





Exhibit 10.63
Confidential Materials omitted and filed separately with the
Securities and Exchange Commission. Double asterisks denote omissions.





Tregaron-Endurance Master Services Agreement – Amendment No. 3
This Tregaron-Endurance Services Agreement – Amendment No. 3 (“the Third
Amendment”) is hereby made and entered into this 18th day of December 2017 (the
“Third Amendment Effective Date”) by and between The Endurance International
Group, Inc. ("Endurance") and Tregaron India Holdings, LLC (“Service Provider”)
(Endurance and Service Provider may be individually referred to as a “Party” or
collectively as the “Parties”).
WHEREAS, the Parties entered into that certain Tregaron-Endurance Master
Services Agreement, dated September 25, 2013, as amended by Amendment No. 1,
dated February 7, 2014, and Amendment No. 2, dated December 5, 2014 (hereinafter
collectively referred to as the “Agreement”); and
WHEREAS, the Parties hereto desire to further amend the Agreement as set forth
herein.
NOW, THEREFORE, for good and valuable consideration of the mutual promises and
covenants contained herein, the receipt and sufficiency of which are hereby
acknowledged, the Parties hereby agree as follows:
1.
Unless otherwise expressly provided herein, all defined terms shall have the
meanings set forth in the Agreement.

2.
Invoice No.8673 in the amount of [**] US dollars and [**] cents ($[**] USD) and
Invoice No. 9443 in the amount of [**] US dollars and [**] cents ($[**] USD)
shall hereby be voided by Service Provider and Endurance shall not owe any
payment to Service Provider pursuant to such invoices.

3.
In anticipation of fulfilling Endurance’s requirements for the Services, Service
Provider may increase staffing (“Ramp Up”). Service Provider hereby agrees that
Service Provider shall not charge Endurance for any such Ramp Up or any costs
associated therewith that occur during the fourth quarter of 2017.

4.
For the billing period covering October 1, 2017 through December 31, 2017,
Service Provider shall provide Endurance with a discount of [**] percent ([**]%)
off the total amount of any invoice associated with this period based on pricing
in effect as of October 1, 2017.

5.
Effective January 1, 2018 through the remaining Term of the Agreement, Service
Provider shall provide Endurance with a discount of [**] percent ([**]%) off the
total amount of any and all invoices associated with the Services provided based
on pricing in effect as of October 1, 2017.

6.
Without limitation to any of the foregoing, effective October 1, 2017, Service
Provider shall provide Endurance with a discount of [**] US dollars ($[**] USD)
per month for Engineering



 





--------------------------------------------------------------------------------







and/or Network Operations Services. Service Provider shall provide such discount
on the monthly invoices issued by Service Provider in connection with the
Engineering and/or Network Operations Services.
7.
To the extent that Endurance has already paid any invoices for Services provided
on or after October 1, 2017, Service Provider shall adjust the next two invoices
issued by Service Provider to include the applicable discount. In other words,
discounts due for the month of October 2017, will be split equally over November
2017 and December 2017 invoices.

8.
The pricing in effect as of October 1, 2017 shall remain in full force and
effect for the remaining Term of this Agreement subject to any modifications
made by mutual written amendment to this Agreement as executed by both Parties.

9.
The following Section 35 shall be added to Exhibit B of the Agreement:

“35. Information Security. Notwithstanding anything to the contrary and without
limitation to any other compliance requirements in this Agreement, Service
Provider shall implement sound policies and procedures leveraging good security
practices consistent with prevalent industry standards. Such mutually acceptable
policies and procedures shall include, without limitation, the privacy and
security requirements attached hereto as Schedule 1, which may be modified by
Endurance from time to time to address the evolving threat landscape and
identification of additional security risks. Service Provider, upon written
acceptance of said modified policies and procedures, shall comply with all
policies and procedures as developed and provided by Endurance.”
10.
Counterparts. This Third Amendment may be executed in any number of
counterparts, each of which shall be deemed to be an original and all of which
together shall be deemed to be one and the same instrument.

11.
This Third Amendment, together with the Agreement, constitutes the entire
understanding and agreement of the Parties with respect to the subject matter of
this Third Amendment and supersedes any and all prior agreements, written or
oral, dealing with the subject matter of this Third Amendment. In the event of a
conflict between this Third Amendment and the Agreement, the terms of this Third
Amendment shall govern.

12.
Except as amended herein, all other terms and conditions of the Agreement shall
remain in full force and effect and are hereby ratified. Except as expressly
amended herein, no present or future rights, remedies, benefits or power
belonging or accruing to Parties hereto, shall be affected, prejudiced, limited
or restricted hereby.



 





--------------------------------------------------------------------------------







IN WITNESS WHEREOF, the duly authorized officers or representatives of Endurance
and Service Provider have executed this Amendment as of the Third Amendment
Effective Date above intending legally to be bound.
THE ENDURANCE INTERNATIONAL GROUP, INC.


TREGARON INDIA HOLDINGS,LLC
By:     /s/ Christine Barry            
By:     /s/Vidya Ravichandran            


Name: Christine Barry            
Name: Vidya Ravichandran            
Title: Chief Services Officer            
Title: President                
Date: 12/18/17                
Date: 12/19/2017                





 





--------------------------------------------------------------------------------







Schedule 1 – Privacy and Security Requirements


1. Definitions. Any capitalized terms not defined herein will have the meaning
set forth in the Agreement.
1.1     "Agreement" means the Master Services Agreement, as amended, to which
this Schedule is attached.
1.2     "Destroy" means to render the information permanently and completely
unreadable, destroyed and undecipherable.
1.3    “Information Security Program” means the comprehensive, organized
collection of documented artifacts and processes that are used to continuously
deliver information security across the enterprise.
1.4    "Personal Data" means any information relating to an identified or
identifiable natural person ("data subject"); an identifiable person is one who
can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, online
identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that person.
1.5    "Sensitive Personal Data" are personal data, revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade-union
membership; data concerning health or sex life and sexual orientation; genetic
data or biometric data.
1.6    "Process" means "Processing" as defined in Article 2(b) of the European
Union ("EU") Data Protection Directive, 95/46/EC ("Data Protection Directive").
1.7    “Security Incident” means the actual loss, or reasonable belief that
there is any loss, of EIG Confidential Information, or any unauthorized or
unlawful access to, use of, or disclosure of, EIG Confidential Information, or
any other compromise of EIG Confidential Information.    
1.8     "Services" has the meaning ascribed in the Agreement.
1.9    "Subcontractor" means any third party authorized by Service Provider to
which Service Provider discloses or allows access to EIG Confidential
Information.
1.10    “Successful Penetration Test” means a test script that achieves a
specific, attacker-simulated goal for purposes of generating a report of how
security was breached in order to reach the agreed-upon goal and remediation
plan.
1.11    “Trusted Access” means access to EIG Confidential Information that
exceeds the standard level of access granted to Service Provider’s employees to
provide the Services.
1.12    “Trusted Multi-Tenant” means an architectural model that provides
comprehensive and complete separation between service users integrating quality
of service, management reporting, security, encryption and compliance.
1.13    “EIG Authorized Requestor” means a person listed as a contact within EIG
and authorized to request changes or similar actions.
1.14    “EIG Confidential Information" means all Confidential Information (as
defined in the Agreement) disclosed by EIG to Service Provider including,
without limitation, all Personal Data, Sensitive Personal Data, and all
information and materials relating to EIG’s (a) business, operations, financial
condition, marketing, pricing, business plans, capital structure, organizational
structure, information systems, management, service partners, subcontractors,
and vendors; (b) services, products, tools, methodologies, processes, know-how
and intellectual capital, research and development, inventions; (c) directors,
officers, management, employees, retirees, benefit plan participants and
dependents, and shareholders; (d) clients and any of their needs and plans,
directors, officers, employees, retirees, benefit plan participants and
dependents, and shareholders (e) EIG system user names or system identities, IT
architecture and infrastructure and similar type of information that identify
EIG environments (f) any other information that a reasonable business person
would understand to be confidential or not otherwise publicly available. The EIG
Confidential Information will not include information or materials (except those
comprising Personal Data or Sensitive Personal Data): (a) already known to the
recipient and documented in its files at the time of disclosure; (b) in the
public domain or available to


 





--------------------------------------------------------------------------------







the public; (c) available to the recipient from third parties without any
nondisclosure obligation to the discloser that is known to recipient; or (d)
independently developed by recipient without any reference to EIG Confidential
Information.
1.15    “Vulnerability Assessment” means the process of identifying, quantifying
and prioritizing the vulnerabilities on a system so as to produce a prioritized
list of discovered vulnerabilities and remediation plan.


2. Compliance
2.1 Service Provider agrees that it will comply with all applicable local,
state, federal and foreign laws in providing the Services, including without
limitation the Massachusetts Standards for the Protection of Personal
Information of Residents of the Commonwealth (201 CMR 17.00) and EU Member State
laws or regulations implementing the EU Data Protection Directive as amended.


2.2 Additionally, without limiting the foregoing, during the term of the
Agreement and for so long as Service Provider retains EIG Confidential
Information, Service Provider will obtain [**] independent attestation to the
effectiveness of Service Provider’s product and corporate Privacy and Security
Programs. It is mandatory for Service Provider to obtain compliance by [**] with
the most current PCI-DSS standard for all in scope hardware, software,
functions, and processes or similar used in providing the Services.
Additionally, by [**], Service Provider must either undergo SSAE16 SOC 2 Type 2
audits with all trusted service principles or ISO27001 and ISO27018
certification for non-PCI activities or Services.


2.3 Service Provider will not store any EIG Confidential Information outside the
United States without EIG’s prior written permission. Where permission is
granted, EIG Confidential Information will be transferred using prevalent
industry standard encryption and will comply with all applicable privacy data
protection principles for so long such recipient retains such information. EIG
Confidential Information stored in any locations will be stored at rest in an
encrypted format, or with EIG permission, unencrypted with mitigating controls
applied and demonstrated as effective.


3. Fraud Prevention
3.1. The Parties acknowledge that the Services combined with Trusted Access
involves a potential risk for abuse, including without limitation, credit card
fraud and identity theft, and thus Service Provider shall have and maintain in
place throughout the term of the Agreement adequate policies and procedures to
reasonably prevent fraudulent abuse, enforcing them where appropriate and
coordinating with EIG when necessary.


4. Data Ownership and Control
4.1 As between Service Provider and EIG, all EIG Confidential Information
remains, at all times, the sole property of EIG. Service Provider will promptly
comply with any commercially reasonable request from EIG requiring Service
Provider to amend, transfer, return, or mask EIG Confidential Information, to
the extent permitted by applicable law, and to the extent EIG does not have the
reasonable ability to do so itself in its use of the Services. Service Provider
will restrict access to EIG Confidential Information to those who need such
access to perform their job duties.


4.2 Service Provider will take reasonable steps to ensure that disposal of
removable media holding, or suspected of once holding, EIG Confidential
Information, including without limitation, tapes, floppy discs, hard drives, or
laptops or any other portable devices or media will be disposed of in such a way
that EIG Confidential Information is not recoverable by any computer forensic
means.


 





--------------------------------------------------------------------------------









4.3 Service Provider will ensure that EIG Confidential Information on paper and
other shreddable media including without limitation paper, microfiche,
microfilm, CDs will be shredded using cross-cut shredding machines when no
longer needed. This media may be shredded immediately or temporarily stored in a
highly secured, locked container. The media may be shredded at a location other
than the Service Provider's facilities; however it must be transferred in a
highly secured locked container. Service Provider is responsible for supervising
the shredding regardless of where the shredding activity occurs and by whom the
shredding is performed. EIG Confidential Information on this media must be
completely destroyed by shredding such that the results are not readable or
useable for any purpose.


4.4 For avoidance of doubt, any deletion of EIG Confidential Information
described in this section will be subject to applicable legal requirements that
require Service Provider to retain EIG Confidential Information. Upon EIG's
request and after EIG Confidential Information has been Destroyed in accordance
with the provisions of this section, Service Provider must promptly certify in
writing to EIG that it has returned or Destroyed, as applicable, all EIG
Confidential Information. Notwithstanding anything to the contrary in the
Agreement or this Schedule, in the event of a change in any law or regulation or
a change in a governmental interpretation or application of a law or regulation
that applies to the Service (a "Change in Law"), to the extent EIG reasonably
determines that such Change in Law causes the storage of EIG Confidential
Information by EIG in the Service to violate applicable law or regulation, and
EIG cannot implement a commercially reasonable change to its configuration or
use of the Service to avoid such violation, then EIG may so notify Service
Provider in writing. If within thirty (30) days after such notice Service
Provider does not make available to EIG a change in the Service or a recommended
change in EIG's configuration or use of the Service that will avoid such
violation without unreasonably burdening EIG, then EIG may terminate this
Agreement upon written notice to Service Provider and receive a refund of any
prepaid fees for the period following the effective date of termination. Each
party represents as of the Amendment Effective Date that it is unaware of any
applicable law, regulation, or prospective Change in Law that would be violated
by Service Provider’s storage of EIG Confidential Information in connection with
the Services.


5. Data Security
5.1 Notwithstanding anything to the contrary in the Agreement, Service Provider
will implement and maintain industry standard practice administrative, technical
and physical measures that are designed to protect the security, integrity,
confidentiality, and availability of EIG Confidential Information, including
without limitation, protecting EIG Confidential Information against threats
(actual or anticipated) or hazards, improper, unauthorized or unlawful access,
use or disclosure, any reasonably anticipated loss, or any other reasonably
anticipated compromise, and will internally review such security measures and
maintain such security measures in a manner consistent with applicable industry
prevalent standards.


5.2 Service Provider will encrypt all electronic EIG Confidential Information
that is (a) required to be encrypted under applicable laws, regulations, or
standards (including without limitation PCI standards), when transmitted or
stored electronically. Service Provider will use security technologies
(including without limitation database encryption, intrusion detection and
prevention, anti-virus, anti-malware, security event/incident monitoring,
encryption, password protection and firewall protection) in providing the
Services. In no event will Service Provider permit any other third party to
undertake, mining of any content of EIG Confidential Information
 


 





--------------------------------------------------------------------------------







5.3 Where applicable, Service Provider will use a security-conscious software
development lifecycle for software engineering that will [**]. Service Provider
will additionally ensure production data is not replicated or used in a
non-production environment.
 
5.4 Service Provider will maintain a training program for all employees,
contractors and temporary workers with access to, or likely to have access to,
EIG Confidential Information, in written or electronic form. The training
program will include without limitation updates throughout the year, instruction
on maintaining awareness and compliance with security policies, procedures,
standards and applicable regulatory requirements.
 
5.5 Service Provider will maintain access control policies, processes and
procedures for segregation of duties and granting and timely revocation of
Service Provider employee, contractor or temporary worker normal and privileged
access to, without limitation, EIG Confidential Information, applications,
databases, servers, network infrastructure in accordance with best industry
practice. Service Provider’s management will approve and be aware of privileged
access and will monitor for inappropriate actions.


5.6 Service Provider will define policies, processes and procedures establishing
business continuity and disaster recovery requirements, as well as a method for
determining the impact of any disruption to the organization incorporating:
[**].


5.7 Service Provider will disclose all non-US locations involved in the
delivering the Services including but not limited to software engineering and
customer support.


5.8 In addition to PCI obligations, Service Provider will perform [**] Testing
(the “Test”) of its corporate non-PCI infrastructure to verify the sufficiency
of its security measures, and in a reasonable timeframe undertake commercially
reasonable efforts to remedy any critical defect detected in such assessment
report. The Test will be performed by an industry recognized security firm, or
individual, of sufficient knowledge and skill to attempt non-standard approaches
to the Test. A summary of the results of the Test and Service Provider’s plan
for addressing or resolving critical items will be shared with EIG within [**]
of the Service Provider’s receipt of the results. The Test should, at a minimum,
[**]. Service Provider further agrees that where an incident is declared a Test
and Vulnerability Assessment will be performed as soon as practicable post
incident.


5.9 Service Provider will make itself and any employees, subcontractors, or
agents assisting Service Provider in the performance of its obligations under
the Agreement available to EIG at no cost to EIG to testify as witnesses, or
otherwise, in the event of litigation or administrative proceedings against EIG,
its directors, officers, agents or employees based upon a claimed violation of
laws relating to security and privacy and arising out of this Agreement.


5.10 The obligations of this Section 5 will not act to restrict Service
Provider's lawful disclosure of the EIG Confidential Information pursuant to any
applicable state or federal laws or by request or order of any court or
government agency. Provided, however, before making such a disclosure, Service
Provider must give notice as described in Section 9.2.


5.11 In the event: (a) of an incident which has a significant impact or urgency
for EIG’s business, in EIG’s sole discretion, and which demands a response
beyond the routine incident management process but does not


 





--------------------------------------------------------------------------------







meet the criteria of a Security Incident under Section 1.7 (a “Major Incident”);
or (b) EIG is required by law and has demonstrated such need to Service
Provider, Service Provider must provide within a reasonable timeframe, any data
stored regarding any person affiliated with EIG, access logs, activity logs,
transaction logs, changes to access rights, etc., as detailed by the system
architecture and practices provided by Service Provider, including without
limitation:
[**].


6. Physical and Environmental Security


[**]


7. Privacy or Security Incidents
7.1 Service Provider will have appropriate staff on duty 24/7/365, and on site
during regular Service Provider business hours, capable of identifying,
categorizing and responding to a security or privacy incident and will at all
times maintain an adequate and appropriate data security and privacy incident
management program. In the event there is, or Service Provider reasonably
believes that there is, a Security Incident, Service Provider will promptly
notify EIG, subject to any legal or regulatory requirements to which Service
Provider must adhere, and will promptly take steps to implement a security fix
across the Services. Service Provider will promptly, but no later than [**],
after discovering a Security Incident, notify EIG in writing of the Security
Incident. Further, Service Provider will:
 
•
reasonably cooperate with EIG to investigate and resolve the Security Incident,
including without limitation, assisting with providing information within its
control or possession required by EIG to provide any third party notifications
of the Security Incident;

•
be responsible for all damages (including out-of-pocket costs) arising from a
breach of Service Provider’s obligations with regard to a Security Incident,
with the limitations established in Section 16 of the Agreement;

•
provide forensic reports (or assist EIG in preparing written responses to audit
requirements and/or findings without charge, sufficient to enable EIG to comply
with its legal obligations with regard to any Security Incident arising from a
breach of Service Provider’s obligations under this Agreement with regard to a
Security Incident, or if it does not do so, be responsible for reasonable costs
for EIG to perform a forensic analysis;

•
be responsible for reasonable costs for EIG's legally required notification of
data subjects with regard to any Security Incident arising from the breach of
Service Provider’s obligations under the Agreement, subject to all limitations
set forth in the Agreement;

•
be responsible for reasonable costs for EIG's provision of [**] credit
monitoring for data subjects affected by any Security Incident arising from the
breach of Service Provider’s obligations under the Agreement;

•
be responsible for reasonable costs for EIG to create and implement a security
breach support hotline in response to any Security Incident arising from the
breach of Service Provider’s obligations under the Agreement; and

•
appropriately document responsive actions taken related to any Security
Incident, including without limitation, post-incident review of events and
actions taken, if any, to make changes in business practices related to the
protection of EIG Confidential Information, escalation procedures to senior
managers, and any reporting to regulatory and law enforcement agencies.





 





--------------------------------------------------------------------------------







7.2 Notwithstanding the foregoing, if Service Provider is found to have engaged
in negligent acts in connection with its obligations under the Agreement,
Service Provider will be responsible for all costs and expenses in connection
with its participation in any EIG or governmental investigations regarding EIG
Confidential Information or the provision of the Services.
 
7.3 The content and provision of any notification by EIG of the Security
Incident will be solely at the discretion of EIG, provided EIG will not name
Service Provider in any notification unless mutually agreed by both parties in
writing, unless otherwise required by applicable law or government request.


7.4 The obligations of this Section 7 will not act to restrict Service
Provider's lawful disclosure of the EIG Confidential Information pursuant to any
applicable state or federal laws or by request or order of any court or
government agency. Provided, however, before making such a disclosure, Service
Provider must give notice as described in Section 9.2.


7.5 Service Provider must provide the following for the Security Incident when
"relevant data" might include any data stored regarding any person affiliated
with EIG, access logs, activity logs, transaction logs, changes to access
rights, etc., as detailed by the system architecture and practices provided by
Service Provider:


[**]


8. Subcontractors
Service Provider will ensure that each approved Subcontractor will comply with
terms not less stringent than the terms of this Schedule as may be applicable to
such obligations arising out of the Agreement as are performed by such
Subcontractor. Service Provider will be legally responsible to EIG for any
compensable damages under this Agreement suffered by EIG attributable to any
Subcontractor engaged by Service Provider to perform any part of Service
Provider's obligations under this Agreement, without prejudice to Service
Provider's ability to assert and pursue any claim against any such
Subcontractor. If Service Provider has knowledge of a reasonably suspected or
actual violation of Service Provider's obligations under this Agreement by a
Subcontractor, Service Provider will notify EIG promptly in writing (email
permitted). If EIG determines that such Subcontractor has violated Service
Provider's obligations with respect to EIG Confidential Information, EIG
reserves the right to require Service Provider to stop using the Subcontractor
for any of the Services provided to EIG promptly and to require the
Subcontractor to return or destroy all EIG Confidential Information in
Subcontractor's possession or control promptly. Notwithstanding anything to the
contrary in the Agreement or this Schedule, Subcontractors will not disclose or
allow access by any other party to any EIG Confidential Information without the
prior written consent (email permitted) of EIG, except to the extent such
disclosure or access is required by applicable law.


9. Data Processing and Disclosure.
9.1 The Parties will not Process or disclose the other Party’s information for
any purpose, except to the extent (i) necessary to provide the Services in
accordance with the terms of the Agreement; (ii) as mutually agreed to in
writing by the Parties; or (iii) to the extent required by applicable law.


9.2 Notwithstanding anything to the contrary in the Agreement, neither Party
will disclose nor allow access to any Confidential Information of the other
Party to any third party without the prior written consent of the other Party,
except to the extent required by applicable law. If any Party receives a
request, demand or other similar notice seeking disclosure, from a third party
in connection with any government investigation or court


 





--------------------------------------------------------------------------------







proceeding that the Party believes would require it to produce or disclose any
Confidential Information from the other Party, then the Party will first
promptly notify the other Party in writing of such request to the extent
permitted by applicable law prior to making any such production or disclosure to
provide the other Party with a reasonable amount of time to respond to such
request before disclosing the requested information to such third party, and
provide commercially reasonable cooperation at the other Party's cost to the
extent reasonable, if it wishes to limit, challenge or protect against such
disclosure, to the extent permitted by applicable law or regulation.


10. Audits and Inspections
10.1 On [**] basis, EIG may ask Service Provider to complete a privacy and
security questionnaire as part of its [**] compliance program. Additionally,
upon reasonable advance notice to Service Provider and during normal business
hours, EIG may conduct a site visit of the Facilities, subject to the following:
(a) such visit will be at EIG’s expense and be conducted by representatives of
EIG, including without limitation its independent third-party auditor; (b) such
site visit will occur at a mutually agreeable time not more than [**] per
Service Provider Facility (other than a visit in connection with a Security
Incident); (c) such site visit will not unreasonably interfere with Service
Provider's operations and will be of reasonable duration; and (d) any third
party performing such site visit on behalf of EIG will execute a nondisclosure
agreement with Service Provider in a form reasonably acceptable to Service
Provider with respect to the confidential treatment and restricted use of
Service Provider’s confidential information. If during a site visit, EIG
discovers a problem with privacy, security or other operational matters that
violate Service Provider’s obligations under the Agreement, EIG and Service
Provider will use commercially reasonable and good faith efforts to remediate
such problems ("Remediation Plan"). Service Provider will execute and complete
the Remediation Plan without unreasonable delay, and, upon request, notify EIG
when such actions are completed.


10.2 In the case of a Security Incident, Service Provider will initiate a call
with EIG regarding the Security Incident within [**] of the Security Incident,
which is in addition to the notification requirement under Section 7.1 of this
Schedule. EIG may conduct a site visit within [**] after the initial notice of
the Security Incident from Service Provider to EIG. Access to the Facilities
will be subject to Service Provider's reasonable access requirements, technical
restrictions, and security policies. [**] prior to a scheduled site visit (other
than a visit in connection with a Security Incident), EIG will provide Service
Provider with a list of records that EIG would like to inspect ("Records
Request"). If Service Provider objects to EIG reviewing particular records,
Service Provider will notify EIG promptly and the parties will discuss the
matter in good faith to arrive at a mutually agreed Records Request. Service
Provider will have the mutually agreed Records Request available for EIG's
inspection on the agreed site visit date (unless another time is mutually agreed
to). If Service Provider, in good faith, is not able to have such information
available at that time, Service Provider will notify EIG in advance, but no less
than [**] prior to the site visit date, and the parties will decide whether to
proceed with the visit. If the parties decide to reschedule the visit, the new
date will be no more than [**] after the originally scheduled date.
Notwithstanding the foregoing, if during a site visit, EIG discovers a problem
with security or other operational matters that violates Service Provider's
obligations hereunder, EIG and Service Provider will use commercially reasonable
and good faith efforts to create a Remediation Plan. Service Provider will
execute and complete the Remediation Plan without unreasonable delay, and, upon
request, notify EIG when such actions are completed.


11. Background Checks
11.1 As of the Amendment Effective Date, Service Provider will conduct
background checks on all new full-time, contract and temporary personnel
involved in the performance of Services for EIG under the Agreement consistent
with the below:


 





--------------------------------------------------------------------------------







[**]


11.2 For employees hired prior to the Amendment Effective Date, Service Provider
shall complete background checks as set forth in Section 11.1 above for all key
personnel who have privileged access to DWTPL’s systems or access to financial
information (“Key Personnel”) within [**] of the Amendment Effective Date. For
all non-Key Personnel hired prior to the Amendment Effective Date, Service
Provider has conducted basic background checks, including:


[**]


12. Administrative Controls
12.1 Service Provider will ensure that all individuals that will have access to
EIG Confidential Information undergo and successfully complete adequate and
appropriate privacy and data security training prior to having access to EIG
Confidential Information. Such training must be provided to all such individuals
on at least an annual basis and comply with applicable laws, regulations and
commercially reasonable practices.


12.2 Service Provider will implement and maintain policies documenting the
consequences for violations of Service Provider's privacy and data security
policies and escalation procedures for non-compliance with such policies.


12.3 Service Provider agrees that all Service Provider employees that Process
EIG Personal Information will comply with the requirements of this Schedule.


13. Survival
This Schedule and related provisions in the Agreement will survive so long as
Service Provider has access to or retains EIG Confidential Information.
Notwithstanding the foregoing, the following provisions in this Schedule will
survive indefinitely: Sections 4 and 9.












 



