Exhibit 10.28
Confidential Treatment Requested.
Certain material (indicated by asterisks) has been omitted from this document and filed separately with the Securities and Exchange Commission pursuant to a request for confidential treatment.
EXECUTION COPY
SECOND AMENDED AND RESTATED SERVICING AGREEMENT
between
THE NEIMAN MARCUS GROUP, INC.
and
CAPITAL ONE, NATIONAL ASSOCIATION
Dated as of July 15, 2013
TABLE OF CONTENTS
ARTICLE I
DEFINITIONS AND INTERPRETATION
Section 1.01. Defined Terms
Section 1.02. Certain Interpretive Matters
ARTICLE II
SERVICING
Section 2.01. Appointment
Section 2.02. Servicer Compensation
Section 2.03. Services
Section 2.04. Service Level Standards
Section 2.05. Use of Subservicers
Section 2.06. Disaster Recovery
ARTICLE III
REPRESENTATIONS AND WARRANTIES
Section 3.01. Representations and Warranties of Servicer
Section 3.02. Representations and Warranties of Bank
ARTICLE IV
ADDITIONAL COVENANTS
Section 4.01. Further Assurances
Section 4.02. Modifications
Section 4.03. Correction of Errors
Section 4.04. Cooperation
Section 4.05. Facilities and Equipment
Section 4.06. Insurance
Section 4.07. Customer Information
Section 4.08. Applicable Law/Operating Procedures
Section 4.09. Adequate Internal Controls
Section 4.10. Additional Training
Section 4.11. Insider Fraud
Section 4.12. Call Recording
ARTICLE V
DEFAULT; REMEDIES
Section 5.01. Servicer Default
Section 5.02. Remedies
Section 5.03. Non-Starred SLAs
ARTICLE VI
TERM
Section 6.01. Term of Agreement
Section 6.02. Servicer Termination Events
Section 6.03. Termination by Bank
Section 6.04. Effect of Termination
ARTICLE VII
INDEMNIFICATION
Section 7.01. Indemnification By Servicer
Section 7.02. Procedure for Indemnification
Section 7.03. Notice and Additional Rights and Limitations
Section 7.04. Limits on Indemnification
ARTICLE VIII
MISCELLANEOUS
Section 8.01. Confidentiality
Section 8.02. Access Rights; Audit Rights
Section 8.03. No Waiver; Remedies; Amendment
Section 8.04. Independent Contractor
Section 8.05. No Joint Venture
Section 8.06. Payment Terms
Section 8.07. Entire Agreement
Section 8.08. No Set-Off
Section 8.09. Notices
Section 8.10. Severability
Section 8.11. Headings
Section 8.12. Survival
Section 8.13. Costs and Expenses
Section 8.14. Drafting
Section 8.15. Counterparts
Section 8.16. Assignment; Successors
Section 8.17. Governing Law
Section 8.18. Waiver of Jury Trial and Venue
SCHEDULES
Schedule 1.01(a) Services
Schedule 2.04(a) Service Level Standards
Schedule 2.06 Information Protection, Business Continuity and Disaster Recovery Plan
Schedule 5.02 Remedies
Schedule 7.04 Indemnity Matters
SECOND AMENDED AND RESTATED SERVICING AGREEMENT
This Second Amended and Restated Servicing Agreement (as amended from time to time, this “Agreement”), dated as of July 15, 2013, is between The Neiman Marcus Group, Inc., a Delaware corporation (“Servicer”), and Capital One, National Association, a national banking association (“Bank”).
WHEREAS, Servicer and certain of its subsidiaries (together, the “NMG Companies”) are parties to an Amended and Restated Credit Card Program Agreement, dated as of September 23, 2010 (as amended prior to the date hereof, the “Original Program Agreement”), with Bank and certain of its affiliates governing the operation of a credit card program and the rendering of marketing and other services by the parties thereto;
WHEREAS, the Original Program Agreement is being amended, restated and extended as of the date hereof (as so amended, restated and extended, the “Program Agreement”);
WHEREAS, Servicer and Bank are parties to an Amended and Restated Servicing Agreement, dated as of September 23, 2010 (as heretofore amended, the “Original Servicing Agreement”), pursuant to which Servicer performs certain servicing and administration activities relating to the Accounts and the Program (each as defined below); and
WHEREAS, Bank and Servicer wish to amend and restate the Original Servicing Agreement in its entirety as set forth herein in connection with the execution and delivery of the Program Agreement.
NOW, THEREFORE, in consideration of the mutual agreements set forth herein and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree to amend and restate the Original Servicing Agreement in its entirety as follows:
ARTICLE I
DEFINITIONS AND INTERPRETATION
Section 1.01. Defined Terms. Wherever used in this Agreement, unless the context otherwise requires, the following terms shall have the meanings set forth below. Capitalized terms used but not defined in this Agreement shall have the meanings given them in the Program Agreement.
“Agreement”: As defined in the preamble hereof.
“Bank”: As defined in the preamble hereof.
“Confidential Information”: As defined in Section 8.01(a)(i) hereof.
“Damages”: As defined in Section 7.01 hereof.
“Deductible Amount”: As defined in Schedule 7.04.
“Disclosing Party”: As defined in Section 8.01(a)(iv) hereof.
“Effective Annual Servicing Fee Rate”: For any measurement period, (x) the Annual Servicing Fee Rate for such period minus (y) the product of (1) the Profit Sharing Differential for such period and (2) the Average Gross Receivables for such period divided by (3) the sum of the number of Accounts that were Active Accounts during any month in such period divided by the number of months in such period.
“Incentive-Based Compensation” means compensation paid by the Servicer to (i) its employees or agents, (ii) an employee or agent of an Affiliate of the Servicer, or (iii) a third party (e.g., subcontractor and outsourced service provider) that is used by the Servicer to perform any of its obligations under this Agreement, in each case, that increases as a result of meeting certain goals or standards related to increased or enhanced performance of such services provided pursuant to this Agreement.
“Initial Penalty Amount”: As defined in Schedule 5.02.
“Insider Fraud” shall mean any activity of any employee or agent of Servicer, or any employee or agent of any of its Affiliates or subservicers, that the Servicer uses to perform any of its obligations under this Agreement, in each case that the Servicer concludes is fraudulent or illegal and relates to the provision of servicing activities performed pursuant to this Agreement.
“Monthly Average Servicing Cost Per Active Account” means, for any period, (i) when used in reference to the Servicer, the total costs incurred by the Servicer in connection with performing the Services divided by (A) the sum of the number of Accounts that were Active Accounts in any month in such period divided by (B) the number of months in such period, and (ii) when used in reference to Bank, the total costs incurred by Bank in connection with performing services equivalent to the Services in connection with all private label credit card programs serviced by Bank divided by (x) the sum of all credit card accounts under such programs that would have been considered Active Accounts in any month in such period if such accounts were “Accounts” under the Program divided by (y) the number of months in such period.
“NMG Companies”: As defined in the recitals hereof.
“Non-Starred SLAs”: Any SLA on Schedule 2.04(a) that is not a Starred SLA.
“Original Program Agreement”: As defined in the recitals hereof.
“Original Servicing Agreement”: As defined in the recitals hereof.
“Party”: When used in the singular, either Servicer or Bank or, when used in the plural, both Servicer and Bank.
“Program Agreement”: As defined in the recitals hereof.
“Receiving Party”: As defined in Section 8.01(a)(iv) hereof.
“Regulatory Failure”: As defined in Section 5.01(b) hereof.
“Regulatory SLA”: As defined in Section 5.01(b) hereof.
“Reviewed Party”: As defined in Section 8.02(a) hereof.
“Reviewing Party”: As defined in Section 8.02(a) hereof.
“Servicer”: As defined in the preamble hereof.
“Servicer Default”: As defined in Section 5.01 hereof.
“Servicer Event of Default”: The occurrence of any one of the events listed in Section 6.02.
“Services”: As defined in Section 2.03(a) hereof.
“Significant Failure”: As defined in Section 5.01(a) hereof.
“SLA”: Each individual performance standard set forth on Schedule 2.04(a).
“Solvent”: When used with respect to any Person, that (a) the present fair salable value of such Person’s assets exceed the total amount of its liabilities, (b) such Person is able to pay its debts as they become due and (c) such Person does not have unreasonably small capital to carry on its business as theretofore operated and all business in which such Person is about to engage.
“Starred SLA”: On Schedule 2.04(a), the SLAs starred therein.
“Subsequent Failure”: As defined in Section 5.02(b) hereof.
“Subsequent Penalty Amount”: As defined in Schedule 5.02.
“Term”: As defined in Section 6.01 hereof.
“Transaction Document”: The Program Agreement and this Agreement and the agreements, instruments, schedules and other documents to be delivered pursuant thereto and hereto.
Section 1.02. Certain Interpretive Matters. As used herein: (a) all references to the plural number shall include the singular number (and vice versa); (b) all references to “herein,” “hereunder,” “hereof” or like words shall refer to this Agreement as a whole and not to any particular section, subsection or clause contained in this Agreement; (c) all references to “include,” “includes” or “including” shall be deemed to be followed by the words “without limitation”; (d) all references to “$” or “dollars” shall be deemed references to United States dollars; and (e) all references to a particular agreement, instrument or document shall include all renewals, extensions, modifications, amendments and restatements of such agreement, instrument, or document.
ARTICLE II
SERVICING
Section 2.01. Appointment. Subject to the terms and conditions of this Agreement, Bank hereby appoints Servicer as of the Effective Date as the servicer of the Accounts and Cardholder Indebtedness and Servicer hereby accepts such appointment.
Section 2.02. Servicer Compensation.
(a) As compensation for provision of the Services hereunder, Servicer shall receive payment as set forth in Schedule 9.1(a)(ii)(c) of the Program Agreement.
(b) Servicer shall use commercially reasonable efforts to ensure that the financial incentives and penalties it uses to reward the performance of its employees, its Affiliates and the third parties (e.g., subcontractors and outsourced service providers) that it uses to perform any of its obligations under this Agreement, shall be consistent with and in support of the Parties’ commitment to comply with Applicable Laws. Without limiting the foregoing, in the event of a breach of Section 4.08 below that is attributable to (i) an employee or agent of the Servicer, (ii) an employee or agent of an Affiliate of the Servicer, or (iii) a third party (e.g., subcontractor and outsourced service provider) that is used by the Servicer to perform any of its obligations under this Agreement, Servicer shall use all commercially reasonable efforts (including terminating contractual arrangements with such breaching Person to the extent permitted under the terms of contracts then in effect) to terminate any Incentive-Based Compensation arrangements payable by Servicer to such breaching Person in compensation for any noncompliant sales, marketing or retention activities related to the products and services of the Program. Servicer shall consult with Bank in connection with the requirements of this Section 2.02(b).
Section 2.03. Services.
(a) Commencing on the Effective Date and continuing until the date, if any, upon which any listed type of Service enumerated below is transferred to Bank as provided in this Agreement, Servicer shall perform the services described in Schedule 1.01(a) (collectively, the “Services”), in each case, in accordance with this Agreement, the Program Policies and Procedures and the Risk Management Policies and Operating Procedures. Servicer shall perform the Services in such a way as to not disparage or embarrass Bank or its name, with a level of service to Cardholders and with no less care and diligence than the degree of service, care and diligence employed by Servicer prior to the Effective Date.
(b) Servicer may elect upon not less than [***] days’ written notice to Bank to transfer (i) the Late Stage Collection Services described in Schedule 1.01(a) or (ii) all of the Services being performed hereunder, to Bank, in which event Bank shall accept appointment as servicer with respect to such Services and shall be required to comply with the provisions of the Program Agreement in connection with the performance of such Services, including the requirement to meet the SLAs applicable to Bank for such Services set forth in Schedule 7.3(a) of the Program Agreement. Upon the date of the foregoing transfer, Servicer shall be released from any further obligation with respect to the performance of the applicable Services. Upon transfer of the Late Stage Collection Services, the Annual Servicing Fee Rate shall be reduced by [***].
(c) Servicer shall maintain, in English, adequate records relating to its performance of the Services in accordance with the record retention policies set forth on Schedule 4.4(f) of the Program Agreement. Records may be kept in either paper or electronic form. Servicer shall retrieve, reproduce and deliver to Bank any records reasonably requested from time to time by Bank for the purpose of providing customer assistance or resolving customer disputes, and Bank shall compensate Servicer on demand for the reasonable costs and expenses associated with such retrieval, reproduction and delivery.
(d) Bank shall train personnel of Servicer on Bank’s systems and processes that are related to or that interface with, but that are not components of, the Services to the extent necessary for Servicer to perform the Services. Servicer shall train personnel of Bank on Servicer’s systems and processes that are related to the Services being provided under this Agreement.
(e) Bank shall cooperate, and shall ensure that each of its Affiliates shall cooperate, with Servicer in all matters relating to Servicer’s performance of the Services at Servicer’s reasonable request. Such cooperation shall be provided at the expense of Bank and shall include providing Servicer with reasonable access to the personnel, records, systems, technology and information of Bank and its Affiliates relating to the Accounts. Servicer shall obtain all licenses and authorizations necessary to perform the Services that it provides hereunder.
Section 2.04. Service Level Standards.
(a) The SLAs set forth on Schedule 2.04(a) shall apply to the Services hereunder, and the remedies set forth in Subsection 2.04(b) and Article V hereof shall apply in the event Servicer shall fail to meet one or more of such SLAs.
(b) Servicer shall report to Bank monthly, in a mutually agreed upon format, Servicer’s performance under each of the SLAs set forth on Schedule 2.04(a). If Servicer fails to meet any SLA, Servicer shall (i) immediately report to the Management Committee the reasons for the SLA failure(s); and (ii) promptly take commercially reasonable action to correct and prevent recurrence of such failure(s).
Section 2.05. Use of Subservicers.
(a) Servicer shall have the right to perform any portion of the Services through one or more subservicers; provided that (i) any subservicer that is not an Affiliate of Servicer shall be subject to approval pursuant to Article III of the Program Agreement and the procedures set forth in this Section 2.05, (ii) Servicer shall remain fully responsible to Bank for the portion of the Services performed by any such subservicer(s) (including its Affiliates) to the same extent Servicer would be responsible if it performed such functions itself, and (iii) Servicer shall cause each such subservicer to comply with Servicer’s obligations under this Agreement. Without limiting the generality of the foregoing, Servicer shall require each such subservicer the same, or substantially the same, level of risk mitigation and compliance as Servicer is required to provide under this Agreement. Notwithstanding the foregoing, but subject to the other provisions of this Section 2.05, to the extent Servicer subcontracts or outsources to any third party any Services as of the date hereof, Servicer may continue to subcontract or outsource such Services to such third party.
(b) Prior to seeking the approval of the Management Committee pursuant to Article III of the Program Agreement in connection with the use by Servicer of one or more subservicers, other than an Affiliate of the Servicer, to perform any of the obligations to be performed by Servicer under this Agreement, Servicer shall give the Management Committee at least thirty (30) days’ prior written notice, which notice shall specify the scope of the proposed Services (including the specific services) to be performed by such subservicer, the identity or qualifications of such subservicer, the proposed site from which such services would be provided, and a written description of the scope and material terms of the proposed agreement to be entered into by Servicer and such subservicer. Servicer shall perform reasonable due diligence in accordance with Servicer’s then-current due diligence policies and procedures, and such diligence shall include any diligence that may be required by Bank to ensure compliance with Applicable Laws, in each case, on such subservicer that Servicer desires to retain. Upon the request of Bank, Servicer shall provide a copy of such due diligence assessment to Bank.
(c) Servicer agrees to make commercially reasonable efforts to provide Bank, upon Bank’s written reasonable request, with reasonable information regarding the performance by a subservicer, including, an Affiliate of Servicer, used by Servicer to perform any obligations to be performed by Servicer under this Agreement, including information regarding (i) such subservicer’s non-compliance with the terms of this Agreement, or the terms of the agreement between Servicer and such subservicer, (ii) any external or internal audit findings relating to such subservicer’s performance, and (iii) any material trends of customer complaints in connection with such subservicer’s performance. In the case of significant concerns by Bank arising with respect to such subservicer’s performance that are based on the information provided to such Party pursuant to the immediately preceding sentence, Servicer shall use commercially reasonable efforts to facilitate joint dialog among such subservicer and the Parties that are designed to alleviate such concerns.
(d) Servicer shall, at the request of Bank, exercise any available contractual rights to terminate the services of a third party that is a subservicer, including an Affiliate of Servicer, used by Servicer to perform any obligations to be performed by the Servicer under this Agreement, and Servicer shall use all commercially reasonable efforts, including exercising such other contractual rights as Bank may reasonably request if (i) such subservicer’s performance is materially deficient in a manner that poses financial or legal risk to Bank or that poses risk to Bank’s obligation to comply with Applicable Law, (ii) good faith doubts exist concerning such subservicer’s ability to render future performance under this Agreement in the manner required by this Agreement because of prior performance breaches or changes in such subservicer’s ownership, management, financial condition, or otherwise, or (iii) there have been material misrepresentations by or concerning such subservicer.
Section 2.06. Disaster Recovery. For as long as Servicer is providing services hereunder, Servicer shall maintain an information protection, business continuity and disaster recovery plan in accordance with Schedule 2.06 (as such Schedule is applicable to the NMG Companies). Servicer shall be prepared to and have the ability to implement such plan if necessary. Servicer shall provide Bank with access to review such plan upon request. Servicer shall test the plan annually and shall promptly implement such plan upon the occurrence of a disaster or business interruption. Servicer shall be excused from its failure to meet any applicable SLAs that result directly from the failure of any of the Bank Systems. If in the event of a disaster or severe business interruption Servicer fails to take reasonable steps to respond to such disaster or severe business interruption, Bank shall have reasonable access to Servicer’s systems, technical personnel and disaster recovery resources, so as to ensure continuity of business and systems required to service the Accounts.
ARTICLE III
REPRESENTATIONS AND WARRANTIES
Section 3.01. Representations and Warranties of Servicer. Servicer represents and warrants to Bank as follows:
(a) Organization. Servicer (i) is a corporation duly organized, validly existing and in good standing under the laws of the jurisdiction of its incorporation, (ii) is duly licensed or qualified to do business and is in good standing as a foreign corporation in all jurisdictions in which the conduct of its business or the activities in which it is engaged makes such licensing or qualification necessary, except to the extent that its non-compliance would not reasonably be expected to have, individually or in the aggregate, a material adverse effect on its ability to perform its obligations hereunder, and (iii) has all necessary licenses, permits, consents or approvals from or by, and has made all necessary filings and registrations with, all governmental authorities having jurisdiction, to the extent required for the ownership, lease or conduct and operation of its business, except to the extent that the failure to obtain such licenses, permits, consents or approvals or to make such filings or registrations would not reasonably be expected to have, individually or in the aggregate, a material adverse effect on its ability to perform its obligations under this Agreement.
(b) Capacity; Authorization; Validity. Servicer has all necessary corporate power and authority to (i) execute and enter into this Agreement, and (ii) perform its obligations hereunder and the other documents, instruments and agreements relating to this Agreement executed by it pursuant hereto. The execution and delivery by Servicer of this Agreement and all documents, instruments and agreements executed and delivered by Servicer pursuant hereto, and the consummation by Servicer of the transactions specified herein, have been duly and validly authorized and approved by all necessary corporate actions of Servicer. This Agreement (i) has been duly executed and delivered by Servicer, (ii) constitutes the valid and legally binding obligation of Servicer, and (iii) is enforceable in accordance with its terms (subject to applicable bankruptcy, insolvency, reorganization, receivership or other laws affecting the rights of creditors generally and by general equity principles including those respecting the availability of specific performance).
(c) Conflicts; Defaults; Etc. The execution, delivery and performance of this Agreement by Servicer, its compliance with the terms hereof, and consummation of the transactions specified herein will not (i) conflict with, violate, result in the breach of, constitute an event which would, or with the lapse of time or action by a third party or both would, result in a default under, or accelerate the performance required by, the terms of any contract, instrument or agreement to which Servicer is a party or by which it is bound, or to which any of the assets of Servicer is subject; (ii) conflict with or violate the articles of incorporation or by-laws of Servicer; (iii) breach or violate any Applicable Law or Applicable Order, in each case, applicable to Servicer; (iv) require the consent or approval of any other party to any contract, instrument or commitment to which Servicer is a party or by which it is bound; or (v) require any filing with, notice to, consent or approval of, or any other action to be taken with respect to, any Governmental Authority, except, in the cases of clauses (i) and (iii)-(v), for such conflicts, breaches, defaults, violations or failures to obtain such consents or approvals or make or obtain such filings, notices, consents and approvals as would not reasonably be expected to have, individually or in the aggregate, a material adverse effect upon Servicer’s ability to perform its obligations under this Agreement.
(d) Litigation. No action, claim, litigation, proceeding, arbitration or investigation is pending or, to the Knowledge of Servicer, threatened against Servicer or any of its Subsidiaries, at law, in equity or otherwise, by or before any Governmental Authority, to which Servicer or any of its Subsidiaries is a party, which would reasonably be expected to have, individually or in the aggregate, a material adverse effect on the ability of Servicer to perform its obligations under this Agreement.
(e) Facilities and Equipment. Servicer has all necessary facilities, equipment, supplies and such other resources as are reasonably necessary to provide the Services under this Agreement.
(f) Solvency. Servicer is Solvent.
Section 3.02. Representations and Warranties of Bank. Bank represents and warrants to Servicer as follows:
(a) Organization. Bank (i) is a corporation duly organized, validly existing and in good standing under the laws of the jurisdiction of its incorporation, (ii) is duly licensed or qualified to do business and is in good standing as a foreign corporation in all jurisdictions in which the conduct of its business or the activities in which it is engaged makes such licensing or qualification necessary, except to the extent that its non-compliance would not reasonably be expected to have, individually or in the aggregate, a material adverse effect on its ability to perform its obligations hereunder, and (iii) has all necessary licenses, permits, consents or approvals from or by, and has made all necessary filings and registrations with, all governmental authorities having jurisdiction, to the extent required for the ownership, lease or conduct and operation of its business, except to the extent that the failure to obtain such licenses, permits, consents or approvals or to make such filings or registrations would not reasonably be expected to have, individually or in the aggregate, a material adverse effect on its ability to perform its obligations under this Agreement.
(b) Capacity; Authorization; Validity. Bank has all necessary corporate power and authority to (i) execute and enter into this Agreement, and (ii) perform its obligations hereunder and the other documents, instruments and agreements relating to this Agreement executed by it pursuant hereto. The execution and delivery by Bank of this Agreement and all documents, instruments and agreements executed and delivered by Bank pursuant hereto, and the consummation by Bank of the transactions specified herein, have been duly and validly authorized and approved by all necessary corporate actions of Bank. This Agreement (i) has been duly executed and delivered by Bank, (ii) constitutes the valid and legally binding obligation of Bank, and (iii) is enforceable in accordance with its terms (subject to applicable bankruptcy, insolvency, reorganization, receivership or other laws affecting the rights of creditors generally and by general equity principles including those respecting the availability of specific performance).
(c) Conflicts; Defaults; Etc. The execution, delivery and performance of this Agreement by Bank, its compliance with the terms hereof, and consummation of the transactions specified herein will not (i) conflict with, violate, result in the breach of, constitute an event which would, or with the lapse of time or action by a third party or both would, result in a default under, or accelerate the performance required by, the terms of any contract, instrument or agreement to which Bank is a party or by which it is bound, or to which any of the assets of Bank is subject; (ii) conflict with or violate the articles of incorporation or by-laws of Bank; (iii) breach or violate any Applicable Law or Applicable Order, in each case, applicable to Bank; (iv) require the consent or approval of any other party to any contract, instrument or commitment to which Bank is a party or by which it is bound; or (v) require any filing with, notice to, consent or approval of, or any other action to be taken with respect to, any Governmental Authority, except, in the cases of clauses (i) and (iii)-(v), for such conflicts, breaches, defaults, violations or failures to obtain such consents or approvals or make or obtain such filings, notices, consents and approvals as would not reasonably be expected to have, individually or in the aggregate, a material adverse effect upon Bank’s ability to perform its obligations under this Agreement.
(d) Litigation. No action, claim, litigation, proceeding, arbitration or investigation is pending or, to the Knowledge of Bank, threatened against Bank or any of its Affiliates, at law, in equity or otherwise, by or before any Governmental Authority, to which Bank or any of its Subsidiaries is a party, which would reasonably be expected to have, individually or in the aggregate, a material adverse effect on the ability of Bank to perform its obligations under this Agreement.
(e) Solvency. Bank is Solvent.
ARTICLE IV
ADDITIONAL COVENANTS
Section 4.01. Further Assurances. From time to time after the execution of this Agreement, as and when requested by either Party, the other Party shall execute and deliver, or cause to be executed and delivered, all such documents and instruments as may be reasonably necessary to consummate the transactions contemplated by this Agreement.
Section 4.02. Modifications. Except as permitted by this Agreement, the Program Agreement, the Risk Management Policies or the Operating Procedures, Servicer shall not enter into any agreement or arrangement reducing amounts payable by Cardholders.
Section 4.03. Correction of Errors. Each of the Parties shall correct or cause to be corrected as promptly as practicable any data processing or billing errors of which it receives knowledge that occur in the performance of the Services.
Section 4.04. Cooperation. Each Party covenants that it shall use commercially reasonable efforts to cooperate with the other Party in the servicing of the accounts.
Section 4.05. Facilities and Equipment.
(a) For as long as Servicer is providing Services hereunder, Servicer shall maintain in good working order all necessary facilities, equipment, supplies and such other resources as are reasonably necessary to provide any Services in accordance with the SLAs under this Agreement.
(b) Servicer shall provide Bank with written notice prior to opening a new servicing facility for the purpose of providing the Services.
Section 4.06. Insurance.
(a) Servicer shall maintain in force during the Term, at least the following insurance coverages:
[***]
[***]
(b) To the fullest extent allowed by its insurers, Servicer shall cause its insurers to waive all rights of subrogation against Bank, and its officers, directors and employees and any insured-versus-insured exclusion regarding Bank.
(c) The insurance under Section 4.06(a), above, shall be primary, and all coverage shall be non-contributing with respect to any other insurance or self-insurance that may be maintained by Bank.
(d) The insurance under Sections 4.06(a)(i), (ii) and (iii) shall be written on an occurrence form basis. If any other coverage is written on a claims-made basis, it shall have a retroactive date no later than the Effective Date and, notwithstanding the termination of this Agreement, either directly or through ‘tail’ coverage shall be maintained for a period of at least two (2) years following completion of the Term, or it shall allow for reporting of claims until the later of two (2) years after the Term or the period of the applicable limitations of actions has expired.
(e) Servicer shall cause its insurers to name Capital One Financial Corporation, its subsidiaries and their respective directors, officers, employees, agents, successors, and permitted assigns, as Additional Insureds on the insurance coverages under Sections 4.06(a)(i) and (ii).
(f) Servicer shall cause its insurers to issue certificates of insurance evidencing that the coverages and policy endorsements required under this Agreement are maintained in force. Servicer shall require its Workers Compensation and General Liability insurers to provide Bank not less than thirty (30) days’ written notice prior to any cancellation or non-renewal of the policies. Servicer shall provide Bank not less than thirty (30) days’ written notice prior to any adverse modification, cancellation, or non-renewal of the other policies required in Section 4.06 above. The insurers selected by Servicer shall be of good standing and authorized to conduct business in the jurisdictions in which Services are to be performed. When the policy is issued each such insurer shall have at least an A.M. Best rating of A- IX and replacement coverage shall be sought if the insurer’s rating goes below X- XXXX.
(g) Servicer shall assure that all Affiliates and subservicers that it uses to perform any of its obligations under this Agreement maintain insurance coverages as specified in this Section 4.06 naming Servicer as an additional insured or loss payee where relevant.
(h) In the case of loss or damage or other event that requires notice or other action under the terms of any insurance coverage specified in this Section 4.06, Servicer shall be solely responsible to take such action. Servicer shall provide Bank with contemporaneous notice and with such other information as Bank may request regarding the event.
(i) Servicer’s liability to Bank for any breach of an obligation under this Agreement which is subject to insurance hereunder shall not be limited to the amount of coverage required hereunder.
Section 4.07. Customer Information. Servicer shall maintain an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (i) ensure the security and confidentiality of customer information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; (iii) protect against unauthorized access to or use of such information; and (iv) ensure the proper disposal of such information. Additionally, such security measures shall meet current industry standards and shall be at least as protective as those used by Servicer to protect its other confidential customer information. Servicer shall use the same degree of care in protecting the customer information against unauthorized disclosure as it accords to its own confidential customer information, but in no event less than a reasonable standard of care. In the event Servicer becomes aware of any unauthorized use of or access to customer information, Servicer shall immediately notify Bank and shall cooperate with Bank, as it deems necessary or as required by Applicable Law, (x) to assess the nature and scope of such incident, (y) to contain and control such incident to prevent further unauthorized access to or use of such information, and (z) to provide prompt notice to affected customers to the extent required by Applicable Law or otherwise with the approval of the Management Committee.
Section 4.08. Applicable Law/Operating Procedures.
(a) Servicer shall, and shall cause its Affiliates and subservicers that it uses to perform any of its obligations under this Agreement to, comply with this Section 4.08 at all times during the Term:
(i) Such Persons shall comply in all material respects with Applicable Law affecting their obligations under this Agreement and the Operating Procedures. The Parties acknowledge and agree that Bank shall be obligated to inform Servicer in writing of any changes in Applicable Law affecting such obligations that are adopted or implemented following the Effective Date.
(ii) Such Persons shall comply with the Program Policies and Procedures.
(b) Servicer shall, and shall cause its Affiliates and shall use commercially reasonable efforts to cause the subservicers that it uses to perform any of its obligations under this Agreement to, (A) maintain reasonable evidence (including training materials) of its compliance with the provisions of this Section 4.08, and (B) cooperate with the Bank with respect to such Bank’s efforts to comply with Applicable Laws.
(c) The Parties understand and agree that matters relating to (i) the compliance of Servicer, and its Affiliates and subservicers that it uses to perform any of its obligations under this Agreement, with Applicable Laws, (ii) actions required by the Parties in connection with their respective obligations under this Agreement in order to ensure compliance with Applicable Law and (iii) the Program Policies and Procedures, in each case, shall be determined by the Management Committee pursuant to the provisions of the Program Agreement (including Section 3.2(g)(xii) thereof).
Section 4.09. Adequate Internal Controls. Servicer shall maintain enterprise governance practices pertaining to, and reasonable and appropriate internal controls over (including the performance of audits and monitoring activities) (i) the material Services provided by Servicer, and each subservicer, including an Affiliate of Servicer, used by Servicer to perform any of the material obligations to be performed by Servicer under this Agreement, and (ii) the responsibilities and obligations of any Person referred to in the immediately preceding clause (i) arising, in each case, pursuant to this Agreement. Bank acknowledges and agrees that the policies and procedures listed on Schedule 11.4(c)(ii) of the Program Agreement constitute of the foregoing controls in effect as of the Effective Date, and Bank acknowledges and agrees that such controls satisfy all of the provisions of this Section as of the Effective Date. Without limiting the generality of the foregoing, (i) with respect to each contract entered into by a Servicer and any such subservicer prior to the Effective Date, Servicer shall use commercially reasonable efforts, including enforcing any provisions set forth in such contract, to cause such subservicer to take, or refrain from taking, such actions, and (ii) with respect to any contract entered into by Servicer with any such servicer after the Effective Date, including a renewal or an amendment of any contract referred to in the immediately preceding sentence, Servicer shall use commercially reasonable efforts to ensure that each such contract contains provisions (A) that are consistent with the provisions of this Agreement, and (B) that permit Servicer to enforce the provisions referred to in the immediately preceding clause (A).
Section 4.10. Additional Training.
(a) In addition to any other training required pursuant to this Agreement, Bank, in its sole discretion and at its sole expense, may prepare and provide Servicer with training materials (which may include web-based training materials) relevant to compliance with Applicable Law and the Program Policies and Procedures, in each case, in connection with the provision of any Services provided by Servicer to Bank pursuant to this Agreement. At the written request of Bank, Servicer shall cause each of its employees and agents, and each of the employees and agents of its Affiliates, and shall use its commercially reasonable efforts to cause the employees and agents of each of the subservicers that it uses to perform any of its obligations under this Agreement to undertake such portions of such training as is relevant for the servicing activities engaged in by such employees and agents. In addition, Bank shall provide Servicer with such updated training materials as Bank deems appropriate, and Servicer shall promptly cause each Person who is required to receive such training to undertake such additional training.
(b) Servicer shall not provide its employees and agents, and the employees and agents of its Affiliates and the subservicers that it uses to perform any of its obligations under this Agreement, with any training materials relevant to compliance with Applicable Law, and Program Policies and Procedures, in each case, in connection with any Services provided by Servicer pursuant to this Agreement, that have not received the prior written approval of Bank.
Section 4.11. Insider Fraud. Servicer shall provide written notice to Bank of any incidents that Servicer determines constitute Insider Fraud within five (5) Business Days after Servicer has detected such occurrence. Servicer shall reasonably cooperate with Bank’s efforts to timely complete its investigation and to timely submit filings required by, and otherwise comply with its obligations under, Applicable Laws in respect of such Insider Fraud. The Parties acknowledge their mutual understanding that Insider Fraud should be reported under this Section 4.11 even if the identity of one or more suspects cannot readily be ascertained at the time a notification is required to be delivered under this Section 4.11.
Section 4.12. Call Recording. Servicer acknowledges and agrees that in the event that the Servicer engages in outbound telemarketing or selling activities, or any related retention activities, in each case relating to any NMG Credit Cards or Approved Ancillary Products, it may be required by Applicable Law to (i) record, and maintain a record of, telephone activities relating to such activities, and (ii) provide Bank with access to such telephone activities and such recordings. In the event that the Servicer engages in such selling or retention activities, Servicer shall promptly notify Bank in writing and shall cooperate with Bank in entering into any related amendment to this Agreement.
ARTICLE V
DEFAULT; REMEDIES
Section 5.01. Servicer Default. It shall be a “Servicer Default” if either of the events set forth below shall occur and be continuing and remain unremedied prior to the expiration of the specified period:
(a) Significant Failure. If Servicer (i) is more than [***] below the target for any Starred SLA in any Fiscal Month, (ii) fails to meet any individual Starred SLA in [***] consecutive Fiscal Months or (iii) fails to meet any Starred SLA [***] Fiscal Month period (including multiple breaches of the same and individual breaches of different Starred SLAs) (each, a “Significant Failure”).
(b) Regulatory Failure. If Servicer (i) is more than [***] below the standard for any SLA designated as a regulatory-based SLA on Schedule 2.04(a) (each, a “Regulatory SLA”) and (ii) such failure results in a breach by Servicer of Applicable Law (such failure, a “Regulatory Failure”).
Section 5.02. Remedies.
(a) In the event of a Significant Failure, Servicer shall: (A) promptly report to the Management Committee the reasons for the Starred SLA failure(s); (B) within [***] of such Significant Failure, propose a remediation plan for taking such action as Servicer deems necessary to correct and prevent recurrence of such failure(s); and (C) subject to Bank’s agreement, implement the remediation plan as soon as practicable. However, under no circumstances shall the time period between Bank’s agreement to the remediation plan and completion of such plan exceed [***].
(b) If Servicer has an additional failure of any of the same Starred SLA(s) (“Subsequent Failure”) during the [***] Fiscal Months following the occurrence of any Significant Failure, Servicer shall pay Bank the Initial Penalty Amount, within [***] days of the end of such Fiscal Month, for each such Subsequent Failure.
(c) Upon the occurrence of the second Subsequent Failure and each additional Subsequent Failure of the same Starred SLA during the [***] Fiscal Months following a Significant Failure or upon the occurrence of a Regulatory Failure, Servicer shall pay Bank the Subsequent Penalty Amount, within [***] of the end of such Fiscal Month, per each additional Subsequent Failure.
(d) Upon the occurrence of (i) the third and each additional Subsequent Failure of the same Starred SLA during the [***] Fiscal Months following a Significant Failure or (ii) a second Regulatory Failure of the same Regulatory SLA, Bank shall, in addition to payment as provided in paragraph (c) above, have the right to terminate the Program Agreement by providing [***] days prior written notice to Servicer, in which event the parties shall have the rights set forth in Article XVII of the Program Agreement; provided, however, that prior to either Party electing to transfer the provision of such Services pursuant to Section 5.02(e) below or to terminate the Program Agreement, the Management Committee shall meet to discuss the occurrence of the Subsequent Failure and shall determine whether such SLA should be modified (except in the case of a Regulatory Failure, in which event no Management Committee meeting shall be required as a condition to transferring the affected Services pursuant to Section 5.02(e)). If the Management Committee determines that such SLA shall be modified, then Bank shall not be entitled to terminate the Program Agreement as a result of the Subsequent Failure discussed at the meeting of the Management Committee unless and until an additional Subsequent Failure of the same Starred SLA occurs; and provided, further, that for purposes of transferring Services pursuant to this Section 5.02(d) or Section 5.02(e), an SLA that is both a Starred SLA and a Regulatory SLA shall be deemed to be a Regulatory SLA.
(e) Notwithstanding the foregoing, in the case of any Servicer Default with respect to any type of Service, after the Management Committee meeting referred to above (except in the case of a Regulatory Failure) and assuming that no SLA is modified, in lieu of terminating the Program Agreement, either Party may elect to cause the Services subject to such Servicer Default to be transferred to Bank pursuant to the Program Agreement.
(f) No servicing transfer or termination of this Agreement pursuant to Section 5.02(d) or Section 5.02(e) above shall be effective until either assumption by the Bank or its Affiliate of the provision of the Services or the appointment by Bank of a successor servicer reasonably satisfactory to Servicer pursuant to a servicing agreement reasonably satisfactory to Servicer. Following the delivery by the applicable Party of written notice of a servicing transfer or termination, Bank shall have reasonable access to Servicer’s operations and systems to ensure continuity of business and systems required to service the Accounts until such time as Bank or its Affiliate assumes the provision of the Services or appoints a successor servicer reasonably satisfactory to Servicer. Both Parties shall use commercially reasonable efforts and cooperate with each other to ensure continuity of business during any transfer of Services.
Section 5.03. Non-Starred SLAs. For purposes of this Article V, “Starred SLA” shall be deemed to include Non-Starred SLAs in the event that there have been more than [***] in any [***] period with respect to any Non-Starred SLAs; provided, that in the event there are no Significant Failures in the immediately following [***] with respect to any of the Non-Starred SLAs, then such Non-Starred SLAs shall no longer be deemed to be Starred SLAs.
ARTICLE VI
TERM
Section 6.01. Term of Agreement. The term of this Agreement shall commence on the date hereof and expire simultaneously with the termination of the Program Agreement or the termination pursuant to Section 2.03(b), 5.02(d) or 5.02(e) (the “Term”).
Section 6.02. Servicer Termination Events. The occurrence of any one or more of the following events (regardless of the reason therefor) shall constitute an event of default by Servicer hereunder:
(a) Servicer shall fail to make payment in full of any amount due to Bank pursuant to Section 5.02 within two (2) Business Days after such payment is due pursuant to Section 5.02.
(b) Servicer shall fail to comply with Section 4.05 or 4.06 and such failure shall materially impair the quality of the Services hereunder.
(c) A petition under the U.S. Bankruptcy Code or similar law shall be filed against Servicer and not be dismissed within sixty (60) days.
(d) A decree or order by a court having jurisdiction (i) for relief in respect of Servicer pursuant to the Bankruptcy Code or any other applicable bankruptcy or other similar law, (ii) for appointment of a custodian, receiver, liquidator, assignee, trustee or sequestrator (or similar official) of Servicer or of any substantial part of its properties, or (iii) ordering the winding-up or liquidation of the affairs of Servicer shall, in any such case be entered, and shall not be vacated, discharged, stayed or bonded within sixty (60) days from the date of entry thereof.
(e) Servicer shall (i) file a petition seeking relief pursuant to the Bankruptcy Code or any other applicable bankruptcy or other similar law, (ii) consent to the institution of proceedings pursuant thereto or to the filing of any such petition or to the appointment of or taking possession by a custodian, receiver, liquidator, assignee, trustee or sequestrator (or similar official) of Servicer or any substantial part of its properties, or (iii) take corporate or similar action in furtherance of any such action.
(f) Servicer shall materially breach its obligations under Section 2.05 above, Section 4.07 above, Section 4.08 above, Section 4.09 above or Article VIII below, and such material breach shall remain unremedied for a period of thirty (30) days after Bank shall have given written notice thereof specifying the nature of such failure in reasonable detail, provided that if such failure cannot be cured in a commercially reasonable manner within such time, such failure shall not constitute a Servicer Event of Default if Servicer shall have initiated and diligently pursued a cure within such time and such cure is completed within ninety (90) days from the date of written notice regarding such failure.
Section 6.03. Termination by Bank. Bank may terminate this Agreement upon written notice prior to the end of the Term after the occurrence of a Servicer Event of Default, unless such Servicer Event of Default shall have been cured prior to the date of such written notice; provided, however, that in the case of a Servicer Event of Default specified in Section 6.02(f), Bank shall not be entitled to deliver any such notice of termination after the sixtieth (60th) day following the end of the cure period applicable pursuant to Section 6.02(f). No such termination shall be effective until either assumption by Bank or its Affiliate of the provision of the Services pursuant to the Program Agreement or the appointment by Bank of a successor servicer reasonably satisfactory to Servicer pursuant to a servicing agreement reasonably satisfactory to Servicer. Following the delivery by Bank of written notice of a servicing transfer or termination, Bank shall have reasonable access to Servicer’s operations and systems to ensure continuity of business and systems required to service the Accounts until such time as Bank or its Affiliate assumes the provision of the Services or appoints a successor servicer reasonably satisfactory to Servicer. Both Parties shall use commercially reasonable efforts and cooperate with each other to ensure continuity of business during any transfer of Services.
Section 6.04. Effect of Termination.
(a) If this Agreement terminates for any reason, the Parties shall cooperate to ensure an orderly transfer of servicing as provided in subsection (b) below.
(b) If this Agreement is terminated pursuant to Section 5.02(e) or Section 6.03, Servicer shall take all commercially reasonable steps necessary to effectuate a transfer of the Services to Bank or any other applicable successor servicer. To the extent that compliance with this Section 6.04(b) shall require Servicer to disclose to a successor servicer any Confidential Information (as defined in the Program Agreement), the successor servicer shall be required to enter into a confidentiality agreement satisfactory in form and substance to Servicer. Bank agrees that so long as the Program is in effect, it shall perform, or require any successor servicer to perform, the Services in accordance with the provisions of Sections 7.2 and 7.3 of the Program Agreement.
ARTICLE VII
INDEMNIFICATION
Section 7.01. Indemnification By Servicer. Servicer agrees to indemnify and hold harmless Bank, its Affiliates and their respective officers, directors and employees from and against and in respect of any and all losses, liabilities, damages, costs and expenses of whatever nature, including reasonable attorneys’ fees and expenses (collectively, “Damages”), which are caused or incurred by, result from, arise out of or relate to:
(a) the breach of any of Servicer’s representations or warranties made in this Agreement;
(b) the failure by Servicer to perform any of its covenants or agreements contained in this Agreement, except to the extent such failure to perform is caused by (i) the failure of Bank to perform its obligations under any Transaction Document or (ii) any actions or omission by Servicer taken or not taken at Bank’s written request or direction pursuant to any Transaction Document or in compliance with documented policies, procedures, or processes with respect to the Program or Services under this Agreement;
(c) any fines or penalties imposed by a Governmental Authority on the basis of a Regulatory Failure;
(d) any lawsuit, legal proceeding, arbitration proceeding, claim, dispute, complaint or setoff by a Cardholder with respect to anything actually or allegedly done or not done by Servicer in connection with the Services, excluding anything actually or allegedly done or not done by Servicer that (A) is required or expressly permitted under the Risk Management Policies, the Operating Procedures or any Transaction Document or (B) is done at the express direction of Bank.
(e) any lawsuit, legal proceeding, arbitration proceeding or claim by a third party alleging any material inaccuracy in the information provided pursuant to Section 2.08.
Section 7.02. Procedure for Indemnification.
(a) In case any claim is made, or any suit or action is commenced against Bank in respect of which indemnification may be sought by it under this Section 7.02, Bank shall promptly give Servicer notice thereof and Servicer shall be entitled to participate in the defense thereof and, with prior written notice to Bank given not later than twenty (20) days after the delivery of the applicable notice from Bank, to assume, at Servicer’s expense, the defense thereof, with counsel reasonably satisfactory to Bank. After notice from Servicer to Bank of its election so to assume the defense thereof, Servicer shall not be liable to Bank under this Section for any attorneys’ fees or other expenses subsequently incurred by Bank in connection with the defense thereof, except as set forth in Section 7.02(b), other than reasonable costs of investigation.
(b) Bank shall have the right to employ its own counsel if Servicer elects to assume such defense, but the fees and expenses of such counsel shall be at Bank’s expense, unless (i) the employment of such counsel has been authorized in writing by Servicer, (ii) Servicer has not employed counsel to take charge of the defense within twenty (20) days after delivery of the applicable notice or, having elected to assume such defense, thereafter ceases its defense of such action, or (iii) Bank has reasonably concluded that the interests of the Parties are conflicting such that it would be inappropriate for the same counsel to represent both parties (in which case Servicer shall not have the right to direct the defense of such action on behalf of Bank), in any of which events the attorneys’ fees and expenses of counsel to Bank shall be borne by Servicer.
(c) Bank or Servicer may at any time notify the other of its intention to settle or compromise any claim, suit or action against Bank in respect of which payments may be sought by Bank hereunder, and (i) Servicer may settle or compromise any such claim, suit or action solely for the payment of money damages for which Bank will be fully indemnified hereunder and given a full and complete release of any and all liability by all relevant parties relating to such claim, suit or action, but shall not agree to any other settlement or compromise unless Bank consents in writing, which consent shall not be unreasonably withheld (it being agreed that any failure of Bank to consent to any settlement or compromise involving relief other than monetary damages shall not be deemed to be unreasonably withheld), and (ii) Bank may settle or compromise any such claim, suit or action solely for an amount not exceeding One Thousand Dollars ($1,000), but shall not settle or compromise any other matter without the prior written consent of Servicer, which consent shall not be unreasonably withheld.
Section 7.03. Notice and Additional Rights and Limitations.
(a) If Bank fails to give prompt notice of any claim being made or any suit or action being commenced in respect of which indemnification under this Section 7.03 may be sought, such failure shall not limit the liability of Servicer; provided, however, that this provision shall not be deemed to limit Servicer’s rights to recover from Bank for any loss, cost or expense which it can establish resulted from such failure to give prompt notice.
(b) This Section 7.03 shall govern the obligations of the Parties with respect to the subject matter hereof but shall not be deemed to limit the rights that either Party might otherwise have at law or in equity.
(c) Notwithstanding anything to the contrary in this Agreement, no Party shall be liable to the other for punitive or exemplary damages relating to or arising out of this Agreement, any breach hereof or any of the transactions provided for therein, unless Bank shall have become liable to a third party for such amounts.
Section 7.04. Limits on Indemnification. Notwithstanding anything to the contrary set forth in this article, Servicer shall not have any obligation to indemnify Bank in respect of any breach of a representation or warranty under Section 7.01(a) unless and until the Deductible Amount of Damages has been incurred in the aggregate by Bank in respect of breaches of representations and warranties under Section 7.01(a). After Bank incurs in aggregate the Deductible Amount of Damages in respect of breaches of representations and warranties under Section 7.01(a), Servicer shall indemnify Bank in accordance with this Article VII to the extent of the full amount of such Damages.
ARTICLE VIII
MISCELLANEOUS
Section 8.01. Confidentiality
(a) General Confidentiality.
(i) For purposes of this Agreement, “Confidential Information” means any of the following: (i) information that is provided by or on behalf of either Servicer or Bank to the other Party or its agents in connection with providing Services hereunder (including information provided prior to the date hereof or the Effective Date); (ii) information about Servicer or Bank or their Affiliates, or their respective businesses or employees, that is otherwise obtained by the other Party in connection with providing Services hereunder, in each case including: (A) information concerning marketing plans, objectives and financial results; (B) information regarding business systems, methods, processes, financing data, programs and products; (C) information regarding any products offered or proposed to be offered under the Program Agreement or the manner of offering of any such products; (D) information unrelated to the Program obtained by Servicer or Bank in connection with this Agreement, including by accessing or being present at the business location of the other Party; and (E) proprietary technical information, including source codes, or other proprietary information developed in connection with the Program; and (iii) the terms and conditions of this Agreement.
(ii) The restrictions on disclosure of Confidential Information under this Section 8.01 shall not apply to information received or obtained by Servicer or Bank, as the case may be, that: (i) is or becomes generally available to the public other than as a result of disclosure in breach of this Agreement or any other confidentiality obligations; (ii) is lawfully received on a non-confidential basis from a third party authorized to disclose such information without restriction and without breach of this Agreement; (iii) is contained in, or is capable of being discovered through examination of, publicly available records or products; (iv) is required to be disclosed by Applicable Law; provided that the Party subject to such Applicable Law shall use reasonable efforts to avoid such disclosure and notify the other Party of any such use or requirement prior to disclosure of any Confidential Information obtained from the other Party in order to afford such other Party an opportunity to seek a protective order to prevent or limit disclosure of the Confidential Information to third Parties; provided, further, that such information shall be disclosed only to the extent required by such Applicable Law and shall otherwise remain Confidential Information; or (v) is developed by Servicer or Bank, as the case may be, without the use or knowledge of any proprietary, non-public information provided by the other Party under, or otherwise made available to such Party as a result of, this Agreement. Nothing herein shall be construed to permit the Receiving Party (as defined below) to disclose to any third party any Confidential Information that the Receiving Party is required to keep confidential under Applicable Law.
(iii) The terms and conditions of this Agreement shall each be the Confidential Information of Servicer and Bank and each of the Parties to this Agreement shall be deemed to be a Receiving Party of each of them; provided, however, that the terms of this Agreement may be filed by either Party with any Governmental Authority (including public filings with the Securities and Exchange Commission) to the extent required by Applicable Law.
(iv) If Servicer, on the one hand, or Bank, on the other hand, receives Confidential Information of the other Party (“Receiving Party”), the Receiving Party shall do the following with respect to the Confidential Information of the other Party (“Disclosing Party”): (i) keep the Confidential Information of the Disclosing Party secure and confidential; (ii) treat all Confidential Information of the Disclosing Party with the same degree of care as it accords its own Confidential Information, but in no event less than a reasonable degree of care; and (iii) implement and maintain commercially reasonable physical, electronic, administrative and procedural security measures, including commercially reasonable authentication, access controls, virus protection and intrusion detection practices and procedures.
(b) Use and Disclosure of Confidential Information.
(i) Each Receiving Party shall use and disclose the Confidential Information of the Disclosing Party only for the purpose of performing its obligations or enforcing its rights with respect to the Program or as otherwise expressly permitted by this Agreement, and shall not accumulate in any way or make use of such Confidential Information for any other purpose.
(ii) Each Receiving Party shall: (i) limit access to the Disclosing Party’s Confidential Information to those employees, authorized agents, vendors, consultants, service providers, accountants, advisors and subcontractors who have a reasonable need to access such Confidential Information in connection with the provision of the Services hereunder, in each case in accordance with the terms of this Agreement, and (ii) ensure that any Person with access to the Disclosing Party’s Confidential Information agrees to be bound by a confidentiality agreement containing the restrictions set forth in this Section 8.01.
(c) Unauthorized Use or Disclosure of Confidential Information. Each Receiving Party agrees that any unauthorized use or disclosure of Confidential Information of the Disclosing Party might cause immediate and irreparable harm to the Disclosing Party for which money damages might not constitute an adequate remedy. In that event, the Receiving Party agrees that injunctive relief may be warranted in addition to any other remedies the Disclosing Party may have. In addition, the Receiving Party agrees promptly to advise the Disclosing Party by telephone and in writing via facsimile of any security breach that may have compromised any Confidential Information or of any unauthorized misappropriation, disclosure or use by any Person of the Confidential Information of the Disclosing Party which may come to its attention, and to take all steps at its own expense reasonably requested by the Disclosing Party to limit, stop or otherwise remedy such breach, misappropriation, disclosure or use.
(d) Return or Destruction of Confidential Information. Upon the termination or expiration of this Agreement, the Receiving Party shall comply with the Disclosing Party’s reasonable instructions regarding the disposition of the Disclosing Party’s Confidential Information, which may include return of any and all the Disclosing Party’s Confidential Information (including any electronic or paper copies, reproductions, extracts or summaries thereof); provided, however, that the Receiving Party in possession of tangible property containing the Disclosing Party’s Confidential Information may retain one archived copy of such material, subject to the terms of this Agreement, which may be used solely for regulatory purposes and may not be used for any other purpose. Such compliance shall be certified in writing, including a statement that no copies of Confidential Information have been kept, except as necessary for regulatory purposes.
Section 8.02. Access Rights; Audit Rights.
(a) Each Party shall, and shall cause its Affiliates that it uses to perform any of its obligations under this Agreement, and shall use commercially reasonable efforts to cause unaffiliated third parties (e.g., subcontractors and outsourced service providers) that it uses to perform any of its obligations under this Agreement (together with such Party, the “Reviewed Party”) to, permit the other Party and its representatives, including internal audit staff and external representatives, and any Governmental Authorities that have jurisdiction over such other Party (collectively, the “Reviewing Party”), in each case, to (i) visit the Reviewed Party’s facilities, (ii) have access to the Reviewed Party’s employees, and (iii) have access to the Reviewed Party’s books and records, including, where Servicer is the Reviewed Party, the books and records referred to in Section 2.03(c), and applications, in each case, related to the Program and/or the Services during normal business hours with reasonable advance notice. The Reviewing Party shall employ such reasonable procedures and methods as necessary and appropriate in the circumstances, minimizing interference to the extent practicable with the Reviewed Party’s normal business operations. The Reviewed Party shall use commercially reasonable efforts to facilitate the Reviewing Party’s review, including making reasonably available such personnel of the Reviewed Party and its service providers to assist the Reviewing Party and its representatives as reasonably requested. 
The Reviewed Party shall also permit the Reviewing Party to review (during normal business hours) and obtain copies of the books and records relating to the Program, including any audit results of subcontractors that provide Services; provided that neither Party shall be required to provide access to records to the extent that (i) such access is prohibited by Applicable Law, (ii) such records are legally privileged, (iii) such records are company planning documents of such Party or any of its Affiliates, operating budgets, management reviews or employee records, (iv) such records relate to other customers of, or credit programs operated by, Bank or Servicer or (v) such records relate to other customers or operations of such Party other than the Program or to personnel records not normally disclosed in connection with audits.
(b) The audit rights set forth in Section 12.2 of the Program Agreement are incorporated herein by reference and made a part hereof, as modified to the extent necessary to apply to this Agreement. For the avoidance of doubt, the exercise of audit rights under this Section 8.02(b) shall constitute an exercise of audit rights under Section 12.2(a)(i) of the Program Agreement.
Section 8.03. No Waiver; Remedies; Amendment.
(a) Failure or delay on the part of either Party to exercise any right provided for herein shall not act as a waiver thereof, nor shall any single or partial exercise of any right by either Party preclude any other or further exercise thereof.
(b) Remedies provided in this Agreement shall be the exclusive remedies of the Parties for breaches of, or claims relating to, this Agreement.
(c) In no event shall a term or provision of this Agreement be deemed to have been waived, modified or amended, unless a waiver, modification or amendment is in writing and signed by the Parties hereto.
Section 8.04. Independent Contractor. In the performance of its duties or obligations under this Agreement, Servicer shall not be deemed to be the agent of Bank and Bank shall not be deemed to be the agent of Servicer and each Party shall at all times take whatever measures as are necessary to ensure that its status shall be that of an independent contractor.
Section 8.05. No Joint Venture. Nothing in this Agreement or any Transaction Document shall be deemed to create a partnership or joint venture between Servicer and Bank. Except as expressly set forth herein, no Party shall have any authority hereunder to bind or commit the other Party.
Section 8.06. Payment Terms. All payments to be made by either Party pursuant to this Agreement shall be made by wire transfer in lawful money of the United States, immediately available funds, to such account as the receiving Party shall specify prior to noon, New York time, two Business Days prior to the date payment is required. Any payment required to be made on a day that is not a Business Day shall be made on the next succeeding Business Day.
Section 8.07. Entire Agreement. Each Party acknowledges that no representations, agreements, or promises were made to it by the other Party other than those representations, agreements or promises specifically contained in this Agreement and in the Transaction Documents. This Agreement and the other Transaction Documents set forth the entire understanding between the Parties hereto with respect to the subject matter hereof and thereof, and supersedes any other agreement, including the Original Servicing Agreement, whether written or oral, that may have been entered into by the Parties relating to the matters specified herein.
Section 8.08. No Set-Off. The Parties agree that each Party has waived any right to set-off, combine, consolidate or otherwise appropriate and apply (i) any assets of the other Party held by the Party or (ii) any indebtedness or other liabilities at any time owing by the Party to the other Party, as the case may be, against or on account of any obligations owed by the other Party in connection with this Agreement, except as expressly set forth herein.
Section 8.09. Notices. All notices, requests, demands and other communications which are required or permitted to be given under this Agreement shall be in writing and shall be deemed to have been duly given upon the delivery or receipt thereof, as the case may be, sent by registered or certified mail, return receipt requested, via overnight delivery service, postage prepaid, or by facsimile transmission if provided below (receipt confirmed) to:
(a) In the case of Servicer:
c/o The Neiman Marcus Group, Inc. One Marcus Square 0000 Xxxx Xxxxxx Xxxxxx, Xxxxx 00000 Attention: General Counsel Facsimile: (000) 000-0000
With a copy to:
c/o The Neiman Marcus Group, Inc. One Marcus Square 0000 Xxxx Xxxxxx Xxxxxx, Xxxxx 00000 Attention: Credit Card Program Manager Facsimile: (000) 000-0000
With a copy to:
Xxxxxxx Xxxxxxx & Xxxxxxxx LLP 000 Xxxxxxxxx Xxxxxx Xxx Xxxx, Xxx Xxxx 00000 Attention: Xxxxxxx Xxxxxxx, Esq. Facsimile: (000) 000-0000
(b) In the case of Bank:
Capital One, National Association 00000 X. Xxxxxxxxxx Xxxx.
Xxxxxxx, XX 00000 Attention: Xxxxxxx X. Xxxxx
With a copy to:
Capital One Services, LLC 0000 Xxxxxxx Xxx Xxxxx XxXxxx, Xxxxxxxx 00000 Attention: Chief Counsel, Transactions
Section 8.10. Severability. To the fullest extent permitted by law, any term or provision of this Agreement which is invalid or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such invalidity or unenforceability without rendering invalid or unenforceable the remaining terms and provisions of this Agreement in such jurisdiction or in any other jurisdiction.
Section 8.11. Headings. The headings and recitals contained in this Agreement are for reference purposes only and shall not affect in any way the meaning or interpretation of this Agreement.
Section 8.12. Survival. The provisions of Section 2.02, Section 6.02(a), Section 6.02(b), Section 6.04, Section 8.01, Section 8.08, Section 8.12, Section 8.13, Section 8.17 and Section 8.18 and Article VII shall survive any termination of this Agreement.
Section 8.13. Costs and Expenses. Except as expressly provided otherwise in this Agreement, the Risk Management Policies, the Operating Procedures or any other Transaction Document, each Party shall bear all costs and expenses incurred by such Party in connection with its performance of its duties hereunder (including, in the case of Servicer, all costs and expenses incurred by it in connection with its performance of the Services) or otherwise.
Section 8.14. Drafting. Each Party acknowledges that its legal counsel participated in the drafting of this Agreement. The Parties hereby agree that the rule of construction that ambiguities are to be resolved against the drafting party shall not be employed in the interpretation of this Agreement to favor one Party over the other.
Section 8.15. Counterparts. This Agreement may be executed in one or more counterparts, each of which counterparts shall be deemed to be original, and all such counterparts shall constitute one and the same instrument.
Section 8.16. Assignment; Successors. This Agreement shall not be assigned by either Party without the prior written consent of the other, except that (a) Servicer shall have the right to assign its rights and obligations hereunder to any Affiliate of Servicer and (b) Bank shall have the right to assign its rights and obligations hereunder to an Affiliate. This Agreement is intended for the exclusive benefit of the Parties hereto and their respective successors and permitted assigns, and shall not create any rights in or be enforceable by any other Person whomsoever, other than any Person entitled to indemnification from Servicer pursuant to Article VII hereof, it being the intention of the Parties that no other Person shall be deemed to be a third party beneficiary of this Agreement. This Agreement shall be binding on, and enforceable against, the successors and permitted assigns of the Parties.
Section 8.17. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of New York applicable to contracts made and to be performed within such State, and the obligations, rights and remedies of the parties hereunder shall be determined in accordance with such laws.
Section 8.18. Waiver of Jury Trial and Venue.
(a) Each party hereto hereby waives all right to trial by jury in any action or proceeding to enforce or defend any rights under this Agreement.
(b) Each party hereto hereby irrevocably submits to the jurisdiction of the United States District Court for the State of Delaware or, if such federal jurisdiction is unavailable, in the state courts of the State of Delaware over any action arising out of this Agreement, and each party hereto hereby irrevocably waives any objection which such party may now or hereafter have to the laying of improper venue or forum non conveniens. Each party hereto agrees that a judgment in any such action or proceeding may be enforced in other jurisdictions by suit on the judgment or in any manner provided by law. Any and all service of process and any other notice in any such suit, action or proceeding with respect to this Agreement shall be effective against any party hereto if given as provided herein.
IN WITNESS WHEREOF, the Parties have caused their respective duly authorized representatives to execute this Agreement as of the date first written above.
THE NEIMAN MARCUS GROUP, INC.
By: /s/ Xxxxxx Xxxxxxx
Name: Xxxxxx Xxxxxxx
Title: SVP - Finance and Treasurer

CAPITAL ONE, NATIONAL ASSOCIATION
By: /s/ Xxxxxxx Xxxxx
Name: Xxxxxxx Xxxxx
Title: Vice President
[Signature Page to Second Amended and Restated Servicing Agreement]
SCHEDULE 1.01(a)
Services
Documentation Services — There are non-credit functions (i.e. store and marketing mailings) not included in a transfer of Documentation Services.
Late Stage Collections — Late stage collection accounts are defined as accounts equal to or greater than [***] contractual days delinquent (equal to or greater than [***]). Late stage collection servicing includes the use of power dialing equipment and the generation of collection letters in addition to outbound phone contact with the customer. (Note: Bank handles all charged-off accounts.)
Data Processing Services — Credit card data processing involves retail cardholder account data storage and maintenance, transaction authorizing and posting, fraud and risk management strategies and settlement.
Early Stage Collections — Early stage collection accounts are defined as accounts less than [***] delinquent (less than [***]). The servicing for early stage collections includes providing account monitoring, identifying over-extended accounts and initiating the appropriate collection efforts which include the use of power dialing equipment and the generation of collection letters.
Credit Processing Services include the processing, primarily through store referral call interaction, and decisioning of new applications and pending sale transactions on existing accounts. Both of these underwriting processes are governed by the risk management policies and operating procedures.
Customer Service Services has multiple areas of functionality. The call center responds and resolves cardholder and store inquiries and handles card program billing-related claims for Neiman Marcus, Bergdorf Xxxxxxx and the InCircle loyalty program. Other support groups involved in the customer resolution process include Xxxx Adjustments, Media Retention and Retrieval, Accounts Receivable reconciliation, Third Party Charge-backs as well as various clerical responsibilities.
SCHEDULE 2.04(a)
Service Level Standards
For the Term, the following Servicing Levels will be maintained by Servicer as noted:
A. Late and Early-Stage Collections
Servicer will meet the following service levels on average each month (as measured by Servicer’s standard practices):
1. Percentage of time that Servicer shall make its collections operations available during the following times: [***]
Monday through Thursday [***] CST
Friday [***] CST
Saturday [***] CST
Sunday [***]
2. Minimum account penetration rate: [***]
B. Credit Processing Services & Customer Service Services
Servicer will meet the following service levels on average each month (as measured by Servicer’s standard practices):
1. Percentage of all customer service inquiry batch-work correspondence (including address or name changes or credit bureau inquiries) that will be opened and reviewed within [***] days of receipt: [***]
2. Authorization, customer service and InCircle calls will be answered on a monthly average within the following timeframes after the call first becomes available for a Universal Agent to answer:
[***]
Exceptions to the ASA’s are as follows:
· [***]
· [***]
3. Percentage of all adverse action letters that will be mailed out within 21 days after the adverse decision was made: [***] [Regulatory SLA]
4. Upon the request of a Cardholder or upon the auto-release based on a Bank defined parameter setting (currently set to 125 days) for any Account with a Credit Balance up to [***], the percentage of Credit Balance refunds requested verbally or systemically that will be sent out within 5 days of such request or cycle end date provided that no Credit Balance refund will be sent out for a Credit Balance under [***] [Regulatory SLA]
5. Upon the request of a Cardholder or upon the auto-release based on a Bank defined parameter setting (currently set to 125 days) for any Account with a Credit Balance up to [***], the percentage of Credit Balance refunds requested by mail correspondence that will be issued within 7 days of such request or cycle end date provided that no Credit Balance refund will be sent out for a Credit Balance under [***] [Regulatory SLA]
6. Percentage of Fair Credit billing and all other customer initiated disputes that are addressed within 60 days of receipt of notification: [***] [Regulatory SLA]
7. Percentage of time that Servicer shall make its customer service operations from Monday through Friday from 8:00 a.m. CST to 7:00 p.m. CST and Saturday from 9:00 a.m. CST to 1:00 p.m. CST: [***]
8. Percentage of time that Servicer shall make its authorizations and new account operations available from Monday through Friday from 9:00 a.m. CST to 11:00 p.m. CST, Saturday from 9:00 a.m. CST to 11:30 p.m. CST and Sunday from 9:00 a.m. CST to 10:30 p.m. CST (and will extend these hours to accommodate the store operations when formal store hours are extended due to special sales events and seasonal demands): [***]
* Denotes a Starred SLA
SCHEDULE 2.06
Information Protection, Business Continuity and Disaster Recovery Plan
(see attached)
Schedule 2.06
Information Protection & Business Continuity Management
This Exhibit is intended to supplement Articles 4.07 and 8.01 of the Agreement; where there is a conflict between the provisions of this Exhibit and the Agreement, the provisions of this Exhibit shall apply.
For purposes of this Schedule:
Covered Information: means, with respect to Bank’s obligations under this Schedule, Cardholder Data, NMG Shopper Data, other Personally Identifiable Information, and Confidential Information of the NMG Companies and their Affiliates and, with respect to the obligations of the NMG Companies under this Schedule, Cardholder Data, other Personally Identifiable Information, and Confidential Information of Bank and its Affiliates.
1. Methodology for Compliance with This Schedule.
a. System or Methodology to Audit. Each Party (which for purposes of this Schedule shall mean Bank, on the one hand, and the NMG Companies, collectively, on the other hand) shall develop, implement and maintain, at its own expense, a proven system or methodology to audit for compliance with the requirements in this Schedule.
b. Use of Subcontractors. Each Party shall have appropriate controls in place that are designed to ensure that any third party (e.g., subcontractor or outsourced service provider), including an Affiliate of such Party, that accesses, processes or stores Covered Information of the other Party or that has access to the systems that transmit, process or store Covered Information of the other Party, meets the objectives of this Schedule. Prior to subcontracting services, the other Party shall establish appropriate contract requirements and conduct an assessment of controls as appropriate to confirm compliance with the objectives of this Schedule. Issues identified that have a high likelihood of resulting in unauthorized access to Covered Information of the other Party shall be mitigated before granting connectivity to systems or access to such Information. Remaining issues shall be mitigated in timeframes commensurate with the risk associated with (i) the data, (ii) business or operational needs including business continuity of the other Party, or (iii) granting such Party connectivity to the other Party’s network or systems. Each Party shall exercise ongoing oversight over each such third party (e.g., subcontractor or outsourced service provider), including an Affiliate of such Party, to ensure compliance is maintained with the objectives of this Schedule.
c. Assessment Rights. Upon thirty (30) days’ prior notice to the other Party, each Party or its representatives may perform physical and electronic reviews of security, information technology operations and business continuity control environments to evaluate and monitor the other Party’s protection of the confidentiality, integrity and availability of Covered Information of such other Party. Each Party shall employ such reasonable procedures and methods as are necessary and appropriate in the circumstances, minimizing interference to the normal business operations of the Party being reviewed to the extent practicable and provided that no assessments shall take place during any Blackout Period. For the purposes of the foregoing sentence, Blackout Period with respect to the NMG Companies shall mean the period of [***] of each calendar year and any other dates and periods, not to exceed 20 business days in the aggregate, as the NMG Companies shall specify in advance of each calendar year in writing. Each Party shall make available a resource of sufficient seniority and expertise to work with the other Party in connection with assessments hereunder, and such personnel shall use commercially reasonable efforts to respond to the other Party’s questions regarding compliance with the terms of this Schedule and the Agreement. Each Party shall develop, implement, and maintain, at its own expense, commercially reasonable mitigation strategies to address issues identified as a result of these reviews. Prior to the commencement of any assessment pursuant to this Section 1(c), the Party performing such assessment shall inform the other Party in writing of the reasonable protocol for conducting such assessment and of the scope of such assessment, which protocol and scope shall be subject to the approval of the other Party (not to be unreasonably withheld, conditioned or delayed).
d. Annual Security and Business Continuity Audit Review. Without limiting any obligation of either Party specified elsewhere in the Agreement, each Party shall complete an annual review of its business continuity/disaster recovery, information security, and physical security program(s). Each Party shall utilize its internal audit department or a qualified, independent third party to conduct such review.
2. Information Protection Environment. During the Term of the Agreement, each Party shall maintain and monitor the following controls to protect the confidentiality, integrity and availability of the Covered Information of the other Party. Such controls shall include a reasonable combination of preventive and detective security and procedural controls based upon the requirements of this Schedule:
a. Accountability Within the Facility. Reasonable physical security policies and procedures, including access control mechanisms designed to ensure accountability of each Party’s personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) that such Party uses to perform any of the obligations to be performed by such Party, within areas of such Party’s facilities that access, process or store Covered Information of the other Party in, on or through any form, format, channel, medium or media type. Each Party shall utilize effective security systems, technology, staff, and/or processes designed to prevent unauthorized access to its facility and Covered Information of the other Party.
b. Physical Access. Each Party shall employ physical controls over the holding and processing of information that are commensurate to the risk for Covered Information of the other Party used to hold and process such information, including, as appropriate, physical barriers, employee access badges, card readers, video surveillance cameras and visitor logs, where applicable. Any records of physical access, where applicable, shall be retained for a time period of six months.
Capital One Confidential
c. Background Checks. To the extent either Party’s personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) that such Party uses to perform any of the obligations to be performed under the Program access Covered Information of the other Party in the course of performing their ordinary duties, policies and procedures to ensure that such Persons shall have been subject to criminal history checks in accordance with the NMG Background Screener’s Guide as demonstrating compliance to the background check requirements attached hereto in Appendix I.
d. Perimeter Controls. Reasonable network perimeter controls such as firewalls at all perimeter connections.
e. Application Security. For all applications of either Party that contain Covered Information of the other Party, such party agrees to maintain the security of the application(s) throughout the Term of this Agreement according to general industry standards including, but not limited to, the following:
i. Each Party shall define and document non-functional application security requirements. Each Party shall develop and follow a security test plan that defines the testing approach and establishes that each of the security requirements contained herein has been met. The level of rigor of this test process shall be detailed in the plan. Each Party shall implement the security test plan and provide a copy of the application security requirements and a written report of test results to the other Party upon request.
ii. As part of its annual security review set forth in Section 1(d) of this Schedule, each Party shall conduct risk assessment(s) to determine and prioritize risks, enumerate vulnerabilities and understand the impact that particular attacks might have on an application to ensure it meets applicable contractual obligations, regulatory mandates and security best practices and standards.
iii. Each Party agrees to conduct the following tests quarterly: (1) network vulnerability scans (not denial of service or brute force attacks); and annually: (2) application layer penetration tests (not denial of service or brute force attacks). Each Party will provide the executive summary, upon request to the other Party, as part of their annual review results. NMG Companies acknowledge that because the current Bank systems are migrating to Bank oversight over time (from the previous Bank), the first such request made by NMG Companies shall be no sooner than Q1 2014.
f. System Hardening. System hardening procedures to disable all unnecessary services on devices and servers used to access, process, transmit or store Covered Information of the other Party or devices and systems that reside on the same restricted network segment. Unnecessary services include any service not required to meet business needs.
g. Patch Management. Systems and applications used to access, process or store Covered Information of the other Party shall be maintained at current stable patch level.
h. Virus Detection. For systems that support such software, commercially reasonable malicious code detection software, to include virus detection and malware detectors, shall be installed on all systems used to access, process, transmit or store Covered Information of the other Party or devices and systems that reside on the same restricted network segment. In addition, definition files shall be updated regularly.
i. Detection of Suspicious Activity. Network intrusion detection system (IDS) or similar reasonable procedures or technology, to detect suspicious network and host activity.
j. System Logs. For all systems that access, transmit or store Covered Information of the other Party, system logs shall be in place to uniquely identify individual users and their access to associated systems and to identify, record and clearly depict all attempted or executed activities of any one or more such users. All systems creating system logs shall be synchronized to a central time source. Reasonable processes shall be in place to review privileged access and identify, investigate and respond to suspicious or malicious activity. System log trails shall be secured in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. These logs shall be maintained in accordance with the retention requirements set forth in the Agreement. If not specified elsewhere, logs shall be maintained in accordance with the following:
System Category | Log Retention Period
Security devices, perimeter devices and policy enforcement points e.g. firewalls, VPN servers, intrusion detection systems | 13 months
Network logon records e.g. domain controllers, Active Directory logs | 120 days
All other systems and applications | 60 days
The requirements listed above do not supersede, or otherwise limit the applicability of or the need to comply with, retention requirements that are governed by law, regulations or industry requirements, such as PCI DSS.
k. Change Control Process. Reasonable change control processes similar to those currently in place to approve and track changes within the computing environment of each Party to the extent such changes have a potential impact on the performance of services under the Program and the network applications employed by the other Party. Each Party shall notify the other Party in the event there is a change planned that may impact performance of services under the Program and the network applications employed by the other Party. In addition, if changes will affect the definitions or structure of data sent to the other Party, a Manager of such Party must be provided notification prior to implementation of those changes.
l. Restrict System Access. Access to Covered Information of the other Party shall be limited solely to the authorized personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of such Party that it uses to perform any of the obligations to be performed by such Party under the Program, who require such access in order to perform such obligations. Reasonable processes shall be in place to approve and track system access granted. This access shall be periodically reviewed to verify that each access assignment remains necessary. Frequency of review shall be commensurate with risk associated with the system/application. Systems and applications used to store or process Covered Information shall be reviewed quarterly. All other applications shall be reviewed annually.
m. Remote User Access. Either Party’s personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) that such Party uses to perform any of the obligations to be performed by such Party under the Program, must be located within a facility managed by such Party while connected to the other Party’s network or accessing Covered Information of the other Party. Either Party may grant access to only IT/system administration personnel with a business justification for connecting to the other Party’s network or accessing Covered Information while outside the facility managed by such Party. For each remote user granted access to either Party’s network to access the other Party’s network or Covered Information of the other Party, such Party shall: (i) require that the personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of such Party that it uses to perform any of the obligations to be performed by such Party under the Program, (x) with respect to the NMG Companies, meet the requirements as set forth in the NMG Remote Access Security Standard manual, which requires access to the network through the approved remote access methodology, which leverages a private VPN and checks the remote host for a running firewall and active anti-virus/malware software and that includes at least two (2) factor authentication of each remote user, and (z) with respect to the Bank, use only Bank-owned equipment configured to comply with the Federal Financial Institution Examination Council issued “Authentication in an Internet Banking Environment” guidance and that includes at least two (2) factor authentication of each remote user; and (ii) maintain system logs detailing activity during each remote user session. 
If there is a reasonable business justification to grant non-IT/system administration employees of either Party remote access to the other Party’s network or Covered Information of the other Party, and with prior written approval by the other Party, each Party shall comply with the preceding requirements.
n. Termination/Reassignment of Employees. Formal termination and reassignment procedures for the personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of either Party that such Party uses to perform any of the obligations to be performed by it under the Program, to ensure physical and computing system access are immediately rescinded.
o. Access Management to Systems Which Either Party Provisions Access.
i. When applicable, and only to the extent necessary, access to a system which the other Party provisions access shall be requested for personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of such Party that such Party uses to perform any of the obligations to be performed by it under the Program, who require access in order to provide such obligations. Each Party shall notify the other Party immediately when such access is no longer necessary. Each Party reserves the right to revoke such access to a system which such Party provisions access at any time and for any reason.
ii. If any personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of either Party that such Party uses to perform any of the obligations to be performed by such Party under the Program, require access to a system which the other Party provisions access, such Party shall provide the other Party with the appropriate data for each such Person for whom such Party is requesting access to the other Party’s systems, such as the following: Complete Legal Name, Store ID, Employee Number, Name/Function with the other Party and the other Party’s Location (City/State/Country) in a manner and consistent with past practice.
p. Authentication Credentials. Each Party shall have a user registration and deregistration procedure for systems that access, transmit or store Covered Information of the other Party with user accounts that are assigned to individuals assessing the system or particular work stations, which are only accessible by a limited number of identifiable employees of such Party whose access is strictly controlled and monitored. Each Party shall work in good faith to consider a reasonable procedure to issue individual user accounts for all roles, or implement compensating and reasonable controls to monitor use of shared user accounts. Default manufacturer passwords used in either Party’s products or Services shall be changed upon installation.
q. Data Requirements. If applicable to the Services being provided by such Party, the NMG Companies and Bank shall adhere to the following requirements:
i. Data Integrity. Notification of data quality failures or exceptions affecting the other Party shall be provided by each Party. Upon reasonable request, each Party agrees to provide periodic data quality metrics.
ii. Data Movement. Data validation checks and reports to prevent duplicative data record transfers and ensure accurate, uncorrupted data transfer into production environment shall be implemented (e.g., checksums, hash totals, data integrity checks, etc.). In the event a data transfer failure in production affecting the other Party is detected, each Party shall be notified in accordance with pre-determined service-level criteria or as soon as reasonably possible if no service-level documentation exists.
iii. Data Destruction. To the extent Covered Information of the other Party is required to be destroyed pursuant to the Agreement, such destruction shall be effected in a secure manner consistent with industry standards.
3. Covered Information in Transmission or on Portable Media. All Covered Information of the other Party shall be encrypted prior to or simultaneously while being: (i) transmitted over public networks (e.g. Internet); (ii) carrier-owned networks, (iii) copied to portable media, (iv) stored to disk on a publicly accessible system that, with respect to Covered Information of Bank, does not fall under the administrative control or compliance monitoring processes of Bank, using minimum 128 bit symmetric encryption, or the maximum allowed by Applicable Law. In addition, each Party shall have appropriate checks in place to confirm data integrity upon decryption. Exceptions are allowed to meet legal or regulatory requirements when the recipient cannot accept encrypted data; provided, however, that alternate means of securing data will be employed when recipients cannot accept encrypted data. With regard to communications between the Parties, the Parties shall use encryption methodology as mutually agreed upon by the Parties. Covered Information of the other Party transported on paper media by a reputable, nationally-recognized common carrier shall be sealed and tracked via certified mail or similar tracking process while in transit.
4. Incident Response and Management.
a. Process to Detect a Security Related Incident. Each Party shall define and maintain a process to monitor and detect unauthorized access to, misuse or misappropriation of or fraudulent activity involving, Covered Information of the other Party by any personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of such Party that it uses to perform any of the obligations to be performed by such Party under the Program (a “Security Related Incident”).
b. Process To Report Security Related Incidents. Each Party shall have a process in place to report to the other Party any known or reasonably suspected Security Related Incident. In the event either Party discovers or reasonably suspects a Security Related Incident, such Party shall notify the other Party immediately upon initial detection, and in no event later than twenty four (24) hours after the initial detection.
c. Response to Security Related Incident. Upon notice of a Security Related Incident, each Party shall may take all reasonable steps to protect the Covered Information of such Party, including, but not limited to, an assessment of the other Party’s security safeguards, review of relevant physical access logs, and an assessment of the other Party’s security and system log files from workstations and supporting servers containing or facilitating the flow of Covered Information. In addition to any Security Related Incident-related obligations set forth in the Agreement, each Party shall have a plan that (i) enables such Party to take actions to address known or suspected Security Related Incidents, (ii) take appropriate remedial action for the cause of the breach, and (iii) provide the other Party with necessary information to allow such Party to expeditiously implement its own response program.
d. Disciplinary Actions. Each Party shall have a process in place to promptly identify violations of security controls including those set forth in this Schedule, by any personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) of such Party that it uses to perform any of the obligations to be performed by such Party under the Program. Any Persons so identified shall be subject to appropriate disciplinary action.
e. Incident Contact Number. When Bank notification is necessary under this Schedule, the NMG Companies shall contact the Bank’s Incident Command Center at (000) 000-0000.
5. Business Continuity and Disaster Recovery.
a. Backup Power Supply. Each Party shall maintain a reasonable backup power supply system to guard against electrical outages based upon facility and function. The solution shall allow for controlled shutdown of systems used to process or store Covered Information of the other Party as well as ongoing power support for systems that require such service based on recovery plans.
b. Fire Detection and Suppression System. Each Party shall implement reasonable fire detection and suppression system(s) to protect such Party’s computing equipment.
c. System Maintenance. Each Party shall ensure reasonable maintenance of systems to guard against failure.
d. Coordination of Continuity Plans. Each Party shall provide reasonable information, with respect to the services and obligations under the Agreement, to allow the other Party to develop a continuity plan which will work in concert with the plan of the Party providing the information. Each Party shall also incorporate the other Party’s reasonable feedback into its plan to ensure such Party can meet the obligations outlined in this Schedule.
e. Recovery Testing. Each Party may request to participate, but no more often than annually, in the other Party’s recovery testing, unless Applicable Law or a Governmental Authority with supervisory authority over either Party or the Services under the Agreement requires otherwise, in which case such requirement(s) shall govern. Such testing may include, but may not be limited to, validation of such Party’s business and/or technical recovery strategies. Either Party reserves the right to limit the number of exercise participants.
f. Call Lists. Within twenty-four (24) hours of the request of the other Party, either Party shall make available to the other Party call lists necessary for contacting key individuals at such Party’s primary and recovery locations.
g. Business Continuity Program. Each Party shall maintain a business continuity program, including a recovery plan that is designed to ensure reasonable business continuity of critical functions. The program shall provide a framework and methodology, including a business impact analysis and risk assessment process, necessary to identify and prioritize critical business functions. In the event either Party experiences an event requiring recovery of systems, information or services, the recovery plan shall be executed to ensure that critical services can be rendered in compliance with the requirements defined herein. Within 24 hours of an event requiring implementation of the plan, each Party will provide to the other Party an initial report that includes the nature of the interruption, an estimate for the time it will take to return to Agreement-required service levels and the actions the party experiencing the event is taking to achieve those levels.
Appendix I to Schedule 11.4(k)
Background Check Requirements
Each Party shall be responsible for ensuring criminal background checks are conducted in accordance with the requirements identified herein on those individuals with access to Covered Information of the other Party in the course of performing their expected duties. Neither Party prohibits the employment by the other Party of personnel, temporary staff and third parties (e.g., subcontractor or outsourced service provider) to perform any of the obligations to be performed by such Party under the Program, whose background check is not in conformance with the requirements herein. However, each Party requires that any such Person whose background check is not in conformance with the requirements herein, not be granted access to any Covered Information of such Party.
The following requirements shall not supersede any Applicable Law prohibiting such checks.
Background Check Standards
[***]
[***]
[***]
[***]
SCHEDULE 5.02
Remedies
“Initial Penalty Amount”: [***].
“Subsequent Penalty Amount”: [***].
SCHEDULE 7.04
Indemnity Matters
“Deductible Amount”: [***].