis, from any authority, agency, body or department for any access to or acquisition of Personal Information provided to EQ and/or any of its subcontractors by or on behalf of the Fund or EVM, or otherwise accessed or acquired by EQ or any of its subcontractors in connection with the provision of services, nor is it aware of any such request or order pending from any such authority, agency, body or department; |
(j) | it shall promptly notify, co-operate and assist (with appropriate technical and organizational measures) the Fund and EVM, fully and in a timely manner, to enable the Fund, EVM and/or its affiliates to assess and respond to any requests of individuals wishing to exercise their rights under applicable privacy and data protection laws; |
(k) | it shall not provide access to any Personal Information to any authority, agency, body or department, whether on a voluntary or mandatory basis, in breach of the relevant individuals’ rights of privacy and data protection under applicable privacy and data protection laws or this Agreement, unless such access is required under applicable privacy and data protection laws; |
(l) | in the event that EQ and/or any of its subcontractors is requested or ordered to provide access to Personal Information to any authority, agency, body or department, or EQ and/or any of its subcontractors has any reason to believe that any such request or order has been or may be made to EQ and/or any of its subcontractors during the Term, EQ shall: |
(i) | as promptly as practicable (and not later than 24 hours or such shorter period required under applicable law after receipt of such request) notify the Fund and EVM in writing and, upon request, suspend or cease processing, and ensure that its subcontractors suspend or cease processing, any further Personal Information provided to EQ and/or any of its subcontractors by or on behalf of the Fund and EVM or otherwise accessed or acquired in connection with the provision of Services with immediate effect and without penalty or termination fee or other liability; |
(ii) | review, under applicable laws, the legality of such request or order before responding and providing access to Personal Information to the authority, agency, body or department making such request or order; |
(iii) | challenge such request or order if, after review, it concludes that there are grounds under applicable laws to do so, inter alia seeking interim measures to suspend the effects of such request or order; and |
(iv) | provide the minimum amount of Personal Information permissible and necessary for the purposes when responding to such request or order; |
(m) | notwithstanding the foregoing, to the extent any Personal Information is disclosed by EQ to any authority, agency, body or department, whether on a voluntary or mandatory basis, EQ shall be deemed to be the controller (as defined under applicable data protection and privacy laws) of such Personal Information and accordingly shall be responsible for compliance with the obligations imposed on controllers by such laws in respect of EQ’s processing of such Personal Information; and |
(n) | it has no reason to believe that any applicable laws would prevent it from fulfilling the Fund’s or EVM’s instructions in relation to the processing of Personal Information, as specified under this Agreement and any applicable statement of work. EQ shall immediately (and not later than 48 hours after receiving such instruction) inform the Fund and EVM if, in its reasonable opinion, an instruction relating to such statement of work infringes applicable privacy and data protection laws. In such circumstances, and not later than 48 hours after receiving such instruction, EQ shall provide the Fund and EVM in writing the rationale for determining that an instruction relating to such Statement of Work infringes applicable privacy and data protection laws. |
2. | Cross-Border Transfers |
2.1 | EQ warrants and undertakes that it shall, and shall procure that each of its subcontractors shall, not cause or permit personal data to be transferred or otherwise processed outside of the countries specified in this Agreement without the Fund’s or EVM’s express prior written consent and otherwise in accordance with paragraph 2.2. |
2.2 | In the event of any cross border transfer of personal data approved by the Fund or EVM under paragraph 2.1, to the extent that any transfer is outside of a jurisdiction deemed to have an adequate level of protection for personal data by competent data protection authorities or other competent regulator, including the European Economic Area (“EEA”), Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Japan, New Zealand, Switzerland, Uruguay and such other countries notified in writing by the Fund or EVM from time to time (“Adequate Countries”), the respective parties shall be bound by the following transfer mechanisms: (i) in the context of transfers from the EEA and/or the United Kingdom (“UK”), the Standard Contractual Clauses pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (“GDPR”) of the European Parliament and of the Council, as may be amended, updated or replaced from time to time (“Standard Contractual Clauses”), including Module Two – Transfer controller to processor (“Processor SCCs”); and/or (ii) in the context of transfers from other jurisdictions, the data transfer agreement as available at xxx.xxxxxxxxxxxxx.xxx/xxxxxxx-xxxxxx, as may be amended, updated or replaced from time to time (“Equivalent Processor DTA”). The information required to complete the Processor SCCs and/or Equivalent Processor DTA as detailed in the applicable statement of work is incorporated by reference and applies to the parties as if it were set out herein in full. |
2.3 | In the event that the Processor SCCs and/or Equivalent Processor DTA are at any time no longer deemed to provide adequate protection to personal data transferred, or in the event other jurisdictions require the implementation of transfer mechanisms, the parties shall adopt such alternative or new data transfer solution to replace the Processor SCCs and/or Equivalent Processor DTA as is required by the Fund or EVM to comply with its legal and/or regulatory requirements. For the avoidance of doubt, the Fund or EVM shall have no liability to EQ in respect of EQ’s refusal to adopt such alternative or new data transfer solution. |
2.4 | If EQ operates as a data controller as defined under applicable privacy and data protection laws, in the event of any cross border transfer of personal data outside the Adequate Countries, the respective parties shall be bound by the following transfer mechanisms: (i) in the context of transfers from the EEA, the Standard Contractual Clauses including Module One – Transfer controller to controller (“Controller SCCs”); and/or (ii) in the context of transfers from other jurisdictions, the data transfer agreement as available at xxx.xxxxxxxxxxxxx.xxx/xxxxxxx-xxxxxx, as may be amended, updated or replaced from time to time (“Equivalent Controller DTA”). The information required to complete the Controller SCCs and/or Equivalent Controller DTA as detailed in the applicable statement of work is incorporated by reference and applies to the parties as if it were set out herein in full. |
2.5 | Unless otherwise specifically addressed in this Agreement, references to the European Union (“EU”) or the EEA in this Agreement and the Standard Contractual Clauses include the UK, even though it is no longer a member state of the EU. |
APPENDIX C - Material Subcontractors
Subcontractor | Services Provided | Location of Processing |
Sungard Availability Services, LP | Data centre - colocation and hosting | United States |
Avenu Insights & Analytics, LLC | Escheatment Services | United States |
Iron Mountain | Data Tape/Document Storage & Shredding Services | United States |
Exhibit 1
LIST OF FUNDS
XXXXX XXXXX CALIFORNIA MUNICIPAL BOND FUND
XXXXX XXXXX CALIFORNIA MUNICIPAL INCOME TRUST
XXXXX XXXXX ENHANCED EQUITY INCOME FUND
XXXXX XXXXX ENHANCED EQUITY INCOME FUND II
XXXXX XXXXX FLOATING-RATE INCOME TRUST
XXXXX XXXXX LIMITED DURATION INCOME FUND
XXXXX XXXXX MUNICIPAL BOND FUND
XXXXX XXXXX MUNICIPAL INCOME 2028 TERM TRUST
XXXXX XXXXX MUNICIPAL INCOME TRUST
XXXXX XXXXX NATIONAL MUNICIPAL OPPORTUNITIES TRUST
XXXXX XXXXX NEW YORK MUNICIPAL BOND FUND
XXXXX XXXXX RISK-MANAGED DIVERSIFIED EQUITY INCOME FUND
XXXXX XXXXX SENIOR FLOATING-RATE TRUST
XXXXX XXXXX SENIOR INCOME TRUST
XXXXX XXXXX SHORT DURATION DIVERSIFIED INCOME FUND
XXXXX XXXXX TAX-ADVANTAGED DIVIDEND INCOME FUND
XXXXX XXXXX TAX-ADVANTAGED GLOBAL DIVIDEND INCOME FUND
XXXXX XXXXX TAX-ADVANTAGED GLOBAL DIVIDEND OPPORTUNITIES FUND
XXXXX XXXXX TAX-MANAGED BUY-WRITE INCOME FUND
XXXXX XXXXX TAX-MANAGED BUY-WRITE OPPORTUNITIES FUND
XXXXX XXXXX TAX-MANAGED BUY-WRITE STRATEGY FUND
XXXXX XXXXX TAX-MANAGED DIVERSIFIED EQUITY INCOME FUND
XXXXX XXXXX TAX-MANAGED GLOBAL BUY-WRITE OPPORTUNITIES FUND
XXXXX XXXXX TAX-MANAGED GLOBAL DIVERSIFIED EQUITY INCOME FUND
Dated: October 13, 2023