Exhibit 10.2

 

CERTAIN PORTIONS OF THESE MATERIALS HAVE BEEN OMITTED BASED ON A REQUEST FOR
CONFIDENTIAL TREATMENT SUBMITTED TO THE U.S. SECURITIES AND EXCHANGE COMMISSION
(THE “SEC”). THE NON-PUBLIC INFORMATION HAS BEEN OMITTED AND HAS BEEN SEPARATELY
FILED WITH THE SEC. EACH REDACTED PORTION OF THE AGREEMENT IS INDICATED BY A
“[XXXX]” AND IS SUBJECT TO THE REQUEST FOR CONFIDENTIAL TREATMENT SUBMITTED TO
THE SEC. THE REDACTED INFORMATION IS CONFIDENTIAL INFORMATION OF GLOBAL AXCESS
CORP.

 

GROUP CONTRACT
AMENDMENT

 

THIS GROUP CONTRACT AMENDMENT (this “Amendment”) is made as of the 20th day of
December, 2011, by and among Nationwide Money Services, Inc., a Nevada
corporation (“Nationwide”), Food Lion, LLC, a North Carolina limited liability
company (“Food Lion”), J.H. Harvey Co., LLC, a Georgia limited liability company
(“Harvey”) and Kash N’ Carry Food Stores, Inc., a Delaware corporation (“K&K,”
and together with Food Lion and Harvey, each a “Merchant” and together, the
“Merchants”). Nationwide, Food Lion, Harvey and K&K are sometimes referred to in
this Amendment collectively as the “Parties,” and individually as a “Party.”

 

W I T N E S S E T H:

 

WHEREAS, Food Lion, LLC and Nationwide are parties to that certain Agreement
dated as of October 5, 2001 (as amended by Amendment No. 1 to the Agreement by
and between Food Lion and Nationwide, dated as of August 28, 2003, and as it may
be further amended, modified or restated, the “Food Lion Agreement”); and

 

WHEREAS, Harvey and Nationwide are parties to that certain Automated Teller
Machine License/Use Agreement dated as of January 20, 2010 (as amended, modified
or restated, the “Harvey Agreement”); and

 

WHEREAS, Nationwide and K&K are parties to that certain Agreement dated October
10, 2001 (as amended by Amendment No. 1 to the Agreement by and between K&K and
Nationwide dated August 28, 2003, and as it may be further amended, modified or
restated, the “K&K Agreement”); and

 

WHEREAS, the Parties desire to modify certain provisions of the Food Lion
Agreement, the Harvey Agreement and the K&K Agreement (collectively, the
“Agreements”), so that such provisions are uniform among the three Agreements;

 





 








 

NOW THEREFORE, in consideration of the mutual covenants and promises contained
herein and for other good and valuable consideration, the receipt and
sufficiency of which are hereby acknowledged, the Parties agree as follows:

 

1.                  Extension. The Parties agree and acknowledge that each of
the Agreements shall remain (and have remained) in full force and effect in
accordance with their current terms and provisions until December 31, 2011, and
as amended, shall continue in force until December 31, 2014, as set forth in
Section 2(A) below.

 

2.                  Amendment. The Parties agree that, effective as of January
1, 2012, each of the Agreements shall be amended as follows:

 

Notwithstanding any provision of any of the Agreements to the contrary, each of
the Agreements shall, effective as of January 1, 2012 be amended to include the
following provisions and to delete any provision of the Agreements that is in
conflict therewith. For the avoidance of doubt, the following amendments are,
among other things, intended to replace, in their entirety, any provisions
requiring Nationwide to make any payments or revenue share with respect to any
automated teller machines (“ATM’s”) placed pursuant to the Agreements
(including, without limitation, any portion of screen advertising or coupon
revenues), payments required to be made to Nationwide in connection with any ATM
that is moved at the request of Merchant, the fee paid by Food Lion, Harvey or
K&K for a permanent removal of an ATM at such Party’s request and Nationwide’s
rights to remove ATM’s due to performance issues.

 

A.                Term. Each Agreement shall continue in full force and effect,
unless earlier terminated as permitted in such Agreement, until December 31,
2014.

 

B.                 Surcharge. Nationwide shall not charge a surcharge in excess
of $[XXX] without the prior written consent of the applicable Merchant. In
addition, Nationwide shall not charge any surcharge for transactions which
relate to any of the credit unions set forth in Exhibit A attached hereto, or
any other credit union with which Delhaize Group (the parent of each of the
Merchants) has a contractual relationship of which Nationwide is informed in
writing, in each case, so long as such credit union continues to contract with
Delhaize (collectively, a “Delhaize Associated Credit Union”).

 

C.                 Revenue Share. Nationwide shall pay each Merchant an amount
equal to (i) [XXXXX percent (XX%)] of the surcharge revenue received by
Nationwide, plus [XXX] ($[XXX]) per Free Transaction (as defined below), in each
case, with respect to transactions undertaken at ATM’s placed at such Merchant’s
location pursuant to an Agreement. For purposes of calculation of the above
revenue share, “Free Transaction” shall mean any cash withdrawal from a checking
or savings account or any credit card or debit card cash advance, for which
Nationwide does not receive any surcharge, other than transactions relating to
Delhaize Associated Credit Unions (as defined in Section B above) and electronic
benefit transfers (EBTs) for which no surcharge is permitted to be charged by
law.

 




 

 



D.                New Site Setup Expenses. Merchant will pre-wire electrical and
telephone lines, for purposes of placing an ATM in a newly constructed location.
Such costs shall be borne by Merchant. Merchant shall provide power and floor
space, and prepare the same to enable installation of an ATM, at no cost to
Nationwide. Nationwide shall not charge Merchant for any installation of an ATM
and shall be responsible for all other costs related to the installation of
ATM’s pursuant to the Agreements. Nothing herein is intended to change
Merchant’s obligations with respect to the purchase or maintenance of bumpers as
set forth in the Agreements.

 

E.                 Branding/Advertising. Nationwide shall receive the approval
of Merchant before any advertising is placed on, or displayed through, an ATM
placed under an Agreement.

 

F.                  Telecommunications. Nationwide shall be responsible for
providing telecommunication services for ATM’s placed under the Agreement. In
cases where it is necessary for Merchant to provide phone service, Nationwide
will pay Merchant a one-time fee of $[XXX], due upon the initiation of such
phone service, and a $[XXX] fee per month thereafter, payable monthly in arrears
payment of the revenue share.

 

G.                ATM Moving Fees. In the event that Merchant requests
Nationwide to change the location of an ATM within a store, Merchant shall pay
Nationwide the following fees:

 

(i)                $[XXX], if Merchant provides Nationwide at least 21 days’
notice;

 

(ii)               $[XXX], if Merchant provides Nationwide with less than 21
days’ notice;

 

(iii)             $[XXX], if Merchant requests that Nationwide remove an ATM and
re-install such ATM at a later date (which date must be within at least ninety
days of the date of such removal of the ATM, or Merchant shall be subject to the
fees set forth in Section H below).

 

Any relocation of an ATM requested by Nationwide or to comply with the Americans
with Disabilities Act, shall be at Nationwide’s expense.

 

H.                Removal of ATM for In-Store Bank. Merchant shall have the
right to request Nationwide to remove an ATM in the event that Merchant is
installing a bank branch ATM at such location. In such event, Nationwide will
coordinate with Merchant for the removal of such ATM within thirty (30) days of
such request. Upon removal of an ATM pursuant to this Section H, Merchant shall
pay Nationwide a permanent removal fee equal to $[XXX], plus $[XXX] times the
number of months remaining in the Term (as set forth in Section A of this
Amendment).

 

I.                   ATM Uptime Commitment. Nationwide shall maintain the ATM’s
so that they are functional greater than [XXX]% of the time, as calculated for
each calendar month.

 

J.                   ADA Compliance. All ATM’s placed pursuant to the Agreements
shall be compliant with the Americans with Disabilities Act prior to March 15,
2012, or such later date as may be provided for such compliance by law.




 

 



K.                Security. Nationwide shall maintain compliance with the PCI
security standards and all other applicable security rules and regulations
imposed by law. Nationwide agrees to promptly notify Merchant of any breach in
such security requirements.

 

L.                 Removal of ATM’s by Nationwide. If, in any calendar month the
average number of transactions per ATM for the ATM’s placed at a Merchant is
less than the threshold set forth below, Nationwide may, but shall not be
obligated to, remove ATM’s placed at such Merchant’s locations, so that the
calculation for such month with respect to the remaining ATM’s would exceed the
threshold. For purposes of the foregoing, the threshold shall be an average of
[XXX] transactions per ATM per month for Food Lion and K&K, and shall be [XXX]
transactions per ATM per month for Harvey.

 

3.                  Survival of License Agreement. Except as expressly amended
hereby, all terms, conditions and obligations contained in the Agreements shall
remain in full force and effect.

 

4.                  Counterparts. This Agreement may be executed in two or more
counterparts, each of which will be deemed an original, but all of which
together will constitute one and the same instrument. Signatures delivered as
facsimiles shall be binding to the same extent as original signatures.

 

IN WITNESS WHEREOF, the Parties have executed this Amendment as of the date
first set forth above.

 

 



  NATIONWIDE MONEY SERVICES, INC.       By:  /s/ Lock Ireland    

Lock Ireland

Title: CEO

 

 

  FOOD LION, LLC       By:  /s/ Patti Fletcher    

Name: Patti Fletcher

Title: Assistant Treasurer

 

 

  J.H. HARVEY CO., LLC.       By:  /s/ [Insert Name]    

Name: Patti Fletcher

Title: Assistant Treasurer

 

 

  KASH N’ CARRY FOOD STORES, INC.       By:  /s/ Patti Fletcher    

Name: Patti Fletcher

Title: Assistant Treasurer

 




 

 

 

 Exhibit A

 

Food Lion Credit Association

 

 


 





 

Exhibit A

To Group Contract Amendment

 

Service Provider Privacy, Confidentiality and Information Security Addendum

 

This Service Provider Privacy, Confidentiality and Information Security Addendum
(this “Addendum”) sets forth the terms and conditions relating to the privacy,
confidentiality and security of Personal Information (as defined below)
associated with services rendered pursuant to the Agreements.

 

1.             DEFINITIONS

 

All capitalized terms used in this Addendum but not defined herein shall have
the same meaning ascribed to such terms in the Agreement as supplemented by this
Addendum.

 

1.1.         “Access” means access to: (i) Personal Information and/or (ii)
Customer information technology (“IT”) resources or systems which use, process
or store Personal Information and/or (iii) Customer facilities where Personal
Information is used or stored, including, but not limited to, corporate offices,
distribution centers, or retail stores.

 

1.2.         “PCI Standard” means the Payment Card Industry Data Security
Standard of the PCI Security Standards Council, as may be amended from time to
time, which can be found at https://www.pcisecuritystandards.org/.

 

1.3.         “Personal Information” means any information relating to an
identified or identifiable individual, including, but not limited to, name,
postal or email address, Social Security number, driver’s license number, date
of birth, demographic information, health or medical information, checking and
credit card account data, personal identification number, next of kin contact
information, in whatever format, including that contained in communications,
documents, databases, records, or materials of any kind whether in individual or
aggregate form, and regardless of the media in which it is contained, that may
be (i) disclosed at any time to Service Provider or Service Provider Personnel
by Customer or Customer Personnel in anticipation of, in connection with or
incidental to the performance of services of or on behalf of Customer; (ii)
Processed (as defined below) at any time by Service Provider or Service Provider
Personnel in connection with or incidental to the performance of this Addendum
or the Agreement; or (iii) derived by Service Provider or Service Provider
Personnel from the information described in (i) or (ii) above. Personal
Information includes cardholder data from Customer’s customers, including but
not limited to, transaction authorization information, credit card numbers,
service codes and expiration dates, and Track 1 and Track 2 data contained on
the magnetic stripe of standard credit and debit cards and other information
within the scope of the PCI Standard (collectively, “Cardholder Data”).

 

1.4.         “Process”, “Processed” or “Processing” means any operation or set
of operations performed upon Personal Information, whether or not by automatic
means, such as creating, collecting, procuring, obtaining, accessing, recording,
organizing, storing, adapting, altering, retrieving, consulting, using,
disclosing, transmitting or destroying the data.

 

2.             PROTECTION OF PERSONAL INFORMATION

 

2.1.         OBLIGATION TO PROTECT.

 

2.1.1.         Service Provider’s obligations regarding Personal Information
shall extend to employees, officers, directors, agents, advisors, contractors,
any subcontractors or other party or person acting on behalf of or at the
direction of Service Provider (collectively, “Service Provider Personnel”) with
Access pursuant to the Agreement or the performance of Services thereunder.
Service Provider shall limit Access to Service Provider Personnel who have a
need to know the Personal Information as a condition to Service Provider’s
performance of Services for or on behalf of Customer and who have agreed in
writing to comply with legally-enforceable privacy, confidentiality and security
obligations that are substantially similar to those required by this Addendum
(including in the case of contractors and subcontractors, an acknowledgement of
their responsibility for the security of any Cardholder Data where such
contractors or subcontractors Process Cardholder Data or manage any systems (or
components of such systems) that store, process or transmit Cardholder Data).
Service Provider shall ensure that all Service Provider Personnel comply with
the provisions of this Addendum regarding the handling and treatment of Personal
Information.

 




 



 

2.1.2.         Service Provider shall not contract any of its rights or
obligations concerning Personal Information without the prior written consent of
Customer. Where Service Provider, with the consent of Customer, contracts such
rights or obligations, Service Provider shall enter into a written agreement
with each contractor that imposes obligations on the contractor that are
substantially similar to those imposed on Service Provider under this Addendum.
Service Provider shall only retain contractors that Service Provider reasonably
can expect to be suitable and capable of performing the delegated obligations in
accordance with this Addendum, the Agreement and Customer’s instructions.

 

2.1.3.         Service Provider agrees to hold, maintain, and manage (i) the
existence and terms of this Addendum, and any related agreement, and (ii) any
and all Personal Information in strictest confidence and use due care to prevent
any unauthorized or inappropriate disclosure. Service Provider will not, and
will not allow any third party under its control (including Service Provider
Personnel) to transmit or disclose any of the Personal Information to any third
party, except as required in the provision of the Services, required by law or
governmental order, or otherwise with Customer’s express written consent.

 

2.1.4.         Service Provider shall notify Customer promptly in writing of any
subpoena or other judicial or administrative order by a government authority or
proceeding seeking access to or disclosure of Personal Information. Customer
shall have the right to defend such action in lieu of and on behalf of Service
Provider. Customer may, if it so chooses, seek a protective order. Service
Provider shall reasonably cooperate with Customer in such efforts.

 

2.1.5.         Service Provider covenants and agrees to adhere to all applicable
requirements to be considered compliant with the PCI Standard and shall perform
the necessary steps to validate its compliance with the PCI Standard. Service
Provider shall provide to Customer a copy of its most recent validation of PCI
Standard compliance and all supporting documentation (including any exceptions
noted therein) promptly following the Amendment Effective Date, and on an annual
basis thereafter (or at such other time to coincide with Customer’s own PCI
Standard certification). Service Provider will promptly notify Customer if it
learns that it is no longer compliant with the PCI Standard, or reasonably
anticipates that it is or will be non-compliant, and will promptly inform
Customer of the steps being taken to remediate such non-compliance. Service
Provider acknowledges that it is responsible for the security of any Cardholder
Data in its possession.

 

2.2.         SERVICE PROVIDER WRITTEN SECURITY POLICY.

 

2.2.1.         Service Provider hereby warrants, represents and covenants that,
as of the Amendment Effective Date, it has and will at all times during the term
of the Agreement, maintain a comprehensive written information security program
that complies with applicable Privacy Laws (as defined below). Service
Provider’s information security program shall include appropriate
administrative, technical, physical, organizational and operational safeguards
and other security measures designed to (a) establish minimum standards to be
met in connection with the safeguarding of Personal Information contained in
both paper and electronic records; (b) protect the security and confidentiality
of Personal Information in a manner consistent with applicable industry
standards; (c) protect against anticipated threats or hazards to the security or
integrity of Personal Information; and (d) protect against any actual or
suspected unauthorized Processing, loss, use, disclosure or acquisition of or
Access to any Personal Information (hereinafter “Information Security
Incident”).

 




 

 

2.2.2.         Service Provider shall immediately inform Customer in writing of
any Information Security Incident of which Service Provider becomes aware. Such
notice shall summarize in reasonable detail the effect on Customer, if known, of
the Information Security Incident and the corrective action taken or to be taken
by Service Provider. Service Provider shall promptly take all necessary and
advisable corrective actions, and shall cooperate fully with Customer in all
reasonable and lawful efforts to prevent, mitigate or rectify such Information
Security Incident. The content of any filings, communications, notices, press
releases or reports related to any Information Security Incident must be
approved by Customer prior to any publication or communication thereof.

 

2.2.3.         Service Provider shall provide appropriate training to and
exercise the necessary and appropriate supervision over its relevant Service
Provider Personnel to maintain appropriate privacy, confidentiality and security
of Personal Information.

 

2.3.         RETURN OR SECURE DESTRUCTION OF PERSONAL INFORMATION. Promptly upon
the expiration or termination of the Agreement or as otherwise requested by
Customer, Service Provider shall, at Customer’s written request, either (i)
destroy or render unreadable or undecipherable, or (ii) return to Customer, each
and every original and copy in every media of all Personal Information in
Service Provider’s possession, custody or control by secure means.

 

2.4.         COMPLIANCE.

 

2.4.1.         Service Provider agrees to comply with: (i) all applicable
federal, state, and local laws, rules, regulations and governmental
requirements, as the same may be amended or supplemented from time to time,
pertaining in any way to the privacy, confidentiality, security, management,
disclosure, reporting, and any other obligations attaching or arising from the
possession or use of Personal Information, including without limitation, the
Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801-6827, and all regulations
implementing GLBA; the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et
seq., as amended by the Fair and Accurate Credit Transactions Act (“FACTA”), and
all regulations implementing the FCRA and FACTA; the Controlling the Assault of
Non-Solicited Pornography and Marketing Act (CAN-SPAM); security breach
notification laws; laws imposing minimum security requirements (such as 201
Mass. Code Reg. 17.00); laws requiring the secure disposal of records containing
certain Personal Information (such as N.Y. Gen. Bus. Law § 399-H)
(collectively, the “Privacy Laws”); (ii) all applicable industry standards
concerning privacy, data protection, confidentiality or information security,
including, without limitation, the PCI Standard; and (iii) all applicable
provisions of Customer written policies currently in effect and as they become
effective relating in any way to the privacy, confidentiality and security of
Personal Information or applicable privacy policies, statements or notices that
are provided to Service Provider in writing.

 

2.4.2.         Service Provider warrants that no applicable law, or legal
requirement, or privacy or information security enforcement action,
investigation, litigation or claim prohibits Service Provider from fulfilling
its obligations under this Addendum. In the event a law, or legal requirement,
or privacy or information security enforcement action, investigation, litigation
or claim, or any other circumstance, is reasonably likely to adversely affect
Service Provider’s ability to fulfill its obligations under this Addendum,
Service Provider shall promptly notify Customer in writing and Customer may, in
its sole discretion and without penalty of any kind to Customer, suspend the
transfer or disclosure of Personal Information to Service Provider or access to
Personal Information by Service Provider, terminate any further Processing of
Personal Information by Service Provider, and terminate the Agreement, if doing
so is necessary to comply with applicable Privacy Laws.

 


 



 

2.4.3.         Service Provider shall enter into any further privacy or
information security agreement reasonably requested by Customer for the purpose
of compliance with applicable Privacy Laws. In case of any conflict between this
Addendum and any such further data privacy or information security agreement,
such further agreement shall prevail with regard to the Processing of Personal
Information covered by it.

 

2.5.         INJUNCTIVE RELIEF. Service Provider agrees that any Processing of
Personal Information in violation of Section 2 of this Addendum, Customer’s
instructions or any applicable Privacy Law, or any Information Security
Incident, may cause immediate and irreparable harm to Customer for which money
damages may not constitute an adequate remedy. Therefore, Service Provider
agrees that Customer may seek to obtain specific performance and injunctive or
other equitable relief for any such violation or incident, in addition to its
remedies at law, without proof of actual damages. Service Provider agrees to
waive any requirement for the securing or posting of any bond in connection with
such remedy.

 

3.             WARRANTY AND INDEMNIFICATION

 

Service Provider warrants and represents that it is capable of maintaining
safeguards for Personal Information as otherwise provided in this Addendum.
Notwithstanding anything to the contrary in the Agreement, Service Provider
shall indemnify, defend and hold harmless Customer, their officers, directors,
shareholders, and employees from any and all third-party claims, losses,
demands, liabilities, suits, enforcement actions, damages, penalties, fines,
expenses and costs (including attorneys’ fees, consultants’ fees and court
costs) arising from or related to (i) the failure of Service Provider to comply
with Privacy Laws; (ii) any violation of Section 2 of this Addendum; (iii) the
loss, misappropriation or other unauthorized disclosure of Personal Information
by Service Provider or Service Provider Personnel; (iv) the negligence, gross
negligence, bad faith, or intentional or willful misconduct of Service Provider
or Service Provider Personnel in connection with obligations set forth in this
Addendum; (v) Service Provider’s use of any contractor providing services in
connection with or relating to Service Provider’s performance under this
Addendum; and (vi) any Information Security Incident involving Personal
Information in Service Provider’s possession, custody or control, or for which
Service Provider is otherwise responsible.

 

4.             ACCESS TO CUSTOMER IT RESOURCES OR SYSTEMS

 

4.1.         RESTRICTIONS. Except as specifically contemplated in provision of
the Services, Service Provider agrees that it will not and will not allow any
Service Provider Personnel or other third party acting at its direction to (i)
transfer or use Personal Information (or access Personal Information from)
outside of the United States; (ii) attempt unauthorized access to such Personal
Information; (iii) input, delete or otherwise modify any Personal Information or
make any changes to the Customer’s IT resources or systems; or (iv) access, or
attempt to access, any third-party networks or systems from the Customer’s IT
resources or systems except as necessary for performance of the Services.

 

4.2.         UNAUTHORIZED STORAGE. Unless expressly authorized in writing by
Customer, Service Provider shall not allow any Personal Information to be stored
on or Accessed by laptops, USB drives, blackberry devices, or any other portable
storage media belonging to Service Provider or Service Provider’s Personnel,
except as required for the performance of the Services and only for such
duration of time necessary to complete the performance of the applicable
Services.

 

4.3.         CREDENTIALS. If Service Provider or Service Provider’s Personnel is
provided (i) a login ID, password or other authentication credential such as a
digital certificate, token, smartcard, or biometrics device; or (ii) Customer
facility identification cards or other physical security access permission
(collectively, “Credentials”), Service Provider shall treat Credentials with the
utmost care and confidentiality to prevent unauthorized disclosure or misuse.
Service Provider acknowledges that any Credentials issued to it are Customer’s
Confidential Information subject to the protections provided in the Agreement,
and Service Provider and Service Provider Personnel will not share, disclose or
use the Credentials in any unauthorized manner. Service Provider agrees that it
is responsible for the actions of any individuals using the Credentials issued
to it. Upon the termination of the Services or the underlying Agreement, Service
Provider will promptly return any Credentials to Customer upon request or when
network or physical access is no longer required. Service Provider shall
promptly notify Customer if any Service Provider Personnel is terminated or
reassigned from Customer’s account, or is otherwise no longer performing
Services under the Agreement, so that Customer may deactivate such Service
Provider Personnel’s Credentials.




 



 

4.4.         SECURITY DESIGN INFORMATION. For the avoidance of doubt, any
information related to the design or security topology of Customer’s IT
resources and systems acquired by Service Provider or that may be gained by
virtue of Service Provider’s Access shall constitute Confidential Information of
Customer, and Service Provider shall not share, disclose or use such design or
security information in any unauthorized manner.

 

4.5.         REMOTE ACCESS. If the Services involve remote Access to a Customer
IT resource or system, the parties shall agree upon an encryption mechanism for
use in exchanging any Personal Information and any other information in
accordance with this Addendum. Upon being provided the same, Service Provider
shall use the approved encryption mechanism for all such communications. In
addition, Service Provider shall take all reasonable precautions to prevent
transmission of a computer virus, malware, or other malicious code to a Customer
IT resource or system or any Customer customer or employee where the Services
contemplate its access to a Service Provider IT resource or system. Service
Provider shall maintain current industry standard anti-virus and anti-malware
tools on its IT resources and systems that will interface with a Customer IT
resource or system and shall ensure that all its IT resources and systems are
maintained with up-to-date security patches, hotfixes, and other similar
software or firmware changes. Prior to transmission of information to Customer,
Service Provider will use anti-virus software to check for and eradicate
viruses. Furthermore, Service Provider shall prohibit Service Provider Personnel
from using their personal IT assets or resources to gain access to any Customer
IT resource or system except as otherwise provided in the Agreement. If any
Services performed by Service Provider Personnel are performed using
non-Customer-owned and controlled IT assets and resources, such assets and
resources shall comply with this Addendum. Service Provider will notify Customer
promptly if a virus, malware, or other malicious code is detected in a file sent
to or received from Customer.

 

4.6.         BACKGROUND INVESTIGATIONS. Service Provider acknowledges and agrees
that it is responsible for the conduct of reference checks, criminal background
checks and such other screening measures as a reasonably prudent employer would
deem appropriate, of Service Provider Personnel prior to such individual’s
performance of any Services which involve Access. Vendor shall not assign any
Vendor Personnel to Customer’s account or otherwise allow any Vendor Personnel
to have Access if such Personnel have been found to have engaged in criminal
acts that involve fraud, dishonesty, or breach of trust, or that constitute a
felony under applicable law. Vendor has the ongoing duty to inform Customer
promptly upon learning that any Vendor Personnel have been convicted of a
felony, and to remove any such individual promptly from Customer’s account.
Notwithstanding the foregoing, Customer, in its sole discretion, has the option
of barring any person from any Customer facilities.

 

5.             AUDIT AND MONITORING RIGHTS

 

5.1.         CUSTOMER SYSTEMS. Service Provider’s Personnel, while using the IT
resources or systems of Customer, may be subject to monitoring and their
activity recorded. Service Provider, for itself and Service Provider Personnel,
expressly consents to such monitoring and recording. No advanced notice or
warning shall be required to monitor Service Provider Personnel’s use of a
Customer IT resource or system.




5.2.         AUDIT RIGHTS. In addition to any other audit rights provided in the
Agreement, upon reasonable advance notice, Customer shall have the right to
audit Service Provider’s information to the extent required to assess compliance
with the terms of this Addendum. During normal business hours, with reasonable
notice, Customer or its authorized representatives may reasonably inspect
Service Provider’s facilities and equipment, and any information or materials in
Service Provider’s possession, custody or control, relating to Service
Provider’s obligations under Section 2 of this Addendum. Such audit may be
conducted by reputable third party auditors hired on behalf of Customer and
reasonably acceptable to Service Provider, and shall be conducted so as to
minimize any disruption to the Service Provider’s operations. Service Provider
shall provide reasonable cooperation with such auditors and will provide
reasonable access to facilities necessary to audit and test compliance. Service
Provider shall deal promptly and appropriately with any inquiries from Customer
relating to the Processing of Personal Information subject to this Addendum.

 

5.3.         REPORTS. At Customer’s reasonable request (depending upon the type
of Access pursuant to the Agreement or the performance of Services thereunder),
Service Provider will provide, or cause to be prepared and provided, (i) a
description prepared by management of Service Provider of Service Provider’s
systems relating to the Services, including the control objectives and related
controls applicable to such systems, and/or (ii) an executed copy of one or more
opinions or attestations (as applicable) from independent auditors of national
reputation engaged and compensated by Service Provider, of Type II examinations
in accordance with SAS No. 70 (or a comparable or successor standard, such as
Statement on Standards for Attestation Engagements (SSAE) No. 16 or
International Standard on Assurance Engagements (ISAE) No. 3402), containing no
material exceptions and identifying no material weakness or significant
deficiency (each, a “Report”). Any such Reports shall be provided at no expense
to Customer and completed as of a date to which the parties agree.

 

6.             OWNERSHIP

 

As between the parties, the Personal Information and Credentials, together with
any intellectual property rights therein, including, but not limited to,
copyrights, shall be the sole property of Customer, and Service Provider shall
not have or obtain any rights therein.

 

7.             CONFLICT

 

In the event of a conflict between the terms of this Addendum and the terms of
the Agreement, the terms of this Addendum shall govern and control such
conflict.

 

8.             NOTICE

 

With respect to notice pursuant to paragraph 2.2.2. hereof, notice shall be made
telephonically to Customer’s Chief Information Security Officer at (704)
633-8250 and to Customer’s IT Support at (800) 559-6161, followed promptly by
written notice in the form and manner set forth in the Agreement.

 

 

 




